Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

my computer is infected

Started by Stuzilla , Apr 13 2015 08:15 PM
In Progress

  • Please log in to reply

#16
RKinner
Posted 15 April 2015 - 09:31 PM

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP

The mentions in the addition.txt are taken from the event log.  I wonder if gmer would find anything?  Gmer is supposed to find hidden rootkit files.

 

Download GMER from http://www.gmer.net/download.php Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on http://www.bleepingcomputer.com/forums/topic114351.html to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

    • 0

    Advertisements

    #17
    Stuzilla
    Posted 17 April 2015 - 12:30 PM

    Stuzilla

      Member

    • Topic Starter
    • Member
    • PipPip
    • 17 posts
    GMER 2.1.19357 - http://www.gmer.net
    Rootkit scan 2015-04-17 19:29:10
    Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST3250318AS rev.CC38 232.89GB
    Running: r6v7kqfp.exe; Driver: C:\Users\Suzilla\AppData\Local\Temp\pxldipob.sys
     
     
    ---- User code sections - GMER 2.1 ----
     
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17      0000000075621401 2 bytes JMP 75aeb1ef C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17        0000000075621419 2 bytes JMP 75aeb31a C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17      0000000075621431 2 bytes JMP 75b68f09 C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42      000000007562144a 2 bytes CALL 75ac4885 C:\Windows\syswow64\kernel32.dll
    .text  ...                                                                                                                                    * 9
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17         00000000756214dd 2 bytes JMP 75b68802 C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000756214f5 2 bytes JMP 75b689d8 C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17         000000007562150d 2 bytes JMP 75b686f8 C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075621525 2 bytes JMP 75b68ac2 C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17        000000007562153d 2 bytes JMP 75adfc78 C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17             0000000075621555 2 bytes JMP 75ae68bf C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17      000000007562156d 2 bytes JMP 75b68fc1 C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17        0000000075621585 2 bytes JMP 75b68b22 C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17           000000007562159d 2 bytes JMP 75b686bc C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17        00000000756215b5 2 bytes JMP 75adfd11 C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17      00000000756215cd 2 bytes JMP 75aeb2b0 C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000756216b2 2 bytes JMP 75b68e84 C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[2600] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000756216bd 2 bytes JMP 75b68651 C:\Windows\syswow64\kernel32.dll
    .text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[4896] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter                   0000000075ac8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
     
    ---- EOF - GMER 2.1 ----
     
     
    here is the log the first time i tried to run the scan it blue screened on me but ran okay the second time and also avast keeping blocking URL's on chrome so there's definitely something nasty lurking

    • 0

    #18
    RKinner
    Posted 17 April 2015 - 02:33 PM

    RKinner

      Malware Expert

    • Expert
    • 24,624 posts
    • MVP

    Not showing much.  let's try Rogue Killer

     

     
    • Download Rogue Killer from 
     
    http://www.adlice.co...res/roguekillerand save it on your desktop.  
  • Quit all programs and pause Avast
  • Start RogueKiller.exe. 
  • Wait until Prescan has finished ...  
  • Click on Scan
    • RGKRScan.png    
  • Wait for the end of the scan.  
  • Send me the RKreport.txt located on your desktop.

    • 0

    #19
    Stuzilla
    Posted 17 April 2015 - 04:15 PM

    Stuzilla

      Member

    • Topic Starter
    • Member
    • PipPip
    • 17 posts
    RogueKiller V10.5.10.0 (x64) [Apr 14 2015] by Adlice Software
     
    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Suzilla [Administrator]
    Started from : C:\Users\Suzilla\Desktop\New folder (3)\RogueKillerX64.exe
    Mode : Scan -- Date : 04/17/2015  23:13:47
     
    ¤¤¤ Processes : 0 ¤¤¤
     
    ¤¤¤ Registry : 8 ¤¤¤
    [Suspicious.Path|Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxldipob (\??\C:\Users\Suzilla\AppData\Local\Temp\pxldipob.sys) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pxldipob (\??\C:\Users\Suzilla\AppData\Local\Temp\pxldipob.sys) -> Found
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
     
    ¤¤¤ Tasks : 0 ¤¤¤
     
    ¤¤¤ Files : 1 ¤¤¤
    [Suspicious.Path][File] GarageBand.lnk -- C:\Users\Suzilla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GarageBand.lnk [LNK@] C:\ProgramData\{2f2f7393-7e90-1937-2f2f-f73937e9ce4d}\GarageBand.exe --startup=1 -> Found
     
    ¤¤¤ Hosts File : 48 ¤¤¤
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 3dns.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 3dns-1.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 3dns-2.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 3dns-3.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 3dns-4.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate-sea.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate-sjc0.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate.wip.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate.wip1.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate.wip2.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate.wip3.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 activate.wip4.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 adobe-dns.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 adobe-dns-1.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 adobe-dns-2.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 adobe-dns-3.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 adobe-dns-4.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 adobeereg.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 practivate.adobe
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 practivate.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 practivate.adobe.newoa
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 practivate.adobe.ntp
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 practivate.adobe.ipp
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ereg.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ereg.wip.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ereg.wip1.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ereg.wip2.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ereg.wip3.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ereg.wip4.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 hl2rcv.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 wip.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 wip1.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 wip2.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 wip3.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 wip4.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.adobeereg.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 wwis-dubc1-vip60.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.wip.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.wip1.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.wip2.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.wip3.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 www.wip4.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 wwis-dubc1-vip60.adobe.com
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 crl.verisign.net
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 CRL.VERISIGN.NET
    [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 ood.opsource.net
     
    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
     
    ¤¤¤ Web browsers : 0 ¤¤¤
     
    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST3250318AS ATA Device +++++
    --- User ---
    [MBR] f3081c2a22ad184340315f3217c33de7
    [BSP] 85132da7118154b708d7cf0ced4064bd : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 238373 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK
     
    +++++ PhysicalDrive1: SAMSUNG HD103SJ ATA Device +++++
    --- User ---
    [MBR] 9579a566a3f826bbd7125727caa8238a
    [BSP] 290ffdb5793a54c81051d44306687226 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK
     
     
    here you go hopefully we're narrowing it down now

    • 0

    #20
    RKinner
    Posted 17 April 2015 - 06:28 PM

    RKinner

      Malware Expert

    • Expert
    • 24,624 posts
    • MVP

    Not really.  These:

     

    [Suspicious.Path|Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxldipob (\??\C:\Users\Suzilla\AppData\Local\Temp\pxldipob.sys) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pxldipob (\??\C:\Users\Suzilla\AppData\Local\Temp\pxldipob.sys) -> Found

     

     

     
    are actually gmer.
     
    The next two:
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found

     

     

    How to remove the user's root profile folder from the Start menu.

    In Windows Vista and later, the user can open their root profile folder in Windows Explorer from the Start menu by clicking Start followed by their username at the top right of the Start menu. This allows them direct access to the folders and files within their user profile.

    If you feel users might mess around with their profiles by doing this, you can remove the user's root profile folder from the Start menu by modifying the registry as follows:

    1. Navigate to the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    2. Create a new REG_DWORD value named Start_ShowUser under this key and assign it the value 0.
    3. When the user next logs on, the user's root profile folder will not be shown on the Start menu.

    To undo this setting, change the value to 1 to display as a link or 2 to display as a menu.

     
    These:
     
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
     
    Just hide the Computer and User Files icons on the desktop.
     
     
    This is the only one which I'm not sure about:
     
    [Suspicious.Path][File] GarageBand.lnk -- C:\Users\Suzilla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GarageBand.lnk [LNK@] C:\ProgramData\{2f2f7393-7e90-1937-2f2f-f73937e9ce4d}\GarageBand.exe --startup=1 -> Found

     

     
     
    Let's try aswMBR.
     
    Download aswMBR.exe 
    to your desktop.
    right click the aswMBR.exe and Run As Administrator
    It may ask you if you wnat to downlo0ad the avast engine.  Don't think you need it so you can decline.
     
    If it crashes when you try and run it try again but uncheck trace disk IO calls first.
     
    Click the "Scan" button to start scan
    On completion of the scan (Note if the Fix button is enabled (not the FixMBR button) and tell me) click save log, save it to your desktop and post in your next reply
     
     

    • 0

    #21
    Stuzilla
    Posted 18 April 2015 - 03:44 PM

    Stuzilla

      Member

    • Topic Starter
    • Member
    • PipPip
    • 17 posts

    link to aswMBR.exe  is broken 


    • 0

    #22
    RKinner
    Posted 18 April 2015 - 06:51 PM

    RKinner

      Malware Expert

    • Expert
    • 24,624 posts
    • MVP

    Appears Avast's link is down.  I have one from February which I have attached.  It is in 7zip format so you will probably need 7zip to unzip it.  (Had to use 7zip in order to get the file small enough for the forum to accept it.)  If you don't have 7zip:  You can get it at:

    http://www.7-zip.org/a/7z920-x64.msi

     

    Once you have it you can right click on the downloaded aswmbr(3).7z and select 7-zip then Extract here.

     

     


    • 0

    #23
    Stuzilla
    Posted 18 April 2015 - 08:09 PM

    Stuzilla

      Member

    • Topic Starter
    • Member
    • PipPip
    • 17 posts
    aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
    Run date: 2015-04-19 02:32:41
    -----------------------------
    02:32:41.284    OS Version: Windows x64 6.1.7601 Service Pack 1
    02:32:41.284    Number of processors: 8 586 0x1A05
    02:32:41.284    ComputerName: THOR  UserName: 
    02:32:41.940    Initialize success
    02:32:41.955    VM: initialized successfully
    02:32:41.955    VM: Intel CPU supported virtualized 
    02:32:45.150    VM: supported disk I/O ataport.SYS
    02:32:48.661    AVAST engine defs: 15041700
    02:32:55.649    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
    02:32:55.649    Disk 0 Vendor: ST3250318AS CC38 Size: 238475MB BusType: 3
    02:32:55.665    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP7T0L0-a
    02:32:55.665    Disk 1 Vendor: SAMSUNG_HD103SJ 1AJ10001 Size: 953869MB BusType: 3
    02:32:55.993    VM: Disk 0 MBR read successfully
    02:32:55.993    Disk 0 MBR scan
    02:32:56.008    Disk 0 Windows 7 default MBR code
    02:32:56.024    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS NTFS          100 MB offset 2048
    02:32:56.039    Disk 0 Boot: NTFS     code=1
    02:32:56.086    Disk 0 Partition 2 00     07      HPFS/NTFS NTFS       238373 MB offset 206848
    02:32:56.305    Disk 0 scanning C:\Windows\system32\drivers
    02:33:12.591    Service scanning
    02:33:43.526    Modules scanning
    02:33:43.526    Disk 0 trace - called modules:
    02:33:43.557    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS pciide.sys 
    02:33:43.557    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007d84790]
    02:33:43.573    3 CLASSPNP.SYS[fffff880018c843f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-1[0xfffffa8007b3a680]
    02:33:43.900    AVAST engine scan C:\Windows
    02:33:53.245    AVAST engine scan C:\Windows\system32
    02:37:40.771    AVAST engine scan C:\Windows\system32\drivers
    02:38:13.188    AVAST engine scan C:\Users\Suzilla
    03:05:26.432    AVAST engine scan C:\ProgramData
    03:07:35.538    Disk 0 statistics 5607720/0/14 @ 1.55 MB/s
    03:07:35.553    Scan finished successfully
    03:08:35.819    Disk 0 MBR has been saved successfully to "C:\Users\Suzilla\Desktop\New folder (3)\MBR.dat"
    03:08:35.824    The log file has been saved successfully to "C:\Users\Suzilla\Desktop\New folder (3)\aswMBR.txt"
     
     
     
    fix button is not enabled

    • 0

    #24
    RKinner
    Posted 23 April 2015 - 03:10 PM

    RKinner

      Malware Expert

    • Expert
    • 24,624 posts
    • MVP

    Sorry for the delay.  We've moved and no wifi at the new house yet.  I'm down at McDonalds now.

     

    Nothing in the log unfortunately.  I wonder if we still get the error.  Can you run vew again and see if you have any new errors about the file?


