[resolved] avast has royally screwed my computer. i need help.

I can only type this from my phone as my computer is completely unusable after a failed boot scan. It is too much to type again so I am linking to my reddit topic. All of the information is there. I tried to contact avast phone support but my partial deafness coupled with socially awkward penguin-ness left them unable to assist.

http://www.reddit.com/r/techsupport/comments/pkwam/computer_in_infinite_restart_loop_after/

Since you can boot into safe mode, are you able to restore to an earlier point?

You deleted avast, partially.

Go to http://www.avast.com/uninstall-utility. Download it. Reboot into Windows Safe Mode and put that aswclear on your desktop. Run it (still under Windows Safe Mode). Select the version of avast you installed and the folder where you originally installed it. Run it so as to clean avast remnants. Try to boot into Normal Mode. Report back.

If you cannot boot into safe mode, let me know and I will work outside of Windows.

Since you can boot into safe mode, are you able to restore to an earlier point?

I already have; my only restore points were from August, so I used one of those. That may have escalated the problem, actually.

You deleted avast, partially.

Go to http://www.avast.com/uninstall-utility. Download it. Reboot into Windows Safe Mode and put that aswclear on your desktop. Run it (still under Windows Safe Mode). Select the version of avast you installed and the folder where you originally installed it. Run it so as to clean avast remnants. Try to boot into Normal Mode. Report back.

I am unable to find any Avast files on my computer, so there is nothing to remove. If there are, I can’t find the path to them. There are no files in programfiles nor programdata.

If you cannot boot into safe mode, let me know and I will work outside of Windows.

I am able to boot into safe mode, but safe mode with networking is no longer working (it says I have an internet connection, but IE can’t connect and firefox doesn’t even open).

Thank you all for your input!

Do you have a flash drive and access to another system to download files on?
This programme will run from a flash drive and save the reports there.

[*] Download RogueKiller and save it on your desktop.
[*] Quit all programs.
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

[*] The report has been created on the desktop.

[*] Next click on the ShortcutsFix.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

[*] The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Each quote is a different report.

RogueKiller V7.0.4 [02/08/2012] by Tigzy mail: tigzyRKgmailcom Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Safe mode with network support
User: Kelly [Admin rights]
Mode: Scan – Date : 02/12/2012 00:17:37

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[PROXY IE] HKCU[…]\Internet Settings : ProxyEnable (1) → FOUND
[PROXY IE] HKCU[…]\Internet Settings : ProxyServer (hxxp127.0.0.1:61535) → FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200AAKS-75L9A0 ATA Device +++++
— User —
[MBR] fab8685f424c5137f165ec205ea94457
[BSP] bdf99326810b3ea5b3c85f61013cb3ba : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21084160 | Size: 294949 Mo
User = LL1 … OK!
User = LL2 … OK!

+++++ PhysicalDrive1: SanDisk U3 Cruzer Micro USB Device +++++
— User —
[MBR] da979fee9f2ddab9c8a641682578f7c6
[BSP] 788470fe12ec57aabe933cfdd9c84885 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 239 | Size: 988 Mo
User = LL1 … OK!
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

RogueKiller V7.0.4 [02/08/2012] by Tigzy mail: tigzyRKgmailcom Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6001 Service Pack 1) 32 bits version
Started in : Safe mode with network support
User: Kelly [Admin rights]
Mode: Remove – Date : 02/12/2012 00:17:48

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤
[PROXY IE] HKCU[…]\Internet Settings : ProxyEnable (1) → NOT REMOVED, USE PROXYFIX
[PROXY IE] HKCU[…]\Internet Settings : ProxyServer (hxxp127.0.0.1:61535) → NOT REMOVED, USE PROXYFIX

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [NOT LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200AAKS-75L9A0 ATA Device +++++
— User —
[MBR] fab8685f424c5137f165ec205ea94457
[BSP] bdf99326810b3ea5b3c85f61013cb3ba : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 10240 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21084160 | Size: 294949 Mo
User = LL1 … OK!
User = LL2 … OK!

+++++ PhysicalDrive1: SanDisk U3 Cruzer Micro USB Device +++++
— User —
[MBR] da979fee9f2ddab9c8a641682578f7c6
[BSP] 788470fe12ec57aabe933cfdd9c84885 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 239 | Size: 988 Mo
User = LL1 … OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Did Avast report malware during the boot scan and give you an option to quarantine or delete?

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

[*]Restart the computer.
[*]As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
[*]Use the arrow keys to select the Repair your computer menu item.
[*]Select English as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

[*]Insert the installation disc.
[*]Restart your computer.
[*]If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
[*]Click Repair your computer.
[*]Select English as the keyboard language settings, and then click Next.
[*]Select the operating system you want to repair, and then click Next.
[*]Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select “Computer” and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Before I continue, this was the file that avast told me was infected:

Appdata\locallow\sun\java\deployment\cache\6.0\1

And I couldn’t get the rest. It listed Java: Agent-Dm as a trojan.

(I don’t think it’s a trojan; there was a post here about a year ago about this possibly being a false positive).

I’ll go ahead and run that now, but I don’t know if this changes anything.

The log exceeds the character limit, so here is part one:

Scan result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 11-02-2012 Ran by SYSTEM at 2012-02-11 23:56:35 Running from F:\ Windows Vista (TM) Home Basic Service Pack 1 (X86) OS Language: English(US) The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM.…\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide [1008184 2008-01-20] (Microsoft Corporation)
HKLM.…\Run: [RtHDVCpl] RtHDVCpl.exe
HKLM.…\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [141848 2008-04-21] (Intel Corporation)
HKLM.…\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [166424 2008-04-21] (Intel Corporation)
HKLM.…\Run: [Persistence] C:\Windows\system32\igfxpers.exe [133656 2008-04-21] (Intel Corporation)
HKLM.…\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup [30192 2010-08-15] (Google)
HKLM.…\Run: [mcagent_exe] “C:\Program Files\McAfee.com\Agent\mcagent.exe” /runkey [1218008 2010-02-11] (McAfee, Inc.)
HKLM.…\Run: [dscactivate] “C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe” [16384 2008-03-11] ( )
HKLM.…\Run: [Dell DataSafe Online] “C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe” /m [1742064 2008-10-03] ()
HKLM.…\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime [421888 2010-09-08] (Apple Inc.)
HKLM.…\Run: [SunJavaUpdateSched] “C:\Program Files\Common Files\Java\Java Update\jusched.exe” [248552 2010-05-14] (Sun Microsystems, Inc.)
HKLM.…\Run: [Zune Launcher] “c:\Program Files\Zune\ZuneLauncher.exe” [158448 2009-09-04] (Microsoft Corporation)
HKLM.…\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe” [35760 2010-06-19] (Adobe Systems Incorporated)
HKLM.…\Run: [Adobe ARM] “C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe” [976832 2010-06-09] (Adobe Systems Incorporated)
HKLM.…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe” [421160 2010-11-17] (Apple Inc.)
HKLM.…\Run: [Malwarebytes’ Anti-Malware (reboot)] “C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe” /runcleanupscript [1047656 2011-07-06] (Malwarebytes Corporation)
HKLM.…\Run: [AdobeAAMUpdater-1.0] “C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe” [500208 2010-03-05] (Adobe Systems Incorporated)
HKLM.…\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM.…\Run: [AdobeCS5ServiceManager] “C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe” -launchedbylogin [406992 2010-02-22] (Adobe Systems Incorporated)
HKLM.…\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM.…\Run:
HKLM.…\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide [165208 2010-05-07] (Logitech Inc.)
HKU\Kelly.…\Run: [swg] “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [39408 2008-11-29] (Google Inc.)
HKU\Kelly.…\Run: [Aim6]
HKU\Kelly.…\Run: [msnmsgr] “C:\Program Files\Windows Live\Messenger\msnmsgr.exe” /background [3883856 2009-07-26] (Microsoft Corporation)
HKU\Kelly.…\Run: [DW6] “C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe”
HKU\Kelly.…\Run: [Logitech Vid] “C:\Program Files\Logitech\Vid\Vid.exe” -bootmode [6061400 2010-05-11] (Logitech Inc.)
HKU\Kelly.…\Run: [Logitech Vid HD] “C:\Program Files\Logitech\Vid\vid.exe” -bootmode [6061400 2010-05-11] (Logitech Inc.)
HKLM.…\RunOnce: [*Restore] C:\Windows\system32\rstrui.exe /RUNONCE [318464 2008-11-29] (Microsoft Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

================================ Services (Whitelisted) ==================

2 AdobeActiveFileMonitor7.0; C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [169312 2008-09-16] (Adobe Systems Incorporated)
2 DockLoginService; C:\Program Files\Dell\DellDock\DockLogin.exe [155648 2008-09-23] (Stardock Corporation)
3 GameConsoleService; “C:\Program Files\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe” [164600 2008-07-04] (WildTangent, Inc.)
3 GoogleDesktopManager-051210-111108; “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” [30192 2010-08-15] (Google)
3 GoToAssist; “C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe” Start=service [16680 2008-11-29] (Citrix Online, a division of Citrix Systems, Inc.)
2 LVPrcSrv; “C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcSrv.exe” [162648 2010-05-07] (Logitech Inc.)
2 McAfee SiteAdvisor Service; “C:\Program Files\McAfee\SiteAdvisor\McSACore.exe” [88176 2011-02-16] (McAfee, Inc.)
2 mcmscsvc; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [865832 2010-02-11] (McAfee, Inc.)
3 McODS; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [378184 2007-11-07] (McAfee, Inc.)
2 McShield; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [144704 2007-07-24] (McAfee, Inc.)
3 McSysmon; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [695624 2007-12-05] (McAfee, Inc.)
2 MpfService; “C:\Program Files\McAfee\MPF\MPFSrv.exe” [856864 2007-07-18] (McAfee, Inc.)
2 MSK80Service; “C:\Program Files\McAfee\MSK\MskSrver.exe” [23880 2007-11-26] (McAfee, Inc.)
3 SwitchBoard; “C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe” [517096 2010-02-19] (Adobe Systems Incorporated)
2 TabletServiceWacom; C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe [4767600 2010-09-20] (Wacom Technology, Corp.)
2 Viewpoint Manager Service; “C:\Program Files\Viewpoint\Common\ViewpointService.exe” [24652 2007-01-04] (Viewpoint Corporation)
2 McNASvc; “c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe”
2 McProxy; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
3 ZuneNetworkSvc; “c:\Program Files\Zune\ZuneNss.exe”
3 ZuneWlanCfgSvc; c:\Windows\system32\ZuneWlanCfgSvc.exe

========================== Drivers (Whitelisted) =============

1 ASPI32; C:\Windows\System32\Drivers\ASPI32.sys [25244 1999-09-10] (Adaptec)
3 lvpopflt; C:\Windows\System32\DRIVERS\lvpopflt.sys [114784 2010-05-14] (Logitech Inc.)
3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25824 2010-05-07] ()
3 LVRS; C:\Windows\System32\DRIVERS\lvrs.sys [276448 2010-05-14] (Logitech Inc.)
3 LVUVC; C:\Windows\System32\DRIVERS\lvuvc.sys [6842592 2010-05-14] (Logitech Inc.)
3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [79304 2007-11-22] (McAfee, Inc.)
3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [35240 2007-11-22] (McAfee, Inc.)
1 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [201320 2007-11-22] (McAfee, Inc.)
3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [33832 2007-11-22] (McAfee, Inc.)
3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [40488 2007-12-02] (McAfee, Inc.)
1 MPFP; C:\Windows\System32\Drivers\Mpfp.sys [125728 2007-07-13] (McAfee, Inc.)
4 Mraid35x; C:\Windows\System32\drivers\mraid35x.sys [33384 2006-11-02] (LSI Logic Corporation)
4 SiSRaid2; C:\Windows\System32\drivers\sisraid2.sys [41016 2008-01-20] (Microsoft Corporation)
4 UlSata; C:\Windows\System32\drivers\ulsata.sys [98408 2006-11-02] (Promise Technology, Inc.)
4 ulsata2; C:\Windows\System32\drivers\ulsata2.sys [115816 2008-01-20] (Promise Technology, Inc.)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys
3 WacomVKHid; C:\Windows\System32\DRIVERS\WacomVKHid.sys

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-02-11 23:56 - 2012-02-11 23:56 - 0000000 ____D C:\FRST
2012-02-11 21:17 - 2012-02-12 09:10 - 1202688 ____A C:\Users\Kelly\Desktop\RogueKiller.exe
2012-02-11 21:17 - 2012-02-11 21:17 - 0001636 ____A C:\Users\Kelly\Desktop\RKreport[2].txt
2012-02-11 21:17 - 2012-02-11 21:17 - 0001576 ____A C:\Users\Kelly\Desktop\RKreport[1].txt
2012-02-11 21:17 - 2012-02-11 21:17 - 0000000 ____D C:\Users\Kelly\Desktop\RK_Quarantine
2012-02-11 14:11 - 2012-02-11 18:56 - 268435456 __ASH C:\Windows\System32\temppf.sys
2012-02-11 13:03 - 2012-02-11 13:03 - 0001435 ____A C:\aswBoot.log
2012-02-11 13:02 - 2012-02-11 13:17 - 0000000 ____D C:\Windows\pss
2012-02-11 08:07 - 2012-02-11 08:07 - 0000000 __SHD C:\found.001
2012-02-05 12:31 - 2012-02-05 12:31 - 0000000 ____D C:\Users\Kelly\Downloads\VisualBoyAdvance-1.7.2
2012-02-05 12:30 - 2012-02-05 12:30 - 0611913 ____A C:\Users\Kelly\Downloads\VisualBoyAdvance-1.7.2.zip
2012-02-04 14:35 - 2012-02-09 19:48 - 0014015 ____A C:\Users\Kelly\Documents\character.docx
2012-02-04 14:35 - 2012-02-04 14:35 - 0010932 ____A C:\Users\Kelly\Documents\character2.docx
2012-01-31 13:51 - 2012-01-31 13:51 - 0780589 ____A C:\Users\Kelly\Desktop\nevermore.psd
2012-01-29 07:28 - 2012-01-29 07:29 - 2887264 ____A C:\Users\Kelly\Downloads\gedit-3.2.6.tar.xz
2012-01-29 07:28 - 2012-01-29 07:28 - 0000000 ____A C:\Users\Kelly\pwd
2012-01-26 18:39 - 2012-01-26 18:39 - 3805553 ____A C:\Users\Kelly\Desktop\sweet.psd
2012-01-21 11:52 - 2012-01-21 11:52 - 9429931 ____A C:\Users\Kelly\Desktop\blergh.psd

Actually, make that 3 posts.

============ 3 Months Modified Files and Folders ===============

2012-02-11 23:56 - 2012-02-11 23:56 - 0000000 ____D C:\FRST
2012-02-11 21:40 - 2011-02-19 15:32 - 0511966 ____A C:\Windows\ntbtlog.txt
2012-02-11 21:40 - 2008-11-29 17:21 - 0045787 ____A C:\Windows\System32\Config.MPF
2012-02-11 21:18 - 2006-11-02 02:33 - 0690960 ____A C:\Windows\System32\PerfStringBackup.INI
2012-02-11 21:17 - 2012-02-11 21:17 - 0001636 ____A C:\Users\Kelly\Desktop\RKreport[2].txt
2012-02-11 21:17 - 2012-02-11 21:17 - 0001576 ____A C:\Users\Kelly\Desktop\RKreport[1].txt
2012-02-11 21:17 - 2012-02-11 21:17 - 0000000 ____D C:\Users\Kelly\Desktop\RK_Quarantine
2012-02-11 21:12 - 2008-12-25 07:03 - 0000000 ____D C:\Users\Kelly\AppData\Roaming\Adobe
2012-02-11 19:55 - 2011-08-26 13:54 - 0000000 ____D C:\Windows\System32\logishrd
2012-02-11 19:55 - 2006-11-02 04:58 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-02-11 18:56 - 2012-02-11 14:11 - 268435456 __ASH C:\Windows\System32\temppf.sys
2012-02-11 18:56 - 2008-11-29 12:06 - 1952994 ____A C:\Windows\WindowsUpdate.log
2012-02-11 18:06 - 2008-12-25 06:59 - 0000000 ____D C:\users\Kelly
2012-02-11 18:06 - 2006-11-02 02:22 - 38010880 ____A C:\Windows\System32\config\software_previous
2012-02-11 18:06 - 2006-11-02 02:22 - 20709376 ____A C:\Windows\System32\config\system_previous
2012-02-11 18:05 - 2011-08-26 13:53 - 0000000 ____D C:\Program Files\Common Files\LogiShrd
2012-02-11 18:05 - 2011-07-14 09:25 - 0000000 ____D C:\Users\Kelly\AppData\Roaming\uTorrent
2012-02-11 18:05 - 2011-02-19 15:59 - 0000000 ____D C:\Program Files\Malwarebytes’ Anti-Malware
2012-02-11 18:05 - 2009-04-19 05:24 - 0000000 ____D C:\Windows\Minidump
2012-02-11 18:05 - 2009-01-17 11:53 - 0000000 ____D C:\Users\Kelly\AppData\Local\Microsoft Help
2012-02-11 18:05 - 2008-12-25 10:56 - 0000000 ____D C:\Program Files\Mozilla Firefox
2012-02-11 18:05 - 2008-11-29 17:17 - 0000000 ____D C:\Program Files\Google
2012-02-11 18:05 - 2006-11-02 04:35 - 0000000 ____D C:\Windows\twain_32
2012-02-11 18:05 - 2006-11-02 03:18 - 0000000 ___RD C:\users\Public
2012-02-11 18:05 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\spool
2012-02-11 18:05 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\Msdtc
2012-02-11 18:05 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\registration
2012-02-11 18:04 - 2011-08-26 13:54 - 0000000 ____D C:\Windows\LastGood.Tmp
2012-02-11 18:03 - 2011-08-17 19:46 - 0000000 ____D C:\Users\All Users\NexonUS
2012-02-11 18:03 - 2011-08-17 19:46 - 0000000 ____D C:\ProgramData\NexonUS
2012-02-11 17:32 - 2006-11-02 02:22 - 31457280 ____A C:\Windows\System32\config\components_previous
2012-02-11 17:28 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\security_previous
2012-02-11 17:28 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\sam_previous
2012-02-11 17:28 - 2006-11-02 02:22 - 0262144 ____A C:\Windows\System32\config\default_previous
2012-02-11 14:11 - 2010-12-22 15:50 - 0000868 ____A C:\Windows\Tasks\Google Software Updater.job
2012-02-11 13:17 - 2012-02-11 13:02 - 0000000 ____D C:\Windows\pss
2012-02-11 13:12 - 2010-09-21 12:04 - 0000880 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-02-11 13:03 - 2012-02-11 13:03 - 0001435 ____A C:\aswBoot.log
2012-02-11 12:18 - 2011-08-03 11:04 - 0000000 ____D C:\Program Files\Blender Foundation
2012-02-11 12:17 - 2011-08-28 10:23 - 0000000 ____D C:\Nexon
2012-02-11 11:55 - 2008-12-25 06:59 - 0000000 ____D C:\Users\Kelly\AppData\LocalLow
2012-02-11 09:42 - 2009-02-23 16:37 - 0002032 ____A C:\Users\Kelly\AppData\Local\d3d9caps.dat
2012-02-11 08:07 - 2012-02-11 08:07 - 0000000 __SHD C:\found.001
2012-02-11 08:00 - 2008-11-29 17:19 - 0000000 ____D C:\Program Files\McAfee
2012-02-11 04:50 - 2011-11-06 04:21 - 0000000 ____D C:\Program Files\Steam
2012-02-11 04:50 - 2008-11-29 17:19 - 0000000 ____D C:\Program Files\Common Files\McAfee
2012-02-11 04:48 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\config\TxR
2012-02-11 04:48 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\System32\config\Journal
2012-02-10 19:26 - 2009-10-16 14:23 - 0000000 ____D C:\Users\Kelly\Tracing
2012-02-09 19:48 - 2012-02-04 14:35 - 0014015 ____A C:\Users\Kelly\Documents\character.docx
2012-02-06 13:16 - 2011-07-19 09:04 - 0000000 ____D C:\Users\Kelly\Desktop\Misc Files
2012-02-05 12:31 - 2012-02-05 12:31 - 0000000 ____D C:\Users\Kelly\Downloads\VisualBoyAdvance-1.7.2
2012-02-05 12:30 - 2012-02-05 12:30 - 0611913 ____A C:\Users\Kelly\Downloads\VisualBoyAdvance-1.7.2.zip
2012-02-04 14:35 - 2012-02-04 14:35 - 0010932 ____A C:\Users\Kelly\Documents\character2.docx
2012-02-03 14:42 - 2008-01-20 19:02 - 0133204 ____A C:\Windows\PFRO.log
2012-01-31 13:51 - 2012-01-31 13:51 - 0780589 ____A C:\Users\Kelly\Desktop\nevermore.psd
2012-01-29 07:29 - 2012-01-29 07:28 - 2887264 ____A C:\Users\Kelly\Downloads\gedit-3.2.6.tar.xz
2012-01-29 07:28 - 2012-01-29 07:28 - 0000000 ____A C:\Users\Kelly\pwd
2012-01-28 08:27 - 2008-12-25 07:01 - 0000000 ____D C:\Users\Kelly\AppData\Local\Google
2012-01-26 18:39 - 2012-01-26 18:39 - 3805553 ____A C:\Users\Kelly\Desktop\sweet.psd
2012-01-25 13:27 - 2011-12-12 19:14 - 0014348 ____A C:\Users\Kelly\Documents\eart h2.docx
2012-01-21 11:52 - 2012-01-21 11:52 - 9429931 ____A C:\Users\Kelly\Desktop\blergh.psd
2012-01-16 06:44 - 2011-12-30 12:04 - 0000000 ____D C:\Users\Kelly\Desktop\skyrim costume
2012-01-10 19:44 - 2012-01-10 19:43 - 0000000 ____D C:\Users\Kelly\Downloads\Skyrim_MP3
2012-01-07 20:10 - 2012-01-07 20:10 - 0011327 ____A C:\Users\Kelly\Documents\s1.docx
2012-01-06 15:06 - 2012-01-06 15:00 - 0000000 ____D C:\Users\Kelly\Downloads\decoratorAssistant_v1-2-2475
2012-01-06 15:00 - 2012-01-06 15:00 - 0045777 ____A C:\Users\Kelly\Downloads\decoratorAssistant_v1-2-2475.zip
2012-01-06 14:59 - 2012-01-06 14:06 - 0000000 ____D C:\Users\Kelly\Downloads\ScriptDragon_1.3.10.0(1)
2012-01-06 14:06 - 2012-01-06 14:06 - 1264675 ____A C:\Users\Kelly\Downloads\ScriptDragon_1.3.10.0.zip
2012-01-06 14:06 - 2012-01-06 14:06 - 1264675 ____A C:\Users\Kelly\Downloads\ScriptDragon_1.3.10.0(1).zip
2012-01-02 18:10 - 2012-01-02 18:10 - 0010255 ____A C:\Users\Kelly\Documents\quote.docx
2012-01-02 18:04 - 2012-01-02 18:04 - 0012397 ____A C:\Users\Kelly\Documents\one pager 2.docx
2011-12-29 11:41 - 2011-12-29 11:36 - 0000000 ____D C:\Users\Kelly\Documents\Agot
2011-12-29 09:30 - 2009-01-12 16:17 - 0000000 ____D C:\Users\Kelly\AppData\Local\Adobe
2011-12-28 20:22 - 2006-11-02 04:49 - 0143369 ____A C:\Windows\setupact.log
2011-12-15 17:51 - 2011-12-15 17:49 - 0013752 ____A C:\Users\Kelly\Documents\Just me and My Mannequin.docx
2011-12-15 17:51 - 2011-12-15 16:17 - 0011338 ____A C:\Users\Kelly\Documents\Ode to the Occupant.docx
2011-12-15 16:16 - 2011-11-06 19:47 - 0026291 ____A C:\Users\Kelly\Documents\nclb.docx
2011-12-15 15:57 - 2011-11-14 14:53 - 0011107 ____A C:\Users\Kelly\Documents\wip.docx
2011-12-14 19:24 - 2011-12-14 19:24 - 0011764 ____A C:\Users\Kelly\Documents\earth 3.docx
2011-12-11 08:34 - 2011-12-09 17:54 - 0011031 ____A C:\Users\Kelly\Documents\The Kings of Earth and Water.docx
2011-12-10 14:22 - 2011-12-10 14:22 - 0186348 ____A C:\Users\Kelly\Desktop\2011-12-10_00018.jpg
2011-11-22 04:56 - 2011-11-22 04:56 - 0000215 ____A C:\Users\Kelly\Desktop\The Elder Scrolls V Skyrim.url
2011-11-21 19:05 - 2011-11-21 19:05 - 0000000 ____D C:\Users\Kelly\AppData\Local\Skyrim
2011-11-21 19:01 - 2011-11-21 19:01 - 0000000 ____D C:\Users\Kelly\Documents\My Games
2011-11-21 19:01 - 2006-11-02 03:18 - 0000000 ____D C:\Windows\Microsoft.NET
2011-11-21 06:18 - 2011-11-21 06:18 - 0000213 ____A C:\Users\Kelly\Desktop\Portal 2.url
2011-11-20 17:21 - 2011-11-20 17:21 - 0000000 ____D C:\Users\Kelly\AppData\Roaming\ATI
2011-11-20 17:21 - 2011-11-20 17:21 - 0000000 ____D C:\Users\Kelly\AppData\Local\ATI
2011-11-20 17:21 - 2011-11-20 17:21 - 0000000 ____D C:\Users\All Users\ATI
2011-11-20 17:21 - 2011-11-20 17:21 - 0000000 ____D C:\ProgramData\ATI
2011-11-20 17:03 - 2011-11-20 17:01 - 0000000 ____D C:\Program Files\ATI Technologies
2011-11-20 17:01 - 2011-11-20 17:01 - 0000000 ____D C:\Program Files\ATI
2011-11-20 17:00 - 2011-11-20 17:00 - 0000000 ____D C:\AMD
2011-11-20 07:10 - 2011-11-20 07:10 - 0000000 ____D C:\Program Files\Futuremark
2011-11-20 07:10 - 2008-11-29 17:14 - 0000000 ____D C:\Program Files\InstallShield Installation Information
2011-11-18 15:35 - 2011-11-18 15:35 - 0000000 __SHD C:\found.000
2011-11-14 12:49 - 2009-11-03 14:30 - 0000000 ____D C:\Program Files\Pando Networks
2011-11-14 12:48 - 2011-08-17 19:46 - 0000000 ____D C:\Users\All Users\NexonUS(492)
2011-11-14 12:48 - 2011-08-17 19:46 - 0000000 ____D C:\ProgramData\NexonUS(492)

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2008-12-25 08:09] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9

========================= Memory info ======================

Percentage of memory in use: 23%
Total physical RAM: 2045.45 MB
Available physical RAM: 1563.54 MB
Total Pagefile: 1861.95 MB
Available Pagefile: 1640.15 MB
Total Virtual: 2047.88 MB
Available Virtual: 1974.32 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:288.04 GB) (Free:195 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:2.73 GB) NTFS
3 Drive e: (VISTA_SP1_HOMEBASIC) (CDROM) (Total:2.87 GB) (Free:0 GB) UDF
4 Drive f: () (Removable) (Total:0.96 GB) (Free:0.34 GB) FAT
5 Drive g: (U3System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt


Disk 0 Online 298 GB 0 B
Disk 1 Online 983 MB 0 B

Partitions of Disk 0:

Partition ### Type Size Offset


Partition 1 OEM 55 MB 32 KB
Partition 2 Primary 10 GB 55 MB
Partition 3 Primary 288 GB 10 GB

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 5 FAT Partition 55 MB Healthy Hidden

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 2 D RECOVERY NTFS Partition 10 GB Healthy

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 3 C OS NTFS Partition 288 GB Healthy

Partitions of Disk 1:

Partition ### Type Size Offset


Partition 1 Primary 988 MB 120 KB

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info


  • Volume 4 F FAT Removable 988 MB Healthy

==========================================================
TDL4: custom:26000022

==========================================================

Last Boot: 2012-02-11 07:33

======================= End Of Log ==========================

You can use the “Attachments and other options” link (before you click on “post”) to attach the text files (logs / reports). It will be easier for you and for essexboy.

Sorry for the interruption.

Ah. I totally missed that.

You have a tdl4 infection in the volsnap file… But Avast did not touch that

I will try to reset your system back to the last good boot

Download the attached fixlist.txt to the flash drive that has FRST
Run FRST and press the fix button
Reboot to normal windows

THEN

Download aswMBR.exe ( 4.1mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click Save log, save it to your desktop and post it in your next reply.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif
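A triage script for the report lines posted above, as an added example (it is not code from RogueKiller, FRST, Avast or anyone in this thread): it pulls out the IE proxy pinned to 127.0.0.1:61535 (the reason browsers fail in Safe Mode with Networking), the unrecognised MBR, the TDL4 marker and the system files whose MD5 FRST listed rather than confirmed legit, and ranks them. The sample input is constructed from the lines pasted in this thread and the severity labels are the script's own, not FRST's.

```python
"""Triage of RogueKiller / FRST report lines of the kinds quoted in this thread.

Added example, not code from RogueKiller, FRST or Avast. Severity labels are
the script's own assumptions; the sample input is constructed from the thread.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (our own ranking)
    item: str       # what the finding is about
    detail: str     # why it matters and what to check


# Constructed sample: report lines copied from the thread, with the
# "→" and "…" characters rendered as "->" and "..." for portability.
SAMPLE_LOG = """\
[PROXY IE] HKCU[...]\\Internet Settings : ProxyEnable (1) -> FOUND
[PROXY IE] HKCU[...]\\Internet Settings : ProxyServer (hxxp127.0.0.1:61535) -> FOUND
+++++ PhysicalDrive0: WDC WD3200AAKS-75L9A0 ATA Device +++++
[BSP] bdf99326810b3ea5b3c85f61013cb3ba : Windows Vista MBR Code
+++++ PhysicalDrive1: SanDisk U3 Cruzer Micro USB Device +++++
[BSP] 788470fe12ec57aabe933cfdd9c84885 : MBR Code unknown
C:\\Windows\\explorer.exe
[2008-12-25 08:09] - [2008-10-28 22:29] - 2927104 ____A (Microsoft Corporation) 4F554999D7D5F05DAAEBBA7B5BA1089D
C:\\Windows\\System32\\winlogon.exe => MD5 is legit
C:\\Windows\\System32\\Drivers\\volsnap.sys
[2008-01-20 18:32] - [2008-01-20 18:32] - 0227896 ____A (Microsoft Corporation) D8B4A53DD2769F226B3EB374374987C9
TDL4: custom:26000022
"""

PROXY_RE = re.compile(r"\[PROXY IE\].*?:\s*(ProxyEnable|ProxyServer)\s*\((.*?)\)")
HOSTPORT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
DRIVE_RE = re.compile(r"\+{5} (PhysicalDrive\d+): (.*?) \+{5}")
BSP_RE = re.compile(r"\[BSP\] ([0-9a-f]{32}) : (.*)")
LEGIT_RE = re.compile(r"^(\S.*?) => MD5 is legit$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
HASHLINE_RE = re.compile(r"^\[.*?\] - \[.*?\] - \d+ \S+ \((.*?)\) ([0-9A-Fa-f]{32})$")
TDL4_RE = re.compile(r"^TDL4: (.*)$")

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def triage(report_text):
    """Return the findings from RogueKiller/FRST lines, most severe first."""
    findings = []
    proxy = {}                  # ProxyEnable / ProxyServer values seen
    drive = "unknown drive"     # current "+++++ PhysicalDriveN" section
    pending_path = None         # bare file path waiting for its hash line
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.search(line):
            proxy[m.group(1)] = m.group(2)
        elif m := DRIVE_RE.search(line):
            drive = f"{m.group(1)} ({m.group(2)})"
        elif m := BSP_RE.search(line):
            # RogueKiller names known boot sector code; "unknown" needs a look
            if "unknown" in m.group(2).lower():
                findings.append(Finding("medium", drive,
                    f"boot sector code not recognised (BSP {m.group(1)}); "
                    "compare with what this device is expected to carry"))
        elif m := TDL4_RE.match(line):
            findings.append(Finding("high", "TDL4 marker",
                f"FRST flagged TDL4 ({m.group(1)}); an MBR/bootkit scan is "
                "needed, this is outside what the antivirus boot scan covered"))
        elif LEGIT_RE.match(line):
            pending_path = None     # FRST already verified this file's hash
        elif (m := HASHLINE_RE.match(line)) and pending_path:
            findings.append(Finding("medium", pending_path,
                f"MD5 {m.group(2)} listed but not confirmed legit; verify "
                f"against a known-good copy of the {m.group(1)} file"))
            pending_path = None
        elif PATH_RE.match(line):
            pending_path = line
    if proxy.get("ProxyEnable") == "1":
        server = proxy.get("ProxyServer", "")
        hp = HOSTPORT_RE.search(server)
        if hp and ipaddress.ip_address(hp.group(1)).is_loopback:
            findings.append(Finding("high", "IE proxy",
                f"WinINet proxy forced to {hp.group(1)}:{hp.group(2)}; browsers "
                "fail when nothing answers on that local port, so clear it "
                "(RogueKiller's ProxyFix or the Internet Settings key) after cleanup"))
        else:
            findings.append(Finding("low", "IE proxy",
                f"proxy enabled to {server or 'an unspecified server'}; confirm it is intended"))
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.item}: {f.detail}")
```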

Here you go.

From that I assume you are back in

All Avast is picking up there is McAfee

No indication of a TDL4

How is the computer behaving?

Relatively fine, save for that it can’t boot normally. Everything works in safe mode, and I have managed to get internet.

When I start the computer after it was completely turned off, it attempts to boot in normal mode, but when the login screen loads, it is blocky as one would find in safe mode. That’s the only abnormality I can see.

Again, sorry for the interruption. Essexboy is probably going to be back tomorrow.

In the meantime…

If there are remnants of some old tool (McAfee?), that’s part of the problem (independently of some other possible issue, malware or whatever else).

So, you should still run the removal utility for avast (even if no folder was left). Some other items were left over (services, drivers, registry keys…) when you manually deleted those folders. The same goes to other security tools, like McAfee for example.

Find some specific security removal utilities (according to the security tools you used to have) at http://singularlabs.com/uninstallers/security-software/.

Since you can only boot into Windows Safe Mode, then run the respective removal utilities under that condition, even if the respective info says to run under Normal Mode.

Alternatively, wait for instructions from essexboy tomorrow.

Since this seems to be the time to butt in, may I suggest that you wait for essexboy. He is the trained expert and usually has a systematic way of doing things. Since he’s already revived your dead system, I think he’s heading in the right direction. :slight_smile: