Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

i want my pc back! Winsys32 Nightmare!

Started by kcooker , Sep 10 2011 11:05 PM

  • This topic is locked This topic is locked

#1
kcooker
Posted 10 September 2011 - 11:05 PM

kcooker

    Member

  • Member
  • PipPip
  • 17 posts
hp pavillion desktop original os windows vista

my installed system
OS Version: Microsoft Windows 7 Ultimate , Service Pack 1, 64 bit
Processor: AMD Phenom™ 9150e Quad-Core Processor, AMD64 Family 16 Model 2 Stepping 3
Processor Count: 4
RAM: 4030 Mb
Graphics Card: NVIDIA GeForce 6150SE nForce 430 (Microsoft Corporation - WDDM), 64 Mb
Hard Drives: C: Total - 463461 MB, Free - 234099 MB;
Motherboard: ECS , Nettle3, 2.2,
Antivirus: avast! Antivirus, Updated and Enabled

i looked in my environmental variables for my system and
ComSpec = %SystemRoot%\system32\cmd.exe
FP_NO_HOST_CHECK = NO
NUMBER_OF_PROCESSORS = 4
OS= windows nt
Path = %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\ System32\WindowsPowerShell\v1.0\
PATHEXT = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE = AMD64
PROCESSOR_IDENTIFIER = AMD64 Family 16 Model 2 Stepping 3, AuthenticAMD
PROCESSOR_LEVEL = 16
PROCESSOR_REVISION = 0203
PSModulePath = %SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
USERNAME = SYSTEM
windir = %SystemRoot%
windows_tracing_flags = 3
windows_tracing_logfile = C:\BVTBin\Tests\installpackage\csilogfile.log
%USERPROFILE%\AppData\Local\Temp

so, a while back i downloaded that update that active xed my hard drive to that imaginary d: drive (i know, not the only one). so, basically i wiped everything out and handed my system over to my friend's brother who knows a ton about computers. he installed a new hard drive, updated drivers, installed windows 7 ultimate svc pack 1, avast, spybot, firefox..etc. it worked fine for a while and then i got that stupid update installed with the active x again (i really despise microsoft update). however, i must have contracted the winsys32 trojan at that time. again sent it off to be fixed.... so on. every couple weeks the winsys32 **** kept taking over and i would try to fix and end up shipping it over to jon.

so, the deal is that he just keeps kinda bandaiding the thing - alll the winsys32 stuff is there and a million times worse than it started out but he figures out a way to re-install win7 winth C:windows actually but the winsys **** is underneath. this last fix, i couldn't connect to the internet (DNS failure). so, i went to the command prompt to fix and it was winsys32cmd.exe -

i know i tried to fix the thing gathering what info i could and id get yelled at for "screwing with it so bad." i later realized that i was trying to fix the winsys32 like and active x. i didn't realize that it was a trojan. im not sure how many there are and all that but, if i can finally get rid of this pest and go back to using windows for more than 3 weeks without meltdowns, id be so happy!!!!

i have a bunch of scans - hijack this, mbr, dds, olt.... your instructions ask for quick olt scan so, i will paste that (i also have a olt custom scan (per pchelp) log and the olt extras log) let me know what you need!!!

ps - i mean it - cookies, carrot cake, footrubs, scan logs, a kidney - anything that will help!!!

kc

OTL logfile created on: 9/11/2011 12:52:58 AM - Run 2
OTL by OldTimer - Version 3.2.27.0 Folder = C:\Users\main\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.94 Gb Total Physical Memory | 2.79 Gb Available Physical Memory | 70.90% Memory free
7.87 Gb Paging File | 6.01 Gb Available in Paging File | 76.38% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 452.60 Gb Total Space | 224.13 Gb Free Space | 49.52% Space Free | Partition Type: NTFS

Computer Name: COMPUTERPC | User Name: main | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/09/11 00:52:40 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Users\main\Desktop\OTL.exe
PRC - [2011/09/06 16:45:30 | 003,722,416 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2011/09/06 16:45:28 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2011/09/06 16:45:28 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2009/07/13 21:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 21:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2009/06/10 17:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/09/06 16:38:18 | 000,601,944 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2011/09/06 16:38:16 | 000,301,912 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2011/09/06 16:36:41 | 000,058,200 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswTdi.sys -- (aswTdi)
DRV:64bit: - [2011/09/06 16:36:41 | 000,042,328 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr.sys -- (aswRdr)
DRV:64bit: - [2011/09/06 16:36:30 | 000,065,368 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2011/09/06 16:36:14 | 000,024,408 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - [2010/11/20 23:24:43 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2010/11/20 23:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 23:23:48 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub)
DRV:64bit: - [2010/11/20 23:23:48 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV:64bit: - [2010/11/20 23:23:48 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2010/11/20 23:23:48 | 000,034,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt)
DRV:64bit: - [2010/11/20 23:23:47 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2010/11/20 23:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 23:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010/11/20 23:23:47 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 21:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 21:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 21:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 16:35:38 | 000,707,072 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\netr7364.sys -- (netr7364)
DRV:64bit: - [2009/06/10 16:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
DRV:64bit: - [2009/06/10 16:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 16:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 16:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 16:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 21:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = C0 D0 B5 3F 73 6F CC 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found



O1 HOSTS File: ([2009/06/10 17:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5DB09E9E-B482-4627-AF85-81CB9CD29A1F}: DhcpNameServer = 209.18.47.61 209.18.47.62
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/09/10 19:02:00 | 001,916,416 | ---- | C] (AVAST Software) -- C:\Users\main\Desktop\aswMBR.exe
[2011/09/10 09:24:22 | 000,581,120 | ---- | C] (OldTimer Tools) -- C:\Users\main\Desktop\OTL.exe
[2011/09/10 06:57:32 | 000,000,000 | ---D | C] -- C:\Windows\Panther
[2011/09/10 06:44:16 | 000,000,000 | ---D | C] -- C:\Windows.old.003
[2011/09/10 06:11:47 | 000,000,000 | ---D | C] -- C:\ProgramData\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}
[2011/09/10 06:01:24 | 000,000,000 | ---D | C] -- C:\Windows\SoftwareDistribution
[2011/09/10 05:58:32 | 000,000,000 | ---D | C] -- C:\Windows\Prefetch
[2011/09/10 05:55:35 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\appmgmt
[2011/09/10 05:32:23 | 000,000,000 | ---D | C] -- C:\Users\main\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/09/10 05:32:23 | 000,000,000 | ---D | C] -- C:\hijackthis
[2011/09/10 04:54:45 | 000,055,384 | ---- | C] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2011/09/10 04:51:52 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\DRVSTORE
[2011/09/10 04:51:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Lavasoft
[2011/09/10 04:20:14 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Macromed
[2011/09/10 00:47:06 | 000,000,000 | -H-D | C] -- C:\ProgramData\~0
[2011/09/10 00:46:52 | 000,000,000 | ---D | C] -- C:\Users\main\AppData\Local\PackageAware
[2011/09/10 00:35:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
[2011/09/10 00:35:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2011/09/10 00:35:03 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Spybot - Search & Destroy
[2011/09/10 00:20:51 | 000,301,912 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2011/09/10 00:20:51 | 000,024,408 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2011/09/10 00:20:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2011/09/10 00:20:49 | 000,058,200 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2011/09/10 00:20:49 | 000,042,328 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr.sys
[2011/09/10 00:20:47 | 000,601,944 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2011/09/10 00:20:46 | 000,254,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2011/09/10 00:20:46 | 000,065,368 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2011/09/10 00:20:06 | 000,000,000 | -HSD | C] -- C:\Windows\Installer
[2011/09/10 00:20:02 | 000,199,304 | ---- | C] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2011/09/10 00:20:02 | 000,041,184 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/09/10 00:19:53 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2011/09/10 00:19:53 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2011/09/10 00:18:11 | 000,000,000 | ---D | C] -- C:\Users\main\AppData\Local\Diagnostics
[2011/09/10 00:15:21 | 000,000,000 | R--D | C] -- C:\Users\main\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2011/09/10 00:15:21 | 000,000,000 | R--D | C] -- C:\Users\main\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2011/09/10 00:15:20 | 000,000,000 | R--D | C] -- C:\Users\main\Searches
[2011/09/10 00:15:20 | 000,000,000 | -H-D | C] -- C:\Users\main\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2011/09/10 00:15:10 | 000,000,000 | ---D | C] -- C:\Users\main\AppData\Roaming\Identities
[2011/09/10 00:15:06 | 000,000,000 | R--D | C] -- C:\Users\main\Contacts
[2011/09/10 00:15:04 | 000,000,000 | ---D | C] -- C:\Users\main\AppData\Local\VirtualStore
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\AppData\Local\Temporary Internet Files
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\Templates
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\Start Menu
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\SendTo
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\Recent
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\PrintHood
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\NetHood
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\Documents\My Videos
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\Documents\My Pictures
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\Documents\My Music
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\My Documents
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\Local Settings
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\AppData\Local\History
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\Cookies
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\Application Data
[2011/09/10 00:14:48 | 000,000,000 | -HSD | C] -- C:\Users\main\AppData\Local\Application Data
[2011/09/10 00:14:47 | 000,000,000 | --SD | C] -- C:\Users\main\AppData\Roaming\Microsoft
[2011/09/10 00:14:47 | 000,000,000 | R--D | C] -- C:\Users\main\Videos
[2011/09/10 00:14:47 | 000,000,000 | R--D | C] -- C:\Users\main\Saved Games
[2011/09/10 00:14:47 | 000,000,000 | R--D | C] -- C:\Users\main\Pictures
[2011/09/10 00:14:47 | 000,000,000 | R--D | C] -- C:\Users\main\Music
[2011/09/10 00:14:47 | 000,000,000 | R--D | C] -- C:\Users\main\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2011/09/10 00:14:47 | 000,000,000 | R--D | C] -- C:\Users\main\Links
[2011/09/10 00:14:47 | 000,000,000 | R--D | C] -- C:\Users\main\Favorites
[2011/09/10 00:14:47 | 000,000,000 | R--D | C] -- C:\Users\main\Downloads
[2011/09/10 00:14:47 | 000,000,000 | R--D | C] -- C:\Users\main\Documents
[2011/09/10 00:14:47 | 000,000,000 | R--D | C] -- C:\Users\main\Desktop
[2011/09/10 00:14:47 | 000,000,000 | R--D | C] -- C:\Users\main\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2011/09/10 00:14:47 | 000,000,000 | -H-D | C] -- C:\Users\main\AppData
[2011/09/10 00:14:47 | 000,000,000 | ---D | C] -- C:\Users\main\AppData\Local\Temp
[2011/09/10 00:14:47 | 000,000,000 | ---D | C] -- C:\Users\main\AppData\Local\Microsoft
[2011/09/10 00:14:47 | 000,000,000 | ---D | C] -- C:\Users\main\AppData\Roaming\Media Center Programs
[2011/09/10 00:12:59 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat
[2011/09/10 00:12:59 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat
[2011/09/09 16:50:19 | 000,000,000 | ---D | C] -- C:\Philips
[2011/09/09 16:49:35 | 000,000,000 | ---D | C] -- C:\temp
[2011/08/16 16:52:35 | 000,000,000 | ---D | C] -- C:\Windows.old.002
[2011/08/16 15:16:24 | 000,000,000 | ---D | C] -- C:\NVIDIA
[2011/08/13 21:44:34 | 000,000,000 | ---D | C] -- C:\Windows.old.001

