Windows 7 won't boot - Please help! re: aswRvrt.sys and aswVmm.sys

I’m hoping someone here can help me. I’m a complete noob, so please forgive me if I don’t use the right techie language here. :-[
I have a Sony Vaio desktop with Windows 7 64 ( I think ) bit Home Premium on it.
I was experiencing some annoying popup thingies on the bottom of my screen whenever I was on the web, and Avast (free) wasn’t detecting anything, and nothing got rid of it.
So like a complete moron ( ugh ) I ran something I found, called Hitman Pro. It found some adware/cookies and deleted them but it also detected 3 things it listed as “suspicious”. I chose to quarantine them and it needed a reboot to complete. Before rebooting, I copied that log to my desktop, just in case.
When I restarted my PC it said unable to start windows, etc.
I tried last known configuration ( no good ), system restore ( can’t do it, but then it’s never functioned ), and of course, I don’t have a recovery disk.
I can’t get into safe mode either.
Windows repair just keeps endlessly looping, and asking to reboot.
I can get to the command prompt…
From there I was able to see the directory of my desktop and get to that log hitmanpro made.
The two files that it seems the ‘hitman’ apparently “took out” (bad pun) are: aswRvrt.sys and aswVmm.sys - which, upon googling, led me here.

Please please please help me…
I’m a digital artist, and while I regularly back up my work, I can’t even begin to tell you what I’d lose if I had to wipe this baby…
I’d be grateful beyond words. And again, my apologies if I sound like a complete moron. :-[

PS : I don’t know if it helps but the dvd drive is working. I was able to see the contents of a dvd I put in, at the F prompt. So I can burn a disk on a borrowed laptop if need be.
( I’m currently at D:\Windows\System32\drivers> thinking maybe I just need to replace those two files? Please don’t laugh if that’s ridiculous…I’m desperate… ) :-[ :-[

So you have access to the command prompt?

Download Farbar Recovery Scan Tool x64 to a USB

Insert the USB in the sick computer

At the command prompt type the following:

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.

https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

Essexboy! Yay!!! I got the rockstar!!! LOL ;D

Okay…hang on. As I said, I’m a complete noob.
I’m saving the frbr.exe to the usb? Right?

Yup save FRST to the USB … Insert the USB in the sick computer and then follow the command prompt instructions

Having trouble finding the USB…
There’s (E:) 823 MB free of 9.93 GB
(F:) - my cd/dvd drive
(G:) empty
and
Boot (X:) 30.8 MB free of 33.3 MB

I picked E: as most likely ( ? ) and it’s at E:\>
but when I put in E:\frst.exe it says "it's not recognized as an internal command, etc…"

It needs to be FRST64.exe try that

I typed at E:\>
FRST64.exe
and also
E:\FRST64.exe

both say not recognized as an int. or ext. command, operable program etc.

It was on (G)… :-[

This will damage Avast so we will need to do a clean install on completion

Download the attached fixlist.txt to the same USB as FRST
Run FRST as before and press Fix
On completion reboot to normal windows

Windows Error Recovery
Windows failed to start. A recent…

Launch Startup repair
Start windows normally

Pressed that and got a black screen that just said Hitman Pro for a few seconds…

Now I’m at my normal desktop ( OMG! YAY!!! ) with a message saying system restore did not complete successfully etc. which I closed.

Good, I saw some adware there when I looked at FRST and if you wish I can clear that as well
Also could you repair Avast to ensure that it is now fully functional
Plus I would recommend you uninstall Hitmanpro :slight_smile:

Please download Junkware Removal Tool to your desktop.

[*]Right-mouse click JRT.exe and select “Run as Administrator”; the tool will open and start scanning your system
[*]Please be patient as this can take a while to complete depending on your system’s specifications
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.

THEN

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Select LOP and Purity
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

I certainly do want your help with it! Thank you!
Okay… I’ll remove/reinstall Avast and then try to remove Hitman ( although I’ve recently seen quite a few posts online from people who seem to have difficulty with that…)

Not a programme I would recommend as it does seem to brick a few systems

Junkware Removal Log :




~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\searchprotection



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\adawarebp
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\speedupmypc
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\adawarebp_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\adawarebp_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\au__rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\au__rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASMANCS



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Marlene\AppData\Roaming\search protection"
Successfully deleted: [Folder] "C:\Users\Marlene\AppData\Roaming\thinstall"
Successfully deleted: [Folder] "C:\Users\Marlene\appdata\local\adawarebp"
Successfully deleted: [Folder] "C:\Users\Marlene\appdata\local\thinstall"



~~~ FireFox

Emptied folder: C:\Users\Marlene\AppData\Roaming\mozilla\firefox\profiles\7gcbibsj.default-1345488266755\minidumps [9 files]



~~~ Event Viewer Logs were cleared





Scan was completed on Wed 11/20/2013 at 13:21:56.28
End of JRT log

Under "Extra Registry" your screencap has the “none” box ticked. Should I tick that, too? ( It opened with “use safe list”. )

No, just leave the tick boxes as they are when it opens, just adding the LOP, Purity and All Users ones :slight_smile:

Duh… you did say not to change any settings… ::slight_smile:

Looks like your only problem was adware, if you get that again then come here and we will remove it safely :slight_smile:

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
DRV - [2011/04/01 02:22:04 | 000,017,152 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys -- (Lavasoft Kernexplorer)
IE - HKU\S-1-5-21-151721948-3701362946-3784329648-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;<local>;*.local
[2012/10/15 18:09:37 | 000,000,000 | ---D | M] (Lavasoft Search Plugin) -- C:\Users\Marlene\AppData\Roaming\Mozilla\Firefox\Profiles\4kp0ws3w.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
[2012/10/15 18:09:37 | 000,000,000 | ---D | M] (Lavasoft Search Plugin) -- C:\Users\Marlene\AppData\Roaming\Mozilla\Firefox\Profiles\7gcbibsj.default-1345488266755\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] UnHackMe Rootkit Check File not found
[2013/11/20 13:00:28 | 000,000,408 | ---- | M] () -- C:\Windows\tasks\Ad-Aware Update (Weekly).job
[2013/11/19 17:35:54 | 000,023,112 | ---- | M] () -- C:\Windows\SysNative\drivers\hitmanpro35.sys
[2012/10/15 18:08:48 | 000,000,000 | ---D | M] -- C:\Users\Marlene\AppData\Roaming\Ad-Aware Antivirus
[2012/10/12 18:16:31 | 000,000,298 | ---- | C] () -- C:\Windows\Tasks\Hitman Pro 3.5 Boot Task.job

:Files
C:\Program Files (x86)\Lavasoft

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Okay here’s the result of the quick scan…

Is the computer behaving itself now?