is my modem being hacked?


This topic is locked
7 replies to this topic

#1 DottieR (Members, 278 posts)

Posted 07 May 2016 - 05:37 PM

While on the internet I got a pop-up that said my computer was frozen (it wasn't) and I should call Microsoft right away because of a virus. The number turned out to be to Delray Technologies who, it turned out after about an hour of them poking around my computer, wanted to sell me $99.00 worth of anti-something software. I did find out it was the network that had been hacked, the modem evidently. I have 7 extra computers using my system. So what do I do? I found some vague mentions of changing settings, but nothing I can use step by step. Windows Defender had been turned off, not by me. Attempts were made to get into Gmail, so I changed my password. The OS was installed only yesterday, new hard disk. I have Avira, free version. Windows 7. Zoom modem by Zoom Telephonics, Century Link wireless service who could not help because it's not their equipment.

I uninstalled the two programs they installed and don't remember what they were, so Slurppa on the securities forum suggested I post here. Under their direction, I typed into the cmd prompt, "netstat -spTCP". I repeated it this morning and found more open connections, but I don't know how to save the file.

I uninstalled the two programs they installed and don't remember what they were, so Slurppa on the securities forum suggested I post here. "Malwarebytes came out clean, but given that you had your computer remotely controlled I suggest you create a new thread in the Malware Removal Logs section to make sure they didn't install anything that our automated tools might not pick up or alter the security of your machine otherwise."

I ran Avira and it found and successfully quarantined two items: "[DETECTION] Contains patterns of software PUA/Systweak.Gen4". I did change my modem password last night. Now I can't get internet on the old computer which has XP.

I did ask the guy why I should trust someone I contacted from a pop-up. He sent me to this website. http://www.delraytechnologies.com/

The callback number he gave was the contact number for that website.

One other strange thing. They found a phone number in there somewhere which I had never called and who has never called me. I googled it. It is the number of a software program owner whom I had emailed earlier in the day, but had received no answer.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-05-2016
Ran by Dorothy (administrator) on DOROTHY-PC (07-05-2016 14:52:21)
Running from C:\Users\Dorothy\Desktop
Loaded Profiles: Dorothy (Available Profiles: Dorothy)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
() C:\Windows\SysWOW64\SecUPDUtilSvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [66328 2016-04-15] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [814608 2016-04-04] (Avira Operations GmbH & Co. KG)
HKU\S-1-5-21-2696319928-2991289490-3549644925-1001\...\Run: [AdvancedIdentityProtector] => "C:\Program Files (x86)\Systweak\Advanced Identity Protector\AdvancedIdentityProtector.exe"

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{9A013135-2843-4BC9-B32C-A85859066505}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2696319928-2991289490-3549644925-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Dorothy\AppData\Roaming\Mozilla\Firefox\Profiles\oe32kra0.default
FF Homepage: hxxps://mail.google.com/mail/u/0/#inbox
FF Plugin HKU\S-1-5-21-2696319928-2991289490-3549644925-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Dorothy\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2016-05-06] (Citrix Online)
FF Extension: Avira Browser Safety - C:\Users\Dorothy\AppData\Roaming\Mozilla\Firefox\Profiles\oe32kra0.default\Extensions\abs@avira.com [2016-05-05]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe [970656 2016-04-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\Antivirus\sched.exe [467016 2016-04-04] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\Antivirus\avguard.exe [467016 2016-04-04] (Avira Operations GmbH & Co. KG)
S2 AntiVirWebService; C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe [1435704 2016-04-04] (Avira Operations GmbH & Co. KG)
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [277960 2016-04-15] (Avira Operations GmbH & Co. KG)
R2 SamsungUPDUtilSvc; C:\Windows\SysWOW64\SecUPDUtilSvc.exe [118576 2014-11-26] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [154816 2016-04-04] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [141920 2016-04-04] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2016-04-04] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [79696 2016-04-04] (Avira Operations GmbH & Co. KG)
S2 DgiVecp; C:\Windows\SysWOW64\Drivers\DgiVecp.sys [40448 2003-07-29] (DeviceGuys, Inc.) [File not signed]
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-07 14:52 - 2016-05-07 14:53 - 00006073 _____ C:\Users\Dorothy\Desktop\FRST.txt
2016-05-07 14:52 - 2016-05-07 14:52 - 00000000 ____D C:\FRST
2016-05-07 14:50 - 2016-05-07 14:50 - 02379264 _____ (Farbar) C:\Users\Dorothy\Desktop\FRST64.exe
2016-05-07 13:48 - 2016-05-07 13:48 - 00044732 _____ C:\Users\Dorothy\Downloads\New-Bovis-Chart-4.pdf
2016-05-07 13:42 - 2016-05-07 13:42 - 00183670 _____ C:\Users\Dorothy\Desktop\BovisChart.pdf
2016-05-07 11:32 - 2016-05-07 11:37 - 00000000 ____D C:\Users\Dorothy\Desktop\Microsoft Office
2016-05-07 06:48 - 2016-05-07 06:50 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-05-07 06:47 - 2016-05-07 06:47 - 00001106 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-05-07 06:47 - 2016-05-07 06:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-05-07 06:47 - 2016-05-07 06:47 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-05-07 06:47 - 2016-05-07 06:47 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-05-07 06:47 - 2016-03-10 14:09 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-05-07 06:47 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-05-07 06:47 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-05-07 03:01 - 2012-02-29 23:46 - 00023408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\fs_rec.sys
2016-05-07 03:01 - 2012-02-29 23:38 - 00220672 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2016-05-07 03:01 - 2012-02-29 23:33 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2016-05-07 03:01 - 2012-02-29 23:28 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\wmi.dll
2016-05-07 03:01 - 2012-02-29 22:37 - 00172544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2016-05-07 03:01 - 2012-02-29 22:33 - 00159232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2016-05-07 03:01 - 2012-02-29 22:29 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2016-05-06 22:27 - 2014-06-30 15:24 - 00008856 _____ (Microsoft Corporation) C:\Windows\system32\icardres.dll
2016-05-06 22:27 - 2014-06-30 15:14 - 00008856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardres.dll
2016-05-06 22:27 - 2014-06-05 23:16 - 00035480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TsWpfWrp.exe
2016-05-06 22:27 - 2014-06-05 23:12 - 00035480 _____ (Microsoft Corporation) C:\Windows\system32\TsWpfWrp.exe
