Possible Failed Rootkit Removal

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Larceny82, Feb 11, 2012.

  1. Larceny82

    Larceny82 Private E-2

    I caught a nasty bug about a week ago and I've been running different scans all week but it keeps coming back. After following the READ ME section, and performing all the scanners in a row, it did pick out that I had a tcp/ip stack rootkit. I finished all the scans, collected logs and there seems to be no more Google Chrome redirects, however, Chrome takes a long time to load pages.
     

    Attached Files:

  2. Larceny82

    Larceny82 Private E-2

    Here are the other scans. RootRepeal crashed and produced 3 separate logs. Attaching the 3rd crash log next.
     

    Attached Files:

  3. Larceny82

    Larceny82 Private E-2

    **UPDATE** CD-ROM drive missing again. I suspect one of the cleaners detected a corrupt cdrom.sys file. Windows troubleshooter failed to re-install it and the Internet redirect is back and happening across all browsers (IE, Firefox, Chrome).
     
  4. Larceny82

    Larceny82 Private E-2

    Another Update, in case it's of any help. I dual boot Windows and Ubuntu Linux, so I can access the windows files from a safe place.
     
  5. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Larceny82!

    Code:
        372 GB  \\.\PhysicalDrive0   RE: Unknown MBR code
    Do you have your Windows 7 Boot CD/DVD? We should attempt to restore a clean MBR (Master boot record) to your system if you are still experiencing redirects.

    It is also recommended that you back up your data to another source before we continue. Usually this process goes without fail but better safe than sorry.

    Answer my above question about the windows 7 DVD and let me know when you are ready to proceed.
     
  6. Larceny82

    Larceny82 Private E-2

    Thanks for the quick response!

    I don't have the original, however, I can get a copy of a Windows 7 DVD (yes, it's legit). Does the dvd have to be the original or are we just pulling a default MBR?

    Also, all of my music, games, documents and such I keep on a separate hard drive.
     
  7. thisisu

    thisisu Malware Consultant

    We're just restoring a default Windows 7 MBR. It would just be nice if you had the disc just in case you weren't able to boot from the hdd anymore. It's rarely ever a problem, more a safety precaution.

    Let's try this first as locating a disc may not even be necessary.

    Please download aswMBR to your desktop.
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [FixMBR] button.
    • Follow the rest of the prompts

    When you get back into Windows, rescan with MBRCheck and attach the latest log. (How to attach)
     
  8. Larceny82

    Larceny82 Private E-2

    After I clicked the FixMBR Button, it just said Initialized, and then MBR fixed and didn't give me any other prompts.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    Scan with aswMBR
    • Double-click aswMBR.exe to run (Vista/7 right-click and select Run as Administrator)
    • Select No when asked "Would you like to download latest Avast! virus definitions?"
    • Click the [Scan] button.
    • On completion of the scan click [Save log], save it to your desktop and attach this log to your next message. (How to attach)
     
  10. Larceny82

    Larceny82 Private E-2

    The MBR seems to have been restored because it overwrote the GRUB menu for dual booting (I'll worry about that later).
     

    Attached Files:

  11. thisisu

    thisisu Malware Consultant

    From Programs and Features (via Control Panel), please uninstall the below:
    • Driver Whiz
    • Vuze Remote Toolbar <-- Source of conduit
    • Vuze <-- Source of conduit

    I want you to read and follow these instructions: TDSSKiller - How to run

    /!\ Please Disable Spybot's TeaTimer
    Leave it disabled for the remainder of malware removal.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    File::
    C:\Windows\System32\tdcmdpst.dll
    C:\Users\Larceny\AppData\Roaming\Pqukd.txt
    FileLook::
    C:\Windows\system32\drivers\afd.sys
    C:\Windows\system32\drivers\nsiproxy.sys
    C:\Windows\system32\drivers\tdx.sys
    c:\Windows\system32\drivers\tcpip.sys
    c:\windows\system32\drivers\cdrom.sys
    c:\windows\system32\drivers\ndisuio.sys
    C:\Windows\system32\drivers\dfsc.sys
    Folder::
    c:\windows\$NtUninstallKB41664$
    C:\Program Files\AVG
    C:\$AVG
    C:\Windows\B9DB4C7601A446D58910F7AA6376DBAF.TMP
    C:\Program Files\Vuze
    c:\program files\Vuze_Remote
    c:\program files\ConduitEngine
    RegLock::
    [HKEY_USERS\S-1-5-21-1519333054-607781042-2488702932-1000\Software\SecuROM\License information*]
    "datasecu"=hex:ad,7d,83,34,25,dd,4a,d4,32,79,73,0f,96,bb,65,bb,b5,43,45,38,f4,
       59,3d,5d,bc,3d,53,aa,6e,9d,2c,47,3c,75,b0,9d,12,83,d9,a4,7f,c3,f3,fb,5c,df,\
    "rkeysecu"=hex:ee,a9,91,40,f2,cb,e1,67,6d,c4,f9,5f,0a,a5,6e,f5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    RegNull::
    [HKEY_USERS\S-1-5-21-1519333054-607781042-2488702932-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{668AC111-C8FF-9786-A8D5-783B575AC74F}*]
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"=-
    [-HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{ba14329e-9550-4989-b3f2-9732e92d17cc}"=-
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
    [-HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [-HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{BA14329E-9550-4989-B3F2-9732E92D17CC}"=-
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"=-
    [-HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
    [-HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}] 
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=-
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    SecCenter::
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Download SystemLook from one of the links below and save it to your desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy and Paste the content of the following code box into the main text-field:
    Code:
    :filefind
    netbt.sys
    tdx.sys
    
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan and a file entitled SystemLook.txt will be created on your desktop.
    • Attach that file to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
  12. Larceny82

    Larceny82 Private E-2

    Successfully ran tdsskiller and the combo fix. It cleared my profile desktop, can't run chrome or Firefox and the Internet isn't connecting. I'll get the two logs I have as soon as I can.
     
  13. Larceny82

    Larceny82 Private E-2

    **Update**. Windows seems to have split modes now. One will load up fine, but the other seems to be bare bones. All the files from my desktop are gone, no background, no command prompt. The other works and loads fine...if it loads. I am still unable to access the Internet and after a bit of research on that I'm thinking the last combo fix cleared all the infected sys and dll files?
     
  14. thisisu

    thisisu Malware Consultant

    Is there a way you can get me the TDSSKiller and ComboFix logs so I can see what happened?

    If you cannot do this, here is what I'd like you to do:

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Include a checkmark in "Driver MD5"
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  15. Larceny82

    Larceny82 Private E-2

    I should be able to fix the network adapter and get you those logs tomorrow. In the meantime, I found something curious. My home folder has 2 copies of all the system folders (documents, pictures, desktop, etc). One is empty and the other has my docs and such. Just FYI. I'll get those logs tomorrow night.
     
  16. thisisu

    thisisu Malware Consultant

    Interesting indeed. We should be able to get it sorted out. ;)
    OK.
     
  17. Larceny82

    Larceny82 Private E-2

    Okay, we've recovered from the SNAFU. It turns out I'm just not that bright. ComboFIX actually says "if your internet stops working, reboot once, if it still doesn't work, run ComboFix again"

    I ran TDSSKiller, which got my desktop back, and reran ComboFix, which got my internet up and running. I'm posting both sets of logs.
     

    Attached Files:

  18. thisisu

    thisisu Malware Consultant

    Looks OK. Both are finding a lot of infected drivers.

    I'd like you to run TDSSKiller once more with the same parameters as before, and then attach that log.

    Then, complete the rest of the instructions from post #11.

    -> Start with SystemLook. End with GetLogs.bat
     
    Last edited: Feb 13, 2012
  19. Larceny82

    Larceny82 Private E-2

    Attached Files:

  20. Larceny82

    Larceny82 Private E-2

    Sorry for the delay. Here are the files you wanted. I also ran another instance of TDSSKiller.
     

    Attached Files:

  21. Larceny82

    Larceny82 Private E-2

    Also, a few more strange habits. When I boot the computer in the morning, it will have me log in, then immediately reboot. Upon the second log in, the internet doesn't work. Running ComboFix clears up that problem, but after about 20 mins my CPU starts running at 100%.
     
  22. thisisu

    thisisu Malware Consultant

    Please download Win32kDiag to the root of your C:\ drive. It must be saved here or the below will not work!
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      C:\win32kdiag.exe -f -r
    • When it's finished, there will be a log called Win32kDiag.txt on your desktop.
    • Attach this log to your next message. (How to attach)



    Download Junction by Mark Russinovich to your desktop.
    • Extract junction.exe to your desktop.
    • Now press and hold the Windows key on your keyboard, then press the letter r on your keyboard.
    • This opens the Run dialog box.
    • Then copy the below bold text and paste it into the Open: text-field and press ENTER.
      cmd /c %userprofile%\desktop\junction -s c:\ >%userprofile%\desktop\junction.txt
    • When it's finished, there will be a log called junction.txt on your desktop.
    • Attach this log to your next message. (How to attach items to your post)
     
  23. Larceny82

    Larceny82 Private E-2

    Files are failing to upload. I'll upload them at work and you'll have them in a few hours.
     
  24. thisisu

    thisisu Malware Consultant

    Ok, no problem. Thanks for the heads up.
     
  25. Larceny82

    Larceny82 Private E-2

    Hm, it is giving me an error when I try to upload from work or home:


    "Your submission could not be processed because a security token was missing."

     
  26. Larceny82

    Larceny82 Private E-2

    I think I might have the cause. The .txt file limit is 375kb, the junction file is 17MB and the Win32kDiag is 2.1mb. Files have been zipped and attached. Sorry for the delay.
     
  27. Larceny82

    Larceny82 Private E-2

    That was the issue.
     

    Attached Files:

  28. thisisu

    thisisu Malware Consultant

    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Repair Hosts File
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DDS::
    uInternet Settings,ProxyOverride = *.local
    Driver::
    mcproxy
    se27unic
    nvmpu401
    FCopy::
    C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_626c324d55864070\netbt.sys | C:\Windows\System32\drivers\netbt.sys
    C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys | C:\Windows\System32\drivers\tdx.sys
    File::
    c:\windows\System32\tdcmdpst.dll
    c:\users\Larceny\AppData\Roaming\Pqukd.txt
    FileLook::
    C:\Windows\system32\DRIVERS\cdrom.sys
    Folder::
    c:\windows\$NtUninstallKB41664$
    c:\windows\system32\%LocalAppData%
    NetSvc::
    mcproxy
    se27unic
    nvmpu401
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    I want you to read and follow these instructions (NEW VERSION): TDSSKiller - How to run

    I'd like you to update MBAM and run another Quick Scan. Attach the latest log. (How to attach)

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)

    Let me know how the system is running after you have completed these steps.
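    As an added illustration (not from this thread or from any of the tools used in it), the script below automates the idea behind the FCopy:: lines above: Windows keeps pristine copies of drivers such as netbt.sys and tdx.sys in the WinSxS component store, so a live driver whose hash matches no store copy of the same name, or a driver that has gone missing, is worth a closer look. The two netbt/tdx component-directory names are the ones quoted in the CFScript; the afd component name and all file contents are constructed so the check runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large drivers need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def winsxs_copies(winsxs: Path, name: str) -> list:
    """Every file called `name` anywhere in the component store (all versions)."""
    return sorted(p for p in winsxs.rglob(name) if p.is_file())


def check_driver(windows: Path, name: str) -> dict:
    """Compare System32\\drivers\\<name> with the WinSxS copies of the same file.

    status: 'ok' if the live hash equals some store copy, 'mismatch' if no
    store copy has that hash, 'missing' if the live driver is absent, and
    'no-reference' if the store holds nothing to compare against.
    """
    live = windows / "System32" / "drivers" / name
    refs = winsxs_copies(windows / "winsxs", name)
    ref_hashes = {sha256_of(p): p for p in refs}
    report = {"name": name, "references": [str(p) for p in refs]}
    if not refs:
        report["status"] = "no-reference"
    elif not live.is_file():
        report["status"] = "missing"
    else:
        live_hash = sha256_of(live)
        report["sha256"] = live_hash
        report["status"] = "ok" if live_hash in ref_hashes else "mismatch"
    return report


def audit(windows: Path, names) -> dict:
    """Map each driver name to its status string."""
    return {n: check_driver(windows, n)["status"] for n in names}


def build_sample_tree(root: Path) -> Path:
    """Construct a toy %SystemRoot% reproducing the situation in the thread.

    The netbt/tdx component directory names are the ones quoted in the
    CFScript; the afd one is a constructed placeholder. File contents are
    constructed bytes, not real driver images.
    """
    windows = root / "Windows"
    drivers = windows / "System32" / "drivers"
    store = windows / "winsxs"
    drivers.mkdir(parents=True)
    components = {
        "netbt.sys": "x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_626c324d55864070",
        "tdx.sys": "x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28",
        "afd.sys": "x86_constructed-afd-component_placeholder",
    }
    for name, component in components.items():
        comp_dir = store / component
        comp_dir.mkdir(parents=True)
        (comp_dir / name).write_bytes(b"MZ clean " + name.encode())
    # Live state: tdx.sys patched in place, netbt.sys gone, afd.sys intact,
    # cdrom.sys present but with no store copy in this toy tree.
    (drivers / "tdx.sys").write_bytes(b"MZ clean tdx.sys\x00patched")
    (drivers / "afd.sys").write_bytes(b"MZ clean afd.sys")
    (drivers / "cdrom.sys").write_bytes(b"MZ cdrom")
    return windows


def run_demo() -> dict:
    """Audit the constructed tree; returns {driver name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        windows = build_sample_tree(Path(tmp))
        return audit(windows, ["netbt.sys", "tdx.sys", "afd.sys", "cdrom.sys"])


if __name__ == "__main__":
    for driver, status in run_demo().items():
        print(f"{driver:12} {status}")
```

    On a real system point audit() at C:\Windows; a 'mismatch' only says the live file differs from the store copies (a later hotfix can cause that too), so confirm with the file's version and signature before replacing it.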
     
  29. Larceny82

    Larceny82 Private E-2

    This might take me a while to complete. Every time I run a different scanner and reboot, I lose Internet connectivity and have to rerun ComboFix. If there's an easier way or this will affect my results, please let me know. Again, I really appreciate all your help and patience.
     
  30. thisisu

    thisisu Malware Consultant

    I would prefer it if you could download the updated programs from a clean computer and then transfer them to the infected computer.

    Take your time, if you have problems, let me know.
     
  31. Larceny82

    Larceny82 Private E-2

    This is where we stand. I think we're getting closer because malwarebytes, tdsskiller and combo fix aren't returning any findings. However, I think something may still be wrong with my afd.sys file because I am still unable to connect to the Internet unless I run combo fix, but after the reboot, nothing will open because they're trying to use files that have been marked for deletion, and then another reboot starts the cycle over. I have all the logs you requested and now it's just a matter of getting them to you.
     
  32. thisisu

    thisisu Malware Consultant

    You had a new variant of ZeroAccess, but I think we have eliminated the source of infection in the most recent CFScript. Attach your logs whenever you are ready. No rush.
     
  33. Larceny82

    Larceny82 Private E-2

    That's great to hear. I'll get the logs up as soon as I can, but I've still got that quarantined afd.sys file so I'm still lacking Internet access.
     
  34. Larceny82

    Larceny82 Private E-2

    Also, I know I've already mentioned this and I hate to keep bringing it up, but my DHCP service will only start on the first boot after I run ComboFix, but then nothing else works because they're all trying to use a file that's been marked for deletion. In the SUPERAntiSpyware quarantine folder are all the afd.sys and afd registry entries. Is there a way to get them out cleanly? E.g. if I restored them and then reran the last ComboFix script?
     
  35. thisisu

    thisisu Malware Consultant

    I am not sure exactly what you are doing.

    Which steps have you completed already in post #28?

    I understand that your internet is broken. This is normal for this type of infection, but it is fixable. Were you unable to download the tools requested from a clean computer and then transfer them to the infected computer? This is what I would have preferred you to do.

    I do not want you to keep running ComboFix on your own just to get internet access temporarily.

    And it is not a good idea to restore the infected afd.sys file from the SAS quarantine folder.
     
  36. thisisu

    thisisu Malware Consultant

    Are you unable to do this?

    If possible, can you attach these logs from a clean computer with internet access? Let me know what problems you have encountered with this.

    I will need some sort of new logs in order to determine what needs to be fixed.
     
    Last edited: Feb 20, 2012
  37. Larceny82

    Larceny82 Private E-2

    Understood, I just need to get a flash drive. It should only be a few days. I apologize for the delay.
     
  38. thisisu

    thisisu Malware Consultant

    No need to apologize.

    Just out of curiosity, does your Linux partition have internet access? Is that how you are typing now or are you using another PC?

    I was going to suggest that maybe you can use the Linux partition to access your Windows partition to access the updated logs.

    Regardless, there is no rush. I'll be here ;) Just trying to give you an alternative.
     
    Last edited: Feb 20, 2012
  39. thisisu

    thisisu Malware Consultant

    By the way, I don't think it was afd.sys that was infected. tdx.sys was infected and quarantined by SAS.

    And netbt.sys is missing but isn't necessarily required in order to get DHCP running.

    According to your latest MGlogs.zip DHCP was turned on.
     
  40. Larceny82

    Larceny82 Private E-2

    Unfortunately, when we fixed the MBR of Windows, it overrode the changes that GRUB had made, so I no longer have access to Linux. I have been checking and updating via my phone. I'm at work right now, but I have access to a flash drive and will be uploading the logs soon. Thanks again for all of your help.
     
  41. thisisu

    thisisu Malware Consultant

    No problem, thanks for the heads up.
     
  42. Larceny82

    Larceny82 Private E-2

    Logs.
     

    Attached Files:

  43. Larceny82

    Larceny82 Private E-2

    Logs pt 2. Also, as I mentioned, these are from the 18th.
     

    Attached Files:

  44. thisisu

    thisisu Malware Consultant

    ========WARNING========
    The below is specifically for Larceny82's computer
    Do NOT run the below if you are not Larceny82
    Doing so may damage your PC!
    ========WARNING========

    Attached is fixme.zip

    Inside is:
    • afd.reg
    • fix.bat

    Extract both files to the infected computer's desktop.

    First double-click afd.reg and allow it to merge into the registry. You should receive a successful message. If you received a successful message, reboot your PC.

    Once you have rebooted...

    Now run the fix.bat file by right-mouse clicking it and selecting "Run as Administrator".

    This will reboot your PC again.

    When the PC has rebooted, attach fixlog.txt (it's on your desktop) to your next message.

    Test to see if the internet is working now.
     

    Attached Files:

    Last edited: Feb 22, 2012
  45. Larceny82

    Larceny82 Private E-2

    At work right now. I'll get this done when I get home. Again, I can't thank you enough for all the help! *bows down*
     
  46. thisisu

    thisisu Malware Consultant

    No problem. I will have to review your logs again but last I checked they were clean, besides an infected afd.sys file that ComboFix kept using to replace the missing afd.sys driver.

    The fix I provided should delete this bad copy of afd.sys and restore a clean copy to the drivers folder. ;)
     
  47. Larceny82

    Larceny82 Private E-2

    I did what you told me to and AFD.sys fix didn't work...so I did what you told me not to and reran combo fix to get you this log :-o Don't ask, I'm not that bright. Both logs are attached.
     

    Attached Files:

  48. thisisu

    thisisu Malware Consultant

    Did you run afd.reg first?

    The file copied successfully I am not sure why ComboFix is saying it is missing.

    I thought you had a flash drive?
     
  49. Larceny82

    Larceny82 Private E-2

    Ran the .reg file first, rebooted, ran the bat file and rebooted. Also, I have access to a flash drive, just not local right now.
     
  50. thisisu

    thisisu Malware Consultant

    Let's see what has changed:

    Now run C:\MGtools\GetLogs.bat by right-mouse clicking it and then selecting Run as Administrator
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Scan with the below as well:

    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure all the options are checked
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool was run.
    • Please attach FSS.txt to your next message. (How to attach)
     
