Vista Random Restarts and BSOD


Mystic_Meerkatz (Junior Member, 13 posts; joined Oct 2011; experience: Intermediate) - THREAD STARTER
31-Oct-2011, 10:56 AM #1
Vista Random Restarts and BSOD
Hi, this is my first post, so I'm new here. I am running Windows Vista Home Premium 32 bit. I get random BSOD restarts and these can happen from about 20-180 minutes from the time I boot up the computer. I have Malwarebytes, SUPERAntiSpyware and IObit Malware Fighter installed, and I managed to run them all once, but just before the scans finished, the programs crashed. I have never been able to start any of the programs again since; every time I try, it just comes up with an error, reading: 'Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item'. And also, I noticed that my free hard drive space had gone down from 74 GB to 27 GB... I don't know whether that has anything to do with it, but I certainly haven't downloaded anything that size. Thanks
kevinf80 (Kevin) (Malware Removal Specialist, 9,711 posts; joined Mar 2006; Sunderland UK; authorized to help remove malware)
31-Oct-2011, 03:55 PM #2
Run the following, copy and paste both logs to your next reply:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
        1. DDS.txt
        2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Kevin
Mystic_Meerkatz - THREAD STARTER
01-Nov-2011, 12:02 PM #3
Hi Kevin, the scan ran successfully, and the logs are as follows:

The DDS .txt file contained:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by andrea at 16:50:27 on 2011-11-01
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1015.244 [GMT 0:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\2287287126:2848238199.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Game Booster\gbtray.exe
C:\Windows\explorer.exe
C:\Windows\System32\svchost.exe -k Akamai
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\mcupdate.EXE
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uSearch Bar = Preserve
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=Pavilion&pf=desktop
mSearchAssistant =
uURLSearchHooks: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.7\iobitToolbarIE.dll
uURLSearchHooks: H - No File
uWinlogon: Shell=c:\users\andrea\appdata\local\563b5588\X
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.7\iobitToolbarIE.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - No File
BHO: CescrtHlpr Object: {64182481-4f71-486b-a045-b233bd0da8fc} - c:\program files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: UrlHelper Class: {74322bf9-df26-493f-b0da-6d2fc5e6429e} - c:\program files\bearshare applications\bearshare mediabar\BearShareIEHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\hyperionics db toolbar\tbcore3.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: BT Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: BearShare MediaBar: {d3dee18f-db64-4beb-9ff1-e1f0a5033e4a} - c:\program files\bearshare applications\bearshare mediabar\BearShareMediaBar.dll
TB: @c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
TB: Hyperionics DB Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - c:\program files\hyperionics db toolbar\tbcore3.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.7\iobitToolbarIE.dll
TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Facebook Update] "c:\users\andrea\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [0Y4Y3X5Y6DUXWU2WBBXNI] c:\cadat.bin\061327E16B1.exe /q
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [<NO NAME>]
mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
mRun: [facemoods] "c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: mswsock.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{591E5CB6-BA0C-4CFD-9592-9641189BA0A3} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{F051EF43-EFF3-44CB-9141-0DEE6AD6868F} : DhcpNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\andrea\application data\mozilla\firefox\profiles\zmkl9zob.default\
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=382950&p=
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\andrea\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20080305.002\IDSvix86.sys [2008-3-6 261680]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-10-1 21504]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-1 21504]
R3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2011-9-15 464384]
R3 SAAVideo;%SAADriver%;c:\windows\system32\drivers\SAAVideo.sys [2010-4-9 26624]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-10-3 37936]
S2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]
S2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-9-27 745880]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9f356f95a1633;Google Update Service (gupdate1c9f356f95a1633);c:\program files\google\update\GoogleUpdate.exe [2009-6-22 133104]
S2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-10-29 820568]
S3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\FileMonitor.sys [2011-10-29 18768]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-5-6 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-22 133104]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\RegFilter.sys [2011-10-29 30600]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2009-5-30 1251720]
S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\UrlFilter.sys [2011-10-29 19792]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-11-01 16:45:59 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1f045b0f-be4a-4275-af1b-0baf5ebeca13}\offreg.dll
2011-11-01 16:45:53 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1f045b0f-be4a-4275-af1b-0baf5ebeca13}\mpengine.dll
2011-10-30 00:18:45 -------- d-----w- c:\program files\MAXON
2011-10-29 22:31:04 -------- d-----w- c:\program files\facemoods.com
2011-10-29 22:30:28 -------- d-----w- c:\programdata\Premium
2011-10-29 22:30:24 -------- d-----w- c:\programdata\InstallMate
2011-10-26 22:31:51 -------- d---a-w- C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.Z...Z.ZZ..Z.Z
2011-10-26 21:54:52 -------- d---a-w- C:\3590F75ABA9E485486C100C1A9D4FF06Z.Z.ZZ.Z.Z..Z.ZZ
2011-10-26 21:19:14 -------- d---a-w- C:\3590F75ABA9E485486C100C1A9D4FF06Z.ZZZZZ..Z.ZZZ.Z
2011-10-26 10:44:39 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-25 22:15:06 -------- d-sh--w- c:\users\andrea\appdata\local\563b5588
2011-10-23 20:02:49 -------- d-----w- c:\programdata\MAGIX
2011-10-23 20:02:46 -------- d-----w- c:\program files\common files\MAGIX Services
2011-10-23 13:29:07 -------- d-----w- C:\tmp
2011-10-23 12:28:24 -------- d-----w- c:\users\andrea\.thumbnails
2011-10-23 11:50:32 -------- d-----w- c:\program files\ExperimentalScene
2011-10-13 20:58:54 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-13 20:58:54 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-13 20:58:54 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-13 20:58:54 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-12 19:31:11 -------- d-----w- c:\program files\Application Updater
2011-10-12 19:31:10 -------- d-----w- c:\program files\IObit Toolbar
2011-10-12 08:01:33 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-12 08:01:33 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-12 08:01:33 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-12 08:01:33 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-12 08:01:32 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-12 08:01:26 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-10-11 13:38:50 -------- d-----w- C:\a67c1eef30df046e9b42b9b0661c44
2011-10-10 16:05:31 -------- d-----w- c:\program files\Sony
2011-10-09 20:47:34 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2011-10-09 20:47:16 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2011-10-09 20:45:29 -------- d-----w- c:\windows\system32\RsFx
2011-10-09 20:44:20 -------- d-----w- c:\windows\system32\1033
2011-10-09 20:38:58 -------- d-----w- c:\program files\Microsoft SQL Server
2011-10-09 20:38:24 -------- d-----w- c:\program files\Microsoft Synchronization Services
2011-10-09 20:37:23 181728 ----a-w- c:\programdata\microsoft\vcsexpress\10.0\1033\ResourceCache.dll
2011-10-09 20:34:41 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2011-10-09 20:34:41 -------- d-----w- c:\program files\Microsoft Help Viewer
2011-10-09 10:11:49 -------- d-----w- c:\users\andrea\appdata\local\GameTuts
2011-10-04 19:34:09 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-10-04 19:34:09 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-10-02 20:36:50 -------- d-----w- c:\program files\common files\Solveig Multimedia
.
==================== Find3M ====================
.
2011-10-23 16:07:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-01 02:35:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-09-01 02:28:15 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-09-01 02:22:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-08-31 16:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 16:53:30.97 ===============

The Attach .txt file contained:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 18/10/2007 22:51:12
System Uptime: 01/11/2011 16:32:58 (0 hours ago)
.
Motherboard: ECS | | Livermore8
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | CPU 1 | 3000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 142 GiB total, 26.288 GiB free.
D: is FIXED (NTFS) - 7 GiB total, 0.954 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
ActiveCheck component for HP Active Support Library
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player 11.6
Akamai NetSession Interface
Any Video Converter 3.2.3
AppCore
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AV
Bing Bar Platform
BitTorrent
BT Broadband Desktop Help
BT Wireless Connection Manager
BT Yahoo! Applications
BTHomeHub
BufferChm
ccCommon
D1400
D1400_Help
D3DX10
DeviceDiscovery
DeviceManagementQFolder
DivX Setup
dj_sf_ProductContext
dj_sf_software
dj_sf_software_req
Facebook Video Calling 1.0.0.8714
Facemoods Toolbar
Free Audio Converter version 2.3.2.804
Free RAR Extract Frog
Game Booster
GameSpy Arcade
Google Toolbar for Internet Explorer
Google Update Helper
GoToAssist Corporate
Highlight Viewer (Windows Live Toolbar)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Feedback
HP Deskjet Printer Driver Software 9.0
HP Imaging Device Functions 9.0
HP On-Screen Cap/Num/Scroll Lock Indicator
HP Photosmart Essential 2.01
HP Photosmart Essential2.01
HP Update
HPAsset component for HP Active Support Library
HPSSupply
HyperCam 3
Hyperionics DB Toolbar
Intel(R) Graphics Media Accelerator Driver
Internet From BT
IObit Malware Fighter
IObit Toolbar v4.7
Java Auto Updater
Java(TM) 6 Update 26
Java(TM) SE Runtime Environment 6 Update 1
Junk Mail filter update
LightScribe 1.8.15.1
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware version 1.51.2.1300
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Application Error Reporting
Microsoft Help Viewer 1.0
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server System CLR Types
Microsoft SQL Server VSS Writer
Microsoft Visual C# 2010 Express - ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Windows Media Video 9 VCM
Microsoft Works
Mozilla Firefox 7.0.1 (x86 en-GB)
MSRedist
MSVCRT
MSVCRT Redists
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton PC Checkup
Norton Protection Center
OGA Notifier 2.0.0048.0
Pando Media Booster
PanoStandAlone
PC MightyMax 2011
PSSWCORE
Python 2.5
QuickTime
Realtek High Definition Audio Driver
Roxio Activation Module
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft Visual C# 2010 Express - ENU (KB2251489)
Segoe UI
Service Pack 1 for SQL Server 2008 (KB968369)
Smart Menus (Windows Live Toolbar)
SPBBC 32bit
Sql Server Customer Experience Improvement Program
Status
Steam
swMSM
Symantec Real Time Storage Protection Component
SymNet
Text-To-Speech-Runtime
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
VC80CRTRedist - 8.0.50727.6195
Vegas Pro 10.0
VideoToolkit01
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
WebReg
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Favorites for Windows Live Toolbar
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
WinRAR 4.01 (32-bit)
Youtube Downloader HD v. 2.6
.
==== Event Viewer Messages From Past Week ========
.
31/10/2011 22:26:32, Error: EventLog [6008] - The previous system shutdown at 22:25:26 on 31/10/2011 was unexpected.
31/10/2011 15:37:20, Error: EventLog [6008] - The previous system shutdown at 15:35:20 on 31/10/2011 was unexpected.
30/10/2011 18:47:11, Error: EventLog [6008] - The previous system shutdown at 18:45:40 on 30/10/2011 was unexpected.
30/10/2011 18:14:51, Error: Service Control Manager [7034] - The FABS - Helping agent for MAGIX media database service terminated unexpectedly. It has done this 1 time(s).
30/10/2011 11:26:20, Error: EventLog [6008] - The previous system shutdown at 05:05:47 on 30/10/2011 was unexpected.
30/10/2011 03:03:45, Error: EventLog [6008] - The previous system shutdown at 02:43:08 on 30/10/2011 was unexpected.
30/10/2011 03:03:38, Error: volsnap [27] - The shadow copies of volume C: were aborted during detection because a critical control file could not be opened.
30/10/2011 03:03:24, Error: volsnap [25] - The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time. Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.
29/10/2011 22:33:04, Error: EventLog [6008] - The previous system shutdown at 22:31:40 on 29/10/2011 was unexpected.
29/10/2011 19:02:09, Error: EventLog [6008] - The previous system shutdown at 18:59:48 on 29/10/2011 was unexpected.
27/10/2011 11:48:55, Error: EventLog [6008] - The previous system shutdown at 23:52:12 on 26/10/2011 was unexpected.
26/10/2011 22:57:39, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
26/10/2011 22:51:10, Error: EventLog [6008] - The previous system shutdown at 22:48:37 on 26/10/2011 was unexpected.
26/10/2011 22:15:36, Error: EventLog [6008] - The previous system shutdown at 14:17:53 on 26/10/2011 was unexpected.
26/10/2011 14:16:53, Error: EventLog [6008] - The previous system shutdown at 14:14:21 on 26/10/2011 was unexpected.
26/10/2011 11:19:47, Error: EventLog [6008] - The previous system shutdown at 11:17:54 on 26/10/2011 was unexpected.
26/10/2011 10:18:54, Error: EventLog [6008] - The previous system shutdown at 10:17:12 on 26/10/2011 was unexpected.
26/10/2011 02:23:43, Error: Microsoft-Windows-Windows Defender [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?link...hreatid=166941 Scan ID: {D25BD33C-0A7C-484F-A108-BD02B507AA99} Scan Type: AntiMalware User: NT AUTHORITY\NETWORK SERVICE Name: Trojan:Win32/Sirefef.O ID: 166941 Severity ID: 5 Category ID: 8 Path: Action: Remove Error Code: 0x80508017 Error description: Some actions couldn't be applied to potentially harmful items. The items might be stored in a read-only location. Delete the files or folders that contains the items or, for information on removing read-only permissions from files and folders, see Help and Support.
01/11/2011 16:36:45, Error: Service Control Manager [7000] - The HP Health Check Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
01/11/2011 16:36:44, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Health Check Service service to connect.
01/11/2011 16:34:59, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SQL Server VSS Writer service to connect.
01/11/2011 16:34:59, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SAS Core Service service to connect.
01/11/2011 16:34:59, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the IMF Service service to connect.
01/11/2011 16:34:59, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Application Updater service to connect.
01/11/2011 16:34:59, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.
01/11/2011 16:34:59, Error: Service Control Manager [7000] - The SQL Server VSS Writer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
01/11/2011 16:34:59, Error: Service Control Manager [7000] - The SAS Core Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
01/11/2011 16:34:59, Error: Service Control Manager [7000] - The IMF Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
01/11/2011 16:34:59, Error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
01/11/2011 16:33:27, Error: EventLog [6008] - The previous system shutdown at 16:31:57 on 01/11/2011 was unexpected.
01/11/2011 16:23:57, Error: EventLog [6008] - The previous system shutdown at 16:20:51 on 01/11/2011 was unexpected.
.
==== End Of File ===========================



Thanks

Chris
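The Event Log section of a DDS report (as in Chris's log above) is easier to triage when summarised by Event ID. The following is an added example, not part of the thread or the DDS tool: a small parser for that line format that counts events, lists the services that timed out or failed to start (IDs 7009/7000) and extracts the unexpected-shutdown times (ID 6008); the sample lines are copied from the log posted above.

```python
import re
from collections import Counter

# DDS Event Log line format: "dd/mm/yyyy hh:mm:ss, Level: Source [EventID] - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
# Service name as it appears in SCM 7000/7009 messages ("the X service failed to start" / "the X service to connect")
SERVICE_RE = re.compile(r"the (?P<svc>.+?) service (?:to connect|failed to start)", re.IGNORECASE)
# Shutdown timestamp inside EventLog 6008 messages
SHUTDOWN_RE = re.compile(r"shutdown at (?P<time>\S+) on (?P<date>\S+) was unexpected")

# Sample input: lines taken from the DDS log posted in this thread
SAMPLE_LOG = [
    "01/11/2011 16:36:45, Error: Service Control Manager [7000] - The HP Health Check Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.",
    "01/11/2011 16:36:44, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Health Check Service service to connect.",
    "01/11/2011 16:34:59, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SQL Server VSS Writer service to connect.",
    "01/11/2011 16:34:59, Error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.",
    "01/11/2011 16:33:27, Error: EventLog [6008] - The previous system shutdown at 16:31:57 on 01/11/2011 was unexpected.",
    "01/11/2011 16:23:57, Error: EventLog [6008] - The previous system shutdown at 16:20:51 on 01/11/2011 was unexpected.",
]

def parse_line(line):
    """Parse one DDS event line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["eid"] = int(rec["eid"])
    return rec

def summarise(lines):
    """Count events per ID, collect services that failed/timed out, and list unexpected shutdowns."""
    by_id = Counter()
    failed_services = set()
    unexpected = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip headers, blank lines and the trailing "." marker
        by_id[rec["eid"]] += 1
        if rec["source"] == "Service Control Manager" and rec["eid"] in (7000, 7009):
            sm = SERVICE_RE.search(rec["msg"])
            if sm:
                failed_services.add(sm.group("svc"))
        elif rec["source"] == "EventLog" and rec["eid"] == 6008:
            sd = SHUTDOWN_RE.search(rec["msg"])
            if sd:
                unexpected.append(f"{sd.group('date')} {sd.group('time')}")
    return {"by_id": dict(by_id), "failed_services": sorted(failed_services), "unexpected_shutdowns": unexpected}

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

A cluster of 7009/7000 entries for unrelated third-party services right after a 6008 entry is the pattern visible in the log above: the services are all timing out in the same boot after an unexpected shutdown, which is worth correlating with the BSOD times Chris reported.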
kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK
01-Nov-2011, 12:28 PM #4
Hiya Chris,

You have a ZeroAccess rootkit infection, do the following :-

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

Link 1
Link 2
  • Ensure that Combofix is saved directly to the Desktop <--- Very important

    Before saving Combofix to the Desktop re-name to Gotcha.exe as below:



  • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available Here if required.
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in next reply please...

Kevin

Last edited by kevinf80; 01-Nov-2011 at 03:15 PM.. Reason: Typing error
Mystic_Meerkatz (thread starter)
01-Nov-2011, 02:14 PM #5
Ok, I did all of that, and Firefox doesn't seem to be freezing constantly like it did before! My computer had to restart because a rootkit was detected, but after the whole process had completed, no log was shown. What to do?

Thanks again

Chris
kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK
01-Nov-2011, 03:14 PM #6
Hiya Chris,

Apologies, I gave two sets of instructions for running Combofix. Did you use both or only the first one? If Combofix completed successfully the log will be here: C:\Combofix.txt

Select > Start > Computer > double click on C:\ and you should see Combofix.txt you may have to scroll to it...
Mystic_Meerkatz (thread starter)
01-Nov-2011, 03:41 PM #7
Hi Kevin,

I only used the first set of instructions, and I have looked in C:\ but failed to find the Combofix.txt file. I found 2 folders: Gotcha.exe, and Gotcha.exe15507G. But neither of these contain the log either. What should I do now?

Chris
kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK
01-Nov-2011, 03:51 PM #8
Is this folder present: C:\Qoobox? Have a look in there. Also if Combofix-Quarantine-files.txt is in there let me see that.
Mystic_Meerkatz (thread starter)
01-Nov-2011, 07:03 PM #9
There is a folder called Qoobox, and I have looked through all of its contents and the only .txt file that is in there is one called catchme.txt. Otherwise, nothing.

Thanks

Chris
kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK
01-Nov-2011, 07:07 PM #10
Re-run Combofix, if it prompts to update allow it. Post the log if produced....
Mystic_Meerkatz (thread starter)
02-Nov-2011, 03:37 PM #11
Ok, I re-ran Combofix, I did get a log this time, but some serious problems have come with it. It will not let me open or run anything, whether it's Google Chrome, Control Panel or ANYTHING. I can't run it. Also, it won't let me use my keyboard at all. I had to use the on-screen keyboard just to log in! I am sending this message via my laptop, so there is no way I could give you the log, unless I sat there for hours copying it all out. But I can tell you that when I click on something to run it, it comes up with an error. For example, I double click Google Chrome on my desktop, and this error appears: C:\Users\chris\AppData\Local\Google\Chrome\Application\chrome.exe

Illegal operation attempted on a registry key that has been marked for deletion.

Any ideas?

Chris
kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK
02-Nov-2011, 03:47 PM #12
Did you see this in the instructions for running CF?

If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Re-boot and give an update on issues
Mystic_Meerkatz (thread starter)
02-Nov-2011, 03:51 PM #13
Ah, ok. I did see a warning, but not that one. I'll try restarting now.

Thanks
Mystic_Meerkatz (thread starter)
02-Nov-2011, 04:00 PM #14
Ok, I have restarted my computer. I was still unable to use my keyboard, and for some reason, my desktop background has been changed to one that I had around a year and a half ago. It will now let me run things, but as I said, I cannot type using my keyboard. I have searched for the log and have again failed to find it. I did find 2 more .txt files that weren't there before, in the Qoobox folder. They are named 'Add-Remove Programs' and 'Combofix-quarantined-files'
kevinf80 (Kevin), Malware Removal Specialist, Sunderland UK
02-Nov-2011, 04:09 PM #15
Unplug your keyboard from the PC and reboot. When the Desktop is stable plug the keyboard back in. Does Windows see it and attribute a driver? Does it now work?
Let me see the two text files you mentioned if possible....