Crash aswMBR



joliegew
2013-03-18, 09:00
I tried to run aswMBR three times, but in all cases it crashes after the following lines:
...
14:31:32.512 AVAST engine scan C:\Windows\system32
14:34:56.501 Scanning: C:\windows\assembly\GAC_MSIL\Microsoft.visualstudio.Tools.Applications...

The error message was: (translated)

"avast! Antirootkit not running anymore

A problem arose which resulted in a halt of this program.
The program is closed and you get a message when a solution is available.
Closing program"

Although aswMBR crashed, is it worthwhile to send DDS.txt and Attach.zip while awaiting a solution to the aswMBR crash? I have them ready to be posted.
Thank you.

Robybel
2013-03-18, 22:22
Hi and :snwelcome: Joliegew :)

My name is Robybel.

I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your malware issues; this may or may not solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Vista and Windows 7 users:

These tools MUST be run from the executable (.exe) every time you run them, with Admin Rights (right-click, choose "Run as Administrator").

Stay with this topic until I give you the all clean post.

Having said that....Let's get going!! ;)

============ Next ==============




Scan with OTL

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Under Custom Scan paste this in


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
services.exe
/md5stop
%systemroot%\*. /rp /s
%systemdrive%\$Recycle.Bin|@;true;true;true /fp
DRIVES
CREATERESTOREPOINT


Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
You may need two posts to fit them both in.



============ Next ==============



Please read carefully and follow these steps.

Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png


If an infected file is detected, the default action will be Cure, click on Continue.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png


If a suspicious file is detected, the default action will be Skip, click on Continue.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png


It may ask you to reboot the computer to complete the process. Click on Reboot Now.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png


If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

On your next reply please post :

OTL.txt
Extras.txt
TDSSKiller log

Let me know if you have any problems in performing the steps above or any questions you may have.

Good Day!

joliegew
2013-03-19, 15:31
Hello Robybel,

Find herewith two zips; the third one you'll find in the next message.
I had to go to another computer with these files, because I didn't succeed in attaching them on the computer that behaves badly; just to let you know this.

Thank you for helping me! :thanks:

joliegew
2013-03-19, 15:34
This is the third file.
Thanks again.

Robybel
2013-03-19, 21:23
Hi Joliegew

AdwCleaner

Please download AdwCleaner (http://general-changelog-team.fr/en/tools/15-adwcleaner) by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

============ Next ==============



Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) and save it to your desktop.
Quit all other programs
Start RogueKiller.exe
Wait until the Prescan has finished ...
Click on Scan
http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png
Wait for the end of the scan
A report will be created on your desktop.
Click on the Delete button
http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png
Next click on the ShortcutsFix
http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png
another report will be created on your desktop.


Please post: All RKreport.txt text files located on your desktop.

On your next reply please post :

AdwCleaner log
All RKreport.txt
Let me know what problems you find

Let me know if you have any problems in performing the steps above or any questions you may have.

Good Day!

joliegew
2013-03-20, 12:59
Hi Robybel,

It was difficult to establish what you asked for, especially because AdwCleaner didn't finish, so that no reboot was forced. As you can see in the zip file, I undertook many, many runs of AdwCleaner, by which I think every time my PC became somewhat better to handle. Nevertheless I spent hours to come as far as I am now. I hope that what I send you makes sense to understand what happened successively. I cropped everything together with RKreport[3], as the zip file is called. I hope you don't mind.

Thank you in advance!
Joliegew

Robybel
2013-03-20, 14:24
Hi Joliegew;)

Good job :bigthumb: But:

If you can, don't attach the log, just copy/paste its contents


Please follow this step

http://imageshack.us/a/img841/7292/thisisujrt.gif Please download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.



============ Next ==============

Please read carefully and follow these steps.

Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png


If an infected file is detected, the default action will be Cure, click on Continue.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png


If a suspicious file is detected, the default action will be Skip, click on Continue.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png


It may ask you to reboot the computer to complete the process. Click on Reboot Now.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png


If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

joliegew
2013-03-20, 15:39
Hi Robybel,

Only JRT gave output:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.2 (03.15.2013:1)
OS: Windows Vista (TM) Home Premium x86
Ran by LieMaa on wo 20-03-2013 at 15:10:09,08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\windows nt\currentversion\windows\\AppInit_DLLs
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{61d1c847-df80-423a-8c6d-dc03b97e6ebe}



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{2a696bce-44cf-45a4-b905-59cdfa08531a}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{78875f5c-a685-4405-8dc5-d48dc65452b0}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\LieMaa\appdata\local\adawarebp"

TDSSKiller finished without anything to complain about :yes:

:thanks: again!
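
The JRT log posted above has a fixed shape: a header (version, OS, user and time), "~~~" section markers, and one "Successfully deleted/repaired: [Kind] target" line per action, with a registry value name separated from its key by a double backslash. The script below is an added example, not part of this thread and not JRT's own code: it parses that format and labels the entries that sit in persistence or browser-hijack locations (AppInit_DLLs, Browser Helper Objects, IE SearchScopes, IE toolbars), which are the lines a helper would follow up on. The sample log is the posted one, embedded so the script runs offline; the mechanism labels are this example's own classification, which JRT does not emit.

```python
"""Parse a Junkware Removal Tool (JRT) log into structured records.

Added example for this thread; it is not JRT's own code, and JRT does not
emit the persistence labels assigned below.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the JRT 4.7.2 log as posted in the thread. JRT
# lower-cases registry paths and separates a value name from its key
# with a double backslash.
SAMPLE_LOG = r"""
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.2 (03.15.2013:1)
OS: Windows Vista (TM) Home Premium x86
Ran by LieMaa on wo 20-03-2013 at 15:10:09,08
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\windows nt\currentversion\windows\\AppInit_DLLs
Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\toolbar\webbrowser\\{61d1c847-df80-423a-8c6d-dc03b97e6ebe}

~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{2a696bce-44cf-45a4-b905-59cdfa08531a}
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{78875f5c-a685-4405-8dc5-d48dc65452b0}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Users\LieMaa\appdata\local\adawarebp"
"""

SECTION_RE = re.compile(r"^~~~ (?P<name>.+)$")
ENTRY_RE = re.compile(
    r"^Successfully (?P<action>deleted|repaired): "
    r"\[(?P<kind>[^\]]+)\] (?P<target>.+)$"
)
VERSION_RE = re.compile(r"^Version: (?P<v>.+)$")
OS_RE = re.compile(r"^OS: (?P<os>.+)$")
RANBY_RE = re.compile(r"^Ran by (?P<user>\S+) on (?P<when>.+)$")

# Persistence / hijack locations this example labels. Patterns match the
# lower-cased registry path; the labels are ours, not JRT's.
PERSISTENCE = [
    (re.compile(r"\\currentversion\\windows\\\\appinit_dlls$"), "AppInit_DLLs"),
    (re.compile(r"\\explorer\\browser helper objects\\\{"), "IE browser helper object"),
    (re.compile(r"\\internet explorer\\searchscopes\\\{"), "IE search scope"),
    (re.compile(r"\\internet explorer\\toolbar\\webbrowser\\\\\{"), "IE toolbar"),
]


@dataclass
class Entry:
    section: str              # JRT section the line appeared under
    action: str               # "deleted" or "repaired"
    kind: str                 # "Registry Value", "Registry Key", "Folder", ...
    target: str               # path as JRT printed it, surrounding quotes removed
    mechanism: Optional[str]  # label from PERSISTENCE, or None


def classify(kind: str, target: str) -> Optional[str]:
    """Label registry entries that sit in a known persistence location."""
    if not kind.startswith("Registry"):
        return None
    path = target.lower()
    for pattern, label in PERSISTENCE:
        if pattern.search(path):
            return label
    return None


def parse_jrt_log(text: str) -> Dict[str, object]:
    """Return header fields plus every 'Successfully ...' line as an Entry."""
    report: Dict[str, object] = {"version": None, "os": None, "user": None,
                                 "ran_at": None, "entries": []}
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"~"}:
            continue                       # blank line or decorative rule
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        for regex, key in ((VERSION_RE, "version"), (OS_RE, "os")):
            m = regex.match(line)
            if m:
                report[key] = m.group(1)
        m = RANBY_RE.match(line)
        if m:
            report["user"], report["ran_at"] = m.group("user"), m.group("when")
            continue
        m = ENTRY_RE.match(line)
        if m:
            target = m.group("target").strip('"')
            kind = m.group("kind")
            report["entries"].append(
                Entry(section, m.group("action"), kind, target, classify(kind, target)))
    return report


def persistence_hits(report: Dict[str, object]) -> List[Entry]:
    """Entries that touched a persistence location: the ones worth following up."""
    return [e for e in report["entries"] if e.mechanism]


if __name__ == "__main__":
    rep = parse_jrt_log(SAMPLE_LOG)
    print(f"JRT {rep['version']} on {rep['os']}, run by {rep['user']}")
    for e in persistence_hits(rep):
        print(f"  {e.action:8} {e.mechanism:25} {e.target}")
```

On the posted log this reports four persistence hits and ignores the deleted adawarebp folder: the AppInit_DLLs value (a DLL listed there is loaded into every process that loads user32.dll, so a "repaired" entry there deserves a look at what it pointed to), one BHO CLSID, one SearchScopes CLSID and one toolbar CLSID. The classification is deliberately limited to what appears on this page; extend PERSISTENCE with other locations (Run keys, Winlogon values) as needed.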

Robybel
2013-03-20, 21:49
Hi Joliegew

The report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt".

joliegew
2013-03-20, 22:16
The last action?

Edit: Can I start offering data for another PC in this thread, or should I start a new thread?

TIA

Edit: http://forums.spybot.info/showthread.php?p=438558#post438558

Robybel
2013-03-21, 08:09
Hi Joliegew

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Refer to the ComboFix User's Guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

joliegew
2013-03-21, 12:25
Again I have to use another computer to try to get help:
ComboFix ended up with a kind of log file, which was shown on the desktop background with nothing else than the log file shown on the empty desktop. I closed the log and saw only the empty desktop. I could not do anything else than switching the computer off and on again.
I chose to reboot in safe mode, without internet connection.
The result is a list of loaded Windows files, and underneath:
Please wait...

Then, nothing happens anymore...

joliegew
2013-03-21, 15:26
I tried a normal boot by switching off and on again, because Ctrl-Alt-Del didn't work. The normal boot resulted in the green progress running startup screen and then a black screen with a normal cursor that can be moved by the mouse. After some time the standard screen saver by Vista is shown, with three comets coming and going and then the Windows Vista emblem. Much disk activity, which after an hour and longer gets less active. Ctrl-Alt-Del doesn't work.
I tried again the safe boot method, but this didn't work either: Loading files and Please wait...

Robybel
2013-03-22, 16:51
Hi joliegew

Download Farbar Recovery Scan Tool 32-Bit (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/) or
Farbar Recovery Scan Tool 64-Bit (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

joliegew
2013-03-22, 18:50
Hi Robybel,
Following your description I can land at Advanced Boot Options, but then I have only the following options, but not "Repair your computer":
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable Low Resolution Video
Last Known Good Configuration (advanced)
Directory Services Restore Mode
Debugging Mode
Disable Automatic Restart on System Failure
Disable Driver Signature Enforcement
Start Windows Normally

What should I choose now?

joliegew
2013-03-22, 19:31
If I understand well, I can choose from either Advanced Boot Options, or by using Windows installation disk.
I tried also this second option, but I got exactly the same list of options, but no "Repair your computer".
I also cut that off as well, and hope for a new post from you.
TIA

Robybel
2013-03-23, 14:33
Hi Joliegew ;)

Please remove your windows installation disk and re try my instructions ;)

joliegew
2013-03-23, 15:12
Hi Robybel,

I'll do that, but as described, I don't get the option Repair your computer, which cannot be found in the list that I get, as I reported.

Joliegew

Robybel
2013-03-23, 15:50
Hi Joliegew

Please let me know if you can use this infected PC.

joliegew
2013-03-23, 18:55
How, I cannot remember, but here it is.

Robybel
2013-03-24, 16:35
Hi joliegew ;)

I have some questions for you


Q1; When did the problem first start?
Q2; What leads you to believe it is malware related?

Q3; Have any of your other onboard protection programs detected anything prior to you posting here?


Please let me know the answers to my questions, so that I can help you with your machine.

joliegew
2013-03-25, 00:45
Q1. Some weeks ago, 2?
Q2. If I get unpredicted behaviour of a PC, I immediately suspect infection.
Q3. Yes, but I thought I instantly could kill them by various tools available at internet sites. Prior to that my own scanner moved more often than not malware to the trash.

Robybel
2013-03-25, 04:13
Hi Joliegew ;)

Ok Good

Q1 Please let me know what scanners you used before asking for help here.
Many scanners are potentially dangerous if used carelessly and must be used under the supervision of an expert; they can also remove traces of an infection that could serve as a reference to the helper for the disinfection of the machine.

Q2 List all security programs you have on your machine now (apart from the tools that I requested).

;)

joliegew
2013-03-26, 08:46
As standard I've installed McAfee Internet Security.
I tried to fix things with the following software, order not sure, and some I may have used earlier, i.e. not in the last weeks.

Boot Analyzer
Malwarebytes
AdAware
HijackThis
McAfee Security Scan Plus
Avira
Furthermore I installed lately Ghostery
Trusteer Rapport

May this be of any use?

Robybel
2013-03-26, 10:53
Hi joliegew

Please follow this steps

Uninstall McAfee
1. Uninstall McAfee using Add/Remove Programs in the Windows Control Panel:

a. Click Start, Search, type Programs and Features, and click Go.
b. Double-click Programs and Features.
c. Select the McAfee SecurityCenter product.
d. Click Uninstall and follow the steps provided.

2. Then run MCPR.exe:

a. Download MCPR.exe from http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe.
b. Click Save, and save the file to a folder on your computer.
c. Navigate to the folder where the file was saved.
d. Ensure that all McAfee windows are closed.
e. Right-click MCPR.exe and select Run as Administrator.

Next

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

Note: If you are using Windows Vista/7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://www.eset.com/online-scanner-popup/)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as MyEsetScan. Alternatively, look for report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
Push the Back button.
Select Uninstall application on close check box and push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png

joliegew
2013-03-26, 13:19
Hi Robybel,
Thank you for your elaborate list of tasks to undertake, but how can I install something on a computer that won't start at all?

Robybel
2013-03-26, 16:02
Put the Windows installations disk into your PC and reboot it.

Please go into your BIOS and set the CD/DVD drive to be the first boot device, or tap a certain key (this key depends on your PC but is usually something like F12) on the POST screen, which will then open a menu list so you can choose what device to boot from first; choose the CD/DVD drive.
Save and exit.

Download Farbar Recovery Scan Tool 32-Bit (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/) or
Farbar Recovery Scan Tool 64-Bit (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) and save it to a flash drive.

Plug the flashdrive into the infected PC.


To enter System Recovery Options by using Windows installation disc:

Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for the 64-bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Robybel
2013-03-29, 21:04
Still need help?

Robybel
2013-03-31, 09:55
Due to inactivity this topic will be closed.
If you need help please start a new thread