Viruses 00000008, 80000032, 80000064: can’t remove them at all

Well, I have had computers all my life and this is the first time I have been hit by a virus. First I had Microsoft Security Essentials, and it detected these viruses but did not do anything, and the laptop started to reboot by itself, popping up a message that Windows had encountered a critical error. I tried a few things and it stopped restarting, but the virus remained. So I downloaded avast and did a reboot scan; it detected a lot of things and the computer was somehow better, but now every 5 sec it detects one of the viruses listed in the subject in the Windows installer files. I did boot scans more than once but it doesn’t get fixed. Windows sometimes wouldn’t start, but after a while it would. I looked at other forums, but it was clearly stated that I shouldn’t try any solution because they were meant for whatever system was on that forum. So could you please help me to remove these viruses? Thank you.

Please follow the steps in this thread and attach the logs here

http://forum.avast.com/index.php?topic=53253.0

Here is the log you asked for, sir

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.11.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
7arony :: 7ARONY-PC [administrator]

7/11/2012 7:44:18 PM
mbam-log-2012-07-11 (19-44-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233832
Time elapsed: 3 minute(s), 34 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65bcd620-07dd-012f-819f-073cf1b8f7c6} (Adware.GamePlayLab) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011221158} (Adware.GamePlayLab) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki (PUP.Funmoods) → Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Users\7arony\AppData\Local\Temp\131470981.Uninstall\Uninstall.exe (Adware.Agent) → Quarantined and deleted successfully.
C:\Users\7arony\AppData\Local\Temp\is1293846689\IWantThisAD_US.exe (Adware.GamePlayLabs) → Quarantined and deleted successfully.
C:\Users\7arony\AppData\Local\Temp\is1438683437\IWantThis.exe (Adware.GamePlayLabs) → Quarantined and deleted successfully.
C:\Windows\Installer\{3329dffd-f3f1-5768-ddbe-f6efec66dca6}\U\00000008.@ (Trojan.Dropper.BCMiner) → Quarantined and deleted successfully.

(end)

If I could have the OTL one as well please

Sorry for being late; I have the black screen after I log in to Windows 7 after rebooting

Are you able to get to safe mode?

Sorry for the very late reply; my computer wouldn’t go through the black screen. I will get the OTL one now

Are you now stuck in safe mode then?

Nope, I looked up my iPhone and I was able to open the browser using Task Manager and found a solution

Actually, Avast stopped detecting viruses 3 days ago, maybe because I tried restoring it. Should I redo the first log again?

Is it normal for the OTL log to be over 2000 characters?

Yes, as it will look at a lot of areas. You should be able to attach the log quite happily

What was the cause of the black screen?

I am not really sure why the black screen occurred, but I used this fix and it did not happen again

http://www.ghacks.net/2009/12/01/windows-7-black-screen-of-death-fix/

OTL log

Here is the aswMBR.exe log

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-18 15:24:21

15:24:21.050 OS Version: Windows x64 6.1.7601 Service Pack 1
15:24:21.051 Number of processors: 4 586 0x2A07
15:24:21.051 ComputerName: 7ARONY-PC UserName: 7arony
15:24:23.881 Initialize success
15:24:23.941 AVAST engine defs: 12071800
15:24:26.430 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
15:24:26.431 Disk 0 Vendor: WDC_WD50 01.0 Size: 476940MB BusType: 3
15:24:26.447 Disk 0 MBR read successfully
15:24:26.453 Disk 0 MBR scan
15:24:26.462 Disk 0 Windows VISTA default MBR code
15:24:26.474 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 101 MB offset 63
15:24:26.497 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 20000 MB offset 212992
15:24:26.523 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 456835 MB offset 41172992
15:24:26.529 Disk 0 scanning C:\Windows\system32\drivers
15:24:33.359 Service scanning
15:24:46.833 Modules scanning
15:24:46.853 Disk 0 trace - called modules:
15:24:46.903 ntoskrnl.exe CLASSPNP.SYS disk.sys stdcfltn.sys ACPI.sys iaStor.sys hal.dll
15:24:47.233 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8007e57060]
15:24:47.245 3 CLASSPNP.SYS[fffff8800180143f] → nt!IofCallDriver → [0xfffffa8007cd4890]
15:24:47.258 5 stdcfltn.sys[fffff88001b30c52] → nt!IofCallDriver → [0xfffffa8005f57550]
15:24:47.273 7 ACPI.sys[fffff88000d6a7a1] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8005f5b050]
15:24:48.634 AVAST engine scan C:\Windows
15:24:51.134 AVAST engine scan C:\Windows\system32
15:25:27.722 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-ZT [Trj]
15:25:42.382 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
15:25:43.195 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
15:26:27.358 AVAST engine scan C:\Windows\system32\drivers
15:26:35.568 AVAST engine scan C:\Users\7arony
15:27:28.212 Disk 0 MBR has been saved successfully to “C:\Users\7arony\Desktop\MBR.dat”
15:27:28.218 The log file has been saved successfully to “C:\Users\7arony\Desktop\aswMBR.txt”
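
Added example (not part of any post in this thread, and not code from AVAST): a small Python triage helper that pulls the INFECTED lines out of an aswMBR log like the one above and groups the affected files by detection name. The function names and the in_system32 flag are illustrative choices; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Detection lines copied from the aswMBR log above, plus two non-detection
# lines from the same log to show that they are ignored.
SAMPLE_LOG = r"""
15:24:26.462 Disk 0 Windows VISTA default MBR code
15:24:51.134 AVAST engine scan C:\Windows\system32
15:25:27.722 File: C:\Windows\system32\services.exe INFECTED Win32:Sirefef-ZT [Trj]
15:25:42.382 File: C:\Windows\assembly\GAC_32\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
15:25:43.195 File: C:\Windows\assembly\GAC_64\Desktop.ini INFECTED Win32:Sirefef-PL [Rtk]
"""

# timestamp, "File:", path (may contain spaces), INFECTED, detection name, [type tag].
# Optional asterisks around INFECTED are tolerated (assumption about raw tool output).
DETECTION = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+File:\s+(?P<path>.+?)\s+"
    r"\*{0,2}INFECTED\*{0,2}\s+(?P<name>\S+)\s+\[(?P<tag>\w+)\]\s*$"
)

def parse_detections(log_text):
    """Return one dict per 'File: ... INFECTED ...' line, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            hit = m.groupdict()
            # Mark files inside system32 so they stand out in the summary.
            hit["in_system32"] = "\\windows\\system32\\" in hit["path"].lower()
            hits.append(hit)
    return hits

def group_by_detection(hits):
    """Map 'name [tag]' -> list of affected paths."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[f"{h['name']} [{h['tag']}]"].append(h["path"])
    return dict(grouped)

if __name__ == "__main__":
    found = parse_detections(SAMPLE_LOG)
    for label, paths in group_by_detection(found).items():
        print(label)
        for p in paths:
            print("   ", p)
    print("system32 files hit:", [h["path"] for h in found if h["in_system32"]])
```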

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
IE - HKU\S-1-5-21-3842937120-766057847-3462755459-1001\..\SearchScopes\{56DFBC98-EEA2-4E22-BE8D-9B09D7CDDE2B}: "URL" = http://start.funmoods.com/results.php?f=4&a=ironto&q={searchTerms}
IE - HKU\S-1-5-21-3842937120-766057847-3462755459-1001\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb133/?search={searchTerms}&loc=IB_DS&a=6R8pFu2e5e&i=26
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..keyword.URL: "http://mystart.incredibar.com/mb133/?loc=IB_DS&a=6R8pFu2e5e&&i=26&search="
[2012/03/30 13:08:52 | 000,001,800 | ---- | M] () -- C:\Users\7arony\AppData\Roaming\Mozilla\Firefox\Profiles\j6saezgv.default\searchplugins\funmoods.xml
[2012/04/12 08:37:09 | 000,002,203 | ---- | M] () -- C:\Users\7arony\AppData\Roaming\Mozilla\Firefox\Profiles\j6saezgv.default\searchplugins\MyStart Search.xml
[2012/03/01 00:14:57 | 000,002,310 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
O3 - HKU\S-1-5-21-3842937120-766057847-3462755459-1001\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.

:Files
ipconfig /flushdns /c
C:\Windows\Installer\{3329dffd-f3f1-5768-ddbe-f6efec66dca6}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

OTL quick scan log

OK, I ran all this and here is the log attached

I tried rebooting again; I still get the black screen after I log in

I am not sure what causes the black screen after logon, but I rebooted again and no black screen appeared