2016-05-06 22:27 - 2014-03-09 14:48 - 01389208 _____ (Microsoft Corporation) C:\Windows\system32\icardagt.exe
2016-05-06 22:27 - 2014-03-09 14:48 - 00171160 _____ (Microsoft Corporation) C:\Windows\system32\infocardapi.dll
2016-05-06 22:27 - 2014-03-09 14:47 - 00619672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\icardagt.exe
2016-05-06 22:27 - 2014-03-09 14:47 - 00099480 _____ (Microsoft Corporation) C:\Windows\SysWOW64\infocardapi.dll
2016-05-06 21:41 - 2012-02-16 23:38 - 01031680 _____ (Microsoft Corporation) C:\Windows\system32\rdpcore.dll
2016-05-06 21:41 - 2012-02-16 22:34 - 00826880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2016-05-06 21:41 - 2012-02-16 21:58 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2016-05-06 21:41 - 2012-02-16 21:57 - 00023552 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdtcp.sys
2016-05-06 21:21 - 2016-05-06 21:21 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung Printers
2016-05-06 21:21 - 2016-05-06 21:21 - 00000000 ____D C:\ProgramData\Samsung
2016-05-06 21:21 - 2014-11-26 04:07 - 00118576 _____ C:\Windows\SysWOW64\SecUPDUtilSvc.exe
2016-05-06 21:20 - 2016-05-06 21:20 - 00000000 ____D C:\Program Files (x86)\Samsung
2016-05-06 21:20 - 2014-05-22 06:22 - 02738496 ____N C:\Windows\TotalUninstaller.exe
2016-05-06 21:19 - 2014-12-25 21:56 - 00000357 _____ C:\Windows\system32\usp02l.smt
2016-05-06 21:19 - 2014-04-16 01:22 - 00029184 _____ () C:\Windows\system32\usp02l.dll
2016-05-06 21:19 - 2013-05-10 02:48 - 00162136 _____ C:\Windows\system32\usp02ci.exe
2016-05-06 21:19 - 2010-10-20 01:46 - 00089600 _____ (SS) C:\Windows\system32\usp02ci.dll
2016-05-06 16:21 - 2016-05-06 16:24 - 00000000 ____D C:\ProgramData\TEMP
2016-05-06 16:10 - 2016-05-06 18:49 - 00000000 ____D C:\Program Files (x86)\Citrix
2016-05-06 16:09 - 2016-05-06 16:10 - 00000000 ____D C:\Users\Dorothy\AppData\Local\Citrix
2016-05-06 15:34 - 2016-05-06 15:34 - 00004060 _____ C:\Program Files\UninPCAt.isu
2016-05-06 15:34 - 2016-05-06 15:34 - 00000156 _____ C:\Windows\acsatlas.ini
2016-05-06 15:34 - 2016-05-06 15:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ACS PC Atlas
2016-05-06 15:34 - 1999-07-15 09:57 - 03097989 _____ C:\Program Files\Acsia.dat
2016-05-06 15:34 - 1999-04-21 22:54 - 00124611 _____ C:\Program Files\Acstt.dat
2016-05-06 15:34 - 1998-10-27 08:41 - 00029732 ____N C:\Program Files\Acsatlas.exe
2016-05-06 15:34 - 1998-10-27 08:41 - 00009045 ____N C:\Program Files\Paconvrt.exe
2016-05-06 15:34 - 1998-02-07 18:31 - 00080752 _____ (Astro Communications Services, Inc.) C:\Windows\SysWOW64\Acsatls.vbx
2016-05-06 15:34 - 1997-12-01 14:11 - 04918952 _____ C:\Program Files\Acsua.dat
2016-05-06 15:34 - 1997-08-09 16:51 - 00108954 ____N C:\Program Files\Acsatlas.hlp
2016-05-06 15:34 - 1997-03-03 04:30 - 00000042 _____ C:\Program Files\acspa.dat
2016-05-06 15:34 - 1993-05-12 00:00 - 00398416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Vbrun300.dll
2016-05-06 15:32 - 1997-08-26 12:06 - 00315904 _____ (InstallShield Software Corporation) C:\Windows\IsUninst.exe
2016-05-06 15:30 - 2016-05-06 15:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Samsung ML-1740 Series
2016-05-06 15:30 - 2003-01-14 05:38 - 00014002 _____ (Samsung Electronics.) C:\Windows\SysWOW64\ssgb6mon.dll
2016-05-06 15:29 - 2016-05-06 15:29 - 00000000 ____D C:\Windows\Samsung
2016-05-06 15:29 - 2003-09-08 01:36 - 00204800 ____N (Samsung Electronics Co., Ltd.) C:\Windows\SysWOW64\SSRemove.exe
2016-05-06 12:06 - 2016-05-06 12:06 - 00000000 ____D C:\Program Files\DCW03
2016-05-06 12:05 - 2016-05-06 12:05 - 00000000 ____D C:\Program Files\Decoz
2016-05-06 11:58 - 2016-05-06 11:58 - 00002000 _____ C:\Users\Dorothy\Desktop\Numerology Calculator.lnk
2016-05-06 11:58 - 2016-05-06 11:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\2Near the Edge
2016-05-06 11:58 - 2016-05-06 11:58 - 00000000 ____D C:\Program Files (x86)\2Near
2016-05-06 11:54 - 2016-05-06 11:54 - 00001355 _____ C:\Users\Dorothy\Desktop\Tetris - Shortcut.lnk
