I'm not sure if it's configuration or infection

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
Problems when rebooting, CPU 100% froze
message on earlier boot
Failed to connect to windows service, windows could not connect to system event notification service service.

System is hanging on 100% can't get report of OTL scan posted, will try again tomorrow, had enough for tonight.
 

Fiery

Level 1
Jan 11, 2011
2,007
System care antivirus is a rogue. Rogues are fake malware that try to trick users into paying money to fix non-existent problems. It sounds like you got reinfected with a virus. It's probably blocking OTL from running. We have to use system recovery.

Download Farbar Recovery Scan Tool from the below link:
  • For 32 bit systems download Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to a USB/flash drive.
  • Plug the flashdrive into the infected PC.
  • Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

  1. Select Command Prompt.
  2. In the command window type in notepad and press Enter.
  3. The notepad opens. Under File menu select Open.
  4. Select "Computer" and find your flash drive letter and close the notepad.
  5. In the command window type e:\frst.exe and press Enter.
     Note: Replace letter e with the drive letter of your flash drive.
  6. The tool will start to run.
  7. When the tool opens click Yes to disclaimer.
  8. Press Scan button.
  9. FRST will let you know when the scan is complete and has written the FRST.txt to file, close the message.
  10. Type exit.
  11. Please copy and paste FRST.txt in your next reply.
 

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
Hi,
I rebooted pressing the F8 button and selected
last known good configuration

I have just logged on and it appears to have found the restore point set last week but not sure, certainly seems like it.
However I am still getting the message,
Failed to connect to windows service (could not connect to the System Event Notification Service service)
I did manage to get OTL working during the problems report attached.
I will run it again and attach the current status later today.
 

Attachments

  • OTL.Txt
    78.3 KB · Views: 110
  • Extras.Txt
    73.9 KB · Views: 94

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
Before I carry out the last set of instructions, I ran OTL scan to the same setting as our original OTL scan, see attachment

I have noticed two new desktop.ini files have appeared on my desktop
 

Attachments

  • OTL.Txt
    81.7 KB · Views: 85

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
Oh, and since my last restoration the laptop is going like a dream from the bootlog, last known good configuration.

All this grief over trying to get rid of an icon\shortcut which won't delete, I'm still very suspicious about it though, it's caused major grief over the last few days.
 

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
Tried to start the scan with frst but when I press F8 with the flash drive in I get
No bootable partition in table
message, and the system stops
 

Fiery

Level 1
Jan 11, 2011
2,007
Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
[2013/04/29 09:39:49 | 000,000,000 | ---D | C] -- C:\ProgramData\00C2DB995DA62C1D000000C2DADB30CB
O20 - AppInit_DLLs: (c:\progra~2\browse~1\25911~1.18\{c16c1~1\mngr.dll) - File not found

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Don't think your USB is infected; you can scan your USB with Malwarebytes.
 

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
Fix report All Processes killed
========== OTL ==========
Folder C:\ProgramData\00C2DB995DA62C1D000000C2DADB30CB\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\progra~2\browse~1\25911~1.18\{c16c1~1\mngr.dll deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 33692 bytes
-> No Temporary Internet Files cache folder defined!
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users
-> No Temporary Internet Files cache folder defined!

User: Default
->Temp folder emptied: 0 bytes
-> No Temporary Internet Files cache folder defined!
->Flash cache emptied: 0 bytes

User: Default User
-> No Temporary Internet Files cache folder defined!

User: Public
-> No Temporary Internet Files cache folder defined!

User: sony
->Temp folder emptied: 131449 bytes
-> No Temporary Internet Files cache folder defined!
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 622 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1205194 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 9662351 bytes

Total Files Cleaned = 11.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 05012013_052505

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

Fiery

Level 1
Jan 11, 2011
2,007
Is System care antivirus gone?

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)
 

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
Ran the scan, no malware found.

Since I last restored the problems seem to have disappeared, just the icon\shortcut issue, which I have not gone near since I restored

Fiery said:
Is System care antivirus gone?

Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)
 

Attachments

  • system-log.txt
    23.5 KB · Views: 90
  • mbar-log-2013-05-01 (17-04-33).txt
    1.8 KB · Views: 91

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
Yes, tried everything I can think of, even FileASSASSIN can't see it.
Everything I've tried comes up with the same result:
nothing can see the file, yet I can put things into it and retrieve them.
When I put something in, it replicates itself onto the desktop.
As I said before, the worrying thing is anytime I go near it, I get problems with the rest of the systems.
If you remember, our second round of problems started with trying to get rid of this; as soon as I started trying to get rid of it a lot of the problems resumed.
The Microsoft helper found that there is a space in the file name and identified it was not just a space but a "special space" as he called it.
He said it looked like a deliberate code to avoid detection; we ran checks using the command prompt which still could not find it. I will paste the relevant correspondence.
 

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
I was asked to do the following
Start - All Programs - Accessories - Right click Command Prompt and choose Run As Administrator.
Type (or copy and paste by right clicking in the Command Prompt window and choosing Paste).

You can copy the output by right clicking the window, choosing Mark, selecting the text,
and pressing Enter. Not all commands will necessarily find anything.

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace" /s

reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Desktop\NameSpace" /s

dir "%userprofile%\desktop\*.*" /a

dir "%public%\desktop\*.*" /a

The result was

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Windows\system32>reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\e
ERROR: The system was unable to find the specified registry key or value.

C:\Windows\system32>xplorer\Desktop\SpeedTouch330" /s
The system cannot find the path specified.

C:\Windows\system32>reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\e
ERROR: The system was unable to find the specified registry key or value.

C:\Windows\system32>xplorer\Desktop\SpeedTouch330" /s
The system cannot find the path specified.

C:\Windows\system32>reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\e
ERROR: The system was unable to find the specified registry key or value.

C:\Windows\system32>xplorer\Desktop\SpeedTouch330" /s
The system cannot find the path specified.

C:\Windows\system32>dir "%userprofile%\desktop\*.*" /a
Volume in drive C has no label.
Volume Serial Number is 00BE-2C1D

Directory of C:\Users\sony\desktop
26/04/2013 10:27 <DIR> .
26/04/2013 10:27 <DIR> ..
23/04/2013 16:22 <DIR> Air Dwg
20/01/2008 01:01 282 desktop.ini
23/04/2013 00:18 1,941,003 Mech Prog.xlsx
21/04/2013 22:31 1,289,791 CAS (Autosaved).xlsx
22/04/2013 13:00 15,105 CAS.pdf
26/04/2013 10:27 0 New Microsoft Office Word Document.docx
21/04/2013 07:25 19,619 Initial Cooling Load.pdf
26/04/2013 10:10 <DIR> SpeedTouch330
26/04/2013 10:27 162 ~$w Microsoft Office Word Document.docx
7 File(s) 3,265,962 bytes
4 Dir(s) 24,054,710,272 bytes free

C:\Windows\system32>dir "%userprofile%\desktop\*.*" /a
Volume in drive C has no label.
Volume Serial Number is 00BE-2C1D
Directory of C:\Users\sony\desktop
26/04/2013 10:27 <DIR> .
26/04/2013 10:27 <DIR> ..
23/04/2013 16:22 <DIR> Air Dwg
20/01/2008 01:01 282 desktop.ini
23/04/2013 00:18 1,941,003 Mech Prog.xlsx
21/04/2013 22:31 1,289,791 CAS (Autosaved).xlsx
22/04/2013 13:00 15,105 CAS.pdf
26/04/2013 10:27 0 New Microsoft Office Word Document.docx
21/04/2013 07:25 19,619 Initial Cooling Load.pdf
26/04/2013 10:10 <DIR> SpeedTouch330
26/04/2013 10:27 162 ~$w Microsoft Office Word Document.docx
7 File(s) 3,265,962 bytes
4 Dir(s) 24,054,710,272 bytes free

C:\Windows\system32>dir "%public%\desktop\*.*" /a
Volume in drive C has no label.
Volume Serial Number is 00BE-2C1D
Directory of C:\Users\Public\desktop
26/04/2013 09:23 <DIR> .
26/04/2013 09:23 <DIR> ..
07/02/2010 05:17 340 desktop.ini
20/02/2013 13:26 969 GlobeTrotter Connect.lnk
2 File(s) 1,309 bytes
2 Dir(s) 24,053,940,224 bytes free

C:\Windows\system32>
 

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
He then asked me to enter

icacls "%userprofile%\desktop\SpeedTouch330"

resulted

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>icacls "%userprofile%\desktop\SpeedTouch330"
The system cannot find the file specified.
Successfully processed 0 files; Failed processing 1 files

C:\Windows\system32>icacls "%userprofile%\desktop\SpeedTouch330"
The system cannot find the file specified.
Successfully processed 0 files; Failed processing 1 files

C:\Windows\system32

then
Something weird here. We saw it with the dir command.

icacls "%userprofile%\desktop\*.*"

dir "%userprofile%\desktop\*.*" /a /q

for /f "usebackq delims=" %A in (`dir "%userprofile%\desktop\*.*" /b /ad`) do attrib "%userprofile%\desktop\%A"

Just copy the lines about speed touch.


the result with info about other files removed

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>dir "%userprofile%\desktop\*.*" /a /q
Volume in drive C has no label.
Volume Serial Number is 00BE-2C1D

Directory of C:\Users\sony\desktop

26/04/2013 10:27 <DIR> sony-PC\sony .
26/04/2013 10:27 <DIR> NT AUTHORITY\SYSTEM ..
20/01/2008 01:01 282 sony-PC\sony desktop.ini
26/04/2013 10:10 <DIR> ... SpeedTouch330
7 File(s) 3,265,962 bytes
4 Dir(s) 24,010,715,136 bytes free

C:\Windows\system32>
C:\Windows\system32>for /f "usebackq delims=" %A in (`dir "%userprofile%\desktop
\*.*" /b /ad`) do attrib "%userprofile%\desktop\%A"

C:\Windows\system32>attrib "C:\Users\sony\desktop\SpeedTouch330 "
File not found - C:\Users\sony\desktop\SpeedTouch330

C:\Windows\system32>
 

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
then

Shift + Right click the folder on the desktop and choose Copy As Path. Paste it into notepad. See if there are spaces at the end or anything unusual about the name.

Notepad result

"C:\Users\sony\Desktop\SpeedTouch330 "

space between 330 and " at the end


then

What steps do you have to take to make it reappear? How do you remove it?

A space at the end is an illegal filename. A common trick to prevent something being removed.

icacls "C:\Users\sony\Desktop\SpeedTouch330 "
attrib "C:\Users\sony\Desktop\SpeedTouch330 "

And if you want to delete it this special syntax may allow it.

rd "\\.\C:\Users\sony\Desktop\SpeedTouch330 " /s

Of course I'm hoping it's a normal and not a special space.

result

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>icacls "%userprofile%\desktop\SpeedTouch330 "
The system cannot find the file specified.
Successfully processed 0 files; Failed processing 1 files

C:\Windows\system32>reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\e
ERROR: The system was unable to find the specified registry key or value.

C:\Windows\system32> xplorer\Desktop\SpeedTouch330 " /s
The system cannot find the path specified.

C:\Windows\system32>reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\e
ERROR: The system was unable to find the specified registry key or value.

C:\Windows\system32> xplorer\Desktop\SpeedTouch330 " /s
The system cannot find the path specified.

C:\Windows\system32>icacls "C:\Users\sony\Desktop\SpeedTouch330 "
The system cannot find the file specified.
Successfully processed 0 files; Failed processing 1 files

C:\Windows\system32>attrib "C:\Users\sony\Desktop\SpeedTouch330 "
File not found - C:\Users\sony\Desktop\SpeedTouch330

C:\Windows\system32>rd "\\.\C:\Users\sony\Desktop\SpeedTouch330 " /s
\\.\C:\Users\sony\Desktop\SpeedTouch330 , Are you sure (Y/N)? Y
The system cannot find the file specified.

C:\Windows\system32>

I was then directed to FileASSASSIN and Microsoft Security Scanner; by this time the laptop was back to its frustrating worst.
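The trailing-space folder in the posts above is a textbook case of Win32 path normalisation: the API strips trailing spaces and dots from each path component, so `dir` lists "SpeedTouch330 " but `icacls`, `attrib` and `rd` given the plain path look for "SpeedTouch330" and fail. The `\\?\` prefix is the one that tells Windows to skip normalisation (the `\\.\` prefix tried above is still normalised, which matches the "cannot find the file" result). The script below is an added example, not code from this thread, from OTL or from the Microsoft helper. It audits a directory listing for names that end in a stripped character or contain non-ASCII spaces, zero-width or control characters (the "special space" the helper mentioned), reports the exact code points, and builds the `\\?\` form of the path. The sample listing, the `Updates` and `report.pdf` names and the `C:\Users\sony\Desktop` parent are constructed for the demonstration; `audit_directory()` runs the same rules on a real folder.

```python
"""Audit directory entries for names that evade ordinary Win32 path handling.

Added example for this thread; it is not the helper's or the forum's code.
Runs offline on a constructed listing; audit_directory() scans a live folder.
"""
import os
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional

# Win32 path normalisation silently strips these from the end of every
# path component, so a name such as "SpeedTouch330 " is unreachable as a
# plain path even though dir shows it.
TRAILING_STRIPPED = (" ", ".")


@dataclass
class Finding:
    name: str
    reasons: List[str] = field(default_factory=list)
    odd_chars: List[str] = field(default_factory=list)  # "U+XXXX NAME" per code point

    def raw_path(self, parent: str) -> str:
        """Return the \\\\?\\ form of the path. That prefix makes Win32 skip
        normalisation, so the trailing space survives and tools such as
        icacls or rd can address the entry (parent is an assumed path)."""
        return "\\\\?\\" + parent.rstrip("\\") + "\\" + self.name


def describe_char(ch: str) -> str:
    """Human-readable code point, e.g. 'U+00A0 NO-BREAK SPACE'."""
    return "U+%04X %s" % (ord(ch), unicodedata.name(ch, "<unnamed>"))


def inspect_name(name: str) -> Optional[Finding]:
    """Flag a trailing space/dot, and any non-ASCII space (category Zs),
    format character (Cf: zero-width, bidi overrides) or control character."""
    finding = Finding(name)
    if name and name[-1] in TRAILING_STRIPPED:
        finding.reasons.append(
            "ends with %r: stripped by Win32 normalisation, so plain paths miss it"
            % name[-1])
    for ch in name:
        cat = unicodedata.category(ch)
        non_ascii_space = cat == "Zs" and ch != " "
        hidden = cat in ("Cf", "Cc")
        if non_ascii_space or hidden:
            finding.odd_chars.append(describe_char(ch))
    if finding.odd_chars:
        finding.reasons.append("contains non-standard whitespace or invisible characters")
    return finding if finding.reasons else None


def audit_names(names: List[str]) -> List[Finding]:
    """Apply inspect_name() to a listing and keep only the suspicious entries."""
    return [f for f in (inspect_name(n) for n in names) if f is not None]


def audit_directory(path: str) -> List[Finding]:
    """Scan a live directory (Windows or otherwise) with the same rules."""
    return audit_names(os.listdir(path))


# Constructed sample listing modelled on the thread's desktop: three clean
# names, the trailing-space folder, and two hypothetical "special space" cases.
SAMPLE_LISTING = [
    "desktop.ini",
    "Mech Prog.xlsx",
    "Air Dwg",
    "SpeedTouch330 ",     # trailing ASCII space, as seen in the thread
    "Updates\u00a0",      # constructed: trailing NO-BREAK SPACE, not stripped, not typeable
    "report\u200b.pdf",   # constructed: ZERO WIDTH SPACE hidden inside the name
]

if __name__ == "__main__":
    for f in audit_names(SAMPLE_LISTING):
        print(repr(f.name))
        for r in f.reasons:
            print("   -", r)
        for c in f.odd_chars:
            print("   -", c)
        print("   raw path:", f.raw_path("C:\\Users\\sony\\Desktop"))
```

On a Windows box the `raw_path()` output can be passed, in quotes, to `icacls` or `rd /s` in place of the plain path; `repr()` of the name shows the escaped code points, which is the quickest way to tell an ordinary space from a "special" one when a listing looks clean.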
 

Fiery

Level 1
Jan 11, 2011
2,007
After some thought, I might have an idea.

Open OTL. Under custom scan/fixes, copy & paste:

"%userprofile%\desktop\*.* /U
"%userprofile%\desktop\*.*

Click the none button on the top and press run scan
 

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
A strange thing happened this morning when I started up,
I started up in administrator safe mode and ran the malware root kit tool, again no malware found.

I restarted in normal mode and the system started as normal requesting password and booted up.

Before the desktop appeared the screen went blue and the command prompt system32\cmd.exe appeared for about a minute then the desktop appeared.
I checked the performance monitor which showed CPU usage to be between 4% and 20% I then switched on my WLAN and the CPU usage jumped to 100% as normal but did not settle back down as normal it continues to sit at 100%.

Windows solution centre opened and is looking for anti malware service executable MgTelemetery solutions
Never seen this on the solutions centre before so taking it as a good thing
 

canamalar

New Member
Thread author
Verified
Apr 22, 2013
80
Back to its frustrating worst; even when sitting idle the CPU usage is 100%.

the scan above attached as OTL- desktop

I then set the parameters to all and 360 days and scanned

I've attached the extras - extras full desk

I uninstalled Rapport as I noted lots of page faults when looking at the task manager, I will reinstall it at a later date if I need it.

I then repeated the scan you asked me to do in our original session with LOP and parity check


Fiery said:
After some thought, i might have an idea.

Open OTL. Under custom scan/fixes, copy & paste:

"%userprofile%\desktop\*.* /U
"%userprofile%\desktop\*.*

Click the none button on the top and press run scan
 

Attachments

  • OTL-desktop.Txt
    4.5 KB · Views: 76
  • Extras-Full desk.Txt
    84.3 KB · Views: 91
  • OTL.Txt
    84 KB · Views: 100
  • Extras.Txt
    75 KB · Views: 102
