Problem installing Spybot - might be infected?
danny12345
2012-06-26, 23:49
Hi there, have been advised to post on here as I might have a spyware problem. Please see original thread here: http://forums.spybot.info/showthread.php?t=66146
Basically, to give you some further history to the problem: I was having boot-up problems which hit a problem with AVG drivers. I researched and found how to delete/rename the driver files, but the problem persisted. I eventually fixed it by running a hard drive check which remapped some bad sectors and enabled me to run the Windows startup repair tool, and I was back in business. I then thought I'd try and tidy things up, so I uninstalled AVG and loaded Avast. Did a full scan with Avast (all clear) and wanted to get Spybot; that's when I hit the problems (see other thread).
Am now thinking I may have some malware but have no way of checking because I can't load anything on to check. Would really appreciate any help, and have attached the requested text file and other text below. Many, many thanks for any help or advice you can offer me.
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Nathan at 21:31:56 on 2012-06-26
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.5996.4616 [GMT 1:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Program Files (x86)\Launch Manager\LMutilps32.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Program Files (x86)\Qustodio\qapp\QAppTray.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
C:\Program Files (x86)\Qustodio\qproxy\qengine.exe
C:\Program Files (x86)\Qustodio\qapp\QUpdateService.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uDefault_Page_URL = hxxp://acer.msn.com
mDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [Google Update] "C:\Users\Nathan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Facebook Update] "C:\Users\Nathan\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [BackupManagerTray] "C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [ArcadeMovieService] "C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QAppTray] "C:\Program Files (x86)\Qustodio\qapp\QAppTray.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
dRunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: C:\Windows\system32\qproxy.dll
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{C1EAF5AF-E378-4721-8AA5-22FEA2572A32} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{F093FA71-922C-43CF-9ECE-E5AF997F3FFB} : DhcpNameServer = 192.168.0.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun-x64: [BackupManagerTray] "C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun-x64: [ArcadeMovieService] "C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QAppTray] "C:\Program Files (x86)\Qustodio\qapp\QAppTray.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Nathan\AppData\Roaming\Mozilla\Firefox\Profiles\reb2lmti.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Nathan\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Nathan\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
R1 qwdf64;qwdf64 service;\??\C:\Windows\system32\Drivers\qwdf64.sys --> C:\Windows\system32\Drivers\qwdf64.sys [?]
R1 qwdr64;qwdr64 service;\??\C:\Windows\system32\Drivers\qwdr64.sys --> C:\Windows\system32\Drivers\qwdr64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-3 63928]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-5-12 249648]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2011-7-14 352336]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2011-9-13 872552]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys --> C:\Windows\system32\DRIVERS\L1C62x64.sys [?]
R3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys --> C:\Windows\system32\DRIVERS\NETwNs64.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-6-25 257696]
S3 AmUStor;AM USB Stroage Driver;C:\Windows\system32\drivers\AmUStor.SYS --> C:\Windows\system32\drivers\AmUStor.SYS [?]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-6-7 191752]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
.
=============== Created Last 30 ================
.
2012-06-26 18:29:24 -------- d-----w- C:\Program Files\CCleaner
2012-06-26 18:15:04 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0D1A545D-9AF3-4B18-808D-9D980BFEEA41}\mpengine.dll
2012-06-25 21:14:24 -------- d-----w- C:\Users\Nathan\AppData\Local\Macromedia
2012-06-25 15:40:16 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-25 15:27:53 -------- d-----w- C:\ProgramData\AVAST Software
2012-06-25 15:27:53 -------- d-----w- C:\Program Files\AVAST Software
2012-06-25 15:21:32 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-25 15:21:17 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-25 15:21:06 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-25 15:21:06 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-13 14:59:47 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-06-13 14:59:47 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-06-13 14:59:47 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-06-13 14:59:24 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-06-13 14:59:21 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-06-13 14:59:20 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-06-13 14:59:20 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-06-13 14:58:59 3146752 ----a-w- C:\Windows\System32\win32k.sys
2012-06-13 14:58:54 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-06-13 14:58:52 3216384 ----a-w- C:\Windows\System32\msi.dll
2012-06-13 14:58:51 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-06-13 14:58:46 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-06-13 14:58:46 1462272 ----a-w- C:\Windows\System32\crypt32.dll
2012-06-13 14:58:46 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-06-13 14:58:46 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-06-13 14:58:46 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-06-13 14:58:45 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
.
==================== Find3M ====================
.
2012-06-25 16:02:10 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-18 02:06:48 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-05-18 01:59:14 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-05-18 01:58:39 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-05-18 01:55:22 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-05-18 01:51:30 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-05-17 22:45:37 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-05-05 11:09:42 440688 ----a-w- C:\Windows\System32\qproxy64.dll
2012-05-05 11:09:38 349552 ----a-w- C:\Windows\SysWow64\qproxy.dll
2012-05-05 11:08:00 44280 ----a-w- C:\Windows\System32\drivers\qwdr64.sys
2012-05-05 11:08:00 28408 ----a-w- C:\Windows\System32\drivers\qwdf64.sys
2012-04-23 16:45:28 29944 ----a-r- C:\Windows\System32\drivers\qwfp64.sys
2012-03-30 11:35:47 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 21:32:51.87 ===============
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.
When running programs on Vista or Windows 7, you need to right-click the program and select RUN AS ADMINISTRATOR.
Are you saying that you can't download any programs to run, or that they just won't run? DDS appears to have run just fine.
I am not looking at anything earth-shattering on your log. Let's do this: if you can't download the programs, download them from a known clean computer and transfer them by disk.
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png
On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png
Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)
Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please
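The analyst's "nothing earth-shattering" verdict comes from reading the DDS log by eye. As an added illustration (not code from this thread, from DDS, or from Safer Networking), the Python below parses lines in the format of the DDS "SERVICES / DRIVERS" section and applies three defender-side triage heuristics: image path outside the Windows or Program Files trees, a display name that merely repeats the service name, and a `[?]` marker where DDS could not read the file's date and size. The sample lines are constructed in that format (the `updsvc` entry is invented to show a hit); the meaning of the leading `R`/`S` letter and start-type digit, and the heuristics themselves, are assumptions of this example. Note that `[?]` also appears on plainly legitimate entries in the log above (vwififlt, IntcDAud), so a flag here is a prompt to verify the file, not evidence of infection.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the layout of a DDS "SERVICES / DRIVERS" section.
# The first four mirror real-looking entries; "updsvc" is an invented
# example of what a suspicious entry would look like.
SAMPLE_LOG = r"""
R1 qwdf64;qwdf64 service;\??\C:\Windows\system32\Drivers\qwdf64.sys --> C:\Windows\system32\Drivers\qwdf64.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-3 63928]
R3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-6-7 191752]
S2 updsvc;updsvc;C:\Users\example\AppData\Local\Temp\updsvc.exe [2012-6-20 51200]
"""

# Assumed meaning of the start-type digit (Windows service start values).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Locations a service image is normally expected under (compared case-insensitively).
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# <R|S><start digit> <name>;<display name>;<image path> [<date size> | ?]
ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    state: str
    start_type: str
    name: str
    display: str
    image: str
    file_info: str
    flags: List[str] = field(default_factory=list)


def normalise_image(path: str) -> str:
    """DDS prints 'registry path --> resolved path'; keep the resolved one and
    drop the NT '\\??\\' prefix so both spellings compare the same way."""
    if " --> " in path:
        path = path.split(" --> ", 1)[1]
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.strip().strip('"')


def triage_flags(entry: ServiceEntry) -> List[str]:
    """Heuristic review points for one entry (assumptions of this example)."""
    flags = []
    if not entry.image.lower().startswith(STANDARD_ROOTS):
        flags.append("image outside Windows/Program Files")
    if entry.file_info == "?":
        flags.append("no file metadata (date/size not read)")
    display = entry.display.lower()
    if display.endswith(" service"):
        display = display[: -len(" service")]
    if display == entry.name.lower():
        flags.append("display name only repeats service name")
    return flags


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every service/driver line; blank lines and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = ServiceEntry(
            state="running" if m["state"] == "R" else "stopped",
            start_type=START_TYPES.get(m["start"], "unknown"),
            name=m["name"],
            display=m["display"],
            image=normalise_image(m["path"]),
            file_info=m["info"],
        )
        entry.flags = triage_flags(entry)
        entries.append(entry)
    return entries


def flagged(entries: List[ServiceEntry]) -> dict:
    """Map service name -> list of review points, for entries with at least one."""
    return {e.name: e.flags for e in entries if e.flags}


if __name__ == "__main__":
    for name, flags in flagged(parse_services(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(flags)}")
```

Run against a saved DDS log, the output is a short list of entries worth checking by hand (publisher, signature, install date) rather than a verdict; the analyst still makes the call.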
danny12345
2012-07-01, 17:31
Many thanks for your reply ken545, much appreciated.
With regards to aswMBR, when I double-click the exe file on my desktop the program runs fine. When I click "Scan" it starts scanning, then after a minute or so it pauses on a file called synccenter.dll and goes to a blue screen (mentioned something about a physical memory dump, I think), but then reboots the system and brings up the Windows repair menu screen. It then counts down and picks the default option to "start Windows normally". After Windows loads, it tells me it failed to start correctly and asks if I would like to search for a solution. It also gives the following information:
--------------------------
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 2057
Additional information about the problem:
BCCode: 19
BCP1: 0000000000000020
BCP2: FFFFFA800152DB30
BCP3: FFFFFA800152DB30
BCP4: 0000000004000080
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1
Files that help describe the problem:
C:\Windows\Minidump\070112-19749-01.dmp
C:\Users\Nathan\AppData\Local\Temp\WER-54194-0.sysdata.xml
Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409
If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt
--------------------------
I can attach the .dmp and/or .xml files if it would help?
With regards to Malwarebytes (and Spybot as well), I can download the setup files fine, but when I double-click the exe file (then click "Run", then, when it asks if it can make changes to the computer, click "Yes") I get the following access violation error:
Access Violation at address 719C01C1. Write of Address 00000001
Hope this helps clarify. I am able to install other programs fine, just not (so it seems) anti-spyware programs.
(NB Exactly the same things above happen if I run the .exe files in Safe Mode)
Let's see if you can run this quick check to see if your Master Boot Record is infected.
Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs.
Double-click on the file to run it.
A window will open on your desktop.
If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
If nothing unusual is found, just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.
Yes, go ahead and attach .dmp if you can
danny12345
2012-07-01, 19:44
Have attached the dmp file (had to zip it), and here is the MBRCheck text as requested:
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows 7 Home Premium Edition
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: INSYDE
System Manufacturer: Acer
System Product Name: Aspire 5749
Logical Drives Mask: 0x0001000c
Kernel Drivers (total 192):
0x0305D000 \SystemRoot\system32\ntoskrnl.exe
0x03014000 \SystemRoot\system32\hal.dll
0x00BA7000 \SystemRoot\system32\kdcom.dll
0x00C9D000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00CEC000 \SystemRoot\system32\PSHED.dll
0x00D00000 \SystemRoot\system32\CLFS.SYS
0x00EFE000 \SystemRoot\system32\CI.dll
0x00E00000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00EA4000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00D5E000 \SystemRoot\system32\drivers\ACPI.sys
0x00EB3000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00EBC000 \SystemRoot\system32\drivers\msisadrv.sys
0x00EC6000 \SystemRoot\system32\drivers\pci.sys
0x00FBE000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00FCB000 \SystemRoot\System32\drivers\partmgr.sys
0x00FE0000 \SystemRoot\system32\drivers\compbatt.sys
0x00FE9000 \SystemRoot\system32\drivers\BATTC.SYS
0x00DB5000 \SystemRoot\system32\drivers\volmgr.sys
0x00C00000 \SystemRoot\System32\drivers\volmgrx.sys
0x00C5C000 \SystemRoot\System32\drivers\mountmgr.sys
0x01051000 \SystemRoot\system32\drivers\iaStor.sys
0x011A5000 \SystemRoot\system32\drivers\atapi.sys
0x011AE000 \SystemRoot\system32\drivers\ataport.SYS
0x011D8000 \SystemRoot\system32\drivers\amdxata.sys
0x01000000 \SystemRoot\system32\drivers\fltmgr.sys
0x011E3000 \SystemRoot\system32\drivers\fileinfo.sys
0x01257000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01465000 \SystemRoot\System32\Drivers\msrpc.sys
0x014C3000 \SystemRoot\System32\Drivers\ksecdd.sys
0x014DE000 \SystemRoot\System32\Drivers\cng.sys
0x01550000 \SystemRoot\System32\drivers\pcw.sys
0x01561000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x01616000 \SystemRoot\system32\drivers\ndis.sys
0x01709000 \SystemRoot\system32\drivers\NETIO.SYS
0x01769000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01865000 \SystemRoot\System32\drivers\tcpip.sys
0x01A68000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x01AB2000 \SystemRoot\system32\drivers\volsnap.sys
0x01AFE000 \SystemRoot\System32\Drivers\spldr.sys
0x01B06000 \SystemRoot\System32\drivers\rdyboost.sys
0x01B40000 \SystemRoot\System32\Drivers\mup.sys
0x01B52000 \SystemRoot\System32\drivers\hwpolicy.sys
0x01B5B000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01B95000 \SystemRoot\system32\drivers\disk.sys
0x01BAB000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x03D67000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x02E8E000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x02F5B000 \??\C:\Windows\system32\Drivers\qwdf64.sys
0x02F66000 \SystemRoot\System32\Drivers\Null.SYS
0x02F6F000 \SystemRoot\System32\Drivers\Beep.SYS
0x02F76000 \SystemRoot\System32\drivers\vga.sys
0x02F84000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x02FA9000 \SystemRoot\System32\drivers\watchdog.sys
0x02FB9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x02FC2000 \SystemRoot\system32\drivers\rdpencdd.sys
0x02FCB000 \SystemRoot\system32\drivers\rdprefmp.sys
0x02FD4000 \SystemRoot\System32\Drivers\Msfs.SYS
0x02FDF000 \SystemRoot\System32\Drivers\Npfs.SYS
0x02E00000 \SystemRoot\system32\DRIVERS\tdx.sys
0x02E22000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02E2F000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x02E41000 \SystemRoot\System32\DRIVERS\netbt.sys
0x0156B000 \SystemRoot\system32\drivers\afd.sys
0x02FF0000 \SystemRoot\System32\Drivers\aswrdr2.sys
0x03D91000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x03D9C000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x03DA5000 \SystemRoot\system32\DRIVERS\pacer.sys
0x03DCB000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x03DE1000 \SystemRoot\system32\DRIVERS\netbios.sys
0x01800000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x0181B000 \SystemRoot\system32\drivers\termdd.sys
0x01794000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x03DF0000 \??\C:\Windows\system32\Drivers\qwdr64.sys
0x0182F000 \SystemRoot\system32\drivers\nsiproxy.sys
0x0183B000 \SystemRoot\system32\drivers\mssmbios.sys
0x01846000 \SystemRoot\System32\drivers\discache.sys
0x01400000 \SystemRoot\System32\Drivers\dfsc.sys
0x01BE9000 \SystemRoot\system32\drivers\blbdrive.sys
0x03E39000 \SystemRoot\System32\Drivers\aswSP.SYS
0x03E91000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x04A42000 \SystemRoot\system32\DRIVERS\igdkmd64.sys
0x03EB7000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x03FAB000 \SystemRoot\System32\drivers\dxgmms1.sys
0x04A00000 \SystemRoot\system32\DRIVERS\HECIx64.sys
0x04A11000 \SystemRoot\system32\drivers\usbehci.sys
0x01200000 \SystemRoot\system32\drivers\USBPORT.SYS
0x03E00000 \SystemRoot\system32\drivers\HDAudBus.sys
0x0141E000 \SystemRoot\system32\DRIVERS\L1C62x64.sys
0x058D3000 \SystemRoot\system32\DRIVERS\NETwNs64.sys
0x0613F000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x0614C000 \SystemRoot\system32\drivers\i8042prt.sys
0x0616A000 \SystemRoot\system32\drivers\kbdclass.sys
0x06205000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x06360000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x06362000 \SystemRoot\system32\drivers\mouclass.sys
0x06371000 \??\C:\Windows\system32\drivers\UBHelper.sys
0x06379000 \??\C:\Windows\system32\drivers\NTIDrvr.sys
0x06381000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x0638E000 \SystemRoot\system32\drivers\wmiacpi.sys
0x06397000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x063AD000 \SystemRoot\system32\drivers\CmBatt.sys
0x063B2000 \SystemRoot\system32\drivers\CompositeBus.sys
0x063C2000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x063D8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x06179000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x06185000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x061B4000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x061CF000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x05800000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x063FC000 \SystemRoot\system32\drivers\swenum.sys
0x0581A000 \SystemRoot\system32\drivers\ks.sys
0x0585D000 \SystemRoot\system32\DRIVERS\umbus.sys
0x0586F000 \SystemRoot\system32\drivers\usbhub.sys
0x04A22000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x07AC1000 \SystemRoot\system32\drivers\RTKVHD64.sys
0x07D84000 \SystemRoot\system32\drivers\portcls.sys
0x07DC1000 \SystemRoot\system32\drivers\drmk.sys
0x07DE3000 \SystemRoot\system32\drivers\ksthunk.sys
0x07A00000 \SystemRoot\system32\DRIVERS\IntcDAud.sys
0x07A53000 \SystemRoot\System32\Drivers\crashdmp.sys
0x03C00000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x07A61000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x000C0000 \SystemRoot\System32\win32k.sys
0x07A74000 \SystemRoot\System32\drivers\Dxapi.sys
0x07A80000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x00DCA000 \SystemRoot\System32\Drivers\usbvideo.sys
0x07A9D000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00580000 \SystemRoot\System32\TSDDD.dll
0x00650000 \SystemRoot\System32\cdd.dll
0x00C76000 \SystemRoot\system32\drivers\luafv.sys
0x0266F000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x026A6000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x026AF000 \SystemRoot\system32\DRIVERS\Sftvollh.sys
0x026BA000 \SystemRoot\system32\drivers\WudfPf.sys
0x026DB000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x026F0000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x02743000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x02756000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x03A1D000 \SystemRoot\system32\drivers\HTTP.sys
0x03AE6000 \SystemRoot\system32\DRIVERS\bowser.sys
0x03B04000 \SystemRoot\System32\drivers\mpsdrv.sys
0x03B1C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x03B49000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x03B97000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x0825E000 \SystemRoot\system32\drivers\peauth.sys
0x08304000 \SystemRoot\System32\Drivers\secdrv.SYS
0x0830F000 \SystemRoot\system32\DRIVERS\Sftfslh.sys
0x08200000 \SystemRoot\system32\DRIVERS\Sftplaylh.sys
0x03BBB000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x083D0000 \SystemRoot\System32\drivers\tcpipreg.sys
0x0276E000 \SystemRoot\System32\DRIVERS\srv2.sys
0x08A10000 \SystemRoot\System32\DRIVERS\srv.sys
0x08AA8000 \SystemRoot\system32\DRIVERS\Sftredirlh.sys
0x77A80000 \Windows\System32\ntdll.dll
0x47B90000 \Windows\System32\smss.exe
0xFFDA0000 \Windows\System32\apisetschema.dll
0xFFB90000 \Windows\System32\autochk.exe
0xFFCF0000 \Windows\System32\msvcrt.dll
0xFFC10000 \Windows\System32\advapi32.dll
0xFEE80000 \Windows\System32\shell32.dll
0x77930000 \Windows\System32\urlmon.dll
0xFEE70000 \Windows\System32\nsi.dll
0xFEDD0000 \Windows\System32\comdlg32.dll
0xFED30000 \Windows\System32\clbcatq.dll
0x77830000 \Windows\System32\user32.dll
0xFECC0000 \Windows\System32\gdi32.dll
0xFEAE0000 \Windows\System32\setupapi.dll
0xFE9B0000 \Windows\System32\rpcrt4.dll
0xFE930000 \Windows\System32\difxapi.dll
0xFE900000 \Windows\System32\imm32.dll
0xFE6F0000 \Windows\System32\ole32.dll
0x77C50000 \Windows\System32\normaliz.dll
0xFE690000 \Windows\System32\Wldap32.dll
0xFE640000 \Windows\System32\ws2_32.dll
0xFE5C0000 \Windows\System32\shlwapi.dll
0xFE5B0000 \Windows\System32\lpk.dll
0xFE590000 \Windows\System32\imagehlp.dll
0x77710000 \Windows\System32\kernel32.dll
0xFE4B0000 \Windows\System32\oleaut32.dll
0xFE3E0000 \Windows\System32\usp10.dll
0x775B0000 \Windows\System32\wininet.dll
0x77C40000 \Windows\System32\psapi.dll
0xFE3C0000 \Windows\System32\sechost.dll
0x773A0000 \Windows\System32\iertutil.dll
0xFE2B0000 \Windows\System32\msctf.dll
0xFE210000 \Windows\System32\comctl32.dll
0xFE1F0000 \Windows\System32\devobj.dll
0xFE1B0000 \Windows\System32\wintrust.dll
0xFE040000 \Windows\System32\crypt32.dll
0xFDFD0000 \Windows\System32\KernelBase.dll
0xFDF90000 \Windows\System32\cfgmgr32.dll
0xFDF80000 \Windows\System32\msasn1.dll
Processes (total 77):
0 System Idle Process
4 System
364 C:\Windows\System32\smss.exe
496 csrss.exe
568 C:\Windows\System32\wininit.exe
588 csrss.exe
632 C:\Windows\System32\services.exe
672 C:\Windows\System32\winlogon.exe
684 C:\Windows\System32\lsass.exe
692 C:\Windows\System32\lsm.exe
812 C:\Windows\System32\svchost.exe
904 C:\Windows\System32\svchost.exe
1008 C:\Windows\System32\svchost.exe
420 C:\Windows\System32\svchost.exe
536 C:\Windows\System32\svchost.exe
1044 C:\Windows\System32\svchost.exe
1132 C:\Windows\System32\svchost.exe
1332 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1444 C:\Windows\System32\spoolsv.exe
1472 C:\Windows\System32\svchost.exe
1648 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
1764 C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1796 C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
1900 C:\Program Files\Bonjour\mDNSResponder.exe
1932 C:\Program Files (x86)\Launch Manager\dsiwmis.exe
2012 C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
2020 C:\Program Files (x86)\Launch Manager\LMutilps32.exe
1104 C:\Windows\System32\svchost.exe
1284 C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
1696 C:\Program Files\Acer\Acer Updater\UpdaterService.exe
2120 C:\Windows\System32\dwm.exe
2144 C:\Windows\explorer.exe
2160 C:\Windows\System32\taskhost.exe
2524 C:\Windows\System32\taskeng.exe
2576 C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
2584 C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
2648 C:\Program Files (x86)\Acer\clear.fi\MVP\Kernel\DMR\DMREngine.exe
2664 C:\Program Files (x86)\Qustodio\qproxy\qengine.exe
2704 C:\Program Files (x86)\Qustodio\qapp\QUpdateService.exe
3076 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
3096 C:\Windows\System32\svchost.exe
3176 C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
3432 C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
3756 C:\Windows\System32\svchost.exe
4280 C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe
4292 C:\Windows\System32\igfxtray.exe
4304 C:\Windows\System32\hkcmd.exe
4316 C:\Windows\System32\igfxpers.exe
4360 C:\Windows\System32\igfxsrvc.exe
4428 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
4560 C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
4576 C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
4620 C:\Users\Nathan\AppData\Local\Facebook\Update\FacebookUpdate.exe
4892 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
4900 C:\Windows\System32\igfxext.exe
4908 C:\Program Files (x86)\Launch Manager\LManager.exe
4940 C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe
4976 C:\Program Files (x86)\Qustodio\qapp\QAppTray.exe
5000 C:\Windows\System32\wbem\unsecapp.exe
5012 C:\Program Files (x86)\iTunes\iTunesHelper.exe
5032 C:\Program Files\AVAST Software\Avast\AvastUI.exe
5108 WmiPrvSE.exe
4676 C:\Program Files\iPod\bin\iPodService.exe
5152 C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
5252 C:\Windows\System32\SearchIndexer.exe
5300 C:\Program Files (x86)\Launch Manager\LMworker.exe
5316 C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
3648 C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
3712 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
1644 C:\Program Files\Windows Media Player\wmpnetwk.exe
2468 C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
3932 C:\Windows\System32\audiodg.exe
3888 C:\Windows\SysWOW64\ctfmon.exe
5996 dllhost.exe
920 dllhost.exe
7112 C:\Users\Nathan\Desktop\MBRCheck.exe
6344 C:\Windows\System32\conhost.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`c6500000 (NTFS)
\\.\Q: --> error 5
PhysicalDrive0 Model Number: WDCWD7500BPVT-22HXZT3, Rev: 01.01A01
Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
Done!
Your Master Boot Record looks fine, but let's check to see if there is a hidden partition that you're booting from.
Download this program to your desktop and run it and post the log please
http://www.bleepingcomputer.com/download/listparts/
danny12345
2012-07-01, 20:58
List parts log as requested:
ListParts by Farbar Version: 23-06-2012
Ran by Nathan (administrator) on 01-07-2012 at 18:56:31
Windows 7 (X64)
Running From: C:\Users\Nathan\Desktop
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 23%
Total physical RAM: 5995.86 MB
Available physical RAM: 4613.83 MB
Total Pagefile: 11989.91 MB
Available Pagefile: 10545.9 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
======================= Partitions =========================
1 Drive c: (Acer) (Fixed) (Total:683.54 GB) (Free:643.44 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 698 GB 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 15 GB 1024 KB
Partition 2 Primary 100 MB 15 GB
Partition 3 Primary 683 GB 15 GB
======================================================================================================
Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 PQSERVICE NTFS Partition 15 GB Healthy Hidden
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM RESE NTFS Partition 100 MB Healthy System (partition with boot components)
======================================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Acer NTFS Partition 683 GB Healthy Boot
======================================================================================================
****** End Of Log ******
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
danny12345
2012-07-01, 23:20
Hi got another bluescreen at the end of the scan - it was during the bit where it was creating the log. Windows error report below and dump file attached:
--------------------------------------------
Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 2057
Additional information about the problem:
BCCode: 50
BCP1: FFFFF8600323E6BC
BCP2: 0000000000000001
BCP3: FFFFF800031F6FA2
BCP4: 0000000000000005
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1
Files that help describe the problem:
C:\Windows\Minidump\070112-18844-01.dmp
C:\Users\Nathan\AppData\Local\Temp\WER-57299-0.sysdata.xml
Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409
If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt
--------------------------------------------
However, the laptop rebooted after the bluescreen and when I checked the C drive the Combofix txt file was there, so have posted it below:
ComboFix 12-07-01.03 - Nathan 01/07/2012 20:53:40.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.5996.4563 [GMT 1:00]
Running from: C:\Users\Nathan\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
((((((((((((((((((((((((( Files Created from 2012-06-01 to 2012-07-01 )))))))))))))))))))))))))))))))
2012-07-01 20:01:40 . 2012-07-01 20:01:40 -------- d-----w- C:\Users\Default\AppData\Local\temp
2012-06-26 21:55:17 . 2012-03-06 23:04:04 337240 ----a-w- C:\Windows\system32\drivers\aswSP.sys
2012-06-26 21:55:17 . 2012-03-06 23:01:32 24408 ----a-w- C:\Windows\system32\drivers\aswFsBlk.sys
2012-06-26 21:55:16 . 2012-03-06 23:02:20 53080 ----a-w- C:\Windows\system32\drivers\aswRdr2.sys
2012-06-26 21:55:16 . 2012-03-06 23:01:57 59224 ----a-w- C:\Windows\system32\drivers\aswTdi.sys
2012-06-26 21:55:15 . 2012-03-06 23:04:06 819032 ----a-w- C:\Windows\system32\drivers\aswSnx.sys
2012-06-26 21:55:15 . 2012-03-06 23:01:52 69976 ----a-w- C:\Windows\system32\drivers\aswMonFlt.sys
2012-06-26 21:54:53 . 2012-03-06 23:15:19 41184 ----a-w- C:\Windows\avastSS.scr
2012-06-26 21:54:51 . 2012-03-06 23:15:14 201352 ----a-w- C:\Windows\SysWow64\aswBoot.exe
2012-06-26 18:29:24 . 2012-06-26 18:29:36 -------- d-----w- C:\Program Files\CCleaner
2012-06-26 18:15:04 . 2012-06-18 02:12:50 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0D1A545D-9AF3-4B18-808D-9D980BFEEA41}\mpengine.dll
2012-06-25 21:14:24 . 2012-06-25 21:14:24 -------- d-----w- C:\Users\Nathan\AppData\Local\Macromedia
2012-06-25 15:40:16 . 2012-06-25 16:02:10 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-25 15:40:14 . 2012-06-25 15:40:14 -------- d-----w- C:\Windows\system32\Macromed
2012-06-25 15:28:32 . 2012-03-06 23:15:03 258520 ----a-w- C:\Windows\system32\aswBoot.exe
2012-06-25 15:27:53 . 2012-06-26 21:54:40 -------- d-----w- C:\ProgramData\AVAST Software
2012-06-25 15:27:53 . 2012-06-26 21:54:40 -------- d-----w- C:\Program Files\AVAST Software
2012-06-25 15:21:32 . 2012-06-02 22:19:43 2428952 ----a-w- C:\Windows\system32\wuaueng.dll
2012-06-25 15:21:32 . 2012-06-02 22:19:42 57880 ----a-w- C:\Windows\system32\wuauclt.exe
2012-06-25 15:21:32 . 2012-06-02 22:19:42 44056 ----a-w- C:\Windows\system32\wups2.dll
2012-06-25 15:21:32 . 2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\system32\wucltux.dll
2012-06-25 15:21:17 . 2012-06-02 22:19:46 38424 ----a-w- C:\Windows\system32\wups.dll
2012-06-25 15:21:17 . 2012-06-02 22:19:23 701976 ----a-w- C:\Windows\system32\wuapi.dll
2012-06-25 15:21:17 . 2012-06-02 22:15:08 99840 ----a-w- C:\Windows\system32\wudriver.dll
2012-06-25 15:21:06 . 2012-06-02 14:19:42 186752 ----a-w- C:\Windows\system32\wuwebv.dll
2012-06-25 15:21:06 . 2012-06-02 14:15:12 36864 ----a-w- C:\Windows\system32\wuapp.exe
2012-06-13 14:59:47 . 2012-04-26 05:41:56 77312 ----a-w- C:\Windows\system32\rdpwsx.dll
2012-06-13 14:59:47 . 2012-04-26 05:41:55 149504 ----a-w- C:\Windows\system32\rdpcorekmts.dll
2012-06-13 14:59:47 . 2012-04-26 05:34:27 9216 ----a-w- C:\Windows\system32\rdrmemptylst.exe
2012-06-13 14:59:24 . 2012-05-01 05:40:20 209920 ----a-w- C:\Windows\system32\profsvc.dll
2012-06-13 14:59:21 . 2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\system32\ntoskrnl.exe
2012-06-13 14:59:20 . 2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-06-13 14:59:20 . 2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-06-13 14:58:59 . 2012-05-15 01:32:33 3146752 ----a-w- C:\Windows\system32\win32k.sys
2012-06-13 14:58:54 . 2012-04-28 03:55:21 210944 ----a-w- C:\Windows\system32\drivers\rdpwd.sys
2012-06-13 14:58:52 . 2012-04-07 12:31:40 3216384 ----a-w- C:\Windows\system32\msi.dll
2012-06-13 14:58:51 . 2012-04-07 11:26:29 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-06-13 14:58:46 . 2012-04-24 05:37:37 184320 ----a-w- C:\Windows\system32\cryptsvc.dll
2012-06-13 14:58:46 . 2012-04-24 05:37:37 140288 ----a-w- C:\Windows\system32\cryptnet.dll
2012-06-13 14:58:46 . 2012-04-24 05:37:36 1462272 ----a-w- C:\Windows\system32\crypt32.dll
2012-06-13 14:58:46 . 2012-04-24 04:36:42 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-06-13 14:58:46 . 2012-04-24 04:36:42 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-06-13 14:58:45 . 2012-04-24 04:36:42 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2012-06-25 16:02:10 . 2011-07-14 08:54:20 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-05 11:09:42 . 2012-05-05 17:50:58 440688 ----a-w- C:\Windows\system32\qproxy64.dll
2012-05-05 11:09:38 . 2012-05-05 17:50:58 349552 ----a-w- C:\Windows\SysWow64\qproxy.dll
2012-05-05 11:08:00 . 2012-05-05 17:51:23 44280 ----a-w- C:\Windows\system32\drivers\qwdr64.sys
2012-05-05 11:08:00 . 2012-05-05 17:51:23 28408 ----a-w- C:\Windows\system32\drivers\qwdf64.sys
2012-04-23 16:45:28 . 2012-04-23 16:45:28 29944 ----a-r- C:\Windows\system32\drivers\qwfp64.sys
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
[7] 2012-05-18 02:47:36 . DE469470D93DEB4A1A81EDE72B848198 . 17807360 . . [9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)] .. C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.16446_none_87d0b277f4d8f45c\mshtml.dll
[7] 2012-05-18 01:35:14 . BE1E4779329040ED334651CD877C416D . 17807360 . . [9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)] .. C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.20551_none_884a7de50e033164\mshtml.dll
[7] 2012-02-28 07:34:23 . D785A16A6F03F76CB862F28C9F8C9672 . 17790976 . . [9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)] .. C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.16443_none_87cdb199f4dba857\mshtml.dll
[7] 2012-02-28 03:54:51 . 97BB8C752A400556A4FF2E1AAFA0A138 . 17790976 . . [9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)] .. C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.20548_none_885c4fd70df4c6d4\mshtml.dll
[7] 2011-12-14 07:43:42 . E61288581AD9E647ABEFB1489B250B5C . 17790464 . . [9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)] .. C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.16441_none_87cbb105f4dd75a9\mshtml.dll
[7] 2011-12-14 06:57:02 . 153963F44A26A7840ACDF52C2CD1B9DC . 17790464 . . [9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)] .. C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.20546_none_885a4f430df69426\mshtml.dll
[7] 2011-11-04 03:06:02 . 5770C4BA825C42D6EFD9486029747108 . 17786368 . . [9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)] .. C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.20544_none_88584eaf0df86178\mshtml.dll
[7] 2011-11-04 02:38:28 . E7BD23BEC69CF23436EEDE9B18DE186D . 17786368 . . [9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)] .. C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.16440_none_87cab0bbf4de5c52\mshtml.dll
[7] 2011-09-13 22:47:19 . 82682BA2DF50B94CD798B8315B3F7896 . 17773056 . . [9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)] .. C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.16421_none_87e150ddf4cd3dc7\mshtml.dll
[7] 2011-04-23 01:37:29 . 8C18BFBF9A4A6EC794212BF266D4EF99 . 17773568 . . [9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)] .. C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.16430_none_87d580a7f4d64061\mshtml.dll
[7] 2011-04-23 00:34:46 . BB8E60EE55E3B48F893E71A09C2D420B . 17773568 . . [9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)] .. C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.20530_none_885f1d730df3e02b\mshtml.dll
[7] 2010-11-21 03:24:42 . 1C8B787BAA52DEAD1A6FEC1502D652F0 . 8988160 . . [8.00.7601.17514 (win7sp1_rtm.101119-1850)] .. C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_8.0.7601.17514_none_8c235f42afcafdda\mshtml.dll
[7] 2012-05-18 02:47:36 . DE469470D93DEB4A1A81EDE72B848198 . 17807360 . . [9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)] .. C:\Windows\system32\mshtml.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="C:\Users\Nathan\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-01-19 20:07:17 137536]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Norton Online Backup"="C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 22:33:10 1155928]
"BackupManagerTray"="C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" [2011-04-24 01:28:38 297280]
"LManager"="C:\Program Files (x86)\Launch Manager\LManager.exe" [2011-03-14 11:44:36 1081424]
"ArcadeMovieService"="C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe" [2011-05-09 17:41:56 177448]
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
"QAppTray"="C:\Program Files (x86)\Qustodio\qapp\QAppTray.exe" [2012-05-05 11:08:04 1711960]
"APSDaemon"="C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 20:28:32 59240]
"iTunesHelper"="C:\Program Files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 04:09:24 421736]
"avast"="C:\Program Files\AVAST Software\Avast\avastUI.exe" [2012-03-06 23:15:17 4241512]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 03:24:28 73216]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qwdf64.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qwdr64.sys]
@="Driver"
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [x]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys [x]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys [x]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys [x]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 14:27:14 138576]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-25 16:02:11 257696]
R3 AmUStor;AM USB Stroage Driver;C:\Windows\system32\drivers\AmUStor.SYS [2011-01-14 03:01:44 74840]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
R3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-06-07 11:25:12 191752]
R3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 17:59:12 206072]
R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 21:34:24 4925184]
R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-21 03:24:33 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys [2010-11-21 03:23:47 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2011-12-29 15:30:35 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 01:10:10 57184]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 qwdf64;qwdf64 service;C:\Windows\system32\Drivers\qwdf64.sys [2012-05-05 11:08:00 28408]
S1 qwdr64;qwdr64 service;C:\Windows\system32\Drivers\qwdr64.sys [2012-05-05 11:08:00 44280]
S1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys [2009-07-14 00:07:22 59904]
S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-03 21:53:50 63928]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;C:\Windows\system32\drivers\aswMonFlt.sys [2012-03-06 23:01:52 69976]
S2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-05-12 15:59:00 249648]
S2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 14:22:40 822624]
S2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2011-03-14 11:44:36 352336]
S2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2011-05-10 13:01:08 872552]
S2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2011-05-26 06:40:48 29696]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-09-14 01:32:32 13336]
S2 Live Updater Service;Live Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2011-04-22 16:44:14 244624]
S2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [2011-04-24 01:29:20 256832]
S2 qengine;qengine;C:\Program Files (x86)\Qustodio\qproxy\qengine.exe [2012-05-05 11:09:06 3622768]
S2 qupdate;qupdate;C:\Program Files (x86)\Qustodio\qapp\QUpdateService.exe [2012-05-05 11:08:10 1610584]
S2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 08:30:18 508776]
S2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-02-01 05:24:42 2656280]
S3 IntcDAud;Intel(R) Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys [2010-10-14 17:28:16 317440]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C62x64.sys [2011-04-20 09:24:56 169584]
S3 MEIx64;Intel(R) Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys [2010-10-19 08:34:26 56344]
S3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETwNs64.sys [2011-01-04 03:29:46 8507392]
S3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 08:30:10 764264]
S3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 08:30:18 268648]
S3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 08:30:18 25960]
S3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 08:30:22 22376]
S3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 08:30:22 219496]
Hi,
That's not the complete Combofix log, I need to see the whole thing. It removed nothing bad.
ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.
danny12345
2012-07-03, 17:57
this keeps getting weirder...
I ran the ESET scan, it said it found 11 threats but when I click on the "show threats" option it's completely blank and does nothing when I click on "export to text file" - have attached screenshots to show what I mean...
During the scan it said the threat(s) it had found was "a variant of Win32/InstallCore.Q application" if that helps...?
danny12345
2012-07-03, 18:07
Further to my last post had a hunt around and found this log file in the ESET folder on my C drive. Hope it helps...
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=cc3452bfff8a544db48359f98dc0921e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-02 10:21:16
# local_time=2012-07-02 11:21:16 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 100 94 515010 93718164 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=117664
# found=11
# cleaned=0
# scan_time=14562
C:\Users\Nathan\Downloads\ancient-jewels (1).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels (2).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels (3).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels (4).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels (5).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels (6).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels (7).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels.exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\speedy-bubbles (1).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\speedy-bubbles (2).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\speedy-bubbles.exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=cc3452bfff8a544db48359f98dc0921e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-07-03 02:17:57
# local_time=2012-07-03 03:17:57 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 100 94 581296 93784450 0 0
# compatibility_mode=8192 67108863 100 0 66592 66592 0 0
# scanned=117669
# found=11
# cleaned=0
# scan_time=5677
C:\Users\Nathan\Downloads\ancient-jewels (1).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels (2).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels (3).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels (4).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels (5).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels (6).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels (7).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\ancient-jewels.exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\speedy-bubbles (1).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\speedy-bubbles (2).exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Nathan\Downloads\speedy-bubbles.exe a variant of Win32/InstallCore.Q application (unable to clean) 00000000000000000000000000000000 I
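The ESET log above is the only place the 11 findings were visible, since the scanner's own "List threats" view came up blank. The following is an added example (not ESET's code and not from this forum) that parses that log format into records and cross-checks the `# found=` header against the detection lines actually present, so a helper can review the findings from the file alone. It assumes ESET writes each detection as tab-separated fields (path, threat, action, hash, flag); because a forum paste collapses tabs to spaces, a heuristic regex handles that layout too. The sample log is constructed, modelled on the one in this thread, with a deliberately mismatched second run to exercise the consistency check.

```python
"""Parse ESET Online Scanner logs into structured records.

Added example for this thread (not ESET's or the forum's code). Assumptions:
detection lines are tab-separated (path, threat, action, hash, flag); a
fallback regex handles lines whose tabs were collapsed to spaces by a paste.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Fallback for tab-collapsed lines: the path is assumed to end in a short
# file extension, the action sits in parentheses, and a 32-hex digest plus a
# one-token flag close the line (heuristic, not ESET's documented grammar).
_COLLAPSED_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{1,4})\s+"
    r"(?P<threat>.+?)\s+"
    r"\((?P<action>[^()]+)\)\s+"
    r"(?P<digest>[0-9A-Fa-f]{32})\s+"
    r"(?P<flag>\S+)$"
)


@dataclass
class Detection:
    path: str
    threat: str
    action: str
    digest: str
    flag: str


@dataclass
class ScanRun:
    """One scan: header values (repeated keys keep every value) and findings."""
    meta: Dict[str, List[str]] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)
    unparsed: List[str] = field(default_factory=list)

    def header_int(self, key: str) -> int:
        return int(self.meta.get(key, ["0"])[-1])

    @property
    def found(self) -> int:
        return self.header_int("found")

    @property
    def consistent(self) -> bool:
        """Does the '# found=' header agree with the detection lines present?"""
        return self.found == len(self.detections)


def parse_detection(line: str) -> Optional[Detection]:
    if "\t" in line:                      # native tab layout
        parts = [p.strip() for p in line.split("\t") if p.strip()]
        if len(parts) == 5 and parts[2].startswith("("):
            path, threat, action, digest, flag = parts
            return Detection(path, threat, action.strip("()"), digest, flag)
        return None
    m = _COLLAPSED_RE.match(line)         # forum-pasted layout
    return Detection(**m.groupdict()) if m else None


def parse_eset_log(text: str) -> List[ScanRun]:
    """A log file may hold several runs; each starts at its '# version=' line."""
    runs: List[ScanRun] = []
    current: Optional[ScanRun] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# version="):
            current = ScanRun()
            runs.append(current)
        if current is None:
            continue                      # downloader chatter before the first run
        if line.startswith("#"):
            key, _, value = line.lstrip("# ").partition("=")
            current.meta.setdefault(key, []).append(value)
            continue
        det = parse_detection(line)
        if det is not None:
            current.detections.append(det)
        else:
            current.unparsed.append(line)  # e.g. "all ok" lines between runs
    return runs


def uncleaned_files(runs: List[ScanRun]) -> List[str]:
    """Unique paths the scanner flagged but left in place (remove_checked=false)."""
    return sorted({d.path for r in runs for d in r.detections
                   if d.action == "unable to clean"})


# Constructed sample modelled on the log pasted in the thread: first run in
# the native tab layout, second run as a forum paste (spaces) whose header
# count does not match its detection lines.
_DIGEST = "0" * 32
SAMPLE_LOG = "\n".join([
    "ESETSmartInstaller@High as downloader log:",
    "all ok",
    "# version=7",
    "# remove_checked=false",
    "# compatibility_mode=1024 16777215 100 0 0 0 0 0",
    "# compatibility_mode=8192 67108863 100 0 0 0 0 0",
    "# scanned=117664",
    "# found=2",
    "# cleaned=0",
    "\t".join([r"C:\Users\Nathan\Downloads\ancient-jewels (1).exe",
               "a variant of Win32/InstallCore.Q application",
               "(unable to clean)", _DIGEST, "I"]),
    "\t".join([r"C:\Users\Nathan\Downloads\speedy-bubbles.exe",
               "a variant of Win32/InstallCore.Q application",
               "(unable to clean)", _DIGEST, "I"]),
    "ESETSmartInstaller@High as downloader log:",
    "all ok",
    "# version=7",
    "# found=3",
    "# cleaned=0",
    r"C:\Users\Nathan\Downloads\speedy-bubbles (2).exe a variant of "
    "Win32/InstallCore.Q application (unable to clean) " + _DIGEST + " I",
])

if __name__ == "__main__":
    for i, run in enumerate(parse_eset_log(SAMPLE_LOG), 1):
        print(f"run {i}: found={run.found} parsed={len(run.detections)} "
              f"consistent={run.consistent}")
    for p in uncleaned_files(parse_eset_log(SAMPLE_LOG)):
        print("left in place:", p)
```

Checking `found` against the parsed lines is the useful part: when they disagree the log has lost lines (or the paste mangled them), which is the first thing to establish before deciding anything from it, and `uncleaned_files` lists exactly what is still on disk when the scan was run with "Remove found threats" unchecked, as instructed above.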
Sometimes game sites are a little iffy, this is what I would do
C:\Users\Nathan\Downloads\speedy-bubbles
Go into your Downloads folder and delete everything related to speedy-bubbles, but don't delete the Downloads folder itself.
How are things running now ?
danny12345
2012-07-03, 20:46
Deleted those files but still can't install spybot or malwarebytes. Still getting Access violation error - slightly different numbers from before:
"Access violation at address 713201C1. Write of address 00000001"
:sad:
Is it possible that the bad sectors from my original problem are still messed up and interfering with things?
danny12345
2012-07-03, 21:46
...just been having a think about all this and am wondering if it might be best to just restore the laptop to factory settings - it's only about 6 months old and is primarily used for surfing, so it would be easy enough to back up the small amount of documents I have and start from scratch again... it would be easy enough to set up browsers, etc. again, and this time I'd get Spybot on from the start.
If by any chance this was malware causing the problems, would restoring factory settings get rid of it?
Do you recommend putting any other anti-spyware programs to run alongside SB S&D?
First do this
You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, if it says this file has been checked before, have them recheck it. When the scan is done just copy and paste the link back to this forum for me to see.
C:\Windows\system32\qproxy.dll <--This file
If the site is busy you can try this one
http://virusscan.jotti.org/en
danny12345
2012-07-04, 00:11
here's the link...
https://www.virustotal.com/file/564b07c90a4440a2b977dd0cc75bfe2d49a26d418ec7105573c6fc20a96fa470/analysis/1341349695/
Great, that file is fine, just a double check.
What I would like you to do is go to this Windows forum. All of us forums work together, so you can link them to this thread so they can see what we have done, and let them help you with restoring your computer to factory defaults. I am just concerned about the sectors in the hard drive; let's hope they're not damaged. It's possible that a reformat and clean install of Windows is what you may need.
http://forums.whatthetech.com/index.php?showforum=119
I would be interested to see what they have to say
Ken :)
danny12345
2012-07-04, 20:39
Thank you so much for all your help Ken545, it's really appreciated, all that you've done for us.
:thanks:
You're very welcome,
Combofix <---Is not a general cleaning tool, just run it with supervision or you can damage your system
Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.
http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png
How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/index.php?showtopic=57817)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Safe Surfn
Ken
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.