========== Files - Modified Within 30 Days ==========

[2011/09/11 00:52:40 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Users\main\Desktop\OTL.exe
[2011/09/11 00:44:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/09/10 23:41:49 | 000,020,640 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/09/10 23:41:49 | 000,020,640 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/09/10 23:04:22 | 000,001,701 | ---- | M] () -- C:\Users\main\Desktop\WINWORD - Shortcut.lnk
[2011/09/10 22:04:21 | 000,001,939 | ---- | M] () -- C:\Users\main\Documents\ddsattach.rtf
[2011/09/10 22:03:20 | 000,007,019 | ---- | M] () -- C:\Users\main\Documents\hijackthislog.rtf
[2011/09/10 21:53:33 | 000,006,600 | ---- | M] () -- C:\Users\main\Documents\hijackthis2.rtf
[2011/09/10 21:50:08 | 000,006,811 | ---- | M] () -- C:\Users\main\Documents\dds.rtf
[2011/09/10 21:48:51 | 000,007,895 | ---- | M] () -- C:\Users\main\Documents\otlextras.rtf
[2011/09/10 21:46:43 | 000,002,013 | ---- | M] () -- C:\Users\main\Documents\mbr.rtf
[2011/09/10 19:42:16 | 000,099,865 | ---- | M] () -- C:\Users\main\Documents\olw.rtf
[2011/09/10 19:09:57 | 000,000,512 | ---- | M] () -- C:\Users\main\Documents\MBR.dat
[2011/09/10 19:02:11 | 001,916,416 | ---- | M] (AVAST Software) -- C:\Users\main\Desktop\aswMBR.exe
[2011/09/10 10:16:29 | 000,001,449 | ---- | M] () -- C:\Users\main\Desktop\Internet Explorer.lnk
[2011/09/10 07:59:10 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/09/10 07:59:10 | 000,615,122 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/09/10 07:59:10 | 000,103,496 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/09/10 06:57:19 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
[2011/09/10 06:24:18 | 000,005,243 | ---- | M] () -- C:\Users\main\Documents\hijackthis2
[2011/09/10 06:02:16 | 000,116,385 | ---- | M] () -- C:\Windows\SysWow64\license.rtf
[2011/09/10 06:02:16 | 000,116,385 | ---- | M] () -- C:\Windows\SysNative\license.rtf
[2011/09/10 05:59:58 | 000,000,000 | -H-- | M] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2011/09/10 05:32:23 | 000,002,953 | ---- | M] () -- C:\Users\main\Desktop\HiJackThis.lnk
[2011/09/10 05:30:08 | 000,000,078 | -H-- | M] () -- C:\aaw7boot.cmd
[2011/09/10 04:54:45 | 000,055,384 | ---- | M] (Sunbelt Software) -- C:\Windows\SysNative\drivers\SBREDrv.sys
[2011/09/10 03:08:18 | 000,274,320 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/09/10 00:36:43 | 000,001,443 | ---- | M] () -- C:\Users\main\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/09/10 00:35:09 | 000,001,288 | ---- | M] () -- C:\Users\main\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/09/10 00:35:09 | 000,001,264 | ---- | M] () -- C:\Users\main\Desktop\Spybot - Search & Destroy.lnk
[2011/09/10 00:28:49 | 3169,595,392 | -HS- | M] () -- C:\hiberfil.sys
[2011/09/10 00:26:53 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2011/09/10 00:20:51 | 000,001,843 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/09/06 16:45:29 | 000,199,304 | ---- | M] (AVAST Software) -- C:\Windows\SysWow64\aswBoot.exe
