
Vista Random Restarts and BSOD

Discussion in 'Virus & Other Malware Removal' started by Mystic_Meerkatz, Oct 31, 2011.

  1. Mystic_Meerkatz

    Mystic_Meerkatz Thread Starter

    Joined:
    Oct 30, 2011
    Messages:
    13
    Hi, this is my first post, so I'm new here. I am running Windows Vista Home Premium 32-bit. I get random BSOD restarts, and these can happen from about 20-180 minutes from the time I boot up the computer. I have Malwarebytes, SUPERAntiSpyware and IObit Malware Fighter installed, and I managed to run them all once, but just before the scans finished, the programs crashed. I have never been able to start any of the programs again since; every time I try, it just comes up with an error, reading: 'Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item'. Also, I noticed that my free hard drive space had gone down from 74 GB to 27 GB... I don't know whether that has anything to do with it, but I certainly haven't downloaded anything that size. Thanks :)
     
  2. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,155
    Run the following, copy and paste both logs to your next reply:

    • Download DDS by sUBs from one of the following links. Save it to your desktop.
    • Double click on the DDS icon, allow it to run.
    • A small box will open, with an explanation about the tool.
    • When done, DDS will open two (2) logs
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop.
    • The instructions here ask you to attach the Attach.txt.
    • Instead of attaching, please copy/paste both logs into your next reply.
    • Close the program window, and delete the program from your desktop.
    Please note: You may have to disable any script protection running if the scan fails to run.
    After downloading the tool, disconnect from the internet and disable all antivirus protection.
    Run the scan, enable your A/V and reconnect to the internet.
    Information on A/V control HERE

    Kevin
     
  3. Mystic_Meerkatz

    Mystic_Meerkatz Thread Starter

    Joined:
    Oct 30, 2011
    Messages:
    13
    Hi Kevin, the scan ran successfully, and the logs are as follows:

    The DDS .txt file contained:
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
    Run by andrea at 16:50:27 on 2011-11-01
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1015.244 [GMT 0:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\2287287126:2848238199.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\IObit\Game Booster\gbtray.exe
    C:\Windows\explorer.exe
    C:\Windows\System32\svchost.exe -k Akamai
    c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Windows\system32\svchost.exe -k hpdevmgmt
    c:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Common Files\Steam\SteamService.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\ehome\mcupdate.EXE
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page =
    uSearch Bar = Preserve
    uStart Page = hxxp://www.google.co.uk/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=Pavilion&pf=desktop
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=74&bd=Pavilion&pf=desktop
    mSearchAssistant =
    uURLSearchHooks: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.7\iobitToolbarIE.dll
    uURLSearchHooks: H - No File
    uWinlogon: Shell=c:\users\andrea\appdata\local\563b5588\X
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.7\iobitToolbarIE.dll
    BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
    BHO: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - No File
    BHO: CescrtHlpr Object: {64182481-4f71-486b-a045-b233bd0da8fc} - c:\program files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: UrlHelper Class: {74322bf9-df26-493f-b0da-6d2fc5e6429e} - c:\program files\bearshare applications\bearshare mediabar\BearShareIEHelper.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SMTTB2009 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\hyperionics db toolbar\tbcore3.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
    TB: BT Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: BearShare MediaBar: {d3dee18f-db64-4beb-9ff1-e1f0a5033e4a} - c:\program files\bearshare applications\bearshare mediabar\BearShareMediaBar.dll
    TB: @c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\6.3.2322.0\npwinext.dll
    TB: Hyperionics DB Toolbar: {338b4dfe-2e2c-4338-9e41-e176d497299e} - c:\program files\hyperionics db toolbar\tbcore3.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: IObit Toolbar: {0bda0769-fd72-49f4-9266-e1fb004f4d8f} - c:\program files\iobit toolbar\ie\4.7\iobitToolbarIE.dll
    TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    uRun: [Facebook Update] "c:\users\andrea\appdata\local\facebook\update\FacebookUpdate.exe" /c /nocrashserver
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [0Y4Y3X5Y6DUXWU2WBBXNI] c:\cadat.bin\061327E16B1.exe /q
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [<NO NAME>]
    mRun: [SearchSettings] "c:\program files\common files\spigot\search settings\SearchSettings.exe"
    mRun: [facemoods] "c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I
    dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    LSP: mswsock.dll
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{591E5CB6-BA0C-4CFD-9592-9641189BA0A3} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{F051EF43-EFF3-44CB-9141-0DEE6AD6868F} : DhcpNameServer = 192.168.1.254
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\andrea\application data\mozilla\firefox\profiles\zmkl9zob.default\
    FF - prefs.js: browser.search.selectedEngine - MyStart Search
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=382950&p=
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\andrea\appdata\local\facebook\video\skype\npFacebookVideoCalling.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20080305.002\IDSvix86.sys [2008-3-6 261680]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-10-1 21504]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-1 21504]
    R3 netr73;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2011-9-15 464384]
    R3 SAAVideo;% SAADriver%;c:\windows\system32\drivers\SAAVideo.sys [2010-4-9 26624]
    R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2008-10-3 37936]
    S2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]
    S2 Application Updater;Application Updater;c:\program files\application updater\ApplicationUpdater.exe [2011-9-27 745880]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate1c9f356f95a1633;Google Update Service (gupdate1c9f356f95a1633);c:\program files\google\update\GoogleUpdate.exe [2009-6-22 133104]
    S2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-10-29 820568]
    S3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\FileMonitor.sys [2011-10-29 18768]
    S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-5-6 39272]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-6-22 133104]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\RegFilter.sys [2011-10-29 30600]
    S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2009-5-30 1251720]
    S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wlh_x86\UrlFilter.sys [2011-10-29 19792]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
    .
    =============== Created Last 30 ================
    .
    2011-11-01 16:45:59 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1f045b0f-be4a-4275-af1b-0baf5ebeca13}\offreg.dll
    2011-11-01 16:45:53 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1f045b0f-be4a-4275-af1b-0baf5ebeca13}\mpengine.dll
    2011-10-30 00:18:45 -------- d-----w- c:\program files\MAXON
    2011-10-29 22:31:04 -------- d-----w- c:\program files\facemoods.com
    2011-10-29 22:30:28 -------- d-----w- c:\programdata\Premium
    2011-10-29 22:30:24 -------- d-----w- c:\programdata\InstallMate
    2011-10-26 22:31:51 -------- d---a-w- C:\3590F75ABA9E485486C100C1A9D4FF06ZZ.Z...Z.ZZ..Z.Z
    2011-10-26 21:54:52 -------- d---a-w- C:\3590F75ABA9E485486C100C1A9D4FF06Z.Z.ZZ.Z.Z..Z.ZZ
    2011-10-26 21:19:14 -------- d---a-w- C:\3590F75ABA9E485486C100C1A9D4FF06Z.ZZZZZ..Z.ZZZ.Z
    2011-10-26 10:44:39 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-10-25 22:15:06 -------- d-sh--w- c:\users\andrea\appdata\local\563b5588
    2011-10-23 20:02:49 -------- d-----w- c:\programdata\MAGIX
    2011-10-23 20:02:46 -------- d-----w- c:\program files\common files\MAGIX Services
    2011-10-23 13:29:07 -------- d-----w- C:\tmp
    2011-10-23 12:28:24 -------- d-----w- c:\users\andrea\.thumbnails
    2011-10-23 11:50:32 -------- d-----w- c:\program files\ExperimentalScene
    2011-10-13 20:58:54 563712 ----a-w- c:\windows\system32\oleaut32.dll
    2011-10-13 20:58:54 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2011-10-13 20:58:54 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-10-13 20:58:54 238080 ----a-w- c:\windows\system32\oleacc.dll
    2011-10-12 19:31:11 -------- d-----w- c:\program files\Application Updater
    2011-10-12 19:31:10 -------- d-----w- c:\program files\IObit Toolbar
    2011-10-12 08:01:33 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
    2011-10-12 08:01:33 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
    2011-10-12 08:01:33 293376 ----a-w- c:\windows\system32\psisdecd.dll
    2011-10-12 08:01:33 217088 ----a-w- c:\windows\system32\psisrndr.ax
    2011-10-12 08:01:32 2043392 ----a-w- c:\windows\system32\win32k.sys
    2011-10-12 08:01:26 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-10-11 13:38:50 -------- d-----w- C:\a67c1eef30df046e9b42b9b0661c44
    2011-10-10 16:05:31 -------- d-----w- c:\program files\Sony
    2011-10-09 20:47:34 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
    2011-10-09 20:47:16 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
    2011-10-09 20:45:29 -------- d-----w- c:\windows\system32\RsFx
    2011-10-09 20:44:20 -------- d-----w- c:\windows\system32\1033
    2011-10-09 20:38:58 -------- d-----w- c:\program files\Microsoft SQL Server
    2011-10-09 20:38:24 -------- d-----w- c:\program files\Microsoft Synchronization Services
    2011-10-09 20:37:23 181728 ----a-w- c:\programdata\microsoft\vcsexpress\10.0\1033\ResourceCache.dll
    2011-10-09 20:34:41 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
    2011-10-09 20:34:41 -------- d-----w- c:\program files\Microsoft Help Viewer
    2011-10-09 10:11:49 -------- d-----w- c:\users\andrea\appdata\local\GameTuts
    2011-10-04 19:34:09 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-10-04 19:34:09 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-10-02 20:36:50 -------- d-----w- c:\program files\common files\Solveig Multimedia
    .
    ==================== Find3M ====================
    .
    2011-10-23 16:07:42 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-01 02:35:59 1798144 ----a-w- c:\windows\system32\jscript9.dll
    2011-09-01 02:28:15 1126912 ----a-w- c:\windows\system32\wininet.dll
    2011-09-01 02:22:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2011-08-31 16:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    ============= FINISH: 16:53:30.97 ===============
    The Attach .txt file contained:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 18/10/2007 22:51:12
    System Uptime: 01/11/2011 16:32:58 (0 hours ago)
    .
    Motherboard: ECS | | Livermore8
    Processor: Intel(R) Pentium(R) D CPU 3.00GHz | CPU 1 | 3000/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 142 GiB total, 26.288 GiB free.
    D: is FIXED (NTFS) - 7 GiB total, 0.954 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    ActiveCheck component for HP Active Support Library
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Shockwave Player 11.6
    Akamai NetSession Interface
    Any Video Converter 3.2.3
    AppCore
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AV
    Bing Bar Platform
    BitTorrent
    BT Broadband Desktop Help
    BT Wireless Connection Manager
    BT Yahoo! Applications
    BTHomeHub
    BufferChm
    ccCommon
    D1400
    D1400_Help
    D3DX10
    DeviceDiscovery
    DeviceManagementQFolder
    DivX Setup
    dj_sf_ProductContext
    dj_sf_software
    dj_sf_software_req
    Facebook Video Calling 1.0.0.8714
    Facemoods Toolbar
    Free Audio Converter version 2.3.2.804
    Free RAR Extract Frog
    Game Booster
    GameSpy Arcade
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToAssist Corporate
    Highlight Viewer (Windows Live Toolbar)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Active Support Library 32 bit components
    HP Customer Feedback
    HP Deskjet Printer Driver Software 9.0
    HP Imaging Device Functions 9.0
    HP On-Screen Cap/Num/Scroll Lock Indicator
    HP Photosmart Essential 2.01
    HP Photosmart Essential2.01
    HP Update
    HPAsset component for HP Active Support Library
    HPSSupply
    HyperCam 3
    Hyperionics DB Toolbar
    Intel(R) Graphics Media Accelerator Driver
    Internet From BT
    IObit Malware Fighter
    IObit Toolbar v4.7
    Java Auto Updater
    Java(TM) 6 Update 26
    Java(TM) SE Runtime Environment 6 Update 1
    Junk Mail filter update
    LightScribe 1.8.15.1
    LiveUpdate Notice (Symantec Corporation)
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Map Button (Windows Live Toolbar)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft Help Viewer 1.0
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2008
    Microsoft SQL Server 2008 Browser
    Microsoft SQL Server 2008 Common Files
    Microsoft SQL Server 2008 Database Engine Services
    Microsoft SQL Server 2008 Database Engine Shared
    Microsoft SQL Server 2008 Native Client
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server 2008 RsFx Driver
    Microsoft SQL Server 2008 Setup Support Files
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server System CLR Types
    Microsoft SQL Server VSS Writer
    Microsoft Visual C# 2010 Express - ENU
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Windows Media Video 9 VCM
    Microsoft Works
    Mozilla Firefox 7.0.1 (x86 en-GB)
    MSRedist
    MSVCRT
    MSVCRT Redists
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    Norton AntiVirus
    Norton Confidential Browser Component
    Norton Confidential Web Protection Component
    Norton Internet Security
    Norton Internet Security (Symantec Corporation)
    Norton PC Checkup
    Norton Protection Center
    OGA Notifier 2.0.0048.0
    Pando Media Booster
    PanoStandAlone
    PC MightyMax 2011
    PSSWCORE
    Python 2.5
    QuickTime
    Realtek High Definition Audio Driver
    Roxio Activation Module
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft Visual C# 2010 Express - ENU (KB2251489)
    Segoe UI
    Service Pack 1 for SQL Server 2008 (KB968369)
    Smart Menus (Windows Live Toolbar)
    SPBBC 32bit
    Sql Server Customer Experience Improvement Program
    Status
    Steam
    swMSM
    Symantec Real Time Storage Protection Component
    SymNet
    Text-To-Speech-Runtime
    Toolbox
    TrayApp
    UnloadSupport
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    VC80CRTRedist - 8.0.50727.6195
    Vegas Pro 10.0
    VideoToolkit01
    Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
    WebReg
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Favorites for Windows Live Toolbar
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Mail
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live Toolbar Extension (Windows Live Toolbar)
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    WinRAR 4.01 (32-bit)
    Youtube Downloader HD v. 2.6
    .
    ==== Event Viewer Messages From Past Week ========
    .
    31/10/2011 22:26:32, Error: EventLog [6008] - The previous system shutdown at 22:25:26 on 31/10/2011 was unexpected.
    31/10/2011 15:37:20, Error: EventLog [6008] - The previous system shutdown at 15:35:20 on 31/10/2011 was unexpected.
    30/10/2011 18:47:11, Error: EventLog [6008] - The previous system shutdown at 18:45:40 on 30/10/2011 was unexpected.
    30/10/2011 18:14:51, Error: Service Control Manager [7034] - The FABS - Helping agent for MAGIX media database service terminated unexpectedly. It has done this 1 time(s).
    30/10/2011 11:26:20, Error: EventLog [6008] - The previous system shutdown at 05:05:47 on 30/10/2011 was unexpected.
    30/10/2011 03:03:45, Error: EventLog [6008] - The previous system shutdown at 02:43:08 on 30/10/2011 was unexpected.
    30/10/2011 03:03:38, Error: volsnap [27] - The shadow copies of volume C: were aborted during detection because a critical control file could not be opened.
    30/10/2011 03:03:24, Error: volsnap [25] - The shadow copies of volume C: were deleted because the shadow copy storage could not grow in time. Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.
    29/10/2011 22:33:04, Error: EventLog [6008] - The previous system shutdown at 22:31:40 on 29/10/2011 was unexpected.
    29/10/2011 19:02:09, Error: EventLog [6008] - The previous system shutdown at 18:59:48 on 29/10/2011 was unexpected.
    27/10/2011 11:48:55, Error: EventLog [6008] - The previous system shutdown at 23:52:12 on 26/10/2011 was unexpected.
    26/10/2011 22:57:39, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    26/10/2011 22:51:10, Error: EventLog [6008] - The previous system shutdown at 22:48:37 on 26/10/2011 was unexpected.
    26/10/2011 22:15:36, Error: EventLog [6008] - The previous system shutdown at 14:17:53 on 26/10/2011 was unexpected.
    26/10/2011 14:16:53, Error: EventLog [6008] - The previous system shutdown at 14:14:21 on 26/10/2011 was unexpected.
    26/10/2011 11:19:47, Error: EventLog [6008] - The previous system shutdown at 11:17:54 on 26/10/2011 was unexpected.
    26/10/2011 10:18:54, Error: EventLog [6008] - The previous system shutdown at 10:17:12 on 26/10/2011 was unexpected.
    26/10/2011 02:23:43, Error: Microsoft-Windows-Windows Defender [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Sirefef.O&threatid=166941 Scan ID: {D25BD33C-0A7C-484F-A108-BD02B507AA99} Scan Type: AntiMalware User: NT AUTHORITY\NETWORK SERVICE Name: Trojan:Win32/Sirefef.O ID: 166941 Severity ID: 5 Category ID: 8 Path: Action: Remove Error Code: 0x80508017 Error description: Some actions couldn't be applied to potentially harmful items. The items might be stored in a read-only location. Delete the files or folders that contains the items or, for information on removing read-only permissions from files and folders, see Help and Support.
    01/11/2011 16:36:45, Error: Service Control Manager [7000] - The HP Health Check Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    01/11/2011 16:36:44, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Health Check Service service to connect.
    01/11/2011 16:34:59, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SQL Server VSS Writer service to connect.
    01/11/2011 16:34:59, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SAS Core Service service to connect.
    01/11/2011 16:34:59, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the IMF Service service to connect.
    01/11/2011 16:34:59, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Application Updater service to connect.
    01/11/2011 16:34:59, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.
    01/11/2011 16:34:59, Error: Service Control Manager [7000] - The SQL Server VSS Writer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    01/11/2011 16:34:59, Error: Service Control Manager [7000] - The SAS Core Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    01/11/2011 16:34:59, Error: Service Control Manager [7000] - The IMF Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    01/11/2011 16:34:59, Error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    01/11/2011 16:33:27, Error: EventLog [6008] - The previous system shutdown at 16:31:57 on 01/11/2011 was unexpected.
    01/11/2011 16:23:57, Error: EventLog [6008] - The previous system shutdown at 16:20:51 on 01/11/2011 was unexpected.
    .
    ==== End Of File ===========================



    Thanks

    Chris
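    The event-log excerpt in this post is what the next reply's diagnosis rests on: repeated EventLog 6008 "unexpected shutdown" entries, a Windows Defender 1008 entry that could not remove Trojan:Win32/Sirefef.O (error 0x80508017, "items might be stored in a read-only location"; Sirefef is Microsoft's detection name for the ZeroAccess family), and a run of Service Control Manager 7009/7000 timeouts. As an added example, not part of the original thread and not code from DDS, here is a small Python triage script that parses lines in the format DDS prints and pulls those three indicators out. The sample lines are copied from the excerpt above (the Defender line shortened to the fields used); the function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Sample input: lines copied from the DDS event-log excerpt above
# (the Defender line is shortened; the URL and User fields are dropped).
SAMPLE_LOG = """
27/10/2011 11:48:55, Error: EventLog [6008] - The previous system shutdown at 23:52:12 on 26/10/2011 was unexpected.
26/10/2011 22:57:39, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
26/10/2011 22:51:10, Error: EventLog [6008] - The previous system shutdown at 22:48:37 on 26/10/2011 was unexpected.
26/10/2011 02:23:43, Error: Microsoft-Windows-Windows Defender [1008] - Windows Defender has encountered an error when taking action on spyware or other potentially unwanted software. Name: Trojan:Win32/Sirefef.O ID: 166941 Severity ID: 5 Category ID: 8 Path: Action: Remove Error Code: 0x80508017 Error description: Some actions couldn't be applied to potentially harmful items.
01/11/2011 16:34:59, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the SQL Server VSS Writer service to connect.
01/11/2011 16:34:59, Error: Service Control Manager [7000] - The SQL Server VSS Writer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
01/11/2011 16:33:27, Error: EventLog [6008] - The previous system shutdown at 16:31:57 on 01/11/2011 was unexpected.
"""

# "dd/mm/yyyy hh:mm:ss, Level: Source [EventID] - message" as DDS prints it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)


@dataclass
class Event:
    ts: datetime
    level: str
    source: str
    event_id: int
    msg: str


def parse_dds_events(text):
    """Parse DDS event-log lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(
            datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S"),
            m["level"], m["source"], int(m["id"]), m["msg"],
        ))
    return events


def triage(events):
    """Pull out the three indicators the thread's diagnosis relies on."""
    # EventLog 6008: the previous shutdown was not clean (crash / BSOD / power loss).
    unexpected = [e for e in events if e.source == "EventLog" and e.event_id == 6008]

    # Defender 1008: a detection that could not be remediated. The threat name and
    # error code are the fields worth keeping; 0x80508017 means the item could not
    # be removed from where it lives, which is what a rootkit-protected file looks like.
    defender_failed = []
    for e in events:
        if "Defender" in e.source and e.event_id == 1008:
            name = re.search(r"Name: (\S+)", e.msg)
            code = re.search(r"Error Code: (0x[0-9A-Fa-f]+)", e.msg)
            defender_failed.append((name.group(1) if name else "?",
                                    code.group(1) if code else "?"))

    # SCM 7009: services that never answered the start request within 30 s.
    svc_re = re.compile(r"waiting for the (.+?) service to connect")
    timed_out = sorted({svc_re.search(e.msg).group(1)
                        for e in events if e.event_id == 7009 and svc_re.search(e.msg)})

    return {
        "unexpected_shutdowns": len(unexpected),
        "defender_remove_failed": defender_failed,
        "services_timed_out": timed_out,
    }


if __name__ == "__main__":
    for key, value in triage(parse_dds_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

    None of these indicators is proof on its own: 6008 entries also come from power loss, and 7009 timeouts from a slow disk. It is the combination, with a Defender detection that names a rootkit family and fails with "read-only location", that makes the next reply's conclusion reasonable.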
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,155
    Hiya Chris,

    You have zeroaccess rootkit infection, do the following :-

    Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

    Link 1
    Link 2

    • Ensure that Combofix is saved directly to the Desktop <--- Very important

      Before saving Combofix to the Desktop, rename it to Gotcha.exe.

    • Disable all security programs as they will have a negative effect on Combofix, instructions available Here if required. Be aware the list may not have all programs listed, if you need more help please ask.
    • Close any open browsers and any other programs you might have running
    • Double click the Combofix (Gotcha.exe) icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
    • Instructions for running Combofix available Here if required.
    • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
    • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

    ****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read Here why disabling autoruns is recommended.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
    • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

    Post the log in next reply please...

    Kevin
     
  5. Mystic_Meerkatz

    Mystic_Meerkatz Thread Starter

    Joined:
    Oct 30, 2011
    Messages:
    13
    OK, I did all of that, and Firefox doesn't seem to be freezing constantly like it did before! My computer had to restart because a rootkit was detected, but after the whole process had completed, no log was shown. What to do?

    Thanks again

    Chris
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,155
    Hiya Chris,

    Apologies, I gave two sets of instructions for running Combofix. Did you use both or only the first one? If Combofix completed successfully the log will be here: C:\Combofix.txt

    Select > Start > Computer > double click on C:\ and you should see Combofix.txt you may have to scroll to it...
     
  7. Mystic_Meerkatz

    Mystic_Meerkatz Thread Starter

    Joined:
    Oct 30, 2011
    Messages:
    13
    Hi Kevin,

    I only used the first set of instructions, and I have looked in C:\ but failed to find the Combofix.txt file. I found 2 folders: Gotcha.exe and Gotcha.exe15507G, but neither of these contains the log either. What should I do now?

    Chris
     
  8. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,155
    Is this folder present: C:\Qoobox? Have a look in there. Also, if Combofix-Quarantine-files.txt is in there, let me see that.
     
  9. Mystic_Meerkatz

    Mystic_Meerkatz Thread Starter

    Joined:
    Oct 30, 2011
    Messages:
    13
    There is a folder called Qoobox, and I have looked through all of its contents; the only .txt file in there is one called catchme.txt. Otherwise, nothing.

    Thanks :)

    Chris
     
  10. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,155
    Re-run Combofix; if it prompts to update, allow it. Post the log if produced.
     
  11. Mystic_Meerkatz

    Mystic_Meerkatz Thread Starter

    Joined:
    Oct 30, 2011
    Messages:
    13
    OK, I re-ran Combofix, and I did get a log this time, but some serious problems have come with it. It will not let me open or run anything, whether it's Google Chrome, Control Panel or ANYTHING; I can't run it. Also, it won't let me use my keyboard at all. I had to use the on-screen keyboard just to log in! I am sending this message via my laptop, so there is no way I could give you the log, unless I sat there for hours copying it all out. But I can tell you that when I click on something to run it, it comes up with an error. For example, I double click Google Chrome on my desktop, and this error appears: C:\Users\chris\AppData\Local\Google\Chrome\Application\chrome.exe

    Illegal operation attempted on a registry key that has been marked for deletion.

    Any ideas?

    Chris
     
  12. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,155
    Did you see this in the instructions for running CF?

    If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

    Reboot and give an update on the issues.
     
  13. Mystic_Meerkatz

    Mystic_Meerkatz Thread Starter

    Joined:
    Oct 30, 2011
    Messages:
    13
    Ah, OK. I did see a warning, but not that one. I'll try restarting now.

    Thanks
     
  14. Mystic_Meerkatz

    Mystic_Meerkatz Thread Starter

    Joined:
    Oct 30, 2011
    Messages:
    13
    OK, I have restarted my computer. I was still unable to use my keyboard, and for some reason my desktop background has been changed to one that I had around a year and a half ago. It will now let me run things, but, as I said, I cannot type using my keyboard. I have searched for the log and have again failed to find it. I did find 2 more .txt files that weren't there before, in the Qoobox folder. They are named 'Add-Remove Programs' and 'Combofix-quarantined-files'.
     
  15. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,155
    Unplug your keyboard from the PC and reboot. When the Desktop is stable, plug the keyboard back in. Does Windows see it and attribute a driver? Does it now work?
    Let me see the two text files you mentioned if possible.
     

Short URL to this thread: https://techguy.org/1024835