7 replies to this topic

[KayLatvia]

OK first my background: I write computer programs but not for work. Have built many a PC from scratch, and back in the days before ghosting drives I have removed viruses, but now I don't even bother--I just reinstall from an old ghosted HD image.

But this recent virus (or malware, etc) has made me curious as to what it is, so I'm asking the board whether we can try and identify it. If successful, I will donate to this org at least USD $25.

System: Intel i5, new, SATA drives, 4 MB RAM, worked fine. Bought in Thailand, where there's lots of cracked programs but trust me, it's not that (I know it's hard to believe, but I've not had problems with such machines before--let's ignore the issue of a secret rootkit keylogging everything I type--the issue for this post is the immediate problem I outline below, not any possible counterfeit programs that may or may not be on this system)

Virus: automatic reboot after a few minutes with a warning message: 'Windows has encountered a critical problem and will restart automatically in one minute'. I have researched this and sometimes it's due to a hardware problem, but in this case, with new hardware that worked for 2 months without a single problem, I doubt it.

Reason I want to find this virus: my ghost image on this PC (a Intel i5) is over a month old, and though I don't do anything important on this machine (I'm posting from my laptop, where I do my real work), I have made some tweaks in the last 30 days and if I reinstall the image I lose those tweaks.

Problem started when a computer geek friend who is heavily into security gave me some data using a USB thumb drive. He joked: "I hope you don't catch a virus" after explaining how USB drivers can fool a PC and how USB drives spread viruses. I'm 90% sure it's because of this incident--since the problems started right after I plugged in the USB drive. But, there's a 10% chance IMO that it's Google Desktop Search--since the index got corrupted, I got a message from Google Desktop Search asking me to uninstall the program and reinstall it--and I did uninstall it, but the problem persists. That said, I doubt Google is at fault since their programmers are pretty good. I think it's my geek friend's machine was infected (ironically--I will needle him now) with a virus that got on my USB stick.

The logs I attached herein. I'm typing this in a middle of a huge electrical storm in Thailand, but I'll check back in a few hours or within a day since it's late evening on Sunday but Monday morning here.

Kay

DDS.txt inline below, the other two files, Attach.txt and Ark.txt, are attached as Zip files


