
Rootkit found by Avast - Internet Not working properly

4K views 10 replies 3 participants last post by  chemist 
#1 · (Edited by Moderator)
Hey guys

My laptop suddenly got a problem where it would disconnect from the internet every 10 seconds. I'm connecting via wireless, and it would say something like 'no connections found' every 10 seconds, then it would detect the internet and connect for 10 seconds and repeat.

I scanned with avast and it found a rootkit. I tried to quarantine, repair and remove one of the viruses but it wouldn't work (I attached the screenshots showing the errors).

Also, I ran combofix (sorry, I only just read in the sticky to not run it beforehand).

Here is the DDS log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16476 BrowserJavaVersion: 10.11.2
Run by Winston at 5:49:57 on 2014-12-19
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.3005.2126 [GMT 11:00]
.
AV: avast! Antivirus *Enabled/Outdated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Outdated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRunOnce: [SPReview] "c:\windows\system32\spreview\SPReview.exe" /sp:1 /errorfwlink:"http://go.microsoft.com/fwlink/?LinkID=122915" /build:7601
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
TCP: NameServer = 192.168.23.1
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09} : DHCPNameServer = 192.168.23.1
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09}\6594E405541425C4D20584551555F434 : DHCPNameServer = 8.8.8.8 203.162.4.190
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09}\84E45402C4566756C60253 : DHCPNameServer = 192.168.7.1
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09}\84E45402C4566756C60263 : DHCPNameServer = 192.168.6.6
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09}\E47414E4028414026463F514 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09}\E47414E4F58414F56443F524 : DHCPNameServer = 192.168.1.1 8.8.8.8 203.162.4.190
TCP: Interfaces\{42E95756-CBA2-4E9A-BB73-330EE4470D09}\E47414E4F58414F56463F524 : DHCPNameServer = 192.168.1.1 8.8.8.8 203.162.4.190
TCP: Interfaces\{DB27DB31-3B9B-4BB9-907B-116D3339D06C} : DHCPNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\39.0.2171.95\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\winston\appdata\roaming\mozilla\firefox\profiles\jspm1w5f.default\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_15_0_0_246.dll
FF - ExtSQL: 2014-12-04 04:10; firefox-hotfix@mozilla.org; c:\users\winston\appdata\roaming\mozilla\firefox\profiles\jspm1w5f.default\extensions\firefox-hotfix@mozilla.org.xpi
FF - ExtSQL: 2014-12-10 15:56; faststartff@gmail.com; c:\users\winston\appdata\roaming\mozilla\firefox\profiles\jspm1w5f.default\extensions\faststartff@gmail.com
FF - ExtSQL: !HIDDEN! 2014-12-10 15:56; faststartff@gmail.com; c:\users\winston\appdata\roaming\mozilla\firefox\profiles\jspm1w5f.default\extensions\faststartff@gmail.com
.
============= SERVICES / DRIVERS ===============
.
R1 {3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw;{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw;c:\windows\system32\drivers\{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw.sys [2014-12-10 43144]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-12-19 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-12-19 361032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2014-12-19 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-12-19 58680]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-12-19 44808]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2010-4-1 1009184]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2012-8-26 157776]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-7-14 311296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2014-12-11 315496]
S2 WindowsMangerProtect;WindowsMangerProtect Service;c:\programdata\windowsmangerprotect\protectwindowsmanager.exe -service --> c:\programdata\windowsmangerprotect\ProtectWindowsManager.exe -service [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 Desura Install Service;Desura Install Service;c:\program files\common files\desura\desura_service.exe [2012-12-22 131912]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-12-14 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2014-12-18 17:36:02 -------- d-sh--w- C:\$RECYCLE.BIN
2014-12-18 17:09:12 -------- d-----w- c:\users\winston\appdata\local\temp
2014-12-18 16:53:38 98816 ----a-w- c:\windows\sed.exe
2014-12-18 16:53:38 256000 ----a-w- c:\windows\PEV.exe
2014-12-18 16:53:38 208896 ----a-w- c:\windows\MBR.exe
2014-12-18 16:52:21 -------- d-----w- c:\windows\system32\SPReview
2014-12-18 14:56:01 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-12-18 14:55:56 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-12-18 14:55:54 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-12-18 14:55:24 41224 ----a-w- c:\windows\avastSS.scr
2014-12-18 13:29:00 -------- d-----w- C:\c51a5d5eba08c576c3d6a4aa131b
2014-12-17 05:52:53 -------- d-----w- c:\users\winston\appdata\roaming\3909
2014-12-17 05:36:16 9054624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5687b376-2cc8-4325-98c6-7cc336338692}\mpengine.dll
2014-12-13 16:51:23 -------- d-----w- c:\users\winston\appdata\local\mslug3
2014-12-13 16:51:02 -------- d-----w- c:\programdata\Package Cache
2014-12-10 18:59:39 -------- d-----w- c:\windows\system32\appraiser
2014-12-10 16:20:18 1160872 ----a-w- c:\windows\system32\aitstatic.exe
2014-12-10 16:20:17 728576 ----a-w- c:\windows\system32\appraiser.dll
2014-12-10 16:20:17 610304 ----a-w- c:\windows\system32\invagent.dll
2014-12-10 16:20:17 337920 ----a-w- c:\windows\system32\generaltel.dll
2014-12-10 16:20:17 315392 ----a-w- c:\windows\system32\devinv.dll
2014-12-10 05:19:47 -------- d-----w- c:\users\winston\appdata\roaming\OpenOffice
2014-12-10 05:15:24 -------- d-----w- c:\program files\OpenOffice 4
2014-12-10 05:03:49 43144 ----a-w- c:\windows\system32\drivers\{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw.sys
2014-12-10 04:56:33 -------- d-----w- c:\programdata\WindowsMangerProtect
2014-12-10 04:56:30 -------- d-----w- c:\program files\360
2014-12-10 04:56:22 -------- d-----w- c:\users\winston\appdata\roaming\sweet-page
2014-12-04 17:04:47 -------- d-s---w- c:\windows\system32\CompatTel
2014-12-04 12:36:35 -------- d-----w- c:\windows\AutoKMS
2014-12-04 12:34:51 -------- d-----w- c:\programdata\Microsoft Toolkit
2014-12-02 15:26:51 -------- d-----w- c:\users\winston\appdata\local\Robot Entertainment
2014-12-02 07:01:23 -------- d-----w- c:\users\winston\appdata\local\Skype
2014-12-02 07:01:01 -------- d-----r- c:\program files\Skype
2014-12-01 12:16:11 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2014-12-01 12:16:11 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2014-12-01 12:16:10 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2014-12-01 11:28:20 -------- d-----w- c:\users\winston\appdata\roaming\BANDISOFT
2014-12-01 11:27:09 -------- d-----w- c:\program files\Bandicam
2014-12-01 11:27:03 -------- d-----w- c:\program files\BandiMPEG1
.
==================== Find3M ====================
.
2014-12-09 19:17:19 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-09 19:17:19 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-11-24 03:04:58 229000 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 5:50:42.53 ===============


Here is the GMER log:

GMER 2.1.19357 - GMER - Rootkit Detector and Remover
Rootkit scan 2014-12-19 06:31:26
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Hitachi_HTS545032B9A300 rev.PB3OC64G 298.09GB
Running: gmer.exe; Driver: C:\Users\Winston\AppData\Local\Temp\pwlorfow.sys


---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8EE394BA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8F544C22]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8EE39ED6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8EE44FA8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8EE44FF4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8EE45176]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8EE44F16]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8F544FA6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8EE44F5E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8EE3A11C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8EE3A2F4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8EE45130]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8EE3A93E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8EE39508]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8F544CEA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8F5433EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8EE39556]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8EE3E534]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8EE3B3A6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8EE44FD2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8EE45016]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8EE4519A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8EE44F3C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8EE450BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8EE44F86]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8EE45154]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8F544E4A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8EE3B272]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x8EE3AF86]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8EE395A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8EE395F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8EE3A7BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8EE391FA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8EE393AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8EE39350]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8EE3AAF8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8EE3AC54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8EE3941A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x8F544EFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8EE3A636]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0x8F54341C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8EE39640]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8F544D96]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8F55DE56]
Code 92A48BFC ZwTraceEvent
Code 92A48BFB NtTraceEvent
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!NtTraceEvent 82A7E0F4 5 Bytes JMP 92A48C00
.text ntkrnlpa.exe!ZwRollbackTransaction + 13F9 82A8E829 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB3132 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 82ABA904 4 Bytes [BA, 94, E3, 8E]
.text ntkrnlpa.exe!RtlSidHashLookup + 24C 82ABA92C 4 Bytes [22, 4C, 54, 8F] {AND CL, [ESP+EDX*2-0x71]}
.text ntkrnlpa.exe!RtlSidHashLookup + 2AC 82ABA98C 4 Bytes [D6, 9E, E3, 8E] {SALC ; SAHF ; JECXZ 0xffffff92}
.text ntkrnlpa.exe!RtlSidHashLookup + 300 82ABA9E0 8 Bytes [A8, 4F, E4, 8E, F4, 4F, E4, ...] {TEST AL, 0x4f; IN AL, 0x8e; HLT ; DEC EDI; IN AL, 0x8e}
.text ntkrnlpa.exe!RtlSidHashLookup + 30C 82ABA9EC 4 Bytes [76, 51, E4, 8E] {JBE 0x53; IN AL, 0x8e}
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C5545B 5 Bytes JMP 8F55ACF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82C6F16D 5 Bytes JMP 8F55C828 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82CB98C0 4 Bytes CALL 8EE3BA8D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 2 82CC188D 5 Bytes JMP 92A48DE0
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82CC19AD 4 Bytes CALL 8EE3BAA3 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!NtRequestWaitReplyPort + 2 82CC32B5 5 Bytes JMP 92A48D40
PAGE ntkrnlpa.exe!NtRequestPort + 2 82CD7519 5 Bytes JMP 92A48CA0
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82D27618 2 Bytes JMP 8F55DE5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx + 3 82D2761B 4 Bytes [83, 0C, CC, CC] {OR DWORD [ESP+ECX*8], -0x34}
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\Users\Winston\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Users\Winston\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !
.text kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\csrss.exe[412] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\wininit.exe[464] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\csrss.exe[472] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\services.exe[520] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text ...
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1404] kernel32.dll!SetUnhandledExceptionFilter 768D3122 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1404] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1536] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\svchost.exe[1584] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\conhost.exe[1648] ntdll.dll!LdrUnloadDll 77B5BD1F 5 Bytes JMP 000B03FC
.text C:\Windows\system32\conhost.exe[1648] ntdll.dll!LdrLoadDll 77B5F425 5 Bytes JMP 000B01F8
.text C:\Windows\system32\conhost.exe[1648] KERNEL32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\conhost.exe[1648] USER32.dll!UnhookWindowsHookEx 7605CC7B 5 Bytes JMP 000C0A08
.text C:\Windows\system32\conhost.exe[1648] USER32.dll!UnhookWinEvent 7605D924 5 Bytes JMP 000C03FC
.text C:\Windows\system32\conhost.exe[1648] USER32.dll!SetWindowsHookExW 7606210A 5 Bytes JMP 000C0804
.text C:\Windows\system32\conhost.exe[1648] USER32.dll!SetWinEventHook 7606507E 5 Bytes JMP 000C01F8
.text C:\Windows\system32\conhost.exe[1648] USER32.dll!SetWindowsHookExA 76086DFA 5 Bytes JMP 000C0600
.text C:\Windows\System32\svchost.exe[1692] ntdll.dll!LdrUnloadDll 77B5BD1F 5 Bytes JMP 000E03FC
.text C:\Windows\System32\svchost.exe[1692] ntdll.dll!LdrLoadDll 77B5F425 5 Bytes JMP 000E01F8
.text C:\Windows\System32\svchost.exe[1692] KERNEL32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1692] USER32.dll!UnhookWindowsHookEx 7605CC7B 5 Bytes JMP 00100A08
.text C:\Windows\System32\svchost.exe[1692] USER32.dll!UnhookWinEvent 7605D924 5 Bytes JMP 001003FC
.text C:\Windows\System32\svchost.exe[1692] USER32.dll!SetWindowsHookExW 7606210A 5 Bytes JMP 00100804
.text C:\Windows\System32\svchost.exe[1692] USER32.dll!SetWinEventHook 7606507E 5 Bytes JMP 001001F8
.text C:\Windows\System32\svchost.exe[1692] USER32.dll!SetWindowsHookExA 76086DFA 5 Bytes JMP 00100600
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1712] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1752] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Program Files\Bonjour\mDNSResponder.exe[1792] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\ctfmon.exe[1892] ntdll.dll!LdrUnloadDll 77B5BD1F 5 Bytes JMP 000E03FC
.text C:\Windows\system32\ctfmon.exe[1892] ntdll.dll!LdrLoadDll 77B5F425 5 Bytes JMP 000E01F8
.text C:\Windows\system32\ctfmon.exe[1892] KERNEL32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\ctfmon.exe[1892] USER32.dll!UnhookWindowsHookEx 7605CC7B 5 Bytes JMP 000F0A08
.text C:\Windows\system32\ctfmon.exe[1892] USER32.dll!UnhookWinEvent 7605D924 5 Bytes JMP 000F03FC
.text C:\Windows\system32\ctfmon.exe[1892] USER32.dll!SetWindowsHookExW 7606210A 5 Bytes JMP 000F0804
.text C:\Windows\system32\ctfmon.exe[1892] USER32.dll!SetWinEventHook 7606507E 5 Bytes JMP 000F01F8
.text C:\Windows\system32\ctfmon.exe[1892] USER32.dll!SetWindowsHookExA 76086DFA 5 Bytes JMP 000F0600
.text C:\Windows\system32\svchost.exe[1940] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1976] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2024] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\taskhost.exe[2100] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\System32\WUDFHost.exe[2184] ntdll.dll!LdrUnloadDll 77B5BD1F 5 Bytes JMP 000E03FC
.text C:\Windows\System32\WUDFHost.exe[2184] ntdll.dll!LdrLoadDll 77B5F425 5 Bytes JMP 000E01F8
.text C:\Windows\System32\WUDFHost.exe[2184] KERNEL32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\System32\WUDFHost.exe[2184] USER32.dll!UnhookWindowsHookEx 7605CC7B 5 Bytes JMP 00100A08
.text C:\Windows\System32\WUDFHost.exe[2184] USER32.dll!UnhookWinEvent 7605D924 5 Bytes JMP 001003FC
.text C:\Windows\System32\WUDFHost.exe[2184] USER32.dll!SetWindowsHookExW 7606210A 5 Bytes JMP 00100804
.text C:\Windows\System32\WUDFHost.exe[2184] USER32.dll!SetWinEventHook 7606507E 5 Bytes JMP 001001F8
.text C:\Windows\System32\WUDFHost.exe[2184] USER32.dll!SetWindowsHookExA 76086DFA 5 Bytes JMP 00100600
.text C:\Windows\system32\Dwm.exe[2200] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2596] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\wuauclt.exe[2784] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\AUDIODG.EXE[2936] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Program Files\iTunes\iTunesHelper.exe[3144] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text ...
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] ntdll.dll!LdrUnloadDll 77B5BD1F 5 Bytes JMP 000F03FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] ntdll.dll!LdrLoadDll 77B5F425 5 Bytes JMP 000F01F8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] KERNEL32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] USER32.dll!UnhookWindowsHookEx 7605CC7B 5 Bytes JMP 00110A08
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] USER32.dll!UnhookWinEvent 7605D924 5 Bytes JMP 001103FC
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] USER32.dll!SetWindowsHookExW 7606210A 5 Bytes JMP 00110804
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] USER32.dll!SetWinEventHook 7606507E 5 Bytes JMP 001101F8
.text C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe[3772] USER32.dll!SetWindowsHookExA 76086DFA 5 Bytes JMP 00110600
.text C:\Windows\Explorer.exe[3864] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]
.text C:\Windows\system32\svchost.exe[4088] kernel32.dll!GetBinaryTypeW + 70 768E7934 1 Byte [62]

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 2.1 ----
 

#2 · (Edited by Moderator)
Here is the attach log (from DDS)

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 12/12/2012 12:26:44 AM
System Uptime: 19/12/2014 4:17:03 AM (1 hours ago)
.
Motherboard: MEDION | | E7212
Processor: Pentium(R) Dual-Core CPU T4500 @ 2.30GHz | U2E1 | 1196/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 297 GiB total, 179.736 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description: Base System Device
Device ID: PCI\VEN_197B&DEV_2382&SUBSYS_408C17C0&REV_20\4&194AEC5E&0&00E4
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_197B&DEV_2382&SUBSYS_408C17C0&REV_20\4&194AEC5E&0&00E4
Service:
.
Class GUID:
Description: Base System Device
Device ID: PCI\VEN_197B&DEV_2383&SUBSYS_408C17C0&REV_20\4&194AEC5E&0&03E4
Manufacturer:
Name: Base System Device
PNP Device ID: PCI\VEN_197B&DEV_2383&SUBSYS_408C17C0&REV_20\4&194AEC5E&0&03E4
Service:
.
Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: BAPIDRV
Device ID: ROOT\LEGACY_BAPIDRV\0000
Manufacturer:
Name: BAPIDRV
PNP Device ID: ROOT\LEGACY_BAPIDRV\0000
Service: BAPIDRV
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft Teredo Tunneling Adapter
Device ID: ROOT\*TEREDO\0000
Manufacturer: Microsoft
Name: Microsoft Teredo Tunneling Adapter
PNP Device ID: ROOT\*TEREDO\0000
Service: tunnel
.
==== System Restore Points ===================
.
RP156: 17/12/2014 3:04:43 AM - Windows 7 Service Pack 1
RP157: 17/12/2014 5:27:56 AM - Windows Update
RP158: 17/12/2014 4:59:42 PM - Windows Update
RP159: 17/12/2014 7:51:03 PM - Windows Update
RP160: 18/12/2014 3:01:29 AM - Windows Update
RP161: 18/12/2014 5:42:38 AM - Windows Update
RP162: 18/12/2014 6:01:31 PM - Windows Update
RP163: 19/12/2014 12:28:33 AM - Windows Update
RP164: 19/12/2014 1:42:46 AM - Windows Update
RP165: 19/12/2014 1:54:45 AM - avast! Free Antivirus Setup
RP166: 19/12/2014 3:51:24 AM - Windows Update
.
==== Installed Programs ======================
.
Adobe Flash Player 15 Plugin
Adobe Reader XI (11.0.10)
Any Video Converter 5 5.0.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
Bandicam
Bandisoft MPEG-1 Decoder
Bastion - Demo
Battle for Wesnoth 1.10.7
Bonjour
Braid Demo
CamStudio OSS Desktop Recorder
Counter-Strike: Source
Counter-Strike: Source Beta
D3DX10
Desura
Desura: The Stanley Parable
Divekick
Don't Starve Together Beta
Dota 2
Fated Haven: Chapter One (DEMO)
Garry's Mod
GIMP 2.8.2
Google Chrome
Google Update Helper
Heroes of Newerth
Home
iTunes
Java 7 Update 11
Java Auto Updater
Lone Survivor
METAL SLUG 3
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.60610
Microsoft XNA Framework Redistributable 3.1
Movie Maker
Mozilla Firefox 34.0.5 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSVCRT110
No Hands SEO Trial
OpenOffice 4.1.1
Opera 12.12
Orcs Must Die! 2
Papers, Please
Photo Common
Photo Gallery
Portal 2
RPG MAKER VX Ace
RPG MAKER VX Ace RTP
Sandboxie 3.74 (32-bit)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Skype™ 7.0
Source SDK Base 2007
Steam
To the Moon
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
VLC media player 2.0.5
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Movie Maker 2.6
WindowsMangerProtect20.0.0.1277
WinRAR 4.20 (32-bit)
.
==== Event Viewer Messages From Past Week ========
.
19/12/2014 4:35:00 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
19/12/2014 4:24:07 AM, Error: Service Control Manager [7034] - The WindowsMangerProtect Service service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
 
#3 · (Edited by Moderator)
Here is the ComboFix log (though note I had to scan again because I didn't save the log the first time)

ComboFix 14-12-14.01 - Winston 19/12/2014 4:25.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.3005.1885 [GMT 11:00]
Running from: c:\users\Winston\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Outdated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Outdated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-11-18 to 2014-12-18 )))))))))))))))))))))))))))))))
.
.
2014-12-18 17:34 . 2014-12-18 17:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-12-18 17:09 . 2014-12-18 17:35 -------- d-----w- c:\users\Winston\AppData\Local\temp
2014-12-18 16:52 . 2014-12-18 16:52 -------- d-----w- c:\windows\system32\SPReview
2014-12-18 14:56 . 2012-10-30 22:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2014-12-18 14:56 . 2012-10-30 22:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2014-12-18 14:56 . 2012-10-15 15:59 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-12-18 14:55 . 2012-10-30 22:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2014-12-18 14:55 . 2012-10-30 22:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-12-18 14:55 . 2012-10-30 22:51 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-12-18 14:55 . 2012-10-30 22:51 41224 ----a-w- c:\windows\avastSS.scr
2014-12-18 14:55 . 2012-10-30 22:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2014-12-18 13:29 . 2014-12-18 13:29 -------- d-----w- C:\c51a5d5eba08c576c3d6a4aa131b
2014-12-17 05:52 . 2014-12-17 05:52 -------- d-----w- c:\users\Winston\AppData\Roaming\3909
2014-12-17 05:36 . 2014-12-02 11:01 9054624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5687B376-2CC8-4325-98C6-7CC336338692}\mpengine.dll
2014-12-13 16:51 . 2014-12-13 16:51 -------- d-----w- c:\users\Winston\AppData\Local\mslug3
2014-12-13 16:51 . 2014-12-13 16:51 -------- d-----w- c:\programdata\Package Cache
2014-12-04 12:36 . 2014-12-04 15:24 -------- d-----w- c:\windows\AutoKMS
2014-12-04 12:34 . 2014-12-04 12:34 -------- d-----w- c:\programdata\Microsoft Toolkit
2014-12-02 15:26 . 2014-12-02 15:26 -------- d-----w- c:\users\Winston\AppData\Local\Robot Entertainment
2014-12-02 07:01 . 2014-12-02 07:01 -------- d-----w- c:\users\Winston\AppData\Local\Skype
2014-12-02 07:01 . 2014-12-02 07:01 -------- d-----w- c:\program files\Common Files\Skype
2014-12-02 07:01 . 2014-12-18 16:50 -------- d-----r- c:\program files\Skype
2014-12-01 12:16 . 2008-10-14 19:22 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2014-12-01 12:16 . 2008-10-14 19:22 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2014-12-01 12:16 . 2008-10-14 19:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2014-12-01 11:28 . 2014-12-01 11:28 -------- d-----w- c:\users\Winston\AppData\Roaming\BANDISOFT
2014-12-01 11:27 . 2014-12-01 11:27 -------- d-----w- c:\program files\Bandicam
2014-12-01 11:27 . 2014-12-01 11:27 -------- d-----w- c:\program files\BandiMPEG1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-12-09 19:17 . 2012-12-21 11:35 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-09 19:17 . 2012-12-21 11:35 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-11-29 16:29 . 2012-07-17 03:37 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-11-24 03:04 . 2012-12-12 01:21 229000 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2012-08-25 545552]
"Steam"="c:\program files\Steam\Steam.exe" [2014-11-18 1940160]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2014-12-11 30877280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-11-20 1021128]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2014-12-18 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R1 BAPIDRV;BAPIDRV;c:\windows\system32\DRIVERS\BAPIDRV.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2014-12-10 315496]
R2 WindowsMangerProtect;WindowsMangerProtect Service;c:\programdata\WindowsMangerProtect\ProtectWindowsManager.exe [2014-12-10 484352]
R3 Desura Install Service;Desura Install Service;c:\program files\Common Files\Desura\desura_service.exe [2012-12-22 131912]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-12-14 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S1 {3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw;{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw;c:\windows\system32\drivers\{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw.sys [2014-12-09 43144]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 58680]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-03-31 1009184]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-12-12 04:38 1087816 ----a-w- c:\program files\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-21 19:17]
.
2014-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-12 01:25]
.
2014-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-12 01:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.23.1
FF - ProfilePath - c:\users\Winston\AppData\Roaming\Mozilla\Firefox\Profiles\jspm1w5f.default\
FF - ExtSQL: 2014-12-04 04:10; firefox-hotfix@mozilla.org; c:\users\Winston\AppData\Roaming\Mozilla\Firefox\Profiles\jspm1w5f.default\extensions\firefox-hotfix@mozilla.org.xpi
FF - ExtSQL: 2014-12-10 15:56; faststartff@gmail.com; c:\users\Winston\AppData\Roaming\Mozilla\Firefox\Profiles\jspm1w5f.default\extensions\faststartff@gmail.com
FF - ExtSQL: !HIDDEN! 2014-12-10 15:56; faststartff@gmail.com; c:\users\Winston\AppData\Roaming\Mozilla\Firefox\Profiles\jspm1w5f.default\extensions\faststartff@gmail.com
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-12-19 04:37:05
ComboFix-quarantined-files.txt 2014-12-18 17:37
ComboFix2.txt 2014-12-18 17:09
.
Pre-Run: 193,186,295,808 bytes free
Post-Run: 192,924,495,872 bytes free
.
- - End Of File - - 698340EBD596111CEC67CBCB5CA121AD
A36C5E4F47E84449FF07ED3517B43A31
 
#4 ·
winstincts,

Hi and welcome to TSF.

I am currently reviewing your logs. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

http://www.techsupportforum.com/forums/f50/please-read-who-is-helping-you-93034.html

You may wish to Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools (near the top), then click Subscribe to this Thread. Make sure it is set to Instant Notification by email, then click Add Subscription.

Please be patient with me during this time.
 
#6 · (Edited)
Hello winstincts. Sorry for the delay. Drew is away from the keyboard momentarily.

Please do not wrap logs in quote or codeboxes. It makes the logs harder to read. Thanks.

--------------------------------------------------------

Please go to: VirusTotal
  • Click the Choose File button.
  • Please copy/paste the following bolded text into the 'File name:' box:

    c:\windows\system32\csrsrv.dll

  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already analyzed: click Reanalyse
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
  • Please repeat for the following file:

    c:\windows\system32\drivers\{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw.sys
--------------------------------------------------------

AV: avast! Antivirus *Enabled/Outdated*
avast! should be updated regularly. Are you having trouble updating it?

Please update avast! and see if it still detects the file as a rootkit.

--------------------------------------------------------

Press the Windows "logo" key and "R" key then copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\ComboFix2.txt

A text file should open. Please copy/paste the contents of that file in your next reply.

--------------------------------------------------------
 
#7 ·
Hi,

Thanks for the reply. I'll update avast and scan it again.

Here's the 2 links:

https://www.virustotal.com/en/file/...16aecba15ff87b0ea40cccb9/analysis/1419417633/

https://www.virustotal.com/en/file/...92129103860390ad39ebfea7/analysis/1419417472/


Combofix2.txt


ComboFix 14-12-14.01 - Winston 19/12/2014 3:55.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.3005.1821 [GMT 11:00]
Running from: c:\users\Winston\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Outdated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Outdated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2014-11-18 to 2014-12-18 )))))))))))))))))))))))))))))))
.
.
2014-12-18 17:06 . 2014-12-18 17:06 -------- d-----w- c:\users\Winston\AppData\Local\temp
2014-12-18 17:06 . 2014-12-18 17:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-12-18 16:52 . 2014-12-18 16:52 -------- d-----w- c:\windows\system32\SPReview
2014-12-18 14:56 . 2012-10-30 22:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2014-12-18 14:56 . 2012-10-30 22:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2014-12-18 14:56 . 2012-10-15 15:59 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-12-18 14:55 . 2012-10-30 22:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2014-12-18 14:55 . 2012-10-30 22:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-12-18 14:55 . 2012-10-30 22:51 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-12-18 14:55 . 2012-10-30 22:51 41224 ----a-w- c:\windows\avastSS.scr
2014-12-18 14:55 . 2012-10-30 22:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2014-12-18 13:29 . 2014-12-18 13:29 -------- d-----w- C:\c51a5d5eba08c576c3d6a4aa131b
2014-12-18 10:38 . 2014-12-18 17:00 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5687B376-2CC8-4325-98C6-7CC336338692}\offreg.dll
2014-12-17 05:52 . 2014-12-17 05:52 -------- d-----w- c:\users\Winston\AppData\Roaming\3909
2014-12-17 05:36 . 2014-12-02 11:01 9054624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5687B376-2CC8-4325-98C6-7CC336338692}\mpengine.dll
2014-12-13 16:51 . 2014-12-13 16:51 -------- d-----w- c:\users\Winston\AppData\Local\mslug3
2014-12-13 16:51 . 2014-12-13 16:51 -------- d-----w- c:\programdata\Package Cache
2014-12-04 12:36 . 2014-12-04 15:24 -------- d-----w- c:\windows\AutoKMS
2014-12-04 12:34 . 2014-12-04 12:34 -------- d-----w- c:\programdata\Microsoft Toolkit
2014-12-02 15:26 . 2014-12-02 15:26 -------- d-----w- c:\users\Winston\AppData\Local\Robot Entertainment
2014-12-02 07:01 . 2014-12-02 07:01 -------- d-----w- c:\users\Winston\AppData\Local\Skype
2014-12-02 07:01 . 2014-12-02 07:01 -------- d-----w- c:\program files\Common Files\Skype
2014-12-02 07:01 . 2014-12-18 16:50 -------- d-----r- c:\program files\Skype
2014-12-01 12:16 . 2008-10-14 19:22 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2014-12-01 12:16 . 2008-10-14 19:22 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2014-12-01 12:16 . 2008-10-14 19:22 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2014-12-01 11:28 . 2014-12-01 11:28 -------- d-----w- c:\users\Winston\AppData\Roaming\BANDISOFT
2014-12-01 11:27 . 2014-12-01 11:27 -------- d-----w- c:\program files\Bandicam
2014-12-01 11:27 . 2014-12-01 11:27 -------- d-----w- c:\program files\BandiMPEG1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-12-09 19:17 . 2012-12-21 11:35 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-09 19:17 . 2012-12-21 11:35 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-11-29 16:29 . 2012-07-17 03:37 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-11-24 03:04 . 2012-12-12 01:21 229000 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2012-08-25 545552]
"Steam"="c:\program files\Steam\Steam.exe" [2014-11-18 1940160]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2014-12-11 30877280]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-11-20 1021128]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-02 252848]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2014-12-18 280576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R1 BAPIDRV;BAPIDRV;c:\windows\system32\DRIVERS\BAPIDRV.sys [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2014-12-10 315496]
R2 WindowsMangerProtect;WindowsMangerProtect Service;c:\programdata\WindowsMangerProtect\ProtectWindowsManager.exe [2014-12-10 484352]
R3 Desura Install Service;Desura Install Service;c:\program files\Common Files\Desura\desura_service.exe [2012-12-22 131912]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-12-14 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
S1 {3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw;{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw;c:\windows\system32\drivers\{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw.sys [2014-12-09 43144]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-10-30 58680]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-03-31 1009184]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-12-12 04:38 1087816 ----a-w- c:\program files\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-21 19:17]
.
2014-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-12 01:25]
.
2014-12-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-12-12 01:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.23.1
FF - ProfilePath - c:\users\Winston\AppData\Roaming\Mozilla\Firefox\Profiles\jspm1w5f.default\
FF - ExtSQL: 2014-12-04 04:10; firefox-hotfix@mozilla.org; c:\users\Winston\AppData\Roaming\Mozilla\Firefox\Profiles\jspm1w5f.default\extensions\firefox-hotfix@mozilla.org.xpi
FF - ExtSQL: 2014-12-10 15:56; faststartff@gmail.com; c:\users\Winston\AppData\Roaming\Mozilla\Firefox\Profiles\jspm1w5f.default\extensions\faststartff@gmail.com
FF - ExtSQL: !HIDDEN! 2014-12-10 15:56; faststartff@gmail.com; c:\users\Winston\AppData\Roaming\Mozilla\Firefox\Profiles\jspm1w5f.default\extensions\faststartff@gmail.com
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-12-19 04:09:09
ComboFix-quarantined-files.txt 2014-12-18 17:09
.
Pre-Run: 192,615,219,200 bytes free
Post-Run: 193,146,630,144 bytes free
.
- - End Of File - - 51BDC04EA8D90B45A91E4D3DCF1BF474
A36C5E4F47E84449FF07ED3517B43A31
 
#8 ·
winstincts,

Thanks for the links and the log.


Did avast! still detect the file after updating avast!? Not sure but did you move, repair, or delete the other csrsrv.dll that you moved to the chest?


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:
http://www.techsupportforum.com/forums/f50/rootkit-found-by-avast-internet-not-working-properly-933258.html#post5904826

Driver::
{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw

Collect::
c:\windows\system32\drivers\{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw.sys

DirLook::
c:\users\Winston\AppData\Roaming\3909

ClearJavaCache::
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

-----------------------------------------

Please uninstall the following via Start->(or Computer)->Control Panel->(Programs)->Programs and Features if it still exists.

WindowsMangerProtect20.0.0.1277<<Please read this

Also delete the following Folders if they still exist:

C:\Program Files\WindowsMangerProtect

-----------------------------------------

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[RX].txt) will open in Notepad for review. (where X = random number)
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.
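A small triage pass over the service records in the ComboFix logs above, written as an added example (it is not the helper's procedure and not a ComboFix feature): it parses the R*/S* lines from the "Reg Loading Points" section and flags the patterns the helper acted on, a GUID-named driver and a service running from c:\programdata, plus records whose binary ComboFix could not find. The flag rules and the DATA_DIRS list are assumptions for illustration; the sample input is a subset of the log lines posted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Shape of the service/driver records in ComboFix's "Reg Loading Points" section:
#   R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2014-12-10 315496]
#   S1 aswSnx;aswSnx; [x]
# R/S = running/stopped, the digit is the Windows start type, "[x]" = binary not located.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]$"
)
GUID_RE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.IGNORECASE
)
# Hypothetical triage rule: a service binary under a data directory (rather than
# Program Files or system32) deserves a second look.
DATA_DIRS = ("c:\\programdata\\", "c:\\users\\")


@dataclass
class ServiceEntry:
    state: str                 # "R" running or "S" stopped
    start: int                 # 0 boot, 1 system, 2 automatic, 3 manual
    name: str
    display: str
    path: str
    file_found: bool           # False when the record ends in "[x]"
    file_date: Optional[str] = None
    file_size: Optional[int] = None
    flags: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one R*/S* record; return None for any other line of the log."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").split()
    entry = ServiceEntry(
        state=m.group("state"), start=int(m.group("start")),
        name=m.group("name").strip(), display=m.group("display").strip(),
        path=m.group("path").strip(), file_found=meta != ["x"],
    )
    if entry.file_found and len(meta) == 2:
        entry.file_date, entry.file_size = meta[0], int(meta[1])
    return entry


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach review flags; they prioritise records for a human, they prove nothing."""
    if GUID_RE.search(entry.name):
        entry.flags.append("guid-named")          # a GUID as the service *name* is unusual
    if not entry.file_found:
        entry.flags.append("file-not-found")      # registry points at a binary that is gone
    if entry.path.lower().startswith(DATA_DIRS):
        entry.flags.append("runs-from-data-dir")  # see DATA_DIRS above
    return entry


def triage_log(log_text: str) -> List[ServiceEntry]:
    """Return only the service records that picked up at least one flag."""
    return [e for e in map(parse_service_line, log_text.splitlines())
            if e is not None and triage(e).flags]


# Constructed sample input: a subset of the service block from the log above.
SAMPLE_LOG = r"""
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2014-12-10 315496]
R2 WindowsMangerProtect;WindowsMangerProtect Service;c:\programdata\WindowsMangerProtect\ProtectWindowsManager.exe [2014-12-10 484352]
S1 {3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw;{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw;c:\windows\system32\drivers\{3283b201-5c22-4a7d-8767-24ec5d376ea3}Gw.sys [2014-12-09 43144]
S1 aswSnx;aswSnx; [x]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-03-31 1009184]
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.state}{e.start} {e.name:45} {', '.join(e.flags)}")
```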
 
#11 ·
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------
 