BleepingComputer.com: Unable to Run MalwareBytes or hijack this!

Hello,

I am walking through the process of trying to disinfect my computer. When I try to run Malwarebytes, I get this error:
Run-time error '48':
File not found: advpack

If I try to run some programs, like registry mechanic, I get this error:

Windows\system32\snmpapi.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or software vendor for support.

Trying to run hijack this, I get this error:


Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

Not sure what to do at this point. Please can anyone help??!!

This post has been edited by Budapest: 26 July 2011 - 04:49 PM
Reason for edit: Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest

Hi Chris Klong,

to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screename jntkwx or Jason is fine.

Some things to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• Please do not attach logs or put logs in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can also help.
  
• Do not run anything while running a fix.
  
• If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

---

Download Security Check by screen317 from here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt.
  
• Please post the contents of that document.

Please download MiniToolBox and run it.

Checkmark following boxes:

• Report IE Proxy Settings
  
• List content of Hosts
  
• List IP configuration
  
• List last 10 Event Viewer log
  
• List Users, Partitions and Memory size

Click Go and post the result.Please download MiniToolBox and run it.


It sounds like something is getting corrupted during the install Malwarebytes install. Try downloading it from here, and follow these instructions to reinstall.

Rerun Malwarebytes
Open Malwarebytes, click on the Update tab, and click the check for Updates button.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you have trouble updating, troubleshoot Malwarebytes' Anti-Malware

Reboot into Normal mode. Next run Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  
• An icon will be created on your desktop. Double-click that icon to launch the program.
  
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  
• In the Main Menu, click the Preferences... button.
  
• Click the Scanning Control tab.
  
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
    
  • Scan for tracking cookies.
    
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
  
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  
• On the left, make sure you check C:\Fixed Drive.
  
• On the right, under "Complete Scan", choose Perform Complete Scan.
  
• Click "Next" to start the scan. Please be patient while it scans your computer.
  
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  
• Make sure everything has a checkmark next to it and click "Next".
  
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  
• If asked if you want to reboot, click "Yes".
  
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
    
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


In your next reply, please include:

• Security Check log
  
• MiniToolBox log
  
• Malwarebytes log
  
• SuperAntiSpyware log
  
• GMER log
  
• How's the computer running now? Please provide a detailed description any remaining problems, detailed word-for-word error messages that you are receiving, and/or screenshots of strange behavior.

This post has been edited by jntkwx: 27 July 2011 - 05:36 AM

Thanks Jason,

Here's the first two logs you requested:

Results of screen317's Security Check version 0.99.18
Windows 7 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java™ 6 Update 20
Out of date Java installed!
Adobe Flash Player 10.3.181.26
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
``````````End of Log````````````




MiniToolBox by Farbar
Ran by Chris-7 (administrator) on 27-07-2011 at 06:10:22
Windows 7 Ultimate (X64)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
ProxyServer: http=127.0.0.1:52505
========================= Hosts content: =================================
127.0.0.1 localhost
127.0.0.1 localhost

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global


popd
# End of IPv4 configuration



Windows IP Configuration

Host Name . . . . . . . . . . . . : Chris-7-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Wireless LAN adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : 1call.local
Description . . . . . . . . . . . : Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
Physical Address. . . . . . . . . : 00-15-AF-0E-C5-CA
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller #2
Physical Address. . . . . . . . . : 00-1A-92-42-80-BF
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
Physical Address. . . . . . . . . : 00-1A-92-42-7A-7F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::557f:a565:832b:60f2%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.64(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, July 27, 2011 5:52:26 AM
Lease Expires . . . . . . . . . . : Thursday, July 28, 2011 5:52:27 AM
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 234887826
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-2F-D0-A7-00-1A-92-42-7A-7F
DNS Servers . . . . . . . . . . . : 192.168.1.254
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.gateway.2wire.net:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:288e:ab2:b901:abf8(Preferred)
Link-local IPv6 Address . . . . . : fe80::288e:ab2:b901:abf8%18(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Server: home
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.227.50
74.125.227.48
74.125.227.52
74.125.227.49
74.125.227.51


Pinging google.com [74.125.227.50] with 32 bytes of data:
Reply from 74.125.227.50: bytes=32 time=12ms TTL=55
Reply from 74.125.227.50: bytes=32 time=13ms TTL=55

Ping statistics for 74.125.227.50:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 12ms, Maximum = 13ms, Average = 12ms
Server: home
Address: 192.168.1.254

Name: yahoo.com
Addresses: 72.30.2.43
98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65


Pinging yahoo.com [72.30.2.43] with 32 bytes of data:
Reply from 72.30.2.43: bytes=32 time=56ms TTL=55
Reply from 72.30.2.43: bytes=32 time=56ms TTL=55

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 56ms, Maximum = 56ms, Average = 56ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
15...00 15 af 0e c5 ca ......Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter
13...00 1a 92 42 80 bf ......Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller #2
11...00 1a 92 42 7a 7f ......Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
18...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.64 20
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.64 276
192.168.1.64 255.255.255.255 On-link 192.168.1.64 276
192.168.1.255 255.255.255.255 On-link 192.168.1.64 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.64 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.64 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
18 58 ::/0 On-link
1 306 ::1/128 On-link
18 58 2001::/32 On-link
18 306 2001:0:4137:9e76:288e:ab2:b901:abf8/128
On-link
11 276 fe80::/64 On-link
18 306 fe80::/64 On-link
18 306 fe80::288e:ab2:b901:abf8/128
On-link
11 276 fe80::557f:a565:832b:60f2/128
On-link
1 306 ff00::/8 On-link
18 306 ff00::/8 On-link
11 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/27/2011 06:10:22 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/27/2011 06:07:07 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/27/2011 06:03:04 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/27/2011 05:57:23 AM) (Source: Microsoft Office 14) (User: )
Description: Microsoft Outlook: Rejected Safe Mode action : Outlook failed to start correctly last time. Starting Outlook in safe mode will help you correct or isolate a startup problem in order to successfully start the program. Some functionality may be disabled in this mode.

Do you want to start Outlook in safe mode?.
Rejected Safe Mode action : Microsoft Outlook.

Error: (07/27/2011 05:55:41 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {70bcd6e8-650e-430d-a7a8-b33bea3f929e}

Error: (07/27/2011 05:55:41 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(.DEFAULT). hr = 0x80070539, The security ID structure is invalid.
.


Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: Shadow Copy Optimization Writer
Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
Writer Name: Shadow Copy Optimization Writer
Writer Instance ID: {ef1318ec-64d2-445d-8ed3-f60b10d54150}

Error: (07/27/2011 05:54:38 AM) (Source: Application Error) (User: )
Description: Faulting application name: iTunes.exe, version: 10.2.2.12, time stamp: 0x4da738b4
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x9b8
Faulting application start time: 0xiTunes.exe0
Faulting application path: iTunes.exe1
Faulting module path: iTunes.exe2
Report Id: iTunes.exe3

Error: (07/27/2011 05:54:26 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/27/2011 05:52:29 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"1".
Dependent Assembly Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (07/27/2011 03:00:10 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(.DEFAULT). hr = 0x80070539, The security ID structure is invalid.
.


Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: Shadow Copy Optimization Writer
Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
Writer Name: Shadow Copy Optimization Writer
Writer Instance ID: {d9c50c16-aaa3-4cc6-8f74-b7a3323c4621}


System errors:
=============
Error: (07/27/2011 05:56:07 AM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

Feature: %%835

Error Code: 0x80004005

Error description: Unspecified error

Reason: %%842

Error: (07/27/2011 05:53:09 AM) (Source: Service Control Manager) (User: )
Description: The FlipShare Service service failed to start due to the following error:
%%1053

Error: (07/27/2011 05:53:09 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the FlipShare Service service to connect.

Error: (07/27/2011 05:52:21 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 5:49:18 AM on ?7/?27/?2011 was unexpected.

Error: (07/26/2011 10:59:14 PM) (Source: volsnap) (User: )
Description: The shadow copies of volume D: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (07/26/2011 07:10:31 PM) (Source: volsnap) (User: )
Description: The shadow copies of volume D: were deleted because the shadow copy storage could not grow in time. Consider reducing the IO load on the system or choose a shadow copy storage volume that is not being shadow copied.

Error: (07/26/2011 03:23:07 PM) (Source: NetBT) (User: )
Description: A duplicate name has been detected on the TCP network. The IP address of
the computer that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.

Error: (07/26/2011 02:48:45 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.

Error: (07/26/2011 02:46:44 PM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.

Feature: %%835

Error Code: 0x80004005

Error description: Unspecified error

Reason: %%842

Error: (07/26/2011 02:46:00 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service failed to start due to the following error:
%%1053


Microsoft Office Sessions:
=========================
Error: (07/27/2011 06:10:22 AM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"D:\Windows\system32\conhost.exe

Error: (07/27/2011 06:07:07 AM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"D:\Windows\system32\conhost.exe

Error: (07/27/2011 06:03:04 AM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"D:\Windows\system32\conhost.exe

Error: (07/27/2011 05:57:23 AM) (Source: Microsoft Office 14)(User: )
Description: Microsoft OutlookOutlook failed to start correctly last time. Starting Outlook in safe mode will help you correct or isolate a startup problem in order to successfully start the program. Some functionality may be disabled in this mode.

Do you want to start Outlook in safe mode?

Error: (07/27/2011 05:55:41 AM) (Source: VSS)(User: )
Description: 0x80070005, Access is denied.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {70bcd6e8-650e-430d-a7a8-b33bea3f929e}

Error: (07/27/2011 05:55:41 AM) (Source: VSS)(User: )
Description: ConvertStringSidToSid(.DEFAULT)0x80070539, The security ID structure is invalid.


Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: Shadow Copy Optimization Writer
Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
Writer Name: Shadow Copy Optimization Writer
Writer Instance ID: {ef1318ec-64d2-445d-8ed3-f60b10d54150}

Error: (07/27/2011 05:54:38 AM) (Source: Application Error)(User: )
Description: iTunes.exe10.2.2.124da738b4unknown0.0.0.000000000c0000005000000009b801cc4c4b6d9647e5D:\Program Files (x86)\iTunes\iTunes.exeunknownd278b0a9-b83e-11e0-812c-001a92427a7f

Error: (07/27/2011 05:54:26 AM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"D:\Windows\system32\conhost.exe

Error: (07/27/2011 05:52:29 AM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.SystemCompatible,processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.7600.16823"D:\Windows\system32\conhost.exe

Error: (07/27/2011 03:00:10 AM) (Source: VSS)(User: )
Description: ConvertStringSidToSid(.DEFAULT)0x80070539, The security ID structure is invalid.


Operation:
OnIdentify event
Gathering Writer Data

Context:
Execution Context: Shadow Copy Optimization Writer
Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
Writer Name: Shadow Copy Optimization Writer
Writer Instance ID: {d9c50c16-aaa3-4cc6-8f74-b7a3323c4621}


========================= Memory info: ===================================

Percentage of memory in use: 48%
Total physical RAM: 4095.12 MB
Available physical RAM: 2115.9 MB
Total Pagefile: 8188.38 MB
Available Pagefile: 6029.18 MB
Total Virtual: 4095.88 MB
Available Virtual: 3969.31 MB

========================= Partitions: =====================================

1 Drive c: (Munchies) (Fixed) (Total:203.36 GB) (Free:94.75 GB) NTFS
2 Drive d: () (Fixed) (Total:94.73 GB) (Free:15.01 GB) NTFS
3 Drive e: (Thai_ger Graphics) (Fixed) (Total:273.44 GB) (Free:58.66 GB) NTFS
4 Drive f: (Fun_Stuff) (Fixed) (Total:192.32 GB) (Free:125.01 GB) NTFS
7 Drive i: (Grab_Bag) (Fixed) (Total:1862.89 GB) (Free:1856.69 GB) NTFS
8 Drive j: (My Book Backup) (Fixed) (Total:931.51 GB) (Free:141.16 GB) NTFS
10 Drive m: (Iomega HDD Backup) (Fixed) (Total:1397.26 GB) (Free:138.43 GB) NTFS
11 Drive o: (Original Files) (Fixed) (Total:465.75 GB) (Free:243.5 GB) NTFS
12 Drive q: (My Book) (Fixed) (Total:930.86 GB) (Free:173 GB) NTFS
13 Drive r: (WD SmartWare) (CDROM) (Total:0.43 GB) (Free:0 GB) UDF
14 Drive t: (Iomega HDD) (Fixed) (Total:1397.26 GB) (Free:142.25 GB) NTFS

========================= Users: ========================================

User accounts for \\CHRIS-7-PC

Administrator Chris-7 Guest
LogMeInRemoteUser


== End of log ==



I tried running the malware steps of uninstalling, reinstalling, but first the link you gave gives me a 404 error.

Do you want me to do the other steps after that, skipping the malwarebytes stuff?

This post has been edited by Chris Klong: 27 July 2011 - 08:10 AM

Hi Chris Klong,

Oops, sorry about the broken link. Please follow these instructions:

If you are having any problems with Malwarebytes' Anti-Malware protection please do the following.

1. Uninstall Malwarebytes' Anti-Malware. Go to Start, Control Panel, Programs and Features. Select Malwarebytes' and click Uninstall.
2. Restart your computer (very important).
3. Download and run this utility.
4. It will ask to restart your computer (please allow it to).
5. After your computer restarts, please download Malwarebytes Anti-Malware and save it to your desktop.

Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

Then continue with steps 4 and 5 from my first post.

In your next reply, please include:

• Malwarebytes log
  
• SuperAntiSpyware log
  
• GMER log
  
• How's the computer running now? Please provide a detailed description any remaining problems, detailed word-for-word error messages that you are receiving, and/or screenshots of strange behavior.

When I start the uninstall process, the error message

comes up:

Run-time error '48':
File not found: advpack

I click "OK" and MalwareBytes uninstalls. I get the message:

MalwareBytes' Anti-Malware was successfully removed from your computer.

I restarted and ran the utility without any problems and restarted my computer.

I downloaded from Link 1, and installed MalwareBytes.

The install had no problems, but when I clicked finished (After leaving the Run Now and Update Now checked), The error popped up:

Run-time error '48':
File not found: advpack

Clicking "OK" makes the error pop up again. I click "OK" and it goes away and nothing else happens. I renamed mbam.exe to:

mbam.com
iexplore.exe
explorer.exe
userinit.exe
winlogon.exe

and all of them came up with the 48 error.

ran rkill. Log of rkill:

This log file is located at D:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 07/27/2011 at 10:00:14.
Operating System: Windows 7 Ultimate


Processes terminated by Rkill or while it was running:

D:\Windows\SysWOW64\rundll32.exe


Rkill completed on 07/27/2011 at 10:01:11.

-----------------------------------------------------


Running mbam.exe still throws the "error '48'"

Should I continue through your notes or do something else?

This post has been edited by Chris Klong: 27 July 2011 - 10:04 AM

Hi Chris Klong,

I want to try and get Malwarebytes' to work before continuing on.

Let's try repairing corrupt operating system files.
Please follow the directions here: http://www.bleepingcomputer.com/forums/topic43051.html

1. Uninstall Malwarebytes' Anti-Malware. Go to Start, Control Panel, Programs and Features. Select Malwarebytes' and click Uninstall.
2. Restart your computer (very important).
3. Download and run this utility.
4. It will ask to restart your computer (please allow it to).

After your computer restarts, let's try rebooting into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu with several options. Press the down arrow key on your keyboard until Safe Mode with Networking is selected. Press Enter.

Please see here for additional details.

Still in Safe Mode with Networking, download Malwarebytes Anti-Malware and save it to your desktop.

Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
• Double-click on mbam-setup.exe to install the application.
  For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
    
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

Reboot into Normal Mode, then continue with steps 4 and 5 from my first post.

In your next reply, please include:

• Malwarebytes log
  
• SuperAntiSpyware log
  
• GMER log
  
• How's the computer running now? Please provide a detailed description any remaining problems, detailed word-for-word error messages that you are receiving, and/or screenshots of strange behavior.

ran updates after running the program...had 5 updates SP 1 for 7x64, Office SP1, and three others.

on restart, this error comes up

RunDLL
There was a problem starting advpack.dll
advpack.dll is not a valid Win32 application.

"Setting up personalized settings for:"
like it's a new user

"Windows Service Pack 1 is now installed"

uninstall MalwareBytes
- Run-time error '48':
File not found: advpack

Clicked "OK"

"Malwarebytes' Anti-Malware was successfully removed form your computer.

restarted computer in safe mode

installed Malwarebytes...

got the Run-time '48' error when I tried to run it in safe mode.

Hi Chris Klong,

Let's skip Malwarebytes for now.

Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  
• An icon will be created on your desktop. Double-click that icon to launch the program.
  
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  
• In the Main Menu, click the Preferences... button.
  
• Click the Scanning Control tab.
  
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
    
  • Scan for tracking cookies.
    
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
  
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  
• On the left, make sure you check C:\Fixed Drive.
  
• On the right, under "Complete Scan", choose Perform Complete Scan.
  
• Click "Next" to start the scan. Please be patient while it scans your computer.
  
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  
• Make sure everything has a checkmark next to it and click "Next".
  
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  
• If asked if you want to reboot, click "Yes".
  
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
    
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


In your next reply, please include:

• SuperAntiSpyware log
  
• GMER log
  
• How's the computer running now? Please provide a detailed description any remaining problems, detailed word-for-word error messages that you are receiving, and/or screenshots of strange behavior.

Superantispyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/27/2011 at 04:03 PM

Application Version : 4.55.1000

Core Rules Database Version : 7472
Trace Rules Database Version: 5284

Scan type : Complete Scan
Total Scan Time : 00:08:13

Memory items scanned : 674
Memory threats detected : 0
Registry items scanned : 14003
Registry threats detected : 2
File items scanned : 275
File threats detected : 66

Adware.Tracking Cookie
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@a1.interclick[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@ad.wsod[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@interclick[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@cn.clickable[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@eyewonder[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@media.adfrontiers[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@pro-market[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@media6degrees[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@cdn1.trafficmp[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@bs.serving-sys[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@ru4[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@questionmarket[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@overture[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@fastclick[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@doubleclick[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@pointroll[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@ad.yieldmanager[3].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@richmedia.yahoo[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@burstbeacon[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@lucidmedia[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@www.burstnet[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@adinterax[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@www.burstbeacon[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@collective-media[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@invitemedia[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@ads.pointroll[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@ads.monster[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@tribalfusion[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@www.find-fast-answers[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@account.live[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@ad.yieldmanager[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@zedo[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@chitika[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@statcounter[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@msnportal.112.2o7[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@ads.nba[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@at.atwola[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@trafficmp[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@content.yieldmanager[5].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@kontera[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@serving-sys[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@yieldmanager[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@in.getclicky[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@googleads.g.doubleclick[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@imrworldwide[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@click.tigeronline[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@tacoda.at.atwola[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@mediaplex[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@burstnet[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@realmedia[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@ads.undertone[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@advertising[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@ads.pubmatic[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@apmebf[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@revsci[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@atdmt[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@mediabrandsww[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@casalemedia[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@2o7[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@specificclick[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@msnbc.112.2o7[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@advertise[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@insightexpressai[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@adbrite[2].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@afaservice.122.2o7[1].txt
D:\Users\Chris-7\AppData\Roaming\Microsoft\Windows\Cookies\chris-7@content.yieldmanager[4].txt

Security.HiJack[ImageFileExecutionOptions]
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE#Debugger


The Gamr log said that there was nothing to be done (no files found)

My computer is not acting any different programs won't open, getting that error 48 message.

Hi Chris Klong,

Let's try this:

Please download SystemLook and save it to your Desktop.

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  :reg
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ /s
  
  :filefind
  advpack.dll

  
  
• Click the Look button to start the scan. It may take a couple minutes to scan. Please be patient.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

SystemLook 04.09.10 by jpshortstuff
Log created at 09:13 on 28/07/2011 by Chris-7
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\]
(No values found)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\accicons.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\clview.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\cnfnot32.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\cqw32.exe]
(No values found)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\DllNXOptions]
"mscoree.dll"= 0x0000000001 (1)
"mscorwks.dll"= 0x0000000001 (1)
"mso.dll"= 0x0000000001 (1)
"msjava.dll"= 0x0000000001 (1)
"msci_uno.dll"= 0x0000000001 (1)
"jvm.dll"= 0x0000000001 (1)
"jvm_g.dll"= 0x0000000001 (1)
"javai.dll"= 0x0000000001 (1)
"vb40032.dll"= 0x0000000001 (1)
"vbe6.dll"= 0x0000000001 (1)
"ums.dll"= 0x0000000001 (1)
"main123w.dll"= 0x0000000001 (1)
"udtapi.dll"= 0x0000000001 (1)
"mscorsvr.dll"= 0x0000000001 (1)
"eMigrationmmc.dll"= 0x0000000001 (1)
"eProcedureMMC.dll"= 0x0000000001 (1)
"eQueryMMC.dll"= 0x0000000001 (1)
"EncryptPatchVer.dll"= 0x0000000001 (1)
"Cleanup.dll"= 0x0000000001 (1)
"divx.dll"= 0x0000000001 (1)
"divxdec.ax"= 0x0000000001 (1)
"fullsoft.dll"= 0x0000000001 (1)
"NSWSTE.dll"= 0x0000000001 (1)
"ASSTE.dll"= 0x0000000001 (1)
"NPMLIC.dll"= 0x0000000001 (1)
"PMSTE.dll"= 0x0000000001 (1)
"AVSTE.dll"= 0x0000000001 (1)
"NAVOPTRF.dll"= 0x0000000001 (1)
"DRMINST.dll"= 0x0000000001 (1)
"TFDTCTT8.dll"= 0x0000000001 (1)
"DJSMAR00.dll"= 0x0000000001 (1)
"xlmlEN.dll"= 0x0000000001 (1)
"ISSTE.dll"= 0x0000000001 (1)
"symlcnet.dll"= 0x0000000001 (1)
"ppw32hlp.dll"= 0x0000000001 (1)
"Apitrap.dll"= 0x0000000001 (1)
"Vegas60k.dll"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\dw20.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\dwtrig20.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\ehshell.exe]
"Debugger"=""D:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" -MceShellRedirect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\excel.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\excelcnv.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\graph.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\groove.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\iexplore.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)
"DisableUserModeCallbackFilter"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\infopath.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\msaccess.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\msohtmed.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\msosync.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\msoxmled.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\mspub.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\mstordb.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\mstore.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\ois.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\onelev.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\onenote.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\onenotem.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\ose.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\outlook.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\powerpnt.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\scanost.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\scanpst.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\selfcert.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\vpreview.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\Winword.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\wordconv .exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\wpwin8.EXE]
(No values found)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\wxp.exe]
"DisableExceptionChainValidation"= 0x0000000000 (0)


========== filefind ==========

Searching for "advpack.dll"
D:\Windows\System32\advpack.dll --a---- 160256 bytes [23:58 13/07/2009] [01:40 14/07/2009] 5FBD7BEC6CD3DCAA6A87A7F70CE8AF44
D:\Windows\SysWOW64\advpack.dll --a---- 126464 bytes [23:42 13/07/2009] [01:14 14/07/2009] BB41A9DB2F2B5754CA6D9692E30C8EBA
D:\Windows\winsxs\amd64_microsoft-windows-advpack_31bf3856ad364e35_8.0.7600.16385_none_227a9e5883838d14\advpack.dll --a---- 160256 bytes [23:58 13/07/2009] [01:40 14/07/2009] 5FBD7BEC6CD3DCAA6A87A7F70CE8AF44
D:\Windows\winsxs\x86_microsoft-windows-advpack_31bf3856ad364e35_8.0.7600.16385_none_c65c02d4cb261bde\advpack.dll --a---- 126464 bytes [23:42 13/07/2009] [01:14 14/07/2009] BB41A9DB2F2B5754CA6D9692E30C8EBA

-= EOF =-

Let's try repairing corrupt operating system files.
Please follow the directions here: http://www.bleepingcomputer.com/forums/topic43051.html

Rerun SystemLook

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  :filefind
  ehshell.exe

  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

This post has been edited by jntkwx: 28 July 2011 - 10:55 AM

I ran the file, and it ran, but I stepped away and when I came back, there was nothing on the screen.

I looked at Windows Update, and it said there were not updates to run.

I had run this system check thing before per your request on post #6 and ran updates afterwards.

The fact that it didn't give you errors is good.

RogueKiller

• Download RogueKiller on the desktop
  
• Close all the running processes
  
• Under Vista/Seven, right click -> Run as Administrator
  
• Otherwise just double-click on RogueKiller.exe
  
• When prompted, type 1 (SCAN) then Enter
  
• A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  
• If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename in winlogon.exe (or winlogon.com) and try again

This post has been edited by jntkwx: 28 July 2011 - 11:25 AM

The process runs and when I press enter, it searches through the files, and then it goes back to the beginning (where I can "enter my choice and press enter"). NO report is shown. I've been having problems with opening notepad, but when I ran the systemlook.exe file, notepad opened up with the report.