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 7:44:14 on 2011-08-15
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3241.2018 [GMT 7:00]
.
AV: COMODO Antivirus *Enabled/Updated* {675CEE69-9702-A524-3989-6D7CC8BF3695}
SP: COMODO Defense+ *Enabled/Updated* {DC3D0F8D-B138-AAAA-0339-560EB3387C28}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: COMODO Firewall *Enabled* {5F676F4C-DD6D-A47C-12D6-C449366C71EE}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Acronis\DiskDirector\OSS\reinstall_svc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Windows\System32\StikyNot.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Administrator\Downloads\vddi7lgm.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [Google Update] "c:\users\administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [gStart] c:\garmin\gStart.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [<NO NAME>]
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [KeePass 2 PreLoad] "c:\program files\keepass password safe 2\KeePass.exe" --preload
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [UpdatePDRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\8.0"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: ??&????????? Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {7F245E01-651F-48E5-8A85-4752EC65E4ED} - hxxp://192.168.1.126:1026/Cisco210Viewer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.157.1
TCP: Interfaces\{3CBF1114-AA0A-4AF8-8E9C-B70480A9C499} : DhcpNameServer = 192.168.157.1
TCP: Interfaces\{69767670-D613-4EC2-AE9D-C1ABF869941E} : DhcpNameServer = 203.144.206.29 203.144.206.49
TCP: Interfaces\{69767670-D613-4EC2-AE9D-C1ABF869941E}\169627C6966756 : DhcpNameServer = 168.95.1.1
TCP: Interfaces\{69767670-D613-4EC2-AE9D-C1ABF869941E}\332626D277C616E6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{69767670-D613-4EC2-AE9D-C1ABF869941E}\4505D2C494E4B4F5445314532324 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C6548D16-39DD-485E-B744-69E903176900} : DhcpNameServer = 192.168.60.2
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} -
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\96bqwrm7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\adobe\acrobat 10.0\acrobat\browser\wcfirefoxextn\components\WCFirefoxExtn.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40818.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\administrator\appdata\local\google\update\1.3.21.65\npGoogleUpdate3.dll
.
============= SERVICES / DRIVERS ===============
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2011-4-10 57112]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);c:\windows\system32\drivers\tdrpm273.sys [2011-4-9 752128]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2011-1-6 17256]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2011-1-6 236600]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-1-6 35768]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-4-9 218688]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 afcdpsrv;Acronis Nonstop Backup service;c:\program files\common files\acronis\cdp\afcdpsrv.exe [2011-4-9 3975088]
R2 OS Selector;Acronis OS Selector activator;c:\program files\acronis\diskdirector\oss\reinstall_svc.exe [2010-5-25 2139400]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2011-4-1 2656280]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2011-3-25 539248]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [2011-4-9 163232]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2011-4-1 269824]
R3 MEI;Intel® Management Engine Interface;c:\windows\system32\drivers\HECI.sys [2011-4-1 41088]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-4-27 64904]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-4-27 146568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver;c:\windows\system32\drivers\JME.sys [2011-1-22 98928]
S3 netr73;RT73 USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr73.sys [2009-6-11 545792]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-4-1 189440]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-9-10 11520]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-12 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-12 136176]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-08-15 00:32:56 -------- d-----w- c:\users\administrator\appdata\roaming\Malwarebytes
2011-08-15 00:32:51 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-15 00:32:51 -------- d-----w- c:\programdata\Malwarebytes
2011-08-15 00:32:48 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-15 00:32:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-11 13:35:19 -------- d--h--w- c:\program files\Zero G Registry
2011-08-11 13:35:19 -------- d-----w- c:\program files\Britannica 10.0
2011-08-11 13:33:03 -------- d--h--w- c:\users\administrator\InstallAnywhere
2011-07-28 17:39:09 -------- d-----w- c:\program files\RootKitScanner_GMER
2011-07-28 03:38:18 -------- dc----w- c:\users\administrator\appdata\local\MigWiz
2011-07-18 09:57:57 -------- d-----w- c:\users\administrator\appdata\local\COMODO
2011-07-18 08:00:02 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-07-18 08:00:02 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-07-17 13:07:15 -------- d-----w- c:\windows\Profiles
.
==================== Find3M ====================
.
.
============= FINISH: 7:46:40.94 ===============

Attached Files

•  Attach.zip   4.13K   17 downloads
•  ark.zip   27.5K   13 downloads

[KayLatvia]

I ran MSERT (Microsoft Safety Scanner 1.0.3001.0) - a.k.a. Microsoft Security Emergency Response Tool - latest version downloaded from Microsoft, and no viruses were found. I am doing the same using Malwarebytes' Anti-Malware in "Full Scan" mode and I suspect the same will happen.

So far no crashes, but I'm running under "Safe Mode". I've read that some viruses that give the "Windows has encountered a critical problem" error message seem to lie dormant in Safe Mode.

Further, at least once when rebooting I got, alongside the Administrator account (one account named Administrator--sorry I should change it I know) a hidden "Oher User" icon--I've never seen this before. I could not find it in the Accounts section of the Control Panel. I assume this was the work of the virus, but I've not seen it since. Strange.

Please examine my files and let me know what files I should not be loaded in non-Safe Mode. For instance, I don't run Garmin's map program though it's loaded on my machine. I don't some other programs.

What are the chances that, since I'm in Safe Mode, that it's a driver problem not a virus? Since MSERT is not showing any viruses? And I bet Malwarebytes, which is running now for 15 minutes without showing any viruses found, also does not find any problems? But why would the driver problem manifest itself either after Google Desktop (which BTW is designed for XP, not Windows 7, and is being phased out by Google, unfortunately) crashed (and which I uninstalled) or, after I plugged in a USB stick (generic, not a Kingston, which seem to be more foolproof) that was FAT32 formatted, and had not been used much if at all on this i5 PC, and somehow some corrupt driver on the USB stick somehow 'infected' my i5 PC?

