starts and reboots [Solved]



#1 beto18 (Member)
Hi

I have a laptop that loads up, and once the programs load a window pops up and states Windows has encountered a problem and will restart in one minute. I have tried to run the antivirus I have installed (Microsoft Security Essentials and Malwarebytes Anti-Malware). Microsoft registers that there are viruses detected but can't clean them due to the restart. I have tried safe mode and it does the same thing. I have tried restoring it and no luck. Please help.


WINDOWS 7 HOME PREMIUM x64 service pack 1

DETECTIONS BY MSE (as soon as the notification that the computer needs to be cleaned appears, so does the "Windows will restart" window)

TROJAN:WIN64/SIREFEF.F
VIRUS:WIN64/SIREFEF.B

#2 CompCav (Expert)
Hi, beto18! My nickname is CompCav and I will be assisting you with your malware/security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any questions or you are unsure about anything, just ask and I will help you out.

If you have resolved the issues you were originally experiencing, or have received help elsewhere, please let me know so that this topic can be closed.

Please make sure you are saving and printing the instructions out prior to each fix, this way you will have them on hand just in case you are unable to access this site. One of the steps I will be asking you to do requires you to boot into Safe Mode and this process will be much easier for you to perform if the instructions are printed out for you to follow.

If you are ready to get started, please review and follow these guidelines so that we resolve your issues in a timely and effective manner:
  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instructions that I give you. Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. These instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. However, the one thing that you should always do, is to make sure your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Just do a Copy/Paste of the entire contents of the log file inside your post and submit.
  • You must reply within four days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic. PM me only if I have not responded to your last post in 2 days.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to ultimately reformat your hard drive and reinstall the operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Please have the software and storage media for backing up your data available.

Do you have another computer we can use to download files? If so, what is the operating system (i.e. XP, Vista, Windows 7)?

Do you have a small USB flash drive to transfer files?

Do you have some blank CDs to make CDs on the good machine?

Do you have the Windows 7 Install disk we could use to boot up from the CD/DVD drive?


For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst64 (for the x64 version) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

#3 beto18 (Topic Starter)
Thank you for your help.

I have a desktop that I'm using for these posts.

I don't have the install disk. The laptop didn't come with one.

I do have blank CDs.

Here is the log.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-09-2012 03
Ran by SYSTEM at 15-09-2012 19:34:07
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet002

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [] [x]
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10134560 2010-03-22] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE3 [896032 2010-03-22] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2052392 2010-03-10] (Synaptics Incorporated)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566184 2010-09-28] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [52600 2009-03-09] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe [508216 2009-07-28] (TOSHIBA Corporation)
HKLM\...\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [915320 2010-05-10] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1489760 2010-04-06] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [705368 2010-02-23] (TOSHIBA Corporation)
HKLM\...\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe [238080 2009-10-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [709976 2010-02-05] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [595816 2010-03-19] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [35672 2010-03-03] (TOSHIBA Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2010-03-15] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SVPWUTIL] C:\Program Files (x86)\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL [352256 2010-02-22] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP [423936 2010-03-04] (TOSHIBA Electronics, Inc.)
HKLM-x32\...\Run: [KeNotify] C:\Program Files (x86)\TOSHIBA\Utilities\KeNotify.exe [34160 2009-12-25] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294136 2009-10-06] (TOSHIBA Corporation)
HKLM-x32\...\Run: [TWebCamera] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun [2454840 2010-02-24] (TOSHIBA CORPORATION.)
HKLM-x32\...\Run: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED [3218792 2010-08-17] (Toshiba)
HKLM-x32\...\Run: [ToshibaAppPlace] "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe" [552960 2010-09-23] (Toshiba)
HKLM-x32\...\Run: [Sprint SmartView] "C:\Program Files (x86)\Sprint\Sprint SmartView\SprintSV.exe" -a [75072 2010-12-15] (Sprint)
HKLM-x32\...\Run: [RDVCHG] "C:\Program Files (x86)\Sprint\Sprint SmartView\RDVCHG.exe" [316736 2010-12-15] (C-motech Co.,Ltd)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot [296056 2011-12-17] (RealNetworks, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
HKU\el amigo 2\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-10-31] (Google Inc.)
HKU\el amigo 2\...\Run: [Akamai NetSession Interface] "C:\Users\el amigo 2\AppData\Local\Akamai\netsession_win.exe" [4440896 2012-08-10] (Akamai Technologies, Inc.)
HKU\el amigo 2\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [6595928 2012-05-25] (Yahoo! Inc.)
HKU\el amigo 2\...\Run: [Facebook Update] "C:\Users\el amigo 2\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [138096 2012-08-26] (Facebook Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

==================== Services (Whitelisted) ===================

3 CASprint; "C:\Program Files (x86)\Sprint\Sprint SmartView\ConAppsSvc.exe" /n "CASprint" [124224 2010-12-15] (SmithMicro Inc.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\PC Checkup\SymcPCCULaunchSvc.exe /s [131512 2012-06-23] (Symantec Corporation)
2 NvtlService; "C:\Program Files (x86)\Novatel Wireless\Novacore\Server\NvtlSrvr.exe" [82944 2010-01-11] ()
2 PCCUJobMgr; "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe" /s "PCCUJobMgr" /m "C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\diMaster.dll" /prefetch:1 [132984 2009-08-29] (Symantec Corporation)
3 SprintRcAppSvc; "C:\Program Files (x86)\Sprint\Sprint SmartView\RcAppSvc.exe" /n "SprintRcAppSvc" [120128 2010-12-15] (SmithMicro Inc.)
2 TomTomHOMEService; C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe [92592 2011-12-05] (TomTom)

==================== Drivers (Whitelisted) =====================

3 mbamchameleon; C:\Windows\System32\Drivers\mbamchameleon.sys [29808 2012-06-21] ()
3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
3 PCTINDIS5X64; \??\C:\windows\system32\PCTINDIS5X64.SYS [43032 2010-12-15] (Smith Micro Inc.)
2 regi; C:\Windows\SysWow64\Drivers\regi.sys [11032 2007-04-17] (InterVideo)
3 swmsflt; C:\Windows\System32\Drivers\swmsflt.sys [47104 2010-12-15] ()
3 SWNC5E00; C:\Windows\System32\Drivers\SWNC5E00.sys [285696 2010-12-15] (Sierra Wireless Inc.)
1 dejsqfgk; \??\C:\windows\system32\drivers\dejsqfgk.sys [x]
1 eaqerdqu; \??\C:\windows\system32\drivers\eaqerdqu.sys [x]
1 qwaqblwl; \??\C:\windows\system32\drivers\qwaqblwl.sys [x]
1 rpmonruo; \??\C:\windows\system32\drivers\rpmonruo.sys [x]
1 vanxdzlm; \??\C:\windows\system32\drivers\vanxdzlm.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-09-15 19:34 - 2012-09-15 19:34 - 00000000 ____D C:\FRST
2012-09-05 18:26 - 2012-09-05 18:26 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-09-05 18:26 - 2012-09-05 18:26 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-09-05 16:28 - 2012-09-05 16:29 - 00040495 ____A C:\M1319.log
2012-09-05 16:28 - 2012-09-05 16:28 - 00000000 ____D C:\Program Files\HP
2012-09-05 16:28 - 2007-12-09 16:00 - 00574100 ____A C:\Windows\System32\hp1022n.img
2012-09-05 16:28 - 2007-12-09 16:00 - 00567296 ____A () C:\Windows\System32\ZSHP1020.EXE
2012-09-05 16:28 - 2007-12-09 16:00 - 00206768 ____A C:\Windows\System32\hp1022.img
2012-09-05 16:28 - 2007-12-09 16:00 - 00128380 ____A C:\Windows\System32\hp1020.img
2012-09-05 16:28 - 2007-12-09 16:00 - 00127488 ____A (Zenographics, Inc.) C:\Windows\System32\ZSPOOL.DLL
2012-09-05 16:28 - 2007-12-09 16:00 - 00115200 ____A (Zenographics, Inc.) C:\Windows\System32\ZLhp1020.DLL
2012-09-05 16:28 - 2007-12-09 16:00 - 00061952 ____A (Zenographics, Inc.) C:\Windows\System32\ZIMF.DLL
2012-09-05 16:28 - 2007-12-09 16:00 - 00049664 ____A (Zenographics, Inc.) C:\Windows\System32\ZTAG.DLL
2012-09-05 16:28 - 2007-12-09 16:00 - 00010632 ____A C:\Windows\System32\ZSHP1020.CHM
2012-08-29 11:08 - 2012-08-29 11:08 - 00676448 ____A (OptimumInstaller) C:\Users\el amigo 2\Downloads\mplayer_Setup.exe
2012-08-26 16:12 - 2012-09-13 07:17 - 00000948 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1253109509-727059575-4217514532-1000UA.job
2012-08-26 16:12 - 2012-09-05 16:17 - 00000926 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1253109509-727059575-4217514532-1000Core.job
2012-08-26 16:12 - 2012-08-26 16:12 - 00000000 ____D C:\Users\el amigo 2\AppData\Local\Facebook
2012-08-26 12:29 - 2012-08-26 12:29 - 00000000 ___RD C:\Program Files (x86)\Skype
2012-08-26 12:27 - 2012-08-26 12:27 - 00946352 ____A (Skype Technologies S.A.) C:\Users\el amigo 2\Downloads\SkypeSetup.exe
2012-08-17 04:25 - 2012-08-17 04:25 - 01228854 ____A C:\Users\el amigo 2\Documents\Photo_00003.bmp

==================== 3 Months Modified Files ==================

2012-09-14 13:19 - 2011-07-02 14:18 - 00065536 _____ C:\Windows\System32\Ikeext.etl
2012-09-14 13:19 - 2010-10-31 23:09 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-09-14 13:18 - 2012-06-22 02:56 - 00014916 ____A C:\Windows\setupact.log
2012-09-14 13:18 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-09-13 19:14 - 2012-04-25 09:21 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-09-13 07:31 - 2009-07-13 21:08 - 00032592 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-09-13 07:17 - 2012-08-26 16:12 - 00000948 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1253109509-727059575-4217514532-1000UA.job
2012-09-13 04:58 - 2010-10-31 23:09 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-09-05 18:27 - 2011-07-28 07:28 - 00001945 ____A C:\Windows\epplauncher.mif
2012-09-05 18:27 - 2011-02-21 03:40 - 01064116 ____A C:\Windows\WindowsUpdate.log
2012-09-05 18:26 - 2011-07-28 07:27 - 00761262 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-09-05 17:14 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-09-05 17:14 - 2009-07-13 20:45 - 00016304 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-09-05 17:05 - 2012-02-02 05:47 - 00001985 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-09-05 16:29 - 2012-09-05 16:28 - 00040495 ____A C:\M1319.log
2012-09-05 16:17 - 2012-08-26 16:12 - 00000926 ____A C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1253109509-727059575-4217514532-1000Core.job
2012-09-05 16:13 - 2009-07-13 21:13 - 00747480 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-29 11:08 - 2012-08-29 11:08 - 00676448 ____A (OptimumInstaller) C:\Users\el amigo 2\Downloads\mplayer_Setup.exe
2012-08-26 12:27 - 2012-08-26 12:27 - 00946352 ____A (Skype Technologies S.A.) C:\Users\el amigo 2\Downloads\SkypeSetup.exe
2012-08-26 12:13 - 2012-02-02 05:48 - 00001080 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-08-22 16:21 - 2012-06-24 06:56 - 00009612 ____A C:\Windows\PFRO.log
2012-08-17 04:25 - 2012-08-17 04:25 - 01228854 ____A C:\Users\el amigo 2\Documents\Photo_00003.bmp
2012-08-15 07:08 - 2012-04-25 09:20 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-15 07:08 - 2011-06-29 06:24 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-27 03:15 - 2011-06-13 17:08 - 00061472 ____A C:\Users\el amigo 2\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-27 03:15 - 2009-07-13 20:45 - 00276800 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-26 09:02 - 2012-07-26 09:02 - 00001017 ____A C:\Users\el amigo 2\Desktop\VirtualDJ Home FREE.lnk
2012-07-26 09:01 - 2012-07-26 09:00 - 36608000 ____A (Microsoft Corporation) C:\Users\el amigo 2\Downloads\install_virtualdj_home_v7.0.5.exe
2012-07-26 08:59 - 2012-07-26 08:59 - 00897888 ____A C:\Users\el amigo 2\Downloads\virtual dj setup.exe
2012-07-03 09:46 - 2011-07-28 08:12 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-06-30 09:09 - 2011-07-06 08:06 - 00000258 _RASH C:\Users\All Users\ntuser.pol
2012-06-30 03:33 - 2012-06-30 03:44 - 01228854 ____A C:\Users\el amigo 2\Documents\Photo_00001.bmp
2012-06-27 10:55 - 2012-06-27 10:55 - 00001108 ____A C:\Users\Public\Desktop\Yahoo! Messenger.lnk
2012-06-23 07:39 - 2012-06-23 07:39 - 00001923 ____A C:\Users\Public\Desktop\PC Checkup.lnk
2012-06-23 04:55 - 2009-07-13 18:36 - 00175616 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2012-06-23 04:55 - 2009-07-13 18:36 - 00152576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2012-06-22 05:56 - 2012-06-22 05:56 - 13085120 ____A (Microsoft Corporation) C:\Users\el amigo 2\Downloads\Silverlight_x64(1).exe
2012-06-22 05:55 - 2012-06-22 05:54 - 13085120 ____A (Microsoft Corporation) C:\Users\el amigo 2\Downloads\Silverlight_x64.exe
2012-06-22 02:56 - 2012-06-22 02:56 - 00000000 ____A C:\Windows\setuperr.log
2012-06-21 08:51 - 2012-06-21 08:51 - 00029808 ____A C:\Windows\System32\Drivers\mbamchameleon.sys

ZeroAccess:
C:\Windows\Installer\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}
C:\Windows\Installer\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}\@
C:\Windows\Installer\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}\L
C:\Windows\Installer\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}\U
C:\Windows\Installer\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}\U\[email protected]

ZeroAccess:
C:\Users\el amigo 2\AppData\Local\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}
C:\Users\el amigo 2\AppData\Local\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}\@
C:\Users\el amigo 2\AppData\Local\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}\L
C:\Users\el amigo 2\AppData\Local\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}\U
C:\Users\el amigo 2\AppData\Local\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}\U\[email protected]
C:\Users\el amigo 2\AppData\Local\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}\U\[email protected]
C:\Users\el amigo 2\AppData\Local\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}\U\[email protected]

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-07-26 09:02:23
Restore point made on: 2012-08-29 06:31:48
Restore point made on: 2012-09-05 18:32:21
Restore point made on: 2012-09-06 18:47:27
Restore point made on: 2012-09-08 04:05:56
Restore point made on: 2012-09-08 04:49:17
Restore point made on: 2012-09-11 13:17:35
Restore point made on: 2012-09-13 03:51:41
Restore point made on: 2012-09-14 12:51:58

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3835.68 MB
Available physical RAM: 3283.93 MB
Total Pagefile: 3833.83 MB
Available Pagefile: 3267.14 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (TI106050W0B) (Fixed) (Total:452.66 GB) (Free:397.64 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive d: (System) (Fixed) (Total:1.46 GB) (Free:1.27 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: (BETO 4GB) (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 3835 MB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 452 GB 1501 MB
Partition 3 Primary 11 GB 454 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D System NTFS Partition 1500 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C TI106050W0B NTFS Partition 452 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: No

There is no volume associated with this partition.

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3827 MB 19 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F BETO 4GB FAT32 Removable 3827 MB Healthy

=========================================================

Last Boot: 2012-08-27 06:29

==================== End Of Log =============================

#4 CompCav (Expert)
Good job getting the initial file.

We need to perform a file search before preparing the initial fix.


  • Restart your computer like you did before to start FRST and get to the FRST screen.
  • Type the following into the search box:

services.exe*

  • Press the Search button.
  • Once it completes, a message will pop up indicating that the search is completed.
  • It will make a log (Search.txt) on the flash drive. Please copy and paste it to your reply.


#5 beto18 (Topic Starter)
Farbar Recovery Scan Tool (x64) Version: 15-09-2012 03
Ran by SYSTEM at 2012-09-15 20:32:02
Running from F:\

================== Search: "services.exe*" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\winsxs\amd64_microsoft-windows-s..ontroller.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c5f238be3fa63468\services.exe.mui
[2009-07-13 21:35] - [2009-07-13 18:25] - 0017408 ____A (Microsoft Corporation) 6507BF0DC2D1F5F32493C288EAA59277

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

C:\Windows\System32\en-US\services.exe.mui
[2009-07-13 21:35] - [2009-07-13 18:25] - 0017408 ____A (Microsoft Corporation) 6507BF0DC2D1F5F32493C288EAA59277

====== End Of Search ======
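The FRST.txt in post #3 and this Search.txt together carry every signal CompCav's fix acted on. As an added example, not code from the thread or from FRST, the Python below parses constructed excerpts of both logs (lines copied from this thread) and flags those signals: start-type-1 drivers whose .sys file is reported missing ([x]), paths FRST labelled ZeroAccess, and a System32 services.exe whose MD5 differs from the WinSxS component-store copy. The function names are my own.

```python
# Added example (not FRST's code): parse FRST.txt/Search.txt excerpts and flag what the fix acted on.
from __future__ import annotations
import re

# Constructed excerpt of the FRST.txt in post #3 (relevant sections only).
FRST_TXT = r"""==================== Drivers (Whitelisted) =====================
3 MBAMProtector; \??\C:\windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
1 dejsqfgk; \??\C:\windows\system32\drivers\dejsqfgk.sys [x]
1 eaqerdqu; \??\C:\windows\system32\drivers\eaqerdqu.sys [x]

ZeroAccess:
C:\Windows\Installer\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}
C:\Windows\Installer\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7}\U

==================== Bamital & volsnap Check =================
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
"""

# Constructed excerpt of the Search.txt in post #5.
SEARCH_TXT = r"""================== Search: "services.exe*" ===================
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

MD5_RE = r"[0-9A-Fa-f]{32}"

def missing_drivers(log: str) -> list[dict]:
    """Driver entries whose .sys file FRST could not find ([x]); start type 1 = boot-time load."""
    found = []
    for line in log.splitlines():
        m = re.match(r"^(\d)\s+([^;]+);\s+(.+?)\s+\[x\]\s*$", line)
        if m:
            found.append({"start": int(m.group(1)), "name": m.group(2), "path": m.group(3)})
    return found

def zeroaccess_paths(log: str) -> list[str]:
    """Paths listed under a 'ZeroAccess:' heading; the block ends at the next blank line."""
    paths, in_block = [], False
    for line in log.splitlines():
        if line.strip() == "ZeroAccess:":
            in_block = True
        elif in_block and not line.strip():
            in_block = False
        elif in_block:
            paths.append(line.strip())
    return paths

def hash_check_failures(log: str) -> list[dict]:
    """Hash-check lines that carry an MD5 and a verdict instead of '=> MD5 is legit'."""
    pat = rf"^([A-Za-z]:\\\S+)\s+({MD5_RE})\s+(\S+)\s+<====\s*ATTENTION"
    out = []
    for line in log.splitlines():
        m = re.match(pat, line)
        if m:
            out.append({"path": m.group(1), "md5": m.group(2).upper(), "verdict": m.group(3)})
    return out

def parse_search(log: str) -> dict[str, str]:
    """Map each path in Search.txt to the MD5 printed at the end of its detail line."""
    hashes, pending = {}, None
    for line in log.splitlines():
        if re.match(r"^[A-Za-z]:\\", line):
            pending = line.strip()
        elif pending:
            m = re.search(rf"({MD5_RE})\s*$", line)
            if m:
                hashes[pending] = m.group(1).upper()
                pending = None
    return hashes

def live_vs_component_store(hashes: dict[str, str], name: str) -> list[dict]:
    """Live System32 copy of `name` whose MD5 differs from a WinSxS copy (what the Fixlog repaired)."""
    name = name.lower()
    live = {p: h for p, h in hashes.items() if p.lower().endswith("\\system32\\" + name)}
    store = {p: h for p, h in hashes.items()
             if "\\winsxs\\" in p.lower() and p.lower().endswith("\\" + name)}
    return [{"live": lp, "live_md5": lh, "store": sp, "store_md5": sh}
            for lp, lh in live.items() for sp, sh in store.items() if lh != sh]

def triage(frst_txt: str, search_txt: str, target: str = "services.exe") -> dict:
    """Run every check and return the findings keyed by check name."""
    return {"missing_drivers": missing_drivers(frst_txt),
            "zeroaccess_paths": zeroaccess_paths(frst_txt),
            "hash_failures": hash_check_failures(frst_txt),
            "store_mismatch": live_vs_component_store(parse_search(search_txt), target)}

if __name__ == "__main__":
    for check, findings in triage(FRST_TXT, SEARCH_TXT).items():
        print(f"{check}: {len(findings)} finding(s)", *findings, sep="\n    ")
```

Run against a full FRST.txt and Search.txt the same way; a mismatch between the live file and the component-store copy is the cue to replace the file rather than just delete the loader drivers.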

#6 CompCav (Expert)
Download the enclosed file (fixlist.txt, attached to this post).

Save it in the USB drive.

Insert the USB drive into the ailing computer. Run FRST as you did before, except that this time around click on the Fix button.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Attempt to boot in Normal Mode. If successful, run Combofix as follows:

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programs being marked for deletion then reboot, that will cure it.



Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

#7 beto18 (Topic Starter)
OK, the laptop is running again, which is awesome, so thank you. I can't find the ComboFix log to post it.

#8 CompCav (Expert)
It is here:

Please include the C:\ComboFix.txt in your next reply.

#9 beto18 (Topic Starter)
OK, here is the fix log.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 15-09-2012 03
Ran by SYSTEM at 2012-09-15 21:05:50 Run:1
Running from F:\

==============================================

dejsqfgk service deleted successfully.
eaqerdqu service deleted successfully.
qwaqblwl service deleted successfully.
rpmonruo service deleted successfully.
vanxdzlm service deleted successfully.
C:\windows\system32\drivers\dejsqfgk.sys not found.
C:\windows\system32\drivers\eaqerdqu.sys not found.
C:\windows\system32\drivers\qwaqblwl.sys not found.
C:\windows\system32\drivers\rpmonruo.sys not found.
C:\windows\system32\drivers\vanxdzlm.sys not found.
C:\Windows\Installer\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7} moved successfully.
C:\Users\el amigo 2\AppData\Local\{ac074fcf-d3e7-934a-caa6-9f94cb918cf7} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


I can't find the ComboFix log anywhere.

#10 CompCav (Expert)
Did it run and complete?

#11 beto18 (Topic Starter)
It did. I went to get something to drink, and when I came back it was done running and the only thing on the screen was the desktop.

#12 CompCav (Expert)
What issues do you still have with the computer?

#13 beto18 (Topic Starter)
None so far; it's working fine. Thank you for your help.

#14 CompCav (Expert)
Make sure ComboFix is on your desktop and re-run it. Then post the log. Use the instructions in post #6 to run ComboFix.

Regards,

CompCav

#15 beto18 (Topic Starter)
OK, I ran it again, and once it ran there was no log, but after a few minutes a blue cmd box popped up and said that ComboFix was going to scan my computer and it was creating a restore point. It's scanning now.