
Intermittent total unresponsiveness


61 replies to this topic

#1 Nick10213

Nick10213

  • Members
  • 90 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Northeast USA
  • Local time:03:47 AM

Posted 24 June 2013 - 10:43 AM

My computer (Dell, Windows 7) will boot into regular and safe mode, and from a Ubuntu live CD, but encounters the exact same problems in all instances.  Everything except Norton Antivirus runs properly (I'll explain), but the computer will only run about 30 seconds to a minute out of 10.  Meaning, it runs normally for a short time, then completely freezes for proportionally a much longer period of time, rendering any virus scan almost useless.  I've only been able to get Windows Defender to run (because it's already on the system), and after about 20 hours it was at about 60% complete (so said the flashing green progress bar), and eventually it completely stops and will not make any progress after hours.  I tried HouseCall (that was my previous "go to" quick and easy scan), but it took forever to download, and I'm not even sure it got through updating (this occurred a few months ago, and I got so frustrated staring at a frozen computer that I gave up after a week of doing nothing but attempting to solve it).  So, I downloaded Ubuntu and made a live CD, and the same thing happens when I'm in that environment...runs, then freezes for a good period of time.  I ran an AVG boot CD, I think it found some stuff (I'm sorry, I don't know what it found at this point), cleared it, and STILL I have the same issues.  I ran a full scan of Windows Defender Offline now, and it found nothing.  It seems as long as I'm outside of an operating system (AVG and Windows Defender Offline), I'm ok, but in safe mode, regular, and Ubuntu, I have this freeze issue.  Also, Norton doesn't work.  When I click anything relating to scan, it freezes and reports an error.  I haven't gotten into regular Windows in a month or so, so I don't know what it was.  But, any information that would be helpful I would be glad to get and post.  I would prefer not to have to enter Windows until the virus is cleared, because it literally takes an entire day to complete a single task.
I've been searching for all kinds of bootcds and things to bypass operating systems so I can solve this without going into windows or ubuntu, because that seems to allow for the most responsiveness.  Thank you for any direction or guidance, and as I said, any information required I'll get and post.

Edit:
Also, once or twice I got some little white text in the bottom right corner of the screen that said I was running an unregistered version of Windows.  This is not true, as all software on the computer is legal and registered.

Thanks,
Nick


Edited by Nick10213, 24 June 2013 - 11:34 AM.




#2 Nick10213


Posted 24 June 2013 - 01:32 PM

Ran Sophos with no detection of any viruses.  Tried to run Rootkitbuster, but that has to be run in Windows, and after about half an hour it had made no progress; I have run it on other computers and know that it completes a scan fairly quickly.



#3 Nick10213


Posted 24 June 2013 - 02:20 PM

I've been checking the site a little more...I've tried to install DDS, but it won't run.  It had no association, and gave the associate file screen.  I associated it with cmd.exe; that didn't help.  So...?  I realize it takes time for a response, that's fine.  I want to have everything here when someone is available.  Is there another log that I should try and get to post?


Edited by Nick10213, 24 June 2013 - 03:58 PM.


#4 Nick10213


Posted 25 June 2013 - 09:03 PM

So I got dds.scr to work on my other computer (the one I'm using now).  I copied it over to the infected computer via a flash drive (that I've been running AVG rescue disc from).  Tried to run it, it started to run, the computer alternated frozen and working like it normally did, but then it said a driver was installed for Teredo Tunneling Pseudo Interface.  Now, Windows won't load in normal or any of the various safe modes (with/without networking).  I ran Sophos and AVG rescue (outside of an OS) again...no errors.  AVG found some cookies, as well as saying that realplayer.exe and realplayer[2].exe were corrupted; realplayer[2] was in Content.IE5.  Windows startup repair finds no problem, so it doesn't do anything.  The computer restarts, fails, restarts, then goes to startup repair.  That being said, I don't believe I know of a way to get a DDS log out of the computer now.  So, for whatever that's worth.  I'm doing what I can to get back into the computer (it's like fighting a war over here...), but I don't know if I know of a way to do it (not that there's not one).  On startup, I get a blue screen that flashes too quickly for me to read anything.  It's about 5 lines of text.


Edited by Nick10213, 25 June 2013 - 09:04 PM.


#5 Robybel

Robybel

    Bleepin' Mattley


  • Malware Response Team
  • 179 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:47 AM

Posted 26 June 2013 - 01:59 AM

Hi and Welcome!! Nick10213 :)

My name is Robybel.

I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.


Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them, with Admin Rights (right click, choose "Run as Administrator").


Stay with this topic until I give you the all clean post.

Having said that....Let's get going!! ;)

===========================

FRST

Download the 32 bit or 64 bit version for your system of FRST and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

- Proud Graduate of WTT Classroom -

Member of ASAP and UNITE


Please Only Copy And Paste Reports Into Topic - Do Not Attach

If you are satisfied with the help that you have received, please consider a donation.


#6 Nick10213


Posted 26 June 2013 - 08:23 AM

Thanks for your response, I'm going to get started on this now.  Since I'm being assisted, I'll stop the attempts that I'm making, but there is one last update I suppose.  Ubuntu somehow was running last night, I managed to get ClamAV on it via flash (I made no changes to anything, only scanned).  The problem was that I don't know Linux well, and apparently no one asks simple Linux questions on forums like "How do I read the stderr of a program?"  So, it found 5 infected files, but while I was trying to find out how to look at the log (I found numerous ways to create a specific log file when BEGINNING a scan, but no way to read the stderr that it logged things to automatically), it crashed.  Not sure what happened, but eventually the CD drive popped open and the computer restarted (I'm running a livecd of Ubuntu).  Anyway, that will be the last of my attempts to repair, but if it won't cause any more problems, I may try to scan again and see if I can get names for the files it found.  Unless you advise otherwise, of course.



#7 Nick10213


Posted 26 June 2013 - 08:40 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-06-2013 02
Ran by SYSTEM on 26-06-2013 09:37:04
Running from F:\
WIN_7 Service Pack 1 (X86) OS Language: English(US)
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Winlogon: [Userinit]  [x]
HKLM\...\Winlogon: [Shell]  [x ] () <=== ATTENTION
HKU\Administrator\...\Run: [AudioBox VSL] C:\Program Files\PreSonus\AudioBox\AudioBox.exe -startup [ 2012-05-24] ()
HKU\Administrator\...\Run: [Spotify Web Helper] "C:\Users\Administrator\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [x]
HKU\Administrator\...\Run: [Google Update] "C:\Users\Administrator\AppData\Local\Google\Update\GoogleUpdate.exe" /c [ 2012-03-16] (Google Inc.)
HKU\Administrator\...\Run: [Akamai NetSession Interface] "C:\Users\Administrator\AppData\Local\Akamai\netsession_win.exe" [x]
HKU\Administrator\...\Run: [Spotify] "C:\Users\Administrator\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart [ 2013-05-06] (Spotify Ltd)
HKU\Administrator\...\Run: [EADM] "C:\Program Files\Origin\Origin.exe" -AutoStart [ 2013-06-24] (Electronic Arts)
HKU\Nick\...\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe -update activex [x]
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk ->  (No File)
Startup: C:\ProgramData\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe (McAfee, Inc.)
 
========================== Services (Whitelisted) =================
 
S2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2010-02-08] (Symantec Corporation)
S2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2010-02-08] (Symantec Corporation)
S3 LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [3093880 2009-03-20] (Symantec Corporation)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.0.318\McCHSvc.exe [235216 2013-02-05] (McAfee, Inc.)
S2 O2FLASH; C:\Windows\system32\DRIVERS\o2flash.exe [72296 2011-02-21] (O2Micro International)
S2 Pharos Systems ComTaskMaster; C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe [345600 2010-01-14] (Pharos Systems International)
S2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [38608 2012-11-29] ()
S2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1864888 2010-02-08] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [341320 2010-02-08] (Symantec Corporation)
S2 STacSV; C:\Program Files\IDT\WDM\STacSV.exe [274514 2011-10-02] (IDT, Inc.)
S2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [2477304 2010-02-08] (Symantec Corporation)
 
==================== Drivers (Whitelisted) ====================
 
S3 Acceler; C:\Windows\System32\DRIVERS\accelern.sys [44144 2011-10-02] (ST Microelectronics)
S3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [39656 2011-10-02] (Broadcom Corporation)
S3 e1cexpress; C:\Windows\System32\DRIVERS\e1c6232.sys [238760 2011-02-21] (Intel Corporation)
S3 e1yexpress; C:\Windows\System32\DRIVERS\e1y6232.sys [221912 2011-02-10] (Intel Corporation)
S3 MEI; C:\Windows\system32\drivers\HECI.sys [41088 2011-02-21] (Intel Corporation)
S3 NAVENG; C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20130509.004\NAVENG.SYS [93296 2013-01-15] (Symantec Corporation)
S3 NAVEX15; C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20130509.004\NAVEX15.SYS [1603824 2013-01-15] (Symantec Corporation)
S3 NETwNs32; C:\Windows\System32\DRIVERS\NETwNs32.sys [7434240 2011-02-21] (Intel Corporation)
S1 nvkflt; C:\Windows\System32\DRIVERS\nvkflt.sys [171112 2011-08-03] (NVIDIA Corporation)
S0 nvpciflt; C:\Windows\System32\DRIVERS\nvpciflt.sys [20328 2011-10-02] (NVIDIA Corporation)
S3 O2MDFRDR; C:\Windows\System32\DRIVERS\O2MDFw7.sys [60904 2011-02-21] (O2Micro )
S3 O2SDJRDR; C:\Windows\System32\DRIVERS\o2sdjw7.sys [63976 2011-10-02] (O2Micro )
S3 OA001Ufd; C:\Windows\System32\DRIVERS\OA001Ufd.sys [144672 2008-06-03] (Creative Technology Ltd.)
S3 OA001Vid; C:\Windows\System32\DRIVERS\OA001Vid.sys [277440 2008-09-18] (Creative Technology Ltd.)
S3 paeusbaudio; C:\Windows\System32\DRIVERS\paeusbaudio.sys [195448 2012-05-24] ()
S3 paeusbaudiodsp; C:\Windows\System32\DRIVERS\paeusbaudiodsp.sys [60280 2012-05-24] ()
S3 paeusbaudioks; C:\Windows\System32\DRIVERS\paeusbaudioks.sys [42872 2012-05-24] ()
S3 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2010-02-08] (Symantec Corporation)
S1 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [281648 2010-02-08] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [320560 2010-02-08] (Symantec Corporation)
S1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2010-02-08] (Symantec Corporation)
S0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17904 2011-07-15] (ST Microelectronics)
S3 stdriver; C:\Windows\System32\DRIVERS\stdriver32.sys [52312 2012-08-22] (NCH Software)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [124976 2011-08-25] (Symantec Corporation)
S3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [26416 2010-02-08] (Symantec Corporation)
S1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [188080 2010-02-08] (Symantec Corporation)
S3 xusb21; C:\Windows\System32\DRIVERS\xusb21.sys [56448 2009-04-08] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-06-26 09:36 - 2013-06-26 09:36 - 00000000 ____D C:\FRST
2013-06-25 13:01 - 2013-06-25 13:01 - 00000000 __SHD C:\found.001
2013-06-25 12:40 - 2013-06-24 11:04 - 00688992 ____R (Swearware) C:\Users\Administrator\Desktop\dds.scr
2013-06-24 10:50 - 2013-06-24 10:50 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-06-24 10:18 - 2013-06-25 12:36 - 00000408 ____A C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Administrator.job
2013-06-24 10:18 - 2013-06-24 10:52 - 00000402 ____A C:\Windows\Tasks\ReclaimerUpdateFiles_Administrator.job
2013-06-24 10:18 - 2013-06-24 10:52 - 00000398 ____A C:\Windows\Tasks\ReclaimerUpdateXML_Administrator.job
2013-06-24 08:43 - 2013-06-24 08:43 - 00131720 ____A (trend_company_name) C:\Windows\System32\Drivers\tmrkb.sys
2013-06-24 08:42 - 2013-06-24 08:42 - 00256904 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
 
==================== One Month Modified Files and Folders ========
 
2013-06-26 09:36 - 2013-06-26 09:36 - 00000000 ____D C:\FRST
2013-06-25 13:01 - 2013-06-25 13:01 - 00000000 __SHD C:\found.001
2013-06-25 12:55 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-25 12:55 - 2009-07-13 20:39 - 00096540 ____A C:\Windows\setupact.log
2013-06-25 12:44 - 2013-05-13 06:58 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-25 12:43 - 2010-11-20 13:01 - 00800170 ____A C:\Windows\System32\PerfStringBackup.INI
2013-06-25 12:38 - 2012-03-17 18:36 - 00000000 ____D C:\Program Files\Origin
2013-06-25 12:38 - 2012-02-07 12:44 - 01319148 ____A C:\Windows\WindowsUpdate.log
2013-06-25 12:36 - 2013-06-24 10:18 - 00000408 ____A C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Administrator.job
2013-06-25 12:36 - 2012-08-05 12:41 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-06-25 12:30 - 2013-02-07 19:30 - 00000000 ___RD C:\Users\Administrator\Dropbox
2013-06-25 12:30 - 2013-02-07 19:24 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Dropbox
2013-06-25 12:30 - 2012-03-16 17:07 - 00000940 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2809488865-1493460987-1410110774-500UA.job
2013-06-24 11:04 - 2013-06-25 12:40 - 00688992 ____R (Swearware) C:\Users\Administrator\Desktop\dds.scr
2013-06-24 10:56 - 2012-02-20 18:38 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Spotify
2013-06-24 10:52 - 2013-06-24 10:18 - 00000402 ____A C:\Windows\Tasks\ReclaimerUpdateFiles_Administrator.job
2013-06-24 10:52 - 2013-06-24 10:18 - 00000398 ____A C:\Windows\Tasks\ReclaimerUpdateXML_Administrator.job
2013-06-24 10:50 - 2013-06-24 10:50 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-06-24 10:30 - 2009-07-13 20:34 - 00019344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-06-24 10:30 - 2009-07-13 20:34 - 00019344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-06-24 10:19 - 2012-08-05 12:41 - 00000900 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-06-24 10:18 - 2009-07-13 20:33 - 00505824 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-24 08:54 - 2013-05-06 09:36 - 00002411 ____A C:\Users\Administrator\Desktop\Google Chrome.lnk
2013-06-24 08:46 - 2013-05-13 06:58 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2013-06-24 08:46 - 2011-08-25 08:05 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2013-06-24 08:43 - 2013-06-24 08:43 - 00131720 ____A (trend_company_name) C:\Windows\System32\Drivers\tmrkb.sys
2013-06-24 08:42 - 2013-06-24 08:42 - 00256904 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
 
Files to move or delete:
====================
C:\Users\Administrator\Logos4Setup.exe
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION!
HKLM\...\exefile\open\command:  <===== ATTENTION!
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 11%
Total physical RAM: 4053.02 MB
Available physical RAM: 3583.85 MB
Total Pagefile: 4051.3 MB
Available Pagefile: 3584.03 MB
Total Virtual: 2047.88 MB
Available Virtual: 1915.52 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:232.79 GB) (Free:157.12 GB) NTFS
Drive e: (Ubuntu 13.04 i38) (CDROM) (Total:0.11 GB) (Free:0 GB) CDFS
Drive f: (PENDRIVE) (Removable) (Total:1.89 GB) (Free:1.4 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 233 GB) (Disk ID: 1D8D6388)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=233 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 2 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=2 GB) - (Type=0B)
 
 
LastRegBack: 2013-05-04 17:39
 
==================== End Of Log ============================
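The FRST.txt above is the kind of log a Malware Response Team helper reads by hand, and the fixlists later in this thread are built from its "<=== ATTENTION" markers and its "Files to move or delete" section. The Python script below is an added example, not part of this thread and not code from Farbar or the FRST tool; it parses that plain-text format (section banners, dated file entries, attention markers) and pulls out the findings a helper looks at first. The sample log embedded in it is a constructed, trimmed copy of the log posted above, and the section names and line layouts it relies on are taken from that log rather than from any FRST specification.

```python
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the FRST.txt posted in this thread.
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 25-06-2013 02
Ran by SYSTEM on 26-06-2013 09:37:04
Boot Mode: Recovery
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.
==================== Registry (Whitelisted) ==================
HKLM\...\Winlogon: [Userinit]  [x]
HKLM\...\Winlogon: [Shell]  [x ] () <=== ATTENTION
HKU\Administrator\...\Run: [EADM] "C:\Program Files\Origin\Origin.exe" -AutoStart [ 2013-06-24] (Electronic Arts)
==================== One Month Created Files and Folders ========
2013-06-26 09:36 - 2013-06-26 09:36 - 00000000 ____D C:\FRST
2013-06-25 12:40 - 2013-06-24 11:04 - 00688992 ____R (Swearware) C:\Users\Administrator\Desktop\dds.scr
2013-06-24 10:18 - 2013-06-25 12:36 - 00000408 ____A C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Administrator.job
2013-06-24 08:43 - 2013-06-24 08:43 - 00131720 ____A (trend_company_name) C:\Windows\System32\Drivers\tmrkb.sys
2013-06-24 08:42 - 2013-06-24 08:42 - 00256904 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
Files to move or delete:
====================
C:\Users\Administrator\Logos4Setup.exe
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
==================== EXE ASSOCIATION =====================
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION!
HKLM\...\exefile\open\command:  <===== ATTENTION!
==================== End Of Log ============================
"""

SECTION_RE = re.compile(r"^=+\s*([^=]+?)\s*=+$")   # "==== Name ===="
NAMED_RE = re.compile(r"^([A-Za-z][^:=]*):$")      # "Files to move or delete:"
RULE_RE = re.compile(r"^=+$")                      # bare separator line
ATTENTION_RE = re.compile(r"<=+\s*ATTENTION")      # FRST's finding marker (not the header notice)
# "<created> - <modified> - <size> <attrs> (<company>) <path>"; company is optional
FILE_ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)

def split_sections(text):
    """Map each section heading of an FRST log to its non-empty lines ('header' = preamble)."""
    sections = OrderedDict(header=[])
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or RULE_RE.match(line):
            continue
        heading = SECTION_RE.match(line) or NAMED_RE.match(line)
        if heading:
            current = heading.group(1)
            sections[current] = []
            continue
        sections[current].append(line)
    return sections

def attention_entries(sections):
    """Registry / file-association entries that FRST itself marked with '<=== ATTENTION'."""
    return [line for name, lines in sections.items() if name != "header"
            for line in lines if ATTENTION_RE.search(line)]

def parse_file_entries(sections, section="One Month Created Files and Folders"):
    """Parse the dated file/folder entries of one listing section into dicts."""
    entries = []
    for line in sections.get(section, []):
        m = FILE_ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def recent_driver_files(sections):
    """Newly created kernel drivers: files (not folders) under a Drivers folder or ending in .sys."""
    out = []
    for e in parse_file_entries(sections):
        p = e["path"].lower()
        if "D" not in e["attrs"] and ("\\drivers\\" in p or p.endswith(".sys")):
            out.append(e)
    return out

def files_to_move(sections):
    """Paths FRST listed under 'Files to move or delete'."""
    return list(sections.get("Files to move or delete", []))

def draft_fixlist(sections):
    """Lines in the shape of the fixlist.txt used later in this thread: flagged entries
    plus the files FRST lists to move or delete. A helper still reviews every line."""
    return attention_entries(sections) + files_to_move(sections)

if __name__ == "__main__":
    s = split_sections(SAMPLE_LOG)
    print("\n".join(draft_fixlist(s)))
    print([e["path"] for e in recent_driver_files(s)])
```

Run on the sample it prints the four flagged entries (the Winlogon Shell value and the three .exe association keys) plus Logos4Setup.exe as a draft fixlist, and names the two Trend Micro drivers created that month. The draft is only a starting point: which lines actually go into fixlist.txt is the helper's call, which is why the two fixlists in this thread differ from a mechanical dump of the log.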


#8 Nick10213


Posted 26 June 2013 - 08:45 AM

For what it's worth, these problems started in early May, and this log only goes back a month.  Don't know if that's an issue, just thought it might be helpful.



#9 Robybel


Posted 27 June 2013 - 08:23 AM

Hi Nick :)


Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

2013-06-25 13:01 - 2013-06-25 13:01 - 00000000 __SHD C:\found.001
2013-06-25 13:01 - 2013-06-25 13:01 - 00000000 __SHD C:\found.001
2013-06-25 12:55 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-06-25 12:44 - 2013-05-13 06:58 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-06-25 12:30 - 2012-03-16 17:07 - 00000940 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2809488865-1493460987-1410110774-500UA.job
2013-06-24 10:30 - 2009-07-13 20:34 - 00019344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
C:\Users\Administrator\Logos4Setup.exe
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.



#10 Nick10213


Posted 28 June 2013 - 01:10 AM

Before I say this, I would like to be clear that I am doing everything as instructed, nothing more or less.  Having said that, I came to a forum to receive help from a person.  It appears as though I am talking to an automated service, or at best, someone who's copying and pasting materials from a source of standardized procedures.  What exactly am I doing?  What does FRST do?  When I'm running "fix", what is happening?  Logos is a pretty important program, I'd like to retain use of it (I realize it's only a setup file, but still). Are files being renamed?  Deleted?  How can I give a name to what's wrong?  Is it a virus, or have I altered an important system file somehow?  I've given some information that I'd like help interpreting, but it seems as though I'm just getting some stock answers.  Thank you for the help I've received so far and will continue to receive, but I do like learning about what I'm doing.  If it's not protocol to help me understand what's going on, I'll be a little disappointed, but I'll live.  Thank you for helping me, and thank you for your continued assistance in helping me solve this problem.  I'm sorry if it seems like I'm not grateful, but I really am.  I do enjoy learning though (If I could get paid to attend college, you have no idea how happy I'd be).

 

Thank you for your time,

Nick



#11 Nick10213


Posted 28 June 2013 - 01:13 AM

What is the X: partition from?  Is that from the programs I've been using to boot the computer from (AVG Rescue, Sophos, Ubuntu)?  It appears to almost be a dummy windows, with some folders that don't contain anything but have windows names, like desktop, libraries, system, computer, etc.



#12 Nick10213


Posted 28 June 2013 - 01:15 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 25-06-2013 02
Ran by SYSTEM at 2013-06-28 02:14:56 Run:1
Running from F:\
Boot Mode: Recovery
 
==============================================
 
C:\found.001 => Moved successfully.
C:\found.001 => File/Directory not found.
C:\Windows\Tasks\SA.DAT => Moved successfully.
C:\Windows\Tasks\Adobe Flash Player Updater.job => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2809488865-1493460987-1410110774-500UA.job => Moved successfully.
C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 => Moved successfully.
C:\Users\Administrator\Logos4Setup.exe => Moved successfully.


#13 Robybel


Posted 28 June 2013 - 04:37 PM

Hi Nick :)
 
It is not a robot on this side that responds to your request for help.
Of course I can say anything you want, but we risk prolonging the correction until the end of days.
 

What exactly am I doing? What does FRST do? When I'm running "fix", what is happening?

 
You could not work in normal mode, so we use FRST, a tool that allows you to work in the recovery environment.
The priority right now is to allow you to work in normal mode, eliminating the various infections that FRST has found.

Drive X is the boot drive of the Recovery environment.

OK Follow this now

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Next

AdwCleaner
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
Next

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Next
  • Download RogueKiller and save it to your desktop.
  • Quit all other programs
  • Start RogueKiller.exe
  • Wait until the Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan
  • A report will be created on your desktop.
  • Click on the Delete button
  • Next click on the ShortcutsFix
  • Another report will be created on your desktop.
Please post: All RKreport.txt text files located on your desktop.

On your next reply please post :
  • checkup.txt
  • AdwCleaner[S1].txt
  • JRT.txt
  • All RKreport.txt
Let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!



#14 Nick10213


Posted 28 June 2013 - 07:48 PM

Thanks for the help so far, I realize this takes a lot of time on your end.  

 

I still end up getting a quick blue screen followed by the "failed to start" screen that gives an option for startup repair or start windows normally.  If I select start windows normally, it tries to start, blue screen, reboot.



#15 Robybel


Posted 29 June 2013 - 11:11 AM

Hi Nick

Let's try to restart your Windows.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

HKLM\...\Winlogon: [Shell]  [x ] () <=== ATTENTION
HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon:  <===== ATTENTION!
HKLM\...\exefile\open\command:  <===== ATTENTION!
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Next

You have got a minidump file for the event (BSOD)

It should be located at ... C:\Windows\Minidump

Please find and post it





