TrojanC-05 Continual Crash Poweroff



ASB2012
2012-03-16, 03:01
Hello:
Unfortunately I didn’t see this forum until I’d already tried many ‘fixes’, but I hope you can help.

My laptop continually powers off unless running in safemode.
I began having a problem around 3-12-13 or 3-13-12.
All programs were slow. Shortcuts didn’t work. Anything took forever or would hang.
Don’t know what I had done to cause this. Somewhere during that time I updated the firmware for the netgear wireless router. Unfortunately, I updated this firmware on wireless network before realizing I wasn’t supposed to do that.
I ran Spybot Search & Destroy and it found the TrojanC-05. I selected “Fix Problem”. It seemed to be okay, but it must have reinstalled itself. I repeated this.
My laptop worked for a couple hours and then the power cut off.
Now I can only work in safemode. Kaspersky Pure didn’t catch this and it won’t even run in safemode.
My laptop continually powers off when I try to start in anything but safemode. I have tried “Last known Good Configuration”, I have tried CHKDSK and FSUTIL repair. During System Restore, the laptop cut off again so I now do not have any good restore points.
Unfortunately, I downloaded RegCure and it “fixed” 400+ problems, and when I called the 888# they said I had over 4000 issues that had been on my laptop since the hard drive was replaced in June/July 2011. However, I did not have any issues until a few days ago. I have, I hope, uninstalled this program.
I also ran Malwarebytes, which found nothing.
I also reinstalled and ran Everest Ultimate Edition today, and it did not identify the battery, even though my desktop shows the battery at 100%.
Since I can only keep the laptop powered on while in safe mode, Kaspersky is not running.
I have also unchecked the ‘resident’ box on the advanced mode of Spybot.
I have already downloaded and run the ERUNT program.
I have run HiJackThis but am only attaching the two files you requested to start.
Thank You for your assistance.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_29
Run by Alicia at 21:35:14 on 2012-03-15
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3963.3077 [GMT -4:00]
.
AV: Kaspersky PURE *Enabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Kaspersky PURE *Enabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
FW: Kaspersky PURE *Enabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files (x86)\IncrediMail\Bin\IncMail.exe
C:\Program Files (x86)\IncrediMail\Bin\ImApp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.rr.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files (x86)\IncrediMail_MediaBar_2\prxtbIncr.dll
mURLSearchHooks: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files (x86)\IncrediMail_MediaBar_2\prxtbIncr.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll
BHO: {9F3209E2-334B-41E9-B09C-703F398742E7} - No File
BHO: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files (x86)\IncrediMail_MediaBar_2\prxtbIncr.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
BHO: TMIEGBHO Class: {f1ad4a42-ba52-47bc-89df-3f68f24c017f} - C:\Program Files (x86)\Trend Micro\Browser Guard\TMAMS.dll
TB: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files (x86)\IncrediMail_MediaBar_2\prxtbIncr.dll
TB: TMBGBAR TOOLBAR: {c8137a8d-415d-450c-a1b1-d0c519d45296} - C:\Program Files (x86)\Trend Micro\Browser Guard\tmieg.dll
mRun: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Add animation to IncrediMail Style Box - C:\Program Files (x86)\IncrediMail\bin\resources\WebMenuImg.htm
IE: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{0FD623B8-6E10-4691-BBF5-6B880E1B5D27} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{DFEA21E9-D44E-4173-AEA8-3F2DC743771F} : DhcpNameServer = 192.168.1.1
AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\ievkbd.dll
BHO-X64: IEVkbdBHO - No File
BHO-X64: {9F3209E2-334B-41E9-B09C-703F398742E7} - No File
BHO-X64: IEGBH0 - No File
BHO-X64: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files (x86)\IncrediMail_MediaBar_2\prxtbIncr.dll
BHO-X64: IncrediMail MediaBar 2 - No File
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\klwtbbho.dll
BHO-X64: link filter bho - No File
BHO-X64: TMIEGBHO Class: {F1AD4A42-BA52-47BC-89DF-3F68F24C017F} - C:\Program Files (x86)\Trend Micro\Browser Guard\TMAMS.dll
BHO-X64: TMIEGBHO - No File
TB-X64: IncrediMail MediaBar 2 Toolbar: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - C:\Program Files (x86)\IncrediMail_MediaBar_2\prxtbIncr.dll
TB-X64: TMBGBAR TOOLBAR: {C8137A8D-415D-450C-A1B1-D0C519D45296} - C:\Program Files (x86)\Trend Micro\Browser Guard\tmieg.dll
mRun-x64: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe"
AppInit_DLLs-X64: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Alicia\AppData\Roaming\Mozilla\Firefox\Profiles\cecfzcl8.default\
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - www.rr.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 CSCrySec;InfoWatch Encrypt Sector Library driver;C:\Windows\system32\DRIVERS\CSCrySec.sys --> C:\Windows\system32\DRIVERS\CSCrySec.sys [?]
R0 KLBG;Kaspersky Lab Boot Guard Driver;C:\Windows\system32\DRIVERS\klbg.sys --> C:\Windows\system32\DRIVERS\klbg.sys [?]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys --> C:\Windows\system32\DRIVERS\klim6.sys [?]
R3 NETw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\NETw5v64.sys --> C:\Windows\system32\DRIVERS\NETw5v64.sys [?]
S1 CSVirtualDiskDrv;InfoWatch Virtual Disk driver;C:\Windows\system32\DRIVERS\CSVirtualDiskDrv.sys --> C:\Windows\system32\DRIVERS\CSVirtualDiskDrv.sys [?]
S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
S2 AVP;Kaspersky PURE;C:\Program Files (x86)\Kaspersky Lab\Kaspersky PURE\avp.exe [2010-10-1 348760]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 CSObjectsSrv;CryptoStorage control service;C:\Program Files (x86)\Common Files\InfoWatch\CryptoStorage\ProtectedObjectsSrv.exe [2009-12-21 743992]
S2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-25 136176]
S2 RUBotSrv;Trend Micro RUBotted Service;C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [2011-11-25 439632]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-6-22 1153368]
S3 BrSerIb;Brother Serial Interface Driver(WDM);C:\Windows\system32\DRIVERS\BrSerIb.sys --> C:\Windows\system32\DRIVERS\BrSerIb.sys [?]
S3 BrUsbSIb;Brother Serial USB Driver(WDM);C:\Windows\system32\DRIVERS\BrUsbSIb.sys --> C:\Windows\system32\DRIVERS\BrUsbSIb.sys [?]
S3 BrYNSvc;BrYNSvc;C:\Program Files (x86)\Browny02\BrYNSvc.exe [2011-7-20 245760]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-7-25 136176]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;\??\C:\Windows\system32\drivers\hitmanpro36.sys --> C:\Windows\system32\drivers\hitmanpro36.sys [?]
S3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\system32\DRIVERS\klmouflt.sys --> C:\Windows\system32\DRIVERS\klmouflt.sys [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2011-9-17 89920]
.
=============== Created Last 30 ================
.
2012-03-16 00:04:54 -------- d-----w- C:\Windows\System32\wbem\Logs
2012-03-15 22:20:37 -------- d-----w- C:\Users\Alicia\AppData\Local\LogMeIn Rescue Applet
2012-03-15 22:00:26 -------- d-----w- C:\Users\Alicia\AppData\Roaming\ParetoLogic
2012-03-15 22:00:26 -------- d-----w- C:\Users\Alicia\AppData\Roaming\DriverCure
2012-03-15 22:00:19 -------- d-----w- C:\ProgramData\ParetoLogic
2012-03-15 21:49:19 -------- d-----w- C:\Users\Alicia\AppData\Local\ElevatedDiagnostics
2012-03-15 21:35:14 -------- d-----w- C:\ProgramData\SecTaskMan
2012-03-15 21:35:10 -------- d-----w- C:\Program Files (x86)\Security Task Manager
2012-03-15 21:24:15 -------- d-----w- C:\Program Files (x86)\Lavalys
2012-03-15 17:51:27 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{021FF130-6110-42C7-9D4A-0085D3C20119}\mpengine.dll
2012-03-15 00:55:32 708096 ----a-w- C:\Windows\System32\rdpencom.dll
2012-03-15 00:55:32 613376 ----a-w- C:\Windows\SysWow64\rdpencom.dll
2012-03-15 00:55:32 209920 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-14 21:18:51 12872 ----a-w- C:\Windows\System32\bootdelete.exe
2012-03-14 21:12:57 27424 ----a-w- C:\Windows\System32\drivers\hitmanpro36.sys
2012-03-14 21:11:34 -------- d-----w- C:\Program Files\HitmanPro
2012-03-14 21:11:30 -------- d-----w- C:\ProgramData\HitmanPro
2012-03-12 19:46:15 29696 ----a-w- C:\Windows\System32\drivers\tunnel.sys
2012-03-12 19:46:15 225280 ----a-w- C:\Windows\System32\iphlpsvc.dll
2012-02-25 01:53:24 -------- d-----w- C:\Windows\Twain32
2012-02-24 20:33:37 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2012-02-24 19:19:03 -------- d-----w- C:\Program Files (x86)\ESET
2012-02-21 00:27:38 53248 ----a-r- C:\Users\Alicia\AppData\Roaming\Microsoft\Installer\{7196E6BD-4B65-43F9-9D30-73A8E58D0E84}\ARPPRODUCTICON.exe
2012-02-21 00:26:33 -------- d-----w- C:\Users\Alicia\AppData\Roaming\Avery
.
==================== Find3M ====================
.
2012-02-23 14:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-14 16:49:43 327680 ----a-w- C:\Windows\System32\d3d10_1core.dll
2012-02-14 16:49:43 196096 ----a-w- C:\Windows\System32\d3d10_1.dll
2012-02-14 15:45:30 219648 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2012-02-13 14:38:31 2002944 ----a-w- C:\Windows\System32\d3d10warp.dll
2012-02-13 14:12:08 1172480 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2012-02-13 14:06:48 834048 ----a-w- C:\Windows\System32\d2d1.dll
2012-02-13 14:03:11 1555968 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-13 13:47:57 683008 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-02 15:34:25 2765824 ----a-w- C:\Windows\System32\win32k.sys
2012-01-03 14:25:21 404992 ----a-w- C:\Windows\System32\drivers\afd.sys
.
============= FINISH: 21:35:35.99 ===============

diver79
2012-03-18, 21:52
Hi and welcome to Safer-Networking. Sorry for any delay in answering your request for help; the forum is really busy.
My name is Diver79, and I will be helping you with your malware problems.

Before we start please note the following important guidelines.

The instructions given are for THIS computer only! Using these instructions on a different computer can make it inoperable!
Please DO NOT run any other software or scans whilst I am helping you.

Note: If you haven't done so already, please ensure you have read the following article. "BEFORE You POST"(Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) where the conditions for receiving help here are explained.
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop. Because of this, I advise you to back up any personal files and folders before you start.
How do I backup my files and folders in XP? (http://www.winxptutor.com/ntbackup.htm)
How to backup your data - Vista/Win7 (http://www.vista4beginners.com/How-to-backup-your-data)

Looking into your logs now. Will post instructions soon...

diver79.

diver79
2012-03-18, 22:18
Hi ASB2012,

There are no indications of infection in the logs so far. Let's run a few more scans and see what we find. If possible, try to run the scans in normal mode; if this is not possible, proceed in safe mode.

Can you confirm that the laptop never powers off while in Safe Mode?

aswMBR Scan
Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) and save it to your Desktop.
Right click aswMBR.exe & choose "Run as Administrator" to run it.
Click Yes to the prompt to download Avast! virus definitions.
(Please be patient whilst the virus definitions download)
With the AVscan set to Quick Scan, click the Scan button.
(Please be patient whilst your computer is scanned.)
After a while when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
Click OK > Exit.
Note: Do not attempt to fix anything at this stage!
Two files will be created, aswMBR.txt & a file named MBR.dat.
MBR.dat is a backup of the MBR (master boot record); do not delete it.
I strongly suggest you keep a copy of this backup stored on an external device.
Copy & Paste the contents of aswMBR.txt into your next reply.


TDSSKiller
Please download TDSSKiller.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
Right click on TDSSKiller.exe and select Run as Administrator to launch it.
Click on Start Scan, the scan will run.
When the scan has finished, if it finds anything, please click on the drop-down arrow next to Cure and select Skip.
Now click on Report to open the log file created by TDSSKiller in your root directory C:\
To find the log go to Start > Computer > C:
Post the contents of that log in your next reply please.
DO NOT TRY TO FIX ANYTHING AT THIS POINT

ASB2012
2012-03-19, 03:33
Thanks. I just saw your reply. Am downloading recommended items now and will reply with post as soon as they're done.
And no, the laptop does not ever power out when in safe mode.

ASB2012
2012-03-19, 04:38
I was unable to attach the asw file. Nothing worked when I tried to browse to locate it. Also, it wouldn't let me type in the file name. So, I have to copy and paste the entire asw text file here. The TDSS file follows. Thanks for your assistance. I'll look forward to your reply, at your convenience.
While I'm thinking of it, if there are no infections, why did Spybot detect the TrojanC-05 at about the same time my laptop started its slowness, hanging and shutoff?
I'm due to receive a new battery and charger tomorrow, I hope, though I will check back to this forum before letting the laptop charge the new battery.
I know you are inundated with requests. Thanks again for your help.


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-18 22:47:14
-----------------------------
22:47:14.084 OS Version: Windows x64 6.0.6002 Service Pack 2
22:47:14.084 Number of processors: 2 586 0x170A
22:47:14.084 ComputerName: MOUNTAINFLOWER UserName: Alicia
22:47:14.942 Initialize success
22:47:18.733 AVAST engine defs: 12031700
22:47:29.434 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
22:47:29.434 Disk 0 Vendor: WDC_WD3200BEKT-00PVMT0 01.01A01 Size: 305245MB BusType: 3
22:47:29.466 Disk 0 MBR read successfully
22:47:29.466 Disk 0 MBR scan
22:47:29.466 Disk 0 Windows VISTA default MBR code
22:47:29.481 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305243 MB offset 2048
22:47:29.512 Disk 0 scanning C:\Windows\system32\drivers
22:47:41.150 Service scanning
22:48:00.931 Modules scanning
22:48:00.931 Disk 0 trace - called modules:
22:48:00.978 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
22:48:00.978 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004df2060]
22:48:00.978 3 CLASSPNP.SYS[fffffa6000dc7c33] -> nt!IofCallDriver -> [0xfffffa8004b91520]
22:48:01.492 5 acpi.sys[fffffa60008fbfde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0xfffffa8004b9b060]
22:48:02.709 AVAST engine scan C:\Windows
22:48:09.994 AVAST engine scan C:\Windows\system32
22:52:11.626 AVAST engine scan C:\Windows\system32\drivers
22:52:24.582 AVAST engine scan C:\Users\Alicia
23:02:11.602 AVAST engine scan C:\ProgramData
23:10:50.177 Scan finished successfully
23:11:15.184 Disk 0 MBR has been saved successfully to "C:\Users\Alicia\Desktop\MBR.dat"
23:11:15.200 The log file has been saved successfully to "C:\Users\Alicia\Desktop\aswMBR.txt"




23:13:04.0196 1660 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
23:13:04.0508 1660 ============================================================
23:13:04.0508 1660 Current date / time: 2012/03/18 23:13:04.0508
23:13:04.0508 1660 SystemInfo:
23:13:04.0508 1660
23:13:04.0508 1660 OS Version: 6.0.6002 ServicePack: 2.0
23:13:04.0508 1660 Product type: Workstation
23:13:04.0508 1660 ComputerName: MOUNTAINFLOWER
23:13:04.0508 1660 UserName: Alicia
23:13:04.0508 1660 Windows directory: C:\Windows
23:13:04.0508 1660 System windows directory: C:\Windows
23:13:04.0508 1660 Running under WOW64
23:13:04.0508 1660 Processor architecture: Intel x64
23:13:04.0508 1660 Number of processors: 2
23:13:04.0508 1660 Page size: 0x1000
23:13:04.0508 1660 Boot type: Safe boot with network
23:13:04.0508 1660 ============================================================
23:13:05.0522 1660 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
23:13:05.0522 1660 \Device\Harddisk0\DR0:
23:13:05.0538 1660 MBR used
23:13:05.0538 1660 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x2542D800
23:13:05.0569 1660 Initialize success
23:13:05.0569 1660 ============================================================
23:13:08.0346 1908 ============================================================
23:13:08.0346 1908 Scan started
23:13:08.0346 1908 Mode: Manual;
23:13:08.0346 1908 ============================================================
23:13:12.0230 1908 iteraid - ok
23:13:12.0261 1908 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys
23:13:12.0261 1908 kbdclass - ok
23:13:12.0293 1908 kbdhid (bf8783a5066cfecf45095459e8010fa7) C:\Windows\system32\DRIVERS\kbdhid.sys
23:13:12.0293 1908 kbdhid - ok
23:13:12.0371 1908 kl1 (db449f50e5141458eb58e64ffac4863f) C:\Windows\system32\DRIVERS\kl1.sys
23:13:12.0371 1908 kl1 - ok
23:13:12.0386 1908 KLBG (87200a8afe40532baa4d2b24a7ba0eea) C:\Windows\system32\DRIVERS\klbg.sys
23:13:12.0386 1908 KLBG - ok
23:13:12.0449 1908 KLIF (34d49307217b20e5a845b7db50cdd4fa) C:\Windows\system32\DRIVERS\klif.sys
23:13:12.0449 1908 KLIF - ok
23:13:12.0464 1908 KLIM6 (630f22545379437737cf4172f09fe449) C:\Windows\system32\DRIVERS\klim6.sys
23:13:12.0464 1908 KLIM6 - ok
23:13:12.0511 1908 klmouflt (786791291939abb11f6d0f040da23912) C:\Windows\system32\DRIVERS\klmouflt.sys
23:13:12.0511 1908 klmouflt - ok
23:13:12.0573 1908 KSecDD (2758d174604f597bbc8a217ff667913d) C:\Windows\system32\Drivers\ksecdd.sys
23:13:12.0573 1908 KSecDD - ok
23:13:12.0605 1908 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys
23:13:12.0605 1908 ksthunk - ok
23:13:12.0636 1908 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys
23:13:12.0636 1908 lltdio - ok
23:13:12.0683 1908 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys
23:13:12.0683 1908 LSI_FC - ok
23:13:12.0714 1908 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys
23:13:12.0714 1908 LSI_SAS - ok
23:13:12.0745 1908 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys
23:13:12.0745 1908 LSI_SCSI - ok
23:13:12.0776 1908 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys
23:13:12.0776 1908 luafv - ok
23:13:12.0792 1908 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys
23:13:12.0792 1908 megasas - ok
23:13:12.0823 1908 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys
23:13:12.0823 1908 MegaSR - ok
23:13:12.0839 1908 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys
23:13:12.0839 1908 Modem - ok
23:13:12.0854 1908 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys
23:13:12.0854 1908 monitor - ok
23:13:12.0870 1908 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys
23:13:12.0870 1908 mouclass - ok
23:13:12.0885 1908 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys
23:13:12.0885 1908 mouhid - ok
23:13:12.0901 1908 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys
23:13:12.0901 1908 MountMgr - ok
23:13:12.0932 1908 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys
23:13:12.0932 1908 mpio - ok
23:13:12.0963 1908 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys
23:13:12.0963 1908 mpsdrv - ok
23:13:13.0010 1908 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys
23:13:13.0010 1908 Mraid35x - ok
23:13:13.0041 1908 MRxDAV (7c1de4aa96dc0c071611f9e7de02a68d) C:\Windows\system32\drivers\mrxdav.sys
23:13:13.0041 1908 MRxDAV - ok
23:13:13.0073 1908 mrxsmb (1485811b320ff8c7edad1caebb1c6c2b) C:\Windows\system32\DRIVERS\mrxsmb.sys
23:13:13.0073 1908 mrxsmb - ok
23:13:13.0088 1908 mrxsmb10 (3b929a60c833fc615fd97fba82bc7632) C:\Windows\system32\DRIVERS\mrxsmb10.sys
23:13:13.0104 1908 mrxsmb10 - ok
23:13:13.0104 1908 mrxsmb20 (c64ab3e1f53b4f5b5bb6d796b2d7bec3) C:\Windows\system32\DRIVERS\mrxsmb20.sys
23:13:13.0104 1908 mrxsmb20 - ok
23:13:13.0135 1908 msahci (aa459f2ab3ab603c357ff117cae3d818) C:\Windows\system32\drivers\msahci.sys
23:13:13.0135 1908 msahci - ok
23:13:13.0166 1908 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys
23:13:13.0166 1908 msdsm - ok
23:13:13.0213 1908 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys
23:13:13.0213 1908 Msfs - ok
23:13:13.0229 1908 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys
23:13:13.0229 1908 msisadrv - ok
23:13:13.0260 1908 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys
23:13:13.0260 1908 MSKSSRV - ok
23:13:13.0275 1908 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys
23:13:13.0275 1908 MSPCLOCK - ok
23:13:13.0291 1908 MSPQM (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys
23:13:13.0291 1908 MSPQM - ok
23:13:13.0338 1908 MsRPC (dc6ccf440cdede4293db41c37a5060a5) C:\Windows\system32\drivers\MsRPC.sys
23:13:13.0338 1908 MsRPC - ok
23:13:13.0369 1908 mssmbios (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys
23:13:13.0369 1908 mssmbios - ok
23:13:13.0400 1908 MSTEE (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys
23:13:13.0400 1908 MSTEE - ok
23:13:13.0431 1908 Mup (0cc49f78d8aca0877d885f149084e543) C:\Windows\system32\Drivers\mup.sys
23:13:13.0431 1908 Mup - ok
23:13:13.0494 1908 NativeWifiP (2007b826c4acd94ae32232b41f0842b9) C:\Windows\system32\DRIVERS\nwifi.sys
23:13:13.0494 1908 NativeWifiP - ok
23:13:13.0525 1908 NDIS (65950e07329fcee8e6516b17c8d0abb6) C:\Windows\system32\drivers\ndis.sys
23:13:13.0541 1908 NDIS - ok
23:13:13.0556 1908 NdisTapi (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys
23:13:13.0556 1908 NdisTapi - ok
23:13:13.0572 1908 Ndisuio (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys
23:13:13.0572 1908 Ndisuio - ok
23:13:13.0587 1908 NdisWan (f8158771905260982ce724076419ef19) C:\Windows\system32\DRIVERS\ndiswan.sys
23:13:13.0587 1908 NdisWan - ok
23:13:13.0603 1908 NDProxy (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys
23:13:13.0603 1908 NDProxy - ok
23:13:13.0619 1908 NetBIOS (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys
23:13:13.0619 1908 NetBIOS - ok
23:13:13.0650 1908 netbt (fc2c792ebddc8e28df939d6a92c83d61) C:\Windows\system32\DRIVERS\netbt.sys
23:13:13.0650 1908 netbt - ok
23:13:13.0790 1908 NETw5v64 (263796d4f50df61c0c7ca86f746b5767) C:\Windows\system32\DRIVERS\NETw5v64.sys
23:13:13.0884 1908 NETw5v64 - ok
23:13:13.0915 1908 nfrd960 (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys
23:13:13.0915 1908 nfrd960 - ok
23:13:13.0931 1908 NPF - ok
23:13:13.0977 1908 Npfs (b298874f8e0ea93f06ec40aa8d146478) C:\Windows\system32\drivers\Npfs.sys
23:13:13.0977 1908 Npfs - ok
23:13:13.0993 1908 nsiproxy (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys
23:13:13.0993 1908 nsiproxy - ok
23:13:14.0055 1908 Ntfs (bac869dfb98e499ba4d9bb1fb43270e1) C:\Windows\system32\drivers\Ntfs.sys
23:13:14.0087 1908 Ntfs - ok
23:13:14.0102 1908 Null (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys
23:13:14.0102 1908 Null - ok
23:13:14.0149 1908 nvraid (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys
23:13:14.0149 1908 nvraid - ok
23:13:14.0180 1908 nvstor (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys
23:13:14.0180 1908 nvstor - ok
23:13:14.0211 1908 nv_agp (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys
23:13:14.0211 1908 nv_agp - ok
23:13:14.0211 1908 NwlnkFlt - ok
23:13:14.0227 1908 NwlnkFwd - ok
23:13:14.0258 1908 ohci1394 (7b58953e2f263421fdbb09a192712a85) C:\Windows\system32\drivers\ohci1394.sys
23:13:14.0258 1908 ohci1394 - ok
23:13:14.0289 1908 Parport (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys
23:13:14.0289 1908 Parport - ok
23:13:14.0336 1908 partmgr (f9b5eda4c17a2be7663f064dbf0fe254) C:\Windows\system32\drivers\partmgr.sys
23:13:14.0336 1908 partmgr - ok
23:13:14.0367 1908 pci (47ab1e0fc9d0e12bb53ba246e3a0906d) C:\Windows\system32\drivers\pci.sys
23:13:14.0367 1908 pci - ok
23:13:14.0383 1908 pciide (8d618c829034479985a9ed56106cc732) C:\Windows\system32\drivers\pciide.sys
23:13:14.0383 1908 pciide - ok
23:13:14.0430 1908 pcmcia (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys
23:13:14.0430 1908 pcmcia - ok
23:13:14.0492 1908 PEAUTH (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys
23:13:14.0492 1908 PEAUTH - ok
23:13:14.0570 1908 PptpMiniport (23386e9952025f5f21c368971e2e7301) C:\Windows\system32\DRIVERS\raspptp.sys
23:13:14.0570 1908 PptpMiniport - ok
23:13:14.0601 1908 Processor (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\drivers\processr.sys
23:13:14.0601 1908 Processor - ok
23:13:14.0664 1908 PSched (c5ab7f0809392d0da027f4a2a81bfa31) C:\Windows\system32\DRIVERS\pacer.sys
23:13:14.0664 1908 PSched - ok
23:13:14.0711 1908 ql2300 (0b83f4e681062f3839be2ec1d98fd94a) C:\Windows\system32\drivers\ql2300.sys
23:13:14.0726 1908 ql2300 - ok
23:13:14.0773 1908 ql40xx (e1c80f8d4d1e39ef9595809c1369bf2a) C:\Windows\system32\drivers\ql40xx.sys
23:13:14.0773 1908 ql40xx - ok
23:13:14.0804 1908 QWAVEdrv (e8d76edab77ec9c634c27b8eac33adc5) C:\Windows\system32\drivers\qwavedrv.sys
23:13:14.0804 1908 QWAVEdrv - ok
23:13:14.0820 1908 RasAcd (1013b3b663a56d3ddd784f581c1bd005) C:\Windows\system32\DRIVERS\rasacd.sys
23:13:14.0820 1908 RasAcd - ok
23:13:14.0882 1908 Rasl2tp (ac7bc4d42a7e558718dfdec599bbfc2c) C:\Windows\system32\DRIVERS\rasl2tp.sys
23:13:14.0882 1908 Rasl2tp - ok
23:13:14.0929 1908 RasPppoe (4517fbf8b42524afe4ede1de102aae3e) C:\Windows\system32\DRIVERS\raspppoe.sys
23:13:14.0929 1908 RasPppoe - ok
23:13:14.0929 1908 RasSstp (c6a593b51f34c33e5474539544072527) C:\Windows\system32\DRIVERS\rassstp.sys
23:13:14.0945 1908 RasSstp - ok
23:13:14.0960 1908 rdbss (322db5c6b55e8d8ee8d6f358b2aaabb1) C:\Windows\system32\DRIVERS\rdbss.sys
23:13:14.0960 1908 rdbss - ok
23:13:14.0976 1908 RDPCDD (603900cc05f6be65ccbf373800af3716) C:\Windows\system32\DRIVERS\RDPCDD.sys
23:13:14.0976 1908 RDPCDD - ok
23:13:15.0023 1908 rdpdr (c045d1fb111c28df0d1be8d4bda22c06) C:\Windows\system32\drivers\rdpdr.sys
23:13:15.0023 1908 rdpdr - ok
23:13:15.0023 1908 RDPENCDD (cab9421daf3d97b33d0d055858e2c3ab) C:\Windows\system32\drivers\rdpencdd.sys
23:13:15.0038 1908 RDPENCDD - ok
23:13:15.0069 1908 RDPWD (5c141fc457f1ac833664789235aca673) C:\Windows\system32\drivers\RDPWD.sys
23:13:15.0069 1908 RDPWD - ok
23:13:15.0101 1908 rspndr (22a9cb08b1a6707c1550c6bf099aae73) C:\Windows\system32\DRIVERS\rspndr.sys
23:13:15.0101 1908 rspndr - ok
23:13:15.0147 1908 RSUSBSTOR (8c22f21c924413d4e109995f748e18bb) C:\Windows\system32\Drivers\RtsUStor.sys
23:13:15.0147 1908 RSUSBSTOR - ok
23:13:15.0194 1908 RTL8169 (b263b3aebcde2210d1cc25756601b8ea) C:\Windows\system32\DRIVERS\Rtlh64.sys
23:13:15.0194 1908 RTL8169 - ok
23:13:15.0210 1908 RtsUIR - ok
23:13:15.0241 1908 sbp2port (cd9c693589c60ad59bbbcfb0e524e01b) C:\Windows\system32\drivers\sbp2port.sys
23:13:15.0241 1908 sbp2port - ok
23:13:15.0288 1908 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
23:13:15.0288 1908 secdrv - ok
23:13:15.0319 1908 Serenum (f71bfe7ac6c52273b7c82cbf1bb2a222) C:\Windows\system32\drivers\serenum.sys
23:13:15.0319 1908 Serenum - ok
23:13:15.0350 1908 Serial (e62fac91ee288db29a9696a9d279929c) C:\Windows\system32\drivers\serial.sys
23:13:15.0350 1908 Serial - ok
23:13:15.0381 1908 sermouse (a842f04833684bceea7336211be478df) C:\Windows\system32\drivers\sermouse.sys
23:13:15.0381 1908 sermouse - ok
23:13:15.0397 1908 sffdisk (14d4b4465193a87c127933978e8c4106) C:\Windows\system32\drivers\sffdisk.sys
23:13:15.0397 1908 sffdisk - ok
23:13:15.0428 1908 sffp_mmc (7073aee3f82f3d598e3825962aa98ab2) C:\Windows\system32\drivers\sffp_mmc.sys
23:13:15.0428 1908 sffp_mmc - ok
23:13:15.0444 1908 sffp_sd (35e59ebe4a01a0532ed67975161c7b82) C:\Windows\system32\drivers\sffp_sd.sys
23:13:15.0444 1908 sffp_sd - ok
23:13:15.0459 1908 sfloppy (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys
23:13:15.0475 1908 sfloppy - ok
23:13:15.0491 1908 SiSRaid2 (7a5de502aeb719d4594c6471060a78b3) C:\Windows\system32\drivers\sisraid2.sys
23:13:15.0491 1908 SiSRaid2 - ok
23:13:15.0522 1908 SiSRaid4 (3a2f769fab9582bc720e11ea1dfb184d) C:\Windows\system32\drivers\sisraid4.sys
23:13:15.0522 1908 SiSRaid4 - ok
23:13:15.0553 1908 Smb (290b6f6a0ec4fcdfc90f5cb6d7020473) C:\Windows\system32\DRIVERS\smb.sys
23:13:15.0553 1908 Smb - ok
23:13:15.0600 1908 spldr (386c3c63f00a7040c7ec5e384217e89d) C:\Windows\system32\drivers\spldr.sys
23:13:15.0600 1908 spldr - ok
23:13:15.0631 1908 srv (880a57fccb571ebd063d4dd50e93e46d) C:\Windows\system32\DRIVERS\srv.sys
23:13:15.0631 1908 srv - ok
23:13:15.0662 1908 srv2 (a1ad14a6d7a37891fffeca35ebbb0730) C:\Windows\system32\DRIVERS\srv2.sys
23:13:15.0662 1908 srv2 - ok
23:13:15.0693 1908 srvnet (4bed62f4fa4d8300973f1151f4c4d8a7) C:\Windows\system32\DRIVERS\srvnet.sys
23:13:15.0693 1908 srvnet - ok
23:13:15.0725 1908 StillCam (14b4db4381e4a55f570d8bb699b791d6) C:\Windows\system32\DRIVERS\serscan.sys
23:13:15.0725 1908 StillCam - ok
23:13:15.0740 1908 swenum (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys
23:13:15.0740 1908 swenum - ok
23:13:15.0787 1908 Symc8xx (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys
23:13:15.0787 1908 Symc8xx - ok
23:13:15.0803 1908 Sym_hi (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys
23:13:15.0803 1908 Sym_hi - ok
23:13:15.0818 1908 Sym_u3 (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys
23:13:15.0818 1908 Sym_u3 - ok
23:13:15.0881 1908 SynTP (d8edb37f6e235a47e12f1eafd85c2b6f) C:\Windows\system32\DRIVERS\SynTP.sys
23:13:15.0881 1908 SynTP - ok
23:13:15.0959 1908 Tcpip (2cc45d932bd193cd4117321d469ad6b2) C:\Windows\system32\drivers\tcpip.sys
23:13:15.0990 1908 Tcpip - ok
23:13:16.0021 1908 Tcpip6 (2cc45d932bd193cd4117321d469ad6b2) C:\Windows\system32\DRIVERS\tcpip.sys
23:13:16.0021 1908 Tcpip6 - ok
23:13:16.0083 1908 tcpipreg (c7e72a4071ee0200e3c075dacfb2b334) C:\Windows\system32\drivers\tcpipreg.sys
23:13:16.0083 1908 tcpipreg - ok
23:13:16.0130 1908 TDPIPE (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys
23:13:16.0130 1908 TDPIPE - ok
23:13:16.0161 1908 TDTCP (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys
23:13:16.0161 1908 TDTCP - ok
23:13:16.0193 1908 tdx (458919c8c42e398dc4802178d5ffee27) C:\Windows\system32\DRIVERS\tdx.sys
23:13:16.0193 1908 tdx - ok
23:13:16.0224 1908 TermDD (8c19678d22649ec002ef2282eae92f98) C:\Windows\system32\DRIVERS\termdd.sys
23:13:16.0224 1908 TermDD - ok
23:13:16.0286 1908 tssecsrv (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys
23:13:16.0286 1908 tssecsrv - ok
23:13:16.0333 1908 tunmp (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys
23:13:16.0333 1908 tunmp - ok
23:13:16.0380 1908 tunnel (30a9b3f45ad081bffc3bcaa9c812b609) C:\Windows\system32\DRIVERS\tunnel.sys
23:13:16.0380 1908 tunnel - ok
23:13:16.0411 1908 TVALZ (9a744cc3d804ec38a6c2c65bc3c6fcd8) C:\Windows\system32\DRIVERS\TVALZ_O.SYS
23:13:16.0411 1908 TVALZ - ok
23:13:16.0442 1908 uagp35 (fec266ef401966311744bd0f359f7f56) C:\Windows\system32\drivers\uagp35.sys
23:13:16.0442 1908 uagp35 - ok
23:13:16.0473 1908 udfs (faf2640a2a76ed03d449e443194c4c34) C:\Windows\system32\DRIVERS\udfs.sys
23:13:16.0489 1908 udfs - ok
23:13:16.0520 1908 uliagpkx (4ec9447ac3ab462647f60e547208ca00) C:\Windows\system32\drivers\uliagpkx.sys
23:13:16.0520 1908 uliagpkx - ok
23:13:16.0551 1908 uliahci (697f0446134cdc8f99e69306184fbbb4) C:\Windows\system32\drivers\uliahci.sys
23:13:16.0551 1908 uliahci - ok
23:13:16.0567 1908 UlSata (31707f09846056651ea2c37858f5ddb0) C:\Windows\system32\drivers\ulsata.sys
23:13:16.0583 1908 UlSata - ok
23:13:16.0598 1908 ulsata2 (85e5e43ed5b48c8376281bab519271b7) C:\Windows\system32\drivers\ulsata2.sys
23:13:16.0614 1908 ulsata2 - ok
23:13:16.0629 1908 umbus (46e9a994c4fed537dd951f60b86ad3f4) C:\Windows\system32\DRIVERS\umbus.sys
23:13:16.0629 1908 umbus - ok
23:13:16.0692 1908 USBAAPL64 (aa33fc47ed58c34e6e9261e4f850b7eb) C:\Windows\system32\Drivers\usbaapl64.sys
23:13:16.0692 1908 USBAAPL64 - ok
23:13:16.0723 1908 usbccgp (07e3498fc60834219d2356293da0fecc) C:\Windows\system32\DRIVERS\usbccgp.sys
23:13:16.0723 1908 usbccgp - ok
23:13:16.0739 1908 USBCCID - ok
23:13:16.0754 1908 usbcir (9247f7e0b65852c1f6631480984d6ed2) C:\Windows\system32\drivers\usbcir.sys
23:13:16.0754 1908 usbcir - ok
23:13:16.0785 1908 usbehci (827e44de934a736ea31e91d353eb126f) C:\Windows\system32\DRIVERS\usbehci.sys
23:13:16.0785 1908 usbehci - ok
23:13:16.0801 1908 usbhub (bb35cd80a2ececfadc73569b3d70c7d1) C:\Windows\system32\DRIVERS\usbhub.sys
23:13:16.0817 1908 usbhub - ok
23:13:16.0832 1908 usbohci (eba14ef0c07cec233f1529c698d0d154) C:\Windows\system32\drivers\usbohci.sys
23:13:16.0832 1908 usbohci - ok
23:13:16.0863 1908 usbprint (28b693b6d31e7b9332c1bdcefef228c1) C:\Windows\system32\DRIVERS\usbprint.sys
23:13:16.0863 1908 usbprint - ok
23:13:16.0910 1908 usbscan (ea0bf666868964fbe8cb10e50c97b9f1) C:\Windows\system32\DRIVERS\usbscan.sys
23:13:16.0910 1908 usbscan - ok
23:13:16.0957 1908 USBSTOR (b854c1558fca0c269a38663e8b59b581) C:\Windows\system32\DRIVERS\USBSTOR.SYS
23:13:16.0957 1908 USBSTOR - ok
23:13:16.0973 1908 usbuhci (b2872cbf9f47316abd0e0c74a1aba507) C:\Windows\system32\DRIVERS\usbuhci.sys
23:13:16.0973 1908 usbuhci - ok
23:13:17.0004 1908 usbvideo (fc33099877790d51b0927b7039059855) C:\Windows\system32\Drivers\usbvideo.sys
23:13:17.0004 1908 usbvideo - ok
23:13:17.0051 1908 vga (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys
23:13:17.0051 1908 vga - ok
23:13:17.0082 1908 VgaSave (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys
23:13:17.0082 1908 VgaSave - ok
23:13:17.0113 1908 viaide (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys
23:13:17.0113 1908 viaide - ok
23:13:17.0144 1908 volmgr (2b7e885ed951519a12c450d24535dfca) C:\Windows\system32\drivers\volmgr.sys
23:13:17.0160 1908 volmgr - ok
23:13:17.0207 1908 volmgrx (cec5ac15277d75d9e5dec2e1c6eaf877) C:\Windows\system32\drivers\volmgrx.sys
23:13:17.0207 1908 volmgrx - ok
23:13:17.0238 1908 volsnap (5280aada24ab36b01a84a6424c475c8d) C:\Windows\system32\drivers\volsnap.sys
23:13:17.0253 1908 volsnap - ok
23:13:17.0285 1908 vsmraid (a68f455ed2673835209318dd61bfbb0e) C:\Windows\system32\drivers\vsmraid.sys
23:13:17.0285 1908 vsmraid - ok
23:13:17.0316 1908 WacomPen (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys
23:13:17.0316 1908 WacomPen - ok
23:13:17.0363 1908 Wanarp (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys
23:13:17.0363 1908 Wanarp - ok
23:13:17.0363 1908 Wanarpv6 (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys
23:13:17.0363 1908 Wanarpv6 - ok
23:13:17.0409 1908 Wd (0c17a0816f65b89e362e682ad5e7266e) C:\Windows\system32\drivers\wd.sys
23:13:17.0409 1908 Wd - ok
23:13:17.0441 1908 Wdf01000 (d02e7e4567da1e7582fbf6a91144b0df) C:\Windows\system32\drivers\Wdf01000.sys
23:13:17.0456 1908 Wdf01000 - ok
23:13:17.0550 1908 WmiAcpi (e18aebaaa5a773fe11aa2c70f65320f5) C:\Windows\system32\drivers\wmiacpi.sys
23:13:17.0550 1908 WmiAcpi - ok
23:13:17.0597 1908 WpdUsb (5e2401b3fc1089c90e081291357371a9) C:\Windows\system32\DRIVERS\wpdusb.sys
23:13:17.0597 1908 WpdUsb - ok
23:13:17.0643 1908 ws2ifsl (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys
23:13:17.0643 1908 ws2ifsl - ok
23:13:17.0675 1908 WUDFRd (501a65252617b495c0f1832f908d54d8) C:\Windows\system32\DRIVERS\WUDFRd.sys
23:13:17.0675 1908 WUDFRd - ok
23:13:17.0706 1908 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
23:13:17.0768 1908 \Device\Harddisk0\DR0 - ok
23:13:17.0768 1908 Boot (0x1200) (28baecf6bc97844b20ad4be916b018e3) \Device\Harddisk0\DR0\Partition0
23:13:17.0768 1908 \Device\Harddisk0\DR0\Partition0 - ok
23:13:17.0768 1908 ============================================================
23:13:17.0768 1908 Scan finished
23:13:17.0768 1908 ============================================================
23:13:17.0784 1740 Detected object count: 0
23:13:17.0784 1740 Actual detected object count: 0
23:26:42.0447 1780 Deinitialize success
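As an added example (not code from this thread, from TDSSKiller or from anyone posting here), a small Python triage of a TDSSKiller-style log like the one posted above: it parses the per-driver hash records and the "- ok" verdict lines, pulls out the closing object counts, and lists review cues for a helper to look at. The sample log, its hashes and the "helper"/"badsvc" records are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the TDSSKiller log layout (timestamp, PID, record);
# the hashes and the "badsvc"/"helper" records are made up for this example.
SAMPLE_LOG = r"""
23:13:10.0904 1908 Filetrace (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa) C:\Windows\system32\drivers\filetrace.sys
23:13:10.0904 1908 Filetrace - ok
23:13:12.0043 1908 IpInIp - ok
23:13:15.0959 1908 Tcpip (bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb) C:\Windows\system32\drivers\tcpip.sys
23:13:15.0990 1908 Tcpip - ok
23:13:16.0021 1908 Tcpip6 (bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb) C:\Windows\system32\DRIVERS\tcpip.sys
23:13:16.0021 1908 Tcpip6 - ok
23:13:16.0100 1908 helper (bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb) C:\Windows\system32\drivers\helper.sys
23:13:16.0100 1908 helper - ok
23:13:16.0200 1908 badsvc (cccccccccccccccccccccccccccccccc) C:\Windows\system32\drivers\badsvc.sys
23:13:16.0200 1908 badsvc - detected (constructed example status)
23:13:17.0706 1908 MBR (0x1B8) (dddddddddddddddddddddddddddddddd) \Device\Harddisk0\DR0
23:13:17.0768 1908 \Device\Harddisk0\DR0 - ok
23:13:17.0768 1908 Scan finished
23:13:17.0784 1740 Detected object count: 1
23:13:17.0784 1740 Actual detected object count: 1
"""

# One log line: "HH:MM:SS.mmmm PID <record>"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
# A hashed object: "<name> [(0xSIZE)] (<md5>) <path>"  (the size only on MBR/Boot)
ENTRY_RE = re.compile(
    r"^(?P<name>\S+)(?:\s+\(0x[0-9A-Fa-f]+\))?\s+"
    r"\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$"
)
# A verdict: "<name> - ok" or "<name> - <detection text>"
STATUS_RE = re.compile(r"^(?P<name>.+?)\s+-\s+(?P<status>.+)$")


def parse_log(text):
    """Return (entries, statuses, summary).

    entries:  key -> (md5, path). The key is the service name, or the device
              path for MBR/boot-sector records so it lines up with the verdict.
    statuses: key -> verdict text exactly as logged.
    summary:  the two 'object count' totals printed at the end of the scan.
    """
    entries, statuses, summary = {}, {}, {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group(3)
        e = ENTRY_RE.match(rest)
        if e:
            path = e.group("path")
            key = path if path.startswith("\\Device") else e.group("name")
            entries[key] = (e.group("md5"), path)
            continue
        if rest.startswith("Detected object count:"):
            summary["detected"] = int(rest.rsplit(":", 1)[1])
            continue
        if rest.startswith("Actual detected object count:"):
            summary["actual"] = int(rest.rsplit(":", 1)[1])
            continue
        s = STATUS_RE.match(rest)
        if s:
            statuses[s.group("name")] = s.group("status")
    return entries, statuses, summary


def triage(text):
    """Group the log into review cues. These are cues for a human, not verdicts:
    vendor drivers legitimately use service names that differ from the file
    name (HdAudAddService -> HdAudio.sys), so name_mismatch is only a hint."""
    entries, statuses, summary = parse_log(text)
    cues = {"non_ok": [], "no_file": [], "name_mismatch": [], "shared_hash": []}

    for key, status in statuses.items():
        if status.lower() != "ok":
            cues["non_ok"].append((key, status))   # the scanner itself flagged it
        if key not in entries:
            cues["no_file"].append(key)            # verdict logged, no hashed file

    by_hash = defaultdict(dict)   # md5 -> {normalised path: [service names]}
    for key, (md5, path) in entries.items():
        if path.startswith("\\Device"):
            continue                               # MBR/boot records have no file name
        base = path.rsplit("\\", 1)[-1]
        if key.lower() != base.lower().rsplit(".", 1)[0]:
            cues["name_mismatch"].append((key, base))
        by_hash[md5].setdefault(path.lower(), []).append(key)

    for md5, paths in by_hash.items():
        if len(paths) > 1:   # identical bytes registered from two different paths
            cues["shared_hash"].append((md5, sorted(paths)))
    return cues, summary


if __name__ == "__main__":
    found, totals = triage(SAMPLE_LOG)
    print("scanner totals:", totals)
    for kind, items in found.items():
        for item in items:
            print(f"{kind}: {item}")
```

Two services pointing at the same file (Tcpip and Tcpip6 both at tcpip.sys) are normal and are not reported; the same hash at two different paths is.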

diver79
2012-03-19, 12:58
Hi ASB2012


While I'm thinking of it, if there are no infections, there may still be an infection; we just haven't found one yet. Likewise, it may have been a coincidence and something else could be causing it.

I have a few questions to ask about the laptop and some more scans to run.


Have you had any other symptoms that suggest an infection (search redirects, pop ups etc)?
How long do you get in normal mode before the laptop powers off?
Can you hear the laptop's fan spin?
If so, does it sound louder than normal?
Does the base of the laptop seem hot?
Do you have a Windows Vista installation DVD?


OTL Scan

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Right click on the icon and select Run as Administrator to run it. Make sure all other windows are closed to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Check the boxes beside LOP Check and Purity Check.
Under Custom Scans/Fixes copy/paste the contents of the code box below.
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
del c:\commands.txt^|y /hide /c
/wait
del c:\diskreport.txt^|y /hide /c
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

ASB2012
2012-03-19, 16:46
I seem to recall redirects (which I denied) and more popups than usual although I had popups blocked.
Fan doesn't sound any louder and I also use a cooling mat fan.
Doesn't seem hot, no more than since I bought it a few years ago.
Only began having this problem around March 12-13 when icons and shortcuts didn't work, system was slow and would 'hang' on everything, and then started powering off.

I tried several times to run the OTL scan, as instructed.
Each time it would scan for about a minute, but when it got to "Scanning Firefox settings" nothing happened further; it would stop responding, as indicated in the Task Manager. I tried three times. Also tried without "Run as administrator." No other programs were open. Tried with and without internet connected.
What to do now?
Thanks!

diver79
2012-03-19, 19:37
Hi ASB2012,

Let's disable Malwarebytes and Kaspersky's self defense mechanism as they may be interfering.
The rkill tool should then terminate any known malicious programs that are blocking OTL.

Disable MBAM Real-Time protection
Right-click on the MBAM icon in the System Tray and uncheck Enable Protection.
When asked, "Are you sure you want to disable the MBAM Protection Module?", click Yes.
Right-click on the MBAM icon again and then uncheck Start with Windows.
Restart your computer for the changes to take effect.


Disable Kaspersky Pure Self Defense
Open Kaspersky Pure.
In the right upper corner click the Settings link
In the left part of the Settings window select the Self-Defense item
Uncheck Enable Self-Defense in the right part of the window.
In the right lower corner click the OK button
Close the main application window.

http://i.imgur.com/wbtjh.gif


Download/run Rkill

Please download Rkill from one of the following links and save to your Desktop:

One (http://download.bleepingcomputer.com/grinler/rkill.exe), Two (http://download.bleepingcomputer.com/grinler/rkill.com), Three (http://download.bleepingcomputer.com/grinler/rkill.scr) or Four (http://download.bleepingcomputer.com/grinler/rkill.pif)


Right click on Rkill and select Run as Administrator to run it.
A command window will open then disappear upon completion, this is normal.
When finished, Notepad will open with a log called, "rkill.log".
Please copy and paste the contents of the rkill.log in your next reply.
The file is automatically saved... located at C:\rkill.log.
Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue.


Now run the OTL scan using the instructions here (http://forums.spybot.info/showpost.php?p=423194&postcount=6). Let me know how you get on.

ASB2012
2012-03-19, 19:59
Since I can only run in safe mode, the MBAM and Kaspersky are not running and the icons do not appear in the system tray. When I try to run them from the Start Programs Button, it gives a message that they are not available in safe mode.
So should I uninstall these programs?

ASB2012
2012-03-19, 20:03
Also, the Windows Installer Service is not available in safe mode either. So even if I wanted to uninstall or modify Kaspersky Pure, IDK how I would be able to do that.

diver79
2012-03-19, 20:03
Just uninstall Mbam for now, while you are there please also uninstall the below programs.

IncrediMail MediaBar 2 Toolbar
Java(TM) 6 Update 29
Malwarebytes Anti-Malware version 1.60.0.1800
SpywareBlaster 4.6
Trend Micro RUBotted 2.0 Beta

Reboot the Computer and try running rkill followed by the OTL scan.

diver79.

diver79
2012-03-19, 20:04
Just got your last reply now about the Installer service.

That is not normal behaviour, you should be able to remove programs while in safe mode. Please post any error messages you get when you try to uninstall the programs in the previous list.

thanks,

diver79

ASB2012
2012-03-19, 20:39
Since I couldn't do anything about Kaspersky and MBAM, I ran Rkill anyway. Here is that log. Now I'll try again to run OTL and will be back shortly.




This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/19/2012 at 15:36:24.
Operating System: Windows (TM) Vista Home Premium


Processes terminated by Rkill or while it was running:



Rkill completed on 03/19/2012 at 15:36:27.

ASB2012
2012-03-19, 20:47
I uninstalled Malwarebytes from the add/remove in control panel.
Tried again to run OTL. Still hanging/not responding when it gets to scanning Firefox settings.
I hate to have to uninstall Kaspersky but will if I have to.
I could also uninstall firefox and use internet explorer temporarily if need be.
Please advise at your convenience.
Thank You.

ASB2012
2012-03-19, 20:50
Oh, I just refreshed page and saw your post about uninstalling all those programs. Will get right to it.
Thanks

ASB2012
2012-03-19, 21:29
I have uninstalled everything on your list EXCEPT Java Update, and RUBotted doesn't show in the programs list.
When I tried to uninstall Java (and also Trend Micro Browser Guard), I received message that "The Windows Installer Service could not be accessed. This can occur if Windows Installer is not correctly installed. Contact your support personnel for assistance."
Then I tried control panel - admin= services and changed "manual" to "automatic" and tried to "start" the Windows Installer service. Then got the message that "ERROR: 1084: This service cannot be started in Safe Mode."
So I rebooted at safe mode dos prompt and tried to start service with
C:\sc start windows installer and received message that "Start Service: Open Source FAILED 1060: Specified service does not exist as an installed service."

I tried to reboot and then run OTL again, but it still hangs/not responding when it gets to scanning Firefox Settings.

diver79
2012-03-19, 21:48
Hi ASB2012,

I want to try running system file checker, you may need the Vista installation disk for it to work. If you have it, insert it into your CD/DVD drive, if not just follow the instructions without it.

Click Start > All Programs > Accessories
Right click on the Command Prompt option and select Run as Administrator.
At the command prompt type the following command and press Enter.
sfc /scannow
Allow the scan to complete, it may take a while.
Reboot the PC and let me know if there is any change in its performance.

Now try the OTL instructions again.

ASB2012
2012-03-19, 22:04
I'll try. Do not have an installation CD. When I had the hard drive replaced, on July 20 or so, the technician at the comp store (not a staples type place) re-installed the Vista Operating system. Did not have a disk.
There is a 33MB File Folder called "BOOT" in my COMPUTER C: folder which is dated 6/22/11. Also ChipSet Driver file created 6/22/11 shows 'modified 3/18/12'

Will try above without having disk and reply when finished.
Thanks

ASB2012
2012-03-19, 22:47
C:\Users\Alicia\ sfc \scannow
"Windows Resource Protection did not find any integrity violations"
Then I ran
C:\CHKDSK
"Windows has checked the file system and found no problems"

rebooted.
Firewall is Off but I added Rkill.exe and OTL.exe to 'excepted' program list nonetheless.
Tried again to run OTL.exe but again it hangs/not responding when getting to the 'Scanning Firefox Settings" line.
I suppose I could uninstall Firefox if the system will let me without giving me the "Windows Installer not found" message.

ASB2012
2012-03-19, 22:52
There were 6 Microsoft Security Updates on March 15th. Should I uninstall those?

diver79
2012-03-19, 23:12
> There were 6 Microsoft Security Updates on March 15th. Should I uninstall those?

No, it is unlikely that these are related to your issues.

I'd like to attempt a startup repair. First you will need to create a system recovery disk.

Create System Recovery disk
Click on the Start button.
In the Search programs and files text box type recdisc and press Return.
The Create a System Repair Disk window should open.
Ensure your CD/DVD writer drive is selected and that there is a blank disk in the drive.
Click on the Create Disk button and allow the process to finish.


Startup Repair

Ensure the CD you just created is inserted and restart the computer.
If prompted, press any key to boot from the System recovery Disk.
Select your language preferences and click Next.
Click on Repair your computer.
Select your Operating System and click Next
Select Startup Repair from the list and click Next.


If this runs successfully please boot into normal mode and see if there are any improvements in stability.

ASB2012
2012-03-20, 01:46
I don't think I have CDs that will work. Can I use an external hard drive?

ASB2012
2012-03-20, 02:42
The Create a System Repair Disk window should open ....BUT IT DID NOT. Nothing happened at all.
In the Windows\System32 folder there is a file called rescue.exe but when I click on it nothing happens. I looked at its properties and for users and admin it should be 'read and execute' and for a "trusted installer" there are full control permissions.

What to try?

ASB2012
2012-03-20, 02:45
The windows system32 file that I cannot get to open is actually called recdisc.exe

ASB2012
2012-03-20, 07:14
I've tried booting to safe mode directory services repair. Could do more in that mode but eventually it cut off also.
Tried to get the events log from Everest Ultimate Edition, though it was such a large file, it eventually got near the end and then hung. Copied it into word but couldn't save in safe mode.

Also tried to check system stability while in Everest Ultimate Edition but again the power cut off even while in several different safe boot modes.

Cannot get to the recdisc.exe or recover.exe by any means at least in safe mode. Still cannot boot normally without power cutting off.

When I google ISO I can see that I can download vista rescue but don't know if these are legitimate options. It appears that there are only privileges for a 'trusted installer' to use the recdisc.exe and recover.exe. Perhaps either because I'm in safe mode or I have to take the laptop back and pay them to recover for me????

Also I cannot uninstall firefox for some reason, although I was able to uninstall the Java6 update without a problem while in directory service repair mode. The OTL still hangs when it gets to 'scanning firefox settings.' so I thought perhaps if I uninstall firefox it would work, though can't uninstall it.

Any other ideas? Appreciate your assistance and I really don't want to have to take laptop in for reinstallation. New battery and charger haven't arrived yet as expected.

diver79
2012-03-20, 20:26
Hi ASB2012,

I want you to download Kaspersky's rescue disk and create a bootable USB drive with it.

This will allow us to scan the computer outside of the Operating System (and hopefully whatever is causing the shutdown).

Download the following files to your Desktop.
http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso
http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/rescue2usb.exe


Run the downloaded file rescue2usb.exe.
On the Kaspersky USB Rescue Disk Maker window, click Browse... and select the kav_rescue_10.iso file downloaded earlier.
Under the USB Medium section select your USB device from the drop-down menu.
Click START.
Wait until the process is complete.


Configure the computer to boot from USB

Turn off the Computer
Turn on the computer and repeatedly tap either the DEL or F2 keys to enter the BIOS.
If neither of these work you may try the following keys instead: F1, F8, F10, F11, F12.
Look for Boot options in the BIOS and make sure that Removable Devices is top of the list.

More information http://pcsupport.about.com/od/fixtheproblem/ss/bootorderchange_3.htm


Boot to KAS Rescue

Restart your computer (with the USB drive inserted). After reboot, a message will appear on the screen: Press any key to enter the menu. Press any key...
Select English as the Language using the keyboard.
Press the 1 key to accept the agreement.
Select Kaspersky Rescue Disk. Graphic Mode


Update Anti-Virus Database

In the bottom left hand corner click on the blue Start button and select Kaspersky Rescue Disk from the open menu.
Select the My Update Center tab.
Select Start Update
If the update fails it will be due to a connection problem, either you need to enter your wireless settings or you have DHCP turned off at the router. See here (http://support.kaspersky.com/viruses/rescuedisk/main?qid=208286087) for info on solving this problem.


Start Scan

At the Kaspersky Rescue Disk window go to the Objects Scan tab.
Check all the checkboxes and select Start Objects Scan.
If anything is found choose Skip. We will deal with it later.
When the scan is finished click on the Report link at the top of the screen.
Click on Detailed report and click Save.
Save the report to your USB disk and post its contents in your next reply.

ASB2012
2012-03-20, 21:02
I'll try this.
When I attempted to update Kaspersky earlier, the PC again shut off on me.
I took a look at the system stability report from Everest Ultimate Edition, but I couldn't make heads or tails out of it. It doesn't seem to recognize any fans,
but My Device manager says that the ACPI Fan is working properly.

I received the new battery and charger which I will charge up tonight and see if it helps. It may be tomorrow before I can get back with you.
Thanks for your assistance.

ASB2012
2012-03-20, 21:19
Does this only apply to Kaspersky Internet Security?
My laptop is running Kaspersky PURE.

diver79
2012-03-20, 22:43
Hi ASB2012,

If the PC shut off while you were running the Kaspersky Rescue Disk, then the problem is hardware related and not malware or software.

All of the scans I have run so far have not shown any infection. The PC shutting off while running KAS Rescue disk tells me that the fault is present when Windows is not running. Therefore the problem must be hardware related.

Everest not picking up your fans may just be that it does not recognise that particular fan. Device manager will only tell you that the driver for the fan controller is working properly. It does not know if the fan is spinning or not.

If you continue to have shut down problems after replacing the battery I would start monitoring the processor's temperature, as I have seen overheating cause this issue before.

There are many tools available for this. Below are some I have used before.
http://www.almico.com/speedfan.php
http://www.techpowerup.com/realtemp/

Unless you have any more questions this topic will be closed, as I do not believe the issue relates to malware.

ASB2012
2012-03-21, 02:40
The laptop shut down while running the Kaspersky Daily Update.
That was prior to getting your message about the rescue disc.

I plugged in an external USB and for some reason there was an error with that.
So now I'm checking it and it takes awhile as there's a lot on it.

I was able to save the Kasp Rescue ISO to an 8GB USB drive so I will try to run that tonight or tomorrow morning.

So, let me see what happens with the rescue and then we'll know whether to close out or not. Again, I have to ask why spybot identified the TrojanC-05 if there isn't one on my machine? It found the same on PC at my mother's house (she emails me a lot) and she had been having similar issues with hangups and non-working icons, etc...

So keep open please until I check back with you sometime tomorrow.
Thank You.

diver79
2012-03-21, 18:42
Hi ASB2012,

No problem, I had thought you were referring to updating within the rescue disk. I won't rule out a malware problem just yet.

Again, I have to ask why spybot identified the TrojanC-05 if there isn't one on my machine?

Is Spybot still detecting this trojan?

Let me know how you get on with the rescue disk and if the new battery made any difference.

diver79.

ASB2012
2012-03-22, 02:55
The new battery and adapter seemed to make some difference. I thought all was lovely, as the laptop stayed after opening windows normally. So then I still could not run the OTL scan without getting stuck on firefox. Also I still could not uninstall firefox. So I went to the external drive and copied earlier versions of the firefox uninstall folder. Was then able to uninstall firefox and run the OTL.exe.
I've attached those two files.
I then tried the rescue you instructed when booting from USB. THEN the laptop cut off after only 3 minutes of the running scan. Tried again and same thing happened.
Then I went to run it in text mode rather than graphic mode. It has been running awhile and is at 41% scanning the C:/ drive. However, I don't know how to make it give a report even though I did read the command line syntax, I'm not a laptop programmer!
Please take a look at the attached OTL reports and let me know if there is anything obvious.
I will be back after the rescue finishes (or stops).
I also noticed that on the external drive there is a file named rescuecd.iso dated 7-16-11 which is just after I had the new hard drive installed. Is there anything I can do with this file? I also have a folder called Kaspersky Restore Utility dated 10-11-11. also a file called BOOKSECT.bak from 6-22-11.
Thank You!

ASB2012
2012-03-22, 03:44
The scan via text mode finished 100% scanning C:/ though then I didn't know how to get any report. When I tried typing in command line, it started before I finished typing, so ....
I rebooted windows normally and will try running spybot to see if the TrojanC-05 shows up again.

diver79
2012-03-22, 09:43
Hi ASB2012,

The files on the external drive all relate to the rescue CD.

Did the command line scan give you any on screen results, did it find anything?

Also, has there been any previous infections on this machine (other than what Spybot now detects)?

I want to have a look at the status of your hard disk.

Check Hard Disk For Errors
Open an Elevated Command Prompt

You will be switching between command prompt and browser windows.

Press the Start button
In the Start Menu search box area type:
cmd
Right click on cmd.exe (at top of the menu)... click on Run As Administrator.
A black screen will open. You should see the elevated command prompt open to C:\Windows\System32
Leave it open...
Go back to your browser.

On the Browser screen
Copy the following command line (including the quotes):
chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt"
Go back to the open (black screen) command prompt.

At the Command Prompt window.
Right click on the window title "Administrator Command Prompt" area. A menu will appear.
Select Edit... then choose Paste. You should see the chkdsk command string you copied, in the black window.
Press Enter ... Chkdsk will now start checking your hard drive. DO NOT CLOSE the Command Prompt window!
The Chkdsk process can take a while, depending on the size of your hard drive.
A file named checkhd.txt will appear on your desktop while Chkdsk is running.
When your hard drive light stop flashing constantly... Open the checkhd.txt file.
You should see totals of bytes on the drive, bytes in files...etc. If you do not see these totals, Chkdsk is still running, close the file, wait a little longer.
Please post the contents of the checkhd.txt file, in your next reply.

ASB2012
2012-03-22, 21:23
Did anything show up on the OTL files I had attached earlier?
I haven't had any other problems with this laptop since I had the harddrive replaced. I believe the original harddrive was hacked and copied on 5-25-11 and so I shutdown the laptop until I took it in and had the harddrive totally replaced in June 2011. Have not had any issues since then ... not until around March 12 as I said at beginning of this entire post when I updated firefox, windows, etc., and spybot found the TrojanC-05.
I was able to run spybot last night and it did not find anything this time.

Is there something in the string you posted that is wrong and making that not run? An extra space or something?

Followed your instructions. However, when I cut & pasted that command line into the black box and hit 'enter' all I got was a blinking cursor. Nothing else would happen. Tried several times.

So then I typed CHKDSK after the C:\Windows\System32> prompt and the chkdsk started running and placed the checkhd.txt on the desktop. However, this file didn't contain all that was listed in the black box so I copied and pasted that in a file called CHKDSK.txt and have attached both. The CHKDSK said that there were issues and I needed to run CHKDSK with /F but could only schedule that to run at restart, which I did.
Restarted laptop and this program ran but then disappeared before I could read anything and I didn't know how to get a report before the laptop started up.


diver79
2012-03-22, 22:22
Hi ASB2012,

There are a few items that need removing from the OTL log but I do not think they would cause the issue you are having.
The chkdsk scan does not show a significant problem with the Hard drive. The error it finds is a known issue with Windows Vista. See here (http://support.microsoft.com/kb/976329) for more info.

I will run a fix with OTL to get rid of some files and then I want you to upload a file for analysis.

Create a System Restore Point

Right-click on the Computer icon and select Properties.
In the left pane under Tasks ... click on System protection.
If UAC prompts for an administrator password or approval, type the password or give your "permission to continue".
Select the System Protection tab ...then choose Create.
In the System Restore dialog box, type a description for the restore point ... click Create, again.
A window will pop up with "The Restore Point was created successfully" confirmation message.
Click OK ...then close the System Restore dialog.
Please leave the System Restore function "turned on" until we are finished and I give you the 'all clean' sign.
If you have successfully created a System Restore Point...we can proceed.


Run OTL Script
We need to run an OTL Fix

Right-click OTL.exe and select Run as Administrator.
Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code


:processes
killallprocesses
:otl
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2724386
IE - HKCU\..\URLSearchHook: {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - No CLSID value found
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2724386
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0} - No CLSID value found.
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:5C321E34
:commands
[CREATERESTOREPOINT]
[REBOOT]

Then click the Run Fix button at the top.
Click OK.
OTL may ask to reboot the machine. Please do so if asked.
The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.


Online Antivirus file scan
Upload file(s) to VirusTotal (VT) for an online scan. Click here. (http://www.virustotal.com)

Click on the Browse button or the white box beside it. A File Upload prompt will open.
Copy and paste the following file and its path to upload:

c:\windows\system32\plasrv.exe
Press Open, then Send file. The file will be uploaded for testing.
If there is any indication or prompt that the file has been scanned before, please proceed to have the file rescanned or reanalyzed.
Please wait for all the scanners to finish, then copy and paste the result into Notepad and save it to a convenient place.
Post the results in your next response.

Alternatively, if VirusTotal is busy or inaccessible, you may try Jotti (http://virusscan.jotti.org/) or VirScan (http://virscan.org/) (VS) with similar steps.

A result from either one of the above scanners would be sufficient.

ASB2012
2012-03-23, 01:06
When browsing for the plasrv.exe file I got the message that "File not found" but when I went to My Computer to the windows system 32 folder I could see it. In order to scan the plasrv.exe file I had to copy it to the desktop and put that location in the browse window of the online scan. It seems that the tech who reinstalled my operating system gave full permissions ONLY to "Trusted Installer" and that all others (System, Administrators, Users) only have permissions to "read" and "read and execute" on all these files that I need in order to do any type of restore, repair, etc. I've never had anyone do that to me before!

Attached are the log/txt files for your latest requests.


ASB2012
2012-03-23, 01:15
The C:\Windows\System32 and \SysWOW64 folders are full of files but is there any reason why the C:\Windows\System folder is empty?
Seemed Odd.

What would be the name of the file used to Repair at Startup? Perhaps there is one somewhere but I cannot locate because it is once again locked to all but a trusted installer.

Thanks

diver79
2012-03-23, 18:35
Hi ASB2012,

Has there been any change in the PC's behaviour since running the fix? You seem to be able to run some scans in normal mode now, is this correct?


The C:\Windows\System32 and \SysWOW64 folders are full of files but is there any reason why the C:\Windows\System folder is empty?

It is normal for C:\Windows\System to be empty, it is there so that older programs that reference this location can be redirected to the new C:\Windows\SYSWOW64 folder.

What would be the name of the file used to Repair at Startup?

recdisc.exe is the executable to launch the startup repair disk creator. Is this what you are referring to?


The permissions issue is suspicious alright, the following tool will look for files with modified permissions which may help.

Please download Junction.zip (http://download.sysinternals.com/Files/Junction.zip) and save it to your desktop.

Right click Junction.zip and choose extract all...
When the Compressed Folders Extraction wizard opens, click Next
Click Browse
When the "select a destination" box opens, click My Computer > Local Disk (C) > Windows > OK
Back at the Extraction Wizard, click Next.
Untick "Show Extracted Files" and click Finish

Copy all text in the code box (below)...to Notepad, Do not include the word Code:

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0
Save it to your desktop as File name: junc.bat
Save as type: All Files.
junc.bat<<------------- you should see this on your desktop.
Right click on junc.bat and select " Run as administrator " to execute it.
A black CMD window will flash, then disappear...this is normal.
A file should appear on your Desktop. Please post the contents of this file.

ASB2012
2012-03-23, 23:59
Will get ck with you as soon as I get this one done.
I checked the Kaspersky log for March 12th and there were a TON of "allowed" banners regarding Facebook Add-ons and such although I don't even use facebook. This was about the time that Mozilla said I needed to update. I've deleted Firefox.
Thought things were better as the laptop at least stays on when starting windows normally.
However, yesterday and today, EVERYTHING is extremely slow again, especially IE (I'm running IE7 as I don't trust the new ones they keep coming up with) just as it was when all of this started in the middle of March. Takes forever to open tabs in IE, or items on desktop, forever to close anything.

Also, I tried to run Kaspersky Back-Up and it stopped after 19.8GB (out of 76 or so) indicating "Write Error".

Will try and run this one you've indicated

BTW, I checked Microsoft and many forums and read that many of the system files in Vista are given "trusted installer" permissions by default in order to keep users from messing them up. You have to jump through hoops in order to 'take ownership' of one of these files.

And yes, the restore.exe is what I want to get at but it has 'trusted installer' permissions. If I copy the file to desktop it shows 'full control' for system, administrator, etc, but when you click on it it still will not run.

ASB2012
2012-03-24, 00:00
the file you mentioned, recdisk.exe yes I tried to get that one too. It also shows permissions for system, admin when copied to desktop but also it will not run when selected.

ASB2012
2012-03-24, 00:06
The black cmd.exe box just stays on the screen whilst the cursor blinks.

ASB2012
2012-03-24, 00:27
I was looking for a file and went to
Computer>C:
The documents & settings folder is now a 'shortcut' and when I try to select it it says "access denied"
I looked at properties and there are NO permissions listed at all. I tried to add full control for admin and again, "access denied"
It didn't used to be like this. I used to be able to select the Documents & Settings folder and see all files within.

ASB2012
2012-03-24, 00:36
In fact, now I see that I'm denied access to:
users>alicia
cookies
local settings
my documents
print hood
recent
send to
start menu
templates
and all these files show a 'shortcut' arrow whereas before it was a regular file icon. I used to be able to go to these files, to 'cookies' for example and delete all cookies. Now I'm denied access?

IDK what is going on with all of this?

diver79
2012-03-24, 00:45
Try running the junction batch file again. Leave the window open until it finishes scanning. It may take a while.

diver79
2012-03-24, 00:54
I think that the infection Spybot identified has removed your permissions to various files/folders. Junction will show us what files have been modified so we can fix them. Please do not alter any more files as it will interfere with Junctions findings.

If you cannot get Junction to produce a log, try using the instructions below.

Also, please do not attach the logs I request, paste them into the post.

Click Start > All Programs > Accessories > Run
Copy and paste the contents of the codebox below into the run box.
(Do Not include Code:) Then click OK:
cmd /c junction -s c:\ >log.txt&log.txt&del log.txt
A command window will open and the system will be scanned. (Click Agree to the prompt)
Please be patient & wait until a log file opens in notepad.
Copy and paste the contents of that file in your next reply.
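
Added example, not part of this thread or of the Sysinternals tool: a Python triage script for the log that junction -s produces (the format is the one shown later in this thread), sorting the stock Vista compatibility reparse points (Documents and Settings, All Users, and the per-user Cookies, Local Settings, My Documents, Recent, SendTo and so on, which Windows deliberately locks with a Deny "List folder" ACE so Explorer shows a shortcut arrow and "Access is denied" on them) from reparse points with non-stock targets and from files junction could not open. The sample log, the profile name User1 and the Desktop junction pointing into Windows\Temp are constructed for the demonstration.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class ReparsePoint(NamedTuple):
    path: str    # normalized lower-case path, e.g. c:\users\user1\cookies
    kind: str    # "JUNCTION" or "SYMBOLIC LINK"
    target: str  # normalized "Print Name" the reparse point resolves to


# Stock Vista compatibility reparse points (XP-era path -> real location).
# Windows puts a Deny "List folder" ACE for Everyone on them, so Explorer shows
# a shortcut arrow and "Access is denied" while the data is intact at the target.
MACHINE_JUNCTIONS: Dict[str, str] = {
    r"c:\documents and settings": r"c:\users",
    r"c:\users\all users": r"c:\programdata",
    r"c:\users\default user": r"c:\users\default",
    r"c:\programdata\application data": r"c:\programdata",
    r"c:\programdata\start menu": r"c:\programdata\microsoft\windows\start menu",
}
# Per-user ones: name under c:\users\<name>\ -> stock target relative to it.
USER_JUNCTIONS: Dict[str, str] = {
    "application data": r"appdata\roaming",
    "cookies": r"appdata\roaming\microsoft\windows\cookies",
    "local settings": r"appdata\local",
    "my documents": r"documents",
    "recent": r"appdata\roaming\microsoft\windows\recent",
    "sendto": r"appdata\roaming\microsoft\windows\sendto",
    "start menu": r"appdata\roaming\microsoft\windows\start menu",
    "templates": r"appdata\roaming\microsoft\windows\templates",
}

HEADER_RE = re.compile(r"^(?P<path>\\\\\?\\.+?): (?P<kind>JUNCTION|SYMBOLIC LINK)\s*$")
PRINT_RE = re.compile(r"^Print Name\s*:\s*(?P<target>\S.*)$")
FAILED_RE = re.compile(r"^Failed to open (?P<path>\\\\\?\\.+?): (?P<reason>.+)$")
USER_PATH_RE = re.compile(r"^c:\\users\\([^\\]+)\\(.+)$")


def normalize(raw: str) -> str:
    r"""Drop junction's \\?\ prefix, collapse the doubled backslash that
    'junction -s c:\' leaves after the drive letter, and lower-case it."""
    p = raw.strip()
    if p.startswith("\\\\?\\"):
        p = p[4:]
    while "\\\\" in p:
        p = p.replace("\\\\", "\\")
    return p.rstrip("\\").lower()


def parse_junction_log(text: str) -> Tuple[List[ReparsePoint], List[Tuple[str, str]]]:
    """Return (reparse points found, files junction could not open with the reason)."""
    points: List[ReparsePoint] = []
    failures: List[Tuple[str, str]] = []
    pending = None  # (path, kind) header waiting for its "Print Name" line
    for line in text.splitlines():
        line = line.strip()
        m = FAILED_RE.match(line)
        if m:
            failures.append((normalize(m["path"]), m["reason"].strip()))
            continue
        m = HEADER_RE.match(line)
        if m:
            pending = (normalize(m["path"]), m["kind"])
            continue
        m = PRINT_RE.match(line)
        if m and pending:
            points.append(ReparsePoint(pending[0], pending[1], normalize(m["target"])))
            pending = None
    return points, failures


def classify(rp: ReparsePoint) -> str:
    """'expected' = stock Vista junction with its stock target; anything else is
    'unexpected' and worth a closer look (a lead, not proof of infection)."""
    if MACHINE_JUNCTIONS.get(rp.path) == rp.target:
        return "expected"
    m = USER_PATH_RE.match(rp.path)
    if m:
        user, name = m.group(1), m.group(2)
        stock = USER_JUNCTIONS.get(name)
        if stock and rp.target == "c:\\users\\" + user + "\\" + stock:
            return "expected"
    return "unexpected"


def triage(text: str) -> Dict[str, list]:
    """Bucket a junction -s log into expected / unexpected reparse points and failures."""
    points, failures = parse_junction_log(text)
    report: Dict[str, list] = {"expected": [], "unexpected": [], "failed": failures}
    for rp in points:
        report[classify(rp)].append(rp)
    return report


# Constructed sample in the format junction -s emits; "User1" and the Desktop
# junction pointing into Windows\Temp are made up for the demonstration.
SAMPLE_LOG = r"""
\\?\c:\\Documents and Settings: JUNCTION
   Print Name     : C:\Users
   Substitute Name: C:\Users
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\System Volume Information: Access is denied.
\\?\c:\\Users\All Users: SYMBOLIC LINK
   Print Name     : C:\ProgramData
   Substitute Name: \??\C:\ProgramData
\\?\c:\\Users\User1\Cookies: JUNCTION
   Print Name     : C:\Users\User1\AppData\Roaming\Microsoft\Windows\Cookies
\\?\c:\\Users\User1\Desktop: JUNCTION
   Print Name     : C:\Windows\Temp\shadow
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket, items)
```

Entries in the "failed" bucket such as pagefile.sys, System Volume Information and the Crypto\RSA\MachineKeys folder are locked on every Vista install and are not a finding on their own.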

ASB2012
2012-03-24, 03:30
Will paste into reply from now on. Sorry. Thought some of the logs were so long that I was supposed to attach.

Tried to do as suggested in your post above.
The black box flashed and went away.
There was nothing to "agree" to, just a "run" to select
There's no indication anything is happening. After pasting the string in the run box, and selected "OK" nothing happened
How do I know if the scan is actually running?

ASB2012
2012-03-24, 03:41
There really is something wrong here, not hardware.
I just hovered over the email icon and noted "you have 1050 new emails" What in the world?

ASB2012
2012-03-24, 05:06
I've tried several times.
Black box flashes and goes away.
Cursor just stays at same spot on screen.
No file ever appears on desktop.

ASB2012
2012-03-24, 05:41
I also noted that Windows Defender definition updates were revised/updated on March 12, 2012.
This was about on the day my problems started.
It runs in 'real time' and updates daily. I don't know if it is possible to 'rollback' the WD updates, but would this be something to consider?

diver79
2012-03-24, 15:03
Hi ASB2012,

You may have contracted the latest version of the TDL rootkit. This infection can only be properly detected by looking at your computer's disk configuration from an external bootable environment.

If this is the infection, we will be able to deal with the other issues once it has been removed.


Download and save a copy of the latest Puppy ISO file (http://puppylinux.org/main/Download%20Latest%20Release.htm)
Download and save a copy of Unetbootin (http://unetbootin.sourceforge.net/) for Windows.
Insert an empty formatted USB drive into a USB port on the computer that's being used to create the bootable USB.
Launch Unetbootin ....
Ensure that Disk Image is selected.
Using the browse button ... browse to and select the Puppy ISO file.
Ensure that Type: is set to USB Drive and that the Drive: letter corresponds to the USB drive. (it must not under any circumstances be set to your main drive (C:\))
Click OK
Unetbootin will now copy the Puppy files to the USB and make it a bootable device.


Next


Insert your USB into the computer and Boot into Puppy.

When fully booted you should see a Desktop similar to the one below.


http://i1090.photobucket.com/albums/i366/garyr56/TDL4%20Partition%20Sector%20Infection/Puppy53Desktop.jpg

Next


Click on each of the drive items found in the bottom left corner to mount them (when mounted they will have a red cross next to them). In this example SDA is the hard drive and has 3 partitions, SDB is the USB drive that Puppy was loaded from.

http://i1090.photobucket.com/albums/i366/garyr56/TDL4%20Partition%20Sector%20Infection/Puppy53Drives.jpg

Next


Launch GParted Menu > System > GParted partition manager, when launched the following box will open ....

http://i1090.photobucket.com/albums/i366/garyr56/TDL4%20Partition%20Sector%20Infection/GParted1.jpg


Click to select All Drives then click Okay

GParted will scan the computer and then display a window similar to this ....


http://i1090.photobucket.com/albums/i366/garyr56/TDL4%20Partition%20Sector%20Infection/GParted2.jpg


.... and it is this window that I need you to take a screen shot of, so that I can see whether you have a TDL4 infection or not.

To take a screenshot in Puppy ....

With the GParted window open ...


Click menu > Graphic > mtPaint-snapshot screen capture
A small window will open ....
Click Capture Now
Click OK
The mtPaint program will open ....
Click File > Save
Double click on ../
Double click on mnt/
Double click on sdb1/
Set File Format to JPEG
Enter screenshot1 into the text box
Click OK


This will save a file screenshot1.jpeg into the USB drive.

Next


Click menu > shutdown > power off computer
If prompted to save the session click on No

Puppy will now close down.

Remove the USB drive and boot into normal Windows.

Insert the USB drive again and please post me the screenshot you took whilst in Puppy (you'll have to host it somewhere like Photobucket or Image Shack and post the link).

ASB2012
2012-03-25, 01:09
I followed instructions to the 't'
Changed Boot to USB
When inserted USB and attempted restart I received the message that

BOOTMGR is missing
Press CTRL ALT DEL to restart

When pressed CTRL ALT DEL nothing would happen.

Did it matter what type file the USB was formatted?
Should the empty USB drive be formatted using NTFS, FAT32 or just which?

Thanks

ASB2012
2012-03-25, 01:10
And should I select "quick format" or leave that unmarked?

ASB2012
2012-03-25, 03:22
I figured it may be awhile until you came back here, so I reformatted USB with FAT32, followed instructions again and everything seemed to work as you instructed.

Here is the screenshot on photobucket.
http://s1158.photobucket.com/albums/p618/PBASB2012/?action=view&current=screenshot1.jpg

Also from my usb drive/desktop, just in case


Thanks

diver79
2012-03-25, 23:21
Hi,

Good work getting the screenshot! Unfortunately it did not reveal anything that would indicate an infection.

I still think that there are permission errors on the computer. I've tried running the Junction batch file on my computer and it works fine.

It takes a few minutes to produce the log. Can you follow the instructions again and see if you can get it to produce a log.

Junction instructions (http://forums.spybot.info/showpost.php?p=423449&postcount=39)

ASB2012
2012-03-26, 23:50
When I paste the string in the box and hit 'enter' the black box immediately flashes and disappears.
The string you supplied which I pasted was

cmd /c junction -s c:\ >log.txt&log.txt&del log.txt

again, it flashes (so quick you cannot read anything on it) and disappears.

diver79
2012-03-26, 23:59
This is the correct set of instructions as previously posted http://forums.spybot.info/showpost.php?p=423449&postcount=39

This is the one that should work for your OS.

ASB2012
2012-03-27, 00:14
It tells me that there is already a file in the destination directory named eula.txt dated 7-28-2006 and asks if I want to

copy and replace (which is what I did before)
dont copy [no files changed. leave 3-26-12 file in destination folder???]
keep both files [new one will be eula(2).txt]
It also asks the same replace question for the file junction.exe dated 9-7-2010.

Should I hunt for these files and delete them and then download junction fresh?

And as instructed, these files go to Windows folder, and NOT any windows subfolder, is that correct?

diver79
2012-03-27, 00:25
Yes, delete all existing files and download a fresh copy of junction.
When you extract junction it should go to c:\windows.

ASB2012
2012-03-27, 00:57
I did a search for eula.txt and came up with a LOT of them (just searched, didn't change or delete any of them). There are about 65 files assoc with 'eula', some of which are:

eula.txt (type: txt, Opens with Notepad)
C:\Program Files (x86)\MSECache\ExPdfXps\1033
Created: Friday, October 27, 2006, 6:31:08 PM
Modified: Friday, October 27, 2006, 6:31:08 PM
Accessed: Wednesday, March 21, 2012, 5:19:06 PM

Eula.txt
Text Document
Modified: 7/28/2006 9:32 AM
Location: (Archive Root Directory)
Method: Deflated
CRC-32: 46A7FB70
Size 7KB, Compressed 4KB

Eula.txt (Type txt, Opens with Notepad)
Location: C:\Windows
Created: Friday, July 28, 2006, 9:32:44 AM
Modified: Today, March 26, 2012, 44 minutes ago
Accessed: Friday, July 28, 2006, 9:32:44 AM
message says "this file came from another computer and might be
blocked to help protect this computer"

Eula.txt (0 bytes)
Origin: $RISQ38X.zip
Deleted: Today, March 26, 2012, 6:45:31 PM
IDK how this could be. The deleted time is 4 minutes ago and I didn't
delete anything.

Eula.txt (0 byte)
Origin: $RASFTQC.zip
Deleted: Today, March 26, 2012, 6:47:49 PM
IDK how this could be. The deleted time is 2 minutes ago and I didn't
delete anything.


There are a lot of other eula files under various names in the folder:
C:\Users\Alicia\New Folder\Phone SD\mediamove for Lexar Media.app\Contents\Resources\Java\resources\license

And also a lot of this type file:
FL_eula-exp_txt_amd64_[various 3 letter code] 3243236F.....

ASB2012
2012-03-27, 00:58
I sent the last post before seeing your instruction to delete eula files. Should I delete all 65 of these files?

ASB2012
2012-03-27, 05:26
I deleted any recent junction.exe and eula.txt files. and redownloaded the junction.exe and followed your instructions again.
Although I got different screens than before (such as UAC screens), when I right-clicked on the junc.bat file and selected run as admin, then the black cmd box appeared and stayed there. All that happened is a blinking "-" and nothing else.
Then after just waiting awhile, a Notepad box popped up with the following contents: I'm not exactly sure if this was what I was supposed to end up with, but here is the contents that were displayed:


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


...

\\?\c:\\ProgramData\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\ProgramData\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates


Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\15440e46511cf09913864dfed395f976_0c3038ea-fe3d-4f29-803d-8b3e12d13861: Access is denied.


\\?\c:\\Users\All Users: SYMBOLIC LINK
Print Name : C:\ProgramData
Substitute Name: \??\C:\ProgramData

\\?\c:\\Users\Default User: JUNCTION
Print Name : C:\Users\Default
Substitute Name: C:\Users\Default

\\?\c:\\Users\Alicia\Cookies: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Alicia\Local Settings: JUNCTION
Print Name : C:\Users\Alicia\AppData\Local
Substitute Name: C:\Users\Alicia\AppData\Local

\\?\c:\\Users\Alicia\My Documents: JUNCTION
Print Name : C:\Users\Alicia\Documents
Substitute Name: C:\Users\Alicia\Documents

\\?\c:\\Users\Alicia\NetHood: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Alicia\PrintHood: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Alicia\Recent: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Alicia\SendTo: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Alicia\Start Menu: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Alicia\Templates: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Alicia\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Alicia\AppData\Local
Substitute Name: C:\Users\Alicia\AppData\Local

\\?\c:\\Users\Alicia\AppData\Local\History: JUNCTION
Print Name : C:\Users\Alicia\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Alicia\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Alicia\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Alicia\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Alicia\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Alicia\Desktop\Other Program Shortcuts\Documents\My Music: JUNCTION
Print Name : C:\Users\Alicia\Music
Substitute Name: C:\Users\Alicia\Music

\\?\c:\\Users\Alicia\Desktop\Other Program Shortcuts\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Alicia\Pictures
Substitute Name: C:\Users\Alicia\Pictures

\\?\c:\\Users\Alicia\Desktop\Other Program Shortcuts\Documents\My Videos: JUNCTION
Print Name : C:\Users\Alicia\Videos
Substitute Name: C:\Users\Alicia\Videos

\\?\c:\\Users\All Users\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Users\All Users\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Users\All Users\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Users\All Users\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Users\All Users\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Users\All Users\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates

Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\15440e46511cf09913864dfed395f976_0c3038ea-fe3d-4f29-803d-8b3e12d13861: Access is denied.


\\?\c:\\Users\Default\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming
Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Cookies: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Default\Local Settings: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION
Print Name : C:\Users\Default\Documents
Substitute Name: C:\Users\Default\Documents

\\?\c:\\Users\Default\NetHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files



\\?\c:\\Users\Default\Documents\My Music: JUNCTION
Print Name : C:\Users\Default\Music
Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Default\Pictures
Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION
Print Name : C:\Users\Default\Videos
Substitute Name: C:\Users\Default\Videos

\\?\c:\\Users\Public\Documents\My Music: JUNCTION
Print Name : C:\Users\Public\Music
Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Public\Pictures
Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION
Print Name : C:\Users\Public\Videos
Substitute Name: C:\Users\Public\Videos

Failed to open \\?\c:\\Windows\System32\LogFiles\WMI\RtBackup: Access is denied.


diver79
2012-03-27, 09:17
No need to delete the EULA.txt files. Will look into the log later today and post new instructions.

ASB2012
2012-03-27, 22:26
I already deleted the old eula.txt and then it finally ran and produced the log above.
Thank You. I'll check back later for instructions.

diver79
2012-03-27, 22:29
Can you check that you have posted the full junction log. Just want to make sure there is nothing missing.

diver79
2012-03-27, 22:52
Please download GrantPerms.zip (http://download.bleepingcomputer.com/farbar/GrantPerms.zip) by Farbar and save it to your desktop.

Right click GrantPerms.zip and choose extract all...
When the Compressed Folders Extraction wizard opens, click Next > Next > Finish.
Enter the GrantPerms folder, right-click GrantPerms.exe and select Run as Administrator.
Copy and paste the contents of the codebox below into the white box (Do Not include Code:)

c:\\Windows\System32\LogFiles\WMI\RtBackup
Now Click Unlock
When it's done, click "OK".
Now click List Permissions and post contents of the log file that opens (Perms.txt)
A copy of Perms.txt will be saved in the same directory the tool is run.

Re-run Junction batch file
Copy all text in the code box (below)...to Notepad, Do not include the word Code:

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0
Save it to your desktop as File name: junc.bat
Save as type: All Files.
http://i526.photobucket.com/albums/cc345/MPKwings/batfileicon.gif
junc.bat<<------------- you should see this on your desktop.
Right click on junc.bat and select " Run as administrator " to execute it.
A black CMD window will flash, then disappear...this is normal.
A file should appear on your Desktop. Please post the contents of this file.

Let me know how the PC is performing after running the grantperms fix.
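As an added example (not code from this thread, from Sysinternals or from Farbar), the following parser reads a Junction -s log in the layout quoted above, separates the reparse-point records from the "Failed to open" lines that the GrantPerms step is meant to address, and flags any junction whose target does not resolve under the normal profile roots. The legacy compatibility names and the allowed roots are my assumptions for the heuristic, and the sample log is constructed, with its last entry invented so the check has something to report.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout Junction v1.06 prints. The first three records
# mirror entries in the thread; the last one is invented so the check has a hit.
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users

Failed to open \\?\c:\\System Volume Information: Access is denied.

..\\?\c:\\Users\All Users: SYMBOLIC LINK
Print Name : C:\ProgramData
Substitute Name: \??\C:\ProgramData

\\?\c:\\Users\Alicia\My Documents: JUNCTION
Print Name : C:\Users\Alicia\Documents
Substitute Name: C:\Users\Alicia\Documents

\\?\c:\\Users\Alicia\Start Menu: JUNCTION
Print Name : D:\Scratch\Start Menu
Substitute Name: D:\Scratch\Start Menu
"""

ENTRY_RE = re.compile(r"^\.*(\\\\\?\\.+?): (JUNCTION|SYMBOLIC LINK|MOUNT POINT)$")
PRINT_RE = re.compile(r"^Print Name\s*:\s*(.*)$")
SUBST_RE = re.compile(r"^Substitute Name\s*:\s*(.*)$")
FAIL_RE = re.compile(r"^Failed to open (\\\\\?\\.+?): (.*)$")

# Assumption: the legacy folder names Windows Vista/7 exposes as compatibility
# junctions, and the roots those junctions are expected to resolve under.
LEGACY_NAMES = {
    "documents and settings", "all users", "default user", "application data",
    "local settings", "my documents", "nethood", "printhood", "recent", "sendto",
    "start menu", "templates", "cookies", "history", "temporary internet files",
    "my music", "my pictures", "my videos", "desktop", "documents", "favorites",
}
ALLOWED_ROOTS = ("c:\\users", "c:\\programdata")


@dataclass
class ReparsePoint:
    link: str                 # the reparse point itself, normalised
    kind: str                 # JUNCTION, SYMBOLIC LINK or MOUNT POINT
    print_name: str = ""
    substitute_name: str = ""


def normalize(path: str) -> str:
    # Strip the NT object-manager prefixes the log prints, then collapse the
    # doubled separator that follows the drive letter, and lower-case.
    for prefix in ("\\\\?\\", "\\??\\"):
        if path.startswith(prefix):
            path = path[len(prefix):]
    path = re.sub(r"\\{2,}", lambda _: "\\", path)
    return path.rstrip("\\").lower()


def parse_junction_log(text: str):
    """Return (reparse points, [(path, reason) for each 'Failed to open' line])."""
    points, failures, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            current = ReparsePoint(normalize(m.group(1)), m.group(2))
            points.append(current)
        elif current is not None and (m := PRINT_RE.match(line)):
            current.print_name = normalize(m.group(1))
        elif current is not None and (m := SUBST_RE.match(line)):
            current.substitute_name = normalize(m.group(1))
            current = None  # record complete
        elif m := FAIL_RE.match(line):
            failures.append((normalize(m.group(1)), m.group(2)))
    return points, failures


def review(points):
    """Flag unknown names, targets outside ALLOWED_ROOTS, or print/substitute mismatches."""
    flagged = []
    for p in points:
        name = p.link.rsplit("\\", 1)[-1]
        under_root = any(p.substitute_name == r or p.substitute_name.startswith(r + "\\")
                         for r in ALLOWED_ROOTS)
        if name not in LEGACY_NAMES or not under_root or p.print_name != p.substitute_name:
            flagged.append(p)
    return flagged
```

Call parse_junction_log on the text of log.txt and pass the reparse points to review; the failures list gives the paths an "Access is denied" message was reported for.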

ASB2012
2012-03-28, 03:58
Thanks for the instructions. Logs posted below.

BTW: Each time the laptop is scheduled to run Kaspersky Back Up task, it stops and says the task could not be completed.
I will see how it goes after running the grantperms - will see if I can access something, and get back to you.

HERE IS THE GRANTPERMS TEXT
GrantPerms by Farbar
Ran by Alicia (administrator) at 2012-03-27 21:35:08

===============================================
\\?\c:\\Windows\System32\LogFiles\WMI\RtBackup

Owner: BUILTIN\Administrators

DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)



HERE IS THE ENTIRE NEW JUNCTION LOG
Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

\\?\c:\\Documents and Settings: JUNCTION
Print Name : C:\Users
Substitute Name: C:\Users


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\System Volume Information: Access is denied.


\\?\c:\\ProgramData\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\ProgramData\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\ProgramData\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\ProgramData\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\ProgramData\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\ProgramData\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates


Failed to open \\?\c:\\ProgramData\Microsoft\Crypto\RSA\MachineKeys\15440e46511cf09913864dfed395f976_0c3038ea-fe3d-4f29-803d-8b3e12d13861: Access is denied.


\\?\c:\\Users\All Users: SYMBOLIC LINK
Print Name : C:\ProgramData
Substitute Name: \??\C:\ProgramData

\\?\c:\\Users\Default User: JUNCTION
Print Name : C:\Users\Default
Substitute Name: C:\Users\Default

\\?\c:\\Users\Alicia\Cookies: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Alicia\Local Settings: JUNCTION
Print Name : C:\Users\Alicia\AppData\Local
Substitute Name: C:\Users\Alicia\AppData\Local

\\?\c:\\Users\Alicia\My Documents: JUNCTION
Print Name : C:\Users\Alicia\Documents
Substitute Name: C:\Users\Alicia\Documents

\\?\c:\\Users\Alicia\NetHood: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Alicia\PrintHood: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Alicia\Recent: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Alicia\SendTo: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Alicia\Start Menu: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Alicia\Templates: JUNCTION
Print Name : C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Alicia\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Alicia\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Alicia\AppData\Local
Substitute Name: C:\Users\Alicia\AppData\Local

\\?\c:\\Users\Alicia\AppData\Local\History: JUNCTION
Print Name : C:\Users\Alicia\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Alicia\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Alicia\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Alicia\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Alicia\AppData\Local\Microsoft\Windows\Temporary Internet Files



\\?\c:\\Users\Alicia\Desktop\Other Program Shortcuts\Documents\My Music: JUNCTION
Print Name : C:\Users\Alicia\Music
Substitute Name: C:\Users\Alicia\Music

\\?\c:\\Users\Alicia\Desktop\Other Program Shortcuts\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Alicia\Pictures
Substitute Name: C:\Users\Alicia\Pictures

\\?\c:\\Users\Alicia\Desktop\Other Program Shortcuts\Documents\My Videos: JUNCTION
Print Name : C:\Users\Alicia\Videos
Substitute Name: C:\Users\Alicia\Videos

\\?\c:\\Users\All Users\Application Data: JUNCTION
Print Name : C:\ProgramData
Substitute Name: C:\ProgramData

\\?\c:\\Users\All Users\Desktop: JUNCTION
Print Name : C:\Users\Public\Desktop
Substitute Name: C:\Users\Public\Desktop

\\?\c:\\Users\All Users\Documents: JUNCTION
Print Name : C:\Users\Public\Documents
Substitute Name: C:\Users\Public\Documents

\\?\c:\\Users\All Users\Favorites: JUNCTION
Print Name : C:\Users\Public\Favorites
Substitute Name: C:\Users\Public\Favorites

\\?\c:\\Users\All Users\Start Menu: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Start Menu
Substitute Name: C:\ProgramData\Microsoft\Windows\Start Menu

\\?\c:\\Users\All Users\Templates: JUNCTION
Print Name : C:\ProgramData\Microsoft\Windows\Templates
Substitute Name: C:\ProgramData\Microsoft\Windows\Templates



Failed to open \\?\c:\\Users\All Users\Microsoft\Crypto\RSA\MachineKeys\15440e46511cf09913864dfed395f976_0c3038ea-fe3d-4f29-803d-8b3e12d13861: Access is denied.




\\?\c:\\Users\Default\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming
Substitute Name: C:\Users\Default\AppData\Roaming

\\?\c:\\Users\Default\Cookies: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies

\\?\c:\\Users\Default\Local Settings: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\My Documents: JUNCTION
Print Name : C:\Users\Default\Documents
Substitute Name: C:\Users\Default\Documents

\\?\c:\\Users\Default\NetHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts

\\?\c:\\Users\Default\PrintHood: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts

\\?\c:\\Users\Default\Recent: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent

\\?\c:\\Users\Default\SendTo: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo

\\?\c:\\Users\Default\Start Menu: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu

\\?\c:\\Users\Default\Templates: JUNCTION
Print Name : C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates
Substitute Name: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates

\\?\c:\\Users\Default\AppData\Local\Application Data: JUNCTION
Print Name : C:\Users\Default\AppData\Local
Substitute Name: C:\Users\Default\AppData\Local

\\?\c:\\Users\Default\AppData\Local\History: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\History
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\History

\\?\c:\\Users\Default\AppData\Local\Temporary Internet Files: JUNCTION
Print Name : C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files
Substitute Name: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files

\\?\c:\\Users\Default\Documents\My Music: JUNCTION
Print Name : C:\Users\Default\Music
Substitute Name: C:\Users\Default\Music

\\?\c:\\Users\Default\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Default\Pictures
Substitute Name: C:\Users\Default\Pictures

\\?\c:\\Users\Default\Documents\My Videos: JUNCTION
Print Name : C:\Users\Default\Videos
Substitute Name: C:\Users\Default\Videos

\\?\c:\\Users\Public\Documents\My Music: JUNCTION
Print Name : C:\Users\Public\Music
Substitute Name: C:\Users\Public\Music

\\?\c:\\Users\Public\Documents\My Pictures: JUNCTION
Print Name : C:\Users\Public\Pictures
Substitute Name: C:\Users\Public\Pictures

\\?\c:\\Users\Public\Documents\My Videos: JUNCTION
Print Name : C:\Users\Public\Videos
Substitute Name: C:\Users\Public\Videos


ASB2012
2012-03-28, 04:49
See screenshots in attached document (I didn't know how to take screenshots of these items and post to photobucket so I saved as both a word and pdf)

I’m still denied access to all the files with the Arrow Icon in
C:\Users\All Users
C:\Users\Alicia
C:\Users\Public\Public Documents

Additionally, access is blocked to the Backup Task in Kaspersky Pure. It was backed up 171 days ago as shown but when I go to select the “Restore” it tells me there is no data to restore!


diver79
2012-03-28, 22:37
Hi ASB2012,

The arrow on the folders in the screenshot indicates that these files are merely shortcuts to another folder. They are not the actual folders you are looking for.
I also believe that these files are hidden protected Operating System Files. I would not be concerned with them once you can access your actual libraries e.g. C:\Users\Alicia\Documents etc.
I would recommend that you turn on Hide Protected Operating System Files.
You can do this by going to Computer > Organise > Folder and Search Options.
Select the View Tab
Check the box next to Hide Protected Operating System Files.

I cannot tell what is causing the Kaspersky backup issue. You will need to contact Kaspersky support for this.

As far as I can tell there is no malware on your computer. Please follow the steps below to cleanup the tools we used earlier.

Run OTL Script

We need to run an OTL Fix


Right-click OTL.exe and select Run as Administrator to start the program.
Copy and Paste the following code into the http://billy-oneal.com/Canned%20Speeches/speechimages/OTL/customFix.png textbox. Do not include the word Code


:commands
[emptytemp]
[clearallrestorepoints]

Then click the Run Fix button at the top.
Click http://billy-oneal.com/Canned%20Speeches/speechimages/OTL/btnOK.png.
OTL may ask to reboot the machine. Please do so if asked.
The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.



Clean up with OTL

Right-click OTL.exe and select Run as Administrator to start the program. This will remove all the tools we used to clean your pc.
Close all other programs apart from OTL as this step will require a reboot
On the OTL main screen, press the CleanUp! button
Say Yes to the prompt and then allow the program to reboot your computer.

Additional Security Tips.
Update your Antivirus programs and other programs regularly.
Secunia Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/) - Copyright © Secunia. This app will monitor programs on your computer for known vulnerabilities. You can set it to auto-update for you, or just prompt you if an update is available. I highly recommend it.
F-secure Health Check (http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/health-check/) - Copyright © F-Secure Corporation. F-Secure Health Check is a free application that tells you if your computer is protected and helps you fix possible security issues.

ASB2012
2012-03-29, 02:49
Thank You so much for all your time and assistance. I greatly appreciate your perseverance!

ASB2012
2012-03-29, 03:15
All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: Alicia
->Temp folder emptied: 46866930 bytes
->Temporary Internet Files folder emptied: 19108231 bytes
->Java cache emptied: 58820 bytes
->Flash cache emptied: 8056 bytes

User: All Users

User: AppData

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49984 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 322913 bytes

Total Files Cleaned = 63.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.39.2 log created on 03282012_205624

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

diver79
2012-03-29, 18:42
Thank You so much for all your time and assistance. I greatly appreciate your perseverance!
Glad I could help.

You can now delete any tools still remaining on the machine.

This topic will be closed shortly unless you have any further issues.

Diver79.

ASB2012
2012-03-30, 02:29
I have no idea what the problem is, but it is happening again.
Last night after running the OTL Fix and Clean-up everything seemed to be okay.
Then I installed the latest one windows update.
Tonight when I turned on windows normally, it HANGS on everything, even the welcome screen.
Anytime I selected a program, it took forever to load if at all.
I had to again start in safe mode in order to get to my email.
Then I had to do a System Restore back to 9:02pm last night.

I'm going to try again to shutdown and restart windows normally and see what happens.

diver79
2012-03-31, 21:30
Hi ASB2012,

I'm afraid I cannot help you any more with this problem as I can find no evidence of malware on the machine.

You could try posting your problem in this forum Microsoft Windows™ (http://forums.whatthetech.com/index.php?showforum=119) at WhatTheTech.

Sorry I couldn't have been more helpful.

Diver79.