
Errors, freezing up, & sometimes rebooting itself upon start up


  • This topic is locked
13 replies to this topic

#1 I Need A Xanax

  • Members
  • 22 posts

Posted 17 January 2013 - 07:10 PM

My computer has recently started having a litany of problems after my kids borrowed it for a month or so, during which time the virus protection lapsed and was not renewed. For the most part, once I sign in, it takes anywhere from 5 to 15 minutes to get to my start page. Then, I will receive several error messages about various programs that will not start. Sometimes, I can go in and turn off some programs through Task Manager, but sometimes it either completely freezes up or reboots. I can only get online if I go through and close several programs and even then, it's a crap shoot on whether or not it will continue to work for more than a few minutes. I was able to download an antivirus program, but I really do not know what else I need to do in order to fix whatever damage was done. Thank you in advance for your help.

Edited by hamluis, 18 January 2013 - 08:09 AM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 I Need A Xanax
  • Topic Starter

  • Members
  • 22 posts

Posted 18 January 2013 - 10:34 AM

I just noticed that in the right hand corner of my desktop, it says:

Windows 7
Build 7601
This copy of windows is not genuine

The version of Windows on my computer is the one that came with the computer.

#3 boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,213 posts
  • Gender:Male
  • Location:NJ USA

Posted 18 January 2013 - 01:51 PM

Hello, which AV did you now install?


Reboot into Safe Mode with Networking
How to start Windows 7 in Safe Mode


Please download Rkill by Grinler and save it to your desktop. Link 1
Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer; you will need to run the application again.


Please Download TDSSkiller
Launch it.
Click on Change parameters - select TDLFS file system
Click on "Scan".
Please post the LOG report (the log file should be in your C drive)

Do not change the default options on scan results.


ADW Cleaner

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


Reboot to Normal mode

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When the scan is complete, click OK, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 I Need A Xanax
  • Topic Starter

  • Members
  • 22 posts

Posted 21 January 2013 - 01:55 PM

I downloaded AVG, installed and ran it (it found a couple of Trojans). Unfortunately, now I can't even boot up to safe mode either with or without networking. I can't imagine that is a good sign.

#5 boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,213 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 January 2013 - 08:15 PM

I will ask another to look here; you may need access to a machine with a CD or Flash Drive.

#6 I Need A Xanax
  • Topic Starter

  • Members
  • 22 posts

Posted 21 January 2013 - 09:31 PM

I have access to both. Thank you.

#7 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,577 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 21 January 2013 - 11:23 PM

Let's give it a try. You will need a USB Flash drive.

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Plug the flash drive into the infected PC.
  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Note: In case you can not enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt

    Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,213 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 January 2013 - 09:53 AM

Hello, just letting you know I moved this to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.

#9 I Need A Xanax
  • Topic Starter

  • Members
  • 22 posts

Posted 22 January 2013 - 08:44 PM

Below is the FRST.txt log as requested. Thank you for your help.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-01-2013 02
Ran by SYSTEM at 22-01-2013 19:22:16
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1612880 2010-01-27] (Logitech, Inc.)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-23] (IDT, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [171520 2009-10-30] (Sun Microsystems, Inc.)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [610872 2009-08-25] ()
HKLM\...\Run: [SynTPEnh] %PROGRAMFILES%\Synaptics\SynTP\SynTPEnh.exe [2096424 2010-05-27] (Synaptics Incorporated)
HKLM\...\Run: [LogMeIn GUI] "C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe" [x]
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [98304 2009-08-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot [210472 2006-10-25] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [WirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [500792 2010-03-23] (Hewlett-Packard Company)
HKLM-x32\...\Run: [QlbCtrl.exe] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start [323640 2010-02-25] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [946352 2012-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Media Codec Update Service] C:\Program Files (x86)\Essentials Codec Pack\WECPUpdate.exe -s [196608 2009-01-25] (MediaCodec.Org)
HKLM-x32\...\Run: [IndexSearch] "C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe" [46368 2007-10-11] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BRMFCWND.EXE /AUTORUN [1159168 2009-05-26] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [PPort11reminder] "C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini" [345 2013-01-18] ()
HKLM-x32\...\Run: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun [114688 2008-12-24] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HPCam_Menu] "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\Hewlett-Packard\Media\Webcam" UpdateWithCreateOnce "Software\Hewlett-Packard\Media\Webcam" [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [PaperPort PTD] "C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe" [29984 2007-10-11] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW [1230704 2011-03-21] ()
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [1046984 2013-01-17] ()
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [296096 2012-10-06] (RealNetworks, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [151952 2012-11-28] (Apple Inc.)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [3147384 2012-12-11] (AVG Technologies CZ, s.r.o.)
HKU\Chad\...\Run: [TomTomHOME.exe] "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe" [x]
HKU\Guest\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [x]
HKU\Guest\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\Guest\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)
HKLM-x32\...\Runonce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "C:\Users\Chad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HVKK4LV5\mbar-1.01.0.1016\Data\cleanup.dll",ProcessCleanupScript "C:\Users\Chad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HVKK4LV5\mbar-1.01.0.1016\Data" [x]
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

==================== Services (Whitelisted) ===================

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe" [5814904 2012-11-15] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe" [196664 2012-10-22] (AVG Technologies CZ, s.r.o.)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\STacSV64.exe [247808 2010-03-23] (IDT, Inc.)
2 vToolbarUpdater13.3.2; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe [894920 2013-01-17] ()

==================== Drivers (Whitelisted) =====================

1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [154464 2012-10-22] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [63328 2012-10-15] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [185696 2012-10-02] (AVG Technologies CZ, s.r.o.)
0 Avgloga; C:\Windows\System32\Drivers\Avgloga.sys [225120 2012-09-21] (AVG Technologies CZ, s.r.o.)
0 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [111968 2012-11-15] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [40800 2012-09-14] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [200032 2012-09-21] (AVG Technologies CZ, s.r.o.)
1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [30568 2013-01-17] (AVG Technologies)
3 AX88772; C:\Windows\System32\Drivers\AX88772.sys [79360 2011-06-01] (ASIX Electronics Corp.)
3 BrSerIf; C:\Windows\System32\Drivers\BrSerIf.sys [97280 2006-12-11] (Brother Industries Ltd.)
3 FlyUsb; C:\Windows\System32\Drivers\FlyUsb.sys [24576 2008-04-01] (LeapFrog)
1 kl1; C:\Windows\System32\Drivers\kl1.sys [157712 2009-09-01] (Kaspersky Lab)
3 mbamchameleon; C:\Windows\System32\Drivers\mbamchameleon.sys [36680 2013-01-18] ()
3 mbamswissarmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [155464 2013-01-18] (Malwarebytes Corporation)
0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2010-04-26] (Duplex Secure Ltd.)
3 usbbus; C:\Windows\System32\DRIVERS\lgx64bus.sys [17920 2008-11-11] (LG Electronics Inc.)
3 UsbDiag; C:\Windows\System32\DRIVERS\lgx64diag.sys [27136 2008-11-11] (LG Electronics Inc.)
3 USBModem; C:\Windows\System32\DRIVERS\lgx64modem.sys [33792 2008-11-11] (LG Electronics Inc.)
2 {55662437-DA8C-40c0-AADA-2C816A897A49}; \??\c:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [146928 2009-10-02] (CyberLink Corp.)
2 ccEvtMgr; [x]
2 ccSetMgr; [x]
4 eabfiltr; [x]
2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [x]
4 LMIRfsClientNP; [x]
3 navapsvc; [x]
3 RtsUIR; C:\Windows\System32\DRIVERS\Rts516xIR.sys [x]
3 SAVRT; [x]
1 SAVRTPEL; [x]
0 TfFsMon; C:\Windows\System32\drivers\TfFsMon.sys [x]
3 TfNetMon; \??\C:\Windows\system32\drivers\TfNetMon.sys [x]
0 TfSysMon; C:\Windows\System32\drivers\TfSysMon.sys [x]
3 TlntSvr; [x]
3 USBCCID; C:\Windows\System32\DRIVERS\RtsUCcid.sys [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2013-01-22 19:21 - 2013-01-22 19:21 - 00000000 ____D C:\FRST
2013-01-18 14:03 - 2012-11-22 19:26 - 03149824 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-01-18 14:03 - 2012-11-22 19:13 - 00068608 ____A (Microsoft Corporation) C:\Windows\System32\taskhost.exe
2013-01-18 11:56 - 2013-01-18 11:56 - 00002211 ____A C:\Users\Guest\Desktop\Google Chrome.lnk
2013-01-18 08:18 - 2013-01-18 08:18 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2013-01-18 08:17 - 2013-01-18 08:17 - 00002247 ____A C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2013-01-18 08:17 - 2013-01-18 08:17 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2013-01-18 08:16 - 2013-01-18 08:16 - 00001298 ____A C:\Users\Chad\Desktop\RKreport[3]_SC_01182013_02d1016.txt
2013-01-18 08:12 - 2013-01-18 08:12 - 00002447 ____A C:\Users\Chad\Desktop\RKreport[1]_S_01182013_02d1012.txt
2013-01-18 08:12 - 2013-01-18 08:12 - 00002411 ____A C:\Users\Chad\Desktop\RKreport[2]_D_01182013_02d1012.txt
2013-01-18 08:11 - 2013-01-18 08:18 - 00000000 ____D C:\Users\Chad\Desktop\RK_Quarantine
2013-01-18 08:09 - 2013-01-18 08:09 - 00008391 ____A C:\Users\Chad\Desktop\JRT.txt
2013-01-18 07:58 - 2013-01-18 07:58 - 00000000 ____D C:\Windows\ERUNT
2013-01-18 07:58 - 2013-01-18 07:58 - 00000000 ____D C:\JRT
2013-01-18 07:37 - 2013-01-18 07:37 - 00155464 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2013-01-18 07:37 - 2013-01-18 07:37 - 00036680 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2013-01-17 18:13 - 2013-01-17 18:13 - 00000000 ____A C:\install.rdf
2013-01-17 16:27 - 2013-01-17 16:27 - 00000000 ____D C:\Windows\0BCB9F6762254844AD5FE2DE86934464.TMP
2013-01-17 16:25 - 2013-01-17 16:27 - 00000000 ____D C:\Windows\E51FFEFB68E24516B29335DC83B9767E.TMP
2013-01-17 15:30 - 2013-01-17 15:30 - 00000000 ____D C:\Users\Chad\AppData\Roaming\AVG2013
2013-01-17 15:27 - 2013-01-17 15:27 - 00000925 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-01-17 15:27 - 2013-01-17 15:27 - 00000000 ____D C:\Users\Chad\AppData\Roaming\TuneUp Software
2013-01-17 15:25 - 2013-01-17 15:28 - 00000000 ____D C:\Users\All Users\AVG2013
2013-01-17 15:25 - 2013-01-17 15:25 - 00000000 ____D C:\$AVG
2013-01-17 13:14 - 2013-01-18 12:04 - 00000000 ____D C:\Users\All Users\MFAData
2013-01-17 13:14 - 2013-01-17 19:55 - 00000000 ____D C:\Users\Chad\AppData\Local\Avg2013
2013-01-17 13:14 - 2013-01-17 13:14 - 00000000 ____D C:\Users\Chad\AppData\Local\MFAData
2012-12-23 01:02 - 2012-12-16 09:11 - 00046080 ____A (Adobe Systems) C:\Windows\System32\atmlib.dll
2012-12-23 01:02 - 2012-12-16 06:45 - 00367616 ____A (Adobe Systems Incorporated) C:\Windows\System32\atmfd.dll
2012-12-23 01:02 - 2012-12-16 06:13 - 00295424 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2012-12-23 01:02 - 2012-12-16 06:13 - 00034304 ____A (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll

==================== One Month Modified Files and Folders =======

2013-01-22 19:21 - 2013-01-22 19:21 - 00000000 ____D C:\FRST
2013-01-22 17:13 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-01-22 17:13 - 2009-07-13 20:51 - 00403124 ____A C:\Windows\setupact.log
2013-01-22 17:11 - 2012-04-04 09:32 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-01-22 17:09 - 2010-04-09 18:53 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-01-18 19:17 - 2010-04-09 18:53 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-01-18 19:16 - 2012-12-22 11:13 - 00000372 ____A C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Chad.job
2013-01-18 18:44 - 2010-02-19 00:17 - 01376653 ____A C:\Windows\WindowsUpdate.log
2013-01-18 17:56 - 2010-04-29 09:55 - 00000000 ____D C:\Users\Chad\AppData\Local\CrashDumps
2013-01-18 16:53 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-01-18 16:53 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-01-18 14:26 - 2009-07-13 20:45 - 00618928 ____A C:\Windows\System32\FNTCACHE.DAT
2013-01-18 14:02 - 2010-04-24 01:09 - 00000000 ____D C:\Users\All Users\PopCap Games
2013-01-18 14:02 - 2010-04-24 01:09 - 00000000 ____D C:\Program Files (x86)\PopCap Games
2013-01-18 14:01 - 2010-04-22 19:15 - 00000000 ____D C:\Program Files (x86)\AviSynth 2.5
2013-01-18 13:14 - 2009-07-13 21:08 - 00032614 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-01-18 12:21 - 2010-07-30 07:59 - 00000000 ____D C:\Users\Guest\AppData\Local\CrashDumps
2013-01-18 12:04 - 2013-01-17 13:14 - 00000000 ____D C:\Users\All Users\MFAData
2013-01-18 11:56 - 2013-01-18 11:56 - 00002211 ____A C:\Users\Guest\Desktop\Google Chrome.lnk
2013-01-18 11:00 - 2010-04-23 10:17 - 00000000 ____D C:\users\Guest
2013-01-18 10:18 - 2012-12-22 11:13 - 00000366 ____A C:\Windows\Tasks\ReclaimerUpdateFiles_Chad.job
2013-01-18 08:20 - 2010-02-19 00:19 - 02152476 ____A C:\Windows\PFRO.log
2013-01-18 08:18 - 2013-01-18 08:18 - 00181064 ____A (Sysinternals) C:\Windows\PSEXESVC.EXE
2013-01-18 08:18 - 2013-01-18 08:11 - 00000000 ____D C:\Users\Chad\Desktop\RK_Quarantine
2013-01-18 08:17 - 2013-01-18 08:17 - 00002247 ____A C:\Users\Public\Desktop\Tweaking.com - Windows Repair (All in One).lnk
2013-01-18 08:17 - 2013-01-18 08:17 - 00000000 ____D C:\Program Files (x86)\Tweaking.com
2013-01-18 08:16 - 2013-01-18 08:16 - 00001298 ____A C:\Users\Chad\Desktop\RKreport[3]_SC_01182013_02d1016.txt
2013-01-18 08:12 - 2013-01-18 08:12 - 00002447 ____A C:\Users\Chad\Desktop\RKreport[1]_S_01182013_02d1012.txt
2013-01-18 08:12 - 2013-01-18 08:12 - 00002411 ____A C:\Users\Chad\Desktop\RKreport[2]_D_01182013_02d1012.txt
2013-01-18 08:09 - 2013-01-18 08:09 - 00008391 ____A C:\Users\Chad\Desktop\JRT.txt
2013-01-18 07:58 - 2013-01-18 07:58 - 00000000 ____D C:\Windows\ERUNT
2013-01-18 07:58 - 2013-01-18 07:58 - 00000000 ____D C:\JRT
2013-01-18 07:37 - 2013-01-18 07:37 - 00155464 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2013-01-18 07:37 - 2013-01-18 07:37 - 00036680 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2013-01-18 01:59 - 2010-08-26 06:25 - 00000328 ____A C:\Windows\Tasks\HPCeeScheduleForChad.job
2013-01-17 19:55 - 2013-01-17 13:14 - 00000000 ____D C:\Users\Chad\AppData\Local\Avg2013
2013-01-17 18:23 - 2010-04-24 11:57 - 00000000 ____D C:\Users\Chad\Desktop\Games
2013-01-17 18:21 - 2010-04-24 12:01 - 00000000 ____D C:\Users\Chad\Desktop\Personal
2013-01-17 18:19 - 2010-10-20 01:04 - 00584704 __ASH C:\Users\Chad\Downloads\Thumbs.db
2013-01-17 18:13 - 2013-01-17 18:13 - 00000000 ____A C:\install.rdf
2013-01-17 18:12 - 2010-04-29 19:10 - 00000000 ____D C:\Users\Chad\AppData\Local\MicroVision Applications
2013-01-17 18:11 - 2010-12-02 17:13 - 00000000 ____D C:\Program Files (x86)\TomTom HOME 2
2013-01-17 17:19 - 2010-04-09 18:53 - 00000000 ____D C:\Program Files\Google
2013-01-17 17:19 - 2010-02-19 00:44 - 00000000 ____D C:\Users\All Users\Norton
2013-01-17 17:10 - 2009-10-30 21:31 - 00000000 ____D C:\Program Files (x86)\CyberLink
2013-01-17 17:10 - 2009-10-30 19:42 - 00000000 ____D C:\Program Files (x86)\InstallShield Installation Information
2013-01-17 17:09 - 2010-04-23 23:54 - 00000000 ____D C:\PacSteamT
2013-01-17 16:54 - 2011-03-31 15:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-01-17 16:37 - 2012-06-26 08:52 - 00000000 ____D C:\Program Files (x86)\McAfee Security Scan
2013-01-17 16:35 - 2012-02-20 11:01 - 00000000 ____D C:\Users\All Users\LogMeIn
2013-01-17 16:35 - 2012-02-20 11:01 - 00000000 ____D C:\Program Files (x86)\LogMeIn
2013-01-17 16:27 - 2013-01-17 16:27 - 00000000 ____D C:\Windows\0BCB9F6762254844AD5FE2DE86934464.TMP
2013-01-17 16:27 - 2013-01-17 16:25 - 00000000 ____D C:\Windows\E51FFEFB68E24516B29335DC83B9767E.TMP
2013-01-17 16:27 - 2011-02-19 15:38 - 00000000 ____D C:\Program Files (x86)\LeapFrog
2013-01-17 16:21 - 2010-04-09 18:53 - 00000000 ____D C:\Users\All Users\Google
2013-01-17 16:21 - 2010-04-09 18:53 - 00000000 ____D C:\Program Files (x86)\Google
2013-01-17 16:20 - 2010-04-09 18:53 - 00000000 ____D C:\Users\Chad\AppData\Local\Google
2013-01-17 16:14 - 2010-12-17 22:28 - 00000000 ____D C:\Users\Chad\AppData\Roaming\Amazon
2013-01-17 16:14 - 2010-12-17 22:28 - 00000000 ____D C:\Program Files (x86)\Amazon
2013-01-17 16:13 - 2012-04-04 09:32 - 00697864 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-01-17 16:13 - 2011-06-12 19:22 - 00074248 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-01-17 16:12 - 2010-04-21 16:43 - 00000000 ____D C:\Program Files (x86)\Book-of-Yields 7.0
2013-01-17 15:30 - 2013-01-17 15:30 - 00000000 ____D C:\Users\Chad\AppData\Roaming\AVG2013
2013-01-17 15:28 - 2013-01-17 15:25 - 00000000 ____D C:\Users\All Users\AVG2013
2013-01-17 15:27 - 2013-01-17 15:27 - 00000925 ____A C:\Users\Public\Desktop\AVG 2013.lnk
2013-01-17 15:27 - 2013-01-17 15:27 - 00000000 ____D C:\Users\Chad\AppData\Roaming\TuneUp Software
2013-01-17 15:27 - 2012-05-20 16:08 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2013-01-17 15:26 - 2012-11-19 18:57 - 00030568 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-01-17 15:25 - 2013-01-17 15:25 - 00000000 ____D C:\$AVG
2013-01-17 15:24 - 2010-04-22 21:43 - 00000000 ____D C:\Program Files (x86)\AVG
2013-01-17 13:14 - 2013-01-17 13:14 - 00000000 ____D C:\Users\Chad\AppData\Local\MFAData
2013-01-16 11:54 - 2012-02-20 10:00 - 00000000 ____D C:\Users\Chad\Desktop\Monte
2013-01-16 11:54 - 2010-10-20 14:59 - 02760704 __ASH C:\Users\Chad\Desktop\Thumbs.db
2013-01-03 11:46 - 2012-12-22 11:13 - 00000362 ____A C:\Windows\Tasks\ReclaimerUpdateXML_Chad.job


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 3836.2 MB
Available physical RAM: 3131.35 MB
Total Pagefile: 3834.34 MB
Available Pagefile: 3124.84 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:448.04 GB) (Free:182.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:17.42 GB) (Free:2.83 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
4 Drive g: (TRAFFIC) (CDROM) (Total:6.95 GB) (Free:0 GB) UDF
5 Drive h: (CHAD SELF) (Removable) (Total:3.73 GB) (Free:2.08 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 3824 MB 0 B

Partitions of Disk 0:
===============

Disk ID: 29E95222

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 448 GB 200 MB
Partition 3 Primary 17 GB 448 GB
Partition 4 Primary 103 MB 465 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 448 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 17 GB Healthy

=========================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy

=========================================================

Partitions of Disk 1:
===============

Disk ID: C3072E18

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3823 MB 24 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H CHAD SELF FAT32 Removable 3823 MB Healthy

=========================================================

Last Boot: 2013-01-18 01:07

==================== End Of Log =============================

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,577 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:35 AM

Posted 22 January 2013 - 11:36 PM

Let's try this fix:

Download the enclosed file. [attachment=134543:fixlist.txt]

Save it next to FRST on the flash drive.

Run FRST as you did before, except that this time around click on the Fix button and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Attempt to boot in Normal Mode. If successful, launch Malwarebytes Antimalware.

  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Run adwCleaner.

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete


Once done, it will ask to reboot; allow this.
On reboot a log will be produced at C:\ADWCleaner[XX].txt; please attach that to your reply.

Edited by JSntgRvr, 22 January 2013 - 11:37 PM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 I Need A Xanax

I Need A Xanax
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:07:35 AM

Posted 24 January 2013 - 06:43 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-01-2013 02
Ran by SYSTEM at 2013-01-23 19:04:25 Run:1
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Malwarebytes Anti-Malware (cleanup) Value deleted successfully.
ccEvtMgr service deleted successfully.
ccSetMgr service deleted successfully.
eabfiltr service deleted successfully.
LMIInfo service deleted successfully.
LMIRfsClientNP service deleted successfully.
navapsvc service deleted successfully.
RtsUIR service deleted successfully.
SAVRT service deleted successfully.
SAVRTPEL service deleted successfully.
TfFsMon service deleted successfully.
TfNetMon service deleted successfully.
TfSysMon service deleted successfully.
TlntSvr service deleted successfully.

==== End of Fixlog ====

I attempted to run Malwarebytes, but I am receiving an error stating, "Setup was unable to create the directory...Error 5: Access is denied."

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,577 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:35 AM

Posted 24 January 2013 - 08:48 PM

Was the path of the denied file and folder indicated on the error? How about AdwCleaner?

Edited by JSntgRvr, 24 January 2013 - 08:54 PM.



#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,577 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:35 AM

Posted 24 January 2013 - 08:50 PM

Let's try ComboFix.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running ComboFix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,577 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:35 AM

Posted 05 March 2013 - 11:21 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





