Processes multiplying and hogging up memory: conhost.exe, dllhost.exe, ctfmon...


This topic is locked. 102 replies to this topic.

#1 kosmikk (Members, 50 posts)

Posted 31 October 2015 - 05:02 PM

Yesterday my computer started working slowly, and when I checked Task Manager I saw that numerous processes were taking up very high amounts of memory. I tried to 'end task' them, but they would reappear again and again.

Some of the processes:
ctfmon.exe, msiexec.exe, notepad.exe, dllhost.exe, svchost.exe, conhost.exe, msdtc.exe, taskhost.exe, audiodg.exe, PresentationHost.exe . . .

There was no AV on the computer, so I tried downloading some and running it, but they wouldn't run - as if something was blocking them.

I tried manually removing the files created at the time when this started, and ran HijackThis and ComboFix prior to posting here.

I also got the blue screen quite a few times since yesterday.

 

Below is the FRST.txt:


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-10-2015
Ran by V (administrator) on V-PC (31-10-2015 14:10:54)
Running from C:\Users\V\Desktop
Loaded Profiles: V (Available Profiles: V)
Platform: Windows 7 Ultimate (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: "C:\Program Files (x86)\Comodo\Dragon\dragon.exe" -- "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Privacyware/PWI, Inc.) C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
(Palm) C:\Program Files\Palm, Inc\novacom\amd64\novacomd.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Piriform Ltd) C:\Program Files\Speccy\Speccy64.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(SterJo Software) C:\Users\V\AppData\Local\SterJo NetStalker\NetStalker.exe
(Privacyware/PWI, Inc.) C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\PFGUI.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\PresentationHost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1091347035-978146883-2204785632-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\SysWOW64\GPhotos.scr [4558848 2014-01-06] (Google Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\..\Interfaces\{C919FDE6-1275-4DC7-A524-C69B83FB5C72}: [NameServer] 68.238.96.12,68.238.64.12

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1091347035-978146883-2204785632-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1091347035-978146883-2204785632-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1091347035-978146883-2204785632-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKU\S-1-5-21-1091347035-978146883-2204785632-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://yandex.ru/yandsearch?win=151&clid=2168010&text={searchTerms}
SearchScopes: HKU\S-1-5-21-1091347035-978146883-2204785632-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://yandex.ru/yandsearch?win=151&clid=2168010&text={searchTerms}
Toolbar: HKU\S-1-5-21-1091347035-978146883-2204785632-1000 -> No Name - {91397D20-1446-11D4-8AF4-0040CA1127B6} -  No File
DPF: HKLM {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-13] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-13] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-13] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-13] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\V\AppData\Roaming\Mozilla\Firefox\Profiles\rukihmdg.default
FF NewTab: yafd:tabs
FF DefaultSearchEngine.US: Google
FF SelectedSearchEngine: Google
FF Homepage: about:home
FF Session Restore: -> is enabled.
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll [2015-09-26] ()
FF Plugin: @videolan.org/vlc,version=2.0.7 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-07-30] (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2013-03-21] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-26] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-05-06] ()
FF Plugin-x32: @canon.com/EPPEX -> C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL [2011-09-21] (CANON INC.)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2014-01-06] (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2013-12-18] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2013-12-18] (Oracle Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2013-03-21] (Adobe Systems)
FF Plugin HKU\S-1-5-21-1091347035-978146883-2204785632-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\V\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2014-03-14] (Google)
FF Plugin HKU\S-1-5-21-1091347035-978146883-2204785632-1000: @talk.google.com/O1DPlugin -> C:\Users\V\AppData\Roaming\Mozilla\plugins\npo1d.dll [2014-03-14] (Google)
FF Plugin HKU\S-1-5-21-1091347035-978146883-2204785632-1000: @tools.google.com/Google Update;version=3 -> C:\Users\V\AppData\Local\Google\Update\1.3.23.9\npGoogleUpdate3.dll [2014-03-26] (Google Inc.)
FF Plugin HKU\S-1-5-21-1091347035-978146883-2204785632-1000: @tools.google.com/Google Update;version=9 -> C:\Users\V\AppData\Local\Google\Update\1.3.23.9\npGoogleUpdate3.dll [2014-03-26] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\V\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2014-03-14] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\V\AppData\Roaming\mozilla\plugins\npo1d.dll [2014-03-14] (Google)
FF SearchPlugin: C:\Users\V\AppData\Roaming\Mozilla\Firefox\Profiles\rukihmdg.default\searchplugins\yandex.ru-203329.xml [2014-11-20]
FF Extension: ClipConverter Desktop - C:\Users\V\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\desktop@clipconverter.cc.xpi [2013-09-29] [not signed]
FF Extension: Bitdefender QuickScan - C:\Users\V\AppData\Roaming\Mozilla\Firefox\Profiles\rukihmdg.default\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2015-10-30]
FF Extension: No Name - C:\Users\V\AppData\Roaming\Mozilla\Firefox\Profiles\rukihmdg.default\Extensions\helper-sig@savefrom.net.xpi [2015-10-25] [not signed]
FF Extension: WildFox Video Add-On - C:\Users\V\AppData\Roaming\Mozilla\Firefox\Profiles\rukihmdg.default\Extensions\jid0-dZYPMLgRfjeoOt02mKpCI95xNVw@jetpack.xpi [2015-10-25]
FF Extension: Visual Bookmarks - C:\Users\V\AppData\Roaming\Mozilla\Firefox\Profiles\rukihmdg.default\Extensions\vb@yandex.ru.xpi [2015-10-28] [not signed]
FF Extension: Video WithOut Flash - C:\Users\V\AppData\Roaming\Mozilla\Firefox\Profiles\rukihmdg.default\Extensions\vwof@drev.com.xpi [2015-10-25]
FF HKLM-x32\...\Firefox\Extensions: [fmconverter@gmail.com] - C:\Program Files (x86)\Freemake\Freemake Video Converter\BrowserPlugin\Firefox
FF Extension: Freemake Video Converter Plugin - C:\Program Files (x86)\Freemake\Freemake Video Converter\BrowserPlugin\Firefox [2014-06-28] [not signed]

Chrome:
=======
CHR HomePage: Default -> yandex.ru/?__PARAM__from=chromehp
CHR DefaultSearchURL: Default -> hxxp://yandex.ru/yandsearch?__PARAM__from=chromesearch&text={searchTerms}
CHR DefaultSearchKeyword: Default -> yandex.ru
CHR DefaultSuggestURL: Default -> hxxp://suggest.yandex.net/suggest-ff.cgi?uil=ru&part={searchTerms}
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\V\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Яндекс) - C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Extensions\aminlpmkfcdibgpgfajlgnamicjckkjf [2015-01-07]
CHR Extension: (Click to turn on/off spdy proxy.) - C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhihiednomfhmngipmplmgcngliajdnn [2015-01-07]
CHR Extension: (Стартовая — Яндекс) - C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Extensions\jdkihdhlegcdggknokfekoemkjjnjhgi [2015-01-07]
CHR Extension: (Ghostery) - C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2015-05-20]
CHR Extension: (Google Wallet) - C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-06-17]
CHR Extension: (Browsec) - C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Extensions\omghfjlpggmjjaagoclmmobgdodcjboh [2015-10-31]
CHR HKLM-x32\...\Chrome\Extension: [aminlpmkfcdibgpgfajlgnamicjckkjf] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jbolfgndggfhhpbnkgnpjkfhinclbigj] - C:\Program Files (x86)\Freemake\Freemake Video Converter\BrowserPlugin\Chrome\Freemake.Plugin.Chrome.crx [2014-06-28]
CHR HKLM-x32\...\Chrome\Extension: [jdkihdhlegcdggknokfekoemkjjnjhgi] - hxxp://clients2.google.com/service/update2/crx

Opera:
=======
OPR StartupUrls: "hxxp://www.yandex.ru/?win=151&clid=2168009"

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 DragonUpdater; C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe [2098880 2013-11-11] ()
R2 NovacomD; C:\Program Files\Palm, Inc\novacom\amd64\novacomd.exe [72192 2011-06-24] (Palm) [File not signed]
R2 PFNet; C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe [374600 2013-12-17] (Privacyware/PWI, Inc.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [451072 2009-07-13] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 HtcVCom32; C:\Windows\System32\DRIVERS\HtcVComV64.sys [111616 2011-10-27] (HTC Incorporated)
S3 BS817559142; \??\C:\Users\V\AppData\Local\Temp\NTFS.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
R3 cpuz136; \??\C:\Users\V\AppData\Local\Temp\cpuz136\cpuz136_x64.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-31 14:10 - 2015-10-31 14:11 - 00013350 _____ C:\Users\V\Desktop\FRST.txt
2015-10-31 14:09 - 2015-10-31 14:10 - 00000000 ____D C:\FRST
2015-10-31 14:08 - 2015-10-31 14:08 - 02198016 _____ (Farbar) C:\Users\V\Desktop\FRST64.exe
2015-10-31 13:49 - 2015-10-31 13:49 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\V\Downloads\spybot-2.4.exe
2015-10-31 13:11 - 2015-10-31 13:11 - 02870984 _____ (ESET) C:\Users\V\Downloads\esetsmartinstaller_enu.exe
2015-10-31 12:45 - 2015-10-31 12:45 - 00000743 _____ C:\Users\V\Desktop\Start Emsisoft Emergency Kit.lnk
2015-10-31 12:45 - 2015-10-31 12:45 - 00000000 ____D C:\EEK
2015-10-31 12:45 - 2015-10-30 18:03 - 169533960 _____ C:\Users\V\Desktop\EmsisoftEmergencyKit.exe
2015-10-31 12:09 - 2015-10-31 12:09 - 00026597 _____ C:\ComboFix.txt
2015-10-31 11:58 - 2015-10-31 12:10 - 00000000 ____D C:\Qoobox
2015-10-31 11:58 - 2011-06-25 23:45 - 00256000 _____ C:\Windows\PEV.exe
2015-10-31 11:58 - 2010-11-07 10:20 - 00208896 _____ C:\Windows\MBR.exe
2015-10-31 11:58 - 2009-04-19 21:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-10-31 11:58 - 2000-08-30 17:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-10-31 11:58 - 2000-08-30 17:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-10-31 11:58 - 2000-08-30 17:00 - 00098816 _____ C:\Windows\sed.exe
2015-10-31 11:58 - 2000-08-30 17:00 - 00080412 _____ C:\Windows\grep.exe
2015-10-31 11:58 - 2000-08-30 17:00 - 00068096 _____ C:\Windows\zip.exe
2015-10-31 11:57 - 2015-10-31 12:08 - 00000000 ____D C:\Windows\erdnt
2015-10-31 11:56 - 2015-10-31 11:56 - 05637361 ____R (Swearware) C:\Users\V\Downloads\ComboFix.exe
2015-10-31 11:52 - 2015-10-31 11:52 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\V\Downloads\spybot-2-4.exe
2015-10-31 11:43 - 2015-07-24 12:31 - 04404952 _____ (Kaspersky Lab ZAO) C:\Users\V\Desktop\TDSSKiller(1).exe
2015-10-31 08:37 - 2015-10-31 08:39 - 92553880 _____ (Kaspersky Lab ZAO) C:\Users\V\Desktop\KVRT.exe
2015-10-31 08:35 - 2015-10-31 08:36 - 00372800 _____ (Kaspersky Lab.) C:\Users\V\Desktop\Kabasiji.exe
2015-10-31 08:32 - 2015-10-31 08:33 - 00125784 _____ (Kaspersky Lab ZAO) C:\Users\V\Desktop\fippkiller.exe
2015-10-31 08:25 - 2015-10-31 08:25 - 04404952 _____ (Kaspersky Lab ZAO) C:\Users\V\Desktop\tdsskiller.exe
2015-10-30 21:53 - 2015-10-30 21:53 - 00001560 _____ C:\Windows\DPINST.LOG
2015-10-30 21:28 - 2015-10-30 22:11 - 00000000 ____D C:\Program Files\HijackThis
2015-10-30 20:41 - 2015-10-30 20:43 - 00000000 ____D C:\Users\V\Desktop\lskjdf
2015-10-30 20:18 - 2015-10-30 20:19 - 21546080 _____ (Malwarebytes Corporation ) C:\Users\V\Desktop\mbam-setup-2.1.6.1022.exe
2015-10-30 20:13 - 2015-10-30 20:13 - 02019656 _____ (Bleeping Computer, LLC) C:\Users\V\Desktop\rkill.com
2015-10-30 20:11 - 2015-10-30 20:10 - 02924672 _____ (AVG Technologies) C:\Users\V\Desktop\AVG_Protection_Free_698.exe
2015-10-30 19:53 - 2015-10-02 12:09 - 143481208 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-10-30 19:48 - 2015-10-30 19:48 - 53770968 _____ (Microsoft Corporation) C:\Users\V\Downloads\Windows-KB890830-x64-V5.29.exe
2015-10-30 19:46 - 2015-10-30 20:04 - 137039704 _____ (Sophos Limited) C:\Users\V\Desktop\Sophos Virus Removal Tool.exe
2015-10-30 19:31 - 2015-10-30 19:31 - 00000000 ____D C:\Users\V\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SterJo Wireless Network Scanner
2015-10-30 19:31 - 2015-10-30 19:31 - 00000000 ____D C:\Users\V\AppData\Local\SterJo Wireless Network Scanner
2015-10-30 19:20 - 2015-10-30 19:26 - 00000000 ____D C:\Windows\Minidump
2015-10-30 19:19 - 2015-10-31 13:04 - 00005654 _____ C:\Windows\PFRO.log
2015-10-30 18:16 - 2015-10-30 18:50 - 00409067 _____ C:\Users\V\AppData\Local\census.cache
2015-10-30 18:15 - 2015-10-30 18:50 - 00170804 _____ C:\Users\V\AppData\Local\ars.cache
2015-10-30 17:56 - 2015-10-30 17:56 - 00000000 ____D C:\Users\V\AppData\Local\F-Secure
2015-10-30 17:56 - 2015-10-30 17:56 - 00000000 ____D C:\ProgramData\F-Secure
2015-10-30 17:54 - 2015-10-30 17:54 - 00572456 _____ (F-Secure Corporation) C:\Users\V\Downloads\F-SecureOnlineScanner.exe
2015-10-30 17:49 - 2015-10-30 18:20 - 00000010 _____ C:\Users\V\AppData\Local\sponge.last.runtime.cache
2015-10-30 17:49 - 2015-10-30 17:49 - 00000000 ____D C:\Users\V\AppData\Roaming\QuickScan
2015-10-30 17:33 - 2015-10-30 17:33 - 00000036 _____ C:\Users\V\AppData\Local\housecall.guid.cache
2015-10-30 17:33 - 2015-05-29 00:43 - 00307352 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2015-10-30 17:32 - 2015-10-30 17:31 - 02494944 _____ (Trend Micro Inc.) C:\Users\V\Desktop\HousecallLauncher64.exe
2015-10-30 17:23 - 2015-10-31 13:47 - 00006646 _____ C:\Windows\WindowsUpdate.log
2015-10-30 15:49 - 2015-10-30 15:49 - 00420296 _____ C:\Users\V\Downloads\Force Windows 7, 8, or 10 to Boot Into Safe Mode Without Using the F8 Key.htm
2015-10-30 15:49 - 2015-10-30 15:49 - 00000000 ____D C:\Users\V\Downloads\Force Windows 7, 8, or 10 to Boot Into Safe Mode Without Using the F8 Key_files
2015-10-30 15:31 - 2015-10-30 15:31 - 00000000 ____D C:\ProgramData\panda_url_filtering
2015-10-30 15:29 - 2015-10-30 23:46 - 00000000 ____D C:\Program Files (x86)\Panda Security
2015-10-30 15:23 - 2015-10-30 23:23 - 00000000 ____D C:\ProgramData\Panda Security
2015-10-30 15:09 - 2015-10-30 15:09 - 02113152 _____ C:\Users\V\Desktop\PANDAFREEAV.exe
2015-10-30 14:59 - 2015-10-30 14:59 - 00000000 ____D C:\Users\V\AppData\Local\SterJo NetStalker
2015-10-30 14:59 - 2015-10-30 14:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SterJo NetStalker
2015-10-30 14:56 - 2015-10-30 14:55 - 00711482 _____ (SterJo Software ) C:\Users\V\Desktop\wnetscanner_setup.exe
2015-10-30 14:53 - 2015-10-30 14:53 - 00841456 _____ (SterJo Software ) C:\Users\V\Desktop\startuppatrol_setup.exe
2015-10-30 14:52 - 2015-10-30 14:51 - 00940192 _____ (SterJo Software ) C:\Users\V\Desktop\netstalker_setup.exe
2015-10-30 14:36 - 2015-10-31 13:45 - 00001802 _____ C:\Windows\setupact.log
2015-10-30 14:36 - 2015-10-30 14:36 - 00000000 _____ C:\Windows\setuperr.log
2015-10-30 12:23 - 2015-10-30 12:37 - 00000143 _____ C:\Users\V\Desktop\new to do.txt
2015-10-29 18:18 - 2015-10-29 18:18 - 00000000 ___SD C:\Users\V\AppData\LocalLow\Temp
2015-10-29 13:41 - 2015-10-30 09:20 - 03373292 _____ C:\Windows\system32\CFG817559142
2015-10-29 13:27 - 2015-10-29 13:28 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-10-29 13:27 - 2015-10-29 13:28 - 00000000 ____D C:\Users\V\AppData\Roaming\Aijux
2015-10-28 00:45 - 2015-10-28 18:50 - 00000292 _____ C:\Users\V\Desktop\bad plugins.txt
2015-10-26 23:30 - 2015-10-28 19:14 - 00001058 _____ C:\Users\V\Desktop\shop to do.txt
2015-10-26 21:19 - 2015-10-26 21:19 - 00004185 _____ C:\Users\V\Desktop\tabbed login.css
2015-10-26 13:34 - 2015-10-26 13:38 - 00000000 ____D C:\Users\V\Desktop\art for sale
2015-10-26 13:31 - 2015-10-26 13:33 - 00000000 ____D C:\Users\V\Desktop\flare
2015-10-24 22:52 - 2015-10-24 22:52 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-10-24 19:48 - 2015-10-24 19:48 - 00494195 _____ C:\Users\V\Downloads\codecanyon-6819365-snippeter-code-snippets-manager-file-and-license.zip
2015-10-24 01:57 - 2015-10-24 01:57 - 00001230 _____ C:\Users\Public\Desktop\Port Forwarding Wizard Professional.lnk
2015-10-24 01:57 - 2015-10-24 01:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Port Forwarding Wizard Professional
2015-10-24 01:57 - 2015-10-24 01:57 - 00000000 ____D C:\Program Files (x86)\Port Forwarding Wizard Professional
2015-10-24 01:55 - 2015-10-24 01:56 - 02961107 _____ (upRedSun and iForwarder, Inc. ) C:\Users\V\Downloads\port-forwarding-wizard-pro-setup.exe
2015-10-23 20:45 - 2015-10-23 20:45 - 01007294 _____ C:\Users\V\Downloads\shop-master.zip
2015-10-23 20:35 - 2015-10-28 00:32 - 00000513 _____ C:\Users\V\Desktop\to do +.txt
2015-10-20 15:15 - 2015-10-20 15:17 - 00000000 ____D C:\Users\V\Desktop\101D5200
2015-10-20 15:10 - 2015-10-20 15:15 - 00000000 ____D C:\Users\V\Desktop\100D5200

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-31 13:50 - 2009-07-13 22:13 - 00881764 _____ C:\Windows\system32\PerfStringBackup.INI
2015-10-31 13:10 - 2009-07-13 21:45 - 00014192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-31 13:10 - 2009-07-13 21:45 - 00014192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-31 13:10 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\NDF
2015-10-31 13:05 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-31 13:05 - 2009-07-13 21:45 - 04915712 _____ C:\Windows\system32\FNTCACHE.DAT
2015-10-31 13:02 - 2013-08-02 13:04 - 00000000 ____D C:\Users\V\AppData\Roaming\vlc
2015-10-31 12:07 - 2009-07-13 19:34 - 00000215 _____ C:\Windows\system.ini
2015-10-31 00:02 - 2013-07-31 02:35 - 00058424 _____ C:\Users\V\AppData\Local\GDIPFONTCACHEV1.DAT
2015-10-30 22:20 - 2014-05-23 16:42 - 00000000 ____D C:\Users\V\My filmmaking
2015-10-30 22:08 - 2009-07-13 22:08 - 00032582 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-10-30 21:55 - 2015-09-21 19:15 - 00025600 ___SH C:\Users\V\Thumbs.db
2015-10-30 21:23 - 2013-08-01 18:09 - 00000000 ____D C:\Users\V\AppData\Roaming\tixati
2015-10-30 18:38 - 2013-07-30 20:23 - 00000000 ____D C:\Users\V
2015-10-30 15:50 - 2013-12-04 00:12 - 00000000 ____D C:\Windows\pss
2015-10-30 14:51 - 2013-12-19 15:08 - 00000000 ____D C:\Program Files\Pale Moon
2015-10-30 14:34 - 2015-01-07 17:38 - 00000000 ____D C:\Users\V\AppData\Roaming\uTorrent
2015-10-30 14:10 - 2015-01-07 17:02 - 00003654 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-10-30 14:10 - 2015-01-07 17:02 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-30 14:10 - 2015-01-07 17:02 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-30 13:45 - 2015-01-07 17:02 - 00003906 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-10-30 13:45 - 2014-06-26 14:23 - 00003446 _____ C:\Windows\System32\Tasks\{A95BE6F5-1335-45FA-89BB-CC8C8C76FB0B}
2015-10-30 13:45 - 2013-09-05 02:57 - 00003440 _____ C:\Windows\System32\Tasks\{042D0382-7DB0-4568-9B14-83C4287B9A60}
2015-10-30 13:45 - 2013-08-13 21:53 - 00003292 _____ C:\Windows\System32\Tasks\{CEB3BD1B-E838-469B-A5C7-359F484E359F}
2015-10-30 13:45 - 2013-08-05 16:14 - 00003126 _____ C:\Windows\System32\Tasks\{6EC1D3E7-8160-479E-821D-77E10CE867F8}
2015-10-29 14:22 - 2014-05-06 16:10 - 00000000 ____D C:\Users\V\Desktop\mr
2015-10-28 00:53 - 2014-12-18 03:28 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-10-24 16:14 - 2014-11-09 01:07 - 00000000 ____D C:\Users\V\Web
2015-10-24 01:54 - 2013-12-02 19:56 - 00000000 ____D C:\wamp
2015-10-06 12:58 - 2013-08-01 18:53 - 00000000 ____D C:\Users\V\Documents\Calibre Library

==================== Files in the root of some directories =======

2013-12-19 12:55 - 2014-07-24 12:34 - 0000132 _____ () C:\Users\V\AppData\Roaming\Adobe PNG Format CS6 Prefs
2009-07-13 16:19 - 2009-07-13 18:14 - 0565248 _____ () C:\Users\V\AppData\Roaming\BackUp817559142.exe
2014-07-27 14:00 - 2014-07-27 14:01 - 0000404 _____ () C:\Users\V\AppData\Roaming\com.kennettnet.MusicRescue4.plist
2014-07-27 14:01 - 2014-07-27 14:01 - 0202216 _____ () C:\Users\V\AppData\Roaming\com.kennettnet.MusicRescue4.Profiles.plist
2014-02-01 00:15 - 2014-02-01 00:15 - 0000669 _____ () C:\Users\V\AppData\Roaming\Contact Sheet II.xml
2014-02-01 00:15 - 2014-02-01 00:16 - 0010176 _____ () C:\Users\V\AppData\Roaming\ContactSheetII.log
2014-01-19 23:14 - 2014-06-26 14:17 - 0001456 _____ () C:\Users\V\AppData\Local\Adobe Save for Web 13.0 Prefs
2015-10-30 18:15 - 2015-10-30 18:50 - 0170804 _____ () C:\Users\V\AppData\Local\ars.cache
2015-10-30 18:16 - 2015-10-30 18:50 - 0409067 _____ () C:\Users\V\AppData\Local\census.cache
2015-10-30 17:33 - 2015-10-30 17:33 - 0000036 _____ () C:\Users\V\AppData\Local\housecall.guid.cache
2013-10-22 13:36 - 2015-09-26 22:14 - 0007598 _____ () C:\Users\V\AppData\Local\Resmon.ResmonCfg
2015-10-30 17:49 - 2015-10-30 18:20 - 0000010 _____ () C:\Users\V\AppData\Local\sponge.last.runtime.cache
2015-06-26 02:33 - 2015-06-26 02:33 - 0000000 _____ () C:\Users\V\AppData\Local\{153DA760-BC10-4F4E-A14E-9F8F51BD7365}
2015-08-05 04:31 - 2015-08-05 04:31 - 0000000 _____ () C:\Users\V\AppData\Local\{16C49A12-6B91-4AC6-A984-D0952E51F7D2}
2015-02-23 12:13 - 2015-02-23 12:13 - 0000000 _____ () C:\Users\V\AppData\Local\{22DEF4B0-B786-40D0-9FB1-CA57150A19E0}
2015-04-23 11:13 - 2015-04-23 11:13 - 0000000 _____ () C:\Users\V\AppData\Local\{34191A55-F976-46C1-9D62-555D146CA927}
2015-08-04 04:31 - 2015-08-04 04:31 - 0000000 _____ () C:\Users\V\AppData\Local\{3B4EE493-4C45-44EA-BDE6-508A073C3EF6}
2015-04-30 12:26 - 2015-04-30 12:26 - 0000000 _____ () C:\Users\V\AppData\Local\{571954D0-72DD-4976-8818-FD53F19ED24A}
2015-08-06 04:31 - 2015-08-06 04:31 - 0000000 _____ () C:\Users\V\AppData\Local\{5FAA9A77-C6E3-47BB-9F1B-2D7541A71399}
2015-04-26 03:17 - 2015-04-26 03:17 - 0000000 _____ () C:\Users\V\AppData\Local\{944C6E56-F2CA-4317-A98A-E2BD032D5380}
2015-06-27 10:44 - 2015-06-27 10:44 - 0000000 _____ () C:\Users\V\AppData\Local\{C0A39423-E133-4CDF-A9DF-863BD7BB367D}
2015-06-06 09:38 - 2015-06-06 09:38 - 0000000 _____ () C:\Users\V\AppData\Local\{C38811B6-BA94-42A7-893A-B022FCF4A2A4}
2015-08-03 04:31 - 2015-08-03 04:31 - 0000000 _____ () C:\Users\V\AppData\Local\{E10A10F1-5808-4A03-97EE-ED7FD694242C}
2015-05-04 14:33 - 2015-05-04 14:33 - 0000057 _____ () C:\ProgramData\Ament.ini

Some files in TEMP:
====================
C:\Users\V\AppData\Local\Temp\speccycpuid.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-21 00:14

==================== End of FRST.txt ============================
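As an added triage example (not part of the original post and not code from the FRST tool), the following Python script parses FRST.txt sections in the layout shown above and flags the cues a responder would look at first: drivers or services whose image sits under a Temp directory or another user-writable location, entries marked [X] (file missing) or [File not signed], newly created hidden entries, and entries whose names share a long run of digits. The embedded sample is a constructed excerpt that reuses a few lines from the log above; the heuristics, severity labels and the Finding type are my own and produce cues for review, not verdicts.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed excerpt in FRST.txt layout (a handful of lines copied from the log
# above so the parser runs offline). Sample input, not a fresh scan.
SAMPLE_FRST = r"""
==================== Processes (Whitelisted) =================
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(SterJo Software) C:\Users\V\AppData\Local\SterJo NetStalker\NetStalker.exe
==================== Services (Whitelisted) ========================
R2 NovacomD; C:\Program Files\Palm, Inc\novacom\amd64\novacomd.exe [72192 2011-06-24] (Palm) [File not signed]
===================== Drivers (Whitelisted) ==========================
S3 HtcVCom32; C:\Windows\System32\DRIVERS\HtcVComV64.sys [111616 2011-10-27] (HTC Incorporated)
S3 BS817559142; \??\C:\Users\V\AppData\Local\Temp\NTFS.sys [X]
==================== One Month Created files and folders ========
2015-10-29 13:41 - 2015-10-30 09:20 - 03373292 _____ C:\Windows\system32\CFG817559142
2015-10-29 13:27 - 2015-10-29 13:28 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
==================== Files in the root of some directories =======
2009-07-13 16:19 - 2009-07-13 18:14 - 0565248 _____ () C:\Users\V\AppData\Roaming\BackUp817559142.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review" (my own labels, assumption)
    reason: str
    entry: str     # the FRST line the finding refers to


SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
SERVICE_RE = re.compile(r"^(?P<state>[RSU]\d)\s+(?P<name>[^;]+);\s*(?P<rest>.+)$")
PROCESS_RE = re.compile(r"^\((?P<vendor>[^)]*)\)\s+(?P<path>.+)$")
# "created - modified - size attrs [(vendor)] path"; attrs is a 5-char field such as ____D or ___HD
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - \d+ "
    r"(?P<attrs>\S{5}) (?:\([^)]*\) )?(?P<path>.+)$"
)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
USERLAND_RE = re.compile(r"\\AppData\\|\\ProgramData\\|\\Users\\Public\\", re.I)


def _norm(path):
    # drivers are often listed with the NT object-manager prefix \??\
    return path[4:] if path.startswith("\\??\\") else path


def _digit_tags(name):
    # long digit runs in a service name or file name; GUID-style names are skipped
    return set() if "{" in name else set(re.findall(r"\d{6,}", name))


def triage(text):
    findings = []
    tagged = defaultdict(list)  # digit run -> lines whose name carries it
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            continue
        if section.startswith(("services", "drivers")):
            m = SERVICE_RE.match(line)
            if not m:
                continue
            rest = m.group("rest")
            # the image path ends at the first " [" (size/date or [X]) or " (" (vendor)
            cut = min((i for i in (rest.find(" ["), rest.find(" (")) if i >= 0), default=len(rest))
            path = _norm(rest[:cut].strip())
            flags = re.findall(r"\[([^\]]+)\]", rest[cut:])
            kind = "driver" if section.startswith("drivers") else "service"
            if TEMP_RE.search(path):
                findings.append(Finding("high", f"{kind} image loaded from a Temp directory", line))
            elif USERLAND_RE.search(path):
                findings.append(Finding("review", f"{kind} image in a user-writable location", line))
            if "X" in flags:
                findings.append(Finding("review", f"{kind} registered but its file is missing ([X])", line))
            if "File not signed" in flags:
                findings.append(Finding("review", f"{kind} image is not digitally signed", line))
            for tag in _digit_tags(m.group("name")) | _digit_tags(path.rsplit("\\", 1)[-1]):
                tagged[tag].append(line)
        elif section.startswith("processes"):
            m = PROCESS_RE.match(line)
            if not m:
                continue
            path = m.group("path")
            if TEMP_RE.search(path):
                findings.append(Finding("high", "process running from a Temp directory", line))
            elif USERLAND_RE.search(path):
                findings.append(Finding("review", "process running from a user-writable location", line))
        elif section.startswith(("one month created", "files in the root")):
            m = FILE_RE.match(line)
            if not m:
                continue
            if "H" in m.group("attrs"):
                findings.append(Finding("review", "newly created hidden entry", line))
            for tag in _digit_tags(m.group("path").rsplit("\\", 1)[-1]):
                tagged[tag].append(line)
    # the same digit run in several otherwise unrelated names is worth a look
    for tag, lines in tagged.items():
        if len(lines) >= 2:
            for entry in lines:
                findings.append(Finding("high", f"shares the numeric tag {tag} with {len(lines) - 1} other entries", entry))
    findings.sort(key=lambda f: (f.severity != "high", f.entry))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FRST):
        print(f"[{f.severity}] {f.reason}: {f.entry}")
```

Run against a full FRST.txt by reading the file into triage(); Temp-resident drivers and the shared-digit-run cue surface the entries that belong together, while AppData and unsigned-image hits need a human judgement, since plenty of legitimate software installs there.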




#2 Oh My! (Malware Response Instructor, 36,150 posts, Location: California)

Posted 04 November 2015 - 10:49 AM

Greetings kosmikk and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

I would like to see a fresh FRST report along with the Addition.txt report. Please do this.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop <<< Important
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows logo key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • FRST results
  • Addition log
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 kosmikk

kosmikk
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Gender:Female
  • Local time:04:59 PM

Posted 04 November 2015 - 03:31 PM

Hi Gary, I'm V.

 

Since I wrote, next day my computer wasn't able to boot up and kept restart looping without end.

 

Now I'm using it with Puppy Linux; that's the only way I'm still able to access the information on the HDD and check in online. I don't know if there's a way to give you those logs through here, or if at this point it can even be saved?


Edited by kosmikk, 04 November 2015 - 03:33 PM.


#4 Oh My!

Posted 04 November 2015 - 04:11 PM

Hi V.

Before we start poking around can you tell me if you tried to boot into Safe Mode.
Gary
 

#5 kosmikk

Posted 04 November 2015 - 04:14 PM

Tried; it still keeps looping without showing me that screen where you can select Safe Mode.

 

The only thing I can access is the BIOS.



#6 Oh My!

Posted 04 November 2015 - 04:17 PM

Please disconnect all power from the computer. If it is a laptop remove the battery as well. Hold down the power button for 30 seconds. Connect the power and attempt to boot. Let me know what happens.
Gary
 

#7 kosmikk

Posted 04 November 2015 - 04:30 PM

Did that, same thing - it keeps looping.



#8 Oh My!

Posted 04 November 2015 - 04:38 PM

Just prior to being unable to boot did you modify any of the BIOS settings?
Gary
 

#9 kosmikk

Posted 04 November 2015 - 04:48 PM

I didn't modify anything before that.

 

That day when I posted, I left the computer running [with the processes multiplying... and possibly overheating the computer]; when I checked it later it was shut off, and since then it's been looping.

 

I later went into the BIOS to make USB boot up first [prior to that CD was first, HDD second], but USB won't boot, only CD.



#10 Oh My!

Posted 04 November 2015 - 04:54 PM

OK, thank you for the great explanation. Please do this.

===================================================

GET xPUD MBR Dump

--------------------

For this step you will need a USB device and a blank CD.
  • Download GETxPUD.exe to the desktop of your clean computer
  • Double click the GETxPUD icon
  • Click Run
  • Double click the GETxPUD folder which should now be on your desktop
  • Double click on get & burn
  • The program will download xpud_0.9.2.iso, and when it is finished it will open a BurnCDCC window


  • Click on Start, insert a blank CD when instructed, then click OK
  • When completed, the CD will eject for removal
  • Remove the CD and insert it and a USB device into the infected computer
  • Boot the infected computer with the CD you just burned
  • As the computer boots up gently tap F12 and choose to boot from the CD by using the keyboard arrow keys to highlight CD/DVD and then hit Enter
  • At the first screen select English
  • A Welcome to xPUD screen will appear
  • Press File
  • Under File System on the left hand side click on the triangle symbol to expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Double click on the folder that represents your USB drive (sdb1 ?).
  • If you do not see it, please remove the USB device, wait about 5 seconds, reinsert it, then click on the Refresh icon to the left of the house icon near the top of your screen. It should be added under mnt
  • On the top bar select Tool then select Open Terminal
  • Now please type the following and press Enter. Make sure there is a space between the different colors.

dd if=/dev/sda of=mbr.zip bs=512 count=1

  • After it has finished (within just a few seconds) a file will be located on your USB drive named mbr.zip
  • Remove the USB drive, insert it back in your working computer
  • Attach mbr.zip to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Attached mbr.zip

Gary
 

#11 kosmikk

Posted 04 November 2015 - 06:42 PM

Alright, it took a while, but when I pressed 'English' it didn't take me to a welcome screen; instead it went to a black screen with code. I'm including a photo of that; maybe it'll be useful.

 

PS - I couldn't restart from there, had to power off to quit it.



Edited by kosmikk, 04 November 2015 - 06:44 PM.


#12 Oh My!

Posted 04 November 2015 - 06:54 PM

The program is having difficulty with the video driver.

While I pursue alternatives can you tell me why you think the computer may have overheated?
Gary
 

#13 kosmikk

Posted 04 November 2015 - 07:04 PM

I forgot to mention in the original post: when the processes were multiplying I kept checking the temperature on Speccy, and it was jumping from 60 to 80 F all the time, and some processes, when not 'ended', would reach up to 1 GB in memory... The air in the room was also hotter when the computer was on.



#14 Oh My!

Posted 04 November 2015 - 07:08 PM

Greetings V.

OK, thanks for that information. I don't think that is dangerously hot.

Let's use this program to try to get a copy of your Master Boot Record. I am looking at either that or a physical problem with your hard drive or memory, for starters.

===================================================

Master Boot Record (MBR) Report Using Ubuntu Live CD

--------------
  • Download 10.04.4 LTS onto your desktop. This is a large file so allow it some time to download
  • Insert a CD into your CD player
  • Double click on the Ubuntu icon
  • Click Burn, then Close when completed
  • Insert a USB device into the infected computer
  • With the disk in the infected computer's CD drive, restart your computer
  • If your computer does not automatically boot from the CD please see here
  • Once the Ubuntu desktop is loaded please select English and then Try Ubuntu (be patient while the program loads)


  • Click the Dash Home icon on the left side at the top
  • Type terminal in the search box and hit Enter
  • A command prompt window will open
  • Type the following line and press Enter. Please be sure there is a space between the different colors.

sudo dd if=/dev/sda of=mbr.bin bs=512 count=1

  • If successful you will see a notation 512 bytes copied
  • Click the Home Folder which should be the third icon from the top in the left panel. You will see some folders there, as well as the mbr.bin file you just created
  • Under Devices locate your USB device
  • Drag and drop mbr.bin onto the USB
  • Click the power button icon in the upper right hand corner of the screen and select Shut Down
  • Remove the CD and USB and reboot your computer
  • Zip and attach the mbr.bin file to your next reply
===================================================

Things I would like to see in your next reply. :thumbsup2:
  • Attached mbr zip file

Gary
 
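
The two dd commands Gary gives above (in posts #10 and #14) copy only the first 512-byte sector of the disk. That sector holds the boot code (bytes 0-439), a 4-byte disk signature, the four 16-byte partition-table entries starting at offset 446, and the 0x55AA boot signature in the last two bytes. The Python script below is an added example, not code from this thread or from any BleepingComputer tool: it parses such a dump, reports the partition table, hashes the boot code so it can be compared with a known-good copy from the same Windows version, and flags the things a helper checks first (missing boot signature, more or fewer than one bootable entry, overlapping entries, invalid status bytes). SAMPLE_MBR is a constructed stand-in for a real mbr.bin; its partition layout, disk signature and stub boot code are invented.

```python
# Added example: parse and sanity-check a 512-byte MBR dump such as the one
# `dd if=/dev/sda of=mbr.bin bs=512 count=1` produces. Not part of the thread.
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
BOOTCODE_LEN = 440          # bytes 0-439: boot code; 440-443: disk signature
PART_TABLE_OFFSET = 446     # four 16-byte entries at bytes 446-509
PART_ENTRY_SIZE = 16

# Partition type bytes commonly seen on Windows 7 / dual-boot disks
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def parse_mbr(data: bytes) -> dict:
    """Return boot-signature status, a hash of the boot code, the partition
    table and a list of warnings for anything that looks malformed."""
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(data)}")

    warnings = []
    partitions = []
    for index in range(4):
        offset = PART_TABLE_OFFSET + index * PART_ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, offset)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # empty slot
        if status not in (0x00, 0x80):
            warnings.append(f"entry {index}: invalid status byte 0x{status:02x}")
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
        })

    signature_ok = data[SECTOR_SIZE - 2:] == BOOT_SIGNATURE
    if not signature_ok:
        warnings.append("boot signature 55AA missing: BIOS will not boot this disk")

    bootable = [p for p in partitions if p["bootable"]]
    if len(bootable) != 1:
        warnings.append(f"{len(bootable)} partitions flagged bootable (expected exactly 1)")

    # Overlapping partitions are a classic sign of a damaged or hand-edited table
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["lba_start"] + prev["sectors"] > cur["lba_start"]:
            warnings.append(f"entries {prev['index']} and {cur['index']} overlap")

    return {
        "signature_ok": signature_ok,
        "bootcode_sha256": hashlib.sha256(data[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": data[BOOTCODE_LEN:BOOTCODE_LEN + 4].hex(),
        "partitions": partitions,
        "warnings": warnings,
    }


def build_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one partition-table entry (CHS fields left zero; parse_mbr ignores them)."""
    return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)


# Constructed sample (invented values): a stub of boot code, a fake disk signature,
# a bootable 100 MiB "System Reserved" NTFS partition and a second NTFS partition.
SAMPLE_MBR = (
    bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(BOOTCODE_LEN, b"\x00")
    + b"\x12\x34\x56\x78" + b"\x00\x00"
    + build_entry(0x80, 0x07, 2048, 204800)
    + build_entry(0x00, 0x07, 206848, 100_000_000)
    + b"\x00" * (2 * PART_ENTRY_SIZE)
    + BOOT_SIGNATURE
)


def report(data: bytes) -> str:
    """Human-readable summary of the kind a helper would read from mbr.bin."""
    info = parse_mbr(data)
    lines = [f"boot signature: {'OK' if info['signature_ok'] else 'MISSING'}",
             f"boot code sha256: {info['bootcode_sha256']}",
             f"disk signature: {info['disk_signature']}"]
    for p in info["partitions"]:
        flag = "*" if p["bootable"] else " "
        lines.append(f"{flag} #{p['index']} type 0x{p['type']:02x} ({p['type_name']}) "
                     f"start={p['lba_start']} sectors={p['sectors']}")
    lines.extend("WARNING: " + w for w in info["warnings"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python mbr_check.py mbr.bin   (without an argument it uses SAMPLE_MBR)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MBR
    print(report(raw))
```

Run it as `python mbr_check.py mbr.bin` on the file copied to the USB stick. The boot code hash is the useful part for the comparison the helper has in mind: the 440 code bytes written by a given Windows version are identical from machine to machine, so a hash that differs from a clean install of the same version points at a modified boot sector, while the disk signature and partition entries legitimately vary per disk and are excluded from the hash.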

#15 kosmikk

Posted 04 November 2015 - 09:37 PM

Ok, here it is.

 

I don't think there's anything wrong with the RAM, since Puppy is running on it, and the HDD itself can be seen from here.

Attached Files

  • Attached File: mbr.zip (567 bytes, 6 downloads)

Edited by kosmikk, 04 November 2015 - 09:38 PM.




