Admin privileges disappeared.....


49 replies to this topic

#1 wannawonda (Members, 105 posts)

Posted 30 May 2015 - 08:01 PM

Something has happened to our desktop. Kaspersky has been unable to update databases; sent them a message and have attempted all steps they suggested but am unable to run anything. Am not able to run or access anything as admin. Their latest email stated to send them screen shots of everything (have attached them). Computer will not allow me to see users or change users. Not sure what's going on. Estimated to be having the problem for the past 2-3 weeks; coincidentally around the time Internet Explorer completely stopped working.


Edited by hamluis, 01 June 2015 - 03:18 PM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 johnebadbak (Members, 63 posts, Mount gambier S.A)

Posted 30 May 2015 - 09:19 PM

Try safe mode to access admin with total permissions. In safe mode you should be able to fix your problems.

cmd in Windows does not give full access permissions for some system access.

Make sure you have I.E. eleven installed; download a new copy and install if necessary.



#3 wannawonda (Topic Starter, Members, 105 posts)

Posted 30 May 2015 - 10:07 PM

Okay, but how do I fix the problems if I don't know what they are? That is why I posted.



#4 Aura (Bleepin' Special Ops, Malware Response Team, 19,544 posts)

Posted 31 May 2015 - 12:40 AM

Hi wannawonda :)

First, you should boot in Safe Mode with Networking, and see if you have Admin Rights there. In order to check that, simply try to open a program with Admin Rights (like the command prompt) and see if it works. Follow the instructions below to boot in Safe Mode with Networking.

http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/#windows7

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 wannawonda (Topic Starter, Members, 105 posts)

Posted 31 May 2015 - 09:29 PM

Hi Aura,

 

I was not able to boot into safe mode, tried several times, the computer would sit and sit with a black screen.  After fourth attempt got a screen about windows failing to load the computer initiated start up repair and restored to a prior date.  Windows loaded and then was able to access things as administrator.  Still not able to update Kaspersky and the computer is really slow.  Not sure what disabled my admin rights or why they seem to be working now.   



#6 Aura (Bleepin' Special Ops, Malware Response Team, 19,544 posts)

Posted 01 June 2015 - 05:26 AM

Well let's give it a look then shall we? :)

Autoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:
  • Download Autoruns.zip from the Sysinternals Suite webpage;
  • Extract the content of the Autoruns.zip folder where you want, then go in the folder, right-click on Autoruns.exe and select Run as Administrator;
  • Accept the EULA on opening, then wait for all the entries to load;
  • Click on File then Save and save the file to a location easily accessible as a .arn (Autoruns) file;
  • Go on ge.tt and upload the Autoruns file you saved;
  • Once done, post the download URL of your uploaded file in your next reply;

MiniToolBox
  • Download MiniToolBox and move the executable file to your Desktop;
  • Execute MiniToolBox and check the following options:
    • List Installed Programs;
    • List Last 10 Event Viewer Errors;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;



#7 wannawonda (Topic Starter, Members, 105 posts)

Posted 01 June 2015 - 12:47 PM

ge.tt/13B8sWH2/v/0



#8 wannawonda (Topic Starter, Members, 105 posts)

Posted 01 June 2015 - 12:49 PM

MiniToolBox by Farbar  Version: 11-05-2015 01
Ran by The Bakers Acres (administrator) on 01-06-2015 at 10:48:36
Running from "C:\Users\The Bakers Acres\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Model: Inspiron 545 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Event log errors: ===============================

Application errors:
==================
Error: (06/01/2015 10:35:33 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/01/2015 10:15:25 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-1569031769-1789007777-3479381203-1000.bak).  hr = 0x80070539, The security ID structure is invalid.
.


Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {b8ede019-711d-42ce-bc9a-bdb890709d39}

Error: (06/01/2015 10:14:09 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-1569031769-1789007777-3479381203-1000.bak).  hr = 0x80070539, The security ID structure is invalid.
.


Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {b8ede019-711d-42ce-bc9a-bdb890709d39}

Error: (06/01/2015 10:14:09 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: The I/O writes cannot be held during the shadow copy creation period on volume \\?\Volume{3a41567c-3ab6-11de-97eb-806e6f6e6963}\.
The volume index in the shadow copy set is 0. Error details: Open[0x00000000, The operation completed successfully.
], Flush[0x00000000, The operation completed successfully.
], Release[0x80042314, The shadow copy provider timed out while holding writes to the volume being shadow copied. This is probably due to excessive activity on the volume by an application or a system service. Try again later when activity on the volume is reduced.
], OnRun[0x00000000, The operation completed successfully.
].


Operation:
   Executing Asynchronous Operation

Context:
   Current State: DoSnapshotSet

Error: (06/01/2015 10:14:09 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: The shadow copy could not be committed - operation timed out.
Error context: DeviceIoControl(\\?\Volume{3a41567c-3ab6-11de-97eb-806e6f6e6963} - 0000000000000100,0x0053c010,000000000038BF70,0,000000000038CF80,4096,[0]).


Operation:
   Committing shadow copies

Context:
   Execution Context: System Provider

Error: (06/01/2015 08:46:57 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/01/2015 08:38:18 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-1569031769-1789007777-3479381203-1000.bak).  hr = 0x80070539, The security ID structure is invalid.
.


Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {f0f4ec44-a94f-4366-b437-03caeb451799}

Error: (06/01/2015 08:38:18 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: The I/O writes cannot be held during the shadow copy creation period on volume \\?\Volume{3a41567c-3ab6-11de-97eb-806e6f6e6963}\.
The volume index in the shadow copy set is 0. Error details: Open[0x00000000, The operation completed successfully.
], Flush[0x00000000, The operation completed successfully.
], Release[0x80042314, The shadow copy provider timed out while holding writes to the volume being shadow copied. This is probably due to excessive activity on the volume by an application or a system service. Try again later when activity on the volume is reduced.
], OnRun[0x00000000, The operation completed successfully.
].


Operation:
   Executing Asynchronous Operation

Context:
   Current State: DoSnapshotSet

Error: (06/01/2015 08:38:18 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: The shadow copy could not be committed - operation timed out.
Error context: DeviceIoControl(\\?\Volume{3a41567c-3ab6-11de-97eb-806e6f6e6963} - 000000000000013C,0x0053c010,0000000000138FA0,0,00000000001447F0,4096,[0]).


Operation:
   Committing shadow copies

Context:
   Execution Context: System Provider

Error: (06/01/2015 08:12:45 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (06/01/2015 10:34:14 AM) (Source: Service Control Manager) (User: )
Description: The AVG WatchDog service failed to start due to the following error:
%%2

Error: (06/01/2015 10:22:08 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.

Error: (06/01/2015 10:21:59 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.

Error: (06/01/2015 10:21:53 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.

Error: (06/01/2015 10:07:55 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.

Error: (06/01/2015 10:07:49 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.

Error: (06/01/2015 10:07:42 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.

Error: (06/01/2015 10:06:18 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.

Error: (06/01/2015 10:06:12 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.

Error: (06/01/2015 10:05:53 AM) (Source: Ntfs) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.


Microsoft Office Sessions:
=========================
Error: (06/01/2015 10:35:33 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/01/2015 10:15:25 AM) (Source: VSS)(User: )
Description: ConvertStringSidToSid(S-1-5-21-1569031769-1789007777-3479381203-1000.bak)0x80070539, The security ID structure is invalid.


Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {b8ede019-711d-42ce-bc9a-bdb890709d39}

Error: (06/01/2015 10:14:09 AM) (Source: VSS)(User: )
Description: ConvertStringSidToSid(S-1-5-21-1569031769-1789007777-3479381203-1000.bak)0x80070539, The security ID structure is invalid.


Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {b8ede019-711d-42ce-bc9a-bdb890709d39}

Error: (06/01/2015 10:14:09 AM) (Source: VSS)(User: )
Description: \\?\Volume{3a41567c-3ab6-11de-97eb-806e6f6e6963}\00x00000000, The operation completed successfully.
0x00000000, The operation completed successfully.
0x80042314, The shadow copy provider timed out while holding writes to the volume being shadow copied. This is probably due to excessive activity on the volume by an application or a system service. Try again later when activity on the volume is reduced.
0x00000000, The operation completed successfully.


Operation:
   Executing Asynchronous Operation

Context:
   Current State: DoSnapshotSet

Error: (06/01/2015 10:14:09 AM) (Source: VSS)(User: )
Description: DeviceIoControl(\\?\Volume{3a41567c-3ab6-11de-97eb-806e6f6e6963} - 0000000000000100,0x0053c010,000000000038BF70,0,000000000038CF80,4096,[0])

Operation:
   Committing shadow copies

Context:
   Execution Context: System Provider

Error: (06/01/2015 08:46:57 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (06/01/2015 08:38:18 AM) (Source: VSS)(User: )
Description: ConvertStringSidToSid(S-1-5-21-1569031769-1789007777-3479381203-1000.bak)0x80070539, The security ID structure is invalid.


Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {f0f4ec44-a94f-4366-b437-03caeb451799}

Error: (06/01/2015 08:38:18 AM) (Source: VSS)(User: )
Description: \\?\Volume{3a41567c-3ab6-11de-97eb-806e6f6e6963}\00x00000000, The operation completed successfully.
0x00000000, The operation completed successfully.
0x80042314, The shadow copy provider timed out while holding writes to the volume being shadow copied. This is probably due to excessive activity on the volume by an application or a system service. Try again later when activity on the volume is reduced.
0x00000000, The operation completed successfully.


Operation:
   Executing Asynchronous Operation

Context:
   Current State: DoSnapshotSet

Error: (06/01/2015 08:38:18 AM) (Source: VSS)(User: )
Description: DeviceIoControl(\\?\Volume{3a41567c-3ab6-11de-97eb-806e6f6e6963} - 000000000000013C,0x0053c010,0000000000138FA0,0,00000000001447F0,4096,[0])

Operation:
   Committing shadow copies

Context:
   Execution Context: System Provider

Error: (06/01/2015 08:12:45 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


CodeIntegrity Errors:
===================================
  Date: 2015-03-10 04:37:51.299
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-10 04:37:51.284
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-10 04:33:16.832
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-10 04:33:16.739
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-09 04:00:54.483
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-09 04:00:54.468
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-09 03:57:07.705
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-09 03:57:07.689
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-08 04:57:17.181
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-03-08 04:57:17.181
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security 15.0.2\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

2x1/4x1 USB Peripheral Switch (HKLM-x32\...\{A3752427-9AAA-4B1C-B428-01723E0E9FFA}) (Version:  - )
64 Bit HP CIO Components Installer (HKLM\...\{9301985B-D116-4A93-A93D-94580084FF86}) (Version: 1.2.0 - Hewlett-Packard) Hidden
64 Bit HP CIO Components Installer (HKLM\...\{FF21C3E6-97FD-474F-9518-8DCBE94C2854}) (Version: 7.2.8 - Hewlett-Packard) Hidden
ABBYY FineReader for ScanSnap ™ 4.1 (HKLM-x32\...\{FB410000-0001-0000-0000-074957833700}) (Version: 8.02.449.72515 - ABBYY)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 16.0.0.273 - Adobe Systems Incorporated)
Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Adobe Flash Player 17 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 17.0.0.188 - Adobe Systems Incorporated)
Adobe Photoshop Elements 10 (HKLM-x32\...\Adobe Photoshop Elements 10) (Version: 10.0 - Adobe Systems Incorporated)
Adobe Photoshop Lightroom 5.2 64-bit (HKLM\...\{54E6C675-3AD4-42E4-957F-31666ABF1603}) (Version: 5.2.1 - Adobe)
Adobe Photoshop.com Inspiration Browser (HKLM-x32\...\PhotoshopdotcomInspirationBrowser.4C35C4D325D350FE0114230CBADCA2DDD0AC8D25.1) (Version: 3.07 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.11) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.11 - Adobe Systems Incorporated)
Amazon Kindle (HKCU\...\Amazon Kindle) (Version:  - Amazon)
Apple Application Support (HKLM-x32\...\{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}) (Version: 2.3.4 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2F72F540-1F60-4266-9506-952B21D6640D}) (Version: 6.1.0.13 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Audacity 2.1.0 (HKLM-x32\...\Audacity_is1) (Version: 2.1.0 - Audacity Team)
AVG 2015 (HKLM\...\{D0C861C6-35B9-4F46-8176-61D36272256D}) (Version: 15.0.4293 - AVG Technologies) Hidden
Bandicam (HKLM-x32\...\Bandicam) (Version: 1.8.4.283 - Bandisoft.com)
Bandisoft MPEG-1 Decoder (HKLM-x32\...\BandiMPEG1) (Version:  - )
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CardMinder (HKLM-x32\...\{D4F2AFD3-0167-4464-B92F-78AB6DA8A0AA}) (Version: V4.1L20 - PFU)
CardMinder V4.1 (HKLM-x32\...\{FB4BC1A5-B28D-4DD3-8611-192228F4317D}) (Version: 4.1.20.1 - PFU) Hidden
Cisco Connect (HKLM-x32\...\Cisco Connect) (Version: 1.3.11006.1 - Cisco Consumer Products LLC)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CyberLink MediaShow (HKLM-x32\...\InstallShield_{80E158EA-7181-40FE-A701-301CE6BE64AB}) (Version: 4.0.2224 - CyberLink Corp.)
Dave Ramsey's Financial Peace Financial Software 5.4.1 (HKLM-x32\...\Dave Ramsey's Financial Peace Financial Software 5.45.4) (Version: 5.4.1 - The Lampo Group, Inc)
Dell Edoc Viewer (HKLM\...\{8EBA8727-ADC2-477B-9D9A-1A1836BE4E05}) (Version: 1.0.0 - Dell Inc)
DVD Decrypter (Remove Only) (HKLM-x32\...\DVD Decrypter) (Version:  - )
Elements 10 Organizer (HKLM-x32\...\{22D3A614-482C-444A-932C-9DA1B8ECDFD2}) (Version: 10.0 - Adobe Systems Incorporated) Hidden
ERUNT 1.1j (HKLM-x32\...\ERUNT_is1) (Version:  - Lars Hederer)
Fraps (remove only) (HKLM-x32\...\Fraps) (Version:  - )
GEAR driver installer for x86 and x64 (HKLM-x32\...\{2EA45803-BEB7-46C4-9ADC-46A5F9E7BB77}) (Version: 4.008.5 - GEAR Software) Hidden
Ghostery (HKLM-x32\...\Ghostery) (Version:  - Ghostery Inc)
Google Drive (HKLM-x32\...\{35574F09-89F9-4B16-B69B-64F3E25901B8}) (Version: 1.21.9226.6034 - Google, Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.27.5 - Google Inc.) Hidden
Handbrake 0.9.4 (HKLM-x32\...\Handbrake) (Version: 0.9.4 - )
HD Writer HE 1.0 (HKLM-x32\...\{101AD205-6A22-4BF1-9EF5-22C8F97F90A3}) (Version: 1.00.018.1033 - Panasonic Corporation)
HP Photosmart 7520 series Basic Device Software (HKLM\...\{27ABA988-D480-4F44-B0FD-45E5656D2CFE}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
IObit Toolbar v5.3 (HKLM-x32\...\{3082E921-811D-4E9E-B991-3B65C6EA09FF}) (Version: 5.3 - Spigot, Inc.)
iTunes (HKLM\...\{76FF0F03-B707-4332-B5D1-A56C8303514E}) (Version: 11.0.4.4 - Apple Inc.)
Java 8 Update 45 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418045F0}) (Version: 8.0.450 - Oracle Corporation)
Junk Mail filter update (HKLM-x32\...\{8E5233E1-7495-44FB-8DEB-4BE906D59619}) (Version: 14.0.8117.416 - Microsoft Corporation) Hidden
Kaspersky Total Security (HKLM-x32\...\{02FECEE0-16B2-43DB-BC3B-C844477FC142}) (Version: 15.0.2.361 - Kaspersky Lab) Hidden
Kaspersky Total Security (HKLM-x32\...\InstallWIX_{02FECEE0-16B2-43DB-BC3B-C844477FC142}) (Version: 15.0.2.361 - Kaspersky Lab)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
Logitech Webcam Software (HKLM\...\{987FE247-4E69-4A2E-A961-D14F901FDBF6}) (Version: 12.10.1113 - Logitech Inc.)
Logitech Webcam Software Driver Package (HKLM\...\lvdrivers_12.10) (Version: 12.10.1110 - Logitech Inc.)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Download Manager (HKLM-x32\...\{654977DB-0001-0002-0001-EABD228DDE8B}) (Version: 1.2.1 - Microsoft Corporation)
Microsoft Office 2000 Professional (HKLM-x32\...\{00010409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Microsoft Office Excel Viewer (HKLM-x32\...\{95120000-003F-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM-x32\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM-x32\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft PowerPoint Viewer (HKLM-x32\...\{95140000-00AF-0409-0000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Research AutoCollage 2008 version 1.1 (HKLM-x32\...\{423D8FBE-EC52-40FD-B2A0-8C9C8F973FD7}) (Version: 1.01.2008 - Microsoft Research)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP2 ENU (HKLM-x32\...\{3A9FC03D-C685-4831-94CF-4EDFD3749497}) (Version: 3.5.8080.0 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP2 x64 ENU (HKLM\...\{D4AD39AD-091E-4D33-BB2B-59F6FCB8ADC3}) (Version: 3.5.8080.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (HKLM-x32\...\{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Word 2002 (HKLM-x32\...\{911B0409-6000-11D3-8CFE-0050048383C9}) (Version: 10.0.6626.0 - Microsoft Corporation)
Microsoft Works (HKLM-x32\...\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}) (Version: 9.7.0621 - Microsoft Corporation)
Microsoft Works 2004 Setup Launcher (HKLM-x32\...\Works2004Setup) (Version:  - )
Mozilla Firefox 38.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 38.0.1 (x86 en-US)) (Version: 38.0.1 - Mozilla)
MSRedist (HKLM-x32\...\{328687A2-2504-49FA-AE3E-08B0DEDB51EC}) (Version: 9.0.30729.4148 - Symantec Corporation) Hidden
MSRedx64 (HKLM-x32\...\{D6174060-52D9-4886-8DBF-4EBF7C1CBCAA}) (Version: 9.0.30729.4148 - Symantec Corporation) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
PackMaster (HKLM-x32\...\{FB9C1550-C380-11E0-6784-0B93E74E18BE}) (Version: 4.02b - Troopmaster Software)
PhotoParade Player (HKLM-x32\...\PhotoParade.exe) (Version:  - )
PowerDVD DX (HKLM-x32\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 8.3.5424 - CyberLink Corp.)
PSE10 STI Installer (HKLM-x32\...\{11D08055-939C-432b-98C3-E072478A0CD7}) (Version: 10.0 - Adobe Systems Incorporated) Hidden
Quicken 2014 (HKLM-x32\...\{0877F595-254F-45F4-991D-3F72E86B17CE}) (Version: 23.1.7.6 - Intuit)
Quicken WillMaker Plus 2011 (HKLM-x32\...\Quicken WillMaker Plus 2011) (Version:  - Nolo)
QuickTime 7 (HKLM-x32\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek 8136 8168 8169 Ethernet Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0005 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5894 - Realtek Semiconductor Corp.)
Roxio Creator DE (HKLM-x32\...\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}) (Version: 10.1 - Roxio)
Runtime (HKLM-x32\...\{DABF43D9-1104-4764-927B-5BED1274A3B0}) (Version: 1.00.0000 - Your Company Name) Hidden
ScanSnap (HKLM-x32\...\{9AA5E6EB-2C32-4EC6-81E1-7F014052CBD3}) (Version: 5.1.20.1 - PFU Limited) Hidden
ScanSnap Manager (HKLM-x32\...\{DBCDB997-EEEB-4BE9-BAFF-26B4094DBDE6}) (Version: V5.1L20 - PFU)
ScanSnap Organizer (HKLM-x32\...\{6CBA54FA-323E-4C13-BB5C-4E2576D630CB}) (Version: 4.1.20.12 - PFU LIMITED) Hidden
ScanSnap Organizer (HKLM-x32\...\{E58F3B88-3B3E-4F85-9323-04789D979C15}) (Version: V4.1L20 - PFU)
SeaTools for Windows (HKLM-x32\...\{98613C99-1399-416C-A07C-1EE1C585D872}) (Version: 1.2.0.6 - Seagate Technology)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TurboTax 2011 (HKLM-x32\...\TurboTax 2011) (Version:  - Intuit, Inc)
TurboTax 2012 (HKLM-x32\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
TurboTax 2013 (HKLM-x32\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
TurboTax 2014 (HKLM-x32\...\TurboTax 2014) (Version: 2014.0 - Intuit, Inc)
Unity Web Player (HKCU\...\UnityWebPlayer) (Version: 5.0.0f4 - Unity Technologies ApS)
WD Diagnostics (HKLM-x32\...\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}) (Version: 1.09.0002 - Western Digital Technologies)
WD Drive Utilities (HKLM-x32\...\{439A51F7-84B1-4603-BEC8-647EB2AC307F}) (Version: 1.0.1.5 - Western Digital)
WD Security (HKLM-x32\...\{8172B41A-9BB5-4A64-BF28-1FB5FE43C3FF}) (Version: 1.0.1.5 - Western Digital)
WD SmartWare (HKLM\...\{6FE8A1DA-8CA6-4801-BF0F-0F2FED143FF4}) (Version: 1.6.4.7 - Western Digital Technologies, Inc.)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM-x32\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{B10914FD-8812-47A4-85A1-50FCDE7F1F33}) (Version: 14.0.8117.416 - Microsoft Corporation)
Windows Live Upload Tool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
Wizard101 (HKLM-x32\...\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}) (Version: 1.0.0 - KingsIsle Entertainment, Inc.)
WOT for Internet Explorer (HKLM\...\{373B90E1-A28C-434C-92B6-7281AFA6115A}) (Version: 13.9.2.0 - WOT Services Oy)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 31%
Total physical RAM: 8181.18 MB
Available physical RAM: 5616.68 MB
Total Pagefile: 16360.56 MB
Available Pagefile: 13613.26 MB
Total Virtual: 4095.88 MB
Available Virtual: 3984.94 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:683.58 GB) (Free:405.62 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:7.71 GB) NTFS

========================= Users: ========================================

User accounts for \\SASSY

Administrator            Guest                    Joseph                   
The Bakers Acres         


**** End of log ****



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,544 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 AM

Posted 01 June 2015 - 12:55 PM

Before we do anything, you need to run a chkdsk on your drive, as shown in the Event Viewer. This operation can take a while to complete, so I suggest you run it overnight or when you're gone to work.

Check Disk (chkdsk)
Follow the instructions below to run a CHKDSK scan on your Windows partition;
  • On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Run as Administrator
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the command chkdsk /r (there's a space between "chkdsk" and "/r") and press on Enter;
  • A message will be returned, stating that the drive cannot be locked because it's already in use, and you'll be asked if you want to schedule the scan for the next restart. Enter y and press on Enter;
  • Restart your computer, and the chkdsk scan will be launched automatically;
  • WARNING: Depending on your hard drive (specs, free space, fragmentation, etc.) this scan can be relatively long to complete. Give it all the time it needs to finish. Do not interrupt it for any reason there is, or you might be damaging your drive in the process and make your Windows unbootable. It's suggested to let this scan run overnight or when you leave the house for a few hours (when you go to work for example). If you are running this scan on a laptop, don't forget to leave it plugged in;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#10 wannawonda

wannawonda
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 01 June 2015 - 05:21 PM

chkdsk done.



#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,544 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 AM

Posted 01 June 2015 - 09:06 PM

Alright, that's good. Are you able to uninstall the following program?
  • IObit Toolbar v5.3;
Also, it looks like you have AVG 2015 installed, which means that you have two Antivirus programs installed on the system. You should never, ever have more than one Antivirus program installed at a time on a system, since it can cause system instability. I suggest you read the "IMPORTANT NOTE" in the following article by quietman :)

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

Now, we need to get AVG 2015 off your system. Follow the instructions below please.
Registry - Export Uninstall Keys
  • On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Run as Administrator
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the following commands, one after the other. You'll know when you're ready to input the next command when a new line with a blinking cursor will appear under the precedent one:
    Note: You can copy and paste these commands instead of typing them. To copy a command inside the command prompt, move your mouse over the blinking cursor, right-click and select Paste. You must have copied the command prior to that (via Ctrl + C or left-click and Copy).
    • reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s > %userprofile%\Desktop\hklm_uninstall32.txt
    • reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall /s > %userprofile%\Desktop\hklm_uninstall64.txt
  • Once you're done running the commands, two files will have appeared on your desktop:
    • hklm_uninstall32.txt
    • hklm_uninstall64.txt
  • Create a new folder on your Desktop and move both files inside it. Once done, archive (.zip) the folder (right-click on it, select Send to... and select Compressed archive (.zip));
  • Go on ge.tt, upload the archive (.zip) there and give me the download URL in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 wannawonda

wannawonda
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 01 June 2015 - 10:11 PM

I haven't had IObit for two years.  It was removed but still remains in the Programs and Features menu.  Please see screen shots of the error when attempting to remove it.  The AVG was a trial and was removed.  Not sure why it is still there.  It is not searchable and does not show up in the Programs and Features menu.



#13 wannawonda

wannawonda
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 01 June 2015 - 10:25 PM

How can I attach a screen shot?



#14 wannawonda

wannawonda
  • Topic Starter

  • Members
  • 105 posts
  • OFFLINE
  •  
  • Local time:06:24 AM

Posted 01 June 2015 - 10:33 PM

AVG uninstall attempt screen shot and IObit uninstall attempt screen shots

http://ge.tt/4Yz0RYH2



#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,544 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 AM

Posted 02 June 2015 - 05:22 AM

Try these commands, my bad:

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s > "%userprofile%\Desktop\hklm_uninstall32.txt"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall /s > "%userprofile%\Desktop\hklm_uninstall64.txt"

I always forget to edit my canned. Also, if IObit cannot be uninstalled, we'll deal with it after AVG.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
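The two `reg query ... /s` commands above (post #11, and the corrected form here with the redirect target quoted, which matters once the profile path contains spaces, as "The Bakers Acres" does) write plain-text dumps of the 32-bit and 64-bit Uninstall keys. What the helper then does with those dumps is look for leftover entries such as AVG 2015 and IObit Toolbar, whose uninstaller is gone but whose registry key still makes them show up in Programs and Features. The following Python script is an added example, not code from this thread or from Aura, that parses that `reg query` output format, finds entries by display name, and flags entries whose uninstaller executable no longer exists on disk. The sample dump, its key names and paths, and the `present` set that stands in for the real file system are all constructed so the script runs offline on any OS; on the affected machine you would feed it the real `hklm_uninstall32.txt`/`hklm_uninstall64.txt` files and let it use `os.path.exists`.

```python
"""Parse `reg query <key> /s` text output and report leftover Uninstall entries.

Added example (not from the thread). The SAMPLE_DUMP below is constructed,
and the path-existence check is injectable so the script runs anywhere.
"""
import os
import re
from typing import Callable, Dict, List, Optional

# Constructed sample of what `reg query HKLM\...\Uninstall /s` prints.
# Key names, versions and paths are made up for illustration.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AVG
    DisplayName    REG_SZ    AVG 2015
    DisplayVersion    REG_SZ    15.0.0.1
    UninstallString    REG_SZ    "C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe" /UNINSTALL

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Toolbar
    DisplayName    REG_SZ    IObit Toolbar v5.3
    UninstallString    REG_SZ    C:\Program Files (x86)\IObit Toolbar\uninstall.exe
    Publisher    REG_SZ    IObit

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}
    DisplayName    REG_SZ    Example MSI Product
    UninstallString    REG_SZ    MsiExec.exe /X{11111111-2222-3333-4444-555555555555}
    SystemComponent    REG_DWORD    0x1
"""

# A value line is indented: <name> <REG_type> <data>. Value names containing
# spaces are rare under Uninstall and are not handled by this simple pattern.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Group values under their subkey: one dict per key line, 'key' plus each value."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("HKEY_"):          # key path lines are not indented
            current = {"key": line}
            entries.append(current)
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, _reg_type, data = m.groups()
            current[name] = data
    return entries


def uninstall_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only subkeys that describe an installed program (have a DisplayName)."""
    return [e for e in entries if "DisplayName" in e]


def find_by_name(entries: List[Dict[str, str]], needle: str) -> List[Dict[str, str]]:
    """Case-insensitive substring match on DisplayName, e.g. 'avg' or 'iobit'."""
    needle = needle.lower()
    return [e for e in entries if needle in e.get("DisplayName", "").lower()]


def uninstaller_path(uninstall_string: str) -> Optional[str]:
    """Extract the executable path from an UninstallString.

    Returns None when no drive-rooted path can be determined (e.g. a bare
    'MsiExec.exe /X{...}' entry resolved through PATH), since that cannot be
    checked on disk."""
    s = uninstall_string.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        path = s[1:end] if end > 0 else s[1:]
    else:
        cut = s.find(" /")                    # unquoted path ends at the first switch
        path = s if cut < 0 else s[:cut]
    path = path.strip()
    return path if re.match(r"^[A-Za-z]:\\", path) else None


def orphaned(entries: List[Dict[str, str]],
             exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, str]]:
    """Entries whose uninstaller executable is missing: the registry key survives
    but the program cannot be removed from Programs and Features any more."""
    result = []
    for e in entries:
        path = uninstaller_path(e.get("UninstallString", ""))
        if path is not None and not exists(path):
            result.append(e)
    return result


if __name__ == "__main__":
    ents = uninstall_entries(parse_reg_query(SAMPLE_DUMP))
    for e in find_by_name(ents, "avg") + find_by_name(ents, "iobit"):
        print(e["DisplayName"], "->", e.get("UninstallString", "<none>"))
    # Constructed stand-in for the disk: only the AVG uninstaller still exists.
    present = {r"C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe"}
    for e in orphaned(ents, exists=lambda p: p in present):
        print("orphaned entry:", e["DisplayName"], "at", e["key"])
```

On the real dumps, `orphaned(uninstall_entries(parse_reg_query(open("hklm_uninstall64.txt").read())))` with the default `os.path.exists` lists the ghost entries; entries that launch `MsiExec.exe` are deliberately skipped rather than guessed at, because their product code, not a file path, decides whether the MSI uninstall still works.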




