
Vista Won't Start, Normally Or Repair Mode, Black Screen

Discussion in 'Malware Removal Help' started by CarolsSis, Jun 23, 2012.

  1. etavares

    etavares Malware Removal Specialist - Moderator

    Joined:
    Aug 6, 2011
    Messages:
    259
    Location:
    USA (GMT -5)
    OK, since it's mbr.txt.dat, let's do this instead. I'd strongly prefer to get the actual file, instead of cut and paste for this one. We are only renaming it to txt so you can attach it. :)

    Click Start (The Windows orb) --> Computer
    Press Alt-T in the Computer window to bring up the Tools menu then click Folder Options
    Click the View tab.
    Under Advanced Settings, find Hide extensions for known file types and uncheck the box next to it.
    Click OK.
    Close the Computer window.
    You should see mbr.txt.dat on your desktop.
    Right-click mbr.txt.dat and click Rename
    Delete the .dat so it's only mbr.txt then press Enter to accept the new name.
    It will warn you about changing the file type, click Yes to allow it.
    Attach mbr.txt in your reply.
     
  2. CarolsSis

    CarolsSis Registered Members

    Joined:
    Aug 28, 2011
    Messages:
    206
    Location:
    home
    Operating System:
    Windows Vista Enterprise
  3. CarolsSis

    It's in the next post, somehow skipped this one.
     
  4. etavares

    Hello, Carolsis.
    OK, perfect. Thanks! It is very odd...not a clear virus, but not necessarily a typical partition table. It has a fairly rare partition type for your C:\ drive. I'm loath to touch it right now until we rule out other options. It probably is legitimate, depending how you answer these questions: How old is this computer? What brand/model is it?

    Next, please download ComboFix from one of these locations:
    * IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
    • Double click on etavaresCF.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

    Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

    etavares
     
  5. CarolsSis

    It's an Acer Aspire laptop, model 4720Z. I think I received it in January 2008, 5 years. I saw the operating system files on C drive, not sure why it's such a high amount and not (apparently) in a partition. Also files on D drive appear to be system files too. This laptop has Empowering technology from Acer embedded on it. When I tried to register it with Acer, it didn't work. At one point I removed the eAudio empowering section, it was interfering with my sound, not compatible with one in Windows. I have many questions regarding what is on both drives, in partitions, and free space. Maybe we should discuss those issues soon.

    I can't find where to disable any of my anti programs. Spybot, Malwarebytes, Avast.
     
  6. CarolsSis

    I didn't get either of those boxes about the recovery console. It just started AutoRun. Flashed on ERUNT, I think it said it was backing up files, went off too quickly. Rebooted.
    Have no internet connection, or email. Message reads, Illegal operation attempted on registry key that is marked for deletion after trying IE and Mail. Also same message for file on Notepad with the log file. The laptop is off, can't post on it. Will wait for your instruction.
    Log note at end of autorun said windows32\services.exe file was infected. Successfully restored.
     
  7. etavares

    That error will go away when you reboot. Please reboot and attach C:\combofix.txt
     
  8. CarolsSis

    1. I have no internet connection with laptop, email program does not come on.
    2. The log from combo.fix is gone. When I clicked on it, it disappeared. Double checked (notepad, wordpad, downloads), it is not on the computer anywhere. I was going to post the log here.
    3. I booted into safe mode, chose Repair computer, got 10 notices from Spybot, wrote them all down. Last one is to disable registry tool.
    4.There is a windows shield on top of Combo.fix on desktop.
     
  9. etavares

    Hello, Carolsis.
    Hi Carolsis,

    Please do not do any scans or fixes that I haven't specifically asked for...it takes us back to square one. The Spybot likely detected Combofix as the issue...spyware programs often detect our tools as viruses since they do things like edit the registry. Without seeing your Spybot log, I can't speak to this. Did you disable Spybot before running Combofix?

    For these, please use a USB flash drive to transfer the programs over to the computer with the issues and to get the logfiles back.



    Step 1

    1. Download TDSSKiller.exe and save it to your desktop.
    2. Double-click TDSSKiller.exe to run it.
    3. Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
    4. Click Start scan and allow it to scan for Malicious objects.
    5. If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
    6. If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
    7. It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
    8. A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
      for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
    9. If no reboot is required, click on Report. A log file should appear.
    10. Please post the contents of the logfile in your next reply



    Step 2

    Download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    If you have a 64-bit system, please download the 64 bit version from here:
    SystemLook (64-bit)

    • Double-click SystemLook.exe to run it.
    • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy and Paste the content of the following codebox into the main textfield under "File":
      Code:
      :filefind
      combofix.txt
      :dir
      C:\qoobox /s

    • Please confirm everything is copied and pasted as I have provided above
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan.
    • Please post this log in your next reply.


    Note: The log can also be found on your Desktop entitled SystemLook.txt
    2nd Note: The scan may take a while, from several seconds to a minute or more, depending on the number of files you have and how fast your computer can perform the task


    etavares
     
  10. CarolsSis

    ComboFix 12-07-08.01 - Jan 07/08/2012 19:01:16.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1080 [GMT -7:00]
    Running from: c:\users\Jan\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Infected copy of c:\windows\system32\Services.exe was found and disinfected
    Restored copy from - c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-09 to 2012-07-09 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-09 02:09 . 2012-07-09 02:09 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-06 14:18 . 2012-06-18 10:14 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ADD1E029-F9FD-4316-9ACB-67D5703D4231}\mpengine.dll
    2012-07-02 04:00 . 2012-07-02 04:00 -------- d-----w- C:\EGIS_Drive
    2012-07-01 11:55 . 2009-09-23 18:50 398336 ----a-w- c:\windows\system32\TVWizudlg.exe
    2012-07-01 11:55 . 2009-09-23 18:49 140288 ----a-w- c:\windows\system32\igfxtvcx.dll
    2012-07-01 01:32 . 2012-07-01 01:32 -------- d-----w- c:\windows\MATS
    2012-07-01 01:32 . 2012-07-01 01:33 -------- d-----w- c:\program files\Microsoft Fix it Center
    2012-07-01 00:53 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2012-07-01 00:53 . 2012-03-01 14:46 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-07-01 00:53 . 2012-02-29 14:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-07-01 00:53 . 2012-02-29 13:41 1069056 ----a-w- c:\windows\system32\DWrite.dll
    2012-07-01 00:53 . 2012-03-01 14:46 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-07-01 00:53 . 2012-02-29 13:44 683008 ----a-w- c:\windows\system32\d2d1.dll
    2012-07-01 00:43 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-07-01 00:43 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-07-01 00:43 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-07-01 00:43 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-07-01 00:43 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
    2012-07-01 00:42 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-07-01 00:42 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-07-01 00:42 . 2012-06-02 22:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-07-01 00:42 . 2012-06-02 22:12 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-30 17:28 . 2012-06-30 17:28 -------- d-----w- c:\program files\Windows Portable Devices
    2012-06-30 17:19 . 2009-09-10 02:00 92672 ----a-w- c:\windows\system32\UIAnimation.dll
    2012-06-30 17:19 . 2009-09-10 02:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
    2012-06-30 17:19 . 2009-09-10 02:00 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
    2012-06-30 17:16 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
    2012-06-30 17:16 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
    2012-06-30 17:16 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
    2012-06-30 17:16 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
    2012-06-30 17:15 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
    2012-06-30 17:15 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
    2012-06-30 17:15 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
    2012-06-30 17:15 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
    2012-06-30 17:15 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
    2012-06-30 17:15 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
    2012-06-30 17:15 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
    2012-06-30 17:15 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
    2012-06-30 17:06 . 2012-02-29 15:11 5120 ----a-w- c:\windows\system32\wmi.dll
    2012-06-30 17:06 . 2012-02-29 15:11 172032 ----a-w- c:\windows\system32\wintrust.dll
    2012-06-30 17:06 . 2012-02-29 15:09 157696 ----a-w- c:\windows\system32\imagehlp.dll
    2012-06-30 17:06 . 2012-02-29 13:32 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-06-30 16:58 . 2012-06-30 16:58 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
    2012-06-30 16:58 . 2012-06-30 16:58 519680 ----a-w- c:\windows\system32\d3d11.dll
    2012-06-30 16:58 . 2012-06-30 16:58 369664 ----a-w- c:\windows\system32\WMPhoto.dll
    2012-06-30 16:58 . 2012-06-30 16:58 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
    2012-06-30 16:58 . 2012-06-30 16:58 252928 ----a-w- c:\windows\system32\dxdiag.exe
    2012-06-30 16:58 . 2012-06-30 16:58 195584 ----a-w- c:\windows\system32\dxdiagn.dll
    2012-06-30 16:58 . 2012-06-30 16:58 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2012-06-30 16:30 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2012-06-30 16:30 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll
    2012-06-30 16:30 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
    2012-06-30 16:30 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
    2012-06-30 16:30 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
    2012-06-30 16:30 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
    2012-06-30 16:30 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
    2012-06-30 16:30 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
    2012-06-30 16:30 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-06-30 16:30 . 2011-10-14 16:03 189952 ----a-w- c:\windows\system32\winmm.dll
    2012-06-30 16:30 . 2011-10-14 16:00 23552 ----a-w- c:\windows\system32\mciseq.dll
    2012-06-30 16:29 . 2011-11-18 20:23 1205064 ----a-w- c:\windows\system32\ntdll.dll
    2012-06-30 16:29 . 2011-10-14 16:02 429056 ----a-w- c:\windows\system32\EncDec.dll
    2012-06-30 16:29 . 2012-03-20 23:28 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
    2012-06-30 16:29 . 2012-03-30 12:39 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2012-06-30 16:27 . 2011-11-16 16:23 377344 ----a-w- c:\windows\system32\winhttp.dll
    2012-06-30 16:13 . 2012-01-09 15:54 613376 ----a-w- c:\windows\system32\rdpencom.dll
    2012-06-30 15:45 . 2011-08-13 04:43 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
    2012-06-30 15:31 . 2009-01-08 01:20 265720 ----a-w- c:\program files\Internet Explorer\msdbg2.dll
    2012-06-30 15:31 . 2009-01-08 01:20 355832 ----a-w- c:\program files\Internet Explorer\pdm.dll
    2012-06-30 15:04 . 2012-06-30 15:05 -------- d-----w- c:\windows\system32\ca-ES
    2012-06-30 15:04 . 2012-06-30 15:05 -------- d-----w- c:\windows\system32\eu-ES
    2012-06-30 15:04 . 2012-06-30 15:05 -------- d-----w- c:\windows\system32\vi-VN
    2012-06-30 15:00 . 2012-06-30 15:00 -------- d-----w- c:\windows\system32\SPReview
    2012-06-30 14:44 . 2009-04-11 06:28 928768 ----a-w- c:\windows\system32\scavenge.dll
    2012-06-30 14:44 . 2009-04-11 06:27 57856 ----a-w- c:\windows\system32\compcln.exe
    2012-06-30 14:42 . 2009-04-11 06:28 564224 ----a-w- c:\windows\system32\emdmgmt.dll
    2012-06-30 14:41 . 2009-04-11 06:28 52224 ----a-w- c:\windows\system32\mmci.dll
    2012-06-30 14:40 . 2009-04-11 06:28 99840 ----a-w- c:\windows\system32\ulib.dll
    2012-06-30 14:37 . 2012-06-30 14:37 -------- d-----w- c:\windows\system32\EventProviders
    2012-06-30 13:29 . 2009-11-08 17:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2012-06-30 13:29 . 2009-11-08 17:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2012-06-30 13:29 . 2009-11-08 17:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2012-06-30 13:29 . 2009-11-08 17:55 297808 ----a-w- c:\windows\system32\mscoree.dll
    2012-06-30 13:29 . 2009-11-08 17:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2012-06-30 06:38 . 2012-06-30 06:39 -------- d-----w- c:\program files\Google
    2012-06-30 06:38 . 2012-06-28 12:52 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-06-30 06:38 . 2012-06-28 12:52 353688 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-06-30 06:38 . 2012-06-28 12:52 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-06-30 06:38 . 2012-06-28 12:52 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-06-30 06:38 . 2012-06-28 12:52 721000 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-06-30 06:37 . 2012-06-28 12:52 57656 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-06-30 06:36 . 2012-06-28 12:52 41224 ----a-w- c:\windows\avastSS.scr
    2012-06-30 06:36 . 2012-06-28 12:51 227648 ----a-w- c:\windows\system32\aswBoot.exe
    2012-06-30 06:36 . 2012-06-30 06:36 -------- d-----w- c:\programdata\AVAST Software
    2012-06-30 06:36 . 2012-06-30 06:36 -------- d-----w- c:\program files\AVAST Software
    2012-06-30 05:51 . 2012-06-30 06:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-30 05:51 . 2012-06-30 05:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-06-30 05:28 . 2012-06-30 05:28 -------- d-----w- c:\programdata\Malwarebytes
    2012-06-30 05:28 . 2012-06-30 05:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-06-30 05:28 . 2012-04-04 22:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-30 03:54 . 2008-05-27 04:59 18904 ----a-w- c:\windows\system32\StructuredQuerySchemaTrivial.bin
    2012-06-30 03:04 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2012-06-30 03:04 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
    2012-06-30 03:04 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2012-06-30 03:02 . 2012-06-30 03:02 -------- d-----w- c:\program files\MSXML 4.0
    2012-06-30 02:56 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2012-06-30 02:55 . 2010-10-12 13:41 515584 ----a-w- c:\program files\Windows Mail\wab.exe
    2012-06-30 02:55 . 2010-10-12 15:53 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
    2012-06-30 02:55 . 2010-10-12 13:41 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
    2012-06-30 02:55 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
    2012-06-30 02:53 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-30 02:53 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
    2012-06-30 02:53 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
    2012-06-30 02:53 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
    2012-06-30 02:53 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
    2012-06-30 02:53 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
    2012-06-30 02:53 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
    2012-06-30 02:53 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
    2012-06-30 02:53 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
    2012-06-30 02:52 . 2009-04-11 06:27 53248 ----a-w- c:\windows\system32\rrinstaller.exe
    2012-06-30 02:52 . 2009-04-11 06:27 24576 ----a-w- c:\windows\system32\mfpmp.exe
    2012-06-30 02:52 . 2009-04-11 04:54 2048 ----a-w- c:\windows\system32\mferror.dll
    2012-06-30 02:52 . 2009-07-11 19:01 513536 ----a-w- c:\windows\system32\wlansvc.dll
    2012-06-30 02:52 . 2009-07-11 19:01 302592 ----a-w- c:\windows\system32\wlansec.dll
    2012-06-30 02:52 . 2009-07-11 19:01 293376 ----a-w- c:\windows\system32\wlanmsm.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-06-30 16:58 . 2012-06-30 16:58 4096 ----a-w- c:\windows\system32\drivers\en-US\dxgkrnl.sys.mui
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-06-28 12:51 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 4472832]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-11-30 102400]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
    "eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
    "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-01-03 521776]
    "PlayMovie"="c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2008-01-22 200704]
    "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-01-02 707080]
    "Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
    "Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-06-28 4273976]
    "Skytel"="Skytel.exe" [2007-05-28 1826816]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-10-02 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-10-02 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-10-02 150552]
    .
    c:\users\Jan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - c:\users\Jan\Desktop\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-13 535336]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-06-30 06:38]
    .
    2012-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-06-30 06:38]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://azstarnet.com/?guid=on
    mStart Page = hxxp://en.us.acer.yahoo.com
    TCP: DhcpNameServer = 192.168.1.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-eRecoveryService - (no file)
    .
    .
    .
    **************************************************************************
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files:
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
    "ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(2920)
    c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\system32\agrsmsvc.exe
    c:\acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
    c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
    c:\acer\Empowering Technology\eNet\eNet Service.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\acer\Mobility Center\MobilityService.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
    c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
    c:\acer\Empowering Technology\ePower\ePowerSvc.exe
    c:\program files\Spybot - Search & Destroy\SDWinSec.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\igfxsrvc.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-07-08 19:18:14 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-09 02:18
    .
    Pre-Run: 22,256,689,152 bytes free
    Post-Run: 21,841,752,064 bytes free
    .
    - - End Of File - - 526A3933F84C8F76521B5B88E89CD602
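As an added example (not from this thread, from ComboFix, or from its authors): a small Python triage script that parses lines in the shape of the ComboFix log above, checks that the services.exe copy ComboFix restored came from a WinSxS component carrying the running 6.0.6002 build, and lists autostart entries a helper would confirm by hand. The embedded sample is a constructed excerpt of the log posted above, and the regexes encode the layout seen there, not a published ComboFix format.

```python
import re

# Constructed sample: a handful of lines copied in the shape of the ComboFix log
# posted above (not the full log, and not ComboFix's own format specification).
SAMPLE_LOG = r"""
ComboFix 12-07-08.01 - Jan 07/08/2012 19:01:16.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1080 [GMT -7:00]
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-28 4472832]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-06-28 4273976]
"Skytel"="Skytel.exe" [2007-05-28 1826816]
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
"""

SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")
OSVER_RE = re.compile(r"Windows .*? (\d+\.\d+\.\d+)\.")
INFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (.+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[([^\]]*)\])?$')
# WinSxS directory names are arch_name_publicKeyToken_version_language_hash
WINSXS_RE = re.compile(
    r"\\winsxs\\(x86|amd64|wow64|msil)_(.+?)_([0-9a-f]{16})_(\d+(?:\.\d+){3})_([^\\_]+)_([0-9a-f]{16})\\",
    re.IGNORECASE)

def parse_combofix(text):
    """Pull the OS build, disinfected files and registry autostart entries out of a log."""
    report = {"os_version": None, "disinfected": [], "autostarts": []}
    key = None        # registry key that the following "name"="image" lines belong to
    pending = None    # last 'Infected copy' line still waiting for its 'Restored copy from'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if report["os_version"] is None and (m := OSVER_RE.search(line)):
            report["os_version"] = m.group(1)
        elif SECTION_RE.match(line):
            key = None                    # a new section closes any open registry key
        elif m := INFECTED_RE.match(line):
            pending = {"path": m.group(1), "restored_from": None}
            report["disinfected"].append(pending)
        elif (m := RESTORED_RE.match(line)) and pending is not None:
            pending["restored_from"] = m.group(1)
            pending = None
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            report["autostarts"].append(
                {"key": key, "name": m.group(1), "image": m.group(2), "stamp": m.group(3)})
    return report

def restored_from_matching_build(entry, os_version):
    """True when the WinSxS copy that replaced the infected file carries the
    running OS's major.minor.build (here 6.0.6002), i.e. came from the right store."""
    m = WINSXS_RE.search(entry.get("restored_from") or "")
    if m is None or os_version is None:
        return False
    version = m.group(4)
    return version.startswith(os_version + ".")

def flag_autostarts(entries):
    """Entries worth confirming by hand: an image given without a drive letter (found via
    the search path at logon) or one whose extension is not a usual PE. Triage hints,
    not verdicts; legitimate vendor software often does both."""
    flagged = []
    for e in entries:
        image = e["image"].lower()
        if image.startswith("\\??\\"):   # NT object-manager prefix used in ImagePath values
            image = image[4:]
        reasons = []
        if not re.match(r"^[a-z]:\\", image):
            reasons.append("relative path")
        if not image.endswith((".exe", ".dll", ".sys")):
            reasons.append("unusual extension")
        if reasons:
            flagged.append((e["name"], reasons))
    return flagged

if __name__ == "__main__":
    rep = parse_combofix(SAMPLE_LOG)
    for d in rep["disinfected"]:
        print(d["path"], "restored from matching build:",
              restored_from_matching_build(d, rep["os_version"]))
    for name, reasons in flag_autostarts(rep["autostarts"]):
        print("check", name + ":", ", ".join(reasons))
```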
     
  11. CarolsSis

    1. Did not do any scans. When I booted to safe mode, the Spybot boxes came up on their own, must not have "turned it off".
    2. SystemLook is already saved in downloads. Can't copy and paste from your box, same problem, when I highlight it, then click to move it, the highlight turns off or SystemLook minimizes to tray. Can I copy it by typing it in?
    3. Did combofix find if I have a microsoft windows recovery console? The question box did not come up when program ran. The combofix did not have any question boxes.
     
  12. etavares

    Hello, Carolsis.

    Recovery Console is specific to XP. Vista and 7 made it easy and install the Recovery Environment automatically. So, you weren't prompted since you already have the recovery environment.

    Don't worry about SystemLook for now...you found the combofix log.


    We removed a pretty bad virus with Combofix. I have to give you this warning:

    Backdoor Warning
    One or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
    When Should I Format, How Should I Reinstall

    We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below. This virus does often break internet, but we can fix it.



    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    etavares
     
  13. CarolsSis

    I want to make sure both of my machines are secure. I don't use the laptop now for financial transactions, but who knows what the future holds? I'd much prefer security, it's worth more than gold.
    Laptop has internet connections, has had since I booted to safe mode. I had changed passwords, both on laptop and router, but before combofix. Can do it again. My choice is to re-install after format. My question is, will I be able to re-install with only recovery discs? Thanks so much.
     
  14. etavares

    etavares Malware Removal Specialist - Moderator
    You can reinstall with recovery disks. I would prefer to use the onboard recovery. It appears you do have it. To reformat it and restore it to the condition it was in the day you bought it, please repeatedly tap Alt-F10 as your computer boots up. You can find the exact instructions here, and we want to restore it to "factory default".

    http://support.acer.com/acerpanam/desktop/0000/acer/aspiree360/aspiree360faq40.shtml
     
  15. etavares

    etavares Malware Removal Specialist - Moderator
    PS: please don't miss my post above, but you will want to back up any irreplaceable files...photos, documents, movies. Don't back up programs...we can just reinstall a clean, uninfected copy.
     
  16. CarolsSis

    CarolsSis Registered Members
    Farbar Service Scanner Version: 08-07-2012
    Ran by Jan (administrator) on 11-07-2012 at 08:55:30
    Running from "C:\Users\Jan\Downloads"
    Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
    Boot Mode: Normal
    ****************************************************************
    Internet Services:
    ============
    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo IP is accessible.
    Yahoo.com is accessible.

    Windows Firewall:
    =============
    Firewall Disabled Policy:
    ==================

    System Restore:
    ============
    System Restore Disabled Policy:
    ========================

    Security Center:
    ============
    Windows Update:
    ============
    Windows Autoupdate Disabled Policy:
    ============================

    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys
    [2012-06-30 09:29] - [2012-03-30 05:39] - 0905600 ____A (Microsoft Corporation) 27D470DABC77BC60D0A3B0E4DEB6CB91
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit

    **** End of log ****

    I'll print instructions from Acer, just for safety's sake. Thanks so much.
     
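As an added example (not from this thread or from the Farbar tool), a small parser for the File Check section of the FSS log above: it separates the files FSS matched to a known-good MD5 from the one it did not, and pulls out the timestamps, size, company and hash printed under that entry. The detail-line format is assumed from the single example in the log.

```python
import re

# Constructed sample: an excerpt of the FSS.txt log quoted in the post above.
SAMPLE_LOG = r"""File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2012-06-30 09:29] - [2012-03-30 05:39] - 0905600 ____A (Microsoft Corporation) 27D470DABC77BC60D0A3B0E4DEB6CB91
C:\Windows\system32\dnsrslvr.dll => MD5 is legit

**** End of log ****
"""

# Detail line FSS prints under a file it could not match to a known-good MD5:
# two timestamps, size, attributes, company, hash. Format assumed from the one
# example in the log; the page does not say which date is created vs modified.
DETAIL_RE = re.compile(
    r"^\[(?P<date_a>[^\]]+)\] - \[(?P<date_b>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

def parse_file_check(log_text):
    """Map each path in the File Check section to its verification result."""
    results, current, in_section = {}, None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("File Check:"):
            in_section = True
            continue
        if not in_section or not line or line.startswith("==="):
            continue
        if line.startswith("****"):          # end-of-log marker
            break
        if " => MD5 is legit" in line:       # FSS matched a known-good hash
            results[line.split(" => ")[0]] = {"legit": True}
            current = None
        elif line.startswith("["):           # detail line for the unmatched file
            m = DETAIL_RE.match(line)
            if current is not None and m:
                results[current].update(m.groupdict(), size=int(m["size"]))
        else:                                # a path printed without a verdict
            current = line
            results[current] = {"legit": False}
    return results

def unverified(log_text):
    """Paths FSS could not confirm; the ones to compare against a clean copy."""
    return sorted(p for p, i in parse_file_check(log_text).items() if not i["legit"])
```

On the sample this reports only tcpip.sys, which in the thread had been replaced on 2012-06-30 by the earlier ComboFix run and is the file a helper would check against a clean copy.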
  17. CarolsSis

    CarolsSis Registered Members
    1. I want to thank you for your patience and time in helping me with this problem.
    2. I have the recovery done, seems to have a few glitches, but nothing I can't handle. Mostly updates.
    3. I'd like to know what the names of all the malware and trojans were. Mostly curiosity.
    Thanks again, so much, it's been quite a learning experience for me, and I can't thank you enough for all the help you've given me.
     
  18. etavares

    etavares Malware Removal Specialist - Moderator
  19. CarolsSis

    CarolsSis Registered Members
    Yeaheay! It's all done, well mostly. Still doing the seemingly endless installation of updates. It appears to have been a success. Checked out the link, how scary. First time I've ever had such a big problem with virus, malware, never a trojan.
    Thanks so much, I can't say it enough. I'm so relieved, maybe I can sleep now. You're worth your weight in gold, at least to me.
    I have questions about other things, removal of games, uninstall program, defrag, Windows features, disk usage on C and D drives. Don't know if I should post those here or what.
    Thanks again, so much. After 21 days of messing with this, you managed to stick with me and help me get it done. Invaluable, to me, anyway.
     
  20. BeeCeeBee

    BeeCeeBee ADMINISTRATOR IN MEMORY
    There is no point in posting other questions in a malware removal thread. You are more than welcome to post them in another area of the forums. :)
     