    • 0

    #25
    Stuzilla
    Posted 27 April 2015 - 11:25 AM

    Stuzilla

      Member

    • Topic Starter
    • Member
    • PipPip
    • 17 posts
    thats not a problem sorry it took me so long to reply i've not really been at the computer for a few days
    here's the requested logs
     
     
    Vino's Event Viewer v01c run on Windows 2008 in English
    Report run at 27/04/2015 18:23:17
     
    Note: All dates below are in the format dd/mm/yyyy
     
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 19/04/2015 01:20:29
    Type: Critical Category: 63
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
     
    Log: 'System' Date/Time: 17/04/2015 17:14:23
    Type: Critical Category: 63
    Event: 41 Source: Microsoft-Windows-Kernel-Power
    The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
     
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 19/04/2015 01:20:45
    Type: Error Category: 0
    Event: 1001 Source: Microsoft-Windows-WER-SystemErrorReporting
    The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000109 (0xa3a039d8b7ccf708, 0xb3b7465f0a4b35da, 0xfffff88002f6f6c0, 0x0000000000000002). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 041915-26348-01.
     
    Log: 'System' Date/Time: 19/04/2015 01:20:43
    Type: Error Category: 0
    Event: 6008 Source: EventLog
    The previous system shutdown at 02:17:23 on ?19/?04/?2015 was unexpected.
     
    Log: 'System' Date/Time: 17/04/2015 17:14:39
    Type: Error Category: 0
    Event: 1001 Source: Microsoft-Windows-WER-SystemErrorReporting
    The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff800030d6c38, 0xfffff8800c6ff720, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 041715-25428-01.
     
    Log: 'System' Date/Time: 17/04/2015 17:14:38
    Type: Error Category: 0
    Event: 6008 Source: EventLog
    The previous system shutdown at 18:10:57 on ?17/?04/?2015 was unexpected.
     
    Log: 'System' Date/Time: 15/04/2015 19:19:43
    Type: Error Category: 0
    Event: 7011 Source: Service Control Manager
    A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
     
    Log: 'System' Date/Time: 14/04/2015 17:09:54
    Type: Error Category: 0
    Event: 7006 Source: Service Control Manager
    The ScRegSetValueExW call failed for FailureCommand with the following error:  Access is denied.
     
    Log: 'System' Date/Time: 14/04/2015 17:08:43
    Type: Error Category: 0
    Event: 7006 Source: Service Control Manager
    The ScRegSetValueExW call failed for Start with the following error:  Access is denied.
     
    Log: 'System' Date/Time: 14/04/2015 16:58:54
    Type: Error Category: 0
    Event: 7006 Source: Service Control Manager
    The ScRegSetValueExW call failed for Start with the following error:  Access is denied.
     
    Log: 'System' Date/Time: 14/04/2015 16:58:54
    Type: Error Category: 0
    Event: 3002 Source: Microsoft Antimalware
    The event description cannot be found.
     
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - Warning Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 27/04/2015 01:24:13
    Type: Warning Category: 0
    Event: 1014 Source: Microsoft-Windows-DNS-Client
    Name resolution for the name drtest.skype-cr.akadns.net timed out after none of the configured DNS servers responded.
     
    Log: 'System' Date/Time: 26/04/2015 22:22:33
    Type: Warning Category: 0
    Event: 1014 Source: Microsoft-Windows-DNS-Client
    Name resolution for the name drtest.skype-cr.akadns.net timed out after none of the configured DNS servers responded.
     
    Log: 'System' Date/Time: 19/04/2015 11:56:48
    Type: Warning Category: 0
    Event: 1014 Source: Microsoft-Windows-DNS-Client
    Name resolution for the name ukie.info timed out after none of the configured DNS servers responded.
     
    Log: 'System' Date/Time: 19/04/2015 00:00:00
    Type: Warning Category: 0
    Event: 36 Source: Microsoft-Windows-Time-Service
    The time service has not synchronized the system time for 86400 seconds because none of the time service providers provided a usable time stamp. The time service will not update the local system time until it is able to synchronize with a time source. If the local system is configured to act as a time server for clients, it will stop advertising as a time source to clients. The time service will continue to retry and sync time with its time sources. Check system event log for other W32time events for more details. Run 'w32tm /resync' to force an instant time synchronization.
     
    Log: 'System' Date/Time: 15/04/2015 08:25:02
    Type: Warning Category: 0
    Event: 1014 Source: Microsoft-Windows-DNS-Client
    Name resolution for the name drtest.skype-cr.akadns.net timed out after none of the configured DNS servers responded.
     
