Computer is infected with variant of Department of Justice Ransomware

This topic is locked
11 replies to this topic

#1 stephrider
  • Members
  • 10 posts

Posted 26 March 2014 - 04:57 PM

I say Variant because I have followed the removal instructions for this and they have not worked. It is still present in every safe mode option and regular mode. I have slaved the drive to another computer and scanned and found nothing. First time around HitmanPro found 22 things but next boot it was still there. The difference from Department of Justice is that it says "Your computer is LOCKED" in the upper left corner of the screen in large format.

I have also used Kaspersky rescue disk and its windows unlocker command as well as a full system scan and it is still present.

When I slaved the hard drive I also loaded the hives to look for loading points and removed all "Run" entries.

I don't know what else I can do.

Stephany




#2 stephrider
  • Topic Starter
  • Members
  • 10 posts

Posted 26 March 2014 - 06:47 PM

Also cannot do any logs. Windows Vista computer and antivirus looks like AVG.



#3 TB-Psychotic
  • Malware Response Team
  • 6,349 posts

Posted 27 March 2014 - 06:20 AM

Hi there, my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with FRST (Recovery Environment)

To run FRST on Vista and Windows 7:

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.



To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Select Command Prompt.

  • In the command window, type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
  • Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Proud Member of UNITE & TB

My help is free, however, if you want to support my fight against malware, click here (no worries, every little bit helps)

#4 stephrider
  • Topic Starter
  • Members
  • 10 posts

Posted 27 March 2014 - 01:52 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014  01
Ran by SYSTEM on MINWINPC on 27-03-2014 11:12:53
Running from F:\
Windows Vista ™ Home Premium Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
 
The current controlset is ControlSet003
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Livingston\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2014-01-30] (Google Inc.)
HKU\Livingston\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125952 2008-01-18] (Microsoft Corporation)
HKU\Livingston\...\Run: [Skype] - C:\Program Files\Skype\Phone\Skype.exe [20728480 2014-01-14] (Skype Technologies S.A.)
 
========================== Services (Whitelisted) =================
 
S2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 AdobeActiveFileMonitor9.0; C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [169408 2010-09-06] (Adobe Systems Incorporated)
S2 avgfws; C:\Program Files\AVG\AVG2014\avgfws.exe [1358944 2013-09-24] (AVG Technologies CZ, s.r.o.)
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3788816 2014-01-22] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-24] (AVG Technologies CZ, s.r.o.)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 TuneUp.UtilitiesSvc; C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe [1741624 2013-12-18] (AVG)
 
==================== Drivers (Whitelisted) ====================
 
S3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
S3 APL531; C:\Windows\System32\Drivers\ov550i.sys [580992 2006-07-31] (Omnivision Technologies, Inc.)
S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [120600 2013-11-25] (AVG Technologies CZ, s.r.o.)
S1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6x.sys [47928 2013-09-26] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [210712 2013-11-25] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [149272 2013-11-25] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22808 2014-01-19] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [176952 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [222520 2013-10-31] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [102712 2013-09-30] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27448 2013-09-09] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [193848 2013-08-01] (AVG Technologies CZ, s.r.o.)
S3 hcw18bda; C:\Windows\System32\drivers\hcw18bda.sys [391168 2009-03-19] (Hauppauge Computer Works, Inc)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2014-03-16] (Malwarebytes Corporation)
S4 RxFilter; C:\Windows\System32\DRIVERS\RxFilter.sys [57328 2009-06-26] (Sonic Solutions)
S3 TuneUpUtilitiesDrv; C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver32.sys [12320 2013-12-16] (TuneUp Software)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-03-27 11:12 - 2014-03-27 11:12 - 00000000 ____D () C:\FRST
2014-03-26 11:33 - 2014-03-26 11:33 - 00002052 _____ () C:\Users\Livingston\Desktop\Rkill.txt
2014-03-26 11:33 - 2014-03-26 11:33 - 00000000 ___SD () C:\32788R22FWJFW
2014-03-26 11:33 - 2014-03-26 11:33 - 00000000 ____D () C:\Windows\erdnt
2014-03-25 16:25 - 2014-03-25 16:25 - 00008040 _____ () C:\Windows\System32\.crusader
2014-03-25 16:05 - 2014-03-25 16:26 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-03-19 10:05 - 2014-03-26 12:31 - 00005672 _____ () C:\Windows\System32\spsys.log
2014-03-19 09:19 - 2014-03-19 09:59 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-03-16 15:33 - 2014-03-16 15:33 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\AVG2014
2014-03-16 15:31 - 2014-03-16 15:31 - 00000842 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-03-16 15:29 - 2014-03-16 15:32 - 00000000 ____D () C:\ProgramData\AVG2014
2014-03-16 15:29 - 2014-03-16 15:29 - 00000000 ___HD () C:\$AVG
2014-03-16 15:22 - 2014-03-16 17:09 - 00000000 ____D () C:\Users\Livingston\AppData\Local\Avg2014
2014-03-16 15:21 - 2014-03-16 15:21 - 04462384 _____ (AVG Technologies) C:\Users\Livingston\Desktop\avg_isct_stb_all_2014_4336.exe
2014-03-16 14:46 - 2014-03-16 14:46 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2014-03-13 05:46 - 2014-03-13 05:47 - 209715200 _____ () C:\Users\Livingston\Documents\Data Safe 1.avgfv
2014-03-10 11:32 - 2014-03-10 11:32 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\PeerNetworking
2014-03-06 05:54 - 2014-03-06 05:54 - 00000000 __SHD () C:\found.002
2014-03-01 07:21 - 2014-03-26 12:12 - 00000680 _____ () C:\Users\Livingston\AppData\Local\d3d9caps.dat
 
==================== One Month Modified Files and Folders =======
 
2014-03-27 11:12 - 2014-03-27 11:12 - 00000000 ____D () C:\FRST
2014-03-26 12:37 - 2014-02-10 09:00 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\Skype
2014-03-26 12:34 - 2006-11-02 04:52 - 01463764 _____ () C:\Windows\WindowsUpdate.log
2014-03-26 12:33 - 2014-01-28 12:17 - 00000000 ____D () C:\ProgramData\MFAData
2014-03-26 12:31 - 2014-03-19 10:05 - 00005672 _____ () C:\Windows\System32\spsys.log
2014-03-26 12:31 - 2006-11-02 04:47 - 00003664 _____ () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-26 12:31 - 2006-11-02 04:47 - 00003664 _____ () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-26 12:12 - 2014-03-01 07:21 - 00000680 _____ () C:\Users\Livingston\AppData\Local\d3d9caps.dat
2014-03-26 12:12 - 2006-11-02 04:52 - 00010418 _____ () C:\Windows\setupact.log
2014-03-26 11:33 - 2014-03-26 11:33 - 00002052 _____ () C:\Users\Livingston\Desktop\Rkill.txt
2014-03-26 11:33 - 2014-03-26 11:33 - 00000000 ___SD () C:\32788R22FWJFW
2014-03-26 11:33 - 2014-03-26 11:33 - 00000000 ____D () C:\Windows\erdnt
2014-03-25 16:26 - 2014-03-25 16:05 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-03-25 16:25 - 2014-03-25 16:25 - 00008040 _____ () C:\Windows\System32\.crusader
2014-03-19 22:38 - 2006-11-02 04:47 - 00089088 _____ () C:\Windows\System32\umstartup.etl
2014-03-19 22:05 - 2006-11-02 04:47 - 00061440 _____ () C:\Windows\System32\umstartup000.etl
2014-03-19 10:04 - 2014-01-26 13:07 - 00158052 _____ () C:\Windows\PFRO.log
2014-03-19 09:59 - 2014-03-19 09:19 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-03-18 12:30 - 2006-11-02 02:33 - 00703388 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-03-17 08:44 - 2014-01-25 12:51 - 00002609 _____ () C:\Users\Livingston\Desktop\Microsoft Office Word 2003.lnk
2014-03-17 07:03 - 2014-01-25 11:48 - 00000000 ____D () C:\Users\Livingston\Desktop\Short Run
2014-03-17 06:41 - 2014-01-25 11:45 - 00000000 ____D () C:\Users\Livingston\Documents\My Scans
2014-03-16 17:09 - 2014-03-16 15:22 - 00000000 ____D () C:\Users\Livingston\AppData\Local\Avg2014
2014-03-16 17:09 - 2014-01-28 08:32 - 00000000 ____D () C:\Users\Livingston\AppData\Local\LogMeIn Rescue Applet
2014-03-16 15:33 - 2014-03-16 15:33 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\AVG2014
2014-03-16 15:32 - 2014-03-16 15:29 - 00000000 ____D () C:\ProgramData\AVG2014
2014-03-16 15:31 - 2014-03-16 15:31 - 00000842 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-03-16 15:30 - 2014-01-25 11:43 - 00000000 ____D () C:\users\Livingston
2014-03-16 15:29 - 2014-03-16 15:29 - 00000000 ___HD () C:\$AVG
2014-03-16 15:26 - 2014-01-28 12:22 - 00000000 ____D () C:\Program Files\AVG
2014-03-16 15:21 - 2014-03-16 15:21 - 04462384 _____ (AVG Technologies) C:\Users\Livingston\Desktop\avg_isct_stb_all_2014_4336.exe
2014-03-16 14:46 - 2014-03-16 14:46 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbamswissarmy.sys
2014-03-13 06:23 - 2014-01-28 11:20 - 00000000 ____D () C:\Users\Livingston\AppData\Local\LogMeIn Rescue Calling Card
2014-03-13 05:47 - 2014-03-13 05:46 - 209715200 _____ () C:\Users\Livingston\Documents\Data Safe 1.avgfv
2014-03-12 11:15 - 2014-01-25 12:51 - 00002607 _____ () C:\Users\Livingston\Desktop\Microsoft Office Excel 2003.lnk
2014-03-11 18:01 - 2014-01-26 19:30 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
2014-03-11 18:01 - 2014-01-26 19:30 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2014-03-10 11:32 - 2014-03-10 11:32 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\PeerNetworking
2014-03-09 21:04 - 2014-01-26 19:31 - 00000000 ____D () C:\Users\Livingston\AppData\Local\Google
2014-03-09 10:53 - 2014-01-26 14:57 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\Image Zone Express
2014-03-07 16:54 - 2014-02-15 07:16 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-03-07 03:40 - 2006-11-02 03:18 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2014-03-06 05:54 - 2014-03-06 05:54 - 00000000 __SHD () C:\found.002
2014-02-27 08:02 - 2014-01-27 05:58 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-02-27 08:01 - 2014-01-27 06:06 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\Adobe
2014-02-26 14:19 - 2014-01-25 11:44 - 00095288 _____ () C:\Users\Livingston\AppData\Local\GDIPFONTCACHEV1.DAT
 
==================== Known DLLs (Whitelisted) ============
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2014-01-28 15:23] - [2011-04-12 06:53] - 0666112 ____A (Microsoft Corporation) 80561C77CC2FE49ED29FF7384A395EAA
 
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 36%
Total physical RAM: 1014.83 MB
Available physical RAM: 649.03 MB
Total Pagefile: 840.51 MB
Available Pagefile: 699.95 MB
Total Virtual: 2047.88 MB
Available Virtual: 1963.34 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:223.44 GB) (Free:192.18 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (RECOVERY) (Fixed) (Total:9.45 GB) (Free:0.21 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (FRTMCFRE_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
Drive f: (PKBACK# 001) (Removable) (Total:7.32 GB) (Free:0.33 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: 818C58C7)
Partition 1: (Not Active) - (Size=9 GB) - (Type=07 NTFS)
Partition 2: (Active) - (Size=223 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)
 
Partition: GPT Partition Type.
 
 
LastRegBack: 2014-03-26 12:37
 
==================== End Of Log ============================


#5 TB-Psychotic
  • Malware Response Team
  • 6,349 posts

Posted 28 March 2014 - 04:32 AM

Search for files with FRST (Recovery Environment)


In Vista or Windows 7: Boot to System Recovery Options and run FRST.

In Windows XP: Please boot to BartPe and run FRST.



Type the following in the edit box after "Search:"

User32.dll

Click Search button and post the log (Search.txt) it makes to your reply.

#6 stephrider
  • Topic Starter
  • Members
  • 10 posts

Posted 28 March 2014 - 02:22 PM

Farbar Recovery Scan Tool (x86) Version: 13-03-2014  01
Ran by SYSTEM at 2014-03-28 11:44:47
Running from F:\
Boot Mode: Recovery
 
================== Search: "user32.dll" ===================
 
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll
[2014-01-28 15:23] - [2008-01-18 23:36] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269
 
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.20537_none_cbc258dc896598f1\user32.dll
[2014-01-27 01:15] - [2014-01-27 01:15] - 0633856 ____A (Microsoft Corporation) 9D9F061EDA75425FC67F0365E3467C86
 
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.16438_none_cb39bc5b7047127e\user32.dll
[2014-01-27 01:15] - [2014-01-27 01:15] - 0633856 ____A (Microsoft Corporation) 63B4F59D7C89B1BF5277F1FFEFD491CD
 
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.16386_none_cb01aa4570716e5e\user32.dll
[2006-11-02 00:38] - [2006-11-02 01:46] - 0633856 ____A (Microsoft Corporation) E698A5437B89A285ACA3FF022356810A
 
C:\Windows\System32\user32.dll
[2014-01-28 15:23] - [2011-04-12 06:53] - 0666112 ____A (Microsoft Corporation) 80561C77CC2FE49ED29FF7384A395EAA
 
C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6002.18005_none_cf23e54d6a7e4a7e\user32.dll
[2014-03-07 03:55] - [2009-04-10 22:28] - 0627712 ____A (Microsoft Corporation) 75510147B94598407666F4802797C75A
 
X:\Windows\System32\user32.dll
[2009-04-10 20:23] - [2009-04-10 22:28] - 0627712 ____N (Microsoft Corporation) 75510147B94598407666F4802797C75A
 
=== End Of Search ===
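
FRST's Bamital check in the earlier log listed C:\Windows\System32\User32.dll with its size and MD5 but without the "MD5 is legit" mark, and the search output above lists every copy of user32.dll on disk in the same path-line/detail-line format. The following is an added example, not code from the thread or from FRST: a Python parser for that Search.txt layout that compares the live System32 copy against every other copy found (WinSxS component store, the pending Windows Update download, the recovery environment's X: copy) by MD5 and size; the system drive letter defaults to C: and the two bracketed timestamps are carried through as FRST prints them, both assumptions.

```python
import re
from dataclasses import dataclass, field

# Search output in the format FRST writes to Search.txt. These entries are
# taken from the poster's log above (one detail line per path:
# [timestamp] - [timestamp] - size attributes (company) MD5).
SEARCH_TXT = r"""
================== Search: "user32.dll" ===================

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6001.18000_none_cd386c416d5c7f32\user32.dll
[2014-01-28 15:23] - [2008-01-18 23:36] - 0627200 ____A (Microsoft Corporation) B974D9F06DC7D1908E825DC201681269

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.20537_none_cbc258dc896598f1\user32.dll
[2014-01-27 01:15] - [2014-01-27 01:15] - 0633856 ____A (Microsoft Corporation) 9D9F061EDA75425FC67F0365E3467C86

C:\Windows\System32\user32.dll
[2014-01-28 15:23] - [2011-04-12 06:53] - 0666112 ____A (Microsoft Corporation) 80561C77CC2FE49ED29FF7384A395EAA

C:\Windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6002.18005_none_cf23e54d6a7e4a7e\user32.dll
[2014-03-07 03:55] - [2009-04-10 22:28] - 0627712 ____A (Microsoft Corporation) 75510147B94598407666F4802797C75A

X:\Windows\System32\user32.dll
[2009-04-10 20:23] - [2009-04-10 22:28] - 0627712 ____N (Microsoft Corporation) 75510147B94598407666F4802797C75A

=== End Of Search ===
"""

# One FRST detail line: [stamp] - [stamp] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<stamp1>[^\]]+)\] - \[(?P<stamp2>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileRecord:
    path: str
    stamp1: str      # first bracketed timestamp, as FRST prints it
    stamp2: str      # second bracketed timestamp
    size: int
    attrs: str
    company: str
    md5: str


@dataclass
class Finding:
    path: str
    md5: str
    size: int
    md5_matches_reference: bool
    size_matches_reference: bool
    reference_paths_with_same_md5: list = field(default_factory=list)


def parse_frst_search(text: str) -> list:
    """Turn Search.txt text into FileRecords (a path line followed by its detail line)."""
    records, pending_path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):     # skip blanks and ==== headers
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path is not None:
            records.append(FileRecord(
                path=pending_path, stamp1=m["stamp1"], stamp2=m["stamp2"],
                size=int(m["size"]), attrs=m["attrs"],
                company=m["company"], md5=m["md5"].upper()))
            pending_path = None
        elif not m:
            pending_path = line                  # a path line precedes its detail line
    return records


def is_live_copy(path: str, system_drive: str = "C") -> bool:
    # The copy Windows actually loads lives under <system drive>:/Windows/System32
    # (system drive assumed to be C: unless told otherwise).
    return path.lower().startswith(f"{system_drive.lower()}:\\windows\\system32\\")


def check_live_copies(records: list, system_drive: str = "C") -> list:
    """Compare each live copy with every other copy FRST found (WinSxS store,
    pending update download, recovery environment). A live copy whose MD5 and
    size match none of them is the one to verify against a known-good build."""
    reference = [r for r in records if not is_live_copy(r.path, system_drive)]
    ref_sizes = {r.size for r in reference}
    findings = []
    for r in records:
        if not is_live_copy(r.path, system_drive):
            continue
        same_md5 = [x.path for x in reference if x.md5 == r.md5]
        findings.append(Finding(
            path=r.path, md5=r.md5, size=r.size,
            md5_matches_reference=bool(same_md5),
            size_matches_reference=r.size in ref_sizes,
            reference_paths_with_same_md5=same_md5))
    return findings


def group_by_md5(records: list) -> dict:
    """Map MD5 -> paths, so byte-identical copies (here the pending update and
    the recovery environment's copy) are visible at a glance."""
    groups = {}
    for r in records:
        groups.setdefault(r.md5, []).append(r.path)
    return groups


def report(findings: list) -> list:
    lines = []
    for f in findings:
        status = ("matches a reference copy" if f.md5_matches_reference
                  else "matches NO other copy on disk (verify against a known-good build)")
        lines.append(f"{f.path}: size {f.size}, MD5 {f.md5}: {status}")
    return lines


if __name__ == "__main__":
    for line in report(check_live_copies(parse_frst_search(SEARCH_TXT))):
        print(line)
```

The same detail-line format appears under FRST's Bamital check, so the parser reads those lines too. A live copy that matches no other copy is not proof of tampering by itself, since a later hotfix can legitimately differ from every stored version, but it is the file to check first.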


#7 stephrider
  • Topic Starter
  • Members
  • 10 posts

Posted 28 March 2014 - 08:09 PM

I kinda guessed that I should try to replace my user32.dll so I did, booted into safe mode and re-ran the FRST tool in hopes it would help. (Took two tries because it came up in regular mode and I was like "yaay it's fixed!" but rebooted and it was back.) Needed to try something since we seem only to be able to talk once a day, and 3am is way too early for me. :) So I was hoping these scans in a running mode would work.

 

The FRST log and the addition.log are pasted below.

 

FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014  01
Ran by Livingston (administrator) on LIVINGSTON-PC on 28-03-2014 17:57:35
Running from C:\Users\Livingston\Desktop
Windows Vista ™ Home Premium Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Safe Mode (minimal)
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(Microsoft Corporation) C:\Windows\system32\wbem\WMIADAP.EXE
(Microsoft Corporation) C:\Windows\system32\Taskmgr.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-2244783017-2422983061-2538244126-1000\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2014-01-30] (Google Inc.)
HKU\S-1-5-21-2244783017-2422983061-2538244126-1000\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-2244783017-2422983061-2538244126-1000\...\Run: [Skype] - C:\Program Files\Skype\Phone\Skype.exe [20728480 2014-01-14] (Skype Technologies S.A.)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com" ],
      "restore_on_startup": 4,
      "restore_on_startup_migrated": true,
      "startup_urls": [ "hxxp://www.google.com/" ],
      "startup_urls_migration_time": "13035572614251080"
CHR DefaultSearchProvider:       "name": "Mysearchdial"
CHR Extension: (No Name) - C:\Users\Livingston\AppData\Local\Google\Chrome\User Data\Default\Extensions\aoejbmmillcdifgagjpdlaamnalbielp [2014-03-14]
CHR Extension: (Google Docs) - C:\Users\Livingston\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-26]
CHR Extension: (Google Drive) - C:\Users\Livingston\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-26]
CHR Extension: (YouTube) - C:\Users\Livingston\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-26]
CHR Extension: (Google Search) - C:\Users\Livingston\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-01-26]
CHR Extension: (Google Wallet) - C:\Users\Livingston\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-01-26]
CHR Extension: (Gmail) - C:\Users\Livingston\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-26]
CHR Extension: (DivX Browser Bar) - C:\Users\Livingston\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkmpcdbgnfjfeelcpebpkflcmbkclfho [2014-01-27]
CHR HKLM\...\Chrome\Extension: [aoejbmmillcdifgagjpdlaamnalbielp] - C:\Users\LIVING~1\AppData\Local\nwhb-v9.4.15.crx [2014-01-27]
CHR HKCU\...\Chrome\Extension: [aoejbmmillcdifgagjpdlaamnalbielp] - C:\Users\LIVING~1\AppData\Local\nwhb-v9.4.15.crx [2014-01-27]
 
========================== Services (Whitelisted) =================
 
S2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
S2 AdobeActiveFileMonitor9.0; C:\Program Files\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [169408 2010-09-06] (Adobe Systems Incorporated)
S2 avgfws; C:\Program Files\AVG\AVG2014\avgfws.exe [1358944 2013-09-24] (AVG Technologies CZ, s.r.o.)
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3788816 2014-01-22] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [348008 2013-09-24] (AVG Technologies CZ, s.r.o.)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 TuneUp.UtilitiesSvc; C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesService32.exe [1741624 2013-12-18] (AVG)
 
==================== Drivers (Whitelisted) ====================
 
R3 Afc; C:\Windows\System32\drivers\Afc.sys [18688 2006-11-10] (Arcsoft, Inc.)
S3 APL531; C:\Windows\System32\Drivers\ov550i.sys [580992 2006-07-31] (Omnivision Technologies, Inc.)
S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [120600 2013-11-25] (AVG Technologies CZ, s.r.o.)
S1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6x.sys [47928 2013-09-26] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [210712 2013-11-25] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [149272 2013-11-25] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22808 2014-01-19] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [176952 2013-10-31] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [222520 2013-10-31] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [102712 2013-10-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27448 2013-09-10] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [193848 2013-08-01] (AVG Technologies CZ, s.r.o.)
S3 hcw18bda; C:\Windows\System32\drivers\hcw18bda.sys [391168 2009-03-19] (Hauppauge Computer Works, Inc)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2014-03-28] (Malwarebytes Corporation)
S4 RxFilter; C:\Windows\System32\DRIVERS\RxFilter.sys [57328 2009-06-26] (Sonic Solutions)
S3 TuneUpUtilitiesDrv; C:\Program Files\AVG\AVG PC TuneUp\TuneUpUtilitiesDriver32.sys [12320 2013-12-16] (TuneUp Software)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-03-28 17:57 - 2014-03-28 17:58 - 00008240 _____ () C:\Users\Livingston\Desktop\FRST.txt
2014-03-28 17:55 - 2014-03-27 10:30 - 01145856 _____ (Farbar) C:\Users\Livingston\Desktop\FRST.exe
2014-03-28 16:59 - 2014-03-28 16:59 - 00137808 _____ () C:\Windows\Minidump\Mini032814-02.dmp
2014-03-28 16:26 - 2014-03-28 16:29 - 00000000 ____D () C:\AdwCleaner
2014-03-28 16:26 - 2014-03-15 10:33 - 05190279 ____R (Swearware) C:\Users\Livingston\Desktop\ComboFix.exe
2014-03-28 16:25 - 2013-11-26 16:14 - 01091882 _____ () C:\Users\Livingston\Desktop\AdwCleaner (2).exe
2014-03-28 14:51 - 2014-03-28 16:59 - 00000000 ____D () C:\Windows\Minidump
2014-03-28 14:51 - 2014-03-28 16:58 - 106385769 _____ () C:\Windows\MEMORY.DMP
2014-03-28 14:51 - 2014-03-28 14:51 - 00137808 _____ () C:\Windows\Minidump\Mini032814-01.dmp
2014-03-27 12:12 - 2014-03-28 17:57 - 00000000 ____D () C:\FRST
2014-03-26 12:33 - 2014-03-26 12:33 - 00002052 _____ () C:\Users\Livingston\Desktop\Rkill.txt
2014-03-26 12:33 - 2014-03-26 12:33 - 00000000 ___SD () C:\32788R22FWJFW
2014-03-26 12:33 - 2014-03-26 12:33 - 00000000 ____D () C:\Windows\erdnt
2014-03-25 17:05 - 2014-03-25 17:26 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-03-25 17:01 - 2014-03-28 12:28 - 73910881 _____ () C:\Windows\DUMP3613.tmp
2014-03-19 10:19 - 2014-03-19 10:59 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-03-16 16:33 - 2014-03-16 16:33 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\AVG2014
2014-03-16 16:31 - 2014-03-16 16:31 - 00000842 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-03-16 16:29 - 2014-03-16 16:32 - 00000000 ____D () C:\ProgramData\AVG2014
2014-03-16 16:29 - 2014-03-16 16:29 - 00000000 ___HD () C:\$AVG
2014-03-16 16:22 - 2014-03-16 18:09 - 00000000 ____D () C:\Users\Livingston\AppData\Local\Avg2014
2014-03-16 16:21 - 2014-03-16 16:21 - 04462384 _____ (AVG Technologies) C:\Users\Livingston\Desktop\avg_isct_stb_all_2014_4336.exe
2014-03-16 15:46 - 2014-03-28 16:09 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2014-03-13 06:46 - 2014-03-13 06:47 - 209715200 _____ () C:\Users\Livingston\Documents\Data Safe 1.avgfv
2014-03-10 12:32 - 2014-03-10 12:32 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\PeerNetworking
2014-03-06 06:54 - 2014-03-06 06:54 - 00000000 __SHD () C:\found.002
2014-03-01 08:21 - 2014-03-26 13:12 - 00000680 _____ () C:\Users\Livingston\AppData\Local\d3d9caps.dat
 
==================== One Month Modified Files and Folders =======
 
2014-03-28 17:58 - 2014-03-28 17:57 - 00008240 _____ () C:\Users\Livingston\Desktop\FRST.txt
2014-03-28 17:57 - 2014-03-27 12:12 - 00000000 ____D () C:\FRST
2014-03-28 17:54 - 2006-11-02 05:52 - 00010452 _____ () C:\Windows\setupact.log
2014-03-28 17:16 - 2014-02-10 10:00 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\Skype
2014-03-28 17:15 - 2014-01-30 08:44 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-03-28 17:08 - 2014-01-30 08:44 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-03-28 17:08 - 2006-11-02 03:33 - 00703388 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-28 17:06 - 2014-01-28 13:17 - 00000000 ____D () C:\ProgramData\MFAData
2014-03-28 17:04 - 2006-11-02 05:52 - 01485416 _____ () C:\Windows\WindowsUpdate.log
2014-03-28 17:01 - 2014-01-26 20:30 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-28 16:59 - 2014-03-28 16:59 - 00137808 _____ () C:\Windows\Minidump\Mini032814-02.dmp
2014-03-28 16:59 - 2014-03-28 14:51 - 00000000 ____D () C:\Windows\Minidump
2014-03-28 16:59 - 2006-11-02 06:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-28 16:59 - 2006-11-02 05:47 - 00003664 _____ () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-28 16:59 - 2006-11-02 05:47 - 00003664 _____ () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-28 16:58 - 2014-03-28 14:51 - 106385769 _____ () C:\Windows\MEMORY.DMP
2014-03-28 16:30 - 2006-11-02 06:01 - 00032638 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-28 16:29 - 2014-03-28 16:26 - 00000000 ____D () C:\AdwCleaner
2014-03-28 16:09 - 2014-03-16 15:46 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2014-03-28 15:29 - 2006-11-02 04:18 - 00000000 ____D () C:\Windows\system32\LogFiles
2014-03-28 14:51 - 2014-03-28 14:51 - 00137808 _____ () C:\Windows\Minidump\Mini032814-01.dmp
2014-03-28 12:28 - 2014-03-25 17:01 - 73910881 _____ () C:\Windows\DUMP3613.tmp
2014-03-27 10:30 - 2014-03-28 17:55 - 01145856 _____ (Farbar) C:\Users\Livingston\Desktop\FRST.exe
2014-03-26 13:12 - 2014-03-01 08:21 - 00000680 _____ () C:\Users\Livingston\AppData\Local\d3d9caps.dat
2014-03-26 12:33 - 2014-03-26 12:33 - 00002052 _____ () C:\Users\Livingston\Desktop\Rkill.txt
2014-03-26 12:33 - 2014-03-26 12:33 - 00000000 ___SD () C:\32788R22FWJFW
2014-03-26 12:33 - 2014-03-26 12:33 - 00000000 ____D () C:\Windows\erdnt
2014-03-25 17:29 - 2014-01-28 18:16 - 00000432 ____H () C:\Windows\Tasks\User_Feed_Synchronization-{B0C1AA40-ADF5-48AF-9814-351C15D93A79}.job
2014-03-25 17:26 - 2014-03-25 17:05 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-03-19 23:38 - 2006-11-02 05:47 - 00089088 _____ () C:\Windows\system32\umstartup.etl
2014-03-19 23:05 - 2006-11-02 05:47 - 00061440 _____ () C:\Windows\system32\umstartup000.etl
2014-03-19 11:04 - 2014-01-26 14:07 - 00158052 _____ () C:\Windows\PFRO.log
2014-03-19 10:59 - 2014-03-19 10:19 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-03-17 09:44 - 2014-01-25 13:51 - 00002609 _____ () C:\Users\Livingston\Desktop\Microsoft Office Word 2003.lnk
2014-03-17 08:03 - 2014-01-25 12:48 - 00000000 ____D () C:\Users\Livingston\Desktop\Short Run
2014-03-17 07:41 - 2014-01-25 12:45 - 00000000 ____D () C:\Users\Livingston\Documents\My Scans
2014-03-16 18:09 - 2014-03-16 16:22 - 00000000 ____D () C:\Users\Livingston\AppData\Local\Avg2014
2014-03-16 18:09 - 2014-01-28 09:32 - 00000000 ____D () C:\Users\Livingston\AppData\Local\LogMeIn Rescue Applet
2014-03-16 16:33 - 2014-03-16 16:33 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\AVG2014
2014-03-16 16:32 - 2014-03-16 16:29 - 00000000 ____D () C:\ProgramData\AVG2014
2014-03-16 16:31 - 2014-03-16 16:31 - 00000842 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-03-16 16:30 - 2014-01-25 12:43 - 00000000 ____D () C:\Users\Livingston
2014-03-16 16:29 - 2014-03-16 16:29 - 00000000 ___HD () C:\$AVG
2014-03-16 16:26 - 2014-01-28 13:22 - 00000000 ____D () C:\Program Files\AVG
2014-03-16 16:21 - 2014-03-16 16:21 - 04462384 _____ (AVG Technologies) C:\Users\Livingston\Desktop\avg_isct_stb_all_2014_4336.exe
2014-03-15 10:33 - 2014-03-28 16:26 - 05190279 ____R (Swearware) C:\Users\Livingston\Desktop\ComboFix.exe
2014-03-13 07:23 - 2014-01-28 12:20 - 00000000 ____D () C:\Users\Livingston\AppData\Local\LogMeIn Rescue Calling Card
2014-03-13 06:47 - 2014-03-13 06:46 - 209715200 _____ () C:\Users\Livingston\Documents\Data Safe 1.avgfv
2014-03-12 12:15 - 2014-01-25 13:51 - 00002607 _____ () C:\Users\Livingston\Desktop\Microsoft Office Excel 2003.lnk
2014-03-11 19:01 - 2014-01-26 20:30 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-03-11 19:01 - 2014-01-26 20:30 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-03-10 12:32 - 2014-03-10 12:32 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\PeerNetworking
2014-03-09 22:04 - 2014-01-26 20:31 - 00000000 ____D () C:\Users\Livingston\AppData\Local\Google
2014-03-09 11:53 - 2014-01-26 15:57 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\Image Zone Express
2014-03-07 17:54 - 2014-02-15 08:16 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-03-07 04:40 - 2006-11-02 04:18 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2014-03-06 06:54 - 2014-03-06 06:54 - 00000000 __SHD () C:\found.002
2014-03-04 13:22 - 2014-01-25 12:43 - 00000944 _____ () C:\Users\Livingston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2014-02-27 09:02 - 2014-01-27 06:58 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2014-02-27 09:01 - 2014-01-27 07:06 - 00000000 ____D () C:\Users\Livingston\AppData\Roaming\Adobe
2014-02-26 15:19 - 2014-01-25 12:44 - 00095288 _____ () C:\Users\Livingston\AppData\Local\GDIPFONTCACHEV1.DAT
 
Some content of TEMP:
====================
C:\Users\Livingston\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll
[2014-01-28 16:23] - [2011-04-12 07:53] - 0666112 ____A (Microsoft Corporation) B2BEB83B3EB880CE3AAA31B004A1F48E
 
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-03-28 17:06
 
 
 
 
 
=================================================================================
=================================================================================
ADDITIONAL: 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-03-2014  01
Ran by Livingston at 2014-03-28 17:58:22
Running from C:\Users\Livingston\Desktop
Boot Mode: Safe Mode (minimal)
==========================================================
 
 
==================== Security Center ========================
 
AV: AVG Internet Security 2014 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG Internet Security 2014 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}
FW: AVG Internet Security 2014 (Enabled) {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
 
==================== Installed Programs ======================
 
32 Bit HP CIO Components Installer (Version: 1.0.0 - Hewlett-Packard) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.5.3.9130 - Adobe Systems Inc.)
Adobe AIR (Version: 1.5.3.9130 - Adobe Systems Inc.) Hidden
Adobe Community Help (HKLM\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.2.1.650 - Adobe Systems Incorporated)
Adobe Community Help (Version: 3.2.1 - Adobe Systems Incorporated) Hidden
Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Flash Player 12 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Photoshop Elements 9 (HKLM\...\Adobe Photoshop Elements 9) (Version: 9.0.3.0 - Adobe Systems Incorporated)
Adobe Photoshop Elements 9 (Version: 9.0.3.0 - Adobe Systems Incorporated) Hidden
Adobe Photoshop.com Inspiration Browser (HKLM\...\PhotoshopdotcomInspirationBrowser.4C35C4D325D350FE0114230CBADCA2DDD0AC8D25.1) (Version: 3.07 - Adobe Systems Incorporated)
Adobe Photoshop.com Inspiration Browser (Version: 3.07 - Adobe Systems Incorporated) Hidden
Adobe Premiere Elements 9 (HKLM\...\PremElem90) (Version: 9.0 - Adobe Systems Incorporated)
Adobe Premiere Elements 9 (Version: 9.0.1 - Adobe Systems Incorporated) Hidden
Adobe Reader 9.5.5 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.5 - Adobe Systems Incorporated)
AIO_CDA_ProductContext (Version: 82.0.233.000 - Hewlett-Packard) Hidden
AIO_CDA_Software (Version: 82.0.233.000 - Hewlett-Packard) Hidden
AIO_Scan (Version: 82.0.173.000 - Hewlett-Packard) Hidden
ArcSoft PhotoImpression 6 (HKLM\...\{D56401D6-E356-4CA5-97A3-024D666F5E5C}) (Version:  - ArcSoft)
AVG 2014 (HKLM\...\AVG) (Version: 2014.0.4336 - AVG Technologies)
AVG 2014 (Version: 14.0.3722 - AVG Technologies) Hidden
AVG 2014 (Version: 14.0.4336 - AVG Technologies) Hidden
AVG PC TuneUp 2014 (en-US) (Version: 14.0.1001.295 - AVG) Hidden
AVG PC TuneUp 2014 (HKLM\...\AVG PC TuneUp) (Version: 14.0.1001.295 - AVG)
AVG PC TuneUp 2014 (Version: 14.0.1001.295 - AVG) Hidden
BufferChm (Version: 82.0.173.000 - Hewlett-Packard) Hidden
C3100 (Version: 82.0.233.000 - Hewlett-Packard) Hidden
c3100_Help (Version: 82.0.233.000 - Hewlett-Packard) Hidden
CameraHelperMsi (Version: 13.51.815.0 - Logitech) Hidden
Consumer Input (HKLM\...\Setup Support for Consumer Input) (Version: 1.0 - Sono Control Inc.)
Copy (Version: 82.0.188.000 - Hewlett-Packard) Hidden
Destinations (Version: 82.0.173.000 - Hewlett-Packard) Hidden
DeviceManagementQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
DirectX 9 Runtime (Version: 1.00.0000 - Sonic Solutions) Hidden
DocProc (Version: 8.1.0.0 - Hewlett-Packard) Hidden
DocProcQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Elements 9 Organizer (Version: 9.0 - Adobe Systems Incorporated) Hidden
Elements STI Installer (Version: 1.0 - Adobe Systems Incorporated) Hidden
EMC 10 Content (Version: 1.0.035 - Roxo, Inc.) Hidden
erLT (Version: 1.20.138.34 - Logitech, Inc.) Hidden
eSupportQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Fax (Version: 82.0.188.000 - Hewlett-Packard) Hidden
Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.22.5 - Google Inc.) Hidden
Hoyle Card Games 2005 (HKLM\...\{B44AA698-B221-4B3B-8CA5-E65EF6A5AF26}) (Version: 1.2.0.0 - Encore, Inc.)
HP Imaging Device Functions 8.0 (HKLM\...\HP Imaging Device Functions) (Version: 8.0 - HP)
HP OCR Software 8.0 (HKLM\...\HPOCR) (Version: 8.0 - HP)
HP Photosmart Essential (HKLM\...\{EB21A812-671B-4D08-B974-2A347F0D8F70}) (Version: 1.12.0.46 - HP)
HP Photosmart.All-In-One Driver Software 8.0 .A (HKLM\...\{282E5AB2-8E47-4571-B6FA-6B512555B557}) (Version: 8.0 - HP)
HP Solution Center 8.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 8.0 - HP)
HP Update (HKLM\...\{8C6027FD-53DC-446D-BB75-CACD7028A134}) (Version: 4.000.005.006 - Hewlett-Packard)
HPProductAssistant (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Logitech Webcam Software (HKLM\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.51 - Logitech Inc.)
LWS Facebook (Version: 13.50.854.0 - Logitech) Hidden
LWS Gallery (Version: 13.51.827.0 - Logitech) Hidden
LWS Help_main (Version: 13.51.828.0 - Logitech) Hidden
LWS Launcher (Version: 13.51.828.0 - Logitech) Hidden
LWS Motion Detection (Version: 13.51.815.0 - Logitech) Hidden
LWS Pictures And Video (Version: 13.51.815.0 - Logitech) Hidden
LWS Twitter (Version: 13.30.1346.0 - Logitech) Hidden
LWS Webcam Software (Version: 13.51.815.0 - Logitech) Hidden
LWS WLM Plugin (Version: 1.30.1201.0 - Logitech) Hidden
LWS YouTube Plugin (Version: 13.31.1038.0 - Logitech) Hidden
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC90_CRT_x86 (Version: 1.00.0000 - Adobe) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
OVT Scanner X86 (HKLM\...\{6B566EFE-DC1D-471F-93DD-84832663F140}) (Version: 1.00.0000 - OVT)
Roxio Activation Module (Version: 1.0 - Roxio) Hidden
Roxio BackOnTrack (Version: 1.3.0 - Roxio) Hidden
Roxio Burn (Version: 1.0.0 - Roxio) Hidden
Roxio Central Audio (Version: 3.8.0 - Roxio) Hidden
Roxio Central Copy (Version: 3.8.0 - Roxio) Hidden
Roxio Central Core (Version: 3.8.0 - Roxio) Hidden
Roxio Central Data (Version: 3.8.0 - Roxio) Hidden
Roxio Central Tools (Version: 3.8.0 - Roxio) Hidden
Roxio Easy CD and DVD Burning (HKLM\...\{537BF16E-7412-448C-95D8-846E85A1D817}) (Version: 10.3 - Roxio)
Roxio Easy CD and DVD Burning (Version: 10.3.104 - Roxio) Hidden
Roxio Express Labeler 3 (Version: 3.2.1 - Roxio) Hidden
Roxio File Backup (Version: 1.3.0 - Roxio) Hidden
Roxio PhotoShow (HKLM\...\Roxio PhotoShow) (Version: 6.0 - Sonic Solutions)
Roxio Update Manager (Version: 6.0.0 - Roxio) Hidden
Scan (Version: 8.1.0.0 - Hewlett-Packard) Hidden
Skype™ 6.13 (HKLM\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.13.104 - Skype Technologies S.A.)
SmartSound Quicktracks for Premiere Elements 9.0 (HKLM\...\InstallShield_{6748E773-5DA0-4D19-8AA5-273B4133A09B}) (Version: 3.12.3090 - SmartSound Software Inc)
SmartSound Quicktracks for Premiere Elements 9.0 (Version: 3.12.3090 - SmartSound Software Inc) Hidden
Soft Data Fax Modem with SmartCP (HKLM\...\CNXT_MODEM_PCI_HSF) (Version:  - )
SolutionCenter (Version: 82.0.188.000 - Hewlett-Packard) Hidden
Sonic CinePlayer Decoder Pack (Version: 4.3.0 - Sonic Solutions) Hidden
Status (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Sunrise PC Support (HKLM\...\{C2835850-FCEB-4A1A-A213-57E7A9A8EC62}) (Version: 7.0.454 - LogMeIn, Inc.)
Toolbox (Version: 82.0.173.000 - Hewlett-Packard) Hidden
TrayApp (Version: 82.0.188.000 - Hewlett-Packard) Hidden
Uninstall OVT Scanner (HKLM\...\OVT Scanner) (Version:  - )
UnloadSupport (Version: 1.00.0000 - Hewlett-Packard) Hidden
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
UpdaterEX (HKCU\...\UpdaterEX) (Version:  - UpdaterEX)
VC80CRTRedist - 8.0.50727.6195 (Version: 1.2.0 - DivX, Inc) Hidden
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
WebReg (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Yahoo! Toolbar (HKLM\...\Yahoo! Companion) (Version:  - Yahoo! Inc.)
 
==================== Restore Points  =========================
 
Could not list Restore Points. Check "winmgmt" service or repair WMI.
 
 
==================== Hosts content: ==========================
 
2006-11-02 03:23 - 2006-09-18 14:41 - 00000761 ____N C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {1304C226-7688-4A6C-864A-F819387D6100} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-30] (Google Inc.)
Task: {1CC81347-6204-4B83-900C-01E02F50F067} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {22A8D572-7191-4944-B023-54333718B8AC} - System32\Tasks\ArcSoft Connect Daemon => C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [2010-10-27] (ArcSoft Inc.)
Task: {233D9217-7557-4B38-9BE7-E791E5F467CE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-01-30] (Google Inc.)
Task: {295CB04E-FCB2-4246-9648-CB6309543C61} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {2CF67888-C262-4BCB-AF56-EA76F59C1FE8} - System32\Tasks\TuneUpUtilities_Task_BkGndMaintenance2013 => C:\Program Files\AVG\AVG PC TuneUp\OneClick.exe [2013-12-18] (AVG)
Task: {3BCDF251-CA5C-4045-A1FC-8FCEF9FBDC93} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {44980BEE-7809-44A9-AC24-D6E578A3B7DF} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-19] (Microsoft Corporation)
Task: {5E5DC6A9-A473-4324-8C04-3989822BF951} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {7B9D1F8C-8433-4984-BE33-31765D158EF4} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\VistaSP1CEIP => C:\Windows\servicing\vsp1ceip.exe [2008-01-19] (Microsoft Corporation)
Task: {8B18750B-E6F1-4C9A-ABB4-9E1A46AAF4F3} - System32\Tasks\Adobe online update program => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2013-04-04] (Adobe Systems Incorporated)
Task: {967378C9-18D2-4804-BBF5-3D37CAD4C240} - System32\Tasks\Advanced System Optimizer => C:\Program Files\Advanced System Optimizer 3\ASO3.exe
Task: {A728AE6B-5AB8-4223-AD3E-E6341441A01C} - System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries => Rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries
Task: {AB1F74BE-6629-4B46-8D0C-0E0994B1F9C7} - System32\Tasks\HP online update program => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-12-10] (Hewlett-Packard Co.)
Task: {E5150B95-F9B4-4D5D-95A2-7EC1ACBA95F8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-05] ()
Task: {ED1EB867-1BCB-4E2A-BEDD-99986358CB50} - System32\Tasks\AdobeAAMUpdater-1.0-Livingston-PC-Livingston => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2010-07-29] (Adobe Systems Incorporated)
Task: {ED56F597-A80C-49B0-9210-3BED143B4E7A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-11] (Adobe Systems Incorporated)
Task: {FD3A417D-E805-490A-9E2F-383A9546E685} - System32\Tasks\DivX online update program => C:\Program Files\DivX\DivX Update\DivXUpdate.exe
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\User_Feed_Synchronization-{B0C1AA40-ADF5-48AF-9814-351C15D93A79}.job => C:\Windows\system32\msfeedssync.exe
 
==================== Loaded Modules (whitelisted) =============
 
 
==================== Alternate Data Streams (whitelisted) =========
 
 
==================== Safe Mode (whitelisted) ===================
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"
 
==================== Disabled items from MSCONFIG ==============
 
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk => C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^Livingston^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Storm Alerts.lnk => C:\Windows\pss\Storm Alerts.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Livingston^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^StormAlerts.lnk => C:\Windows\pss\StormAlerts.lnk.Startup
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: AVG_UI => "C:\Program Files\AVG\AVG2014\avgui.exe" /TRAYONLY
MSCONFIG\startupreg: Desktop Disc Tool => "C:\Program Files\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
MSCONFIG\startupreg: DivXMediaServer => C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe
MSCONFIG\startupreg: InstallX Search Protect for Yahoo => "C:\Users\Livingston\AppData\Roaming\InstallX Search Protect for Yahoo\searchprotector.exe"
MSCONFIG\startupreg: LWS => C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
MSCONFIG\startupreg: Windows Defender => %ProgramFiles%\Windows Defender\MSASCui.exe -hide
MSCONFIG\startupreg: XeroxRegistation => "C:\Users\LIVING~1\AppData\Local\Temp\Xerox\EReg\EReg.exe" /Startup
 
==================== Faulty Device Manager Devices =============
 
Could not list Devices. Check "winmgmt" service or repair WMI.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/28/2014 05:53:23 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (03/28/2014 05:53:05 PM) (Source: EventSystem) (User: )
Description: d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
 
Error: (03/28/2014 05:02:36 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (03/28/2014 04:32:41 PM) (Source: Software Licensing Service) (User: )
Description: The Software Licensing service failed to start. hr=0xC004D401, [2, 4]
 
Error: (03/28/2014 04:30:05 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x47918b89, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x000047c8,
process id 0x223c, application start time 0xsvchost.exe0.
 
Error: (03/28/2014 04:29:59 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x47918b89, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x000047c8,
process id 0x22d8, application start time 0xsvchost.exe0.
 
Error: (03/28/2014 04:29:54 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x47918b89, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x000047c8,
process id 0x2278, application start time 0xsvchost.exe0.
 
Error: (03/28/2014 04:29:48 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x47918b89, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x000047c8,
process id 0x1d58, application start time 0xsvchost.exe0.
 
Error: (03/28/2014 04:29:43 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x47918b89, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x000047c8,
process id 0x21f8, application start time 0xsvchost.exe0.
 
Error: (03/28/2014 04:29:37 PM) (Source: Application Error) (User: )
Description: Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x47918b89, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x000047c8,
process id 0x2178, application start time 0xsvchost.exe0.
 
 
System errors:
=============
Error: (03/28/2014 06:00:45 PM) (Source: DCOM) (User: )
Description: 1084MSIServer{000C101C-0000-0000-C000-000000000046}
 
Error: (03/28/2014 05:56:06 PM) (Source: DCOM) (User: )
Description: {73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
 
Error: (03/28/2014 05:55:26 PM) (Source: DCOM) (User: )
Description: {1F87137D-0E7C-44D5-8C73-4EFFB68962F2}
 
Error: (03/28/2014 05:54:24 PM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068
 
Error: (03/28/2014 05:54:24 PM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068
 
Error: (03/28/2014 05:54:24 PM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068
 
Error: (03/28/2014 05:54:24 PM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068
 
Error: (03/28/2014 05:54:24 PM) (Source: Service Control Manager) (User: )
Description: AFD
Avgdiskx
Avgfwfd
AVGIDSDriver
AVGIDSShim
Avgldx86
Avgtdix
DfsC
NetBIOS
netbt
nsiproxy
PSched
RasAcd
rdbss
Smb
spldr
tdx
Wanarpv6
 
Error: (03/28/2014 05:54:24 PM) (Source: Service Control Manager) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068
 
Error: (03/28/2014 05:54:24 PM) (Source: Service Control Manager) (User: )
Description: Network Location AwarenessNetwork Store Interface Service%%1068
 
 
Microsoft Office Sessions:
=========================
Error: (03/28/2014 05:53:23 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"J:\HitmanPro_x64.exe
 
Error: (03/28/2014 05:53:05 PM) (Source: EventSystem)(User: )
Description: d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp458007043c
 
Error: (03/28/2014 05:02:36 PM) (Source: SideBySide)(User: )
Description: Microsoft.Windows.Common-Controls,language="&#x2a;",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"J:\HitmanPro_x64.exe
 
Error: (03/28/2014 04:32:41 PM) (Source: Software Licensing Service)(User: )
Description: hr=0xC004D401, [2, 4]
 
Error: (03/28/2014 04:30:05 PM) (Source: Application Error)(User: )
Description: svchost.exe6.0.6001.1800047918b89unknown0.0.0.000000000c0000005000047c8223c01cf4adda6074a89
 
Error: (03/28/2014 04:29:59 PM) (Source: Application Error)(User: )
Description: svchost.exe6.0.6001.1800047918b89unknown0.0.0.000000000c0000005000047c822d801cf4adda2af5e53
 
Error: (03/28/2014 04:29:54 PM) (Source: Application Error)(User: )
Description: svchost.exe6.0.6001.1800047918b89unknown0.0.0.000000000c0000005000047c8227801cf4add9f574e78
 
Error: (03/28/2014 04:29:48 PM) (Source: Application Error)(User: )
Description: svchost.exe6.0.6001.1800047918b89unknown0.0.0.000000000c0000005000047c81d5801cf4add9c2f114a
 
Error: (03/28/2014 04:29:43 PM) (Source: Application Error)(User: )
Description: svchost.exe6.0.6001.1800047918b89unknown0.0.0.000000000c0000005000047c821f801cf4add98e0ae7c
 
Error: (03/28/2014 04:29:37 PM) (Source: Application Error)(User: )
Description: svchost.exe6.0.6001.1800047918b89unknown0.0.0.000000000c0000005000047c8217801cf4add955d6821
 
 
CodeIntegrity Errors:
===================================
  Date: 2014-03-28 17:57:58.218
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-28 17:57:58.125
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-28 17:57:58.031
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-28 17:57:57.953
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-28 17:57:57.843
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-28 17:57:57.750
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-28 17:57:57.640
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-28 17:57:57.546
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-28 17:57:52.234
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-28 17:57:52.140
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 36%
Total physical RAM: 1014.83 MB
Available physical RAM: 647.91 MB
Total Pagefile: 2287.99 MB
Available Pagefile: 2054.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1952.92 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:223.44 GB) (Free:192.67 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (RECOVERY) (Fixed) (Total:9.45 GB) (Free:0.21 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (FRTMCFRE_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF
Drive j: (PKBACK# 001) (Removable) (Total:7.32 GB) (Free:0.33 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 233 GB) (Disk ID: 818C58C7)
Partition 1: (Not Active) - (Size=9 GB) - (Type=07 NTFS)
Partition 2: (Active) - (Size=223 GB) - (Type=07 NTFS)
 
========================================================
Disk: 5 (MBR Code: Windows XP) (Size: 7 GB) (Disk ID: C3072E18)
 
Partition: GPT Partition Type.
 
==================== End Of Log ============================


#8 stephrider

stephrider
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 29 March 2014 - 12:29 PM

Really, no response? Thought for sure that would help



#9 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 PM

Posted 31 March 2014 - 03:02 AM

Sorry, I was off for the whole weekend.

Fix with FRST (Recovery Environment)


  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    REPLACE: C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.20537_none_cbc258dc896598f1\user32.dll | C:\Windows\System32\user32.dll

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Try to boot into Windows now.

Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:

    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

  • Click Finish.


If the program is already installed:
  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.


  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Proud Member of UNITE & TB
 
My help is free, however, if you want to support my fight against malware, click here --> btn_donate_SM.gif <--(no worries, every little bit helps)
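The FRST fix above restores C:\Windows\System32\user32.dll from the WinSxS component store because the live copy is suspected of having been modified. A defender who wants to confirm that before (or after) such a replacement can compare the live file against the store copy and check its Authenticode status. The PowerShell below is an added example and is not part of the thread, of FRST, or of any of the tools it mentions; the two paths are the ones quoted in the fix, and the WinSxS folder name is specific to that machine's build, so it must be adjusted to the component folder actually present on the system being checked. It assumes the component-store copy is the intended, clean version of the file.

```powershell
# Added example: compare a live System32 DLL with its WinSxS component-store copy
# and report its Authenticode signature status. Paths default to the ones quoted
# in the thread's FRST fix; the winsxs folder name is build-specific (assumption).
param(
    [string]$LiveFile  = 'C:\Windows\System32\user32.dll',
    [string]$StoreFile = 'C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.0.6000.20537_none_cbc258dc896598f1\user32.dll'
)

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash requires PowerShell 4+; calling .NET directly also works on
    # older hosts such as Vista with PowerShell 2.0.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
}

function Test-SystemDll {
    param([string]$Live, [string]$Store)

    if (-not (Test-Path -LiteralPath $Live))  { throw "Live file not found: $Live" }
    if (-not (Test-Path -LiteralPath $Store)) { throw "Store copy not found: $Store" }

    $liveHash  = Get-Sha256Hex -Path $Live
    $storeHash = Get-Sha256Hex -Path $Store

    # Windows system DLLs are usually catalog-signed rather than carrying an
    # embedded signature. Older PowerShell versions do not resolve catalog
    # signatures and report NotSigned even for a genuine file, so the hash
    # comparison is the primary check and the signature is corroboration.
    $sig    = Get-AuthenticodeSignature -FilePath $Live
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    return New-Object PSObject -Property @{
        LiveFile        = $Live
        FileVersion     = (Get-Item -LiteralPath $Live).VersionInfo.FileVersion
        LiveHash        = $liveHash
        StoreHash       = $storeHash
        HashesMatch     = ($liveHash -eq $storeHash)
        SignatureStatus = $sig.Status.ToString()
        Signer          = $signer
    }
}

$report = Test-SystemDll -Live $LiveFile -Store $StoreFile
$report | Select-Object LiveFile, FileVersion, LiveHash, StoreHash, HashesMatch, SignatureStatus, Signer | Format-List

if (-not $report.HashesMatch) {
    Write-Warning "Live copy of $($report.LiveFile) differs from the component-store copy; do not trust it until the difference is explained."
}
```

A mismatch only tells you the two files differ; the live file may be a legitimate later update that the chosen WinSxS folder predates, so compare file versions before concluding it was tampered with. Because malware that patches user32.dll could in principle alter the store copy too, a hash that matches is corroboration rather than proof, and comparing against the same file from a known-clean installation of the same build (or running sfc /scannow) remains the stronger check.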

#10 stephrider

stephrider
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 01 April 2014 - 01:36 PM

I appreciate your assistance. Quick update on the system: replaced the user32, rebooted the computer and attempted to run mbam over the weekend before your post. Was running mbam and various other scanners and then all of a sudden the system turned off all the scanners and rebooted and lo and behold, the bad boy was back.

My friend decided to reload the whole system. Which is a little disappointing because I don't like to admit one of these buggers beat me.

Thank you anyway for your help



#11 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 PM

Posted 01 April 2014 - 01:45 PM

Recommendations: How to protect yourself

  • System Updates
    Please ensure to have automatic updates activated in your control panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website's content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a dangerous classified web site, a warning screen is displayed.

  • Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:

  • Backup
    Hardware issues, malware, fire, lightning strike: there is a long list of different ways to lose all your data. Back up your files regularly. Use the Windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system.
  • Behaviour
    The commonest error when using a computer is "error 80", which means that the error is located about 80cm in front of the monitor. This is a common joke between IT support technicians but it shows that all the safety mechanisms won't help if you aren't careful enough.
    • While surfing the internet, don't click on anything you don't know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal data (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don't click everything.
    • When installing software, have a look at each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today's setup procedures contain potentially unwanted programs, so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.



#12 TB-Psychotic

TB-Psychotic

  • Malware Response Team
  • 6,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:59 PM

Posted 01 April 2014 - 01:45 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



