I keep getting the "your computer was unable to start" thing


  • This topic is locked
191 replies to this topic

#1 tbonziron

tbonziron

  • Members
  • 98 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 PM

Posted 25 July 2013 - 12:14 AM

Hello, well, I've seen quite a few of these here but it seems that each computer is specific to the reports that come out of it. PLEASE HELP.
 
It's a Dell Inspiron N7110 that I JUST got from my wife as a gift and now it's screwed up! I believe this happened when I had 15 Windows updates that failed to install, and after successfully getting them installed (after an hour or more). Now, the laptop is dead, can't do anything. That's ALL it does: it loops this "your computer was unable to start" "startup repair is checking your system for problems". It all started when I lost all of my USB drives. They were listed in Device Manager but were unable to be accessed because of "a corrupt or malicious file"; all I got was the Yield sign on all of my "Removable Drives". I tried to update the drivers but it said they were current, so I uninstalled them thinking when I restarted the laptop it would find New Hardware and load them and the drivers. I think it's two different problems. I did download FRST? and have done all the instructions to command prompt with "computer" open and the drives listed. Which one do I open with FRST, "recovery (D:)" "Boot (X:)" "CD Drive (E:) with my disc W7SP 1_HOMEPREMIUM" or "Removable Disk (F:)?
 
I appreciate all of your help, thank you!!

I've already downloaded the FRST scanner. I had to download it to my SD card; all of my USB drives are gone. There's only 3 hard drives, and D: and F:, none other, and I have 4; however my Logitech wireless mouse is still working and it's in a USB port but not showing up in "my computer". Anyway, this is what FRST said.
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-07-2013
Ran by SYSTEM on 25-07-2013 06:41:49
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6561384 2010-12-14] (Realtek Semiconductor)
HKLM\...\Run: [BTMTrayAgent] - rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [x]
HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\QuickSet.exe [4479648 2011-01-25] (Dell Inc.)
HKLM-x32\...\Run: [Dell Webcam Central] - "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [RemoteControl9] - "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe" [87336 2010-10-01] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] - "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe" [50472 2010-09-17] (CyberLink Corp.)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [RoxWatchTray] - "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] - "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [514544 2010-11-17] ()
HKLM-x32\...\Run: [APSDaemon] - "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [mcui_exe] - "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [454600 2013-02-28] (McAfee, Inc.)
HKLM-x32\...\Run: [mcpltui_exe] - "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [454600 2013-02-28] (McAfee, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] - "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-05-31] (Apple Inc.)
HKU\Tom's Lap\...\Run: [Facebook Update] - "C:\Users\Tom's Lap\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [x]
HKU\Tom's Lap\...\Run: [PC_GIZMOS] - "C:\Users\Tom's Lap\AppData\Roaming\PC-Gizmos\PC_137133.en_78.exe" --update [2160208 2013-07-23] (PC Gizmos)
AppInit_DLLs:    [0 ] ()

==================== Services (Whitelisted) =================

S2 0091061374599822mcinstcleanup; C:\Windows\TEMP\009106~1.EXE [833616 2013-02-27] (McAfee, Inc.)
S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [388680 2013-06-15] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1017016 2013-02-28] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-04-03] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-04-03] (McAfee, Inc.)
S2 MOBKbackup; C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe [231224 2010-04-13] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-04-03] (McAfee, Inc.)
S3 DellProf; C:\Windows\System32\drivers\DellProf.sys [22096 2012-04-19] (Dell Computer Corporation)
S3 FLxHCIh; C:\Windows\system32\drivers\FLxHCIh.sys [67136 2011-07-06] (Fresco Logic)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197264 2012-05-28] (McAfee, Inc.)
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [36680 2013-05-21] ()
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [36680 2013-05-21] ()
S0 McPvDrv; C:\Windows\System32\drivers\McPvDrv.sys [74560 2013-04-22] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179664 2013-04-03] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309968 2013-04-03] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [516608 2013-04-03] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [772944 2013-04-03] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [337120 2013-02-18] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [95856 2013-02-18] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [342416 2013-04-03] (McAfee, Inc.)
S1 MOBKFilter; C:\Windows\System32\DRIVERS\MOBK.sys [66040 2010-04-13] (Mozy, Inc.)
S3 ApfiltrService; system32\DRIVERS\Apfiltr.sys [x]
S3 Delldiag; \??\C:\__de11ctstestfolder20120wdcsa__\7110\WBT_W64\DDDriver.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-07-25 06:41 - 2013-07-25 06:41 - 00000000 ____D C:\FRST
2013-07-23 10:17 - 2013-07-23 10:17 - 00000000 ____D C:\ProgramData\PBDACN
2013-07-23 00:09 - 2013-06-11 15:43 - 14329856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-07-23 00:09 - 2013-06-11 15:43 - 02877440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-07-23 00:09 - 2013-06-11 15:43 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-07-23 00:09 - 2013-06-11 15:43 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-07-23 00:09 - 2013-06-11 15:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-07-23 00:09 - 2013-06-11 15:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-07-23 00:09 - 2013-06-11 15:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-07-23 00:09 - 2013-06-11 15:42 - 13760512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-07-23 00:09 - 2013-06-11 15:42 - 02046976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-07-23 00:09 - 2013-06-11 15:42 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-07-23 00:09 - 2013-06-11 15:42 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-07-23 00:09 - 2013-06-11 15:42 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-07-23 00:09 - 2013-06-11 15:42 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-07-23 00:09 - 2013-06-11 15:26 - 02241024 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-07-23 00:09 - 2013-06-11 15:26 - 01365504 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-07-23 00:09 - 2013-06-11 15:26 - 00051712 _____ (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-07-23 00:09 - 2013-06-11 15:25 - 19238912 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-07-23 00:09 - 2013-06-11 15:25 - 15404032 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-07-23 00:09 - 2013-06-11 15:25 - 03958784 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-07-23 00:09 - 2013-06-11 15:25 - 02648576 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-07-23 00:09 - 2013-06-11 15:25 - 00855552 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-07-23 00:09 - 2013-06-11 15:25 - 00603136 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-07-23 00:09 - 2013-06-11 15:25 - 00526336 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-07-23 00:09 - 2013-06-11 15:25 - 00136704 _____ (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-07-23 00:09 - 2013-06-11 15:25 - 00067072 _____ (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-07-23 00:09 - 2013-06-11 15:25 - 00053248 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-07-23 00:09 - 2013-06-11 15:25 - 00039936 _____ (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-07-23 00:09 - 2013-06-11 14:51 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-07-23 00:09 - 2013-06-11 14:50 - 00089600 _____ (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-07-23 00:09 - 2013-06-06 19:22 - 02706432 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-07-23 00:09 - 2013-06-06 18:37 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-07-22 23:58 - 2013-06-04 19:34 - 03153920 _____ (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-07-22 23:58 - 2013-06-03 22:00 - 00624128 _____ (Microsoft Corporation) C:\Windows\System32\qedit.dll
2013-07-22 23:58 - 2013-06-03 20:53 - 00509440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2013-07-22 23:58 - 2013-05-05 22:03 - 01887744 _____ (Microsoft Corporation) C:\Windows\System32\WMVDECOD.DLL
2013-07-22 23:58 - 2013-05-05 20:56 - 01620480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2013-07-22 23:58 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-22 23:58 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-22 23:47 - 2013-07-22 23:47 - 00269040 _____ C:\Windows\Minidump\072313-22698-01.dmp
2013-07-20 13:52 - 2013-07-20 13:52 - 00000000 ____D C:\Users\Tom's Lap\AppData\Roaming\Roxio Log Files
2013-07-19 02:15 - 2013-07-23 09:27 - 00000000 ____D C:\Windows\System32\MRT
2013-07-12 00:11 - 2013-07-23 02:29 - 00000000 ____D C:\298746abccb377123380
2013-07-10 11:04 - 2013-07-24 14:49 - 00000000 ____D C:\Windows\Minidump
2013-07-10 11:04 - 2013-07-22 23:47 - 176364280 _____ C:\Windows\MEMORY.DMP
2013-07-10 11:04 - 2013-07-10 11:04 - 00269040 _____ C:\Windows\Minidump\071013-21418-01.dmp
2013-07-09 20:51 - 2013-07-09 20:51 - 00000000 ____D C:\Users\Tom's Lap\AppData\Local\{8995FE65-B7F4-4DC7-BA63-8B59E7C6D862}
2013-07-09 12:15 - 2013-07-24 14:49 - 00000000 ____D C:\Users\Tom's Lap\Documents\Stronghold Crusader
2013-07-07 07:01 - 2013-07-08 10:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-06-30 11:14 - 2013-06-30 11:14 - 00001952 _____ C:\Users\Tom's Lap\Desktop\AEINV_WER_{57BA0C97-009A-4ED7-8256-A23F37A5F518}_20130303_191027 - Shortcut.lnk
2013-06-25 07:59 - 2013-06-25 08:00 - 08428299 _____ (Nav N Go Kft.) C:\Users\Tom's Lap\Downloads\Motonav_Toolbox_Setup(1).exe.part

==================== One Month Modified Files and Folders =======

2013-07-25 06:41 - 2013-07-25 06:41 - 00000000 ____D C:\FRST
2013-07-24 14:49 - 2013-07-10 11:04 - 00000000 ____D C:\Windows\Minidump
2013-07-24 14:49 - 2013-07-09 12:15 - 00000000 ____D C:\Users\Tom's Lap\Documents\Stronghold Crusader
2013-07-24 14:49 - 2012-07-10 10:31 - 00000000 ____D C:\users\Tom's Lap
2013-07-24 14:49 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-07-24 14:48 - 2013-01-11 23:06 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-07-24 14:48 - 2012-11-28 13:38 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2013-07-24 14:48 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-07-24 08:02 - 2013-01-02 14:03 - 00000000 ____D C:\Users\Tom's Lap\Documents\Dell WebCam Central
2013-07-23 10:17 - 2013-07-23 10:17 - 00000000 ____D C:\ProgramData\PBDACN
2013-07-23 09:27 - 2013-07-19 02:15 - 00000000 ____D C:\Windows\System32\MRT
2013-07-23 09:24 - 2012-07-10 17:17 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-07-23 09:24 - 2012-07-10 17:17 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-07-23 09:24 - 2012-07-10 17:17 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-07-23 09:24 - 2012-07-10 17:17 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-23 09:24 - 2012-06-18 20:28 - 01648939 _____ C:\Windows\WindowsUpdate.log
2013-07-23 09:23 - 2012-07-10 23:40 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-07-23 09:23 - 2012-07-10 23:40 - 00000000 ____D C:\ProgramData\Skype
2013-07-23 09:16 - 2012-06-18 21:08 - 00000000 ____D C:\Program Files (x86)\McAfee
2013-07-23 09:14 - 2009-07-13 20:45 - 00020880 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-23 09:14 - 2009-07-13 20:45 - 00020880 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-23 09:12 - 2009-07-13 21:13 - 00727374 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-23 09:09 - 2012-09-22 12:19 - 00000000 __RSD C:\Users\Tom's Lap\Documents\McAfee Vaults
2013-07-23 09:07 - 2013-03-29 23:12 - 00000157 _____ C:\Users\Tom's Lap\AppData\Roaming\uninstall.bat
2013-07-23 09:07 - 2013-03-29 22:52 - 00000000 ____D C:\Users\Tom's Lap\AppData\Roaming\PC-Gizmos
2013-07-23 09:07 - 2012-06-18 21:03 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-07-23 09:06 - 2012-06-18 21:14 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2013-07-23 09:06 - 2012-06-18 21:14 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2013-07-23 09:05 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-23 09:05 - 2009-07-13 20:51 - 00068661 _____ C:\Windows\setupact.log
2013-07-23 09:05 - 2009-07-13 20:45 - 00378696 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-23 07:52 - 2012-12-27 17:47 - 00000944 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3190664343-1749693004-3080167251-1003UA.job
2013-07-23 02:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sk-SK
2013-07-23 02:29 - 2013-07-12 00:11 - 00000000 ____D C:\298746abccb377123380
2013-07-23 02:29 - 2013-02-02 22:11 - 00000000 ____D C:\Users\Tom's Lap\Documents\Stronghold
2013-07-23 02:29 - 2012-07-10 17:17 - 00000000 ____D C:\Windows\System32\Macromed
2013-07-23 02:29 - 2012-06-18 21:00 - 00000000 ____D C:\Program Files (x86)\Windows Live
2013-07-23 02:29 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-07-23 02:23 - 2012-07-16 10:08 - 00000000 ____D C:\Users\Tom's Lap\AppData\Roaming\SoftGrid Client
2013-07-23 00:17 - 2010-11-20 23:17 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-23 00:17 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-23 00:17 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-23 00:10 - 2012-08-19 00:00 - 78185248 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-07-22 23:47 - 2013-07-22 23:47 - 00269040 _____ C:\Windows\Minidump\072313-22698-01.dmp
2013-07-22 23:47 - 2013-07-10 11:04 - 176364280 _____ C:\Windows\MEMORY.DMP
2013-07-20 13:52 - 2013-07-20 13:52 - 00000000 ____D C:\Users\Tom's Lap\AppData\Roaming\Roxio Log Files
2013-07-20 08:02 - 2013-01-23 18:45 - 00094208 _____ C:\Users\Tom's Lap\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-18 17:19 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\FxsTmp
2013-07-11 16:52 - 2012-12-27 17:47 - 00000922 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3190664343-1749693004-3080167251-1003Core.job
2013-07-11 08:09 - 2013-04-11 13:32 - 00003966 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{3A3066C4-E45D-4E54-AE31-87CFA51C9805}
2013-07-10 11:04 - 2013-07-10 11:04 - 00269040 _____ C:\Windows\Minidump\071013-21418-01.dmp
2013-07-10 10:33 - 2013-04-18 10:25 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-07-10 10:30 - 2012-07-16 11:54 - 00000000 __RHD C:\MSOCache
2013-07-09 20:51 - 2013-07-09 20:51 - 00000000 ____D C:\Users\Tom's Lap\AppData\Local\{8995FE65-B7F4-4DC7-BA63-8B59E7C6D862}
2013-07-08 10:53 - 2013-07-07 07:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-06-30 11:14 - 2013-06-30 11:14 - 00001952 _____ C:\Users\Tom's Lap\Desktop\AEINV_WER_{57BA0C97-009A-4ED7-8256-A23F37A5F518}_20130303_191027 - Shortcut.lnk
2013-06-30 10:30 - 2010-11-20 19:47 - 00052226 _____ C:\Windows\PFRO.log
2013-06-25 08:00 - 2013-06-25 07:59 - 08428299 _____ (Nav N Go Kft.) C:\Users\Tom's Lap\Downloads\Motonav_Toolbox_Setup(1).exe.part

==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-07-19 02:12:20
Restore point made on: 2013-07-19 02:15:40
Restore point made on: 2013-07-20 13:54:05
Restore point made on: 2013-07-20 13:54:58
Restore point made on: 2013-07-23 00:00:36
Restore point made on: 2013-07-23 09:21:59
Restore point made on: 2013-07-23 09:25:08

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 3990.17 MB
Available physical RAM: 3226.36 MB
Total Pagefile: 3988.32 MB
Available Pagefile: 3207.75 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (OSDisk) (Fixed) (Total:452.09 GB) (Free:395.23 GB) NTFS (Disk=0 Partition=1)
Drive d: (Recovery) (Fixed) (Total:13.67 GB) (Free:2.27 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive f: (SD) (Removable) (Total:7.39 GB) (Free:7.39 GB) FAT32 (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: FABE46E6)
Partition 1: (Not Active) - (Size=452 GB) - (Type=07 NTFS)
Partition 2: (Active) - (Size=14 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)


LastRegBack: 2013-07-23 13:31

==================== End Of Log ============================


Edited by hamluis, 25 July 2013 - 12:47 PM.
Merged posts, moved topic from Win 7 to Malware Removal Logs - Hamluis.
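The FRST.txt above is what a malware-removal helper reads line by line before deciding on a fixlist. As an added example (not code from the original post, from FRST, or from its author), the Python below parses the Run, Services and Drivers lines of such a log and marks the entries a reviewer would look at first. Assumptions I make about the log format, based only on the lines visible on this page: a trailing `[x]` means FRST could not find the file on disk, `()` means the file carries no publisher string in its version info, and the `[size date]` pair is the file size and timestamp. The sample lines are copied from the log above; the flags are review cues for a human, not malware verdicts (the `mcinstcleanup` service it flags, for instance, carries a McAfee publisher string and runs from TEMP because it is an installer cleanup task).

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: a handful of lines copied from the FRST.txt in the first post,
# with their section headers, so the parser can run offline.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6561384 2010-12-14] (Realtek Semiconductor)
HKLM\...\Run: [BTMTrayAgent] - rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [x]
HKLM-x32\...\Run: [] -  [x]
HKU\Tom's Lap\...\Run: [PC_GIZMOS] - "C:\Users\Tom's Lap\AppData\Roaming\PC-Gizmos\PC_137133.en_78.exe" --update [2160208 2013-07-23] (PC Gizmos)

==================== Services (Whitelisted) =================

S2 0091061374599822mcinstcleanup; C:\Windows\TEMP\009106~1.EXE [833616 2013-02-27] (McAfee, Inc.)

==================== Drivers (Whitelisted) ====================

S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [36680 2013-05-21] ()
S3 ApfiltrService; system32\DRIVERS\Apfiltr.sys [x]
"""

SECTION_RE = re.compile(r'^=+\s*(?P<name>.*?)\s*=+$')
# "HKLM\...\Run: [Name] - <command> <tail>"  (autorun value)
RUN_RE = re.compile(r'^(?P<key>HK.*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] -\s*(?P<rest>.*)$')
# "S2 Name; <path> <tail>"  (service or driver; first field is start type)
SVC_RE = re.compile(r'^(?P<start>[SRU]\d) (?P<name>[^;]+); (?P<rest>.*)$')
# Assumed tail format: "[<size> <date>] (<company>)" when the file was found,
# "[x]" when FRST could not locate it on disk.
TAIL_RE = re.compile(r'^(?P<cmd>.*?)\s*\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)$')
MISSING_RE = re.compile(r'^(?P<cmd>.*?)\s*\[x\]$')
USER_WRITABLE_RE = re.compile(r'\\(AppData|ProgramData|Temp)\\', re.IGNORECASE)


@dataclass
class Entry:
    kind: str                 # section the line came from: registry, services, drivers
    name: str                 # autorun value name or service name
    command: str              # path / command line as FRST printed it
    size: Optional[int]
    date: Optional[str]
    company: Optional[str]    # publisher from version info; "" if the file has none
    file_missing: bool        # FRST printed [x]
    flags: list = field(default_factory=list)


def _split_tail(rest):
    """Separate the command from FRST's size/date/publisher tail (or the [x] marker)."""
    m = TAIL_RE.match(rest)
    if m:
        return m["cmd"], int(m["size"]), m["date"], m["company"], False
    m = MISSING_RE.match(rest)
    if m:
        return m["cmd"], None, None, None, True
    return rest, None, None, None, False


def _review_flags(e):
    """Heuristic cues for a human reviewer; none of these is a verdict on its own."""
    flags = []
    if e.file_missing:
        flags.append("file not found on disk ([x]): orphaned entry or hidden/removed file")
    if e.company == "":
        flags.append("no publisher string in version info")
    if e.name == "":
        flags.append("empty autorun value name")
    if USER_WRITABLE_RE.search(e.command):
        flags.append("runs from a user-writable or temp location")
    if re.match(r'^\d{10,}', e.name):
        flags.append("name begins with a long digit run (often generated at install time)")
    return flags


def parse_line(line, section="unknown"):
    """Return an Entry for an autorun/service/driver line, or None for anything else."""
    m = RUN_RE.match(line) or SVC_RE.match(line)
    if not m:
        return None
    cmd, size, date, company, missing = _split_tail(m["rest"])
    e = Entry(section, m["name"], cmd, size, date, company, missing)
    e.flags = _review_flags(e)
    return e


def parse_log(text):
    """Walk a whole FRST.txt, tracking the current section header."""
    entries, section = [], "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        s = SECTION_RE.match(line)
        if s and s["name"]:
            section = s["name"].split(" (")[0].lower()
            continue
        e = parse_line(line, section)
        if e:
            entries.append(e)
    return entries


def flagged(entries):
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"[{e.kind}] {e.name or '<no name>'}: {e.command or '<no path>'}")
        for f in e.flags:
            print("    -", f)
```

Run against the sample, the parser returns seven entries and flags six of them; only the Realtek audio tray entry (known publisher, found on disk, under Program Files) comes back clean. The point for a reviewer is that the same heuristics that surface the `PC_GIZMOS` updater under AppData also surface a legitimate vendor cleanup service, so the flags narrow the list to read, they do not replace reading it.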



#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,420 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:09:10 PM

Posted 28 July 2013 - 08:04 PM

Greetings tbonziron and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me some time to review the information you have provided and I will reply as soon as possible.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 tbonziron

tbonziron
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 PM

Posted 28 July 2013 - 08:22 PM

Hi Gary, First let me say THANK YOU SO MUCH for helping me. I know you have so many other folks you're trying to help. It must get overwhelming at times. Please, call me Tom and I can assure you I will follow your instructions to the letter and promptly.



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,420 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:09:10 PM

Posted 28 July 2013 - 08:26 PM

Greetings,

Do you recall the date when your computer started the loop?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 tbonziron

tbonziron
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 PM

Posted 29 July 2013 - 08:25 PM

It actually did it one time on the 23rd, but I was able to log on normally; but after 3 times of BSOD and the loop, that was the LAST time it booted normally.

#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,420 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:09:10 PM

Posted 29 July 2013 - 09:58 PM

OK thanks for the information Tom. And you are welcome for the help, it is my pleasure.

Let's try this first and see how we do.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • From a clean computer press the windows key Windows_Logo_key.gif + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
LastRegBack: 2013-07-23 13:31
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options (press F8 during boot up) and select Command Prompt.
  • Run FRST as you did the first time and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the flashdrive (Fixlog.txt) please post it to your reply.
  • Please attempt to boot your computer into Normal Mode, or if not, Safe Mode
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • How did we do?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 tbonziron

tbonziron
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 PM

Posted 30 July 2013 - 03:15 PM

Gary, before we complete these instructions I must let you know that after we hit F8 while booting it comes up with the normal boot menu asking for command prompt with networking and so on, but when I choose "Safe Mode with Command Prompt", it's "loading files" FOREVER, then a 2 minute black screen. Then it says something, something, something stopped "PWE- Rom". Then it starts up again and the BSOD, then the "your computer was unable to start" "startup repair is checking your system for problems" for about 5 minutes; then the computer boots up again normally asking for my password and all is well in the land, and I get this box in the middle that "Windows has recovered from an unexpected shutdown" (windows can check online for a solution to the problem) and then in "problem details" it says

 

Problem signature:
  Problem Event Name: BlueScreen
  OS Version: 6.1.7601.2.1.0.768.3
  Locale ID: 1033

Additional information about the problem:
  BCCode: 6b
  BCP1: 0000000000000000
  BCP2: 0000000000000000
  BCP3: 0000000000000000
  BCP4: 0000000000000000
  OS Version: 6_1_7601
  Service Pack: 1_0
  Product: 768_1

Files that help describe the problem:
  C:\Windows\Minidump\073013-61963-01.dmp
  C:\Users\Tom's Lap\AppData\Local\Temp\WER-257713-0.sysdata.xml

 

Sorry I DON'T want to waste your time but I thought you should know in case this info changes an attack plan. I will impatiently wait a response so we can move on. Thanks again SO MUCH for sticking with me. 


#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,420 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:09:10 PM

Posted 30 July 2013 - 04:09 PM

Hi Tom,

So your computer is booting up again and is not stuck in the Repair Loop?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 tbonziron

tbonziron
  • Topic Starter

  • Members
  • 98 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 PM

Posted 30 July 2013 - 06:04 PM

It does, after all that weird stuff and the BSOD, and even the next time I restarted it, it went through the same thing as before: BSOD, computer could not start, looking for problem, black screen, boot something with the "PWE- Rom" lag for 2-3 minutes, then it boots to the welcome screen, so eventually after 3-4 boots. But now I have 3 more "user accts"; they all have the same permissions and there's an "unknown user" with a big long name and full permissions and even special control, and my "system" user is gone. I don't know, this is so screwed up. I'll run what you asked me to and post it. It also popped up 3 times in my last log in that "I'm not using a genuine copy of windows" and if I want to "register this online". OH, and whenever I want to open any program it asks me "Do you want to allow the following program from an unknown publisher to make changes to this computer?" and the CLSID: and a HUGE number after it.



#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,420 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:09:10 PM

Posted 30 July 2013 - 06:28 PM

Hi Tom,

Lots going on. You said this is a new computer. Just curious at this point, how troublesome would it be to revert the computer back to the factory condition. Do you have a lot of files/programs, etc.?

Please do this.

===================================================

Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.

sUBs, the author of Combofix, recommends that you uninstall AVG or CA Internet Security before running the program. If you have either of these programs on your computer please uninstall them using AppRemover, which can be downloaded here. We will be sure to reinstall the antivirus program once we are finished using Combofix.
  • Please download ComboFix from one of these locations:

BleepingComputer
ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.
Note #1: Oftentimes it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Combofix log

Gary
 

#11 tbonziron
  • Topic Starter

Posted 31 July 2013 - 01:37 AM

Before I do anything I feel compelled to tell you what's going on now that may change your game plan. I did a restart and got the BSOD for a split second that said "mini dump" with climbing numbers, and I was pushing F8, and before it went to the boot menu it said something about "exiting WED Rom" (I think, it's super fast). I got the boot page and clicked "safe mode with command prompt". It "loaded files" forever, then it went to a safe mode screen but went to the "your computer was unable to start" "startup repair is checking your system for problems", and the "system recovery screen" starts, and after restarting 3 times it boots NORMALLY. But before the welcome logon screen it ran 11 "windows" updates, then a popup window is there and says "your computer has recovered from an unexpected shut down" and asks Do you want to send the problem online to resolve the issue (or something like that), and when I click on "details" there's a WHOLE bunch of stuff in that window.

 

Shut down unexpectedly Date 7/28/2013 10:49 AM Not reported

Problem signature
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033

 

Files that help describe the problem
072313-22698-01.dmp
sysdata.xml
WERInternalMetadata.xml

 

Extra information about the problem
BCCode: 6b
BCP1: 0000000000000000
BCP2: 0000000000000000
BCP3: 0000000000000000
BCP4: 0000000000000000
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1

 

Here's the result of FRST64

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-07-2013 03
Ran by SYSTEM on 30-07-2013 21:31:41
Running from F:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6561384 2010-12-14] (Realtek Semiconductor)
HKLM\...\Run: [BTMTrayAgent] - rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [x]
HKLM\...\Run: [QuickSet] - C:\Program Files\Dell\QuickSet\QuickSet.exe [4479648 2011-01-25] (Dell Inc.)
HKLM\...\InprocServer32: [Default-cscui]  <==== ATTENTION!
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [RemoteControl9] - C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] - C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [RoxWatchTray] - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [mcui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [454600 2013-02-28] (McAfee, Inc.)
HKLM-x32\...\Run: [mcpltui_exe] - C:\Program Files\McAfee.com\Agent\mcagent.exe [454600 2013-02-28] (McAfee, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKU\Tom's Lap\...\Run: [Facebook Update] - "C:\Users\Tom's Lap\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver [x]
HKU\Tom's Lap\...\Run: [PC_GIZMOS] - C:\Users\Tom's Lap\AppData\Roaming\PC-Gizmos\PC_137133.en_78.exe [2160208 2013-07-28] (PC Gizmos)
AppInit_DLLs:    [0 ] ()

==================== Services (Whitelisted) =================

S2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 McAfee SiteAdvisor Service; C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [201304 2012-08-31] (McAfee, Inc.)
S2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 McNaiAnn; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [388680 2013-06-15] (McAfee, Inc.)
S2 mcpltsvc; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 McProxy; C:\Program Files\Common Files\mcafee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)
S2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1017016 2013-02-28] (McAfee, Inc.)
S2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [218760 2013-04-03] (McAfee, Inc.)
S2 mfevtp; C:\Windows\system32\mfevtps.exe [182752 2013-04-03] (McAfee, Inc.)
S2 MOBKbackup; C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe [231224 2010-04-13] (McAfee, Inc.)
S2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [221296 2013-03-05] (McAfee, Inc.)

==================== Drivers (Whitelisted) ====================

S3 cfwids; C:\Windows\System32\drivers\cfwids.sys [70112 2013-04-03] (McAfee, Inc.)
S3 DellProf; C:\Windows\System32\drivers\DellProf.sys [22096 2012-04-19] (Dell Computer Corporation)
S3 FLxHCIh; C:\Windows\system32\drivers\FLxHCIh.sys [67136 2011-07-06] (Fresco Logic)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197264 2012-05-28] (McAfee, Inc.)
S0 McPvDrv; C:\Windows\System32\drivers\McPvDrv.sys [74560 2013-04-22] (McAfee, Inc.)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [179664 2013-04-03] (McAfee, Inc.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [309968 2013-04-03] (McAfee, Inc.)
S3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [516608 2013-04-03] (McAfee, Inc.)
S0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [772944 2013-04-03] (McAfee, Inc.)
S3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [337120 2013-02-18] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [95856 2013-02-18] (McAfee, Inc.)
S0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [342416 2013-04-03] (McAfee, Inc.)
S1 MOBKFilter; C:\Windows\System32\DRIVERS\MOBK.sys [66040 2010-04-13] (Mozy, Inc.)
S3 ApfiltrService; system32\DRIVERS\Apfiltr.sys [x]
S3 Delldiag; \??\C:\__de11ctstestfolder20120wdcsa__\7110\WBT_W64\DDDriver.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-30 10:22 - 2013-07-30 10:22 - 00266520 _____ C:\Windows\Minidump\073013-61963-01.dmp
2013-07-28 08:54 - 2013-07-28 08:56 - 00000000 ____D C:\e44ab1f1998d8048e9beb40802
2013-07-28 07:31 - 2013-04-09 15:34 - 01247744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2013-07-28 07:31 - 2013-04-02 14:51 - 01643520 _____ (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2013-07-28 06:55 - 2013-07-28 06:55 - 00269040 _____ C:\Windows\Minidump\072813-59202-01.dmp
2013-07-25 06:41 - 2013-07-25 06:41 - 00000000 ____D C:\FRST
2013-07-23 10:17 - 2013-07-23 10:17 - 00000000 ____D C:\ProgramData\PBDACN
2013-07-22 23:47 - 2013-07-22 23:47 - 00269040 _____ C:\Windows\Minidump\072313-22698-01.dmp
2013-07-20 13:52 - 2013-07-20 13:52 - 00000000 ____D C:\Users\Tom's Lap\AppData\Roaming\Roxio Log Files
2013-07-19 02:15 - 2013-07-23 09:27 - 00000000 ____D C:\Windows\System32\MRT
2013-07-12 00:11 - 2013-07-23 02:29 - 00000000 ____D C:\298746abccb377123380
2013-07-10 11:04 - 2013-07-30 10:22 - 00000000 ____D C:\Windows\Minidump
2013-07-10 11:04 - 2013-07-30 10:21 - 145641760 _____ C:\Windows\MEMORY.DMP
2013-07-10 11:04 - 2013-07-10 11:04 - 00269040 _____ C:\Windows\Minidump\071013-21418-01.dmp
2013-07-09 20:51 - 2013-07-09 20:51 - 00000000 ____D C:\Users\Tom's Lap\AppData\Local\{8995FE65-B7F4-4DC7-BA63-8B59E7C6D862}
2013-07-09 12:15 - 2013-07-28 09:52 - 00000000 ____D C:\Users\Tom's Lap\Documents\Stronghold Crusader
2013-07-07 07:01 - 2013-07-08 10:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-06-30 11:14 - 2013-06-30 11:14 - 00001952 _____ C:\Users\Tom's Lap\Desktop\AEINV_WER_{57BA0C97-009A-4ED7-8256-A23F37A5F518}_20130303_191027 - Shortcut.lnk

==================== One Month Modified Files and Folders =======

2013-07-30 15:15 - 2012-06-18 20:28 - 01644724 _____ C:\Windows\WindowsUpdate.log
2013-07-30 15:13 - 2009-07-13 20:45 - 00020880 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-30 15:13 - 2009-07-13 20:45 - 00020880 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-30 14:46 - 2012-07-10 17:17 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-30 13:52 - 2012-12-27 17:47 - 00000944 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3190664343-1749693004-3080167251-1003UA.job
2013-07-30 13:19 - 2013-03-29 22:52 - 00000000 ____D C:\Users\Tom's Lap\AppData\Roaming\PC-Gizmos
2013-07-30 13:19 - 2012-11-28 13:38 - 00000000 ____D C:\ProgramData\McAfee Security Scan
2013-07-30 13:19 - 2012-07-10 23:40 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-07-30 13:19 - 2012-07-10 23:40 - 00000000 ____D C:\ProgramData\Skype
2013-07-30 13:19 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2013-07-30 13:19 - 2009-07-13 19:20 - 00000000 ____D C:\Program Files\Common Files\Microsoft Shared
2013-07-30 13:18 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2013-07-30 13:15 - 2012-07-16 10:08 - 00000000 ____D C:\Users\Tom's Lap\AppData\Roaming\SoftGrid Client
2013-07-30 11:16 - 2009-07-13 21:13 - 00727374 _____ C:\Windows\System32\PerfStringBackup.INI
2013-07-30 10:31 - 2012-09-22 12:19 - 00000000 __RSD C:\Users\Tom's Lap\Documents\McAfee Vaults
2013-07-30 10:28 - 2012-06-18 21:14 - 00000000 ____D C:\Users\Default\AppData\Local\SoftThinks
2013-07-30 10:28 - 2012-06-18 21:14 - 00000000 ____D C:\Users\Default User\AppData\Local\SoftThinks
2013-07-30 10:28 - 2012-06-18 21:03 - 00000000 ____D C:\Program Files (x86)\Dell DataSafe Local Backup
2013-07-30 10:27 - 2012-07-10 10:31 - 00000000 ____D C:\users\Tom's Lap
2013-07-30 10:24 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-07-30 10:24 - 2009-07-13 20:51 - 00068717 _____ C:\Windows\setupact.log
2013-07-30 10:24 - 2009-07-13 20:45 - 00378696 _____ C:\Windows\System32\FNTCACHE.DAT
2013-07-30 10:23 - 2010-11-20 23:17 - 00000000 ____D C:\Program Files\Windows Journal
2013-07-30 10:23 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files\Windows Defender
2013-07-30 10:23 - 2009-07-13 21:32 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2013-07-30 10:22 - 2013-07-30 10:22 - 00266520 _____ C:\Windows\Minidump\073013-61963-01.dmp
2013-07-30 10:22 - 2013-07-10 11:04 - 00000000 ____D C:\Windows\Minidump
2013-07-30 10:21 - 2013-07-10 11:04 - 145641760 _____ C:\Windows\MEMORY.DMP
2013-07-28 09:52 - 2013-07-09 12:15 - 00000000 ____D C:\Users\Tom's Lap\Documents\Stronghold Crusader
2013-07-28 09:52 - 2012-07-10 17:17 - 00000000 ____D C:\Windows\System32\Macromed
2013-07-28 09:41 - 2012-06-18 21:08 - 00000000 ____D C:\Program Files (x86)\McAfee
2013-07-28 08:56 - 2013-07-28 08:54 - 00000000 ____D C:\e44ab1f1998d8048e9beb40802
2013-07-28 08:54 - 2012-08-19 00:00 - 78185248 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-07-28 08:39 - 2012-07-10 23:40 - 00000000 ____D C:\Users\Tom's Lap\AppData\Roaming\Skype
2013-07-28 08:39 - 2012-07-10 17:17 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-07-28 08:39 - 2012-07-10 17:17 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-07-28 08:39 - 2012-07-10 17:17 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-07-28 07:33 - 2013-04-11 13:32 - 00003966 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{3A3066C4-E45D-4E54-AE31-87CFA51C9805}
2013-07-28 07:24 - 2013-03-29 23:12 - 00000157 _____ C:\Users\Tom's Lap\AppData\Roaming\uninstall.bat
2013-07-28 06:55 - 2013-07-28 06:55 - 00269040 _____ C:\Windows\Minidump\072813-59202-01.dmp
2013-07-25 06:41 - 2013-07-25 06:41 - 00000000 ____D C:\FRST
2013-07-24 08:02 - 2013-01-02 14:03 - 00000000 ____D C:\Users\Tom's Lap\Documents\Dell WebCam Central
2013-07-23 10:17 - 2013-07-23 10:17 - 00000000 ____D C:\ProgramData\PBDACN
2013-07-23 09:27 - 2013-07-19 02:15 - 00000000 ____D C:\Windows\System32\MRT
2013-07-23 02:30 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\sk-SK
2013-07-23 02:29 - 2013-07-12 00:11 - 00000000 ____D C:\298746abccb377123380
2013-07-23 02:29 - 2013-02-02 22:11 - 00000000 ____D C:\Users\Tom's Lap\Documents\Stronghold
2013-07-23 02:29 - 2012-06-18 21:00 - 00000000 ____D C:\Program Files (x86)\Windows Live
2013-07-22 23:47 - 2013-07-22 23:47 - 00269040 _____ C:\Windows\Minidump\072313-22698-01.dmp
2013-07-20 13:52 - 2013-07-20 13:52 - 00000000 ____D C:\Users\Tom's Lap\AppData\Roaming\Roxio Log Files
2013-07-20 08:02 - 2013-01-23 18:45 - 00094208 _____ C:\Users\Tom's Lap\AppData\Local\GDIPFONTCACHEV1.DAT
2013-07-18 17:19 - 2009-07-13 21:32 - 00000000 ____D C:\Windows\System32\FxsTmp
2013-07-11 16:52 - 2012-12-27 17:47 - 00000922 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-3190664343-1749693004-3080167251-1003Core.job
2013-07-10 11:04 - 2013-07-10 11:04 - 00269040 _____ C:\Windows\Minidump\071013-21418-01.dmp
2013-07-10 10:33 - 2013-04-18 10:25 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2013-07-10 10:30 - 2012-07-16 11:54 - 00000000 __RHD C:\MSOCache
2013-07-09 20:51 - 2013-07-09 20:51 - 00000000 ____D C:\Users\Tom's Lap\AppData\Local\{8995FE65-B7F4-4DC7-BA63-8B59E7C6D862}
2013-07-08 10:53 - 2013-07-07 07:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-06-30 11:14 - 2013-06-30 11:14 - 00001952 _____ C:\Users\Tom's Lap\Desktop\AEINV_WER_{57BA0C97-009A-4ED7-8256-A23F37A5F518}_20130303_191027 - Shortcut.lnk
2013-06-30 10:30 - 2010-11-20 19:47 - 00052226 _____ C:\Windows\PFRO.log

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-07-28 08:37:13
Restore point made on: 2013-07-28 08:39:17
Restore point made on: 2013-07-28 16:20:39
Restore point made on: 2013-07-28 16:21:44
Restore point made on: 2013-07-30 15:08:58

==================== Memory info ===========================

Percentage of memory in use: 19%
Total physical RAM: 3990.17 MB
Available physical RAM: 3231.75 MB
Total Pagefile: 3988.32 MB
Available Pagefile: 3217.34 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: (OSDisk) (Fixed) (Total:452.09 GB) (Free:399.18 GB) NTFS (Disk=0 Partition=1)
Drive d: (Recovery) (Fixed) (Total:13.67 GB) (Free:2.27 GB) NTFS (Disk=0 Partition=2) ==>[System with boot components (obtained from reading drive)]
Drive f: () (Removable) (Total:1.92 GB) (Free:1.91 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: FABE46E6)
Partition 1: (Not Active) - (Size=452 GB) - (Type=07 NTFS)
Partition 2: (Active) - (Size=14 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=2 GB) - (Type=06)

LastRegBack: 2013-07-23 13:31

==================== End Of Log ============================
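The FRST "Registry (Whitelisted)" section above already carries the tool's own hints about which autorun entries deserve a second look: "[x]" for a file FRST could not find on disk, the "<==== ATTENTION!" marker, a Run value with an empty name, and an autorun that lives under a user-writable AppData folder or shows no publisher. As an added example (not code from this thread, from FRST or from BleepingComputer), here is a small Python triage that parses lines in that format and flags those traits. The six sample lines are copied from the log in this post; the flag names and the heuristics are my own and are only a starting point for reading such a log, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample: six lines copied from the FRST "Registry (Whitelisted)" section of this thread.
SAMPLE_FRST_LINES = r"""
HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6561384 2010-12-14] (Realtek Semiconductor)
HKLM\...\Run: [BTMTrayAgent] - rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp [x]
HKLM\...\InprocServer32: [Default-cscui]  <==== ATTENTION!
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKU\Tom's Lap\...\Run: [PC_GIZMOS] - C:\Users\Tom's Lap\AppData\Roaming\PC-Gizmos\PC_137133.en_78.exe [2160208 2013-07-28] (PC Gizmos)
"""

# FRST writes these lines as "<registry key>: [<entry name>]<rest>".
ENTRY_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\](?P<rest>.*)$")

# Autorun targets a normal user can write to without admin rights.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def parse_entry(line: str) -> Dict[str, str]:
    """Split one FRST registry line into key, entry name and the remainder."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an FRST registry entry: {line!r}")
    return m.groupdict()


def flags_for(entry: Dict[str, str]) -> List[str]:
    """Return the triage flags (my own names, hypothetical) for one parsed entry, in a fixed order."""
    rest = entry["rest"].rstrip()
    flags: List[str] = []
    if "<==== ATTENTION!" in rest:      # FRST itself marked the entry
        flags.append("frst_attention")
    if entry["name"] == "":             # nameless Run value
        flags.append("empty_name")
    if rest.endswith("[x]"):            # FRST could not find the file on disk
        flags.append("file_missing")
    elif re.search(r"\(\)\s*$", rest):  # file present but carries no publisher name
        flags.append("no_publisher")
    if USER_WRITABLE_RE.search(rest):   # autorun target under %APPDATA% or %LOCALAPPDATA%
        flags.append("user_writable_path")
    return flags


def triage(text: str) -> List[Dict[str, object]]:
    """Parse every non-blank line and attach its flags; clean entries are kept with an empty list."""
    results: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        results.append({"key": entry["key"], "name": entry["name"], "flags": flags_for(entry)})
    return results


def flagged_names(text: str) -> List[str]:
    """Entry names that earned at least one flag, in log order."""
    return [r["name"] for r in triage(text) if r["flags"]]


if __name__ == "__main__":
    for r in triage(SAMPLE_FRST_LINES):
        print(f"{r['name']!r:22} {r['key']:28} {', '.join(r['flags']) or 'ok'}")
```

Run as a script it prints one line per entry with its flags; as a rule of thumb, an entry that collects more than one flag (here the nameless value that also points at a missing file) is where a helper would start asking questions, while "file_missing" on its own is often just an uninstall leftover.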

 

 



#12 Oh My!
  • Malware Response Instructor

Posted 31 July 2013 - 08:33 AM

You said this is a new computer. Just curious at this point, how troublesome would it be to revert the computer back to the factory condition. Do you have a lot of files/programs, etc.?

The reason why I am asking is because of the possible significant contamination of your computer. If it is easy to restore your computer to factory condition I would like to know that so I can properly balance cleaning vs. restoring. I am not sure yet how severely your computer is infected but there is a lot of strange stuff going on.


Gary
 

#13 tbonziron
  • Topic Starter

Posted 03 August 2013 - 01:22 AM

Sorry it's taken so long; my little girl got her tonsils removed a few days ago and I have been waiting on her hand and foot! I don't know what data I have on this laptop. MOST of the pics came from our main computer off of discs, or off of Facebook, My Space and other social web sites, or just a bunch of photos I gathered for my desktop like castles and castles with moats. Anyway, I don't know what's involved. All of my drives are missing except the (D:)DVDR\CDRW and my (E:)SD Card drive for my wireless mouse. I ran ComboFix and let it do its thing. When it was done I tried to open the TXT and the screen went nuts and showed a huge log file and disappeared; now every file I try to open says "Illegal operation on a registry key marked for deletion". SOooo, I guess we go with your last option, but could you PLEASE help me get my computer right again! It was a gift from my wife less than a year ago and I have NEVER done anything like this before. THANK YOU FOR THE HELP THUS FAR

#14 tbonziron
  • Topic Starter

Posted 03 August 2013 - 01:30 AM

OH, and NOW whenever I click anything on the internet I get 3 or 4 pop-ups; the first one says "BHO error connect", then 3 more times "error connect", and that STUPID "windows is not genuine" pop-up thing too!

#15 Oh My!
  • Malware Response Instructor

Posted 03 August 2013 - 08:43 AM

If you have not restarted your computer after you received "Illegal operation on a registry key marked for deletion" please do so and let me know the result. We will carry on trying to fix your computer before we consider resetting to factory defaults.


Gary
 