    Vino's Event Viewer v01c run on Windows 2008 in English
    Report run at 27/04/2015 18:24:01
     
    Note: All dates below are in the format dd/mm/yyyy
     
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Critical Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 14/04/2015 19:28:18
    Type: Error Category: 0
    Event: 513 Source: Microsoft-Windows-CAPI2
    Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
     
    Details:
    AddLegacyDriverFiles: Unable to back up image of binary mezotcin.
     
    System Error:
    The system cannot find the file specified. .
     
    Log: 'Application' Date/Time: 14/04/2015 19:14:31
    Type: Error Category: 0
    Event: 513 Source: Microsoft-Windows-CAPI2
    Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
     
    Details:
    AddLegacyDriverFiles: Unable to back up image of binary mezotcin.
     
    System Error:
    The system cannot find the file specified. .
     
    Log: 'Application' Date/Time: 14/04/2015 19:13:51
    Type: Error Category: 0
    Event: 513 Source: Microsoft-Windows-CAPI2
    Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
     
    Details:
    AddLegacyDriverFiles: Unable to back up image of binary mezotcin.
     
    System Error:
    The system cannot find the file specified. .
     
    Log: 'Application' Date/Time: 14/04/2015 19:09:09
    Type: Error Category: 0
    Event: 513 Source: Microsoft-Windows-CAPI2
    Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
     
    Details:
    AddLegacyDriverFiles: Unable to back up image of binary mezotcin.
     
    System Error:
    The system cannot find the file specified. .
     
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - Warning Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 16/04/2015 02:36:26
    Type: Warning Category: 0
    Event: 1130 Source: .NET Runtime Optimization Service
    .NET Runtime Optimization Service (2.0.50727.5485) - Version or flavor did not match with repository: Microsoft.GroupPolicy.Reporting
     
    Log: 'Application' Date/Time: 16/04/2015 02:36:17
    Type: Warning Category: 0
    Event: 1130 Source: .NET Runtime Optimization Service
    .NET Runtime Optimization Service (2.0.50727.5485) - Version or flavor did not match with repository: Microsoft.MediaCenter.UI
     
    Log: 'Application' Date/Time: 16/04/2015 02:36:17
    Type: Warning Category: 0
    Event: 1130 Source: .NET Runtime Optimization Service
    .NET Runtime Optimization Service (2.0.50727.5485) - Version or flavor did not match with repository: Microsoft.MediaCenter
     
    Log: 'Application' Date/Time: 16/04/2015 02:34:21
    Type: Warning Category: 0
    Event: 1130 Source: .NET Runtime Optimization Service
    .NET Runtime Optimization Service (2.0.50727.5485) - Version or flavor did not match with repository: Microsoft.MediaCenter.Bml
     
    Log: 'Application' Date/Time: 16/04/2015 02:34:17
    Type: Warning Category: 0
    Event: 1130 Source: .NET Runtime Optimization Service
    .NET Runtime Optimization Service (2.0.50727.5485) - Version or flavor did not match with repository: Microsoft.GroupPolicy.Reporting
     
    Log: 'Application' Date/Time: 16/04/2015 02:33:41
    Type: Warning Category: 0
    Event: 1130 Source: .NET Runtime Optimization Service
    .NET Runtime Optimization Service (2.0.50727.5485) - Version or flavor did not match with repository: ehshell
     
    Log: 'Application' Date/Time: 16/04/2015 02:33:29
    Type: Warning Category: 0
    Event: 1130 Source: .NET Runtime Optimization Service
    .NET Runtime Optimization Service (2.0.50727.5485) - Version or flavor did not match with repository: Microsoft.MediaCenter.UI
     
    Log: 'Application' Date/Time: 16/04/2015 02:33:27
    Type: Warning Category: 0
    Event: 1130 Source: .NET Runtime Optimization Service
    .NET Runtime Optimization Service (2.0.50727.5485) - Version or flavor did not match with repository: Microsoft.MediaCenter
     
    Log: 'Application' Date/Time: 16/04/2015 02:29:15
    Type: Warning Category: 0
    Event: 63 Source: Microsoft-Windows-WMI
    A provider, InvProv, has been registered in the Windows Management Instrumentation namespace Root\cimv2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
     
    Log: 'Application' Date/Time: 16/04/2015 02:29:15
    Type: Warning Category: 0
    Event: 63 Source: Microsoft-Windows-WMI
    A provider, InvProv, has been registered in the Windows Management Instrumentation namespace Root\cimv2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
     
    Log: 'Application' Date/Time: 16/04/2015 02:25:47
    Type: Warning Category: 0
    Event: 1530 Source: Microsoft-Windows-User Profiles Service
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   15 user registry handles leaked from \Registry\User\S-1-5-21-3414432899-1644431961-3641730241-1000:
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\SystemCertificates\My
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\SystemCertificates\TrustedPeople
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\SystemCertificates\CA
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\SystemCertificates\Disallowed
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\SystemCertificates\Root
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Policies\Microsoft\SystemCertificates
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\SystemCertificates\SmartCardRoot
    Process 1464 (\Device\HarddiskVolume2\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\SystemCertificates\trust
     
     
    Log: 'Application' Date/Time: 16/04/2015 02:09:49
    Type: Warning Category: 1
    Event: 1020 Source: ASP.NET 4.0.30319.0
    Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.
     
    Log: 'Application' Date/Time: 16/04/2015 02:09:41
    Type: Warning Category: 1
    Event: 1020 Source: ASP.NET 4.0.30319.0
    Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.
     
    Log: 'Application' Date/Time: 15/04/2015 19:14:36
    Type: Warning Category: 0
    Event: 1530 Source: Microsoft-Windows-User Profiles Service
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   0 user registry handles leaked from \Registry\User\S-1-5-21-3414432899-1644431961-3641730241-1000:
     
     
    Log: 'Application' Date/Time: 14/04/2015 19:16:34
    Type: Warning Category: 0
    Event: 10010 Source: Microsoft-Windows-RestartManager
    Application 'C:\Windows\explorer.exe' (pid 3188) cannot be restarted - Application SID does not match Conductor SID..
     
    Log: 'Application' Date/Time: 14/04/2015 18:59:41
    Type: Warning Category: 0
    Event: 1530 Source: Microsoft-Windows-User Profiles Service
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   1 user registry handles leaked from \Registry\User\S-1-5-21-3414432899-1644431961-3641730241-1000:
    Process 5776 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
     
     
    Log: 'Application' Date/Time: 14/04/2015 18:58:57
    Type: Warning Category: 0
    Event: 10010 Source: Microsoft-Windows-RestartManager
    Application 'C:\Users\Suzilla\AppData\Local\Google\Chrome\Application\chrome.exe' (pid 2960) cannot be restarted - Application SID does not match Conductor SID..
     
    Log: 'Application' Date/Time: 14/04/2015 18:58:57
    Type: Warning Category: 0
    Event: 10010 Source: Microsoft-Windows-RestartManager
    Application 'C:\Windows\explorer.exe' (pid 3992) cannot be restarted - Application SID does not match Conductor SID..
     
    Log: 'Application' Date/Time: 14/04/2015 16:56:46
    Type: Warning Category: 0
    Event: 1530 Source: Microsoft-Windows-User Profiles Service
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   1 user registry handles leaked from \Registry\User\S-1-5-21-3414432899-1644431961-3641730241-1000:
    Process 6768 (\Device\HarddiskVolume2\Windows\System32\msiexec.exe) has opened key \REGISTRY\USER\S-1-5-21-3414432899-1644431961-3641730241-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
     
     
     
     

    • 0

    Advertisements

    #26
    RKinner
    Posted 27 April 2015 - 02:59 PM

    RKinner

      Malware Expert

    • Expert
    • 24,624 posts
    • MVP

    You have had two blue screens.  The first one is possibly memory error so you need to run the built-in memory test.

    http://www.sevenforu...stics-tool.html

     

    Also see: http://www.faultwire...0109-*1262.html

     

    The second one is usually a bad driver but can also be caused by memory.  Make sure it is not getting too hot.

     

    I don't see any new errors with our friend so perhaps it has gone away.

     

    We are going on vacation tomorrow and won't be taking a laptop - just the tablet so won't be able to help you until after we get back on May 13th.  You might want to start a new topic and reference this one so some one else can help you while I am gone..


    • 0
    Back to Virus, Spyware, Malware Removal · Next Unread Topic →




    Similar Topics

    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users

    1. Geeks to Go Community
    2. Security
    3. Virus, Spyware, Malware Removal

    As Featured On:

    Microsoft Yahoo BBC MSN PC Magazine Washington Post HP