
Zero Access Infection on Dual-Booting System


This topic is locked
26 replies to this topic

#1 paultomasi (Members, 24 posts)

Posted 09 December 2013 - 07:16 AM

My computer is infected with Zero Access virus.

My system is dual-booting (Windows 8.0 32-bit preview release and Windows 8.1 64-bit Preview release).

I first noticed the infection in Windows 8.1 64-bit. My security was disabled and attempts to enable it failed.

A recent virus scan informs me there is evidence of Zero Access infection present.

I have tried many methods to solve this problem but I am now ready to receive guidance.

Can someone please help me? Thank you.

Paul

 





#2 paultomasi (Topic Starter, Members, 24 posts)

Posted 09 December 2013 - 03:47 PM

I have followed the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" however, the system reboots during the scan...



#3 paultomasi (Topic Starter, Members, 24 posts)

Posted 09 December 2013 - 07:05 PM

(Working in Windows 8.0) I have been tackling this manually and so far tracked ZeroAccess to gupdate.exe.

I was able to eventually delete this file.

Windows Defender suffered massive damage as did C:\Windows\WinSxS.

Having prepared various downloads from a clean machine, working in safe mode, and with the internet unplugged, I was able to manually delete remnants of ZeroAccess.

My aim is to install Avast and perform a full scan during a clean boot.



#4 HelpBot, Bleepin' Binary Bot (Bots, 12,660 posts)

Posted 14 December 2013 - 07:20 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/516921 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 HelpBot, Bleepin' Binary Bot (Bots, 12,660 posts)

Posted 19 December 2013 - 07:25 AM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

#6 Budapest, Bleepin' Cynic (Moderator, 23,579 posts)

Posted 21 December 2013 - 11:29 PM

This topic has been re-opened at the request of the person who originally posted.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#7 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 23 December 2013 - 12:05 AM

Hello paultomasi, and welcome to the Virus/Trojan/Spyware/Malware Removal forum.

I am oneof4, and I am here to help you!

  • I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
  • At the top right-center of the topic you will see a button called Follow this topic. If you click on this, another page will open. Please choose Instantly for notification and then clicking on Follow this topic you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • If after 5 days you have not replied to this topic, I will assume it has been abandoned, and I will close it.
  • I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

We need to see some information about what is happening in your machine.  Please perform the following scans:

Download Security Check by screen317 from http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

==========
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Best Regards,
oneof4.


#8 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 01 January 2014 - 11:25 AM

Do you still need help?


Best Regards,
oneof4.


#9 oneof4 (Malware Response Team, 3,779 posts, Location: The Collective)

Posted 02 January 2014 - 06:48 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Best Regards,
oneof4.


#10 Andrew, Bleepin' Night Watchman (Moderator, 8,259 posts, Location: Right behind you)

Posted 03 January 2014 - 12:38 PM

This topic has been re-opened at the request of the person who originally posted.

#11 paultomasi (Topic Starter, Members, 24 posts)

Posted 04 January 2014 - 10:43 AM

I am no longer able to boot into Windows 8.1 64-bit (probably due to me hacking it to pieces).

When booting the PC, I can no longer get it to ask me which Windows version to boot to, and it was under Windows 8.1 64-bit where I noticed I was infected with the ZeroAccess virus.

On a positive note, I can access all the files on the Windows 8.1 64-bit partition so this may not be a major problem at the moment.

My disk configuration is as follows:

Disk 0 Volumes:
    System Reserved:  350 MB, NTFS, Healthy (System, Active, Primary Partition)
    Win 8 (C:):       139.39 GB, NTFS, Healthy (Boot, Page File, Cache Dump, Primary Partition)

CD-ROM 0:
    DVD (D:):         No Media

Disk 1 Volumes:
    Win 8.1 (E:):     149.00 GB, NTFS, Healthy (Active, Primary Partition)

Disk 2 Volumes:
    DATA (F:):        931.51 GB, NTFS, Healthy (Primary Partition)

NOTE:

In MSConfig (System Configuration), [Boot] tab, there is just the one entry:

    Windows 8 (C:\Windows) : Current OS; Default OS

Should there be another entry for the Windows 8.1 OS?

Can I manually repair this so that I can boot back to Windows 8.1 again?

====== (1) DDS.COM ======

HelpBot suggested (#4, 14 December 2013 - 12:20 PM) I download and run DDS.COM.

Booting to Windows 8.0 32-bit. DDS.COM is not able to complete the scan of my system. About two-thirds of the way through, the PC reboots.

====== (2) SecurityCheck.exe ======

As requested (#7, 23 December 2013 - 05:05 AM) by Oneof4.

 Results of screen317's Security Check version 0.99.78 
   x86 (UAC is enabled) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 Windows Firewall Disabled! 
avast! Antivirus  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
 Adobe Flash Player  11.8.800.94 
 Mozilla Firefox 22.0 Firefox out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast AvastUI.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 
````````````````````End of Log``````````````````````

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 02-01-2014 01
Ran by Paul at 2014-01-03 20:52:02
Running from C:\BC
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

7-Zip 9.20 (Version:  - )
ACID Xpress 7.0 (Version: 7.0.73 - Sony)
Adobe Flash Player 11 Plugin (Version: 11.8.800.94 - Adobe Systems Incorporated)
Audiograbber 1.83 SE  (Version: 1.83 SE  - Audiograbber)
avast! Free Antivirus (Version: 9.0.2008 - Avast Software)
CCleaner (Version: 4.05 - Piriform)
CDex - Open Source Digital Audio CD Extractor (Version: 1.70.4.2009 - Georgy Berdyshev)
Clementine (Version: 1.1.1 - Clementine)
CodeBlocks (Version: 12.11 - The Code::Blocks Team)
CPUID CPU-Z 1.66.1 (Version:  - )
CuteFTP 9 (Version: 9.0.5 - Globalscape)
EPSON Printer Software (Version:  - SEIKO EPSON Corporation)
Evince 2.32.0.145 (Version: 2.32.0.145 - (Custom build))
FileZilla Client 3.7.1.1 (Version: 3.7.1.1 - Tim Kosse)
GIMP 2.8.4 (Version: 2.8.4 - The GIMP Team)
Google Update Helper (Version: 1.3.21.153 - Google Inc.) Hidden
HD Tune 2.55 (Version:  - EFD Software)
Lightworks (Version: 11.1.0.0 - Lightworks)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219 - Microsoft Corporation)
Miro (Version: 6.0 - Participatory Culture Foundation)
Miro Video Converter (Version: 0.8.0 - Participatory Culture Foundation)
Mozilla Firefox 22.0 (x86 en-US) (Version: 22.0 - Mozilla)
MSVCRT Redists (Version: 1.0 - Sony Creative Software Inc.) Hidden
MuseScore 1.3 (Version: 1.3.0 - Werner Schweer and Others)
Notepad++ (Version: 6.3 - )
NVIDIA Control Panel 314.22 (Version: 314.22 - NVIDIA Corporation) Hidden
NVIDIA Graphics Driver 314.22 (Version: 314.22 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.23.1 (Version: 1.3.23.1 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.115.743 - NVIDIA Corporation) Hidden
OpenOffice 4.0.0 (Version: 4.00.9702 - Apache Software Foundation)
qBittorrent 3.0.9 (Version: 3.0.9 - Christophe Dumez)
Realtek High Definition Audio Driver (Version: 6.0.1.6662 - Realtek Semiconductor Corp.)
SSC Service Utility v4.30 (Version:  - SSC Localization Group)
VC80CRTRedist - 8.0.50727.6195 (Version: 1.2.0 - DivX, Inc) Hidden
VLC media player 2.0.7 (Version: 2.0.7 - VideoLAN)
WinDirStat 1.1.2 (Version:  - )

==================== Restore Points  =========================

13-12-2013 21:17:58 WLSetup
22-12-2013 03:30:32 Scheduled Checkpoint
30-12-2013 02:28:16 Scheduled Checkpoint

==================== Hosts content: ==========================

2013-11-06 14:53 - 2013-12-10 16:33 - 00000855 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {420FE4F2-591E-4096-A80C-296CBBA71C2E} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList
Task: {59B4E4CB-FBB1-4827-98F9-165FFB4E95C2} - System32\Tasks\Microsoft\Windows\Application Experience\StartupAppTask => Rundll32.exe Startupscan.dll,SusRunTask
Task: {59E81A26-CA55-4A37-9826-23020252F908} - System32\Tasks\Microsoft\Windows\ApplicationData\CleanupTemporaryState => Rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
Task: {6BA725C4-8F1E-4448-B982-A1F0119CE0F5} - System32\Tasks\Microsoft\Windows\WS\License Validation => Rundll32.exe WSClient.dll,WSpTLR licensing
Task: {85433BBF-59EF-4040-835C-BDF817901612} - System32\Tasks\Microsoft\Windows\Sysmain\WsSwapAssessmentTask => Rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask
Task: {FDAFD479-9C04-4BD8-AAE6-9D9F438F3933} - System32\Tasks\Microsoft\Windows\Servicing\StartComponentCleanup => C:\Windows\System32\Dism.exe [2012-05-19] (Microsoft Corporation)

==================== Loaded Modules (whitelisted) =============

2013-12-09 22:29 - 2013-12-09 22:29 - 19336120 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\18000646.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\24646105.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\18000646.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\24646105.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/03/2014 08:48:43 PM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is Number of WMI High Performance provider returned by WMI Adapter. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (01/03/2014 08:42:00 PM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is Number of WMI High Performance provider returned by WMI Adapter. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (01/03/2014 08:31:26 PM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is Number of WMI High Performance provider returned by WMI Adapter. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (01/03/2014 08:28:19 PM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is Number of WMI High Performance provider returned by WMI Adapter. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (01/03/2014 08:26:51 PM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is Number of WMI High Performance provider returned by WMI Adapter. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (01/02/2014 02:48:38 PM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is Number of WMI High Performance provider returned by WMI Adapter. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (01/02/2014 02:46:04 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 10.0.8400.0, time stamp: 0x4fb6ed03
Faulting module name: MSVCR110.dll, version: 11.0.51106.1, time stamp: 0x5098858e
Exception code: 0xc0000005
Fault offset: 0x00012b8a
Faulting process id: 0x100
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3
Faulting package full name: iexplore.exe4
Faulting package-relative application ID: iexplore.exe5

Error: (12/30/2013 02:28:21 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddCorePnPFiles : Enumerating driver store published INFs failed.

System Error:
The request is not supported.
.

Error: (12/30/2013 02:02:01 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is Number of WMI High Performance provider returned by WMI Adapter. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

Error: (12/28/2013 02:10:41 AM) (Source: Microsoft-Windows-LoadPerf) (User: NT AUTHORITY)
Description: The performance counter explain text string value in the registry is not formatted correctly. The malformed string is Number of WMI High Performance provider returned by WMI Adapter. The first DWORD in the Data section contains the index value to the malformed string while the second and third DWORDs in the Data section contain the last valid index values.

System errors:
=============
Error: (01/03/2014 08:44:31 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 8:37:48 PM on 1/3/2014 was unexpected.

Error: (01/03/2014 08:44:25 PM) (Source: Microsoft-Windows-Kernel-General) (User: NT AUTHORITY)
Description: 0xc000014d0

Error: (01/03/2014 08:37:48 PM) (Source: EventLog) (User: )
Description: The previous system shutdown at 8:22:40 PM on 1/3/2014 was unexpected.

Error: (01/03/2014 08:37:42 PM) (Source: Microsoft-Windows-Kernel-General) (User: NT AUTHORITY)
Description: 0xc000014d0

Error: (01/03/2014 08:34:50 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort3.

Error: (01/03/2014 08:34:49 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort3.

Error: (01/03/2014 08:34:48 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort3.

Error: (01/03/2014 08:34:47 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort3.

Error: (01/03/2014 08:34:47 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort3.

Error: (01/03/2014 08:34:47 PM) (Source: atapi) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort3.

Microsoft Office Sessions:
=========================
Error: (01/03/2014 08:48:43 PM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: Number of WMI High Performance provider returned by WMI Adapter1600000000C11B0000C11B0000D7090000

Error: (01/03/2014 08:42:00 PM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: Number of WMI High Performance provider returned by WMI Adapter1600000000C11B0000C11B0000D7090000

Error: (01/03/2014 08:31:26 PM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: Number of WMI High Performance provider returned by WMI Adapter1600000000C11B0000C11B0000D7090000

Error: (01/03/2014 08:28:19 PM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: Number of WMI High Performance provider returned by WMI Adapter1600000000C11B0000C11B0000D7090000

Error: (01/03/2014 08:26:51 PM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: Number of WMI High Performance provider returned by WMI Adapter1600000000C11B0000C11B0000D7090000

Error: (01/02/2014 02:48:38 PM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: Number of WMI High Performance provider returned by WMI Adapter1600000000C11B0000C11B0000D7090000

Error: (01/02/2014 02:46:04 PM) (Source: Application Error)(User: )
Description: iexplore.exe10.0.8400.04fb6ed03MSVCR110.dll11.0.51106.15098858ec000000500012b8a10001cf053971517535C:\Program Files\Internet Explorer\iexplore.exeC:\Windows\WinSxS\x86_avast.vc110.crt_2036b14a11e83e4a_11.0.60610.1_none_1d37a43bbfe1dc9c\MSVCR110.dll9aa7acbb-73bc-11e3-a665-00241d2e17e6

Error: (12/30/2013 02:28:21 AM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
AddCorePnPFiles : Enumerating driver store published INFs failed.

System Error:
The request is not supported.

Error: (12/30/2013 02:02:01 AM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: Number of WMI High Performance provider returned by WMI Adapter1600000000C11B0000C11B0000D7090000

Error: (12/28/2013 02:10:41 AM) (Source: Microsoft-Windows-LoadPerf)(User: NT AUTHORITY)
Description: Number of WMI High Performance provider returned by WMI Adapter1600000000C11B0000C11B0000D7090000

CodeIntegrity Errors:
===================================
  Date: 2013-05-06 22:26:06.509
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sfc_os.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Percentage of memory in use: 23%
Total physical RAM: 2048 MB
Available physical RAM: 1566.86 MB
Total Pagefile: 2560 MB
Available Pagefile: 1696.79 MB
Total Virtual: 2047.88 MB
Available Virtual: 1869.63 MB

==================== Drives ================================

Drive c: (Win 8) (Fixed) (Total:139.39 GB) (Free:119.18 GB) NTFS
Drive e: (Win 8.1) (Fixed) (Total:149 GB) (Free:105.01 GB) NTFS
Drive f: (DATA) (Fixed) (Total:931.51 GB) (Free:697.32 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: 85EBFD7E)
Partition 1: (Not Active) - (Size=932 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 140 GB) (Disk ID: E29EB0B8)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=139 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 149 GB) (Disk ID: D76EA90A)
Partition 1: (Not Active) - (Size=149 GB) - (Type=07 NTFS)

==================== End Of Log ============================

====== (3) FRST.exe ======

As requested (#7, 23 December 2013 - 05:05 AM) by Oneof4.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-01-2014 01
Ran by Paul (administrator) on PC1 on 03-01-2014 20:50:58
Running from C:\BC
Microsoft Windows 8 Release Preview (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) ===================

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AvastUI.exe] - C:\Program Files\AVAST Software\Avast\AvastUI.exe [3568312 2013-12-09] (AVAST Software)
MountPoints2: D - "D:\setup.exe"
HKU\Default\...\Run: [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\Default User\...\Run: [Sidebar] - %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.bing.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xECC39B3DE731CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKLM - avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Handler: AutorunsDisabled\wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (Microsoft Corporation)
Winsock: Catalog5 04 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100
Tcpip\..\Interfaces\{4FCBB7F1-7D91-4B90-BB77-2F849FC2EF0C}: [NameServer]8.8.8.8,8.8.4.4

FireFox:
========
FF ProfilePath: C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\keonwpv9.default
FF Homepage: hxxp://www.google.co.uk
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
FF Plugin: @google.com/npPicasa3,version=3.0.0 - C:\Program Files\Google\Picasa3\npPicasa3.dll No File
FF Plugin: @java.com/DTPlugin,version=10.21.2 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WLPG,version=16.4.3508.0205 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
FF Plugin: @videolan.org/vlc,version=2.0.7 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Extension: YouTube MP3 Download - C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\keonwpv9.default\Extensions\jid0-Z0Vu9hJlqV0fhIAPqPfmUCNubYQ@jetpack.xpi
FF Extension: Updated Ad Blocker for Firefox 11+ - C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\keonwpv9.default\Extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3618C}.xpi
FF Extension: Download YouTube Videos as MP4 - C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\keonwpv9.default\Extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF

Chrome:
=======
CHR HomePage: hxxp://www.google.com/ncr
CHR RestoreOnStartup: "hxxp://www.google.com/"
CHR DefaultSearchKeyword: http://www.google.com/
CHR Plugin: (Shockwave Flash) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\PepperFlash\11.7.700.202\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\29.0.1547.76\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\29.0.1547.76\pdf.dll No File
CHR Plugin: (DivX VOD Helper Plug-in) - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll No File
CHR Plugin: (DivX Plus Web Player) - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll No File
CHR Plugin: (Picasa) - C:\Program Files\Google\Picasa3\npPicasa3.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll No File
CHR Plugin: (VLC Web Plugin) - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_94.dll ()
CHR Plugin: (Java Deployment Toolkit 7.0.210.11) - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
CHR Extension: (Chit Chat City) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\achiaajeohjhddijekccekdhmmbogahe\1.4_0
CHR Extension: (BeGone Guerra Online) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahcchnfnladlkddlceegencfccjcfnjp\1_0
CHR Extension: (chessmail ~ Schach) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ahkgfhmdidjkcoflclddnmgacgeaahkk\2.2.12_0
CHR Extension: (Lucidchart: Diagrams Online) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\apboafhkiegglekeafbckfjldecefkhn\18_0
CHR Extension: (Reversi) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\aplpflfbkcifjkhcanimgkmgbeihaone\1.0.0.2_0
CHR Extension: (YouTube Options) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdokagampppgbnjfdlkfpphniapiiifn\1.8.137_0
CHR Extension: (HomeSwapper, council house exchange, Homeswap, house exchange - Home Page) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhepomjjeipmooejjkclafdnhobmjllj\2013.8.31.1572_0
CHR Extension: (Stockfish Chess Engine) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\blclgncpmocnakngonanmchfgoehjael\2.3.1.2_0
CHR Extension: (Spicy Schematics) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\blegkhkifkaidhbfdmlligpoabgffmcm\2.3.2_0
CHR Extension: (Call of duty Online) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmmfpiioapkhfkhanakeffcammpljhfd\1.1_0
CHR Extension: (History 2) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\cahejgbbfgmlmjgdjlibphdjeldhagkp\0.6.0_0
CHR Extension: (Chess Database Online) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\camfmmcdnlphhpiafcdjehiijplkmeke\1.0.0.0_0
CHR Extension: (Adblock Plus) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.5.5_0
CHR Extension: (Red Ball ) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\chhcfdhlmnnllgpaeknlijoehkigodbd\1.1.2_0
CHR Extension: (AdBlock+) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\chmimgmjdabgiilljdjfbonifbhiglao\1.1.9.18_0
CHR Extension: (Multiplayer Chess) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckjffnjacjdmdmpemmnplcgngbdgfmpc\1.2_0
CHR Extension: (Replace New Tab Page) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnkhddihkmmiiclaipbaaelfojkmlkja\1.2_0
CHR Extension: (Mini Pets) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\dbblkdgdckececdlldmopejbjfbgpcnh\1_0
CHR Extension: (PartyCloud) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\defekohaofmambflfpfoojkmfdpcbgko\4.1_0
CHR Extension: (FreeCell FREE) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\eodpakpdmbgmfdakbmmphpkabapdjchi\1.0_0
CHR Extension: (Google Apps Script) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\eoieeedlomnegifmaghhjnghhmcldobl\1.3_0
CHR Extension: (Dragon's Call II) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\fekbihbhfoldbdbjkldepljgmfanhmlo\0.0.0.1_0
CHR Extension: (Hardest game on earth 2) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\fffflepkpkdeinbbfgjlpgoddggnfamo\1.0_0
CHR Extension: (TV - Voozy.tv) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\flnepcgaapadgbmfkmacafjiejjhbipm\1.2_0
CHR Extension: (Watch ITV) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnbbjfmphmogchbnmjehbbahdepekbcn\1.1_0
CHR Extension: (Collusion for Chrome) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ganlifbpkcplnldliibcbegplfmcfigp\2.2.0_0
CHR Extension: (Air Hockey) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\gojagedhadegobocpaokaifiacjiolph\2.0.0_0
CHR Extension: (avast! Online Security) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki\9.0.2005.45_0
CHR Extension: (CircuitLab) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\haghanbgfkfpmepoohpigmglbfejljoj\0.0.0.8_0
CHR Extension: (Virtual Families) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\hghhhiocmmkhkamjbebmoookafamhobi\0.2_0
CHR Extension: (Isoball 3) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\iajlkcpgcnbhfhpdeooockfaincfkjjj\1.4.0_0
CHR Extension: (Reversi) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\idmhindgonjchndndoceodfmnficpjdg\2.9_0
CHR Extension: (Dragon's Call) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\iikkpomiljnmkmmbkcoihffbafbadcnb\0.0.0.1_0
CHR Extension: (Cooking dinner) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\imfhlhdfaokgndminnppfdhpifnniken\1.0_0
CHR Extension: (Cookies) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\iphcomljdfghbkdcfndaijbokpgddeno\1.7_0
CHR Extension: (Dragon Eternity) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhlcdemkogmboaddomippjbfokkedaoh\1.0.0.0_0
CHR Extension: (Play Chess vs. the Computer) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\jigmpephianlpnfdadfimdeiebbkoggb\1_0
CHR Extension: (FlyOrDie Checkers) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcgdaiakbmmipflbenhfdbmdnlamodbo\1.0.12_0
CHR Extension: (Chess) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\kiefmccciemniajdkgikpnocipidaaeg\1_0
CHR Extension: (Flow Colors Bridges) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhgjgepioclaangaicgmecejjcebppik\1.2_0
CHR Extension: (wet.fm) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\mahhpgifdcdppohmaeipjjpfeinakobj\1_0
CHR Extension: (Men's Fitness) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdjfaglapcnkfbbaokaeiafmeggpjaci\1.23_0
CHR Extension: (ChessCube Chess) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\mifpffdcpbindanieeagnpajlgpbeeno\1.1_0
CHR Extension: (Plants vs Zombies) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmcegpfdgcoclcdfkjahiimlikdpnina\1.0.5_0
CHR Extension: (Checkers) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnpfjokaplnkafjlidmjpkkcihedgcek\1.4_0
CHR Extension: (Go Fish) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\neefkidfhgdogabkmkenjiceblmookjf\1.0.0.0_0
CHR Extension: (Mobincube - FREE smartphone App builder) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfbnofjiempfokaedcfllenpopocpjid\5_0
CHR Extension: (Button Generator) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\njphjoojdldjpogfhbncccnkldebgbnd\3.0_0
CHR Extension: (Experts Exchange - Your Technology Questions Answered) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmcfonpcafofmbmiimdnciniplmaepbd\2013.8.31.1559_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
CHR Extension: (Death guarding) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\ocoecobedcimbjkadmhlhhmmcmiodbco\1.0_0
CHR Extension: (Reversi) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\odhjkapjdlmmadkepnmlkpadnnnnoebm\0.0.0.3_0
CHR Extension: (JSON Formatter) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\pblpfhfcojodgcifojnofommahgbaple\1.0.1.2_0
CHR Extension: (Flow Colors) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\pbnmelddedlommnmllmfhoephaidddmk\1.3_0
CHR Extension: (Psykopaint) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgjchkcfmigkkhedgjedmffdepgmpfil\0.0.0.10_0
CHR Extension: (Sal\u00F3n de Ajedrez | Chess Room) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\pndchcdebeblknllekihgiiaejankefp\0.0.1_0
CHR Extension: (Monopoly) - C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\pplaldhfjmihnkemlemlgjeifoigghgf\1.1_0
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx

========================== Services (Whitelisted) =================

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2013-12-09] (AVAST Software)
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S4 RemoteAccess; C:\Windows\System32\svchost.exe [24064 2012-05-19] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R2 aswFsBlk; C:\Windows\system32\drivers\aswFsBlk.sys [35656 2013-12-09] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [70384 2013-12-09] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [79720 2013-12-09] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49944 2013-12-09] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [774392 2013-12-09] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [403440 2013-12-09] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [178304 2013-12-09] ()
R1 BasicRender; C:\Windows\System32\drivers\BasicRender.sys [24576 2012-05-19] (Microsoft Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S4 SNPSTD3; C:\Windows\system32\DRIVERS\snpstd3.sys [10252544 2007-03-27] (Sonix Co. Ltd.)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-01-03 20:50 - 2014-01-03 20:50 - 00000000 ____D C:\FRST
2014-01-03 20:34 - 2014-01-03 20:33 - 00688992 ____R (Swearware) C:\Users\Paul\Desktop\dds.com
2014-01-03 20:30 - 2014-01-03 02:12 - 00987410 _____ C:\Users\Paul\Desktop\SecurityCheck.exe
2014-01-03 20:26 - 2014-01-03 20:50 - 00000000 ____D C:\BC
2014-01-02 14:50 - 2014-01-02 14:50 - 00000054 _____ C:\Users\Paul\AppData\Roaming\mbam.context.scan
2014-01-02 14:47 - 2014-01-02 14:47 - 00000117 _____ C:\Windows\system32\netcfg-305375498.txt
2014-01-02 14:45 - 2014-01-02 14:45 - 00000117 _____ C:\Windows\system32\netcfg-305288012.txt
2013-12-30 08:47 - 2013-12-30 08:47 - 00000117 _____ C:\Windows\system32\netcfg-24549612.txt
2013-12-30 08:31 - 2013-12-30 08:31 - 00001476 _____ C:\Users\Paul\Desktop\iexplore.exe - Shortcut.lnk
2013-12-30 01:58 - 2013-12-30 01:58 - 00000117 _____ C:\Windows\system32\netcfg-26644.txt
2013-12-17 00:09 - 2013-12-17 00:09 - 00000117 _____ C:\Windows\system32\netcfg-14353074.txt
2013-12-16 23:05 - 2013-12-16 23:05 - 00001102 _____ C:\Users\Paul\Desktop\explorer.exe.lnk
2013-12-16 19:10 - 2013-12-16 19:10 - 00001280 _____ C:\Users\Paul\Desktop\JRT.txt
2013-12-16 18:59 - 2013-12-16 18:59 - 00000000 ____D C:\Windows\ERUNT
2013-12-16 18:58 - 2013-12-16 18:58 - 00000117 _____ C:\Windows\system32\netcfg-344653.txt
2013-12-16 18:41 - 2013-12-16 18:41 - 00000117 _____ C:\Windows\system32\netcfg-20576.txt
2013-12-16 16:28 - 2013-12-16 16:28 - 00022601 _____ C:\Users\Paul\Documents\tvl bcc.txt
2013-12-16 14:30 - 2013-12-16 14:30 - 00000820 _____ C:\Users\Paul\AppData\Local\recently-used.xbel
2013-12-15 14:49 - 2013-12-15 14:50 - 00000000 ____D C:\MICRO SD BLANKED FOR BVB
2013-12-14 16:34 - 2013-12-14 16:34 - 00000117 _____ C:\Windows\system32\netcfg-70728216.txt
2013-12-13 20:55 - 2013-12-13 20:56 - 01643744 _____ C:\Windows\system32\FNTCACHE.DAT
2013-12-13 10:30 - 2013-12-13 10:30 - 00000117 _____ C:\Windows\system32\netcfg-225302712.txt
2013-12-12 17:34 - 2013-12-12 17:34 - 00000117 _____ C:\Windows\system32\netcfg-164345290.txt
2013-12-12 04:17 - 2013-12-12 04:17 - 00000117 _____ C:\Windows\system32\netcfg-116518659.txt
2013-12-11 03:52 - 2013-12-11 03:52 - 00000000 _____ C:\Recovery.txt
2013-12-10 23:57 - 2013-12-10 23:57 - 00021376 _____ C:\Users\Paul\Documents\IE Bookmarks.htm
2013-12-10 23:00 - 2013-12-16 18:56 - 00000525 _____ C:\Users\Paul\Desktop\catchme.log
2013-12-10 19:46 - 2013-12-10 19:46 - 00000277 _____ C:\Windows\setupact.log
2013-12-10 19:46 - 2013-12-10 19:46 - 00000000 _____ C:\Windows\setuperr.log
2013-12-10 16:40 - 2013-12-10 16:41 - 00000117 _____ C:\Windows\system32\netcfg-34616.txt
2013-12-10 16:40 - 2013-12-10 16:40 - 00000117 _____ C:\Windows\system32\netcfg-31964.txt
2013-12-10 16:27 - 2014-01-03 20:44 - 00532945 _____ C:\Windows\WindowsUpdate.log
2013-12-10 16:25 - 2013-12-10 16:36 - 00181064 _____ (Sysinternals) C:\Windows\PSEXESVC.EXE
2013-12-10 11:18 - 2013-12-10 11:18 - 00001076 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-12-10 11:18 - 2013-12-10 11:18 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-12-10 11:18 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-12-10 03:11 - 2013-12-10 03:11 - 00000000 ____D C:\Qoobox
2013-12-10 03:01 - 2013-12-10 19:40 - 00000000 ____D C:\AdwCleaner
2013-12-09 23:33 - 2013-12-13 20:55 - 00001472 _____ C:\Windows\PFRO.log
2013-12-09 22:29 - 2013-12-09 22:29 - 00774392 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00403440 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00269216 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2013-12-09 22:29 - 2013-12-09 22:29 - 00178304 _____ C:\Windows\system32\Drivers\aswVmm.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00079720 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00070384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00049944 _____ C:\Windows\system32\Drivers\aswRvrt.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2013-12-09 22:29 - 2013-12-09 22:29 - 00035656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswFsBlk.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00002128 _____ C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-12-09 22:29 - 2013-12-09 22:29 - 00000000 ____D C:\Users\Paul\AppData\Roaming\AVAST Software
2013-12-09 22:29 - 2013-12-09 22:29 - 00000000 ____D C:\Program Files\AVAST Software
2013-12-09 22:27 - 2013-12-09 22:27 - 00403440 _____ (AVAST Software) C:\Windows\system32\Drivers\evjzznse.sys
2013-12-09 22:27 - 2013-12-09 22:27 - 00000000 ____D C:\ProgramData\AVAST Software
2013-12-09 22:24 - 2013-12-09 22:24 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-12-09 22:11 - 2013-12-09 22:11 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-12-09 21:29 - 2013-12-09 21:29 - 00000050 _____ C:\.directory
2013-12-09 20:51 - 2013-12-16 18:50 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2013-12-09 20:51 - 2013-12-16 18:45 - 00000000 ____D C:\Users\Paul\Desktop\mbar
2013-12-09 18:43 - 2013-12-09 18:43 - 00000000 ____D C:\Users\Paul\Documents\Freemake
2013-12-09 14:38 - 2013-12-09 14:55 - 00000000 ____D C:\ZEROACCESS2
2013-12-09 14:36 - 2013-12-17 00:16 - 00000000 ____D C:\ZEROACCESS
2013-12-09 09:09 - 2013-12-09 09:09 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-12-09 08:38 - 2010-06-02 04:55 - 00527192 _____ (Microsoft Corporation) C:\Windows\system32\XAudio2_7.dll
2013-12-09 08:38 - 2010-06-02 04:55 - 00074072 _____ (Microsoft Corporation) C:\Windows\system32\XAPOFX1_5.dll
2013-12-09 08:38 - 2010-05-26 11:41 - 02106216 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_43.dll
2013-12-09 08:38 - 2010-05-26 11:41 - 00248672 _____ (Microsoft Corporation) C:\Windows\system32\d3dx11_43.dll
2013-12-09 08:38 - 2009-09-04 17:29 - 00453456 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_42.dll
2013-12-09 08:38 - 2006-11-29 13:06 - 03426072 _____ (Microsoft Corporation) C:\Windows\system32\d3dx9_32.dll
2013-12-09 08:34 - 2013-12-09 08:34 - 00002259 _____ C:\Windows\epplauncher.mif
2013-12-09 08:33 - 2013-12-09 08:33 - 00000020 ___SH C:\Users\Paul\ntuser.ini
2013-12-08 01:41 - 2013-12-08 01:41 - 00000000 ____D C:\Windows\erdnt

==================== One Month Modified Files and Folders =======

2014-01-03 20:50 - 2014-01-03 20:50 - 00000000 ____D C:\FRST
2014-01-03 20:50 - 2014-01-03 20:26 - 00000000 ____D C:\BC
2014-01-03 20:49 - 2013-04-13 00:03 - 00000000 ____D C:\Users\Paul\AppData\Roaming\Notepad++
2014-01-03 20:48 - 2012-05-19 07:39 - 00005096 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-03 20:44 - 2013-12-10 16:27 - 00532945 _____ C:\Windows\WindowsUpdate.log
2014-01-03 20:44 - 2012-05-19 07:34 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-03 20:38 - 2013-04-05 10:16 - 00000000 ____D C:\Users\Paul
2014-01-03 20:33 - 2014-01-03 20:34 - 00688992 ____R (Swearware) C:\Users\Paul\Desktop\dds.com
2014-01-03 02:12 - 2014-01-03 20:30 - 00987410 _____ C:\Users\Paul\Desktop\SecurityCheck.exe
2014-01-03 00:00 - 2012-05-19 08:22 - 00000000 ____D C:\Windows\system32\sru
2014-01-02 14:50 - 2014-01-02 14:50 - 00000054 _____ C:\Users\Paul\AppData\Roaming\mbam.context.scan
2014-01-02 14:47 - 2014-01-02 14:47 - 00000117 _____ C:\Windows\system32\netcfg-305375498.txt
2014-01-02 14:45 - 2014-01-02 14:45 - 00000117 _____ C:\Windows\system32\netcfg-305288012.txt
2014-01-02 03:00 - 2012-05-19 08:22 - 00000000 ____D C:\Windows\Microsoft.NET
2013-12-30 08:47 - 2013-12-30 08:47 - 00000117 _____ C:\Windows\system32\netcfg-24549612.txt
2013-12-30 08:31 - 2013-12-30 08:31 - 00001476 _____ C:\Users\Paul\Desktop\iexplore.exe - Shortcut.lnk
2013-12-30 08:26 - 2012-05-19 08:22 - 00000000 ____D C:\Windows\system32\NDF
2013-12-30 01:58 - 2013-12-30 01:58 - 00000117 _____ C:\Windows\system32\netcfg-26644.txt
2013-12-30 01:57 - 2013-04-06 03:16 - 00000000 ____D C:\Windows\pss
2013-12-26 01:52 - 2012-05-19 05:35 - 00262144 ___SH C:\Windows\system32\config\BBI
2013-12-26 01:25 - 2012-05-19 08:22 - 00000000 ____D C:\Windows\registration
2013-12-17 00:16 - 2013-12-09 14:36 - 00000000 ____D C:\ZEROACCESS
2013-12-17 00:09 - 2013-12-17 00:09 - 00000117 _____ C:\Windows\system32\netcfg-14353074.txt
2013-12-16 23:05 - 2013-12-16 23:05 - 00001102 _____ C:\Users\Paul\Desktop\explorer.exe.lnk
2013-12-16 19:10 - 2013-12-16 19:10 - 00001280 _____ C:\Users\Paul\Desktop\JRT.txt
2013-12-16 18:59 - 2013-12-16 18:59 - 00000000 ____D C:\Windows\ERUNT
2013-12-16 18:58 - 2013-12-16 18:58 - 00000117 _____ C:\Windows\system32\netcfg-344653.txt
2013-12-16 18:56 - 2013-12-10 23:00 - 00000525 _____ C:\Users\Paul\Desktop\catchme.log
2013-12-16 18:50 - 2013-12-09 20:51 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2013-12-16 18:45 - 2013-12-09 20:51 - 00000000 ____D C:\Users\Paul\Desktop\mbar
2013-12-16 18:41 - 2013-12-16 18:41 - 00000117 _____ C:\Windows\system32\netcfg-20576.txt
2013-12-16 16:28 - 2013-12-16 16:28 - 00022601 _____ C:\Users\Paul\Documents\tvl bcc.txt
2013-12-16 14:30 - 2013-12-16 14:30 - 00000820 _____ C:\Users\Paul\AppData\Local\recently-used.xbel
2013-12-15 14:50 - 2013-12-15 14:49 - 00000000 ____D C:\MICRO SD BLANKED FOR BVB
2013-12-14 16:34 - 2013-12-14 16:34 - 00000117 _____ C:\Windows\system32\netcfg-70728216.txt
2013-12-13 21:19 - 2013-10-10 13:43 - 00000000 ____D C:\Program Files\Windows Live
2013-12-13 21:19 - 2013-10-10 13:38 - 00000000 ____D C:\Users\Paul\AppData\Local\Windows Live
2013-12-13 21:19 - 2012-05-19 08:22 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2013-12-13 20:56 - 2013-12-13 20:55 - 01643744 _____ C:\Windows\system32\FNTCACHE.DAT
2013-12-13 20:55 - 2013-12-09 23:33 - 00001472 _____ C:\Windows\PFRO.log
2013-12-13 10:30 - 2013-12-13 10:30 - 00000117 _____ C:\Windows\system32\netcfg-225302712.txt
2013-12-12 17:34 - 2013-12-12 17:34 - 00000117 _____ C:\Windows\system32\netcfg-164345290.txt
2013-12-12 15:50 - 2013-05-12 03:08 - 00000000 ____D C:\Users\Paul\AppData\Roaming\vlc
2013-12-12 04:17 - 2013-12-12 04:17 - 00000117 _____ C:\Windows\system32\netcfg-116518659.txt
2013-12-11 03:52 - 2013-12-11 03:52 - 00000000 _____ C:\Recovery.txt
2013-12-10 23:57 - 2013-12-10 23:57 - 00021376 _____ C:\Users\Paul\Documents\IE Bookmarks.htm
2013-12-10 20:01 - 2013-06-20 12:39 - 00000000 ____D C:\Program Files\Common Files\DivX Shared
2013-12-10 19:48 - 2013-04-05 10:16 - 00001908 _____ C:\Windows\diagwrn.xml
2013-12-10 19:48 - 2013-04-05 10:16 - 00001908 _____ C:\Windows\diagerr.xml
2013-12-10 19:46 - 2013-12-10 19:46 - 00000277 _____ C:\Windows\setupact.log
2013-12-10 19:46 - 2013-12-10 19:46 - 00000000 _____ C:\Windows\setuperr.log
2013-12-10 19:40 - 2013-12-10 03:01 - 00000000 ____D C:\AdwCleaner
2013-12-10 16:41 - 2013-12-10 16:40 - 00000117 _____ C:\Windows\system32\netcfg-34616.txt
2013-12-10 16:40 - 2013-12-10 16:40 - 00000117 _____ C:\Windows\system32\netcfg-31964.txt
2013-12-10 16:37 - 2013-04-05 10:19 - 00000000 ____D C:\ProgramData\PRICache
2013-12-10 16:36 - 2013-12-10 16:25 - 00181064 _____ (Sysinternals) C:\Windows\PSEXESVC.EXE
2013-12-10 11:18 - 2013-12-10 11:18 - 00001076 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-12-10 11:18 - 2013-12-10 11:18 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-12-10 03:11 - 2013-12-10 03:11 - 00000000 ____D C:\Qoobox
2013-12-09 22:38 - 2013-04-11 18:29 - 00000000 ____D C:\Users\Paul\AppData\Local\Google
2013-12-09 22:37 - 2013-09-20 08:28 - 00000000 ____D C:\wamp
2013-12-09 22:29 - 2013-12-09 22:29 - 00774392 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00403440 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00269216 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2013-12-09 22:29 - 2013-12-09 22:29 - 00178304 _____ C:\Windows\system32\Drivers\aswVmm.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00079720 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00070384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00049944 _____ C:\Windows\system32\Drivers\aswRvrt.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2013-12-09 22:29 - 2013-12-09 22:29 - 00035656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswFsBlk.sys
2013-12-09 22:29 - 2013-12-09 22:29 - 00002128 _____ C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-12-09 22:29 - 2013-12-09 22:29 - 00000000 ____D C:\Users\Paul\AppData\Roaming\AVAST Software
2013-12-09 22:29 - 2013-12-09 22:29 - 00000000 ____D C:\Program Files\AVAST Software
2013-12-09 22:27 - 2013-12-09 22:27 - 00403440 _____ (AVAST Software) C:\Windows\system32\Drivers\evjzznse.sys
2013-12-09 22:27 - 2013-12-09 22:27 - 00000000 ____D C:\ProgramData\AVAST Software
2013-12-09 22:24 - 2013-12-09 22:24 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-12-09 22:11 - 2013-12-09 22:11 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-12-09 21:29 - 2013-12-09 21:29 - 00000050 _____ C:\.directory
2013-12-09 18:43 - 2013-12-09 18:43 - 00000000 ____D C:\Users\Paul\Documents\Freemake
2013-12-09 18:43 - 2013-09-10 01:52 - 00000000 ____D C:\ProgramData\Freemake
2013-12-09 15:21 - 2013-09-29 00:48 - 00000000 ____D C:\Users\Public\Documents\Lightworks
2013-12-09 14:55 - 2013-12-09 14:38 - 00000000 ____D C:\ZEROACCESS2
2013-12-09 09:09 - 2013-12-09 09:09 - 00000000 ____D C:\Windows\Microsoft Antimalware
2013-12-09 08:34 - 2013-12-09 08:34 - 00002259 _____ C:\Windows\epplauncher.mif
2013-12-09 08:33 - 2013-12-09 08:33 - 00000020 ___SH C:\Users\Paul\ntuser.ini
2013-12-08 01:41 - 2013-12-08 01:41 - 00000000 ____D C:\Windows\erdnt
2013-12-07 22:24 - 2013-04-06 09:32 - 00000000 ____D C:\Windows\Minidump
2013-12-07 21:50 - 2013-01-20 23:39 - 00000000 ____D C:\Users\Paul\.thumbnails
2013-12-07 21:32 - 2013-09-29 12:25 - 00000000 ___RD C:\Users\Paul\Google Drive
2013-12-07 03:58 - 2012-05-19 08:22 - 00000000 ____D C:\Windows\AUInstallAgent
ZeroAccess:
C:\Users\Paul\AppData\Local\Google\Desktop\Install

Some content of TEMP:
====================
C:\Users\Paul\AppData\Local\Temp\catchme.dll

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2013-12-31 03:00

==================== End Of Log ============================


Edited by paultomasi, 04 January 2014 - 10:58 AM.
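An added example, not part of the poster's log and not part of FRST: a small Python triage pass over the log above. It pulls out the lines a responder reads first, namely the two Winsock catalog entries FRST marked with ATTENTION (the LibraryPath for Catalog5 entries 04 and 05 no longer points at NLAapi.dll / mswsock.dll), the path FRST listed under "ZeroAccess:", the cached MountPoints2 autorun handler for drive D, any Bamital/volsnap MD5 line that is not "legit", and, as low-priority noise, drivers whose file carries no company string. The sample log embedded in the script is a trimmed copy of the log above; the severity labels are the example's own, since FRST itself only emits the markers. One thing the output makes visible that the raw log does not: the only info-level driver hit, aswRvrt.sys, was written in the same minute as the other avast drivers (22:29 on 2013-12-09), so it belongs to that install and is not something to chase.

```python
"""Triage the lines of an FRST log that a responder reads first.

Added example for this thread; it is not part of FRST and not the poster's
code. SAMPLE_LOG is copied from the log posted above and trimmed to a few
representative lines. The severity labels are this example's own; FRST
itself only emits the ATTENTION / ZeroAccess: / MD5 markers."""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [AvastUI.exe] - C:\Program Files\AVAST Software\Avast\AvastUI.exe [3568312 2013-12-09] (AVAST Software)
MountPoints2: D - "D:\setup.exe"

==================== Internet (Whitelisted) ====================

Winsock: Catalog5 04 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Tcpip\..\Interfaces\{4FCBB7F1-7D91-4B90-BB77-2F849FC2EF0C}: [NameServer]8.8.8.8,8.8.4.4

==================== Drivers (Whitelisted) ====================

R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49944 2013-12-09] ()
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [79720 2013-12-09] (AVAST Software)

==================== One Month Modified Files and Folders =======

2013-12-09 22:27 - 2013-12-09 22:27 - 00403440 _____ (AVAST Software) C:\Windows\system32\Drivers\evjzznse.sys
ZeroAccess:
C:\Users\Paul\AppData\Local\Google\Desktop\Install

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================
"""

# "==== Title ====" section banners; a bare "========" underline has its
# title on the previous line ("FireFox:" style), handled below.
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "R0 name; path [size date] (Company)" driver/service lines.
DRIVER_RE = re.compile(r"^([RSU])(\d)\s+(\S+?);\s+(.+?)\s+\[(\d+) ([\d-]+)\]\s+\((.*)\)$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str   # "high" | "medium" | "info"
    reason: str
    line: str       # kept verbatim: FRST fixlists are built from log lines


def triage_frst_log(text: str) -> list[Finding]:
    findings: list[Finding] = []
    section, line, in_zeroaccess = "(preamble)", "", False
    for raw in text.splitlines():
        line, prev = raw.strip(), line
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1) or prev.rstrip(":")
            in_zeroaccess = False
            continue
        if not line:
            in_zeroaccess = False        # the ZeroAccess: list ends at a blank line
            continue
        if line == "ZeroAccess:":
            in_zeroaccess = True
            continue
        if in_zeroaccess:
            findings.append(Finding(section, "high", "path flagged by the FRST ZeroAccess heuristic", line))
        elif "ATTENTION:" in line:
            findings.append(Finding(section, "high", "FRST ATTENTION marker (tampered or broken entry)", line))
        elif section.startswith("Bamital"):
            if not line.endswith("=> MD5 is legit"):
                findings.append(Finding(section, "high", "core system binary failed the MD5 check", line))
        elif line.startswith("MountPoints2:"):
            findings.append(Finding(section, "medium", "Explorer cached an autorun handler for a drive", line))
        elif "File Not found" in line or line.endswith("No File"):
            findings.append(Finding(section, "medium", "entry points at a file that no longer exists", line))
        elif "Interfaces" in line and "[NameServer]" in line:
            findings.append(Finding(section, "info", "static DNS server set on an interface; confirm it is intended", line))
        else:
            dm = DRIVER_RE.match(line)
            if dm and dm.group(7) == "":
                findings.append(Finding(section, "info", "driver file carries no company string", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage_frst_log(SAMPLE_LOG)
    order = ("high", "medium", "info")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(results))
```

Run it against a full log with `triage_frst_log(open("FRST.txt", encoding="utf-8", errors="ignore").read())`. Each finding keeps the original line verbatim, because a FRST fixlist is assembled by pasting the offending log lines back into it, and the section name tells you which part of the log the line came from.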


#12 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:11:52 PM

Posted 04 January 2014 - 01:21 PM

Does tapping F12 upon boot-up not give you a boot drive choice menu?


Best Regards,
oneof4.


#13 paultomasi

paultomasi
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:52 AM

Posted 04 January 2014 - 02:39 PM

Pressing F12 during POST enables booting from any disk (or device) at the BIOS level, provided it contains the necessary boot structure, of course.

This is not the same as pressing F12 (or some other combination) after POST, where Windows presents the dual-boot option.

Yes, pressing F12 during POST gives me the option to boot from another disk (or device); however, attempting to boot from another disk results in "Missing operating system" or "No boot information" (or whatever).

Previously, I could press F8 (I think) during Windows start-up and I would be presented with a two-line option in DOS to boot to either Windows 8 or Windows 8.1. This no longer works.

I have lost the Windows 8.1 install DVD and am currently trying to recreate one.



#14 paultomasi

paultomasi
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:03:52 AM

Posted 06 January 2014 - 02:16 PM

I tried all weekend to re-install Windows 8.1. I should have known something was seriously wrong when each attempt literally took 5 hours, at which point the installation halted with a "corrupt file" error message.

I can only conclude from this that whatever infection I had was interfering with the re-install, even though I had re-partitioned and re-formatted the primary boot drive at one point.

As a final attempt, I removed all other drives, booted to the Avira Live CD, used GParted to re-partition my drive (again) and re-formatted the drive.

Now the install whizzed through in minutes - not hours!

There are a couple of issues though.

(1) I need to re-attach my two other drives so that I can retrieve my data and my settings. This worries me, as I am unsure how to go about this without risking re-infecting my system, especially in the light of the persistence of the previous infection.

(2) I need to scan the other two drives to confirm they are free from infection. This also worries me because I am scared that merely connecting the drives may re-infect my system again.

I can supply an up-to-date scan of my system as it is at the moment (just the primary drive connected) and then go from there...

Can you please advise me how I should proceed.

Thank you.



#15 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:11:52 PM

Posted 06 January 2014 - 03:24 PM

Can you remove your newly re-formatted Windows 8.1 drive, then boot using one of the other drives? If so, maybe we can deal with infections at that point. My thoughts are that you are correct in suspecting one of the other drives; in fact, the FRST log you posted from the Windows 8.0 (C:\) drive at that time revealed evidence of the ZeroAccess infection.


Best Regards,
oneof4.