[2011/09/06 16:45:29 | 000,041,184 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2011/09/06 16:45:17 | 000,254,400 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2011/09/06 16:38:18 | 000,601,944 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2011/09/06 16:38:16 | 000,301,912 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2011/09/06 16:36:41 | 000,058,200 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2011/09/06 16:36:41 | 000,042,328 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr.sys
[2011/09/06 16:36:30 | 000,065,368 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2011/09/06 16:36:14 | 000,024,408 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys

========== Files Created - No Company Name ==========

[2011/09/10 23:04:22 | 000,001,701 | ---- | C] () -- C:\Users\main\Desktop\WINWORD - Shortcut.lnk
[2011/09/10 21:53:33 | 000,006,600 | ---- | C] () -- C:\Users\main\Documents\hijackthis2.rtf
[2011/09/10 21:52:23 | 000,007,019 | ---- | C] () -- C:\Users\main\Documents\hijackthislog.rtf
[2011/09/10 21:51:18 | 000,001,939 | ---- | C] () -- C:\Users\main\Documents\ddsattach.rtf
[2011/09/10 21:50:08 | 000,006,811 | ---- | C] () -- C:\Users\main\Documents\dds.rtf
[2011/09/10 21:48:51 | 000,007,895 | ---- | C] () -- C:\Users\main\Documents\otlextras.rtf
[2011/09/10 21:46:43 | 000,002,013 | ---- | C] () -- C:\Users\main\Documents\mbr.rtf
[2011/09/10 19:42:15 | 000,099,865 | ---- | C] () -- C:\Users\main\Documents\olw.rtf
[2011/09/10 19:09:57 | 000,000,512 | ---- | C] () -- C:\Users\main\Documents\MBR.dat
[2011/09/10 10:16:29 | 000,001,449 | ---- | C] () -- C:\Users\main\Desktop\Internet Explorer.lnk
[2011/09/10 06:24:17 | 000,005,243 | ---- | C] () -- C:\Users\main\Documents\hijackthis2
[2011/09/10 06:02:00 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2011/09/10 06:01:49 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2011/09/10 05:59:58 | 000,000,000 | -H-- | C] () -- C:\Windows\SysNative\drivers\Msft_User_WpdFs_01_09_00.Wdf
[2011/09/10 05:32:23 | 000,002,953 | ---- | C] () -- C:\Users\main\Desktop\HiJackThis.lnk
[2011/09/10 05:30:08 | 000,000,078 | -H-- | C] () -- C:\aaw7boot.cmd
[2011/09/10 00:36:43 | 000,001,443 | ---- | C] () -- C:\Users\main\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/09/10 00:35:09 | 000,001,288 | ---- | C] () -- C:\Users\main\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/09/10 00:35:09 | 000,001,264 | ---- | C] () -- C:\Users\main\Desktop\Spybot - Search & Destroy.lnk
[2011/09/10 00:20:51 | 000,001,843 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2011/09/10 00:20:46 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2011/09/10 00:15:29 | 000,001,415 | ---- | C] () -- C:\Users\main\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
[2011/09/10 00:15:24 | 000,001,449 | ---- | C] () -- C:\Users\main\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2011/09/10 00:14:48 | 000,000,290 | ---- | C] () -- C:\Users\main\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/09/10 00:14:48 | 000,000,272 | ---- | C] () -- C:\Users\main\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2011/08/16 16:01:43 | 3169,595,392 | -HS- | C] () -- C:\hiberfil.sys
[2009/07/14 01:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/13 22:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009/07/13 22:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009/07/13 20:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 17:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat

========== LOP Check ==========

[2009/07/14 01:08:49 | 000,002,884 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
  • 0

Advertisements

#2
Essexboy
Posted 11 September 2011 - 04:50 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there nothing jumps out at me there so lets look a bit deeper. What symptoms are you experiencing ?

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan

Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply

Posted Image

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  • 0

#3
kcooker
Posted 11 September 2011 - 02:21 PM

kcooker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
ok, the problem is that winsys32 has taken over my computer. my friend has "fixed" it a zillion times but hasnt cleaned out all the winsys32 junk. it hijacks every clean thing and all the kernel re-directy stuff will automatically delete the correct settings for a C:windows system. im stuck in a C:\\\\\\winsys32 system which converts my harddrive to ntfs (?) and a local disk. it is a system that is all wrapped up in no-man's land. installing antivirus or malware doesn't work because the thing hijacks it and makes it a 32.exe*, so all the scans come out normal because it is part of this os.

now im really screwed.... im going to attach my logs and then explain (i had to finally go into safe mode to use a program)

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-10 19:05:40
-----------------------------
19:05:40.509 OS Version: Windows x64 6.1.7601 Service Pack 1
19:05:40.509 Number of processors: 4 586 0x203
19:05:40.509 ComputerName: COMPUTERPC UserName: main
19:05:42.381 Initialize success
19:05:42.506 AVAST engine defs: 11091001
19:06:26.825 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005d
19:06:26.825 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
19:06:28.900 Disk 0 MBR read successfully
19:06:28.900 Disk 0 MBR scan
19:06:28.916 Disk 0 Windows 7 default MBR code
19:06:28.916 Service scanning
19:06:30.366 Modules scanning
19:06:30.366 Disk 0 trace - called modules:
19:06:30.382 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor.sys
19:06:30.382 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004370060]
19:06:30.398 3 CLASSPNP.SYS[fffff8800199f43f] -> nt!IofCallDriver -> [0xfffffa80037ea1a0]
19:06:30.398 5 ACPI.sys[fffff88000e1f7a1] -> nt!IofCallDriver -> \Device\0000005d[0xfffffa80037df530]
19:06:31.240 AVAST engine scan C:\Windows
19:06:32.831 AVAST engine scan C:\Windows\system32
19:07:26.433 AVAST engine scan C:\Windows\system32\drivers
19:07:32.127 AVAST engine scan C:\Users\main
19:08:46.352 AVAST engine scan C:\ProgramData
19:08:52.061 Scan finished successfully
19:09:57.644 Disk 0 MBR has been saved successfully to "C:\Users\main\Documents\MBR.dat"
19:09:57.644 The log file has been saved successfully to "C:\Users\main\Documents\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-11 12:02:21
-----------------------------
12:02:21.833 OS Version: Windows x64 6.1.7601 Service Pack 1
12:02:21.833 Number of processors: 4 586 0x203
12:02:21.833 ComputerName: COMPUTERPC UserName: main
12:02:23.159 Initialize success
12:02:23.268 AVAST engine defs: 11091100
12:02:42.737 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005d
12:02:42.737 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
12:02:44.796 Disk 0 MBR read successfully
12:02:44.796 Disk 0 MBR scan
12:02:44.796 Disk 0 Windows 7 default MBR code
12:02:44.812 Service scanning
12:02:46.294 Modules scanning
12:02:46.294 Disk 0 trace - called modules:
12:02:46.309 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor.sys
12:02:46.309 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004370060]
12:02:46.325 3 CLASSPNP.SYS[fffff8800199f43f] -> nt!IofCallDriver -> [0xfffffa80037ea1a0]
12:02:46.341 5 ACPI.sys[fffff88000e1f7a1] -> nt!IofCallDriver -> \Device\0000005d[0xfffffa80037df530]
12:02:47.074 AVAST engine scan C:\Windows
12:02:48.041 Disk 0 MBR has been saved successfully to "C:\Users\main\Documents\MBR.dat"
12:02:48.041 The log file has been saved successfully to "C:\Users\main\Documents\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-11 12:02:21
-----------------------------
12:02:21.833 OS Version: Windows x64 6.1.7601 Service Pack 1
12:02:21.833 Number of processors: 4 586 0x203
12:02:21.833 ComputerName: COMPUTERPC UserName: main
12:02:23.159 Initialize success
12:02:23.268 AVAST engine defs: 11091100
12:02:42.737 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005d
12:02:42.737 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
12:02:44.796 Disk 0 MBR read successfully
12:02:44.796 Disk 0 MBR scan
12:02:44.796 Disk 0 Windows 7 default MBR code
12:02:44.812 Service scanning
12:02:46.294 Modules scanning
12:02:46.294 Disk 0 trace - called modules:
12:02:46.309 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor.sys
12:02:46.309 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004370060]
12:02:46.325 3 CLASSPNP.SYS[fffff8800199f43f] -> nt!IofCallDriver -> [0xfffffa80037ea1a0]
12:02:46.341 5 ACPI.sys[fffff88000e1f7a1] -> nt!IofCallDriver -> \Device\0000005d[0xfffffa80037df530]
12:02:47.074 AVAST engine scan C:\Windows
12:02:48.041 Disk 0 MBR has been saved successfully to "C:\Users\main\Documents\MBR.dat"
12:02:48.041 The log file has been saved successfully to "C:\Users\main\Documents\aswMBR.txt"
12:03:03.822 AVAST engine scan C:\Windows\system32
12:05:25.620 AVAST engine scan C:\Windows\system32\drivers
12:06:00.205 AVAST engine scan C:\Users\main
12:08:32.056 AVAST engine scan C:\ProgramData
12:08:44.629 Scan finished successfully
12:11:24.171 Disk 0 MBR has been saved successfully to "C:\Users\main\Documents\MBR.dat"
12:11:24.186 The log file has been saved successfully to "C:\Users\main\Documents\aswMBR.txt"