Kay

[KayLatvia]

This problem may be related to a Google Desktop Search database being corrupted (coincidentally at the very same moment, or shortly just before, the suspect USB stick was inserted into my PC). This is somewhat improbable in my mind, but it's possible since when I tried to reinstall Google Desktop Search I got a message from Google's installer saying "could not upgrade database. There may not be enough free space on the drive or another program may be locking the database.... D 80070020 5.9.1005.12345 "

I tried 'repairing' Google but no luck... I just had the system reboot.

I found this link: http://desktop.googl...py?answer=12354 and I am going through the steps now (trying 'overinstall' then 'uninstall' at the moment).

I will keep this post updated in cases others have the same problem. Very annoying because this problem, if it is Google's fault, mimics an undetectable virus. BTW Malwarebytes did not detect any malware, just as I thought.

Kay

[KayLatvia]

Just a quick note: I removed Google Desktop from the system. After about an hour of running Windows I have yet to see a re-occurrence of the problem. Before the problem would manifest itself within minutes (when the computer was idle, in non-Safe Mode, so presumably Google Desktop was working on indexing. So it looks like Google Desktop rather than some unknown malware was the problem. It seems Google Desktop, which is being phased out by Google, was written for Windows XP more so than Vista/7 and causes problems if the index used in the program becomes corrupted. This problem mimics a virus or malware.

I will update this if conditions change.

I still intend to donate something, since this forum, a successor to CastleCops, is useful.

For now I close this thread.

Kay

[KayLatvia]

Unfortunately I spoke too soon--it's back. I get the same error now, "Windows has encountered a critical problem and will restart automatically in one minute". This problem from what I've read on the net could be either a bad software driver or a virus. It's hard to tell. Running Malwarebytes in "Full Scan" mode now...but I doubt it catches anything, as last time it did not.

Perhaps I have a rootkit since this is in all probability a counterfeit Windows 7 OS? But see my original files uploaded--no rootkit there? And doubtful I have a rootkit now because I've used these potentially counterfeit Windows OSes for years without problems, and this one for two months without a problem. Besides if it was a rootkit designed to compromise my system it would not advertise itself in this way but stay silent. I think this might be a virus that is not yet on anybody's radar screen, or perhaps a bad driver. I notice for example that this version of Windows 7 does not handle "encrypted" folders very well, and I did set up such an encrypted folder.

I will hold this thread open a while longer. I would like to catch this virus, as an academic exercise, but the easiest thing to do is to go back to the hard drive image snapshot before these problems started, using Acronis.

[KayLatvia]

KayLatvia, on 16 August 2011 - 01:23 AM, said:

Unfortunately I spoke too soon--it's back. I get the same error now, "Windows has encountered a critical problem and will restart automatically in one minute". This problem from what I've read on the net could be either a bad software driver or a virus. It's hard to tell. Running Malwarebytes in "Full Scan" mode now...but I doubt it catches anything, as last time it did not.

Perhaps I have a rootkit since this is in all probability a counterfeit Windows 7 OS? But see my original files uploaded--no rootkit there? And doubtful I have a rootkit now because I've used these potentially counterfeit Windows OSes for years without problems, and this one for two months without a problem. Besides if it was a rootkit designed to compromise my system it would not advertise itself in this way but stay silent. I think this might be a virus that is not yet on anybody's radar screen, or perhaps a bad driver. I notice for example that this version of Windows 7 does not handle "encrypted" folders very well, and I did set up such an encrypted folder.

I will hold this thread open a while longer. I would like to catch this virus, as an academic exercise, but the easiest thing to do is to go back to the hard drive image snapshot before these problems started, using Acronis.

I found, using a stand alone CD by Kaspersky, that this virus (which escaped my other anti-virus programs) may be responsible: TrojanDownloder. Win32.Agent

I removed this virus, and for now the system is not acting up.

Kay

[screen317]

Hi and welcome to Malwarebytes.


Looks like you got the situation under control. Anything else I can help with?

[screen317]

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.