Rootkit Removal Assistance


  • This topic is locked
28 replies to this topic

#1 unwillingmark

  • Members
  • 26 posts

Posted 02 November 2012 - 01:31 PM

Hello, I need professional help with my compromised Dell XPS laptop. I just upgraded to Windows 8 and noticed it was running sluggish for a high performance machine, so I ran a number of scans, which displayed results out of my comfort zone.

I followed the forum instructions on preparation, but DDS does not work with Win 8 Pro. I installed GMER to my desktop, but when I opened it (with elevated permission of course), the GUI showed a number of options grayed out, so I could not uncheck IAT/EAT. I ran the scan anyway to get a log file for you.

Thanks much,

Bob


#2 thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender: Male
  • Location: USA

Posted 06 November 2012 - 03:43 AM

Hello Bob :)

  • I will be helping with your computer problems.
  • From this point on, it is very important that you refrain from doing anything else to your computer other than what I have requested of you.
  • I do not mind if you browse the web, do basic tasks, or even test to see if the problem(s) you are experiencing are still occurring with the computer while we are working together, but do not run any tools/fixes unless I or another helper from this thread has asked you to do so.
  • Remember that you came here for help, so allow us to help you :)
  • If something does not run, make a detailed note of what problems you encountered along the way (exact error messages are preferred), but continue onto the next steps until you reach the end of my post.
  • Always do the steps in the order they are listed (left to right, top to bottom).
  • I prefer that you complete all the steps while you are in Normal Mode. However, I understand that sometimes this is not possible. If you are unsuccessful in getting a tool/fix to run from Normal Mode, but Safe Mode works, then use Safe Mode.
  • If you have a question about something, do not hesitate to ask.

Let's begin:

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).

__

Please download OTL.

  • Save it to your desktop.
  • Right mouse click on the OTL icon on your desktop and select Run as Administrator
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the text field.

    drives
    baseservices
    
  • Now click the button to run the scan.
  • Two reports will be created:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Paste the contents of OTL.txt here for me to review, but attach Extras.txt.

Edited by thisisu, 06 November 2012 - 03:44 AM.


#3 unwillingmark

  • Topic Starter
  • Members
  • 26 posts

Posted 07 November 2012 - 11:27 AM

Hi DM,

I'm back in town and will do this directly.

Thanks much for your help. I shall follow your directions to the letter.

Bob

#4 unwillingmark

  • Topic Starter
  • Members
  • 26 posts

Posted 07 November 2012 - 12:28 PM

Hi,

I could not get OTL to produce an extras.txt file. I have always had it minimized after the scan... I searched the machine to no avail. Any thoughts?


Here are the two requested logs.

Sorry, I had to attach the OTL log as it would not let me paste it here because of size.

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.07.05

Windows 7 x64 NTFS
Internet Explorer 9.10.9200.16420
thewe_000 :: ARTISAN_REMOTE [administrator]

Protection: Disabled

11/7/2012 11:59:47 AM
mbam-log-2012-11-07 (11-59-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217873
Time elapsed: 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


THX Bob

#5 unwillingmark

  • Topic Starter
  • Members
  • 26 posts

Posted 07 November 2012 - 12:29 PM

The OTL Log. Sorry I was quick on the trigger.

#6 thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender: Male
  • Location: USA

Posted 07 November 2012 - 02:32 PM

Please download Vino's Event Viewer to your desktop
  • Double-click VEW.exe to run.
  • Under Select log to query, select:
    • Application
    • System
  • Under Select type to list, select:
    • Error
    • Warning
  • Click the radio button for Number of events
  • Type 20 in the 1 to 20 box.
  • Now click the Run button
  • When the program is finished, Notepad will open.
  • Close Notepad
  • Browse in Explorer to find C:\VEW.txt
  • This is where the log saved itself.
  • Attach or post the contents of VEW.txt to your next message.
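The query the post above asks VEW to run (the last 20 Critical/Error/Warning events from the Application and System logs) can be reproduced with the built-in Get-WinEvent cmdlet, which is useful when a third-party viewer will not run on a new Windows release. The block below is an added example, not part of the original post or of VEW; it assumes Windows 7/8 or later with PowerShell 2.0+, an elevated prompt, and writes to an output file name of its own choosing (VEW writes C:\VEW.txt). It also groups the events by source and ID, and lists "Application Error" 1000 crashes by faulting binary, because on a sluggish machine the repetition and the crashing processes are the signal; note that a scanner that faults inside ntdll.dll is, on its own, a crashing program and not evidence of a rootkit.

```powershell
# Added example (not from the original post): collect the same data the VEW
# instructions ask for, using only the built-in Get-WinEvent cmdlet.
# Assumed environment: Windows 7/8 or later, PowerShell 2.0+, elevated prompt.
# The output file name below is an assumption, not VEW's C:\VEW.txt.

$logs      = 'Application', 'System'
$levels    = 1, 2, 3        # Get-WinEvent levels: 1 = Critical, 2 = Error, 3 = Warning
$maxEvents = 20             # mirrors "Number of events: 20" in the post
$outFile   = Join-Path $env:USERPROFILE 'Desktop\events-summary.txt'

function Get-RecentProblemEvents {
    param([string]$LogName, [int[]]$Level, [int]$Max)
    # FilterHashtable filters inside the event log service; newest events come first.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = $Level } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue
}

$report = foreach ($log in $logs) {
    $events = @(Get-RecentProblemEvents -LogName $log -Level $levels -Max $maxEvents)

    "=== '$log' log: $($events.Count) most recent Critical/Error/Warning events ==="
    $events |
        Select-Object TimeCreated, LevelDisplayName, Id, ProviderName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap | Out-String -Width 200

    # The useful signal is repetition: the same source/ID firing again and again
    # (Application Hang 1002, Application Error 1000, Service Control Manager 7034).
    "--- '$log': events grouped by source and event ID ---"
    $events |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize | Out-String -Width 200

    # Event 1000 from "Application Error" carries the faulting binary in
    # Properties[0] and the exception code in Properties[6]; list them so a
    # crashing tool (scanner, updater, service) is visible at a glance.
    "--- '$log': application crashes (Application Error, event 1000) ---"
    $events |
        Where-Object { $_.ProviderName -eq 'Application Error' -and $_.Id -eq 1000 -and $_.Properties.Count -gt 6 } |
        ForEach-Object {
            "{0}  {1}  exception {2}" -f $_.TimeCreated, $_.Properties[0].Value, $_.Properties[6].Value
        }
}

$report | Set-Content -Path $outFile -Encoding UTF8
Write-Host "Saved to $outFile"
```

Post or attach the resulting file exactly as the thread asks for VEW.txt; the grouped view is the part a helper reads first, so keep it in the paste even if the per-event table is trimmed for length.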


#7 unwillingmark

  • Topic Starter
  • Members
  • 26 posts

Posted 07 November 2012 - 10:30 PM

OMG. This is ridiculous...


Vino's Event Viewer v01c run on Windows 7 in English
Report run at 07/11/2012 10:23:00 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 05/11/2012 8:39:52 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program iexplore.exe version 10.0.9200.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 1590 Start Time: 01cdbb266f22caa7 Termination Time: 203 Application Path: C:\Program Files\Internet Explorer\iexplore.exe Report Id: 5c89bc3e-2724-11e2-be70-848f69bfb1f4 Faulting package full name: Faulting package-relative application ID:

Log: 'Application' Date/Time: 05/11/2012 8:16:30 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program iexplore.exe version 10.0.9200.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: ec8 Start Time: 01cdbb266f337b3d Termination Time: 47 Application Path: C:\Program Files\Internet Explorer\iexplore.exe Report Id: 1949da38-2721-11e2-be70-848f69bfb1f4 Faulting package full name: Faulting package-relative application ID:

Log: 'Application' Date/Time: 05/11/2012 7:23:18 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program iexplore.exe version 10.0.9200.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: bc8 Start Time: 01cdbb261a0dcd65 Termination Time: 16 Application Path: C:\Program Files\Internet Explorer\iexplore.exe Report Id: aa7b2c4a-2719-11e2-be70-848f69bfb1f4 Faulting package full name: Faulting package-relative application ID:

Log: 'Application' Date/Time: 05/11/2012 7:20:51 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program iexplore.exe version 10.0.9200.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 9cc Start Time: 01cdbb254134def9 Termination Time: 0 Application Path: C:\Program Files\Internet Explorer\iexplore.exe Report Id: 530b0d67-2719-11e2-be70-848f69bfb1f4 Faulting package full name: Faulting package-relative application ID:

Log: 'Application' Date/Time: 05/11/2012 7:13:38 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program iexplore.exe version 10.0.9200.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: d90 Start Time: 01cdbb1ede93980e Termination Time: 16 Application Path: C:\Program Files\Internet Explorer\iexplore.exe Report Id: 50d5525a-2718-11e2-be70-848f69bfb1f4 Faulting package full name: Faulting package-relative application ID:

Log: 'Application' Date/Time: 05/11/2012 6:58:49 AM
Type: Error Category: 2414
Event: 2486 Source: Microsoft-Windows-Immersive-Shell
App microsoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.People did not launch within its allotted time.

Log: 'Application' Date/Time: 05/11/2012 6:57:12 AM
Type: Error Category: 2414
Event: 2486 Source: Microsoft-Windows-Immersive-Shell
App microsoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.People did not launch within its allotted time.

Log: 'Application' Date/Time: 05/11/2012 5:53:07 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program iexplore.exe version 10.0.9200.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 138c Start Time: 01cdbb184643da3f Termination Time: 0 Application Path: C:\Program Files\Internet Explorer\iexplore.exe Report Id: 117c4a82-270d-11e2-be70-848f69bfb1f4 Faulting package full name: Faulting package-relative application ID:

Log: 'Application' Date/Time: 05/11/2012 5:38:47 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program iexplore.exe version 10.0.9200.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: f3c Start Time: 01cdbb1622411a5b Termination Time: 16 Application Path: C:\Program Files\Internet Explorer\iexplore.exe Report Id: 106bf8c0-270b-11e2-be70-848f69bfb1f4 Faulting package full name: Faulting package-relative application ID:

Log: 'Application' Date/Time: 02/11/2012 4:13:12 AM
Type: Error Category: 101
Event: 1002 Source: Application Hang
The program cpdys1o4.exe version 1.0.15.15641 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel. Process ID: 4f0 Start Time: 01cdb8af3b8ce19c Termination Time: 0 Application Path: C:\Users\thewe_000\Desktop\cpdys1o4.exe Report Id: 9a6607d4-24a3-11e2-be6e-848f69bfb1f4 Faulting package full name: Faulting package-relative application ID:

Log: 'Application' Date/Time: 02/11/2012 3:29:53 AM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: aswMBR.exe, version: 0.9.9.1665, time stamp: 0x4f5f9c86 Faulting module name: ntdll.dll, version: 6.2.9200.16420, time stamp: 0x505aaa82 Exception code: 0xc0000005 Fault offset: 0x0004f44d Faulting process id: 0xc20 Faulting application start time: 0x01cdb8a9ec5f4555 Faulting application path: C:\Users\thewe_000\Desktop\aswMBR.exe Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll Report Id: 906786ba-249d-11e2-be6c-848f69bfb1f4 Faulting package full name: Faulting package-relative application ID:

Log: 'Application' Date/Time: 01/11/2012 9:29:27 PM
Type: Error Category: 5973
Event: 5973 Source: Microsoft-Windows-Immersive-Shell
Activation of app DefaultBrowser_NOPUBLISHERID!Chrome failed with error: This app can't be activated from an elevated context. See the Microsoft-Windows-TWinUI/Operational log for additional information.

Log: 'Application' Date/Time: 01/11/2012 9:29:19 PM
Type: Error Category: 5973
Event: 5973 Source: Microsoft-Windows-Immersive-Shell
Activation of app DefaultBrowser_NOPUBLISHERID!Chrome failed with error: This app can't be activated from an elevated context. See the Microsoft-Windows-TWinUI/Operational log for additional information.

Log: 'Application' Date/Time: 01/11/2012 8:33:13 PM
Type: Error Category: 100
Event: 1000 Source: Application Error
Faulting application name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Faulting module name: RootkitRevealer.exe, version: 1.71.0.0, time stamp: 0x44e255aa Exception code: 0xc0000005 Fault offset: 0x000040cd Faulting process id: 0xb7c Faulting application start time: 0x01cdb8701b555cfe Faulting application path: C:\Users\thewe_000\Downloads\RootkitRevealer\RootkitRevealer.exe Faulting module path: C:\Users\thewe_000\Downloads\RootkitRevealer\RootkitRevealer.exe Report Id: 5afdc53c-2463-11e2-be6c-848f69bfb1f4 Faulting package full name: Faulting package-relative application ID:

Log: 'Application' Date/Time: 01/11/2012 2:51:49 AM
Type: Error Category: 0
Event: 78 Source: SideBySide
Activation context generation failed for "C:\Users\thewe_000\AppData\Local\Temp\IDC2.tmp\ESETSmartInstaller.exe".Error in manifest or policy file "" on line . A component version required by the application conflicts with another component version already active. Conflicting components are:. Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16384_none_418c2a697189c07f.manifest. Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16384_none_893961408605e985.manifest.

Log: 'Application' Date/Time: 01/11/2012 12:31:01 AM
Type: Error Category: 0
Event: 1026 Source: .NET Runtime
Application: wwahost.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Exception
Stack:
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
at System.Threading.ThreadPoolWorkQueue.Dispatch()


Log: 'Application' Date/Time: 31/10/2012 4:50:34 PM
Type: Error Category: 0
Event: 1014 Source: Office Software Protection Platform Service
Acquisition of End User License failed. hr=0xC004C032 Sku Id=3850c794-b06f-4633-b02f-8ac4df0a059f

Log: 'Application' Date/Time: 31/10/2012 4:50:34 PM
Type: Error Category: 0
Event: 8200 Source: Office Software Protection Platform Service
License acquisition failure details. hr=0xC004C032

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 02/11/2012 4:48:14 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 122894 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:47:14 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 119054 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:46:14 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 115214 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:45:14 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 111374 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:44:14 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 107534 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:43:14 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 103694 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:42:14 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5042 flush attempts, and successfully flushed 0 buffers. It has run 99854 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:41:14 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 7168 flush attempts, and successfully flushed 0 buffers. It has run 96012 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:40:14 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 92171 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:39:14 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5041 flush attempts, and successfully flushed 0 buffers. It has run 88331 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:38:14 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 84490 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:37:14 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 80650 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:36:13 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 76810 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:35:13 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 72970 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:34:13 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 69130 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:33:13 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 65290 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:32:13 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 61450 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:31:13 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5040 flush attempts, and successfully flushed 0 buffers. It has run 57610 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:30:13 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5041 flush attempts, and successfully flushed 0 buffers. It has run 53770 times since maintenance was triggered.

Log: 'Application' Date/Time: 02/11/2012 4:29:13 PM
Type: Warning Category: 7
Event: 910 Source: ESENT
taskhostex (2780) The database cache size maintenance task has taken 60 seconds without completing. This may result in severe performance degradation. Current cache size is 23 buffers above the configured cache limit (243 percent of target). Cache size maintenance evicted 0 buffers, made 5044 flush attempts, and successfully flushed 0 buffers. It has run 49929 times since maintenance was triggered.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 02/11/2012 3:14:36 PM
Type: Critical Category: 63
Event: 41 Source: Microsoft-Windows-Kernel-Power
The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 02/11/2012 6:31:05 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {B77C4C36-0154-4C52-AB49-FAA03837E47F} and APPID {EA022610-0748-4C24-B229-6C507EBDFDBB} to the user Artisan_Remote\thewe_000 SID (S-1-5-21-50942023-4108141571-387938340-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 02/11/2012 6:30:26 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {B77C4C36-0154-4C52-AB49-FAA03837E47F} and APPID {EA022610-0748-4C24-B229-6C507EBDFDBB} to the user Artisan_Remote\thewe_000 SID (S-1-5-21-50942023-4108141571-387938340-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 02/11/2012 6:29:19 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {B77C4C36-0154-4C52-AB49-FAA03837E47F} and APPID {EA022610-0748-4C24-B229-6C507EBDFDBB} to the user Artisan_Remote\thewe_000 SID (S-1-5-21-50942023-4108141571-387938340-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 02/11/2012 6:26:12 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {B77C4C36-0154-4C52-AB49-FAA03837E47F} and APPID {EA022610-0748-4C24-B229-6C507EBDFDBB} to the user Artisan_Remote\thewe_000 SID (S-1-5-21-50942023-4108141571-387938340-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 02/11/2012 6:25:43 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {B77C4C36-0154-4C52-AB49-FAA03837E47F} and APPID {EA022610-0748-4C24-B229-6C507EBDFDBB} to the user Artisan_Remote\thewe_000 SID (S-1-5-21-50942023-4108141571-387938340-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Log: 'System' Date/Time: 02/11/2012 4:40:41 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 02/11/2012 3:14:58 PM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 10:51:08 AM on ?11/?2/?2012 was unexpected.

Log: 'System' Date/Time: 02/11/2012 3:02:02 PM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The Advanced SystemCare Service 6 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Log: 'System' Date/Time: 02/11/2012 3:01:52 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The AdvancedSystemCareAntivirus service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 02/11/2012 2:50:27 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The Advanced SystemCare Service 5 service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 02/11/2012 3:01:59 AM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The Advanced SystemCare Service 5 service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Log: 'System' Date/Time: 02/11/2012 2:55:44 AM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The NVIDIA Stereoscopic 3D Driver Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 02/11/2012 2:46:05 AM
Type: Error Category: 0
Event: 1060 Source: Application Popup
The event description cannot be found.

Log: 'System' Date/Time: 02/11/2012 2:46:05 AM
Type: Error Category: 0
Event: 1060 Source: Application Popup
The event description cannot be found.

Log: 'System' Date/Time: 02/11/2012 2:35:04 AM
Type: Error Category: 0
Event: 1060 Source: Application Popup
The event description cannot be found.

Log: 'System' Date/Time: 02/11/2012 2:35:04 AM
Type: Error Category: 0
Event: 1060 Source: Application Popup
The event description cannot be found.

Log: 'System' Date/Time: 02/11/2012 2:34:36 AM
Type: Error Category: 0
Event: 1060 Source: Application Popup
The event description cannot be found.

Log: 'System' Date/Time: 01/11/2012 7:22:16 PM
Type: Error Category: 0
Event: 7030 Source: Service Control Manager
The ESET Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Log: 'System' Date/Time: 30/10/2012 9:02:05 PM
Type: Error Category: 0
Event: 10010 Source: Microsoft-Windows-DistributedCOM
The server {4AA0A5C4-1B9B-4F2E-99D7-99C6AEC83474} did not register with DCOM within the required timeout.

Log: 'System' Date/Time: 30/10/2012 8:46:24 PM
Type: Error Category: 0
Event: 8003 Source: bowser
The master browser has received a server announcement from the computer ARTISAN_REMOTE that believes that it is the master browser for the domain on transport NetBT_Tcpip_{A66DF4F7-383B-4205-9194-0371D200EDC0}. The master browser is stopping or an election is being forced.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 02/11/2012 3:16:51 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.

Log: 'System' Date/Time: 02/11/2012 3:16:33 PM
Type: Warning Category: 0
Event: 1 Source: RTL8168
Realtek PCIe GBE Family Controller is disconnected from network.

Log: 'System' Date/Time: 02/11/2012 3:15:03 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.

Log: 'System' Date/Time: 02/11/2012 3:14:43 PM
Type: Warning Category: 0
Event: 1 Source: RTL8168
Realtek PCIe GBE Family Controller is disconnected from network.

Log: 'System' Date/Time: 02/11/2012 2:44:31 PM
Type: Warning Category: 1014
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name cloudupload.iobit.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 02/11/2012 5:44:46 AM
Type: Warning Category: 1014
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name www.lsygw.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 02/11/2012 3:37:51 AM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.

Log: 'System' Date/Time: 02/11/2012 3:37:32 AM
Type: Warning Category: 0
Event: 1 Source: RTL8168
Realtek PCIe GBE Family Controller is disconnected from network.

Log: 'System' Date/Time: 02/11/2012 3:31:27 AM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.

Log: 'System' Date/Time: 02/11/2012 3:31:05 AM
Type: Warning Category: 0
Event: 1 Source: RTL8168
Realtek PCIe GBE Family Controller is disconnected from network.

Log: 'System' Date/Time: 02/11/2012 1:42:52 AM
Type: Warning Category: 1014
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name downloads.andymanchesta.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 02/11/2012 12:35:00 AM
Type: Warning Category: 1014
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name appexbingweather.trafficmanager.net timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 01/11/2012 11:23:28 PM
Type: Warning Category: 1014
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name mscrl.microsoft.com timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 01/11/2012 9:28:54 PM
Type: Warning Category: 7
Event: 37 Source: Microsoft-Windows-Kernel-Processor-Power
The speed of processor 0 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 3 seconds since the last report.

Log: 'System' Date/Time: 01/11/2012 7:42:09 PM
Type: Warning Category: 1014
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name 247.142.121.74.in-addr.arpa. timed out after none of the configured DNS servers responded.

Log: 'System' Date/Time: 01/11/2012 1:15:52 AM
Type: Warning Category: 0
Event: 4 Source: MEIx64
The Intel® Management Engine Interface is being disabled.

Log: 'System' Date/Time: 01/11/2012 1:02:34 AM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.

Log: 'System' Date/Time: 01/11/2012 1:01:48 AM
Type: Warning Category: 0
Event: 1 Source: RTL8168
Realtek PCIe GBE Family Controller is disconnected from network.

Log: 'System' Date/Time: 01/11/2012 12:21:36 AM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.

Log: 'System' Date/Time: 01/11/2012 12:21:03 AM
Type: Warning Category: 0
Event: 1 Source: RTL8168
Realtek PCIe GBE Family Controller is disconnected from network.

#8 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 07 November 2012 - 11:15 PM

Did this computer come with a NVIDIA graphics card or is this something you or someone else has added to the system?
There appear to be a multitude of problems, but none that are malware related (yet).
Some of them might be NVIDIA related.
Let me know.

#9 unwillingmark

unwillingmark
  • Topic Starter

  • Members
  • 26 posts

Posted 08 November 2012 - 12:33 AM

Hi DM,

Yes, my Dell laptop came with an NVidia GT-550 1GB card.

#10 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 08 November 2012 - 01:39 AM

Hello,

Try this:

  • From the Metro GUI menu (where the tiles are), right-mouse click anywhere on the screen.
  • A sub-menu on the bottom should appear.
  • In the bottom right corner, there should be a button called "All apps".
  • Click this button.
  • From this new list, locate "Command Prompt" but do not open it yet.
  • Right-mouse click on "Command Prompt" and select "Run as administrator" from the sub-menu on the bottom of the screen.
  • You should now be on the desktop with an Administrator: Command Prompt window open.
  • Type this command into this Administrator: Command Prompt window and press ENTER afterwards.
    • chkdsk c: /offlinescanandfix
  • Here is a picture in case that helps to distinguish where the spaces are.
  • If you receive the same notification above, press Y and then ENTER
  • You can now type exit and press ENTER.
  • Now reboot your computer and let chkdsk run.
  • Let me know once you have done this and I will give you additional steps to perform.


#11 unwillingmark

unwillingmark
  • Topic Starter

  • Members
  • 26 posts

Posted 08 November 2012 - 01:07 PM

Done.

#12 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 08 November 2012 - 02:59 PM

Open the command prompt window again (as Administrator) and enter in this command:

sfc /scannow

Let me know once finished.

#13 unwillingmark

unwillingmark
  • Topic Starter

  • Members
  • 26 posts

Posted 08 November 2012 - 05:25 PM

Done.

#14 thisisu

thisisu

  • Malware Response Team
  • 2,525 posts
  • Gender:Male
  • Location:USA

Posted 08 November 2012 - 05:37 PM

Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please post the contents of JRT.txt into your next message.

__

Now reboot your computer (don't skip this step!!)

__

Now run another scan with Vino's Event Viewer
Post the latest VEW.txt for me to review.

#15 unwillingmark

unwillingmark
  • Topic Starter

  • Members
  • 26 posts

Posted 09 November 2012 - 01:03 AM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 09/11/2012 3:58:49 AM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.

Log: 'System' Date/Time: 09/11/2012 3:58:35 AM
Type: Warning Category: 0
Event: 1 Source: RTL8168
Realtek PCIe GBE Family Controller is disconnected from network.






~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 2.8.7 (11.08.2012)
OS: Windows 8 Pro x64
Ran by thewe_000 on Thu 11/08/2012 at 22:47:41.06
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 11/08/2012 at 22:52:40.43
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
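The VEW.txt dumps pasted earlier in this thread are plain text with a fixed record layout (a `Log:` line, a `Type:` line, an `Event:` line, then the message), which makes them easy to parse and triage mechanically instead of reading hundreds of near-identical entries by eye. The script below is an added example written for this page; it is not part of Vino's Event Viewer, JRT, or anything the helper posted. It assumes only the layout visible in the dumps above (dd/mm/yyyy dates, as VEW's own note states), its sample input is constructed to mirror a few of those entries with a placeholder DNS name, and the rule names and severities are this example's own choices.

```python
"""Parse a Vino's Event Viewer (VEW.txt) export and triage its records.
Added example for this thread; not part of VEW, JRT or the helper's posts."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the VEW.txt layout seen above; the DNS name is a placeholder.
SAMPLE_VEW = """Note: All dates below are in the format dd/mm/yyyy

Log: 'System' Date/Time: 02/11/2012 6:29:19 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission.

Log: 'System' Date/Time: 02/11/2012 6:26:12 PM
Type: Error Category: 0
Event: 10016 Source: Microsoft-Windows-DistributedCOM
The application-specific permission settings do not grant Local Activation permission.

Log: 'System' Date/Time: 02/11/2012 4:40:41 PM
Type: Error Category: 0
Event: 7034 Source: Service Control Manager
The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 02/11/2012 3:14:58 PM
Type: Error Category: 0
Event: 6008 Source: EventLog
The previous system shutdown at 10:51:08 AM on 11/2/2012 was unexpected.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 02/11/2012 3:16:51 PM
Type: Warning Category: 0
Event: 11 Source: Microsoft-Windows-Wininit
Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.

Log: 'System' Date/Time: 02/11/2012 5:44:46 AM
Type: Warning Category: 1014
Event: 1014 Source: Microsoft-Windows-DNS-Client
Name resolution for the name www.lookup.example timed out after none of the configured DNS servers responded.
"""

HEADER_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<ts>.+)$")
TYPE_RE = re.compile(r"^Type: (?P<type>\w+) Category: (?P<category>\d+)$")
EVENT_RE = re.compile(r"^Event: (?P<event_id>\d+) Source: (?P<source>.+)$")
TS_FORMAT = "%d/%m/%Y %I:%M:%S %p"  # dd/mm/yyyy plus a 12-hour clock, as VEW prints it
SERVICE_CRASH_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
DNS_FAIL_RE = re.compile(r"Name resolution for the name (?P<name>\S+) timed out")


def parse_vew(text):
    """Return one dict per record; the note, banners and blank lines are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:  # a 'Log:' line opens a new record
            current = {"log": m["log"], "time": datetime.strptime(m["ts"], TS_FORMAT), "message": ""}
            records.append(current)
            continue
        if current is None:  # text outside any record (note, ~~~ banners)
            continue
        if not line:  # a blank line closes the record
            current = None
            continue
        m = TYPE_RE.match(line)
        if m and "type" not in current:
            current["type"], current["category"] = m["type"], int(m["category"])
            continue
        m = EVENT_RE.match(line)
        if m and "event_id" not in current:
            current["event_id"], current["source"] = int(m["event_id"]), m["source"]
            continue
        current["message"] = (current["message"] + " " + line).strip()  # message may wrap
    return records


def triage(records):
    """Apply a few defender-side rules; returns de-duplicated (severity, note) pairs."""
    findings = []
    for r in records:
        src, eid, msg = r["source"], r["event_id"], r["message"]
        if src == "Microsoft-Windows-Wininit" and eid == 11:
            # KB 197571: AppInit_DLLs is populated, a well-known persistence location.
            findings.append(("review", "AppInit_DLLs is set under HKLM\\SOFTWARE\\Microsoft\\"
                             "Windows NT\\CurrentVersion\\Windows; verify each listed DLL's vendor"))
        elif src == "Microsoft-Windows-DNS-Client" and eid == 1014:
            findings.append(("review", f"DNS lookup failed for {DNS_FAIL_RE.search(msg)['name']}; "
                             "identify the process that asked for it"))
        elif src == "Service Control Manager" and eid == 7034:
            findings.append(("info", f"service crashed: {SERVICE_CRASH_RE.search(msg)['svc']}"))
        elif src == "EventLog" and eid == 6008:
            findings.append(("info", "unexpected shutdown recorded"))
    # Identical (source, event id) pairs repeating in bulk are usually noise, not infection.
    for (src, eid), n in Counter((r["source"], r["event_id"]) for r in records).items():
        if n > 1:
            findings.append(("noise", f"{src} event {eid} repeated {n} times"))
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for severity, note in triage(parse_vew(SAMPLE_VEW)):
        print(f"[{severity}] {note}")
```

Run it against a real VEW.txt by reading the file into `parse_vew` instead of `SAMPLE_VEW`. The Wininit event 11 rule is the one worth keeping: Windows logs it whenever the AppInit_DLLs value is non-empty, so the DLLs it names should be traced back to a vendor (driver suites and some security products use it legitimately) rather than assumed hostile, while the DNS rule turns the list of names that failed to resolve into a short review list that is easier to check than the raw dump.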