ComboFix 11-09-11.02 - main 09/11/2011 12:14:03.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4030.2834 [GMT -4:00]
Running from: c:\users\main\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-11 to 2011-09-11 )))))))))))))))))))))))))))))))
.
.
2011-09-11 16:18 . 2011-09-11 16:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-10 09:55 . 2011-09-10 09:55 -------- d-----w- c:\windows\system32\appmgmt
2011-09-10 09:32 . 2011-09-10 09:32 -------- d-----w- C:\hijackthis
2011-09-10 09:30 . 2011-09-10 09:30 78 ---ha-w- C:\aaw7boot.cmd
2011-09-10 08:54 . 2011-09-10 08:54 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-10 08:51 . 2011-09-10 09:55 -------- dc----w- c:\windows\system32\DRVSTORE
2011-09-10 08:51 . 2011-09-10 09:55 -------- d-----w- c:\programdata\Lavasoft
2011-09-10 08:20 . 2011-09-10 08:20 -------- d-----w- c:\windows\SysWow64\Macromed
2011-09-10 04:35 . 2011-09-11 06:31 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-09-10 04:35 . 2011-09-11 06:31 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-09-10 04:20 . 2011-09-06 20:38 301912 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-10 04:20 . 2011-09-06 20:36 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-10 04:20 . 2011-09-06 20:36 58200 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-10 04:20 . 2011-09-06 20:36 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-10 04:20 . 2011-09-06 20:38 601944 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-10 04:20 . 2011-09-06 20:45 254400 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-10 04:20 . 2011-09-06 20:36 65368 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-09-10 04:20 . 2011-09-10 09:55 -------- d-sh--w- c:\windows\Installer
2011-09-10 04:20 . 2011-09-06 20:45 41184 ----a-w- c:\windows\avastSS.scr
2011-09-10 04:20 . 2011-09-06 20:45 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-09-10 04:19 . 2011-09-10 04:19 -------- d-----w- c:\programdata\AVAST Software
2011-09-10 04:19 . 2011-09-10 04:19 -------- d-----w- c:\program files\AVAST Software
2011-09-10 04:14 . 2011-09-10 04:15 -------- d-----w- c:\users\main
2011-09-10 04:12 . 2011-09-10 04:12 -------- d-----w- c:\windows\SysWow64\Wat
2011-09-10 04:12 . 2011-09-10 04:12 -------- d-----w- c:\windows\system32\Wat
2011-09-09 20:50 . 2011-09-09 20:50 -------- d-----w- C:\Philips
2011-09-09 20:49 . 2011-09-09 20:53 -------- d-----w- C:\temp
2011-08-16 20:52 . 2011-08-16 20:52 -------- d-----w- C:\Windows.old.002
2011-08-16 19:16 . 2011-08-16 19:20 -------- d-----w- C:\NVIDIA
2011-08-14 01:44 . 2011-08-14 01:44 -------- d-----w- C:\Windows.old.001
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-10 04:13 . 2010-11-21 03:24 14848 ----a-w- c:\windows\system32\slwga.dll
2011-09-10 04:13 . 2010-11-21 03:24 419840 ----a-w- c:\windows\system32\systemcpl.dll
2011-09-10 04:13 . 2010-11-21 03:23 13824 ----a-w- c:\windows\SysWow64\slwga.dll
2011-09-10 04:13 . 2010-11-21 03:24 833024 ----a-w- c:\windows\SysWow64\user32.dll
2011-09-10 04:13 . 2010-11-21 03:24 1008640 ----a-w- c:\windows\system32\user32.dll
2011-07-03 01:18 . 2011-07-21 12:03 12535496 ----a-w- C:\lpuninstall.exe
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2011-09-10 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2011-09-10 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S3 netr7364;USB Wireless 802.11 b/g Adaptor Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\bm_installer.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
.
**************************************************************************
.
Completion time: 2011-09-11 12:28:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-11 16:28
.
Pre-Run: 240,830,783,488 bytes free
Post-Run: 240,731,275,264 bytes free
.
- - End Of File - - 0B4BF2B0B7D8A16363F56F1D485144CA


