Computer would not boot, so I did a restore from the restore partition


  • This topic is locked
40 replies to this topic

#1 brucewhain

brucewhain

  • Members
  • 76 posts

Posted 20 March 2016 - 06:22 PM

5:33 AM Mar. 21 - FINAL MODIFICATION OF THIS POST. Since the computer became unresponsive and was unable to login as described in the two paragraphs right below, did another restore from restore partition, which went very quickly (13 min.) then removed the Veriface program and ran the Farbar scan, during all of which the computer seemed to run fast and smooth as ever. Will post the Farbar scan and addition in the third post. The computer is shut down and will await your instructions before doing anything more.

 

11:58 PM, Mar. 20, Eastern Time - Sorry. Against post facto advice of moderator in the other forum where this issue was posted I have made changes to the computer including installing Service Pack 1, installing firefox, removing firefox, and restoring to a point before installing Service Pack 1. It didn't help. I think I can produce updated Farbar logs in safe mode, thus avoiding problems with Lenovo Veriface, which causes total unresponsiveness, and will post them below.

 

1:07 AM Mar. 21, Sorry again. As a result of my attempt to restore to a point before installing Service Pack 1 the computer will only boot into normal mode, which is impossible because Veriface is completely unresponsive. It may be that the only way to get the computer to boot is to do another restore to default from the restore partition. Will await your instructions before going any farther.

 

The computer is a Lenovo G550 laptop with Windows 7 Home Premium and 200 GB Hitachi hard drive. The Intel works has built-in graphics.

 

The Farbar texts are posted below. The fatal error that occurred shortly after 1st boot-up with the factory defaults was - I believe - due to being set to "sleep" after just a few minutes. This occurred while installing Firefox whose install program just stopped and failed to perform the expected shutdown and reboot.

 

Here is a description of the original attack, reposted by global moderator boopme to "Am I Infected? What do I do?" --

 

Today was on two pages in internet explorer - strangely something like news and Wikipedia - and got diverted for a while with a phone call. When I returned the damage was done. It was not possible to close the pages, but waited quite a while. The only thing that worked was task manager, which was already open but suddenly expanded about 5 minutes after I clicked on it.
 
I should have run MalwareBytes first without shutting down the computer, for when I did it would not boot completely into any mode. It just goes really, really slow, but doesn't work hard or bring up the fan. It looks like the Microsoft progress histogram thing that appears before login is fake, but I could be wrong about that. I tried the built in quick scan which is not up-to-date, and did not find anything.
 
Forgot to say: On 1st attempt to start, the computer went into System something(?) and I tried this again another time. It stayed on about 15 minutes each time, then completed, but could not read what it said it had found as it flashed by. After that, attempts to boot got to the login within 5 minutes but would not finish after login.
 
Although I think it would be possible to use the Lenovo One-Step utility to restore to factory default, there is reams of work that is extremely difficult to save and concerning which I have been unable to find a less time-consuming way to keep up with saving it. The larger part, unsaved, has been accumulating since July and it would be terrible to lose it.

 

Correction re. the above description: I ran System something(? comes on when it fails to boot) a third time before restoring the system to default, and it found one item: "Corrupt Registry".

 

 

Here is the Farbar text log and the addition.txt is attached:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by choochoo (administrator) on CHOOCHOO2 (20-03-2016 03:56:49)
Running from C:\Users\choochoo\Desktop
Loaded Profiles: choochoo (Available Profiles: choochoo)
Platform: Windows 7 Home Premium (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(McAfee, Inc.) C:\Program Files (x86)\McAfee\MPF\MpfSrv.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\MSC\mcmscsvc.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\utility.exe [4366704 2009-09-29] (Lenovo(beijing) Limited)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [5825536 2009-08-18] (Lenovo (Beijing) Limited)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35184 2008-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [snp2uvc] => C:\windows\vsnp2uvc.exe
HKLM-x32\...\Run: [VeriFaceManager] => C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe [3122440 2010-07-29] (Lenovo)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [mcagent_exe] => C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe [645328 2009-07-14] (McAfee, Inc.)
HKLM\...\RunOnce: [WinSATRestorePower] => powercfg -setactive c0ea6ad3-6145-4447-a15e-5fb97be69b98
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3579989564-3160442616-3971763072-1001\...\Run: [ooVoo.exe] => C:\Program Files (x86)\ooVoo\ooVoo.exe [19812536 2010-02-02] (ooVoo LLC)
HKU\S-1-5-18\...\RunOnce: [WLStart] => C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [768336 2009-07-26] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [VeriFace Enc] -> {771C7324-DA80-49D3-8017-753B0AF60951} => C:\windows\system32\IcnOvrly.dll [2010-07-29] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Lenovo Smile Dock.lnk [2010-07-13]
ShortcutTarget: Lenovo Smile Dock.lnk -> C:\Program Files (x86)\DDNi\Lenovo Smile Dock\Delay.exe (Digital Delivery Networks, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{1414D6F3-6B09-4868-BD95-AC9FAF3B27D3}: [DhcpNameServer] 209.18.47.61 209.18.47.62

Internet Explorer:
==================
HKU\S-1-5-21-3579989564-3160442616-3971763072-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo.msn.com
HKU\S-1-5-21-3579989564-3160442616-3971763072-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com/
SearchScopes: HKU\S-1-5-21-3579989564-3160442616-3971763072-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3579989564-3160442616-3971763072-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-06-18] (McAfee, Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll [2009-01-14] (Microsoft Corp.)
BHO-x32: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\McAfee\VirusScan\scriptsn.dll [2009-06-18] (McAfee, Inc.)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO-x32: Windows Live Toolbar Helper -> {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} -> C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll [2009-02-06] (Microsoft Corporation)
Toolbar: HKLM-x32 - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll [2009-02-06] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-3579989564-3160442616-3971763072-1001 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-07-13] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-07-13] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-07-13] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-07-13] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\choochoo\AppData\Roaming\Mozilla\Firefox\Profiles\btkyr0nc.default
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrl.dll [2009-06-23] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npnul32.dll [2010-04-01] (mozilla.org)
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\answers.xml [2010-04-01]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\creativecommons.xml [2010-04-01]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\firefox-branding.js [2010-04-01]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\firefox-l10n.js [2010-04-01]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\firefox.js [2010-04-01]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\defaults\pref\reporter.js [2010-04-01]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 IGRS; C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [509192 2009-08-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [579400 2009-09-22] (Lenovo Group Limited)
R2 mcmscsvc; C:\Program Files (x86)\McAfee\MSC\mcmscsvc.exe [865832 2009-07-14] (McAfee, Inc.)
S2 McNASvc; c:\Program Files (x86)\Common Files\McAfee\MNA\McNASvc.exe [2482848 2009-04-09] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [696848 2009-06-16] (McAfee, Inc.)
S2 McProxy; c:\Program Files (x86)\Common Files\McAfee\McProxy\McProxy.exe [359952 2009-04-09] (McAfee, Inc.)
S2 McShield; C:\Program Files\McAfee\VirusScan\Mcshield.exe [155456 2009-06-18] (McAfee, Inc.)
S3 McSysmon; C:\Program Files (x86)\McAfee\VirusScan\mcsysmon.exe [606736 2009-06-16] (McAfee, Inc.)
R2 MpfService; C:\Program Files (x86)\McAfee\MPF\MPFSrv.exe [894136 2009-07-08] (McAfee, Inc.)
S2 Oasis2Service; C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [46080 2010-06-23] () [File not signed]
S3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)
S2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)
S2 SAService; C:\Windows\system32\SAsrv.exe [445496 2010-03-25] (Conexant Systems, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-15] (Lenovo)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S1 funfrm; C:\Windows\System32\Drivers\funfrm.sys [58896 2010-07-29] ()
R3 JmUsbCcgp; C:\Windows\System32\DRIVERS\jmccgp.sys [17904 2010-02-05] (JMicron Technology Corp.)
S3 JmUsbVideo; C:\Windows\System32\Drivers\jmcam.sys [57072 2010-04-23] (JMicron Technology Corp.)
S3 JmUsbVideo2; C:\Windows\System32\Drivers\jmcam_lo.sys [31344 2010-04-23] (JMicron Technology Corp.)
S3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [102600 2009-06-18] (McAfee, Inc.)
S1 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [307400 2009-06-18] (McAfee, Inc.)
S3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [40904 2009-06-18] (McAfee, Inc.)
S3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [49480 2009-06-18] (McAfee, Inc.)
R1 MPFP; C:\Windows\System32\Drivers\Mpfp.sys [176144 2009-04-09] (McAfee, Inc.)
S3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11280 2009-07-16] (Lenovo)
U3 BcmSqlStartupSvc; no ImagePath
U2 IAStorDataMgrSvc; no ImagePath
U2 IviRegMgr; no ImagePath
U2 RichVideo; no ImagePath
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
U3 SQLWriter; no ImagePath
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
S3 WinRing0_1_2_0; \??\D:\test\ECECECEC\WinRing0x64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-20 03:56 - 2016-03-20 03:57 - 00011207 _____ C:\Users\choochoo\Desktop\FRST.txt
2016-03-20 03:30 - 2016-03-20 03:56 - 00000000 ____D C:\FRST
2016-03-20 03:25 - 2016-03-20 03:25 - 02374144 _____ (Farbar) C:\Users\choochoo\Desktop\FRST64.exe
2016-03-19 22:00 - 2016-03-20 03:15 - 00223500 _____ C:\windows\ntbtlog.txt
2016-03-19 21:03 - 2016-03-19 21:03 - 00242128 _____ C:\Users\choochoo\Desktop\Firefox Setup Stub 45.0.1.exe
2016-03-19 19:43 - 2016-03-19 19:44 - 00000000 ____D C:\ProgramData\CyberLink
2016-03-19 19:00 - 2016-03-19 19:03 - 00000000 ____D C:\windows\system32\MRT
2016-03-19 19:00 - 2016-03-19 19:00 - 143659408 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2016-03-19 18:58 - 2011-04-09 02:58 - 00142336 _____ (Microsoft Corporation) C:\windows\system32\poqexec.exe
2016-03-19 18:58 - 2011-04-09 02:45 - 05509504 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2016-03-19 18:58 - 2011-04-09 02:13 - 03957632 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2016-03-19 18:58 - 2011-04-09 02:13 - 03901824 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2016-03-19 18:58 - 2011-04-09 01:56 - 00123904 _____ (Microsoft Corporation) C:\windows\SysWOW64\poqexec.exe
2016-03-19 18:37 - 2016-03-19 18:37 - 00000000 ____D C:\Users\choochoo\AppData\Roaming\Mozilla
2016-03-19 18:37 - 2016-03-19 18:37 - 00000000 ____D C:\Users\choochoo\AppData\Local\Mozilla
2016-03-19 18:25 - 2016-03-19 19:36 - 00000342 _____ C:\windows\Tasks\McDefragTask.job
2016-03-19 18:25 - 2016-03-19 19:36 - 00000320 _____ C:\windows\Tasks\McQcTask.job
2016-03-19 18:25 - 2016-03-19 18:25 - 00060368 _____ C:\Users\choochoo\AppData\Local\GDIPFONTCACHEV1.DAT
2016-03-19 18:25 - 2016-03-19 18:25 - 00003746 _____ C:\windows\System32\Tasks\McQcTask
2016-03-19 18:25 - 2016-03-19 18:25 - 00003682 _____ C:\windows\System32\Tasks\McDefragTask
2016-03-19 18:25 - 2016-03-19 18:25 - 00001447 _____ C:\Users\choochoo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-03-19 18:25 - 2016-03-19 18:25 - 00001413 _____ C:\Users\choochoo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2016-03-19 18:25 - 2016-03-19 18:25 - 00000000 ____D C:\Users\choochoo\AppData\Roaming\ooVoo Details
2016-03-19 18:24 - 2016-03-20 03:14 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-03-19 18:24 - 2016-03-19 19:43 - 00002243 _____ C:\Users\choochoo\Desktop\OneKey Recovery.lnk
2016-03-19 18:24 - 2016-03-19 18:25 - 00001122 _____ C:\Users\choochoo\Desktop\Cyberlink Power2Go.lnk
2016-03-19 18:24 - 2016-03-19 18:25 - 00000000 ____D C:\Users\choochoo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2016-03-19 18:24 - 2016-03-19 18:25 - 00000000 ____D C:\Users\choochoo
2016-03-19 18:24 - 2016-03-19 18:24 - 00000020 ___SH C:\Users\choochoo\ntuser.ini
2016-03-19 18:24 - 2016-03-19 18:24 - 00000000 _SHDL C:\Users\choochoo\My Documents
2016-03-19 18:24 - 2016-03-19 18:24 - 00000000 _SHDL C:\Users\choochoo\Documents\My Videos
2016-03-19 18:24 - 2016-03-19 18:24 - 00000000 _SHDL C:\Users\choochoo\Documents\My Pictures
2016-03-19 18:24 - 2016-03-19 18:24 - 00000000 _SHDL C:\Users\choochoo\Documents\My Music
2016-03-19 18:24 - 2016-03-19 18:24 - 00000000 ____D C:\Users\choochoo\AppData\Local\VirtualStore
2016-03-19 18:24 - 2016-03-19 18:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox
2016-03-19 18:24 - 2009-07-29 03:23 - 00000000 ____D C:\Users\choochoo\AppData\Roaming\Media Center Programs
2016-03-19 18:18 - 2012-06-02 18:19 - 02428952 _____ (Microsoft Corporation) C:\windows\system32\wuaueng.dll
2016-03-19 18:18 - 2012-06-02 18:19 - 00057880 _____ (Microsoft Corporation) C:\windows\system32\wuauclt.exe
2016-03-19 18:18 - 2012-06-02 18:19 - 00044056 _____ (Microsoft Corporation) C:\windows\system32\wups2.dll
2016-03-19 18:18 - 2012-06-02 18:15 - 02622464 _____ (Microsoft Corporation) C:\windows\system32\wucltux.dll
2016-03-19 18:17 - 2016-03-19 18:17 - 00000000 ____D C:\Program Files (x86)\Microsoft Sync Framework
2016-03-19 18:17 - 2012-06-02 18:19 - 00701976 _____ (Microsoft Corporation) C:\windows\system32\wuapi.dll
2016-03-19 18:17 - 2012-06-02 18:19 - 00038424 _____ (Microsoft Corporation) C:\windows\system32\wups.dll
2016-03-19 18:17 - 2012-06-02 18:15 - 00099840 _____ (Microsoft Corporation) C:\windows\system32\wudriver.dll
2016-03-19 18:17 - 2012-06-02 15:19 - 00186752 _____ (Microsoft Corporation) C:\windows\system32\wuwebv.dll
2016-03-19 18:17 - 2012-06-02 15:15 - 00036864 _____ (Microsoft Corporation) C:\windows\system32\wuapp.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-20 03:19 - 2009-07-14 01:13 - 00713888 _____ C:\windows\system32\PerfStringBackup.INI
2016-03-20 03:19 - 2009-07-13 23:20 - 00000000 ____D C:\windows\inf
2016-03-20 03:12 - 2010-07-29 18:24 - 00001698 _____ C:\Users\Public\Desktop\Lenovo ReadyComm 5.lnk
2016-03-19 21:22 - 2009-07-14 00:45 - 00013424 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-19 21:22 - 2009-07-14 00:45 - 00013424 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-19 21:15 - 2010-07-29 18:32 - 00000000 ____D C:\ProgramData\VeriFace
2016-03-19 21:15 - 2009-07-14 01:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2016-03-19 21:14 - 2010-07-13 07:54 - 00001645 _____ C:\windows\system32\Config.MPF
2016-03-19 19:36 - 2010-07-13 07:45 - 00000000 ____D C:\Program Files (x86)\McAfee
2016-03-19 18:26 - 2010-07-13 07:45 - 00000000 ____D C:\ProgramData\McAfee
2016-03-19 18:18 - 2010-07-13 08:05 - 00000000 ____D C:\Program Files (x86)\Windows Live
2016-03-19 18:17 - 2009-07-13 23:20 - 00000000 __RHD C:\Users\Public\Libraries
2016-03-19 13:52 - 2009-07-13 23:20 - 00000000 ____D C:\windows\rescache

==================== Files in the root of some directories =======

2010-07-13 08:10 - 2010-07-13 08:28 - 0000235 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-03-19 21:42

==================== End of FRST.txt ============================


Edited by brucewhain, 21 March 2016 - 04:49 AM.
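The Services and Drivers sections of the FRST log above are where a helper usually looks first: entries whose file has no publisher string, carry "[File not signed]", point at a file that no longer exists ("[X]"), have "no ImagePath", or load from a drive other than the system drive. The short script below is an added example (not part of this post, and not FRST's own code) that parses lines in that format and returns only the entries worth a second look. The sample input is a handful of lines copied from the log above; the parser's names (parse_entry, triage, the flag strings) are made up for this example, and it assumes the system drive is C: because the log header says the scan ran from C:\Users\choochoo. A flag here is a triage hint, not a verdict: an "[X]" entry is just as often a leftover from uninstalled software as anything hostile.

```python
import re
from typing import Dict, List, Optional

# Constructed test input: lines copied from the Services/Drivers sections of the
# FRST log above (not a complete log).
SAMPLE_LINES = [
    "S3 IGRS; C:\\Program Files (x86)\\Lenovo\\ReadyComm\\common\\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)",
    "S2 Oasis2Service; C:\\Program Files (x86)\\DDNi\\Oasis2Service 1.0\\Oasis2Service.exe [46080 2010-06-23] () [File not signed]",
    "S1 funfrm; C:\\Windows\\System32\\Drivers\\funfrm.sys [58896 2010-07-29] ()",
    "U3 BcmSqlStartupSvc; no ImagePath",
    "S3 RSUSBSTOR; System32\\Drivers\\RtsUStor.sys [X]",
    "S3 WinRing0_1_2_0; \\??\\D:\\test\\ECECECEC\\WinRing0x64.sys [X]",
    "R1 MPFP; C:\\Windows\\System32\\Drivers\\Mpfp.sys [176144 2009-04-09] (McAfee, Inc.)",
]

# "<state><start-type> <name>; <rest>" as FRST prints service/driver entries.
HEAD_RE = re.compile(r"^(?P<state>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
# "<path> [<size> <date>] (<publisher>)<tail>" for entries whose file was found.
FILE_RE = re.compile(
    r"^(?P<path>.+?)\s+\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<publisher>[^)]*)\)(?P<tail>.*)$"
)

# Windows service start types (the digit after the R/S/U letter).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Assumption taken from the log header ("Running from C:\Users\..."): C: is the system drive.
SYSTEM_DRIVE = "C:"


def parse_entry(line: str) -> Optional[Dict[str, object]]:
    """Parse one FRST service/driver line; returns None for lines that are not entries."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    flags: List[str] = []
    entry: Dict[str, object] = {
        "state": m["state"],  # R = running, S = stopped, U = FRST's letter for the 'no ImagePath' rows above
        "start_type": START_TYPES.get(m["start"], m["start"]),
        "name": m["name"].strip(),
        "path": None, "size": None, "date": None, "publisher": None,
        "flags": flags,
    }
    rest = m["rest"].strip()
    if rest == "no ImagePath":
        flags.append("no_image_path")
        return entry
    if rest.endswith("[X]"):  # FRST marks a registered but missing file with [X]
        entry["path"] = rest[:-3].strip()
        flags.append("file_missing")
    else:
        f = FILE_RE.match(rest)
        if not f:
            entry["path"] = rest
            flags.append("unparsed")
            return entry
        entry["path"] = f["path"]
        entry["size"] = int(f["size"])
        entry["date"] = f["date"]
        entry["publisher"] = f["publisher"].strip() or None
        if entry["publisher"] is None:  # "()" means FRST found no publisher in the file
            flags.append("no_publisher")
        if "[File not signed]" in f["tail"]:
            flags.append("not_signed")
    # A driver loaded from a non-system drive (e.g. "\??\D:\test\...") deserves a look.
    path = str(entry["path"])
    if path.startswith("\\??\\"):
        path = path[4:]
    if re.match(r"^[A-Za-z]:", path) and not path.upper().startswith(SYSTEM_DRIVE):
        flags.append("nonsystem_drive")
    return entry


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the entries that carry at least one flag, in log order."""
    results: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_entry(line)
        if entry and entry["flags"]:
            results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e['name']:<20} {e['state']}/{e['start_type']:<8} {', '.join(e['flags']):<30} {e['path']}")
```

Run against the constructed sample it lists Oasis2Service (no publisher, not signed), funfrm (no publisher), BcmSqlStartupSvc (no ImagePath), RSUSBSTOR (file missing) and WinRing0_1_2_0 (file missing, non-system drive), and leaves the signed Lenovo and McAfee entries alone. To use it on a real FRST.txt, feed it the lines between the "Services (Whitelisted)" and "NetSvcs" headers; the regexes ignore everything that is not an entry.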



#2 brucewhain

brucewhain
  • Topic Starter

  • Members
  • 76 posts

Posted 20 March 2016 - 07:51 PM

Have been trying to remove a few of the irritating programs contained in the factory default and find that the Windows 7 version of "Add/Remove Programs" is becoming unresponsive. Had to force shutdown. Am afraid there's something wrong and will try the built-in Windows test for the hard drive first.

 

UPDATE: Was unable to log back in to read the Scandisk log due to Veriface being unresponsive, though several things were getting unresponsive following the changes I made after the first restore to default.


Edited by brucewhain, 21 March 2016 - 04:54 AM.


#3 brucewhain

brucewhain
  • Topic Starter

  • Members
  • 76 posts

Posted 21 March 2016 - 05:01 AM

Here are the Farbar logs made after the 2nd restore to default and uninstall of Veriface:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by choochoo (administrator) on choochoo-PC (21-03-2016 05:28:30)
Running from F:\
Loaded Profiles: choochoo (Available Profiles: choochoo)
Platform: Windows 7 Home Premium (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Lenovo Group Limited) C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe
() C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Microsoft Corp.) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(McAfee, Inc.) C:\Program Files (x86)\Common Files\McAfee\MNA\McNASvc.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\MSC\mcmscsvc.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\MPF\MpfSrv.exe
(McAfee, Inc.) C:\Program Files (x86)\Common Files\McAfee\McProxy\McProxy.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Lenovo(beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
(Lenovo (Beijing) Limited) C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(ooVoo LLC) C:\Program Files (x86)\ooVoo\ooVoo.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe
(McAfee, Inc.) C:\Program Files\McAfee\VirusScan\Mcshield.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan\mcsysmon.exe
(Digital Delivery Networks, Inc.) C:\Program Files (x86)\DDNi\Lenovo Smile Dock\CenterStage.exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-06-04] (Intel Corporation)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\utility.exe [4366704 2009-09-29] (Lenovo(beijing) Limited)
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [5825536 2009-08-18] (Lenovo (Beijing) Limited)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35184 2008-12-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [snp2uvc] => C:\windows\vsnp2uvc.exe
HKLM-x32\...\Run: [VeriFaceManager] => C:\Program Files (x86)\Lenovo\VeriFace\PManage.exe
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [mcagent_exe] => C:\Program Files (x86)\McAfee.com\Agent\mcagent.exe [645328 2009-07-14] (McAfee, Inc.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3579989564-3160442616-3971763072-1000\...\Run: [ooVoo.exe] => C:\Program Files (x86)\ooVoo\ooVoo.exe [19812536 2010-02-02] (ooVoo LLC)
HKU\S-1-5-18\...\RunOnce: [WLStart] => C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [768336 2009-07-26] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Lenovo Smile Dock.lnk [2010-07-13]
ShortcutTarget: Lenovo Smile Dock.lnk -> C:\Program Files (x86)\DDNi\Lenovo Smile Dock\Delay.exe (Digital Delivery Networks, Inc.)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Internet Explorer:
==================
HKU\S-1-5-21-3579989564-3160442616-3971763072-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://lenovo.msn.com
HKU\S-1-5-21-3579989564-3160442616-3971763072-1000\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com/
SearchScopes: HKU\S-1-5-21-3579989564-3160442616-3971763072-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3579989564-3160442616-3971763072-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-06-18] (McAfee, Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll [2009-01-14] (Microsoft Corp.)
BHO-x32: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\McAfee\VirusScan\scriptsn.dll [2009-06-18] (McAfee, Inc.)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
BHO-x32: Windows Live Toolbar Helper -> {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} -> C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll [2009-02-06] (Microsoft Corporation)
Toolbar: HKLM-x32 - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll [2009-02-06] (Microsoft Corporation)
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll [2009-07-26] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-07-13] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-07-13] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-07-13] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-07-13] (Microsoft Corporation)
FireFox:
========
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\3.0.40624.0\npctrl.dll [2009-06-23] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S2 0240911458551873mcinstcleanup; C:\windows\TEMP\024091~1.EXE [316312 2009-07-09] (McAfee, Inc.)
R3 IGRS; C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [38152 2009-07-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm AppSvc; C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [509192 2009-08-14] (Lenovo Group Limited)
S3 Lenovo ReadyComm ConnSvc; C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [579400 2009-09-22] (Lenovo Group Limited)
R2 mcmscsvc; C:\Program Files (x86)\McAfee\MSC\mcmscsvc.exe [865832 2009-07-14] (McAfee, Inc.)
R2 McNASvc; c:\Program Files (x86)\Common Files\McAfee\MNA\McNASvc.exe [2482848 2009-04-09] (McAfee, Inc.)
S3 McODS; C:\Program Files\McAfee\VirusScan\mcods.exe [696848 2009-06-16] (McAfee, Inc.)
R2 McProxy; c:\Program Files (x86)\Common Files\McAfee\McProxy\McProxy.exe [359952 2009-04-09] (McAfee, Inc.)
R2 McShield; C:\Program Files\McAfee\VirusScan\Mcshield.exe [155456 2009-06-18] (McAfee, Inc.)
R3 McSysmon; C:\Program Files (x86)\McAfee\VirusScan\mcsysmon.exe [606736 2009-06-16] (McAfee, Inc.)
R2 MpfService; C:\Program Files (x86)\McAfee\MPF\MPFSrv.exe [894136 2009-07-08] (McAfee, Inc.)
R2 Oasis2Service; C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [46080 2010-06-23] () [File not signed]
S3 PS_MDP; C:\Program Files (x86)\Lenovo\ReadyComm\PS_MDP.dll [276296 2009-07-15] (Lenovo Group Limited)
S2 ReadyComm.DirectRouter; C:\Program Files (x86)\Lenovo\ReadyComm\common\router.dll [103688 2009-07-14] (Lenovo Group Limited)
S2 SAService; C:\Windows\system32\SAsrv.exe [445496 2010-03-25] (Conexant Systems, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
S3 Bridge0; C:\Windows\System32\drivers\WDBridge.sys [79376 2009-07-15] (Lenovo)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 funfrm; C:\Windows\System32\Drivers\funfrm.sys [58896 2010-07-29] ()
R3 JmUsbCcgp; C:\Windows\System32\DRIVERS\jmccgp.sys [17904 2010-02-05] (JMicron Technology Corp.)
R3 JmUsbVideo; C:\Windows\System32\Drivers\jmcam.sys [57072 2010-04-23] (JMicron Technology Corp.)
R3 JmUsbVideo2; C:\Windows\System32\Drivers\jmcam_lo.sys [31344 2010-04-23] (JMicron Technology Corp.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [102600 2009-06-18] (McAfee, Inc.)
R1 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [307400 2009-06-18] (McAfee, Inc.)
S3 mferkdk; C:\Windows\System32\drivers\mferkdk.sys [40904 2009-06-18] (McAfee, Inc.)
R3 mfesmfk; C:\Windows\System32\drivers\mfesmfk.sys [49480 2009-06-18] (McAfee, Inc.)
R1 MPFP; C:\Windows\System32\Drivers\Mpfp.sys [176144 2009-04-09] (McAfee, Inc.)
R3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [11280 2009-07-16] (Lenovo)
U3 BcmSqlStartupSvc; no ImagePath
U2 IAStorDataMgrSvc; no ImagePath
U2 IviRegMgr; no ImagePath
U2 RichVideo; no ImagePath
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
U3 SQLWriter; no ImagePath
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
S3 WinRing0_1_2_0; \??\D:\test\ECECECEC\WinRing0x64.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-03-21 05:28 - 2016-03-21 05:28 - 00000000 ____D C:\FRST
2016-03-21 05:18 - 2016-03-21 05:18 - 00060368 _____ C:\Users\choochoo\AppData\Local\GDIPFONTCACHEV1.DAT
2016-03-21 05:18 - 2016-03-21 05:18 - 00001447 _____ C:\Users\choochoo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-03-21 05:18 - 2016-03-21 05:18 - 00001413 _____ C:\Users\choochoo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2016-03-21 05:18 - 2016-03-21 05:18 - 00000000 ____D C:\Users\choochoo\AppData\Roaming\ooVoo Details
2016-03-21 05:17 - 2016-03-21 05:18 - 00001122 _____ C:\Users\choochoo\Desktop\Cyberlink Power2Go.lnk
2016-03-21 05:17 - 2016-03-21 05:18 - 00000000 ____D C:\Users\choochoo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo
2016-03-21 05:17 - 2016-03-21 05:18 - 00000000 ____D C:\Users\choochoo
2016-03-21 05:17 - 2016-03-21 05:17 - 00003746 _____ C:\windows\System32\Tasks\McQcTask
2016-03-21 05:17 - 2016-03-21 05:17 - 00003682 _____ C:\windows\System32\Tasks\McDefragTask
2016-03-21 05:17 - 2016-03-21 05:17 - 00000342 _____ C:\windows\Tasks\McDefragTask.job
2016-03-21 05:17 - 2016-03-21 05:17 - 00000320 _____ C:\windows\Tasks\McQcTask.job
2016-03-21 05:17 - 2016-03-21 05:17 - 00000020 ___SH C:\Users\choochoo\ntuser.ini
2016-03-21 05:17 - 2016-03-21 05:17 - 00000000 _SHDL C:\Users\choochoo\My Documents
2016-03-21 05:17 - 2016-03-21 05:17 - 00000000 _SHDL C:\Users\choochoo\Documents\My Videos
2016-03-21 05:17 - 2016-03-21 05:17 - 00000000 _SHDL C:\Users\choochoo\Documents\My Pictures
2016-03-21 05:17 - 2016-03-21 05:17 - 00000000 _SHDL C:\Users\choochoo\Documents\My Music
2016-03-21 05:17 - 2016-03-21 05:17 - 00000000 ____D C:\Users\choochoo\AppData\Local\VirtualStore
2016-03-21 05:17 - 2010-07-13 07:44 - 00002104 _____ C:\Users\choochoo\Desktop\OneKey Recovery.lnk
2016-03-21 05:17 - 2009-07-29 03:23 - 00000000 ____D C:\Users\choochoo\AppData\Roaming\Media Center Programs
2016-03-21 05:16 - 2016-03-21 05:16 - 00000000 ____D C:\Program Files (x86)\Microsoft Sync Framework
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-03-21 05:27 - 2009-07-14 01:13 - 00713888 _____ C:\windows\system32\PerfStringBackup.INI
2016-03-21 05:27 - 2009-07-13 23:20 - 00000000 ____D C:\windows\inf
2016-03-21 05:25 - 2010-07-29 18:24 - 00000000 ____D C:\Program Files (x86)\Lenovo
2016-03-21 05:25 - 2010-07-13 08:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo
2016-03-21 05:20 - 2009-07-14 00:45 - 00013424 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-21 05:20 - 2009-07-14 00:45 - 00013424 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-21 05:18 - 2010-07-13 07:54 - 00001195 _____ C:\windows\system32\Config.MPF
2016-03-21 05:18 - 2010-07-13 07:45 - 00000000 ____D C:\ProgramData\McAfee
2016-03-21 05:17 - 2010-07-13 07:45 - 00000000 ____D C:\Program Files (x86)\McAfee
2016-03-21 05:16 - 2010-07-13 08:05 - 00000000 ____D C:\Program Files (x86)\Windows Live
2016-03-21 01:13 - 2009-07-13 23:20 - 00000000 ____D C:\windows\rescache
2016-03-21 01:12 - 2009-07-14 01:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
==================== Files in the root of some directories =======
2010-07-13 08:10 - 2010-07-13 08:28 - 0000235 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
Some files in TEMP:
====================
C:\Users\choochoo\AppData\Local\Temp\uninstall.exe
==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)
C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2009-07-29 02:01
==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by choochoo (2016-03-21 05:29:21)
Running from F:\
Windows 7 Home Premium (X64) (2016-03-21 09:17:37)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3579989564-3160442616-3971763072-500 - Administrator - Disabled)
choochoo (S-1-5-21-3579989564-3160442616-3971763072-1000 - Administrator - Enabled) => C:\Users\choochoo
Guest (S-1-5-21-3579989564-3160442616-3971763072-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: McAfee VirusScan (Enabled - Up to date) {86355677-4064-3EA7-ABB3-1B136EB04637}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee VirusScan (Enabled - Up to date) {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Personal Firewall (Enabled) {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM-x32\...\{77DCDCE3-2DED-62F3-8154-05E745472D07}) (Version: 1.1.377 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.)
Adobe Reader 9.0.1 (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-A90100000001}) (Version: 9.0.1 - Adobe Systems Incorporated)
ALPS Touch Pad Driver (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: - )
Broadcom 802.11 Wireless Driver (HKLM-x32\...\{8991E763-21F5-4DEA-A938-5D9D77DCB488}) (Version: 1.0.0.0 - )
Broadcom Gigabit Integrated Controller (HKLM\...\{49F3D04B-B849-4C89-AB31-2366A004EA28}) (Version: 12.24.02 - Broadcom Corporation)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 4.119.0.60 - Conexant)
EasyCapture (HKLM-x32\...\EasyCapture4.0) (Version: V4.0.09.1015 - Lenovo)
Energy Management (HKLM-x32\...\{AE1E24C2-E720-42D5-B8E1-48F71A97B4DB}) (Version: 4.4.1.3 - Lenovo)
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: - Intel Corporation)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version: - Intel Corporation)
Junk Mail filter update (x32 Version: 14.0.8089.726 - Microsoft Corporation) Hidden
Lenovo EasyCamera (HKLM-x32\...\{DB27AA12-FB7E-4452-815A-56F6C03DD92B}) (Version: 1.0.9.4 - Suyin Optronics Corp.)
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 7.0.0723 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 7.0.0723 - CyberLink Corp.) Hidden
Lenovo ReadyComm 5 (HKLM-x32\...\{17542DBF-E17C-4562-BC4D-FA3EF3076C45}) (Version: 5.1.1.20 - Lenovo)
Lenovo ReadyComm 5.0 Service (HKLM-x32\...\{76C66170-C538-4E77-B54D-48E136B5B533}) (Version: 5.0.0.1 - Lenovo Group Limited)
Lenovo Smile Dock (HKLM-x32\...\Lenovo Smile Dock) (Version: 2.0.200.1 - DDNi)
Lenovo Smile Dock (x32 Version: 2.0.200.1 - DDNi) Hidden
McAfee SecurityCenter (HKLM-x32\...\MSC) (Version: - McAfee, Inc.)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 3.0.40624.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework Runtime Native v1.0 (x86) (HKLM-x32\...\{8A74E887-8F0F-4017-AF53-CBA42211AAA5}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Sync Framework Services Native v1.0 (x86) (HKLM-x32\...\{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}) (Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Oasis2Service 1.0 (HKLM-x32\...\{E50FC5DB-7CBD-407D-A46E-0C13E45BC386}) (Version: 1.0.0 - DDNi)
ooVoo (HKLM-x32\...\{FAA7F8FF-3C05-4A61-8F14-D8A6E9ED6623}) (Version: 2.2.4.25 - ooVoo LLC.)
PC-Doctor for Windows (HKLM\...\PC-Doctor for Windows) (Version: 6.0.5426.03 - PC-Doctor, Inc.)
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.4809d4 - CyberLink Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30101 - Realtek Semiconductor Corp.)
Windows Driver Package - Lenovo (ACPIVPC) System (05/19/2009 4.4.0.1) (HKLM\...\92F4CDC794E6E4E29DC063D292D1C94F6FA1EA1E) (Version: 05/19/2009 4.4.0.1 - Lenovo)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8089.0726 - Microsoft Corporation)
Windows Live Sign-in Assistant (HKLM-x32\...\{45338B07-A236-4270-9A77-EBB4115517B5}) (Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
Windows Live Upload Tool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1D129EB2-031D-40B9-9A6C-608D4438C9A8} - System32\Tasks\McQcTask => c:\Program Files (x86)\McAfee\MQC\QcConsol.exe [2009-07-03] (McAfee, Inc.)
Task: {887ABCE2-0606-4B8E-A5DF-E6D5FCF1B28C} - System32\Tasks\McDefragTask => c:\Program Files (x86)\McAfee\MQC\QcConsol.exe [2009-07-03] (McAfee, Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\windows\Tasks\McDefragTask.job => c:\PROGRA~2\mcafee\mqc\QcConsol.exe C:\windows\system32\defrag.exe
Task: C:\windows\Tasks\McQcTask.job => c:\PROGRA~2\mcafee\mqc\QcConsol.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2010-06-23 01:39 - 2010-06-23 01:39 - 00046080 _____ () C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe
2010-07-29 18:32 - 2010-07-29 18:32 - 01502720 _____ () C:\windows\system32\IcnOvrly.dll
2010-07-29 18:33 - 2009-07-15 11:55 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\kbdhook.dll
2010-07-29 18:33 - 2009-07-15 11:55 - 00054088 _____ () C:\Program Files (x86)\Lenovo\Energy Management\HookLib.dll
2010-06-23 01:39 - 2010-06-23 01:39 - 00049152 _____ () C:\Program Files (x86)\DDNi\Oasis2Service 1.0\DdniCore.dll
2010-06-23 01:39 - 2010-06-23 01:39 - 00033280 _____ () C:\Program Files (x86)\DDNi\Oasis2Service 1.0\AspUpdate.dll

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcmscsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MpfService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2009-06-10 17:00 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3579989564-3160442616-3971763072-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\choochoo\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{63AE3BA2-FE25-468B-A96A-2B7DA3B046DC}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MNA\McNaSvc.exe
FirewallRules: [{C1DD37B0-9AC0-4743-8606-4C7CB026E079}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\wlcsdk.exe
FirewallRules: [{1373B338-4487-4FAD-AB91-0B080709E80E}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{D8EA1BBA-EE5C-4B0E-BF3E-0B13A63B3813}] => (Allow) svchost.exe
FirewallRules: [{4AA3F84B-9E4B-4E2B-9D8F-8704A54BA958}] => (Allow) C:\Program Files (x86)\Windows Live\Sync\WindowsLiveSync.exe
FirewallRules: [TCP Query User{34E88B29-B9DE-4477-9E17-FA4DFB2920DD}C:\program files (x86)\oovoo\oovoo.exe] => (Block) C:\program files (x86)\oovoo\oovoo.exe
FirewallRules: [UDP Query User{BA895774-A0EE-4433-81F3-060E93B3BAD9}C:\program files (x86)\oovoo\oovoo.exe] => (Block) C:\program files (x86)\oovoo\oovoo.exe
FirewallRules: [{7B301C0E-5E26-4322-963E-0A0D4840DAFA}] => (Allow) C:\windows\System32\IgrsSvcs.exe
FirewallRules: [{6676268D-3365-4EEE-9DD1-4C67207E6481}] => (Allow) C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe
FirewallRules: [{5CF37A03-9D74-48A8-B15F-F15143FEACB5}] => (Allow) C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe
FirewallRules: [{82ACB21A-4AB0-461C-90D7-5FBF3B09F839}] => (Allow) C:\windows\System32\IgrsSvcs.exe
FirewallRules: [{15A12A99-2C10-40FA-AFED-479314303968}] => (Allow) C:\Program Files\Lenovo\ReadyComm\ReadyCom.exe
FirewallRules: [{A9D1F47C-A36C-4199-B9A3-41FFBD9F14FD}] => (Allow) C:\Program Files\Lenovo\ReadyComm\ReadyComm.exe
FirewallRules: [{78DAB086-D568-483C-A173-7101C6B44BE6}] => (Allow) C:\Program Files\Lenovo\ReadyComm\Projectionist.exe
FirewallRules: [{5FF64C10-D110-4E1C-B74E-212D32506306}] => (Allow) C:\Program Files\Lenovo\ReadyComm\Projectionist.exe
FirewallRules: [{3D3B80D4-9D22-4D7A-9A51-C09BD6F12D8A}] => (Allow) C:\Program Files\Lenovo\ReadyComm\AppSvc.exe
FirewallRules: [{609C0C6F-ABE5-49BA-A2E4-9E6A726842CF}] => (Allow) C:\Program Files\Lenovo\ReadyComm\AppSvc.exe
FirewallRules: [{014CEE90-2520-4EFB-97DC-1CFC5C45F079}] => (Allow) C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe
FirewallRules: [{87F05640-8755-4B16-A286-5BE56373BEC4}] => (Allow) C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe
FirewallRules: [{305DDCCE-9B6A-42F2-91A0-51CBF4C6C075}] => (Allow) C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe
FirewallRules: [{D4C9AF4F-6D72-43DB-B4AD-239B91955DCF}] => (Allow) C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe

==================== Restore Points =========================


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (07/29/2010 06:45:57 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.

Error: (07/29/2010 06:45:56 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.


System errors:
=============
Error: (03/21/2016 05:26:22 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (03/21/2016 05:26:22 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (03/21/2016 05:26:21 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (03/21/2016 05:26:20 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (03/21/2016 05:26:19 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (03/21/2016 05:26:18 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (03/21/2016 05:26:18 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (03/21/2016 05:26:17 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (03/21/2016 05:26:17 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (03/21/2016 05:26:16 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.


==================== Memory info ===========================

Processor: Intel® Celeron® CPU 900 @ 2.20GHz
Percentage of memory in use: 48%
Total physical RAM: 2008.61 MB
Available physical RAM: 1033.01 MB
Total Virtual: 4017.22 MB
Available Virtual: 2921.65 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:103.85 GB) (Free:88.93 GB) NTFS
Drive d: (Lenovo) (Fixed) (Total:30.25 GB) (Free:27.7 GB) NTFS
Drive f: () (Removable) (Total:1.87 GB) (Free:0.52 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: E6B7354F)
Partition 1: (Active) - (Size=200 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=103.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=30.2 GB) - (Type=OF Extended)
Partition 4: (Not Active) - (Size=14.8 GB) - (Type=12)

========================================================
Disk: 1 (Size: 1.9 GB) (Disk ID: 7BE06BB6)
Partition 1: (Not Active) - (Size=1.9 GB) - (Type=06)

==================== End of Addition.txt ============================

Attached Files


Edited by Oh My!, 23 March 2016 - 08:26 PM.


#4 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 38,142 posts
  • Gender:Male
  • Location:California
Posted 23 March 2016 - 08:29 PM

Greetings brucewhain and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Click Format and check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it to your Desktop as fixlist.txt. If FRST.exe is not on your Desktop please move it to that location. (<<<Important)
CreateRestorePoint:
CloseProcesses:
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
S2 0240911458551873mcinstcleanup; C:\windows\TEMP\024091~1.EXE [316312 2009-07-09] (McAfee, Inc.)
C:\windows\TEMP\024091~1.EXE
U3 BcmSqlStartupSvc; no ImagePath
U2 IAStorDataMgrSvc; no ImagePath
U2 IviRegMgr; no ImagePath
U2 RichVideo; no ImagePath
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
U3 SQLWriter; no ImagePath
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
S3 WinRing0_1_2_0; \??\D:\test\ECECECEC\WinRing0x64.sys [X]
C:\Users\choochoo\AppData\Local\Temp\uninstall.exe
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Attached System Summary report
  • Any current issues?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

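The fixlist Gary builds above comes from reading the Services and Drivers sections of the FRST log for entries with no ImagePath, a missing image file, or an unsigned or unattributed binary. The following Python script is an added example, not part of this thread and not FRST's own code: it parses lines in that format (the sample lines are copied from the FRST.txt posted earlier in the thread, including two clean entries that should pass) and flags the patterns a helper looks for before writing a fixlist. The `Finding` class, `triage`, `fixlist_lines`, `SAMPLE_LOG` and the heuristics themselves are this example's own choices, not rules built into FRST.

```python
"""Triage the Services/Drivers sections of an FRST log (added example)."""
import re
from dataclasses import dataclass, field

# FRST prints one line per service or driver:
#   <state><start> <name>; <image path> [<size> <date>] (<publisher>) [flags]
# state: R = running, S = stopped, U = unknown/orphaned; the digit is the start type.
_ENTRY = re.compile(r"^(?P<state>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")

# Constructed sample: lines copied from the FRST.txt posted earlier in this thread,
# including two clean entries (mcmscsvc, mfehidk) the filter should ignore.
SAMPLE_LOG = r"""
==================== Services (Whitelisted) ========================
S2 0240911458551873mcinstcleanup; C:\windows\TEMP\024091~1.EXE [316312 2009-07-09] (McAfee, Inc.)
R2 mcmscsvc; C:\Program Files (x86)\McAfee\MSC\mcmscsvc.exe [865832 2009-07-14] (McAfee, Inc.)
R2 Oasis2Service; C:\Program Files (x86)\DDNi\Oasis2Service 1.0\Oasis2Service.exe [46080 2010-06-23] () [File not signed]
===================== Drivers (Whitelisted) ==========================
R1 funfrm; C:\Windows\System32\Drivers\funfrm.sys [58896 2010-07-29] ()
R1 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [307400 2009-06-18] (McAfee, Inc.)
U3 BcmSqlStartupSvc; no ImagePath
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
S3 WinRing0_1_2_0; \??\D:\test\ECECECEC\WinRing0x64.sys [X]
""".strip().splitlines()


@dataclass
class Finding:
    name: str
    line: str
    reasons: list = field(default_factory=list)


def triage(lines):
    """Return a Finding for every service/driver entry that matches a heuristic.

    The heuristics are this example's assumptions about what a helper checks,
    not rules built into FRST.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue  # section headers, explanatory notes, blank lines
        rest = m.group("rest")
        path = rest.split(" [", 1)[0].lower()  # image path without the [size date] block
        reasons = []
        if rest == "no ImagePath":
            reasons.append("registered service has no ImagePath (orphaned entry)")
        if rest.endswith("[X]"):
            reasons.append("image file missing on disk")
        if "[File not signed]" in rest:
            reasons.append("image file is not digitally signed")
        if "()" in rest:
            reasons.append("no publisher name recorded")
        if "\\temp\\" in path:
            reasons.append("image runs from a TEMP directory")
        if path.startswith("\\??\\") and not path.startswith("\\??\\c:\\"):
            reasons.append("driver loaded from a non-system drive")
        if reasons:
            findings.append(Finding(m.group("name"), line, reasons))
    return findings


def fixlist_lines(findings):
    """Fixlist entries for orphaned or missing-file services and drivers.

    Per FRST's own note, putting a service line in fixlist.txt removes its
    registry entry; a file is only moved when its path is listed separately,
    which this helper leaves to the person reviewing the findings.
    """
    return [f.line for f in findings
            if any(r.startswith("registered service") or r.startswith("image file missing")
                   for r in f.reasons)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.name}: " + "; ".join(f.reasons))
    print("\nfixlist candidates:")
    print("\n".join(fixlist_lines(triage(SAMPLE_LOG))))
```

Run against the sample, the orphaned and missing-file candidates are exactly the nine-digit service lines Gary put in his fixlist; the McAfee cleanup binary in `C:\windows\TEMP` is flagged but not emitted, because moving a file is a separate fixlist line that a reviewer should add deliberately rather than by pattern. Signed files from a known publisher pass untouched, which is why the running McAfee services do not appear.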
#5 brucewhain
  • Topic Starter
  • Members
  • 76 posts
Posted 23 March 2016 - 11:01 PM

Hi Gary, I would have gotten back to you sooner but was supposed to see a friend off at the airport. He got there early and the plane left early, so there was no point in going after I got halfway there. Saved $10 round trip though. Yes, you can call me Bruce.

The computer seems to be working normally after this 2nd restore to default, but I have not entered the login code for the internet connection for fear a possible virus might interact with something online. There are several programs besides VeriFace (already removed), including McAfee Security Center, ooVoo and SmileDock, that slow things down at startup, and I will remove them pending your approval.

This Posted a Few Minutes Later: Forgot to turn off the computer after running fixlist and getting the summary, and when I went back to it I noticed something was causing it to run a lot. When I maximized Task Manager, there at the top of the list was Windows System Summary Tool. Then it vanished right away and the computer slowed down, then I shut it down.

Here is the fixlog and the Summary is attached below:

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by choochoo (2016-03-23 23:29:18) Run:1
Running from C:\Users\choochoo\Desktop
Loaded Profiles: choochoo (Available Profiles: choochoo)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
S2 0240911458551873mcinstcleanup; C:\windows\TEMP\024091~1.EXE [316312 2009-07-09] (McAfee, Inc.)
C:\windows\TEMP\024091~1.EXE
U3 BcmSqlStartupSvc; no ImagePath
U2 IAStorDataMgrSvc; no ImagePath
U2 IviRegMgr; no ImagePath
U2 RichVideo; no ImagePath
S3 RSUSBSTOR; System32\Drivers\RtsUStor.sys [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
U3 SQLWriter; no ImagePath
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
S3 WinRing0_1_2_0; \??\D:\test\ECECECEC\WinRing0x64.sys [X]
C:\Users\choochoo\AppData\Local\Temp\uninstall.exe
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}" => key removed successfully
HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => key not found.
0240911458551873mcinstcleanup => service not found.
C:\windows\TEMP\024091~1.EXE => moved successfully
BcmSqlStartupSvc => service removed successfully
IAStorDataMgrSvc => service removed successfully
IviRegMgr => service removed successfully
RichVideo => service removed successfully
RSUSBSTOR => service removed successfully
RtsUIR => service removed successfully
SQLWriter => service removed successfully
USBCCID => service removed successfully
WinRing0_1_2_0 => service removed successfully
C:\Users\choochoo\AppData\Local\Temp\uninstall.exe => moved successfully

The system needed a reboot.

==== End of Fixlog 23:29:38 ====


Edited by brucewhain, 23 March 2016 - 11:11 PM.
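The fixlist above targets two kinds of leftovers: services with no ImagePath at all, and services or drivers whose ImagePath points at a file that is gone (marked [X]). As an added example, not from the thread and not part of FRST, here is a PowerShell check that finds the same two conditions so a defender can review such entries themselves before deciding what to remove. The function names Resolve-ServiceImagePath and Get-OrphanedService, and the path-normalisation rules, are my own; it assumes an elevated 64-bit PowerShell session on Windows.

```powershell
# Added example, not part of the thread or of FRST: list services and drivers whose
# registry ImagePath is empty ("no ImagePath" in the fixlog) or points at a binary
# that no longer exists on disk ("[X]" in the fixlog).
# Run from an elevated 64-bit PowerShell so System32 is not redirected to SysWOW64.

function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    $path = $ImagePath.Trim()
    if ($path.StartsWith('"')) {
        # Quoted executable, possibly followed by arguments
        $end  = $path.IndexOf('"', 1)
        $path = if ($end -gt 0) { $path.Substring(1, $end - 1) } else { $path.Trim('"') }
    } else {
        # Unquoted: cut at the first " -" or " /" switch (e.g. svchost.exe -k netsvcs)
        $path = ($path -split ' (?=[-/])', 2)[0]
    }
    # Normalise the path forms that appear in service and driver entries
    $path = $path -replace '^\\\?\?\\', ''                            # \??\D:\...      -> D:\...
    $path = $path -replace '^\\SystemRoot\\', "$($env:SystemRoot)\"   # \SystemRoot\... -> C:\Windows\...
    if ($path -match '^(system32|syswow64)\\') {                       # System32\Drivers\x.sys (relative)
        $path = Join-Path $env:SystemRoot $path
    }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-OrphanedService {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $name  = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $image = [string]$props.ImagePath          # $null becomes "" here
        if ($image.Trim().Length -eq 0) {
            # Review these rather than deleting blindly: a few legitimate kernel
            # components and service groups also carry no ImagePath.
            New-Object PSObject -Property @{ Service = $name; Problem = 'no ImagePath'; Path = '' }
            return   # move on to the next key in the pipeline
        }
        $resolved = Resolve-ServiceImagePath $image
        if (-not (Test-Path -LiteralPath $resolved -PathType Leaf)) {
            New-Object PSObject -Property @{ Service = $name; Problem = 'binary missing'; Path = $resolved }
        }
    }
}

Get-OrphanedService | Sort-Object Problem, Service | Format-Table Service, Problem, Path -AutoSize
```

Entries reported as "binary missing" with a path on a removable or non-existent drive (the fixlog's WinRing0 driver on D:\ is one such case) are the clearest candidates; entries with no ImagePath deserve a look at the key's other values before removal, since the check only proves the binary cannot be located, not that the entry is malicious.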


#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,142 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:47 AM

Posted 24 March 2016 - 08:07 AM

Hi Bruce,

Thanks for all the information.
 

McAfee Security Center, ooVoo and SmileDock that slow things down at startup and will remove them pending your approval.

Feel free to remove these but if you simply want to disable the automatic startup and leave the programs on your computer let me know.

Please do this.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Check Uninstall application on close
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run. Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED! reboot your computer and attempt to run it again
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • ESET log
  • Security Check log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 brucewhain

brucewhain
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 24 March 2016 - 02:17 PM

Hi Gary. Here is the checkup.txt file. As to ESET there were no threats found.
 
Computer seemed to work ok through all this, though have determined my provider has a bandwidth threshold for $30/mo. accounts that when passed results in a lot of destructive stuff including 1.5-million units of RAM for a single webpage that just stays that way till you close it, if you can. Call me paranoid!

Results of screen317's Security Check version 1.014 --- 12/23/15
Windows 7 x64 (UAC is enabled)
Out of date service pack!!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````


Edited by Oh My!, 24 March 2016 - 04:48 PM.


#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,142 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:47 AM

Posted 24 March 2016 - 04:52 PM

Hi Bruce.

Thanks for the information. Not much I can do about your ISP. :)

This report is indicating your Windows 7 is significantly out of date. I have seen where this is an incorrect reading but we will see. Please do this.

===================================================

Update Adobe Reader

--------------------

Your Adobe Reader is out of date and a security concern. Here is some excellent information and a video which explains the importance of minimizing the risk of infection through compromised PDF files.
  • Please visit Adobe Reader
  • Uncheck the McAfee optional offer
  • Click Install now
  • Save the file to your desktop
  • Double click the installation icon
  • Select Run
  • When completed click Finish
  • Press the Windows key + R at the same time
  • Type appwiz.cpl, press Enter, and allow the Programs list to populate
  • Uninstall every Adobe Reader program except the one just downloaded and installed
===================================================

Updating Windows 7

--------------------
  • Click Start
  • Click All Programs
  • Click Windows Update
  • Continue to rerun Windows update until there are no more updates to install
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • How did the updates go?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 brucewhain

brucewhain
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 24 March 2016 - 11:35 PM

I was not able to update Adobe Reader, because Internet Explorer 8 gets totally unresponsive. Had to force shut-down once because of this. Tried to download an installer from Mozilla website to my flash drive on the other computer, but this results in several files that Windows 7 (the OS on the Lenovo computer at issue here) doesn't recognize, and one that apparently hasn't downloaded yet when you go to close the download page. (Tried this twice.) Will try Chrome after the updates, which are continuing apace.

 

UPDATE: Neither Chrome nor Firefox seems to want people downloading installers so am out of ideas. The updates seemed to go quickly but Internet Explorer was not installed.


Edited by brucewhain, 25 March 2016 - 12:40 AM.


#10 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,142 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:47 AM

Posted 25 March 2016 - 08:43 AM

Please try to download and install Internet Explorer 11 for Windows 7 64 bit systems. If you are successful try the Adobe download again.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 brucewhain

brucewhain
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 25 March 2016 - 03:42 PM

Well Happy Easter Gary. Was not able to get back to you till now so will expect you may be taking some time off for the holiday.

 

Strangely, while Windows 7 does recognize the installation file for IE 11, I get a message that says the system is not compatible because it lacks Service Pack 1. But Windows Update said it installed Service Pack 1. However the System Properties don't list it. Also tried launching IE 8 from a link to this Bleeping Computer page contained in an RTF document - but it would not connect: just opens, then does nothing, using little CPU or RAM, and displays in the upper left: "Connecting". Was able to close it with the task manager this time.
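The disagreement described here, Windows Update reporting Service Pack 1 as installed while System Properties does not show it, can be settled by asking more than one source. As an added example, not from the thread or from any tool used in it, this PowerShell function compares the WMI operating-system record, the registry CSDVersion value and the build number, and also notes whether the SP1 package appears in the installed-hotfix list. Get-ServicePackStatus is a name I chose; the build numbers 7600/7601 and the package id KB976932 are the published Windows 7 RTM/SP1 values and make this check Windows 7 specific.

```powershell
# Added example, not from the thread: cross-check the Windows 7 Service Pack level
# from independent sources. If they disagree, the Service Pack install did not
# actually complete, whatever Windows Update's history reports.
function Get-ServicePackStatus {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Three independent views of "is SP1 present?" (Windows 7: build 7600 = RTM, 7601 = SP1)
    $wmiSaysSp1   = [int]$os.ServicePackMajorVersion -ge 1
    $buildSaysSp1 = [int]$os.BuildNumber -ge 7601
    $regSaysSp1   = [string]$reg.CSDVersion -match 'Service Pack 1'

    # Informational: does the installed-hotfix list carry the SP1 package (KB976932)?
    $sp1InHotfixList = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                              Where-Object { $_.HotFixID -eq 'KB976932' })

    New-Object PSObject -Property @{
        Caption         = $os.Caption
        BuildNumber     = $os.BuildNumber
        WmiServicePack  = $os.ServicePackMajorVersion
        RegistryCsd     = $reg.CSDVersion
        Sp1InHotfixList = $sp1InHotfixList
        # True only when WMI, the build number and the registry all agree
        Consistent      = ($wmiSaysSp1 -eq $buildSaysSp1) -and ($wmiSaysSp1 -eq $regSaysSp1)
    }
}

Get-ServicePackStatus |
    Format-List Caption, BuildNumber, WmiServicePack, RegistryCsd, Sp1InHotfixList, Consistent
```

A machine that is really at SP1 shows build 7601, ServicePackMajorVersion 1 and CSDVersion "Service Pack 1" together; a build of 7600 with an empty CSDVersion means the installer that Windows Update logged as successful never actually applied, which is also why an IE 11 installer refuses to run on it.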



#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,142 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:47 AM

Posted 25 March 2016 - 03:57 PM

Did you continue to hit Start, All Programs, Windows Update after every update until it said there are no more updates?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,142 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:47 AM

Posted 25 March 2016 - 03:57 PM

BTW, Happy Easter to you as well.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#14 brucewhain

brucewhain
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  •  
  • Local time:11:47 AM

Posted 25 March 2016 - 09:54 PM

Thanks. Regarding Windows Update - yes I did. But will try again in case it comes up with something. Can't imagine what's wrong with IE 8 that it's unresponsive the way it is: I am using it now on this XP computer. My theories run in two directions: ISP revenge for using too much bandwidth, or a virus still in the works - or, hardware problems to be expected at this age and heavy level of use. (The L. mouse button has deep spalling - term usually applied to RR inside-of-curve rail) A problem exactly like this existed with "Programs and Features" before the 2nd system restore, but that works fine now, responds immediately good as ever.

 

Windows Update found 10 more downloads just now, though it says Service Pack 1 was in the bunch installed yesterday, and that it was successfully installed.

 

Download of updates is taking quite a while this time. (later) Now it says it installed the ones it did yesterday at 9:15 PM today, including Service Pack 1. It hung for a bit while checking "Installed Updates" but was able to get back to the "Downloading Updates" page without terminating the process. It's been downloading since 9:15 and it's still going, reading 98% done. It's 10:50 now.

 

12:00 EDT. It now says it's creating a restore point and I'm afraid I should have cancelled the download since it looks like it may be about to install the same 10 updates it did last night.

 

12:20: It took so long to get through just one installation I decided to abort it. However by this time even Task Manager would not function and it was necessary to force shut down.


Edited by brucewhain, 25 March 2016 - 11:25 PM.


#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 38,142 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:08:47 AM

Posted 26 March 2016 - 07:41 AM

Good Morning.

Please run this tool. Click Run now under Fix it for me.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
