
root kit virus - likely zero access


This topic is locked.
44 replies to this topic

#1 Otter Stenwick

  • Members
  • 24 posts
  • Gender:Female
  • Location:minneapolis, mn

Posted 21 October 2013 - 08:41 PM

On the web (Firefox) Friday, I got redirected from a conference website and got infected with something.

I have Win 7 Home 64-bit, on an eMachines EL1333-11f.

Tried to go to Malwarebytes to download it and it wouldn't download. Got it onto my machine via my husband's computer. Kept getting access denied messages where I tried to install or run programs. The more I looked the more weird stuff I found on the computer - extra programs, extra user, strange file rights - fixed them. Deleted temp files, app data files, etc.

I ran Rkill several times. Had trouble booting into safe mode (keyboard?). My husband researched and downloaded on his machine, then placed JRT and AdwCleaner on my desktop and ComboFix. JRT and ADW ran but did not fix everything. Then I tried ComboFix - it would not run, so I stopped and decided it was time to consult the experts (you). So I turned off the computer and didn't use it this weekend.

This is the latest Rkill log.

Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/17/2013 10:45:28 PM in x64 mode.
Windows Version: Windows 7 Home Premium

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Program Files (x86)\Google\Desktop\Install\{2da805ed-f3ec-902b-40fc-667ecac865a5}\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{2da805ed-f3ec-902b-40fc-667ecac865a5}\   \ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{2da805ed-f3ec-902b-40fc-667ecac865a5}\   \...\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{2da805ed-f3ec-902b-40fc-667ecac865a5}\   \...\ﯹ๛\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{2da805ed-f3ec-902b-40fc-667ecac865a5}\   \...\ﯹ๛\{2da805ed-f3ec-902b-40fc-667ecac865a5}\ [ZA Dir]
     * C:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
     * C:\Windows\assembly\GAC_64\Desktop.ini [ZA File]

 * ALERT: ZEROACCESS Reparse Point/Junction found!

     * C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
     * C:\Program Files\Windows Defender\MpAsDesc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpClient.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCmdRun.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpCommu.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpEvMsg.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpOAV.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpRTP.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MpSvc.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MSASCui.exe => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpCom.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpLics.dll => c:\windows\system32\config [File]
     * C:\Program Files\Windows Defender\MsMpRes.dll => c:\windows\system32\config [File]

Checking Windows Service Integrity:

 * Windows Firewall Authorization Driver (mpsdrv) is not Running.
   Startup Type set to: Manual

 * BFE [Missing Service]
 * BITS [Missing Service]
 * iphlpsvc [Missing Service]
 * MpsSvc [Missing Service]
 * PcaSvc [Missing Service]
 * PolicyAgent [Missing Service]
 * RemoteAccess [Missing Service]
 * WinDefend [Missing Service]
 * wscsvc [Missing Service]
 * wuauserv [Missing Service]

 * SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 10/17/2013 10:45:45 PM
Execution time: 0 hours(s), 0 minute(s), and 17 seconds(s)
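As an added example for readers of this thread (not part of the original post, and not code from Rkill or FRST), the following PowerShell script re-runs the ZeroAccess checks Rkill reported above so that an analyst can confirm them by hand on a Windows 7 x64 host: reparse points inside the Windows Defender folder, Desktop.ini files in the GAC folders, the Google Desktop Install folder, and the services listed as missing. Paths and service names are taken from the Rkill and FRST logs in this thread; it assumes an elevated 64-bit PowerShell session.

```powershell
# Added example, not part of the thread or of Rkill/FRST. Re-check the
# ZeroAccess indicators from the Rkill log. Run from an elevated 64-bit
# PowerShell so $env:ProgramFiles resolves to "C:\Program Files".
$findings = @()

# 1. Reparse points (junctions/symlinks) inside the Windows Defender folder.
#    Rkill showed every file there redirected to c:\windows\system32\config;
#    a clean install has no reparse points in this folder at all.
$defender = Join-Path $env:ProgramFiles 'Windows Defender'
if (Test-Path -LiteralPath $defender) {
    foreach ($item in Get-ChildItem -LiteralPath $defender -Force) {
        if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            $findings += "Reparse point: $($item.FullName)"
        }
    }
    # 'dir /AL' lists only reparse points and shows their targets, e.g.
    #   <JUNCTION>  en-US [c:\windows\system32\config]
    cmd /c dir /AL "$defender"
}

# 2. Desktop.ini files dropped into the .NET Global Assembly Cache folders
#    (C:\Windows\assembly\GAC_32 and GAC_64 in the Rkill log).
foreach ($gac in 'GAC_32', 'GAC_64') {
    $ini = Join-Path $env:SystemRoot "assembly\$gac\Desktop.ini"
    if (Test-Path -LiteralPath $ini) { $findings += "GAC Desktop.ini: $ini" }
}

# 3. The Google Desktop "Install" folder ZeroAccess used as its home. Its
#    sub-folders have reserved/non-printable names, so list everything,
#    hidden entries included, rather than trying to name them.
$install = Join-Path ${env:ProgramFiles(x86)} 'Google\Desktop\Install'
if (Test-Path -LiteralPath $install) {
    $findings += "ZeroAccess install folder present: $install"
    Get-ChildItem -LiteralPath $install -Force -Recurse | Select-Object FullName
}

# 4. Services the rootkit removed ([Missing Service] / [Missing ImagePath]
#    in the Rkill log), checked directly in the registry so a key with no
#    ImagePath (SharedAccess) is caught as well.
$expected = 'BFE','BITS','iphlpsvc','MpsSvc','PcaSvc','PolicyAgent',
            'RemoteAccess','WinDefend','wscsvc','wuauserv','SharedAccess'
foreach ($name in $expected) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) { $findings += "Missing service: $name"; continue }
    $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
    if (-not $image) { $findings += "Service $name has no ImagePath" }
}

# 5. Any service whose ImagePath points into the Install folder (FRST showed
#    one such service, named *etadpug, in the post below).
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $image = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($image -and $image -like '*\Google\Desktop\Install\*') {
        $findings += "Service '$($svc.PSChildName)' runs from the Install folder: $image"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "ALERT: $_" } }
else { Write-Output 'No ZeroAccess indicators found.' }
```

The script only reports; it removes nothing, so it can be run before and after a cleanup to confirm that the junctions, files and missing services listed in the logs are really gone.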
 




#2 TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • Gender:Male

Posted 22 October 2013 - 01:50 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

  • Run FRST.
  • Don't change any of the checkboxes and hit Scan.
  • Logfiles are created on your desktop.
  • Post the FRST.txt and (after the first scan only!) the Addition.txt.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 Otter Stenwick

  • Topic Starter
  • Members
  • 24 posts
  • Gender:Female
  • Location:minneapolis, mn

Posted 23 October 2013 - 08:33 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-10-2013
Ran by Otter (administrator) on OTTER7 on 23-10-2013 20:22:25
Running from C:\Users\Otter\Desktop
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Acer Incorporated) C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Akamai Technologies, Inc.) C:\Users\Otter\AppData\Local\Akamai\netsession_win.exe
() C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe
(Akamai Technologies, Inc.) C:\Users\Otter\AppData\Local\Akamai\netsession_win.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corporation) C:\Windows\System32\tcpsvcs.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Acer Group) C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
() C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
() C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [7981088 2009-07-20] (Realtek Semiconductor)
HKLM\...\Run: [NvCplDaemon] - RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKCU\...\Run: [Akamai NetSession Interface] - C:\Users\Otter\AppData\Local\Akamai\netsession_win.exe [4489472 2013-06-05] (Akamai Technologies, Inc.)
HKCU\...\Run: [GetBooks] - "C:\Users\Otter\AppData\Local\GetBooks\GetBooks.exe" 307a5a71e299b52634284b16de55df44
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKLM-x32\...\Run: [Hotkey Utility] - C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyUtility.exe [611872 2010-08-04] ()
HKLM-x32\...\Run: [BrStsMon00] - C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [2621440 2010-06-10] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKU\Default\...\Run: [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\Default\...\RunOnce: [ScrSav] - C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe [162336 2009-07-21] ()
HKU\Default User\...\Run: [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\Default User\...\RunOnce: [ScrSav] - C:\Program Files (x86)\eMachines\Screensaver\run_eMachines.exe [162336 2009-07-21] ()
Startup: C:\Users\Otter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
Startup: C:\Users\Otter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JL Alpine Advent Calendar.lnk
ShortcutTarget: JL Alpine Advent Calendar.lnk -> C:\Program Files (x86)\JL Alpine Advent Calendar\JL Alpine Advent Calendar.exe (No File)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1333&r=17361110k103p0434v135r47l1t299
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1333&r=17361110k103p0434v135r47l1t299
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1333&r=17361110k103p0434v135r47l1t299
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1333&r=17361110k103p0434v135r47l1t299
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=el1333&r=17361110k103p0434v135r47l1t299
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: Evernote extension - {92EF2EAD-A7CE-4424-B0DB-499CF856608E} - C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: Free Download Manager - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll (FreeDownloadManager.ORG)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 02 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 02 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found ()
Winsock: Catalog9-x64 02 mswsock.dll File Not found ()
Winsock: Catalog9-x64 03 mswsock.dll File Not found ()
Winsock: Catalog9-x64 04 mswsock.dll File Not found ()
Winsock: Catalog9-x64 05 mswsock.dll File Not found ()
Winsock: Catalog9-x64 06 mswsock.dll File Not found ()
Winsock: Catalog9-x64 07 mswsock.dll File Not found ()
Winsock: Catalog9-x64 08 mswsock.dll File Not found ()
Winsock: Catalog9-x64 09 mswsock.dll File Not found ()
Winsock: Catalog9-x64 10 mswsock.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.2.25

FireFox:
========
FF ProfilePath: C:\Users\Otter\AppData\Roaming\Mozilla\Firefox\Profiles\7gsak1f6.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_117.dll ()
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll No File
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Otter\AppData\Roaming\Mozilla\Firefox\Profiles\7gsak1f6.default\searchplugins\creative-commons-search-beta.xml
FF Extension: No Name - C:\Users\Otter\AppData\Roaming\Mozilla\Firefox\Profiles\7gsak1f6.default\Extensions\foxmarks@kei.com
FF Extension: Evernote Web Clipper - C:\Users\Otter\AppData\Roaming\Mozilla\Firefox\Profiles\7gsak1f6.default\Extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
FF Extension: No Name - C:\Users\Otter\AppData\Roaming\Mozilla\Firefox\Profiles\7gsak1f6.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF Extension: Skype extension - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

==================== Services (Whitelisted) =================

S3 COMSysApp; C:\Windows\SysWow64\dllhost.exe [7168 2009-07-13] (Microsoft Corporation)
R2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [625184 2009-04-19] ()
R2 Greg_Service; C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)
S3 msiserver; C:\Windows\SysWow64\msiexec.exe [73216 2009-07-13] (Microsoft Corporation)
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [57617752 2009-03-30] (Microsoft Corporation)
R2 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [207904 2009-04-19] ()
S4 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [427880 2009-03-30] (Microsoft Corporation)
R2 Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [243232 2010-01-28] (Acer Group)
R2 WSearch; C:\Windows\SysWow64\SearchIndexer.exe [428032 2009-07-13] (Microsoft Corporation)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [x]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [x]
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{2da805ed-f3ec-902b-40fc-667ecac865a5}\   \...\???\{2da805ed-f3ec-902b-40fc-667ecac865a5}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-10-23 20:21 - 2013-10-23 20:21 - 00000000 ____D C:\FRST
2013-10-23 20:09 - 2013-10-23 20:09 - 01955412 _____ (Farbar) C:\Users\Otter\Desktop\FRST64.exe
2013-10-21 20:02 - 2013-10-21 20:03 - 00550371 _____ C:\Users\Otter\Downloads\Autoruns.zip
2013-10-17 20:54 - 2013-10-17 20:56 - 00000000 ____D C:\AdwCleaner
2013-10-17 20:53 - 2013-10-17 20:50 - 01033335 _____ (Thisisu) C:\Users\Otter\Desktop\JRT.exe
2013-10-17 20:53 - 2013-10-17 20:49 - 01050644 _____ C:\Users\Otter\Desktop\AdwCleaner.exe
2013-10-17 20:53 - 2013-10-17 20:46 - 05134711 _____ (Swearware) C:\Users\Otter\Desktop\ComboFix.exe
2013-10-17 20:44 - 2013-10-17 20:50 - 00000000 ____D C:\Users\Public\Removal Tools
2013-10-17 19:47 - 2013-10-17 19:47 - 01898232 _____ (Bleeping Computer, LLC) C:\Users\Otter\Desktop\iExplore.exe
2013-10-17 19:21 - 2013-10-17 19:21 - 00000000 ____D C:\ProgramData\AVAST Software
2013-10-17 19:12 - 2013-10-17 19:14 - 85269544 _____ (AVAST Software) C:\Users\Otter\Desktop\avast_free_antivirus_setup.exe
2013-10-16 20:38 - 2013-10-16 20:38 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2013-10-12 00:50 - 2013-10-12 02:02 - 00000000 ____D C:\Users\Otter\Documents\D&D-2nd
2013-10-11 01:30 - 2013-10-11 01:31 - 157873417 _____ C:\Users\Otter\Downloads\OOo_3.3.0_Win_x86_install-wJRE_en-US.exe.zip

==================== One Month Modified Files and Folders =======

2013-10-23 20:21 - 2013-10-23 20:21 - 00000000 ____D C:\FRST
2013-10-23 20:18 - 2011-05-21 08:33 - 00000892 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-23 20:18 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-23 20:18 - 2009-07-13 23:51 - 00165088 _____ C:\Windows\setupact.log
2013-10-23 20:09 - 2013-10-23 20:09 - 01955412 _____ (Farbar) C:\Users\Otter\Desktop\FRST64.exe
2013-10-23 19:39 - 2011-01-20 18:37 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-10-23 05:50 - 2011-07-22 08:59 - 00000000 ____D C:\Users\Otter\AppData\Local\CrashDumps
2013-10-22 22:34 - 2009-07-14 00:13 - 00870488 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-21 23:54 - 2011-05-21 08:33 - 00000896 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-21 23:25 - 2012-04-23 00:08 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-21 20:03 - 2013-10-21 20:02 - 00550371 _____ C:\Users\Otter\Downloads\Autoruns.zip
2013-10-21 19:52 - 2009-07-13 23:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-21 19:52 - 2009-07-13 23:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-17 20:56 - 2013-10-17 20:54 - 00000000 ____D C:\AdwCleaner
2013-10-17 20:53 - 2013-02-15 13:25 - 00018432 ___SH C:\Users\Public\Thumbs.db
2013-10-17 20:50 - 2013-10-17 20:53 - 01033335 _____ (Thisisu) C:\Users\Otter\Desktop\JRT.exe
2013-10-17 20:50 - 2013-10-17 20:44 - 00000000 ____D C:\Users\Public\Removal Tools
2013-10-17 20:49 - 2013-10-17 20:53 - 01050644 _____ C:\Users\Otter\Desktop\AdwCleaner.exe
2013-10-17 20:46 - 2013-10-17 20:53 - 05134711 _____ (Swearware) C:\Users\Otter\Desktop\ComboFix.exe
2013-10-17 20:25 - 2010-09-15 22:32 - 01401506 _____ C:\Windows\WindowsUpdate.log
2013-10-17 20:05 - 2010-08-25 13:47 - 00000000 ____D C:\Program Files (x86)\Google
2013-10-17 19:47 - 2013-10-17 19:47 - 01898232 _____ (Bleeping Computer, LLC) C:\Users\Otter\Desktop\iExplore.exe
2013-10-17 19:21 - 2013-10-17 19:21 - 00000000 ____D C:\ProgramData\AVAST Software
2013-10-17 19:14 - 2013-10-17 19:12 - 85269544 _____ (AVAST Software) C:\Users\Otter\Desktop\avast_free_antivirus_setup.exe
2013-10-16 20:38 - 2013-10-16 20:38 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2013-10-16 12:07 - 2012-03-04 12:14 - 00000000 ____D C:\Users\Public\Documents\medicine
2013-10-15 01:37 - 2011-01-27 22:34 - 00000000 ____D C:\Users\Otter\AppData\Local\Apple Computer
2013-10-14 00:49 - 2011-05-21 08:33 - 00003892 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2013-10-14 00:49 - 2011-05-21 08:33 - 00003640 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2013-10-13 19:07 - 2011-01-30 00:13 - 00000000 ____D C:\Users\Otter\Documents\ebooks
2013-10-12 02:02 - 2013-10-12 00:50 - 00000000 ____D C:\Users\Otter\Documents\D&D-2nd
2013-10-11 01:31 - 2013-10-11 01:30 - 157873417 _____ C:\Users\Otter\Downloads\OOo_3.3.0_Win_x86_install-wJRE_en-US.exe.zip
2013-10-10 09:25 - 2012-04-23 00:08 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-10-10 09:25 - 2012-04-23 00:08 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-10-10 09:25 - 2011-06-26 20:44 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-10-07 21:08 - 2013-04-14 10:47 - 00000000 ____D C:\Users\Otter\Documents\Gaia
2013-09-25 20:22 - 2012-02-27 23:37 - 00000000 ____D C:\Users\Otter\Documents\Calibre Library
2013-09-25 08:58 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-1865460656-4038712473-3081438186-1000\$RRTXBK4

Files to move or delete:
====================
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install


Some content of TEMP:
====================
C:\Users\Otter\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Otter\AppData\Local\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender


LastRegBack: 2011-02-17 00:10

==================== End Of Log ============================

 

Addition.txt log generated by running FRST

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 24-10-2013
Ran by Otter at 2013-10-23 20:24:03
Running from C:\Users\Otter\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center

========================

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-

831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs

======================

7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
Acrobat.com (x32 Version: 1.6.65)
Adobe AIR (x32 Version: 3.5.0.600)
Adobe Flash Player 11 ActiveX (x32 Version: 11.9.900.117)
Adobe Flash Player 11 Plugin (x32 Version: 11.9.900.117)
Adobe Reader X (10.1.5) (x32 Version: 10.1.5)
Advertising Center (x32 Version: 0.0.0.2)
Akamai NetSession Interface (HKCU)
Amazon Kindle (HKCU)
Apple Application Support (x32 Version: 2.3.4)
Apple Mobile Device Support (Version: 6.1.0.13)
Apple Software Update (x32 Version: 2.1.3.127)
BitTorrent (x32 Version: 7.2.0)
Bonjour (Version: 3.0.0.10)
BrainTrain's Memory Gym AE (x32 Version: 13.10.0)
calibre (x32 Version: 0.8.41)
Captain's Log MindPower Builder (x32 Version: 13.11.0)
Code Hero (x32 Version: 0.192)
CyberLink PowerDVD 9 (x32 Version: 9.0.2610.50)
DiceRoller 1.0
Dora's World Adventure (x32 Version: 1.00.0000)
Dungeon Keeper 2 (x32)
eMachines Recovery Management (x32 Version: 4.05.3007)
eMachines Registration (x32 Version: 1.02.3006)
eMachines ScreenSaver (x32 Version: 1.1.0812)
eMachines Updater (x32 Version: 1.02.3001)
Evernote v. 4.6.4 (x32 Version: 4.6.4.8136)
Free Download Manager 3.9.2 (x32)
GIMP 2.8.2 (Version: 2.8.2)
Google Update Helper (x32 Version: 1.3.21.165)
Hello World 0.1 (x32)
HL-2230 (x32 Version: 1.0.4.0)
Hotkey Utility (x32 Version: 2.05.3009)
ImagXpress (x32 Version: 7.0.74.0)
iTunes (Version: 11.0.4.4)
Java Auto Updater (x32 Version: 2.0.2.4)
Java™ 6 Update 22 (x32 Version: 6.0.220)
Java™ 7 Update 2 (64-bit) (Version: 7.0.20)
JumpStart Advanced Kindergarten (x32)
JumpStart Music (x32)
Junk Mail filter update (x32 Version: 14.0.8089.726)
Microsoft .NET Framework 4 Client Profile (Version:

4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft .NET Framework 4 Multi-Targeting Pack (x32

Version: 4.0.30319)
Microsoft Application Error Reporting (Version:

12.0.6015.5000)
Microsoft Application Error Reporting (x32 Version:

12.0.6012.5000)
Microsoft Choice Guard (x32 Version: 2.0.48.0)
Microsoft Help Viewer 1.0 (Version: 1.0.30319)
Microsoft Office 2010 (x32 Version: 14.0.4763.1000)
Microsoft Office Click-to-Run 2010 (Version:

14.0.4763.1000)
Microsoft Office Click-to-Run 2010 (x32 Version:

14.0.4763.1000)
Microsoft Office Starter 2010 - English (x32 Version:

14.0.4763.1000)
Microsoft Silverlight (x32 Version: 4.0.60531.0)
Microsoft Silverlight 3 SDK (x32 Version: 3.0.40818.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32

Version: 3.1.0000)
Microsoft SQL Server 2008 (64-bit)
Microsoft SQL Server 2008 Browser (x32 Version:

10.1.2531.0)
Microsoft SQL Server 2008 Common Files (Version:

10.0.1600.22)
Microsoft SQL Server 2008 Common Files (Version:

10.1.2531.0)
Microsoft SQL Server 2008 Database Engine Services (Version: 10.1.2531.0)
Microsoft SQL Server 2008 Database Engine Shared (Version: 10.1.2531.0)
Microsoft SQL Server 2008 Native Client (Version: 10.1.2531.0)
Microsoft SQL Server 2008 R2 Management Objects (x32 Version: 10.50.1447.4)
Microsoft SQL Server 2008 R2 Management Objects (x64) (Version: 10.50.1447.4)
Microsoft SQL Server 2008 RsFx Driver (Version: 10.1.2531.0)
Microsoft SQL Server 2008 Setup Support Files  (Version: 10.1.2731.0)
Microsoft SQL Server Compact 3.5 SP2 ENU (x32 Version: 3.5.8080.0)
Microsoft SQL Server Compact 3.5 SP2 x64 ENU (Version: 3.5.8080.0)
Microsoft SQL Server System CLR Types (x32 Version: 10.50.1447.4)
Microsoft SQL Server System CLR Types (x64) (Version: 10.50.1447.4)
Microsoft SQL Server VSS Writer (Version: 10.1.2531.0)
Microsoft Sync Framework Runtime v1.0 SP1 (x64) (Version: 1.0.3010.0)
Microsoft Visual Basic 2010 Express - ENU (x32 Version: 10.0.30319)
Microsoft Visual C# 2010 Express - ENU (x32 Version: 10.0.30319)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974 (x32 Version: 9.0.30729.4974)
Microsoft Visual C++ 2010  x64 Runtime - 10.0.30319 (Version: 10.0.30319)
Microsoft Visual C++ 2010  x86 Runtime - 10.0.30319 (x32 Version: 10.0.30319)
Microsoft Visual F# 2.0 Runtime (x32 Version: 10.0.30319)
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools (x32 Version: 10.0.30319)
Microsoft Visual Studio 2010 Express Prerequisites x64 - ENU (Version: 10.0.30319)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.30319)
Microsoft Visual Studio Macro Tools (x32 Version: 9.0.30729)
Microsoft XNA Framework Redistributable 3.1 (x32 Version: 3.1.10527.0)
Mozilla Firefox 13.0.1 (x86 en-US) (x32 Version: 13.0.1)
Mozilla Maintenance Service (x32 Version: 13.0.1)
Mozilla Thunderbird (3.1.12) (x32 Version: 3.1.12 (en-US))
MSVCRT (x32 Version: 14.0.1468.721)
Nero 9 Essentials (x32)
Nero ControlCenter (x32 Version: 9.0.0.1)
Nero DiscSpeed (x32 Version: 5.4.13.100)
Nero DiscSpeed Help (x32 Version: 5.4.4.100)
Nero DriveSpeed (x32 Version: 4.4.12.100)
Nero DriveSpeed Help (x32 Version: 4.4.4.100)
Nero Express Help (x32 Version: 9.6.2.101)
Nero InfoTool (x32 Version: 6.4.12.100)
Nero InfoTool Help (x32 Version: 6.4.4.100)
Nero Installer (x32 Version: 4.4.9.0)
Nero Online Upgrade (x32 Version: 1.3.0.0)
Nero StartSmart (x32 Version: 9.4.37.100)
Nero StartSmart Help (x32 Version: 9.4.27.100)
Nero StartSmart OEM (x32 Version: 9.15.0.100)
NeroExpress (x32 Version: 9.4.33.100)
neroxml (x32 Version: 1.0.0)
NVIDIA Drivers (Version: 1.7)
NVIDIA ForceWare Network Access Manager (Version: 1.00.7305)
NVIDIA ForceWare Network Access Manager (x32)
OpenOffice.org 3.3 (x32 Version: 3.3.9567)
Pharaoh and Cleopatra (x32)
Populous (x32)
Python 2.5 Numeric-24.2 (HKCU)
Python 2.5 pygame-1.7.1release (HKCU)
Python 2.5.1 (x32 Version: 2.5.1150)
Python 2.7.2 (64-bit) (Version: 2.7.2150)
Python 3.2.2 (64-bit) (Version: 3.2.2150)
QuickTime (x32 Version: 7.74.80.86)
Realtek High Definition Audio Driver (x32 Version: 6.0.1.5898)
Scratch (x32 Version: 1.4.0.0)
Service Pack 1 for SQL Server 2008 (KB968369) (64-bit) (Version: 10.1.2531.0)
Sigil 0.5.3
Skype Toolbars (x32 Version: 5.3.7555)
Skype™ 5.3 (x32 Version: 5.3.120)
SPE (x32)
Sql Server Customer Experience Improvement Program (Version: 10.1.2531.0)
The Whispered World (x32)
TNT Reading Plus (x32 Version: 13.10.0)
TP-LINK Wireless Client Utility (x32 Version: 7.0)
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU (x32 Version: 4.0.8080.0)
VLC media player 1.1.11 (x32 Version: 1.1.11)
Web Deployment Tool (Version: 1.1.0618)
Welcome Center (x32 Version: 1.02.3004)
Windows Live Call (x32 Version: 14.0.8064.0206)
Windows Live Communications Platform (x32 Version: 14.0.8064.206)
Windows Live Essentials (x32 Version: 14.0.8089.0726)
Windows Live Essentials (x32 Version: 14.0.8089.726)
Windows Live Mail (x32 Version: 14.0.8089.0726)
Windows Live Messenger (x32 Version: 14.0.8089.0726)
Windows Live Movie Maker (x32 Version: 14.0.8091.0730)
Windows Live Photo Gallery (x32 Version: 14.0.8081.709)
Windows Live Sign-in Assistant (x32 Version: 5.000.818.5)
Windows Live Sync (x32 Version: 14.0.8089.726)
Windows Live Upload Tool (x32 Version: 14.0.8014.1029)
Windows Live Writer (x32 Version: 14.0.8089.0726)
WindowsFormsApplication1 (HKCU Version: 1.0.0.0)
WinRAR 4.11 (64-bit) (Version: 4.11.0)
wxPython 2.8.7.1 (unicode) for Python 2.5 (x32 Version: 2.8.7.1-unicode)

==================== Restore Points  =========================

16-03-2013 18:33:09 Installed Captain's Log MindPower Builder
16-03-2013 22:31:41 Installed TNT Reading Plus
15-04-2013 06:36:34 Installed Evernote v. 4.6.4
18-05-2013 15:44:44 Removed OpenOffice.org 3.3
18-05-2013 15:51:10 Installed Java™ 6 Update 22
18-05-2013 15:52:26 Installed OpenOffice.org 3.3

==================== Hosts content: ==========================

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {03772190-63B9-42FC-8B2E-3F33C36CD464} - System32\Tasks\{17AEDCCF-AE69-4657-9844-6D29124E120E} => C:\Program Files (x86)\Skype\\Phone\Skype.exe [2011-06-15] (Skype Technologies S.A.)
Task: {5AC0BA06-ECFE-4CF5-8BDC-B6777548218A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-10] (Adobe Systems Incorporated)
Task: {7DD9B120-1E0C-4C30-B661-48D542DB6025} - System32\Tasks\{2FA11EDE-15FF-498E-827A-63AFA1909CC9} => D:\Autorun.exe
Task: {AF02B22E-BDAC-4698-B9BE-2590290A76BD} - System32\Tasks\Microsoft\Windows Defender\MpIdleTask => c:\program files\windows defender\MpCmdRun.exe [2009-07-13] ()
Task: {AFA8DE0D-63EF-4133-A0C4-791D97050554} - System32\Tasks\{24626757-05F7-4ADC-A037-65C810076CF1} => D:\Autorun.exe
Task: {C43B0B95-9211-4B46-9E4D-1D621EA9F6B0} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => c:\program files\windows defender\MpCmdRun.exe [2009-07-13] ()
Task: {C7408C5C-99C9-4284-8D5A-115894A3D558} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {CCD96A28-FC37-4941-B635-D5F7F656735A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {DB04D1E8-2E45-4886-9D74-D831FC77501F} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2009-07-13 18:21 - 2009-07-13 20:41 - 00320000 _____ () C:\Windows\system32\mswsock.dll
2011-11-02 00:26 - 2011-11-02 00:26 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2011-11-02 00:26 - 2011-11-02 00:26 - 01242472 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2010-08-04 04:47 - 2010-08-04 04:47 - 00144896 _____ () C:\Program Files (x86)\eMachines\Hotkey Utility\HotkeyHook.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================


==================== Faulty Device Manager Devices =============

Name: NVIDIA nForce 10/100/1000 Mbps Ethernet
Description: NVIDIA nForce Networking Controller
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: NVIDIA
Service: NVNET
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (10/23/2013 08:12:28 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifest2" on line C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6.manifest.

Error: (10/23/2013 05:50:16 AM) (Source: Application Error) (User: )
Description: Faulting application name: FlashPlayerPlugin_11_9_900_117.exe, version: 11.9.900.117, time stamp: 0x5244d3b6
Faulting module name: explorerframe.dll_unloaded, version: 0.0.0.0, time stamp: 0x4a5bda55
Exception code: 0xc0000005
Fault offset: 0x72486ed1
Faulting process id: 0x320
Faulting application start time: 0xFlashPlayerPlugin_11_9_900_117.exe0
Faulting application path: FlashPlayerPlugin_11_9_900_117.exe1
Faulting module path: FlashPlayerPlugin_11_9_900_117.exe2
Report Id: FlashPlayerPlugin_11_9_900_117.exe3

Error: (10/23/2013 05:37:46 AM) (Source: Application Error) (User: )
Description: Faulting application name: FlashPlayerPlugin_11_9_900_117.exe, version: 11.9.900.117, time stamp: 0x5244d3b6
Faulting module name: explorerframe.dll_unloaded, version: 0.0.0.0, time stamp: 0x4a5bda55
Exception code: 0xc0000005
Fault offset: 0x724851f2
Faulting process id: 0x574
Faulting application start time: 0xFlashPlayerPlugin_11_9_900_117.exe0
Faulting application path: FlashPlayerPlugin_11_9_900_117.exe1
Faulting module path: FlashPlayerPlugin_11_9_900_117.exe2
Report Id: FlashPlayerPlugin_11_9_900_117.exe3

Error: (10/21/2013 07:55:38 PM) (Source: CVHSVC) (User: )
Description: Information only.
Error:  Initialization failed 0x80070424 Type: 88::UnexpectedError.

Error: (10/17/2013 11:04:34 PM) (Source: CVHSVC) (User: )
Description: Information only.
Error:  Initialization failed 0x80070424 Type: 88::UnexpectedError.

Error: (10/17/2013 10:47:16 PM) (Source: Application Error) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7600.16450, time stamp: 0x4aebab8d
Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5be02b
Exception code: 0xc00000fd
Fault offset: 0x0000000000053841
Faulting process id: 0xfcc
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3

Error: (10/17/2013 10:40:16 PM) (Source: Application Error) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7600.16450, time stamp: 0x4aebab8d
Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5be02b
Exception code: 0xc00000fd
Fault offset: 0x0000000000053841
Faulting process id: 0x678
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3

Error: (10/17/2013 09:08:28 PM) (Source: CVHSVC) (User: )
Description: Information only.
Error:  Initialization failed 0x80070424 Type: 88::UnexpectedError.

Error: (10/17/2013 08:38:36 PM) (Source: CVHSVC) (User: )
Description: Information only.
Error:  Initialization failed 0x80070424 Type: 88::UnexpectedError.

Error: (10/17/2013 08:03:43 PM) (Source: Application Error) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7600.16450, time stamp: 0x4aebab8d
Faulting module name: ntdll.dll, version: 6.1.7600.16385, time stamp: 0x4a5be02b
Exception code: 0xc00000fd
Fault offset: 0x000000000005382a
Faulting process id: 0x50c
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3


System errors:
=============
Error: (10/23/2013 08:21:31 PM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891

Error: (10/23/2013 08:21:31 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (10/23/2013 08:21:22 PM) (Source: Service Control Manager) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error:
%%2

Error: (10/23/2013 08:18:52 PM) (Source: Service Control Manager) (User: )
Description: The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

Error: (10/23/2013 08:18:50 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (10/23/2013 05:00:47 AM) (Source: Service Control Manager) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Provider Host service which failed to start because of the following error:
%%1068

Error: (10/22/2013 10:33:34 PM) (Source: DCOM) (User: )
Description: 1068fdPHost{D3DCB472-7261-43CE-924B-0704BD730D5F}

Error: (10/22/2013 10:33:34 PM) (Source: DCOM) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (10/22/2013 10:30:12 PM) (Source: DCOM) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (10/22/2013 10:30:10 PM) (Source: DCOM) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}


Microsoft Office Sessions:
=========================
Error: (10/23/2013 08:12:28 PM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifestC:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6.manifestC:\Users\Otter\Downloads\SoftonicDownloader_for_vlc-media-player.exe

Error: (10/23/2013 05:50:16 AM) (Source: Application Error)(User: )
Description: FlashPlayerPlugin_11_9_900_117.exe11.9.900.1175244d3b6explorerframe.dll_unloaded0.0.0.04a5bda55c000000572486ed132001cecfdd95b1ca70C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exeexplorerframe.dlle68d9690-3bd0-11e3-8abb-ad0a5e939dae

Error: (10/23/2013 05:37:46 AM) (Source: Application Error)(User: )
Description: FlashPlayerPlugin_11_9_900_117.exe11.9.900.1175244d3b6explorerframe.dll_unloaded0.0.0.04a5bda55c0000005724851f257401cecfdbd28aa4a0C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_9_900_117.exeexplorerframe.dll272d8ae0-3bcf-11e3-8abb-ad0a5e939dae

Error: (10/21/2013 07:55:38 PM) (Source: CVHSVC)(User: )
Description: Error:  Initialization failed 0x80070424 Type: 88::UnexpectedError.

Error: (10/17/2013 11:04:34 PM) (Source: CVHSVC)(User: )
Description: Error:  Initialization failed 0x80070424 Type: 88::UnexpectedError.

Error: (10/17/2013 10:47:16 PM) (Source: Application Error)(User: )
Description: explorer.exe6.1.7600.164504aebab8dntdll.dll6.1.7600.163854a5be02bc00000fd0000000000053841fcc01cecbb3cc8ba760C:\Windows\explorer.exeC:\Windows\SYSTEM32\ntdll.dllfa695cd0-37a7-11e3-b6a7-86f3d2b730d7

Error: (10/17/2013 10:40:16 PM) (Source: Application Error)(User: )
Description: Explorer.EXE6.1.7600.164504aebab8dntdll.dll6.1.7600.163854a5be02bc00000fd000000000005384167801cecba57a017fa0C:\Windows\Explorer.EXEC:\Windows\SYSTEM32\ntdll.dll0016dfa0-37a7-11e3-b6a7-86f3d2b730d7

Error: (10/17/2013 09:08:28 PM) (Source: CVHSVC)(User: )
Description: Error:  Initialization failed 0x80070424 Type: 88::UnexpectedError.

Error: (10/17/2013 08:38:36 PM) (Source: CVHSVC)(User: )
Description: Error:  Initialization failed 0x80070424 Type: 88::UnexpectedError.

Error: (10/17/2013 08:03:43 PM) (Source: Application Error)(User: )
Description: Explorer.EXE6.1.7600.164504aebab8dntdll.dll6.1.7600.163854a5be02bc00000fd000000000005382a50c01cecb955b8c15e0C:\Windows\Explorer.EXEC:\Windows\SYSTEM32\ntdll.dll216c7360-3791-11e3-a93f-bc3b2306fbdf


==================== Memory info ===========================

Percentage of memory in use: 43%
Total physical RAM: 1790.49 MB
Available physical RAM: 1013.81 MB
Total Pagefile: 3580.98 MB
Available Pagefile: 2585.47 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: (eMachines) (Fixed) (Total:283.99 GB) (Free:22.41 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298 GB) (Disk ID: 740F0F46)
Partition 1: (Not Active) - (Size=14 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=284 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#4 Otter Stenwick (Topic Starter)

Posted 25 October 2013 - 12:31 AM

Awaiting your next instructions :)

#5 TB-Psychotic (Malware Response Team)

Posted 26 October 2013 - 07:01 AM

I cannot read your post clearly... please attach frst.txt to your next reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)

#6 Otter Stenwick (Topic Starter)

Posted 27 October 2013 - 08:07 PM

My reply was frst.txt, plus addition.txt below it.
I will re-run Farbar FRST. Why could you not read it? Too long? Something else?

Upon re-reading your reply I see you want it attached, not copied.

Here it is =attached= as requested

 

Attached Files


Edited by Otter Stenwick, 27 October 2013 - 08:30 PM.


#7 TB-Psychotic (Malware Response Team)

Posted 28 October 2013 - 04:30 AM

Fix with FRST (normal mode)

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    HKCU\...\Run: [GetBooks] - "C:\Users\Otter\AppData\Local\GetBooks\GetBooks.exe" 307a5a71e299b52634284b16de55df44
    HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
    BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
    U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{2da805ed-f3ec-902b-40fc-667ecac865a5}\   \...\???\{2da805ed-f3ec-902b-40fc-667ecac865a5}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
    
    C:\Users\Otter\AppData\Local\GetBooks
    C:\Program Files (x86)\Google\Desktop
    C:\Windows\SysWOW64\%APPDATA%
    C:\$Recycle.Bin\S-1-5-21-1865460656-4038712473-3081438186-1000
    
    DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
    
    CMD: netsh winsock reset
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64-bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

 

 

 

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.



#8 Otter Stenwick (Topic Starter)

Posted 28 October 2013 - 07:53 PM


PC running very slowly.
Put fixlist in download directory, ran FRST. It took 15-25+ min to run, reboot, create log.

I had mbam from last week that I had renamed mexplorer-setup-1.75.0.1300.exe.
Setup was unable to create the directory
C:\Users\Otter\AppData\Local\Temp\is-JDSAM.tmp
Error 5:Access is Denied.
This is the same error I was getting last week.  
I redownloaded mbam and got the error again immediately - same except diff temp folder (is-4c9m.tmp).

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 27-10-2013 01
Ran by Otter at 2013-10-28 18:15:26 Run:1
Running from C:\Users\Otter\Downloads
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKCU\...\Run: [GetBooks] - "C:\Users\Otter\AppData\Local\GetBooks\GetBooks.exe" 307a5a71e299b52634284b16de55df44
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{2da805ed-f3ec-902b-40fc-667ecac865a5}\   \...\???\{2da805ed-f3ec-902b-40fc-667ecac865a5}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

C:\Users\Otter\AppData\Local\GetBooks
C:\Program Files (x86)\Google\Desktop
C:\Windows\SysWOW64\%APPDATA%
C:\$Recycle.Bin\S-1-5-21-1865460656-4038712473-3081438186-1000

DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

CMD: netsh winsock reset
*****************

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GetBooks => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key not found.
*etadpug => Service deleted successfully.
"C:\Users\Otter\AppData\Local\GetBooks" => File/Directory not found.

"C:\Program Files (x86)\Google\Desktop" directory move:

Could not move "C:\Program Files (x86)\Google\Desktop" directory. => Scheduled to move on reboot.

C:\Windows\SysWOW64\%APPDATA% => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-1865460656-4038712473-3081438186-1000 => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

=========  netsh winsock reset =========

The following helper DLL cannot be loaded: WSHELPER.DLL.
The following command was not found: winsock reset.

========= End of CMD: =========


=========== Result of Scheduled Files to move ===========

C:\Program Files (x86)\Google\Desktop => Moved successfully.

==== End of Fixlog ====
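The fixlist in post #7 and the Fixlog above together show the artifact set that the helper treated as ZeroAccess: a Run value FRST could not resolve ("[x]"), an orphaned BHO with no file on disk, a service whose image path uses whitespace-only, "..." and "???" directory names, a folder literally named %APPDATA% under SysWOW64, a per-user $Recycle.Bin SID folder used as a load path, and reparse points planted over every file in the Windows Defender directory. As an added example (not FRST's code and not part of the original thread), the Python script below turns those indicators into triage rules that can be run over FRST-style log lines before a fixlist is written. The rule names, the reversed-service-name check (the thread's "etadpug" is "gupdate" backwards) and the 32-hex-digit Run-argument heuristic are this example's own assumptions, and the sample lines are constructed from the fixlist and Fixlog entries quoted above.

```python
"""Triage of FRST-style log lines for ZeroAccess-type indicators.

Added example: this is not FRST's code and not part of the original thread.
SAMPLE_LOG is constructed from the fixlist and Fixlog entries quoted in the
thread; rule names and heuristics are this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


# Service names whose letter-reversal has been used as a cover name
# (the thread's "etadpug" is "gupdate" backwards). Assumption; extend as needed.
KNOWN_SERVICE_NAMES = {"gupdate", "gupdatem"}

# (rule name, regex searched against one stripped log line)
RULES = [
    # Quoted image path containing whitespace-only, "..." or "???" directory
    # names: the hidden-path trick FRST flags as "(ZeroAccess)".
    ("odd_path_segment",
     re.compile(r'"[A-Za-z]:\\[^"]*(?:\\ {2,}\\|\\\.\.\.\\|\\\?\?\?\\)[^"]*"')),
    # A folder literally named %APPDATA% under SysWOW64: the variable was never
    # expanded, so this is a planted directory, not a profile path.
    ("literal_appdata_dir", re.compile(r"\\SysWOW64\\%APPDATA%", re.I)),
    # Anything living in a per-user $Recycle.Bin SID folder.
    ("recycle_bin_sid_path",
     re.compile(r"\\\$Recycle\.Bin\\S-1-5-21-[\d-]+", re.I)),
    # Run value whose target FRST could not resolve ("[x]").
    ("unresolved_run_value",
     re.compile(r"^HK(?:CU|LM)\\.*\\Run: \[[^\]]*\] - \[x\]", re.I)),
    # Run value passing a bare 32-hex-digit argument (heuristic assumption).
    ("run_value_hash_arg",
     re.compile(r'^HK(?:CU|LM)\\.*\\Run: \[[^\]]*\] - "[^"]+" [0-9a-f]{32}\s*$', re.I)),
    # Browser Helper Object with no name and no file on disk.
    ("orphan_bho",
     re.compile(r"^BHO(?:-x32)?: No Name - \{[0-9A-F-]+\} -\s+No File", re.I)),
    # Fixlog line showing a reparse point removed from a system program file.
    ("reparse_point_in_system_dir",
     re.compile(r'^"C:\\(?:Program Files(?: \(x86\))?|Windows)\\.*" => Deleting reparse point', re.I)),
]

# FRST service line: start-type code, optional "*" marker, name, semicolon.
SERVICE_LINE = re.compile(r"^[A-Z]\d \*?(?P<name>[^;\s]+);")


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (rule, line) hit, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(rule, line))
        svc = SERVICE_LINE.match(line)
        if svc and svc.group("name")[::-1].lower() in KNOWN_SERVICE_NAMES:
            findings.append(Finding("reversed_service_name", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample, copied from the fixlist/Fixlog quoted in the thread,
# plus one benign scheduled-task line that should not fire any rule.
SAMPLE_LOG = r"""
HKCU\...\Run: [GetBooks] - "C:\Users\Otter\AppData\Local\GetBooks\GetBooks.exe" 307a5a71e299b52634284b16de55df44
HKCU\...\Run: [Google Update*] - [x]
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
U2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{2da805ed-f3ec-902b-40fc-667ecac865a5}\   \...\???\{2da805ed-f3ec-902b-40fc-667ecac865a5}\GoogleUpdate.exe"
C:\Windows\SysWOW64\%APPDATA% => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-1865460656-4038712473-3081438186-1000 => Moved successfully.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
Task: {5AC0BA06-ECFE-4CF5-8BDC-B6777548218A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-10-10] (Adobe Systems Incorporated)
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit.rule:28} {hit.line[:80]}")
```

On the sample the service line fires twice (odd path segments and a reversed name), every other planted artifact fires once, and the genuine Adobe task line stays quiet. The odd-path rule deliberately only looks inside a quoted drive path so that FRST's own "HKCU\...\Run" abbreviation does not trigger it.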

#9 TB-Psychotic (Malware Response Team)

Posted 29 October 2013 - 02:44 AM

Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!
  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe
When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.

#10 Otter Stenwick (Topic Starter)

Posted 29 October 2013 - 07:08 PM

I tried to run the ComboFix that was downloaded last week. This morning it did nothing. This evening it errors out after a minute with "Error! Can't initialize plug-ins directory. Please try again later."

#11 Otter Stenwick (Topic Starter)

Posted 30 October 2013 - 01:01 AM

If you re-read my first entry you will see ComboFix did not work originally, which is when I quit running programs on my own... See the previous entry for the current error message.

Edited by Otter Stenwick, 30 October 2013 - 01:03 AM.


#12 TB-Psychotic (Malware Response Team)

Posted 30 October 2013 - 03:15 AM

Delete your existing copy of ComboFix. Then reboot into Safe Mode with Networking and try again.


Combofix

Combofix should only be run when advised by a team member!

Link


Important - Save the file to your desktop!
  • Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
  • Run Combofix.exe
When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing "Illegal operation attempted on a registry key that has been marked for deletion", simply restart your computer to fix this.

#13 Otter Stenwick (Topic Starter)

Posted 30 October 2013 - 08:27 PM

Getting into safe mode was difficult - eMachines need you to press it multiple times. I had downloaded a new copy of ComboFix. I ran it and got the same error again. I did all these programs last week, as I noted last week! I am sorry I can't give you more logs when the programs don't run. Have you asked others for suggestions when these tools don't run?

I wonder if I have 2 malware or some other problems with my computer as well.

I continue to notice strange entries - Internet Explorer creates 2 tasks when it runs, Firefox has huge memory usage, I had another network listing (josh basement?) when I went to disable my internet access, and everything is VERY slow!! Especially shutting down, which takes 2-4 minutes on the 'shutting down' screen.

Another person suggested I download Kaspersky Rescue Disk 10 and boot to that on a USB drive, to detect and possibly clean the drive. Shall I try it?


Edited by Otter Stenwick, 31 October 2013 - 01:26 AM.


#14 TB-Psychotic (Malware Response Team)

Posted 31 October 2013 - 03:08 AM

Kaspersky Rescue Disk would be one of the next steps...


Create/Scan with Kaspersky Rescue Disk

Follow the instructions on this page for downloading the kav_rescue_10.iso (200 mb) file and creating the Kaspersky Rescue Disk.

Make sure you set the machine to boot from the CD-ROM drive first. Then save and exit the BIOS. The computer will begin to boot. Insert the disc in the CD-ROM drive, then restart the machine. It should then boot from that CD.

It's best if you refer to the instructions and images at Kaspersky How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

Once it boots from CD, press a key so it continues to boot from that CD.

Select the language, then be sure to select Kaspersky Rescue Disk Graphic Mode.

Kaspersky should begin scanning your machine. If it finds infection, look carefully at the files it lists. If any of them seem to be legit files, do not allow it to clean/quarantine/delete them. Rather, save the log and post the results for me to look over.

#15 Otter Stenwick (Topic Starter)

Posted 01 November 2013 - 02:20 AM

Repair 10 does not boot. I tried both a USB drive and a CD. Changed BIOS to boot first to media, then Nvidia option?, 3rd hard drive. It will sit at boot CD for a few seconds, Nvidia media unplugged error, then boot up in Windows normal off HD. I have figured out how to press F8 enough to safe mode boot. Few other people have no rescue boot issue. Frustrated that nothing will install!! In safe mode ran Rkill and updated FRST since they are the only programs that run :( (did not run your fix script again). Tried Malwarebytes again - still no authority to install despite being an admin account.
If deleting anything would help, let me know and I will. Writing this on an iPad. Will attach log files in case you want to check them (but not overwhelm the thread).
Next idea of what to try....

Attached Files


Edited by Otter Stenwick, 01 November 2013 - 02:28 AM.




