Alright, so I was gone for a day and I put this thing in its case to ensure it would be fine. I get back today and when I power it on and log in it says “Preparing desktop”. At first I thought nothing of it, then I saw a message box that said “System 32 path not specified” [Found out the actual message, please scroll to near the bottom. There should be a link to a Microsoft message board.] and I shut down the system and restarted and everything worked. I’m running all logs now, will update with them. I don’t know what happened. I’m more spooked than ever, and right now I’m assuming my PC might have been compromised. Also, for added detail, the background was black, only the recycle bin appeared, and the whole computer was in Windows 95 mode.
Edit: Also, checking the Event Viewer, I’ll show you what it tells me:
The IP Helper service failed to start due to the following error:
The system cannot find the path specified.
The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the IKE and AuthIP IPsec Keying Modules service, but this action failed with the following error:
An instance of the service is already running.
The Extensible Authentication Protocol service failed to start due to the following error:
The system cannot find the path specified.
The System Event Notification Service service failed to start due to the following error:
The system cannot find the path specified.
The User Profile Service service failed to start due to the following error:
The system cannot find the path specified.
The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:
An instance of the service is already running.
The Multimedia Class Scheduler service failed to start due to the following error:
The system cannot find the path specified.
Currently running the scans and such, might take a bit. Also, a techie friend of mine says this is a User Environment failure, meaning the user environment either broke or got corrupted and fixed itself on restart. However, I’m not ruling out malicious files just yet; Malwarebytes is running as we speak and soon aswMBR will be too.
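The Event Viewer entries above are Service Control Manager messages: “failed to start due to the following error” is event 7000, “terminated unexpectedly” is 7031, and “tried to take a corrective action … but this action failed” is 7032. As an added example that is not part of this thread, the PowerShell below pulls those events for the last two days and then checks whether each service’s ImagePath still points to a file that exists on disk, which separates a service entry that is actually broken from a profile or environment glitch that cleared on restart. The Resolve-ServiceBinary helper and the 48-hour window are this example’s own choices.

```powershell
# Added example, not from this thread: triage "service failed to start" errors
# like the Event Viewer entries above on a Windows machine.
#  1. Pull recent Service Control Manager events 7000 (service failed to start),
#     7031 (service terminated unexpectedly) and 7032 (corrective action failed).
#  2. For every configured service, resolve its ImagePath and report entries
#     whose executable or driver file does not exist on disk.
# Run from an elevated PowerShell prompt. The $Hours lookback and the
# path-resolution rules in Resolve-ServiceBinary are this example's choices.
param([int]$Hours = 48)

$since = (Get-Date).AddHours(-$Hours)
Write-Host "== Service Control Manager events 7000/7031/7032 since $since =="
try {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7031, 7032
        StartTime    = $since
    } -ErrorAction Stop |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -AutoSize -Wrap
} catch {
    # Get-WinEvent raises an error when nothing matches; that is a clean result here.
    Write-Host "No matching events (or access denied): $($_.Exception.Message)"
}

function Resolve-ServiceBinary {
    # Turn a raw ImagePath value into the file it points at. Handles quoted
    # paths, trailing arguments (e.g. "svchost.exe -k netsvcs"), %SystemRoot%
    # variables, and the \SystemRoot\, \??\ and bare system32\... forms
    # commonly used by driver entries.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        $p = if ($end -gt 0) { $p.Substring(1, $end - 1) } else { $p.Trim('"') }
    } else {
        # Unquoted: keep everything up to the first .exe/.sys/.dll token,
        # otherwise fall back to the first whitespace-delimited token.
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        $p = if ($m.Success) { $m.Groups[1].Value } else { ($p -split '\s+')[0] }
    }
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\... (-replace is case-insensitive)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # system32\drivers\x.sys
    return $p
}

Write-Host "`n== Services whose ImagePath points to a missing file =="
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$missing = Get-ChildItem $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.ImagePath) { return }   # parameter-only subkeys have no ImagePath
    $bin = Resolve-ServiceBinary $props.ImagePath
    if ($bin -and -not (Test-Path -LiteralPath $bin)) {
        [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $props.ImagePath; Resolved = $bin }
    }
}
if ($missing) { $missing | Format-Table -AutoSize -Wrap }
else          { Write-Host 'Every service ImagePath resolves to an existing file.' }
```

A hit in the second list is a lead to review, not a verdict: compare the entry against the same service on a known-good machine of the same Windows version before deciding whether the file was removed, renamed, or never existed in that form. If every ImagePath resolves and the 7000 events stopped after the reboot, the “cannot find the path specified” failures were most likely a one-off environment problem at logon rather than a damaged service configuration.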
1. Double-click ServicesRepair.exe.
2. If security notifications appear, click Continue or Run, then click Yes when asked if you want to proceed.
3. Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
4. A log will be saved in the CCSupport folder the tool created on your desktop; please post its content in your next reply.
OTL log shows no signs of infection. But at the kernel level I need an additional check (TDSSKiller, as aswMBR works at kernel level) to be 100% sure you are clean.
Ok, thanks for letting me know. How do you mean TDSSKiller conflicts with your AV? What happened when you tried to run TDSSK?
When TDSSKiller restarted, it was to do boot monitoring to run the driver it had. That’s when my AV labeled it, when it tried to start before everything else.
1. Unzip/unrar MBAR into a folder on your Desktop.
2. Open the folder where the contents were unzipped and run mbar.exe.
3. Click Next, then the Update button to download fresh definitions.
4. When the database has updated, click Next.
5. In the following window, ensure the “Targets” scan for Drivers, Sectors and System are ticked. Then select the “Scan” button.
6. If any infections are found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats. Or, if you are sure any entries should not be kept, just untick them. A list of infected files will be shown.
7. The cleanup procedure will be scheduled for processing.
8. When complete, a pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.
Please attach the two following logs from the mbar folder:
system-log.txt
and mbar-log-year-month-day (hour-minute-second).txt.
Dude, I’m saying the last time I ran it (which was a while back) I clicked scan and I chose boot monitoring and it needed to restart to start the scan. Before it could even scan it was shot down by my AV.
Edit: TDSS killer completed this time without interference by my AV. Uploading log.
You do not use 2 resident av solutions or an av solution with an incompatible on-demand scanner?
Can you not exclude it in the av solution you use?
Do I get it right you are not an avast user?
You can also temporarily disable your av for the duration of that scan,