so because of the funky system settings i couldnt completely disable all the antivirus and stuff - the way it is there all multiple copies on all differen't accounts..etc running that i can't turn off. also, i believe i am locked out of a cucial portion of the registry.

so, i ran combofix, it restarted my computer and i cant run anything. i don't know what to do now or if i am just massively screwed. combofix set things to be deleted from the registry (all the programs) but they are just there and i can't work anything. so... what do i do now????
  • 0

#4
kcooker
Posted 11 September 2011 - 02:39 PM

kcooker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
can i run combofix in safemode??
  • 0

#5
Essexboy
Posted 11 September 2011 - 03:37 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
If the notification is that a registry key is marked for deletion then just reboot and that will be cleared - it is a minor bug in combofix and does no harm

Also you should only be working one forum as the advice may conflict - let me know which forum you will stay with
  • 0

#6
kcooker
Posted 11 September 2011 - 03:57 PM

kcooker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
how do i know if there are alerts? i have re-booted and nothing happens and i get stuck in the frozen state that i told you about.

i started talking with you first. ive been trying to get back with you but the winsys has also hijacked my phone when i connect to wifi so... im super frustrated.

i don't mean to sound dumb, but what do i do from here???

thanks.

kc
  • 0

#7
kcooker
Posted 11 September 2011 - 09:52 PM

kcooker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
oh, in reply to running anti malware and antispyware for my prework, i don't know if i mentioned this but the programs get converted into 32.exe* and what not so, those programs don't pick up that this is the actual problem.

i don't know if this would also severly effect my other scans also? i want to get back to a correct registry on an actual harddisk with my valid os.

let me know what you think.
  • 0

#8
Essexboy
Posted 12 September 2011 - 11:29 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets work outside of windows where there is no interference

Please download the following programmes to your desktop:

Dr Web Live CD

ImgBurn

Install IMGBurn
  • Double click Dr Web
  • IMGBurn will open
  • Burn the ISO to a cd
  • Reboot the infected computer with the CD in the drive
  • Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
  • As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.

    Posted Image
  • Use arrow keys to select DrWeb-LiveCD (Default)
  • When the system is loaded, check the disks or folders you want to scan, and click on “Start”.

    Posted Image
  • The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
  • Once completed reboot to normal windows
  • No log is produced so once in normal windows run a fresh OTL scan and let me know if the problems persist

  • 1

#9
kcooker
Posted 14 September 2011 - 08:12 PM

kcooker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
hi there

sorry it took so long

ok, things are really messed up. im not sure if i should start this process over - let me know what you think.

this is what i figured out -

remote things keep connecting to my computer via ipv6 and changing things around. i know that i need to work outside this imaginary environment that im in but things are reaaaly messed up now.

my place here on the computer is linked to some network and whatever is controlling that network is controlling my pc.

how should i proceed? what do you need me to run? should i even attempt to download an antivirus/malware again?

i think i found the little extentions and wierd drivers that are on my system now but i don't know what to do.


i believe it is coming from my cell phone. should i turn it off and then go on?
  • 0

#10
kcooker
Posted 14 September 2011 - 08:23 PM

kcooker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
oh, i dont really have a cd drive, my printer is turned into something else also
  • 0

Advertisements

#11
Essexboy
Posted 15 September 2011 - 10:34 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK lets try this next

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll|c:\windows\SysWOW64\user32.dll
c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll|c:\windows\system32\user32.dll

Save this as CFScript.txt, in the same location as ComboFix.exe
Posted Image

Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#12
kcooker
Posted 16 September 2011 - 08:25 PM

kcooker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
i really appreciate you putting up with me, i just wanted to tell you that.

ok, this is what happened

first, i did get that pc doctor disk made. i also saved all the programs you have had me use so far.

i ran the combofix scan with the script that you told me to use. however, i had no idea windows defender was running.

ComboFix 11-09-16.01 - main 09/16/2011 21:12:21.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4030.2926 [GMT -4:00]
Running from: C:\Users\main.ComputerPC\Desktop\ComboFix.exe
Command switches used :: C:\Users\main.ComputerPC\Desktop\cfscript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

so, after it rebooted i was stuck in the same situation as before - i can't use any of the programs - internet, whatever. i really only wanted to use the internet to communicate with you. the only way i have figured out how to do this is to use explorer (64) in safe mode. i am also dually logged on - me as an admin and the pcadmin. each kind of using different os or something. what should i do next? i think it fixed stuff but when i log on, i can't use anything. if it did fix stuff, how do i get it to fix it so ill be able to use my desktop. i also figured out yesterday that my desktop whatever is in a windows shell or something.

i know that once i get this all fixed (im hoping we can do it)im going to need help with the drivers and configuring the ipv6/remote computer crap. the drivers are certified by the auto windows32 certificates. i did some research and this winsys32 thing seemed to be dropped in with an active x (which i keep aquireing from adobe).
i looked up some things about this fricken [bleep], which i attached.

i also know that there are other trojan things that dropped in because of the free acess to my computer.

what should i do now? should undo the combo fix run and run it again disabling windows defender? all i know is that every time i do the combo fix thing, i end up on a desktop with crap that doesn't work (obviously stuff that combo fix disabled or whatever). how do i make this so it actually fixes it? should i be doing all of this stuff in safe mode?

do you need me to run new otl, aswmbr logs? should i try the pc doc thing? the bottom line is the thing messed up my registry and all the other crap let in messed it up more.

the guy that has been "fixing" the computer never got rid of the crap and kinda installed stuff over it so after a little bit, it ends up taking over again.

sorry, kind of venting. let me know what you think.

kc

Attached Files


  • 0

#13
kcooker
Posted 16 September 2011 - 09:39 PM

kcooker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
i still have that QOObox file with all of the stuff i did now and before. i keep trying to copy it and paste it or attach it but it won't let me - hold on. i compressed it and attached it - i don't know if it worked or if you need it. im just trying to give you as much info as i can.

i also have syswow64 running.

in the hpcomputer c:drive there are a bunch of locked folders, one of them being recovery.

under the system file

i have an ado folder and under the enus foler are a billion options,msadc folder,MSAPI,and oledb

ok, ill stop now. im just frustrated.

thanks again for your help.

kc

Attached Files


  • 0

#14
Essexboy
Posted 17 September 2011 - 04:38 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

so, after it rebooted i was stuck in the same situation as before - i can't use any of the programs - internet, whatever

If this occurs after a combofix run then a reboot will cure it when Combofix releases the registry

There will be a lot of locked folders on your system, these are to do with seytem recovery, restore and critical system files

Could you post the c:\combofix.txt please
  • 0

#15
kcooker
Posted 17 September 2011 - 04:54 AM

kcooker

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
this is all the combofix text said


ComboFix 11-09-16.01 - main 09/16/2011 21:12:21.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4030.2926 [GMT -4:00]
Running from: C:\Users\main.ComputerPC\Desktop\ComboFix.exe
Command switches used :: C:\Users\main.ComputerPC\Desktop\cfscript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

i've restarted the computer several times. im able to do things now in my window because i went back before the last combofix.

i just ran new olt logs. i don't know if that will help.

ive made several dvds with the combofix program and logs, all the programs ive used or were reccomended, a disk devoted to olt, the other olt programs, my logs, users guides.

kc
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP