
White Screen Virus - How to Disable White Pop-Up Screen?


  • This topic is locked
78 replies to this topic

#1 RecycleZone

RecycleZone

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:03:51 AM

Posted 28 November 2015 - 12:52 AM

Hi. And thanks for reading this post.

 

Description: Windows 7 Starter (netbook) loads , desktop is visible for about 30 seconds, then is taken over by a white screen with a submit box on the right bottom portion of the screen. Other than a one-line warning that says "You have 30 seconds to connect to the internet," there are no other messages or directions. I suspect it is some type of flawed ransomware, with an intelligent, very well-hidden code.

 

From a USB, using command prompt, I've tried several dozen malware scanners including HitmanPro and MalwareBytes without success.

 

The computer was infected on 11/18/15 and the virus seems to have deleted any previous restore point(s).

 

The white screen virus locks up Safe Mode and Safe Mode with Networking. The white screen also launches when trying to use explorer.exe or opening up notepad to save a file to the desktop. Tried to use a new user account to bypass the virus, but the white screen locks up the new user account in the same way.

 

Safe Mode with Command Prompt works.

 

I am thankful to be here for some professional help and look forward to the learning experience.

 

I followed Bleeping Computer's directions and uploaded the relevant logs from a recently run Farbar scan.

 

Thank you in advance for any assistance you can provide.



Edited by RecycleZone, 28 November 2015 - 12:54 AM.



 


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,444 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:01:51 AM

Posted 01 December 2015 - 06:28 PM

Greetings RecycleZone and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to topic button instead.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please do this.

===================================================

Recovery Environment - MBR Dump Using Farbar's Recovery Scan Tool and ListParts

--------------------

For this step you will need a USB device and start on a clean computer if necessary.
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
S3 catchme; \??\C:\Users\RZ\AppData\Local\Temp\catchme.sys [X]
S1 epp32; \??\D:\bin\epp32.sys [X]
U2 ERSvc; no ImagePath
U2 IAStorDataMgrsvc; no ImagePath
U2 NIHardwareService; no ImagePath
U2 NVSvc; no ImagePath
U0 Partizan; system32\drivers\Partizan.sys [X]
U2 srService; no ImagePath
AlternateDataStreams: C:\ProgramData\TEMP:E965A533
AlternateDataStreams: C:\Users\RZ\Documents\Opera_NI_stable.exe:BDU
C:\windows\system32\umstartup000.etl
SaveMbr: Drive=0
  • Please download Farbar Recovery Scan Tool for 32 bit systems and save it to a USB device.
  • Download ListParts for 32 bit systems and save it to your USB device
  • Plug the flash drive into the infected PC and follow the 2 step process below to enter the System Recovery Options using one of the three options listed, then run Farbar's Recovery Scan Tool
----------

Entering into the System Recovery Options

Option #1

To enter System Recovery Options in Windows 8:

Option #2

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Option #3

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next
----------

Running Farbar's Recovery Scan Tool and Listparts in System Recovery
  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • When the tool opens click Yes to disclaimer.
  • Press Fix button.
  • At the command prompt type e:\listparts (replace letter as necessary) and press Enter
  • Three logs will be created on your USB device, mbrdump.txt, fixlog.txt, and Result.txt. Please attach them to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • mbrdump.txt
  • Fixlog.txt
  • Result.txt

Edited by Oh My!, 02 December 2015 - 06:32 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#3 RecycleZone


Posted 02 December 2015 - 03:03 PM

 

Hi Gary. It's Mark and I'm glad to meet you. Thanks for generously sharing your time and expertise. I really appreciate the help.

Before realizing you had posted a response, I tried RogueKiller which found some issues, but didn't remove the virus. Now that you're helping me with this, I will be following your directions exactly as provided and posting as requested in a timely manner. Thanks again.

Following are: 1) Fixlog.txt 2) mbrdump.txt and 3) Result.txt

----------------------------------------------------------------------------------------------

1) Fixlog

 

Fix result of Farbar Recovery Scan Tool (x86) Version:01-12-2015

Ran by Administrator (2015-12-02 06:32:45) Run:6

Running from D:\

Loaded Profiles: Administrator (Available Profiles: RZ & Administrator)

Boot Mode: Safe Mode (minimal)

==============================================

fixlist content:

*****************

S3 catchme; \??\C:\Users\RZ\AppData\Local\Temp\catchme.sys [X]

S1 epp32; \??\D:\bin\epp32.sys [X]

U2 ERSvc; no ImagePath

U2 IAStorDataMgrsvc; no ImagePath

U2 NIHardwareService; no ImagePath

U2 NVSvc; no ImagePath

U0 Partizan; system32\drivers\Partizan.sys [X]

U2 srService; no ImagePath

AlternateDataStreams: C:\ProgramData\TEMP:E965A533

AlternateDataStreams: C:\Users\RZ\Documents\Opera_NI_stable.exe:BDU

Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup- /s

File: C:\windows\system32\umstartup000.etl

SaveMbr: Drive=0

*****************

catchme => service not found.

epp32 => service not found.

ERSvc => service removed successfully.

IAStorDataMgrsvc => service removed successfully.

NIHardwareService => service removed successfully.

NVSvc => service removed successfully.

Partizan => service not found.

srService => service removed successfully.

C:\ProgramData\TEMP => ":E965A533" ADS removed successfully..

C:\Users\RZ\Documents\Opera_NI_stable.exe => ":BDU" ADS removed successfully..

 

================= Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup- /s ========================

 

not found.

 

====== End of Folder: ======

 

========================= File: C:\windows\system32\umstartup000.etl ========================

File not signed

MD5: 97E8D5445344A16FCC538A523933B0BA

Creation and modification date: 2009-07-13 - 2015-11-18

Size: 0012288

Attributes: ----A

Company Name:

Internal Name:

Original Name:

Product:

Description:

File Version:

Product Version:

Copyright:

====== End of File: ======

MBRDUMP.txt is made successfully.

 

==== End of Fixlog 06:32:46 ====

 

2) MBRDUMP

 

==============================================

 


 

==============================================

 

3) Results - ListParts

 

ListParts by Farbar Version: 31-07-2014

Ran by Administrator (administrator) on 02-12-2015 at 06:37:56

Windows 7 (X86)

Running From: D:\

Language: English (United States)

************************************************************

========================= Memory info ======================

Percentage of memory in use: 25%

Total physical RAM: 1013.42 MB

Available physical RAM: 753.24 MB

Total Pagefile: 1513.42 MB

Available Pagefile: 1266.69 MB

Total Virtual: 2047.88 MB

Available Virtual: 1979.27 MB

======================= Partitions =========================

 

1 Drive c: (TI105860W0F) (Fixed) (Total:223.64 GB) (Free:0.12 GB) NTFS ==>[System with boot components (obtained from reading drive)]

2 Drive d: (FARBAR) (Removable) (Total:7.53 GB) (Free:7.53 GB) FAT32

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 232 GB 0 B

Disk 1 Online 7728 MB 0 B

Partitions of Disk 0:

===============

Disk ID: 3125EBE5

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Recovery 1500 MB 1024 KB

Partition 2 Primary 223 GB 1501 MB

Partition 3 Primary 7970 MB 225 GB

======================================================================================================

Disk: 0

Partition 1

Type : 27

Hidden: Yes

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 System NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 0 C TI105860W0F NTFS Partition 223 GB Healthy Boot

======================================================================================================

Disk: 0

Partition 3

Type : 17

Hidden: Yes

Active: No

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:

===============

Disk ID: B6BC67C1

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 7726 MB 31 KB

======================================================================================================

Disk: 1

Partition 1

Type : 0B

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 D FARBAR FAT32 Removable 7726 MB Healthy

======================================================================================================

============================== MBR Partition Table ================================================

Partitions of Disk 0:

===============

Disk ID: 3125EBE5

Partition 1: (Active) - (Size=1 GB) - (Type=27)

Partition 2: (Not Active) - (Size=224 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=8 GB) - (Type=17)

==============================

Partitions of Disk 1:

===============

Disk ID: B6BC67C1

Partition 1: (Active) - (Size=8 GB) - (Type=0B)

Windows Boot Manager

--------------------

identifier {bootmgr}

device partition=\Device\HarddiskVolume1

description Windows Boot Manager

locale en-US

inherit {globalsettings}

default {current}

resumeobject {7096f7a0-096f-11e0-b1e5-ebbe0530b3c6}

displayorder {current}

toolsdisplayorder {memdiag}

timeout 30

Windows Boot Loader

-------------------

identifier {current}

device partition=C:

path \windows\system32\winload.exe

description Windows 7

locale en-US

inherit {bootloadersettings}

recoverysequence {7096f7a2-096f-11e0-b1e5-ebbe0530b3c6}

recoveryenabled Yes

osdevice partition=C:

systemroot \windows

resumeobject {7096f7a0-096f-11e0-b1e5-ebbe0530b3c6}

nx OptIn

vga No

bootlog No

Windows Boot Loader

-------------------

identifier {7096f7a2-096f-11e0-b1e5-ebbe0530b3c6}

device ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{7096f7a3-096f-11e0-b1e5-ebbe0530b3c6}

path \windows\system32\winload.exe

description Windows Recovery Environment

inherit {bootloadersettings}

osdevice ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{7096f7a3-096f-11e0-b1e5-ebbe0530b3c6}

systemroot \windows

nx OptIn

winpe Yes

Resume from Hibernate

---------------------

identifier {7096f7a0-096f-11e0-b1e5-ebbe0530b3c6}

device partition=C:

path \windows\system32\winresume.exe

description Windows Resume Application

locale en-US

inherit {resumeloadersettings}

filedevice partition=C:

filepath \hiberfil.sys

pae Yes

debugoptionenabled No

Windows Memory Tester

---------------------

identifier {memdiag}

device partition=\Device\HarddiskVolume1

path \boot\memtest.exe

description Windows Memory Diagnostic

locale en-US

inherit {globalsettings}

badmemoryaccess Yes

EMS Settings

------------

identifier {emssettings}

bootems Yes

Debugger Settings

-----------------

identifier {dbgsettings}

debugtype Serial

debugport 1

baudrate 115200

RAM Defects

-----------

identifier {badmemory}

Global Settings

---------------

identifier {globalsettings}

inherit {dbgsettings}

{emssettings}

{badmemory}

Boot Loader Settings

--------------------

identifier {bootloadersettings}

inherit {globalsettings}

{hypervisorsettings}

Hypervisor Settings

-------------------

identifier {hypervisorsettings}

hypervisordebugtype Serial

hypervisordebugport 1

hypervisorbaudrate 115200

Resume Loader Settings

----------------------

identifier {resumeloadersettings}

inherit {globalsettings}

Device options

--------------

identifier {7096f7a3-096f-11e0-b1e5-ebbe0530b3c6}

description Ramdisk Options

ramdisksdidevice partition=\Device\HarddiskVolume1

ramdisksdipath \Recovery\WindowsRE\boot.sdi

 

****** End Of Log ******



#4 Oh My!


Posted 02 December 2015 - 03:30 PM

Hi Mark, nice to meet you as well.

The report you posted shows that you followed the steps while in Safe Mode rather than the Recovery Environment. It is important to follow the steps as provided. We may have to repeat one of the steps later. 

Boot Mode: Safe Mode (minimal)


Please do this next.

===================================================

Running a ListParts Fix in Normal Mode or Safe Mode

--------------
  • Press the Windows key + R on your keyboard at the same time
  • Type Notepad and press Enter
  • Copy and paste the contents of the below into Notepad
Disk=0 Partition=3 type=07
  • Save the file onto your desktop as Fix.txt
  • Double click the ListParts icon on your desktop
  • Press Fix
  • When finished please press the Scan button
  • A Result.txt document will appear on your desktop
  • Copy and paste the contents in your reply
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
C:\windows\system32\umstartup000.etl
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Reboot your computer and check the performance
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Listparts log
  • Fixlog
  • Update on computer behavior

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."
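Added example, not part of the thread and not Farbar's code: the ListParts log in post #3 reports types 27, 07 and 17 for the three partitions of Disk 0, and the Fix.txt line in post #4 names partition 3 and type 07. This Python code decodes those fields from a raw 512-byte MBR sector, checks the table for inconsistencies, and shows that 17 and 07 differ by a single byte. The sector is constructed to mirror the log's layout; the CHS bytes, the exact sector counts, and the assumption that a saved MBR is the raw first sector are mine.

```python
import struct

SECTOR_SIZE = 512
DISK_ID_OFFSET = 440   # 32-bit disk signature ("Disk ID" in the log), little-endian
TABLE_OFFSET = 446     # four 16-byte partition entries start here
# Type IDs that appear in the ListParts log (27, 07, 17, 0B).
TYPE_NAMES = {0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32",
              0x17: "hidden NTFS/HPFS", 0x27: "hidden recovery (WinRE)"}
# Hidden type IDs and their visible counterparts (hidden = visible | 0x10).
HIDDEN_TO_VISIBLE = {0x11: 0x01, 0x14: 0x04, 0x16: 0x06, 0x17: 0x07,
                     0x1B: 0x0B, 0x1C: 0x0C, 0x1E: 0x0E}


def parse_mbr(sector):
    """Decode the disk ID and the used primary partition entries of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 55 AA missing")
    disk_id = "%08X" % struct.unpack_from("<I", sector, DISK_ID_OFFSET)[0]
    parts = []
    for n in range(4):
        status, _chs_first, ptype, _chs_last, start, count = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFFSET + 16 * n)
        if ptype == 0x00 and count == 0:
            continue  # unused slot
        parts.append({
            "number": n + 1, "status": status, "active": status == 0x80,
            "type": ptype, "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "start_lba": start, "sectors": count,
            "offset_mb": start * SECTOR_SIZE // 2**20,
            "size_mb": count * SECTOR_SIZE // 2**20,
        })
    return {"disk_id": disk_id, "partitions": parts}


def audit(mbr):
    """Return human-readable notes about anything unusual in the table."""
    notes = []
    parts = mbr["partitions"]
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            notes.append("partition %d: invalid status byte 0x%02X"
                         % (p["number"], p["status"]))
        if p["type"] in HIDDEN_TO_VISIBLE:
            notes.append("partition %d: type %02X is the hidden form of %02X"
                         % (p["number"], p["type"], HIDDEN_TO_VISIBLE[p["type"]]))
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        notes.append("expected exactly one active partition, found %d" % len(active))
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            notes.append("partitions %d and %d overlap" % (a["number"], b["number"]))
    return notes


def set_type(sector, number, new_type):
    """Return an in-memory copy with one partition's type byte replaced."""
    patched = bytearray(sector)
    patched[TABLE_OFFSET + 16 * (number - 1) + 4] = new_type
    return bytes(patched)


def build_sample_mbr():
    """Constructed sector mirroring the ListParts layout (not the poster's MBR)."""
    mib = 2048  # sectors per MiB at 512 bytes per sector
    layout = [
        (0x80, 0x27, 1 * mib, 1500 * mib),         # active, 1024 KB offset, 1500 MB
        (0x00, 0x07, 1501 * mib, 228864 * mib),    # 1501 MB offset, about 223 GB
        (0x00, 0x17, 230365 * mib, 7970 * mib),    # about 225 GB offset, 7970 MB
    ]
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_ID_OFFSET, 0x3125EBE5)
    for n, (status, ptype, start, count) in enumerate(layout):
        # CHS fields are filled with the usual "use LBA" marker FE FF FF.
        struct.pack_into("<B3sB3sII", sector, TABLE_OFFSET + 16 * n,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    raw = build_sample_mbr()
    mbr = parse_mbr(raw)
    print("Disk ID:", mbr["disk_id"])
    for p in mbr["partitions"]:
        print("Partition %d: %s - Size=%d MB - Offset=%d MB - Type=%02X (%s)" % (
            p["number"], "Active" if p["active"] else "Not Active",
            p["size_mb"], p["offset_mb"], p["type"], p["type_name"]))
    for note in audit(mbr):
        print("NOTE:", note)
    print("After type=07 on partition 3:", audit(parse_mbr(set_type(raw, 3, 0x07))))
```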

#5 RecycleZone


Posted 02 December 2015 - 05:41 PM

Gary, I am unable to access the desktop in Normal Mode as a blank Windows screen appears with the restart-log-off button at the bottom right. I've also tried Safe Mode, and the desktop does appear there, briefly, but then is quickly hijacked by the white screen.

 

I've also pressed the Windows key + r on keyboard at the same time, but nothing happens.

 

When I tried to access the Recovery Environment before, the process would stop before loading the initial screen.  I can now access the Recovery Environment, and repeat the earlier steps, if that would help?

 

Thanks.



#6 Oh My!


Posted 02 December 2015 - 06:34 PM

Thanks for the update. If you run into a problem let me know because that might provide a clue about what we are dealing with and what we can do.

I have modified the initial instructions in the Recovery Environment to remove a file. Please attempt the steps again and when you get the mbrdump.txt file it must be attached.
Gary
 

#7 RecycleZone


Posted 03 December 2015 - 02:33 AM

Gary:

 

Another update: I am no longer able to access the Recovery Environment to launch the command prompt from the "Repair Your Computer" section. I am now greeted by this friendly message:

--------------------------------------------------------------------------------------------------

"Windows failed to start. A recent hardware or software change might be the cause.
To fix the problem:

1. Insert your Windows installation disc and restart the computer.
2. Choose your language settings and click next.
3. Click "Repair your computer"

 

If you do not have this disc, contact your system administrator or computer manufacture for assistance.

Status:0xc000000f

 

Info: The boot device failed because a required device is inaccessible."

--------------------------------------------------------------------------------------------------

I do not have the Windows installation disc as Windows was preloaded and there is no back-up of which I am aware.

 

I tried keeping the flash drive in the USB slot while pressing F8, to see if that would do anything to get to the Recovery Environment. And it didn't. The USB flash drive was the only device ever connected to this computer during this process. As a precaution, I scanned the flash drive with current McAfee Internet Security which didn't find anything, even though I think this virus can circumvent a lot of the existing Antivirus software.

 

What still works:

 

1) Safe Mode, where the original desktop briefly appears and then is quickly hijacked by the white screen. The original document files seem intact from the momentary glance before the desktop is sabotaged by the white screen.  (I believe Safe Mode with Networking will follow the same routine)

 

2) Safe Mode with Command Prompt, which I tested with a USB drive and launched both the Farbar and ListParts tools. I did not run either tool. I just wanted to be able to provide you with some useful information.

 

Since I can't access the recovery environment, I did not run anything so that I could wait for your analysis and advice before proceeding further.

 

By the way, are these symptoms common with this particular virus?

 

I also wanted to mention something that might be of interest or maybe helpful: When the Desktop used to briefly appear at the outset of this infection (one week ago), I was occasionally able to get around the virus by quickly running CCleaner in the 30 seconds or so before the white screen hijack. When I was successful in launching CCleaner, the white screen would take over the desktop as usual, but I would press the ESC key and the Desktop would return with the white screen virus visible in the bottom taskbar. This process depended on very quick timing though, and it wasn't always successful. Since I know you want me to run these tools in a normal environment, I figured it was worth mentioning in case that presents an option, should the desktop be accessible again.

 

There was one restore point, which was created by one of the repair tools after the virus. Is that an option?

 

Thanks for your patience, and I look forward to your next post. -- Regards, Mark



#8 Oh My!


Posted 03 December 2015 - 09:51 AM

Do you have an external CD/DVD device?
Gary
 

#9 RecycleZone


Posted 04 December 2015 - 04:22 AM

Hi Gary:

 

I apologize if this problem has become more complicated and very much appreciate your continuing help.

 

I'm sure I can access an external CD/DVD device. The netbook also has 3 USB ports, which seem accessible through boot setup. I tried the boot setup option just to make sure, and it works.

 

Is it possible that the recovery partition may have been corrupted or the drive letter for that partition may have been deleted? Is there a way to confirm that? Is there an effective way to repair or recover a deleted or corrupted recovery partition, if that's the issue?

 

As always, thanks -- Mark



#10 Oh My!


Posted 04 December 2015 - 11:12 AM

Hi Mark,

I appreciate your consideration but it is not uncommon for problems to become more complex. I am used to that. Don't worry about trying to get an external CD drive just yet. We will try to work around that.

Because you are able to boot into Windows I don't think your Recovery Partition or drive letters are a problem. Please rerun a FRST scan including Addition.txt and post the logs. I want to take a fresh look at things before providing our next step.
Gary
 

#11 RecycleZone


Posted 05 December 2015 - 04:04 AM

Thanks Gary, for the reassuring message. I was really starting to lose hope that these inconvenient roadblocks were going to stall any further progress. I'm glad to know from your experience that problems becoming more complex are not that uncommon.

 

The results of the FRST scan including the Addition.txt are posted below. (As I am unable to get into the Recovery environment, the scan was run through Safe Mode with Command Prompt). I appreciate your time and will look forward to your evaluation.

 

Thanks --Mark

 

*  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  *  * 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:01-12-2015
Ran by Administrator (administrator) on - (05-12-2015 01:57:42)
Running from D:\
Loaded Profiles: Administrator (Available Profiles: RZ & Administrator)
Platform: Microsoft Windows 7 Starter  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\cmd.exe

==================== Registry (Whitelisted) ===========================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [UnlockerAssistant] => C:\Program Files\Unlocker\UnlockerAssistant.exe [17408 2010-07-04] ()
HKLM Group Policy restriction on software: %ALLUSERSPROFILE%\* <====== ATTENTION
HKLM Group Policy restriction on software: %SystemRoot%\Fonts\* <====== ATTENTION
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\* <====== ATTENTION
HKLM Group Policy restriction on software: %SystemDrive%\$Recycle.Bin\* <====== ATTENTION
HKLM Group Policy restriction on software: %APPDATA%\Microsoft\* <====== ATTENTION
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\Local\Google\* <====== ATTENTION
HKLM Group Policy restriction on software: %APPDATA%\Macromedia\* <====== ATTENTION
HKLM Group Policy restriction on software: %ALLUSERSPROFILE%\Oracle\Java\* <====== ATTENTION
HKLM Group Policy restriction on software: %APPDATA%\Microsoft\Internet Explorer\Quick Launch\* <====== ATTENTION
HKLM Group Policy restriction on software: %APPDATA%\Microsoft\Windows\Recent\* <====== ATTENTION
HKLM Group Policy restriction on software: %ALLUSERSPROFILE%\Skype\* <====== ATTENTION
HKLM Group Policy restriction on software: %ALLUSERSPROFILE%\UVK\Immunization\* <====== ATTENTION
HKLM Group Policy restriction on software: %ALLUSERSPROFILE%\Intuit\* <====== ATTENTION
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\Local\Apps\2.0\* <====== ATTENTION
HKLM Group Policy restriction on software: %ALLUSERSPROFILE%\Google\* <====== ATTENTION
HKLM Group Policy restriction on software: %SystemDrive%\Users\Public\* <====== ATTENTION
HKLM Group Policy restriction on software: %APPDATA%\Microsoft\Windows\Start Menu\* <====== ATTENTION
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\* <====== ATTENTION
HKLM Group Policy restriction on software: %ALLUSERSPROFILE%\Intel\* <====== ATTENTION
HKLM Group Policy restriction on software: %ALLUSERSPROFILE%\Adobe\* <====== ATTENTION
HKLM Group Policy restriction on software: %ALLUSERSPROFILE%\Microsoft\* <====== ATTENTION
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\Local\2Browse\* <====== ATTENTION
HKLM Group Policy restriction on software: %ALLUSERSPROFILE%\Package Cache\* <====== ATTENTION
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\Local\Temp\* <====== ATTENTION
HKLM Group Policy restriction on software: %SystemDrive%\Users\Public\Desktop\* <====== ATTENTION
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\LocalLow\Microsoft\* <====== ATTENTION
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\Local\Microsoft\* <====== ATTENTION
HKLM Group Policy restriction on software: %USERPROFILE%\AppData\LocalLow\Sun\Java\* <====== ATTENTION
HKU\S-1-5-21-1956770879-1816902715-2261419009-500\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [4826904 2014-10-29] (Piriform Ltd)
HKU\S-1-5-21-1956770879-1816902715-2261419009-500\...\RunOnce: [Report] => C:\AdwCleaner\AdwCleaner[C1].txt [1141 2015-11-30] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: Hosts file not detected in the default directory

Internet Explorer:
==================

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
SearchScopes: HKLM -> DefaultScope {CFA4741B-866B-41E9-A3C6-DF0C01766446} URL = hxxp://www.bing.com/search?q={searchTerms}&form=TSHTDF&pc=MATB&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {CFA4741B-866B-41E9-A3C6-DF0C01766446} URL = hxxp://www.bing.com/search?q={searchTerms}&form=TSHTDF&pc=MATB&src=IE-SearchBox
BHO: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2010-05-14] (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-06-07] (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)

FireFox:
========

FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF32_16_0_0_235.dll [2014-12-15] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @Microsoft.com/NpWinExt,version=5.0 -> C:\Program Files\MSN Toolbar\Platform\5.0.1407.0\npwinext.dll [2010-03-11] (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2012-12-18] (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [msntoolbar@msn.com] - C:\Program Files\MSN Toolbar\Platform\5.0.1407.0\Firefox
FF Extension: Bing Bar - C:\Program Files\MSN Toolbar\Platform\5.0.1407.0\Firefox [2010-05-09] [not signed]
FF HKLM\...\Firefox\Extensions: [{A27F3FEF-1113-4cfb-A032-8E12D7D8EE70}] - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension
FF Extension: Firefox Synchronisation Extension - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension [2011-09-03] [not signed]
FF HKLM\...\Firefox\Extensions: [{27182e60-b5f3-411c-b545-b44205977502}] - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension
FF Extension: Search Helper Extension - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension [2011-11-13] [not signed]
FF HKLM\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2014-07-07] [not signed]
FF HKLM\...\Thunderbird\Extensions: [{CCB7D94B-CA92-4E3F-B79D-ADE0F07ADC74}] - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension
FF Extension: Thunderbird Address Book Synchronisation Extension - C:\Program Files\Nokia\Nokia Ovi Suite\Connectors\Thunderbird Connector\ThunderbirdExtension [2011-09-03] [not signed]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [106248 2015-11-23] (SurfRight B.V.)
S4 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S4 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.226\McCHSvc.exe [235696 2015-10-30] (McAfee, Inc.)
S4 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [54136 2011-02-11] (TOSHIBA Corporation)
S4 TOSHIBA HDD SSD Alert Service; C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [111960 2010-02-05] (TOSHIBA Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ampa; C:\windows\system32\ampa.sys [14448 2013-12-18] ()
S3 btaudio; C:\windows\System32\drivers\btaudio.sys [534440 2008-04-15] (Broadcom Corporation.)
S3 BTDriver; C:\windows\System32\DRIVERS\btport.sys [37160 2008-02-04] (Broadcom Corporation.)
S3 BTKRNL; C:\windows\System32\DRIVERS\btkrnl.sys [990632 2008-04-15] (Broadcom Corporation.)
S3 BTWDNDIS; C:\windows\System32\DRIVERS\btwdndis.sys [156392 2007-09-20] (Broadcom Corporation.)
S3 btwhid; C:\windows\System32\DRIVERS\btwhid.sys [57384 2008-03-10] (Broadcom Corporation.)
S3 BTWUSB; C:\windows\System32\Drivers\btwusb.sys [47272 2008-03-27] (Broadcom Corporation.)
S3 LEqdUsb; C:\windows\System32\Drivers\LEqdUsb.Sys [42264 2014-03-18] (Logitech, Inc.)
S3 LHidEqd; C:\windows\System32\Drivers\LHidEqd.Sys [10136 2014-03-18] (Logitech, Inc.)
R0 LPCFilter; C:\windows\System32\DRIVERS\LPCFilter.sys [36208 2009-07-30] (COMPAL ELECTRONIC INC.)
S3 mbamchameleon; C:\windows\system32\drivers\mbamchameleon.sys [94936 2015-11-30] (Malwarebytes)
S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [23256 2015-10-05] (Malwarebytes)
S3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [170200 2015-11-30] (Malwarebytes)
S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [51928 2015-10-05] (Malwarebytes Corporation)
S3 pwdspio; C:\windows\system32\pwdspio.sys [13064 2015-03-05] ()
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [30848 2015-12-02] ()
U5 AppMgmt; C:\windows\system32\svchost.exe [20992 2015-11-18] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-02 05:09 - 2015-12-02 06:04 - 00000000 ____D C:\ProgramData\RogueKiller
2015-12-02 05:09 - 2015-12-02 05:09 - 00030848 _____ C:\windows\system32\Drivers\TrueSight.sys
2015-11-30 07:09 - 2015-11-30 07:09 - 00003224 _____ C:\bootsqm.dat
2015-11-30 05:38 - 2015-11-30 05:38 - 00111288 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2015-11-30 04:23 - 2015-11-30 04:24 - 00000000 ____D C:\ProgramData\Sophos
2015-11-30 04:04 - 2015-11-30 04:07 - 00004978 _____ C:\Users\Administrator\Desktop\Rkill.txt
2015-11-30 03:41 - 2015-11-30 03:45 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-11-30 03:40 - 2015-11-30 03:58 - 00000000 ____D C:\Users\Administrator\Desktop\mbar
2015-11-27 04:19 - 2015-11-27 04:19 - 00014232 _____ C:\ComboFix.txt
2015-11-27 03:41 - 2011-06-25 22:45 - 00256000 _____ C:\windows\PEV.exe
2015-11-27 03:41 - 2010-11-07 09:20 - 00208896 _____ C:\windows\MBR.exe
2015-11-27 03:41 - 2009-04-19 20:56 - 00060416 _____ (NirSoft) C:\windows\NIRCMD.exe
2015-11-27 03:41 - 2000-08-30 16:00 - 00518144 _____ (SteelWerX) C:\windows\SWREG.exe
2015-11-27 03:41 - 2000-08-30 16:00 - 00406528 _____ (SteelWerX) C:\windows\SWSC.exe
2015-11-27 03:41 - 2000-08-30 16:00 - 00098816 _____ C:\windows\sed.exe
2015-11-27 03:41 - 2000-08-30 16:00 - 00080412 _____ C:\windows\grep.exe
2015-11-27 03:41 - 2000-08-30 16:00 - 00068096 _____ C:\windows\zip.exe
2015-11-27 03:40 - 2015-11-27 04:19 - 00000000 ____D C:\Qoobox
2015-11-27 03:40 - 2015-11-27 04:15 - 00000000 ____D C:\windows\erdnt
2015-11-26 23:49 - 2015-11-26 23:49 - 00000000 ____D C:\ProgramData\AVAST Software
2015-11-26 15:23 - 2015-11-26 15:23 - 00944732 _____ C:\Users\RZ\Desktop\00000-ntbtlog.txt
2015-11-26 14:41 - 2015-12-05 01:57 - 10589476 _____ C:\windows\ntbtlog.txt
2015-11-26 05:01 - 2015-11-26 05:01 - 00000000 ____D C:\Users\Administrator\AppData\Local\Acelogix
2015-11-26 04:21 - 2015-11-26 04:21 - 00006010 ____R C:\Users\Administrator\Desktop\Pre_Scan_26_11_2015_04_21_37.txt
2015-11-26 04:21 - 2015-11-26 04:21 - 00006010 ____R C:\Pre_Scan_26_11_2015_04_21_37.txt
2015-11-26 04:21 - 2015-11-26 04:21 - 00000969 _____ C:\Users\Administrator\Desktop\Internet Explorer.lnk
2015-11-26 03:21 - 2015-11-26 04:21 - 00000000 ____D C:\Pre_Scan
2015-11-26 03:21 - 2015-11-26 03:31 - 00001537 _____ C:\Users\Administrator\Desktop\Pre_Scan_Restore.lnk
2015-11-26 03:21 - 2015-11-26 03:31 - 00001135 _____ C:\Users\Administrator\Desktop\Pre_Scan_Donate.lnk
2015-11-26 03:11 - 2015-11-26 03:11 - 00000000 ____D C:\ProgramData\RegRun
2015-11-26 03:08 - 2015-11-26 03:16 - 00000000 ____D C:\Users\Public\Documents\regruninfo
2015-11-26 03:08 - 2015-11-26 03:14 - 00000000 ____D C:\Users\Administrator\Documents\RegRun2
2015-11-26 03:08 - 2015-11-26 03:08 - 00000976 _____ C:\Users\Administrator\Desktop\UnHackMe.lnk
2015-11-26 03:08 - 2015-11-26 03:08 - 00000002 _RSOT C:\windows\winstart.bat
2015-11-26 03:07 - 2015-11-26 03:09 - 00000000 ____D C:\Program Files\UnHackMe
2015-11-26 02:51 - 2015-11-30 05:16 - 00000000 ____D C:\AdwCleaner
2015-11-26 01:50 - 2015-11-26 01:50 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Opera Software
2015-11-26 01:50 - 2015-11-26 01:50 - 00000000 ____D C:\Users\Administrator\AppData\Local\Opera Software
2015-11-26 01:24 - 2015-11-30 16:19 - 00000000 ____D C:\Users\Administrator\AppData\Local\CrashDumps
2015-11-26 01:00 - 2015-11-30 05:30 - 00000798 _____ C:\Users\Administrator\Desktop\JRT.txt
2015-11-26 00:00 - 2015-11-26 00:00 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
2015-11-26 00:00 - 2015-11-26 00:00 - 00000000 _SHDL C:\Users\Administrator\My Documents
2015-11-26 00:00 - 2015-11-26 00:00 - 00000000 _SHDL C:\Users\Administrator\Documents\My Videos
2015-11-26 00:00 - 2015-11-26 00:00 - 00000000 _SHDL C:\Users\Administrator\Documents\My Pictures
2015-11-26 00:00 - 2015-11-26 00:00 - 00000000 _SHDL C:\Users\Administrator\Documents\My Music
2015-11-26 00:00 - 2015-11-26 00:00 - 00000000 ____D C:\Users\Administrator
2015-11-26 00:00 - 2011-11-13 11:44 - 00000000 ____D C:\Users\Administrator\AppData\Local\Microsoft Help
2015-11-25 18:12 - 2015-11-25 18:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UVK - Ultra Virus Killer
2015-11-25 18:03 - 2015-11-25 18:03 - 00001512 _____ C:\Users\RZ\Desktop\Norton Download Manager.lnk
2015-11-25 18:03 - 2015-11-25 18:03 - 00001305 _____ C:\Users\RZ\Desktop\Norton Installation Files.lnk
2015-11-25 07:34 - 2015-11-25 07:34 - 00004656 _____ C:\Users\RZ\Desktop\UVKFixLog.txt
2015-11-25 04:59 - 2015-11-25 07:33 - 00000000 ____D C:\Users\RZ\AppData\Local\2Browse
2015-11-25 04:55 - 2015-11-25 18:12 - 00001974 _____ C:\Users\Public\Desktop\UVK - Ultra Virus Killer.lnk
2015-11-25 04:55 - 2015-11-25 18:12 - 00000000 ____D C:\Program Files\UVK - Ultra Virus Killer
2015-11-25 04:55 - 2015-11-25 07:22 - 00000000 ____D C:\ProgramData\UVK
2015-11-25 02:09 - 2015-11-25 02:15 - 00000803 _____ C:\Users\RZ\Desktop\Find.txt
2015-11-24 07:38 - 2015-11-24 07:38 - 00000000 ____D C:\Users\RZ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Unlocker
2015-11-24 07:38 - 2015-11-24 07:38 - 00000000 ____D C:\Program Files\Unlocker
2015-11-24 06:31 - 2015-11-24 06:34 - 00192744 _____ C:\TDSSKiller.3.1.0.6_24.11.2015_06.31.07_log.txt
2015-11-23 10:02 - 2015-11-23 10:02 - 00000050 _____ C:\.directory
2015-11-23 04:14 - 2015-11-23 04:22 - 00024208 _____ C:\Users\RZ\Desktop\sfcdetails.txt
2015-11-23 03:11 - 2015-11-23 03:11 - 00001908 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2015-11-23 03:11 - 2015-11-23 03:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2015-11-23 02:06 - 2015-11-23 02:06 - 00001075 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-11-23 01:40 - 2015-11-23 02:02 - 00005114 _____ C:\Users\RZ\Desktop\Rkill.txt
2015-11-21 18:02 - 2015-11-21 18:02 - 00005788 _____ C:\Users\RZ\Documents\startup.txt
2015-11-21 17:59 - 2015-11-21 18:00 - 00006244 _____ C:\Users\RZ\Desktop\cc_20151121_175943.reg
2015-11-21 03:24 - 2015-12-05 01:57 - 00000000 ____D C:\FRST
2015-11-21 01:28 - 2015-11-21 17:49 - 00000000 ____D C:\windows\Microsoft Antimalware
2015-11-20 23:28 - 2015-11-21 17:49 - 00000000 ____D C:\Users\norton
2015-11-20 23:28 - 2015-11-20 23:28 - 00000000 _SHDL C:\Users\norton\My Documents
2015-11-20 23:28 - 2015-11-20 23:28 - 00000000 _SHDL C:\Users\norton\Documents\My Videos
2015-11-20 23:28 - 2015-11-20 23:28 - 00000000 _SHDL C:\Users\norton\Documents\My Pictures
2015-11-20 23:28 - 2015-11-20 23:28 - 00000000 _SHDL C:\Users\norton\Documents\My Music
2015-11-20 23:28 - 2011-11-13 11:44 - 00000000 ____D C:\Users\norton\AppData\Local\Microsoft Help
2015-11-20 16:49 - 2015-11-23 03:11 - 00000000 ____D C:\Program Files\HitmanPro
2015-11-18 21:57 - 2015-11-18 21:57 - 00000000 ____D C:\FixMeStick Quarantine
2015-11-18 20:13 - 2015-11-18 20:13 - 00000000 ____D C:\FixMeStick

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-12-05 01:30 - 2009-07-13 20:53 - 00000006 ____H C:\windows\Tasks\SA.DAT
2015-12-02 03:38 - 2011-04-12 10:27 - 00000000 ____D C:\Users\RZ
2015-11-30 23:22 - 2013-02-28 11:29 - 00450968 _____ C:\windows\system32\FNTCACHE.DAT
2015-11-30 03:41 - 2014-04-11 21:36 - 00170200 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-30 03:40 - 2014-04-11 21:35 - 00094936 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamchameleon.sys
2015-11-27 04:13 - 2009-07-13 18:04 - 00000215 _____ C:\windows\system.ini
2015-11-26 15:16 - 2011-04-13 20:31 - 00000000 ____D C:\windows\pss
2015-11-26 05:09 - 2011-05-10 12:32 - 00000000 ____D C:\ProgramData\TEMP
2015-11-26 05:08 - 2011-04-18 18:53 - 00000000 ____D C:\Users\RZ\AppData\Local\CrashDumps
2015-11-26 03:08 - 2009-07-13 18:04 - 00002577 _____ C:\windows\system32\config.nt
2015-11-26 03:08 - 2009-07-13 18:04 - 00001688 _____ C:\windows\system32\autoexec.nt
2015-11-25 18:04 - 2010-12-16 15:42 - 00000000 ____D C:\ProgramData\Norton
2015-11-25 18:03 - 2012-05-14 08:18 - 00000000 ____D C:\Users\Public\Downloads\Norton
2015-11-25 17:56 - 2013-02-17 23:18 - 00000000 ____D C:\Users\RZ\AppData\Local\NPE
2015-11-24 03:56 - 2013-02-27 21:40 - 00000000 ___RD C:\Users\RZ\Desktop\Anti-Virus File
2015-11-23 09:23 - 2011-10-05 21:10 - 00000000 ___RD C:\Users\RZ\Desktop\Work Files
2015-11-23 02:06 - 2014-04-11 21:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-11-23 02:06 - 2014-04-11 21:35 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-11-21 17:49 - 2015-06-13 02:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free PDF Metadata Editor
2015-11-21 17:49 - 2015-03-22 14:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free PDF Splitter
2015-11-21 17:49 - 2015-02-23 07:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDF Merge
2015-11-21 17:49 - 2014-07-07 19:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logitech
2015-11-21 17:49 - 2013-05-17 01:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Video Related Programs
2015-11-21 17:49 - 2013-02-18 15:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-11-21 17:49 - 2012-11-10 04:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NCH Software Suite
2015-11-21 17:49 - 2012-09-05 16:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon MX410 series Manual
2015-11-21 17:49 - 2012-08-12 08:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audio Related Programs
2015-11-21 17:49 - 2012-03-11 14:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PeaZip
2015-11-21 17:49 - 2011-11-13 11:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-11-21 17:49 - 2011-11-07 15:38 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mp3 My Mp3 3.1
2015-11-21 17:49 - 2011-10-12 17:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PDFCreator
2015-11-21 17:49 - 2011-10-11 01:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CPUID
2015-11-21 17:49 - 2011-09-03 15:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nokia
2015-11-21 17:49 - 2011-05-10 12:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ace Utilities
2015-11-21 17:49 - 2011-05-07 15:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Canon Utilities
2015-11-21 17:49 - 2010-12-16 15:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Best Buy Software Installer
2015-11-21 17:49 - 2010-12-16 15:41 - 00000000 ____D C:\Program Files\Best Buy Software Installer
2015-11-21 17:49 - 2010-12-16 15:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel® Matrix Storage Manager
2015-11-21 17:49 - 2010-12-16 15:07 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2015-11-21 17:49 - 2010-12-16 14:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Works
2015-11-21 17:49 - 2010-05-09 05:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live
2015-11-21 17:49 - 2010-05-09 05:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\My Toshiba
2015-11-21 17:49 - 2010-05-09 05:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TOSHIBA
2015-11-21 17:49 - 2009-07-13 20:52 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-11-21 17:49 - 2009-07-13 18:37 - 00000000 ____D C:\windows\registration
2015-11-19 13:55 - 2012-01-22 16:42 - 00000000 ____D C:\Users\RZ\Desktop\Law Stuff 1
2015-11-19 13:55 - 2011-12-30 11:19 - 00000000 ____D C:\Users\RZ\Desktop\Book Stuff
2015-11-19 13:54 - 2015-05-02 17:56 - 00000000 ___HD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup-
2015-11-19 13:54 - 2014-11-27 01:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Antivirus Free Edition
2015-11-19 11:34 - 2009-07-13 20:53 - 00032630 _____ C:\windows\Tasks\SCHEDLGU.TXT
2015-11-19 10:13 - 2009-07-13 20:34 - 00021504 _____ C:\windows\system32\umstartup.etl
2015-11-19 07:11 - 2012-06-08 05:28 - 00007615 _____ C:\Users\RZ\AppData\Local\Resmon.ResmonCfg
2015-11-18 22:36 - 2009-07-13 15:19 - 00020992 _____ (Microsoft Corporation) C:\windows\system32\svchost.exe
2015-11-18 21:58 - 2015-06-17 05:09 - 00000000 ____D C:\Users\RZ\Desktop\PDF Compressor
2015-11-18 21:58 - 2015-03-22 14:29 - 00000000 ____D C:\Users\RZ\Desktop\PDF Splitter
2015-11-18 21:58 - 2015-02-23 06:46 - 00000000 ____D C:\Users\RZ\Desktop\PDFMerger
2015-11-18 13:33 - 2011-05-10 12:35 - 00000000 ____D C:\Users\RZ\Documents\Ace Utilities Backups
2015-11-18 13:05 - 2009-07-13 20:34 - 00012288 _____ C:\windows\system32\umstartup000.etl

==================== Files in the root of some directories =======

2015-11-19 13:47 - 2015-11-23 03:48 - 0008234 _____ () C:\ProgramData\NanoLog001.log

Some files in TEMP:

====================

C:\Users\RZ\AppData\Local\temp\dllnt_dump.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\windows\explorer.exe => File is digitally signed
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-11-01 05:58

==================== End of FRST.txt ============================

START - ADDITIONS.TXT

Additional scan result of Farbar Recovery Scan Tool (x86) Version:01-12-2015
Ran by Administrator (2015-12-05 01:59:33)
Running from D:\
Microsoft Windows 7 Starter  Service Pack 1 (X86) (2011-04-12 18:27:17)
Boot Mode: Safe Mode (minimal)
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-1956770879-1816902715-2261419009-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-1956770879-1816902715-2261419009-501 - Limited - Enabled)
RZ (S-1-5-21-1956770879-1816902715-2261419009-1000 - Administrator - Enabled) => C:\Users\RZ

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Ace Utilities (HKLM\...\Ace Utilities_is1) (Version: 5.9.0 - Acelogix Software)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.239 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 16.0.0.235 - Adobe Systems Incorporated)
Adobe Reader 9.5.3 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.3 - Adobe Systems Incorporated)
Atheros Driver Installation Program (HKLM\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 5.2 - Atheros)
Bing Bar (HKLM\...\{08234a0d-cf39-4dca-99f0-0c5cb496da81}) (Version: 5.0.1407.0 - Microsoft Corporation)
Bing Bar Platform (Version: 5.0.1407.0 - Microsoft Corporation) Hidden
Canon Inkjet Printer Driver Add-On Module (HKLM\...\CANONIJINBOXADDON100) (Version:  - )
Canon My Printer (HKLM\...\CanonMyPrinter) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 4.19 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
CPUID CPU-Z 1.58 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
Free PDF Metadata Editor (remove only) (HKLM\...\Free PDF Metadata Editor) (Version:  - )
Free PDF Splitter (HKLM\...\{FDD848D0-C82C-4DD0-9853-65D5067FBFB1}) (Version: 1.0.0 - Free PDF Solutions)
Futuremark SystemInfo (HKLM\...\{BEE64C14-BEF1-4610-8A68-A16EAA47B882}) (Version: 3.62.1.1 - Futuremark Corporation)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.10.251 - SurfRight B.V.)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.14.10.2117 - Intel Corporation)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - Intel Corporation)
Junk Mail filter update (Version: 14.0.8089.726 - Microsoft Corporation) Hidden
K-Lite Codec Pack 7.0.0 (Standard) (HKLM\...\KLiteCodecPack_is1) (Version: 7.0.0 - )
Logitech SetPoint 6.65 (HKLM\...\sp6) (Version: 6.65.62 - Logitech)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.11.226.1 - McAfee, Inc.)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office Small Business 2007 (HKLM\...\SMALLBUSINESSR) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Works (HKLM\...\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}) (Version: 9.7.0621 - Microsoft Corporation)
MixPad (HKLM\...\MixPad) (Version:  - NCH Software)
Mp3 My Mp3 3.1 (HKLM\...\Mp3 My Mp3 3.1) (Version: 3.1 - Digital Liquid Ltd)
Mp3 My Mp3 3.1 (Version: 3.1 - Digital Liquid Ltd) Hidden
MSVC80_x86_v2 (Version: 1.0.3.0 - Nokia) Hidden
MSVC90_x86 (Version: 1.0.1.2 - Nokia) Hidden
MSXML 4.0 SP3 Parser (KB2721691) (HKLM\...\{355B5AC0-CEEE-42C5-AD4D-7F3CFD806C36}) (Version: 4.30.2114.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB973685) (HKLM\...\{859DFA95-E4A6-48CD-B88E-A3E483E89B44}) (Version: 4.30.2107.0 - Microsoft Corporation)
Nokia Connectivity Cable Driver (HKLM\...\{2D99A593-C841-43A7-B7C9-D6F3AE70B756}) (Version: 7.1.45.0 - Nokia)
Nokia Ovi Suite (HKLM\...\Nokia Ovi Suite) (Version: 3.1.1.85 - Nokia)
Nokia Ovi Suite (Version: 3.1.1.85 - Nokia) Hidden
Opera Stable 33.0.1990.58 (HKLM\...\Opera 33.0.1990.58) (Version: 33.0.1990.58 - Opera Software)
Ovi Desktop Sync Engine (Version: 1.5.266.0 - Nokia) Hidden
OviMPlatform (Version: 2.7.72.0 - Nokia) Hidden
Panda Devices Agent (Version: 1.05.00 - Panda Security) Hidden
Panda Free Antivirus (Version: 7.84.00.0000 - Panda Security) Hidden
PC Connectivity Solution (HKLM\...\{C373F7C4-05D2-4047-96D1-6AF30661C6AA}) (Version: 11.4.19.0 - Nokia)
PDF Merge (HKLM\...\{50217A00-46B2-40E3-8664-5C93BFFA03B0}) (Version: 1.0.0 - Free PDF Soulutions)
PDFCreator (HKLM\...\{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}) (Version: 1.2.3 - Frank Heindörfer, Philip Chinery)
PeaZip 4.7.3 (HKLM\...\{5A2BC38A-406C-4A5B-BF45-6991F9A05325}_is1) (Version:  - Giorgio Tani)
Realtek Ethernet Controller Driver For Windows 7 (HKLM\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.17.304.2010 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6088 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30116 - Realtek Semiconductor Corp.)
Recuva (HKLM\...\Recuva) (Version: 1.46 - Piriform)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.0.8.1 - Synaptics Incorporated)
TOSHIBA Application and Driver Installer (HKLM\...\{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}) (Version: 9.0.1.2 - TOSHIBA)
TOSHIBA Assist (HKLM\...\{12B3A009-A080-4619-9A2A-C6DB151D8D67}) (Version: 2.01.12 - TOSHIBA)
TOSHIBA Bulletin Board (HKLM\...\InstallShield_{B2FB7DBA-CEEC-41F1-BC23-3323D96290F6}) (Version: 1.6.07.32 - TOSHIBA Corporation)
TOSHIBA Flash Cards Support Utility (HKLM\...\InstallShield_{620BBA5E-F848-4D56-8BDA-584E44584C5E}) (Version: 1.63.0.5C - TOSHIBA CORPORATION)
TOSHIBA Hardware Setup (HKLM\...\InstallShield_{5279374D-87FE-4879-9385-F17278EBB9D3}) (Version: 1.63.1.19C - TOSHIBA CORPORATION)
TOSHIBA HDD/SSD Alert (HKLM\...\InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}) (Version: 3.1.0.6 - TOSHIBA Corporation)
TOSHIBA Media Controller (HKLM\...\{C7A4F26F-F9B0-41B2-8659-99181108CDE3}) (Version: 1.0.80.5 - TOSHIBA CORPORATION)
TOSHIBA Quality Application (HKLM\...\{E69992ED-A7F6-406C-9280-1C156417BC49}) (Version: 1.0.3 - TOSHIBA)
TOSHIBA Recovery Media Creator (HKLM\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 2.1.0.4 - TOSHIBA Corporation)
TOSHIBA ReelTime (HKLM\...\InstallShield_{B894522E-C079-4DC8-A305-30BA6E2F4459}) (Version: 1.6.06.32 - TOSHIBA Corporation)
TOSHIBA Service Station (HKLM\...\{AC6569FA-6919-442A-8552-073BE69E247A}) (Version: 2.2.9 - TOSHIBA)
TOSHIBA Supervisor Password (HKLM\...\InstallShield_{51B4E156-14A5-4904-9AE4-B1AA2A0E46BE}) (Version: 1.63.0.9C - TOSHIBA CORPORATION)
TOSHIBA Value Added Package (HKLM\...\InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}) (Version: 1.3.6 - TOSHIBA Corporation)
TOSHIBA Web Camera Application (HKLM\...\{5E6F6CF3-BACC-4144-868C-E14622C658F3}) (Version: 1.1.1.15 - TOSHIBA Corporation)
ToshibaRegistration (HKLM\...\{5AF550B4-BB67-4E7E-82F1-2C4300279050}) (Version: 1.0.4 - Toshiba)
UnHackMe 7.71 release (HKLM\...\UnHackMe_is1) (Version:  - Greatis Software, LLC.)
Unlocker 1.9.2 (HKLM\...\Unlocker) (Version: 1.9.2 - Cedrick Collomb)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-00CA-0000-0000-0000000FF1CE}_SMALLBUSINESSR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Utility Common Driver (Version: 1.0.52.1C - TOSHIBA) Hidden
UVK - Ultra Virus Killer (HKLM\...\UVK - Ultra virus killer) (Version: 7.5.1.0 - Carifred)
VideoPad Video Editor (HKLM\...\VideoPad) (Version:  - NCH Software)
WavePad Sound Editor (HKLM\...\WavePad) (Version:  - NCH Software)
WIDCOMM Bluetooth Software (HKLM\...\{84814E6B-2581-46EC-926A-823BD1C670F6}) (Version: 5.5.0.3200 -  )
Windows 7 Upgrade Advisor (HKLM\...\{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}) (Version: 2.0.5000.0 - Microsoft Corporation)
Windows Driver Package - Nokia pccsmcfd  (08/22/2008 7.0.0.0) (HKLM\...\504244733D18C8F63FF584AEB290E3904E791693) (Version: 08/22/2008 7.0.0.0 - Nokia)
Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8089.0726 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (HKLM\...\{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}) (Version: 6.500.3165.0 - Microsoft Corporation)
Windows Live Sync (HKLM\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
Windows Live Upload Tool (HKLM\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)

 

==================== Custom CLSID (Whitelisted): ==========================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

 

==================== Restore Points =========================

 

19-11-2015 14:07:24 Removed Panda Devices Agent.

 

==================== Scheduled Tasks (Whitelisted) =============

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {D89BC2EA-B248-4F12-8436-2348A828834F} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-10-29] (Piriform Ltd)
Task: {DB4E41E4-74AD-409C-AB6A-F3909551EB47} - System32\Tasks\Opera scheduled Autoupdate 1431305136 => C:\Program Files\Opera\launcher.exe [2015-10-30] (Opera Software)
Task: {E04514E3-0ED6-4B36-87D8-44E939567B57} - System32\Tasks\AceUtilsSkipUAC => C:\Program Files\Ace Utilities\au.exe [2015-01-12] (Acelogix Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Loaded Modules (Whitelisted) ==============

==================== Alternate Data Streams (Whitelisted) =========

 

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

 

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR311 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR430 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR501 => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "UseAlternateShell"="1"

 

==================== EXE Association (Whitelisted) ===============

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

 

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Other Areas ============================

 

(Currently there is no automatic fix for this section.)

DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)

 

==================== MSCONFIG/TASK MANAGER disabled items ==

 

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: btwdins => 2
MSCONFIG\Services: Futuremark SystemInfo Service => 3
MSCONFIG\Services: HitmanProScheduler => 2
MSCONFIG\Services: LBTServ => 3
MSCONFIG\Services: MBAMService => 2
MSCONFIG\Services: McComponentHostService => 3
MSCONFIG\Services: NanoServiceMain => 2
MSCONFIG\Services: PandaAgent => 2
MSCONFIG\Services: PSUAService => 2
MSCONFIG\Services: TMachInfo => 3
MSCONFIG\Services: TODDSrv => 2
MSCONFIG\Services: TosCoSrv => 2
MSCONFIG\Services: TOSHIBA HDD SSD Alert Service => 3
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk => C:\windows\pss\Bluetooth.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk => C:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
MSCONFIG\startupreg: 00TCrdMain => %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: Bing Bar => "C:\Program Files\MSN Toolbar\Platform\5.0.1407.0\mswinext.exe"
MSCONFIG\startupreg: CanonMyPrinter => C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
MSCONFIG\startupreg: EvtMgr6 => C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
MSCONFIG\startupreg: HotKeysCmds => C:\windows\system32\hkcmd.exe
MSCONFIG\startupreg: IgfxTray => C:\windows\system32\igfxtray.exe
MSCONFIG\startupreg: KeNotify => C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
MSCONFIG\startupreg: Microsoft Default Manager => "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
MSCONFIG\startupreg: Persistence => C:\windows\system32\igfxpers.exe
MSCONFIG\startupreg: RtHDVBg => C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe /FORPCEE3
MSCONFIG\startupreg: RtHDVCpl => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
MSCONFIG\startupreg: SmoothView => %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
MSCONFIG\startupreg: SynTPEnh => %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
MSCONFIG\startupreg: ToshibaServiceStation => "C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
MSCONFIG\startupreg: TosNC => %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe
MSCONFIG\startupreg: TosReelTimeMonitor => %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
MSCONFIG\startupreg: TosSENotify => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
MSCONFIG\startupreg: TosVolRegulator => C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
MSCONFIG\startupreg: TPwrMain => %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE

 

==================== FirewallRules (Whitelisted) ===============

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{61CA23EF-3171-447F-BD3C-C533BAFB04BA}] => (Allow) C:\Program Files\Windows Live\Messenger\wlcsdk.exe
FirewallRules: [{E225C826-0893-4E4C-90D9-B43F77BEA0F9}] => (Allow) C:\Program Files\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{63A385C6-CDB7-4996-9B11-8056D24F6A16}] => (Allow) svchost.exe
FirewallRules: [{34C3D07D-C033-43C1-8812-4A8179A9A5AB}] => (Allow) C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe
FirewallRules: [{88084F02-49F0-46D9-BE4A-EDC44A003A8D}] => (Allow) C:\Program Files\nokia\nokia ovi suite\nokiaovisuite.exe
FirewallRules: [{BF3FB177-09DA-49C9-B7E1-F244BE4600F6}] => (Allow) C:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

 

==================== Faulty Device Manager Devices =============

 

Name: USB 2.0 Camera
Description: USB Video Device
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Microsoft
Service: usbvideo
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

 

Application errors:

==================

 

Error: (12/02/2015 05:11:23 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 512) (User: )
Description: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.

Details:
Could not query the status of the EventSystem service.

System Error:
A system shutdown is in progress.
.

Error: (11/30/2015 04:23:05 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 512) (User: )
Description: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.

Details:
Could not query the status of the EventSystem service.

System Error:
A system shutdown is in progress.
.

Error: (11/30/2015 03:48:58 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ManageACL_32.exe, version: 1.2.0.0, time stamp: 0x56336281
Faulting module name: ManageACL_32.exe, version: 1.2.0.0, time stamp: 0x56336281
Exception code: 0x40000015
Fault offset: 0x00036f76
Faulting process id: 0x56c
Faulting application start time: 0xManageACL_32.exe0
Faulting application path: ManageACL_32.exe1
Faulting module path: ManageACL_32.exe2
Report Id: ManageACL_32.exe3

Error: (11/30/2015 03:22:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ManageACL_32.exe, version: 1.2.0.0, time stamp: 0x56336281
Faulting module name: ManageACL_32.exe, version: 1.2.0.0, time stamp: 0x56336281
Exception code: 0x40000015
Fault offset: 0x00036f76
Faulting process id: 0x7cc
Faulting application start time: 0xManageACL_32.exe0
Faulting application path: ManageACL_32.exe1
Faulting module path: ManageACL_32.exe2
Report Id: ManageACL_32.exe3

Error: (11/30/2015 07:58:05 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ManageACL_32.exe, version: 1.2.0.0, time stamp: 0x56336281
Faulting module name: ManageACL_32.exe, version: 1.2.0.0, time stamp: 0x56336281
Exception code: 0x40000015
Fault offset: 0x00036f76
Faulting process id: 0x784
Faulting application start time: 0xManageACL_32.exe0
Faulting application path: ManageACL_32.exe1
Faulting module path: ManageACL_32.exe2
Report Id: ManageACL_32.exe3

Error: (11/30/2015 07:17:01 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\windows\system32\wbem\wmiprvse.exe; Description = Tweaking.com - Windows Repair; Error = 0x8007043c).

Error: (11/30/2015 05:26:53 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\ADMINI~1\AppData\Local\Temp\jrt\CreateRestorePoint.exe  "JRT Pre-Junkware Removal"; Description = JRT Pre-Junkware Removal; Error = 0x8007043c).

Error: (11/30/2015 04:11:46 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: ntdll.dll, version: 6.1.7601.17725, time stamp: 0x4ec49b60
Exception code: 0xc0000022
Fault offset: 0x00081f64
Faulting process id: 0x614
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (11/27/2015 03:41:25 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\windows\system32\wbem\wmiprvse.exe; Description = ComboFix created restore point; Error = 0x8007043c).

System errors:
=============
Error: (12/05/2015 01:52:06 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:

AFD
DfsC
discache
NetBIOS
NetBT
nsiproxy
Psched
rdbss
spldr
tdx
vwififlt
Wanarpv6
WfpLwf
ws2ifsl

 

Error: (12/05/2015 01:52:06 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error:
%%1068

Error: (12/05/2015 01:52:06 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error:
%%1068

Error: (12/05/2015 01:52:06 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error:
%%1068

Error: (12/05/2015 01:52:06 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:
%%1068

Error: (12/05/2015 01:52:06 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error:
%%1068

Error: (12/05/2015 01:52:06 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error:
%%31

Error: (12/05/2015 01:52:06 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error:
%%1068

Error: (12/05/2015 01:52:06 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Fax service depends on the Print Spooler service which failed to start because of the following error:
%%1068

Error: (12/05/2015 01:52:05 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error:
%%1068

Code Integrity:
===================================

 

Date: 2015-12-05 01:30:54.825
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\rpcrt4.dll because the set of per-page image hashes could not be found on the system.

 

==================== Memory info ===========================

 

Processor: Intel® Atom™ CPU N455 @ 1.66GHz
Percentage of memory in use: 29%
Total physical RAM: 1013.42 MB
Available physical RAM: 711.78 MB
Total Virtual: 1513.42 MB
Available Virtual: 1234.78 MB

 

==================== Drives ================================

 

Drive c: (TI105860W0F) (Fixed) (Total:223.64 GB) (Free:0.01 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (FARBAR) (Removable) (Total:7.53 GB) (Free:7.53 GB) FAT32

 

==================== MBR & Partition Table ==================

 

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 232.9 GB) (Disk ID: 3125EBE5)
Partition 1: (Active) - (Size=1.5 GB) - (Type=27)
Partition 2: (Not Active) - (Size=223.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=7.8 GB) - (Type=17)

 

========================================================

Disk: 1 (Size: 7.5 GB) (Disk ID: 0D69FBDA)
Partition 1: (Active) - (Size=7.5 GB) - (Type=0B)

 

==================== End of Addition.txt ============================

 

 

 



#12 RecycleZone

RecycleZone
  • Topic Starter

  • Members
  • 38 posts

Posted 05 December 2015 - 06:35 AM

Gary: After running and posting the FRST scans, the computer is no longer booting into Windows. A quick blue flash screen appears and it goes into the Repair Windows (recommended) mode. I think something must be corrupted. I tried the Windows Repair option and it will not launch. The "Start Windows normally" option creates a loop with the same symptoms.

 

It seems I can still boot from a USB through the setup function.

 

I tried turning the computer on with the zero (0) pressed and the Recovery Screen to reinstall the original system eventually appeared. I didn't go beyond the first screen as it warned that initiating the process would delete everything. I figured this would be a last resort, if we couldn't get the computer running again or the virus out. This is of course assuming that the recovery process won't hang up once initiated and that the virus didn't infect the recovery tool.

 

I would like to try a bootable USB file manager to look over the computer contents and copy anything that may have been missed in a prior back-up. Any suggestions?

 

I wanted to alert you to this recent computer behavior immediately so we could adjust strategies for this new problem.

 

I am not discouraged by this recent happening and believe that it's probably something minor, and that there are still options -- maybe those options are not as good as before and the challenge has become greater, so I'll reflect on John 16:33 for the time being. :) 

 

As always, any advice you can provide on getting Windows to boot or otherwise will surely be appreciated.

 

Have a great day!

 

Regards, --Mark



#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,444 posts

Posted 05 December 2015 - 07:27 PM

Hi Mark,

Thank you for your patience. In reviewing your logs I noticed the below and if true it will be at least one reason, if not the reason, your computer won't run properly. Not sure it is related to your inability to boot into the Recovery Environment, although 1 GB of RAM is very little to work with.
 

Drive c: (TI105860W0F) (Fixed) (Total:223.64 GB) (Free:0.12 GB)


Very roughly speaking a computer should have 15% free hard drive space in order to run properly. You are well below 1%. Are there files you can back up to a USB device and then delete off the hard drive to free up at least 22GB? We can start with that and see how your computer behaves.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#14 RecycleZone

RecycleZone
  • Topic Starter

  • Members
  • 38 posts

Posted 05 December 2015 - 11:59 PM

Hi Gary:

 

Thanks so much for the analysis! I didn't realize there was such a serious hard drive space issue. I will archive the non-system, non-program files early this week and delete those files from the computer to free up significant space. With such limited space now, I can certainly understand the strain on the computer to operate properly. Thanks for pointing that out.

 

The computer only had 1GB of RAM when purchased new, but another 1GB of RAM can be installed. I will try to find an extra 1GB of RAM to add while getting the external storage drive to back up the files.

 

I should have another update for you in a couple days on these 2 items.  Thanks again. --Mark



#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,444 posts

Posted 06 December 2015 - 08:46 AM

Hi Mark,

Sounds good. I am not sure I would run out and buy more RAM unless it is something you would want to do anyway. Technically the little RAM by itself should not prevent your computer from running properly, it just won't run efficiently.

Pop in when you get a chance and let me know how we are doing.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."



