Smart Virus / rootkit NOT letting me run NOTHING


This topic is locked
12 replies to this topic

#1 koddie

koddie

  • Members
  • 7 posts

Posted 28 January 2015 - 04:23 PM

Today I powered on a PC I was NOT using for about 10 months (with some IMPORTANT data).

After I logged in with my default administrator user:

1. My AV was not loading and something was strange. NO FREE SPACE on NONE of my HDs.

So I deleted some BIG DATA and then I had a few GBs free on each of them. RESTARTED.

 

 

2. NOW the big PROBLEM arrived:

The Avast! antivirus is still NOT loading.... AND:
I CAN NOT RUN A BIG PART OF the EXE files (including explorer.exe, msconfig.exe, regedit.exe, mbam.exe [Malwarebytes])

 

Every time I try to open a file I get:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

 

Most of the important options on Windows (for example "Add or remove user accounts") are NOT working, although I'm logged on as the administrator.

 

 

I did some Googling, I saw some suggestions, I tried:

TDSSKiller.exe , FixTDSS.exe , HitmanPro_x64.exe , msert.exe  [Microsoft Safety Scanner]

Could NOT run any of them. All give me the same problem ( "Windows cannot access the specified....." )

 

 

I tried the "trick" of renaming to "iexplore.exe" - NOT working.

 

The REAL Internet Explorer is working though, also Windows Media Player and a few other useless applications.
Avast is not loading as I said, but it is shown in the Windows Task Manager - Processes - as loaded ("AvastUI.exe *32").

 

 

F8 on startup isn't doing anything, so I can not run SAFE MODE, and I couldn't "force" it to load safe mode as msconfig.exe is not working.

 

My machine is - 

Windows 7 Pro, SP 1, 64-bit, Legal Copy ("activated"), with "AVAST! Free Antivirus" installed.


Edited by Chris Cosgrove, 28 January 2015 - 07:24 PM.
Moved to Virus, trojan, etc. logs at Broni's request



 


#2 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 29 January 2015 - 08:58 AM

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

  • Important: To help me review your logs, please post them in code boxes. You can create them by clicking on the <>-symbol on top of the reply window.

 

 

 

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows 7:



Plug the flash drive into the infected PC.

Enter System Recovery Options.


To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.


  • In the command window:
  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#3 koddie

koddie
  • Topic Starter

  • Members
  • 7 posts

Posted 29 January 2015 - 03:10 PM

I managed to run Farbar Recovery Scan Tool from the Advanced Boot Options (before Windows loads) & Command Prompt

[I could probably run more tools that way]

 

Here is the log:



Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-01-2015
Ran by SYSTEM on MININT-KOPGG3N on 29-01-2015 19:47:36
Running from h:\
Platform: Windows 7 Professional (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-19] (Adobe Systems Incorporated)
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1612504 2013-11-11] (COMODO)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3477640 2012-09-23] (Adobe Systems Inc.)
HKLM-x32\...\Run: [KiesTrayAgent] => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe [311152 2013-11-05] (Samsung Electronics Co., Ltd.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3767096 2014-03-01] (AVAST Software)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\RunOnce: [*CA] => [X]
HKU\Default\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\Default User\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\Eitan2012\...\Run: [AdobeBridge] => [X]
HKU\Eitan2012\...\Run: [KiesPreload] => C:\Program Files (x86)\Samsung\Kies\Kies.exe [1564528 2013-11-05] (Samsung)
HKU\Eitan2012\...\Run: [KiesAirMessage] => C:\Program Files (x86)\Samsung\Kies\KiesAirMessage.exe -startup
HKU\Eitan2012\...\Run: [Google Update] => C:\Users\Eitan2012\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2012-02-22] (Google Inc.)
HKU\Eitan2012\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [720064 2013-04-21] (Microsoft Corporation)
HKU\Eitan2012\...\Run: [] => C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [845168 2013-11-05] (Samsung)
HKU\UpdatusUser\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
Startup: C:\Users\Eitan2012\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft SharePoint Workspace.lnk
ShortcutTarget: Microsoft SharePoint Workspace.lnk -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE (Microsoft Corporation)

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-03-01] (AVAST Software)
S2 CLPSLauncher; C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe [70352 2014-02-27] (Comodo Security Solutions, Inc.)
S2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6254152 2013-10-19] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [164056 2013-09-24] (COMODO)
S2 DragonUpdater; C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2135232 2014-01-28] ()
S2 GeekBuddyRSP; C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2014-02-27] (Comodo Security Solutions, Inc.)
S3 Samsung UPD Service2; C:\Windows\System32\SUPDSvc2.exe [165456 2011-12-01] (Samsung Electronics)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 61883; C:\Windows\System32\DRIVERS\61883.sys [60288 2009-07-13] (Microsoft Corporation)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [78648 2014-03-01] (AVAST Software)
S1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [92544 2013-11-01] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2013-11-01] ()
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1038072 2014-03-01] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [421704 2014-03-01] (AVAST Software)
S3 aswStm; C:\Windows\system32\drivers\aswStm.sys [80184 2014-03-01] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [207904 2014-03-01] ()
S3 bbcap; C:\Windows\System32\DRIVERS\bbcap.sys [4608 2013-09-27] (Windows (R) Codename Longhorn DDK provider)
S1 CFRMD; C:\Windows\System32\DRIVERS\CFRMD.sys [37976 2014-06-25] (Windows (R) Win 7 DDK provider)
S1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [23168 2013-09-24] (COMODO)
S1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [709144 2013-11-14] (COMODO)
S1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [48872 2013-09-24] (COMODO)
S3 GDPkIcpt; C:\Windows\system32\drivers\PktIcpt.sys [62368 2013-02-03] (G Data Software AG)
S1 HMD; C:\Windows\System32\DRIVERS\hmd.sys [14888 2013-10-06] ()
S1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [96800 2013-09-24] (COMODO)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-29 19:47 - 2015-01-29 19:47 - 00000000 ____D () C:\FRST
2015-01-28 11:53 - 2015-01-28 11:53 - 00000000 ____D () C:\Users\Eitan2012\Desktop\OK
2015-01-28 10:19 - 2015-01-28 08:09 - 129880312 _____ (Microsoft Corporation) C:\Users\Eitan2012\Desktop\msert.exe
2015-01-28 09:46 - 2015-01-11 15:08 - 11225840 _____ (SurfRight B.V.) C:\Users\Eitan2012\Desktop\HitmanPro_x64.exe
2015-01-28 09:46 - 2014-12-02 10:11 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Eitan2012\Desktop\mbam-setup-2.0.4.1028.exe
2015-01-28 09:40 - 2012-11-01 02:28 - 01931088 _____ (Symantec Corporation) C:\Users\Eitan2012\Desktop\FixTDSS.exe
2015-01-28 09:20 - 2015-01-28 10:18 - 00000000 ____D () C:\tsdk77

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-29 09:21 - 2012-02-23 02:19 - 01610489 _____ () C:\Windows\WindowsUpdate.log
2015-01-29 09:13 - 2013-09-27 13:25 - 00000031 _____ () C:\Windows\System32\bbcap.err
2015-01-29 08:33 - 2012-02-22 17:08 - 00000954 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3787592331-2260381968-2455151431-1001UA.job
2015-01-29 08:29 - 2012-02-22 18:27 - 00000928 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-28 20:15 - 2012-02-22 16:58 - 00000000 ____D () C:\users\Eitan2012
2015-01-28 20:14 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2015-01-28 13:33 - 2012-02-22 17:08 - 00000902 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3787592331-2260381968-2455151431-1001Core.job
2015-01-28 12:58 - 2012-03-26 03:47 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-01-28 11:55 - 2009-07-13 21:13 - 00782470 _____ () C:\Windows\System32\PerfStringBackup.INI
2015-01-28 11:53 - 2013-09-29 13:54 - 00000000 ____D () C:\Users\Eitan2012\AppData\Roaming\Dropbox
2015-01-28 09:30 - 2012-02-22 18:27 - 00000924 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-28 09:27 - 2009-07-13 20:45 - 00014848 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-28 09:27 - 2009-07-13 20:45 - 00014848 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-28 09:23 - 2012-02-22 18:27 - 00003924 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-01-28 09:23 - 2012-02-22 18:27 - 00003672 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-01-28 09:16 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-28 09:16 - 2009-07-13 20:51 - 00048730 _____ () C:\Windows\setupact.log

Some content of TEMP:
====================
C:\Users\Eitan2012\AppData\Local\Temp\bbcap.dll
C:\Users\Eitan2012\AppData\Local\Temp\bbchlp.dll
C:\Users\Eitan2012\AppData\Local\Temp\FlashBackDriverInstaller.exe
C:\Users\Eitan2012\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih (1).exe
C:\Users\Eitan2012\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih (1)_1.exe
C:\Users\Eitan2012\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih(1).exe
C:\Users\Eitan2012\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih(1)_1.exe
C:\Users\Eitan2012\AppData\Local\Temp\install_flashplayer11x32_mssd_aaa_aih(1)_2.exe
C:\Users\Eitan2012\AppData\Local\Temp\vlc-2.1.1-win64.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-07-06 08:00:32
Restore point made on: 2014-07-13 08:00:32
Restore point made on: 2014-07-20 08:00:34
Restore point made on: 2014-07-27 08:00:32
Restore point made on: 2014-08-03 08:00:32

==================== Memory info =========================== 

Percentage of memory in use: 14%
Total physical RAM: 4094.49 MB
Available physical RAM: 3493.88 MB
Total Pagefile: 4092.64 MB
Available Pagefile: 3482.05 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:97.56 GB) (Free:0.47 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:368.1 GB) (Free:12.72 GB) NTFS
Drive g: (Eitan 1TB) (Fixed) (Total:931.51 GB) (Free:10.93 GB) NTFS
Drive h: (EITANDOK) (Fixed) (Total:7.26 GB) (Free:6.6 GB) exFAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: E46E09D5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=97.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=368.1 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: DF855275)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=42)

========================================================
Disk: 2 (Size: 7.5 GB) (Disk ID: DC3E5EC0)

Partition: GPT Partition Type.
Partition 2: (Not Active) - (Size=7.3 GB) - (Type=07 NTFS)


LastRegBack: 2015-01-28 12:32

==================== End Of Log ============================

BTW, yesterday after I deleted some big data I had over 3 GB free on C:; look, now it shows "0.47 GB" free.

 

 
 
Thanks.

Edited by koddie, 29 January 2015 - 03:13 PM.
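As an added example, not code from the thread or from Farbar, here is a small Python triage script for the FRST.txt format posted above. It splits the log into its ==== sections and pulls out the cues a helper checks first: autorun entries whose target is [X], boot/system-start drivers with an empty publisher field, core files that fail the Bamital check, and nearly full volumes. The sample log is a constructed subset modelled on the posted one; the section names and line layouts are those FRST prints.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the FRST.txt format posted above (a subset, not the full log).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1612504 2013-11-11] (COMODO)
HKLM-x32\...\Run: [] => [X]
HKLM\...\RunOnce: [*CA] => [X]
HKU\Eitan2012\...\Run: [AdobeBridge] => [X]

==================== Services (Whitelisted) =================

S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-03-01] (AVAST Software)
S2 DragonUpdater; C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2135232 2014-01-28] ()

==================== Drivers (Whitelisted) ====================

S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2013-11-01] ()
S1 HMD; C:\Windows\System32\DRIVERS\hmd.sys [14888 2013-10-06] ()
S1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [709144 2013-11-14] (COMODO)
S3 bbcap; C:\Windows\System32\DRIVERS\bbcap.sys [4608 2013-09-27] (Windows (R) Codename Longhorn DDK provider)

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit

==================== Drives ================================

Drive c: () (Fixed) (Total:97.56 GB) (Free:0.47 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:368.1 GB) (Free:12.72 GB) NTFS
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?)\s*=+\s*$")
RUN_RE = re.compile(r"^(?P<hive>HK[^:]*?)\\\.\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] => (?P<target>.*)$")
# 'S1 name; path [size date] (publisher)'; the publisher may itself contain parentheses.
SVC_RE = re.compile(r"^(?P<start>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>.*)\)$")
DRIVE_RE = re.compile(r"^Drive (?P<letter>\w): \((?P<label>.*?)\) \((?P<kind>\w+)\) \(Total:(?P<total>[\d.]+) GB\) \(Free:(?P<free>[\d.]+) GB\) (?P<fs>\w+)")
CHECK_RE = re.compile(r"^(?P<path>.+?) => (?P<verdict>.+)$")


@dataclass
class Finding:
    kind: str
    detail: str


def split_sections(text):
    """Map each '==== Name ====' heading to the non-blank lines under it ('(Whitelisted)' dropped)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").replace(" (Whitelisted)", "")
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line)
    return sections


def parse_services(lines):
    """Parse the service/driver lines of a Services or Drivers section into dicts."""
    return [m.groupdict() for m in map(SVC_RE.match, lines) if m]


def triage(text, low_free_gb=1.0):
    """Return review cues in the order a helper reads them; none is a malware verdict on its own."""
    s = split_sections(text)
    findings = []
    # Autorun entries pointing at [X]: the target file is gone. Usually leftovers, but these
    # are exactly what a fixlist would clean up, so list them.
    for line in s.get("Registry", []):
        m = RUN_RE.match(line)
        if m and m.group("target").strip() == "[X]":
            findings.append(Finding("orphaned-autorun", f"{m.group('hive')}\\...\\{m.group('key')}: [{m.group('name')}]"))
    # Boot (S0/R0) or system-start (S1/R1) drivers with an empty publisher field load before most
    # defences. The posted log shows this for legitimate Avast drivers too, so verify the file first.
    for d in parse_services(s.get("Drivers", [])):
        if d["start"][1] in "01" and not d["signer"]:
            findings.append(Finding("unsigned-early-driver", f"{d['name']} -> {d['path']}"))
    # Core system binaries whose hash check did not come back 'MD5 is legit'.
    for line in s.get("Bamital & volsnap Check", []):
        m = CHECK_RE.match(line)
        if m and m.group("verdict") != "MD5 is legit":
            findings.append(Finding("core-file-check-failed", f"{m.group('path')}: {m.group('verdict')}"))
    # A nearly full volume is worth flagging on its own (the posted log shows C: at 0.47 GB free).
    for line in s.get("Drives", []):
        m = DRIVE_RE.match(line)
        if m and float(m.group("free")) < low_free_gb:
            findings.append(Finding("low-free-space", f"{m.group('letter')}: {m.group('free')} GB free of {m.group('total')} GB"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.detail}")
```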


#4 koddie

koddie
  • Topic Starter

  • Members
  • 7 posts

Posted 29 January 2015 - 09:39 PM

Also from the Advanced Boot Options - Command Prompt -

I can't do chkdsk /f or chkdsk /r; it says:


X:\windows\system32>chkdsk /f
The type of the file system is NTFS.
Cannot lock current drive.
Windows cannot run disk checking on this volume because it is write protected.



#5 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 30 January 2015 - 04:01 AM

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
 

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.


  • In the command window type chkdsk /r C: and press Enter

 
 
Please tell me the result (copy the command output and post it here)



#6 koddie

koddie
  • Topic Starter

  • Members
  • 7 posts

Posted 30 January 2015 - 12:54 PM

X:\windows\system32>chkdsk /r C:
The type of the file system is NTFS.

CHKDSK is verifying files (stage 1 of 5)...
  372736 file records processed.
File verification completed.
  2119 large file records processed.
  0 bad file records processed.
  2 EA records processed.
  60 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 5)...
  465486 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered.
CHKDSK is verifying security descriptors (stage 3 of 5)...
  372736 file SDs/SIDs processed.
Security descriptor verification completed.
  46376 data files processed.
CHKDSK is verifying Usn Journal...
  34678160 USN bytes processed.
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  372720 files processed.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  126775 free clusters processed.
Free space verification is complete.
Windows has checked the file system and found no problems.

 102296575 KB total disk space.
 101180180 KB in 229035 files.
    129336 KB in 46377 indexes.
         0 KB in bad sectors.
    479959 KB in use by the system.
     65536 KB occupied by the log file.
    507100 KB available on disk.

      4096 bytes in each allocation unit.
  25574143 total allocation units on disk.
    126775 allocation units available on disk.
Failed to transfer logged messages to the event log with status 50.

X:\windows\system32>





Edited by koddie, 30 January 2015 - 12:58 PM.


#7 koddie

koddie
  • Topic Starter

  • Members
  • 7 posts

Posted 01 February 2015 - 07:57 AM

Any idea ?



#8 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 02 February 2015 - 05:35 AM

Create/Scan with Kaspersky Rescue Disk

Follow the instructions on this page for downloading the kav_rescue_10.iso (200 mb) file and creating the Kaspersky Rescue Disk.

Make sure you set the machine to boot from the CD-ROM drive first. Then save and exit the BIOS. The computer will begin to boot. Insert the disc in the CD-ROM drive, then restart the machine. It should then boot from that CD.

It's best if you refer to the instructions and images at Kaspersky How to record Kaspersky Rescue Disk 10 to a CD/DVD and boot my computer from the disk?

Once it boots from CD, press a key so it continues to boot from that CD.

Select the language, then be sure to select Kaspersky Rescue Disk Graphic Mode.

Kaspersky should begin scanning your machine. If it finds infection, look carefully at the files it lists. If any of them seem to be legit files, do not allow it to clean/quarantine/delete them. Rather, save the log and post the results for me to look over.



#9 koddie

koddie
  • Topic Starter

  • Members
  • 7 posts

Posted 08 February 2015 - 06:58 PM

I did; it only found a few archives (zip and rar files), which I NEVER opened, so it's probably got nothing to do with it.

 

Anyway, the system is in the same state; the only change is that the G hard drive stopped working (see screenshot).

Above is the Kaspersky Rescue log:

 

Objects Scan: stopped 1 day ago   (events: 2, objects: 95818, time: 00:10:47)	
2/7/15 10:16 PM	Task stopped			
2/7/15 10:05 PM	Task started			
Objects Scan: completed 1 day ago   (events: 2, objects: 7200, time: 00:03:03)	
2/7/15 10:20 PM	Task completed			
2/7/15 10:17 PM	Task started			
Objects Scan: completed 21 hours ago   (events: 35, objects: 1789686, time: 03:18:35)	
2/8/15 1:45 AM	Task completed			
2/8/15 1:45 AM	Deleted: Trojan-Ransom.Win32.Blocker.cgqa	C:/Users/E2012/Downloads/quick-more.zip		
2/8/15 1:45 AM	Detected: Trojan-Ransom.Win32.Blocker.cgqa	C:/Users/E2012/Downloads/quick-more.zip/quick-more.zip/quick-more.exe		
2/8/15 1:45 AM	Deleted: Trojan-Ransom.Win32.Blocker.cgqa	C:/Users/E2012/Downloads/quick-more (1).zip		
2/8/15 1:44 AM	Detected: Trojan-Ransom.Win32.Blocker.cgqa	C:/Users/E2012/Downloads/quick-more (1).zip/quick-more.zip/quick-more.exe		
2/8/15 1:44 AM	Deleted: VirTool.Win32.Topo.12 (analysis according to the database of dangerous URLs)	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar		
2/8/15 1:44 AM	Detected: VirTool.Win32.Topo.12 (analysis according to the database of dangerous URLs)	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial32.tutorial/files/topo12_fixed.rar/topo12_fixed.exe		
2/8/15 1:44 AM	Detected: HEUR:Trojan.Win32.Generic	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial37.tutorial/files/UnpackMe#5.exe		
2/8/15 1:44 AM	Detected: Packed.Win32.Katusha.o	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial40.tutorial/files/RvMe#8 by lena151.exe		
2/8/15 1:16 AM	Detected: Trojan.Win32.Genome.djh	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial28.tutorial/files/Program.exe		
2/8/15 12:15 AM	Untreated: Trojan-Ransom.Win32.Blocker.cgqa	C:/Users/E2012/Downloads/quick-more.zip/quick-more.zip/quick-more.exe	Postponed	
2/8/15 12:15 AM	Detected: Trojan-Ransom.Win32.Blocker.cgqa	C:/Users/E2012/Downloads/quick-more.zip/quick-more.zip/quick-more.exe		
2/8/15 12:15 AM	Untreated: Trojan-Ransom.Win32.Blocker.cgqa	C:/Users/E2012/Downloads/quick-more (1).zip/quick-more.zip/quick-more.exe	Postponed	
2/8/15 12:15 AM	Detected: Trojan-Ransom.Win32.Blocker.cgqa	C:/Users/E2012/Downloads/quick-more (1).zip/quick-more.zip/quick-more.exe		
2/8/15 12:03 AM	Untreated: VirTool.Win32.Topo.12 (analysis according to the database of dangerous URLs)	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial32.tutorial/files/topo12_fixed.rar/topo12_fixed.exe	Postponed	
2/8/15 12:03 AM	Detected: VirTool.Win32.Topo.12 (analysis according to the database of dangerous URLs)	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial32.tutorial/files/topo12_fixed.rar/topo12_fixed.exe		
2/8/15 12:03 AM	Untreated: HEUR:Trojan.Win32.Generic	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial37.tutorial/files/UnpackMe#5.exe	Postponed	
2/8/15 12:03 AM	Detected: HEUR:Trojan.Win32.Generic	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial37.tutorial/files/UnpackMe#5.exe		
2/8/15 12:03 AM	Untreated: Packed.Win32.Katusha.o	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial40.tutorial/files/RvMe#8 by lena151.exe	Postponed	
2/8/15 12:03 AM	Detected: Packed.Win32.Katusha.o	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial40.tutorial/files/RvMe#8 by lena151.exe		
2/8/15 12:03 AM	Untreated: Trojan.Win32.Genome.djh	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial28.tutorial/files/Program.exe	Postponed	
2/8/15 12:03 AM	Detected: Trojan.Win32.Genome.djh	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial28.tutorial/files/Program.exe		
2/7/15 11:06 PM	Untreated: Trojan-Ransom.Win32.Blocker.cgqa	C:/Users/E2012/Downloads/quick-more.zip/quick-more.zip/quick-more.exe	Postponed	
2/7/15 11:06 PM	Detected: Trojan-Ransom.Win32.Blocker.cgqa	C:/Users/E2012/Downloads/quick-more.zip/quick-more.zip/quick-more.exe		
2/7/15 11:06 PM	Untreated: Trojan-Ransom.Win32.Blocker.cgqa	C:/Users/E2012/Downloads/quick-more (1).zip/quick-more.zip/quick-more.exe	Postponed	
2/7/15 11:06 PM	Detected: Trojan-Ransom.Win32.Blocker.cgqa	C:/Users/E2012/Downloads/quick-more (1).zip/quick-more.zip/quick-more.exe		
2/7/15 10:54 PM	Untreated: VirTool.Win32.Topo.12 (analysis according to the database of dangerous URLs)	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial32.tutorial/files/topo12_fixed.rar/topo12_fixed.exe	Postponed	
2/7/15 10:54 PM	Detected: VirTool.Win32.Topo.12 (analysis according to the database of dangerous URLs)	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial32.tutorial/files/topo12_fixed.rar/topo12_fixed.exe		
2/7/15 10:53 PM	Untreated: HEUR:Trojan.Win32.Generic	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial37.tutorial/files/UnpackMe#5.exe	Postponed	
2/7/15 10:53 PM	Detected: HEUR:Trojan.Win32.Generic	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial37.tutorial/files/UnpackMe#5.exe		
2/7/15 10:53 PM	Untreated: Packed.Win32.Katusha.o	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial40.tutorial/files/RvMe#8 by lena151.exe	Postponed	
2/7/15 10:53 PM	Detected: Packed.Win32.Katusha.o	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial40.tutorial/files/RvMe#8 by lena151.exe		
2/7/15 10:53 PM	Untreated: Trojan.Win32.Genome.djh	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial28.tutorial/files/Program.exe	Postponed	
2/7/15 10:53 PM	Detected: Trojan.Win32.Genome.djh	C:/Users/E2012/Desktop/AUG2013/SNRWL-tutorials.rar/SNRWL-tutorials/SNRWL-tutorial28.tutorial/files/Program.exe		
2/7/15 10:27 PM	Task started			
Objects Scan: completed 19 hours ago   (events: 2, objects: 1211867, time: 01:40:00)	
2/8/15 1:58 AM	Task started			
2/8/15 3:38 AM	Task completed			




#10 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 10 February 2015 - 08:45 AM

Do you have the windows disc?


Edited by TB-Psychotic, 10 February 2015 - 08:47 AM.


#11 koddie

koddie
  • Topic Starter

  • Members
  • 7 posts

Posted 10 February 2015 - 12:18 PM

I will burn one if necessary, what should I do?



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 11 February 2015 - 04:06 AM

Try to do a repair installation following these instructions: http://www.sevenforums.com/tutorials/3413-repair-install.html

Your problem is not malware related.



#13 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts

Posted 03 July 2015 - 02:28 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.