2016-05-06 11:45 - 2016-05-06 11:54 - 00000000 ____D C:\Program Files\The Tetris Game
2016-05-06 11:44 - 2016-05-06 11:44 - 00000000 ____D C:\Program Files\DoNotTrackPlus
2016-05-06 10:38 - 2016-05-06 10:38 - 00000000 ____D C:\Users\Dorothy\AppData\Local\ElevatedDiagnostics
2016-05-06 06:49 - 2016-05-06 06:49 - 00000000 ____D C:\3f7dfc3f1f9d8e12f87bc2f3697631e5
2016-05-06 06:49 - 2016-05-06 06:49 - 00000000 ____D C:\071d71b1a43477c57a208d16ff777515
2016-05-06 06:39 - 2016-05-06 06:39 - 00003044 _____ C:\Windows\System32\Tasks\{FE4460E8-45E0-4952-991D-0F065563FE4C}
2016-05-05 22:53 - 2016-05-05 22:53 - 00000000 ____D C:\Users\Dorothy\AppData\Local\WindowsUpdate
2016-05-05 17:28 - 2016-05-05 17:28 - 00000000 ____D C:\Users\Dorothy\AppData\Roaming\Avira
2016-05-05 17:20 - 2016-04-04 17:07 - 00154816 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2016-05-05 17:20 - 2016-04-04 17:07 - 00141920 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2016-05-05 17:20 - 2016-04-04 17:07 - 00079696 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2016-05-05 17:20 - 2016-04-04 17:07 - 00028600 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avkmgr.sys
2016-05-05 17:04 - 2016-05-05 17:04 - 00057560 _____ C:\Users\Dorothy\AppData\Local\GDIPFONTCACHEV1.DAT
2016-05-05 17:03 - 2016-05-05 17:21 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2016-05-05 17:03 - 2016-05-05 17:20 - 00000000 ____D C:\ProgramData\Avira
2016-05-05 17:03 - 2016-05-05 17:20 - 00000000 ____D C:\Program Files (x86)\Avira
2016-05-05 17:03 - 2016-05-05 17:03 - 00000000 ____D C:\ProgramData\Package Cache
2016-05-05 16:22 - 2016-05-05 15:33 - 00000000 ____D C:\Windows\Panther
2016-05-05 16:21 - 2016-05-05 17:08 - 00000000 ____D C:\Users\Dorothy\AppData\Local\Mozilla
2016-05-05 16:21 - 2016-05-05 16:57 - 00000000 ____D C:\Users\Dorothy\AppData\Roaming\Mozilla
2016-05-05 16:20 - 2016-05-05 16:21 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-05-05 16:20 - 2016-05-05 16:20 - 00001163 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-05-05 16:20 - 2016-05-05 16:20 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-05-05 15:39 - 2016-05-05 15:39 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2016-05-05 15:34 - 2014-05-14 09:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2016-05-05 15:34 - 2014-05-14 09:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2016-05-05 15:34 - 2014-05-14 09:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2016-05-05 15:34 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2016-05-05 15:34 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2016-05-05 15:34 - 2014-05-14 09:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2016-05-05 15:34 - 2014-05-14 09:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2016-05-05 15:34 - 2014-05-14 09:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2016-05-05 15:34 - 2014-05-14 09:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2016-05-05 15:34 - 2014-05-14 09:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2016-05-05 15:34 - 2014-05-14 09:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2016-05-05 15:34 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2016-05-05 15:34 - 2014-05-14 09:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2016-05-05 15:34 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2016-05-05 15:33 - 2016-05-06 21:24 - 00000000 ____D C:\Users\Dorothy\AppData\Local\VirtualStore
2016-05-05 15:33 - 2016-05-05 15:33 - 00001447 _____ C:\Users\Dorothy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-05-05 15:33 - 2016-05-05 15:33 - 00001413 _____ C:\Users\Dorothy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2016-05-05 15:33 - 2016-05-05 15:33 - 00000020 ___SH C:\Users\Dorothy\ntuser.ini
2016-05-05 15:33 - 2016-05-05 15:33 - 00000000 _SHDL C:\Users\Dorothy\My Documents
2016-05-05 15:33 - 2016-05-05 15:33 - 00000000 _SHDL C:\Users\Dorothy\Documents\My Videos
2016-05-05 15:33 - 2016-05-05 15:33 - 00000000 _SHDL C:\Users\Dorothy\Documents\My Pictures
2016-05-05 15:33 - 2016-05-05 15:33 - 00000000 _SHDL C:\Users\Dorothy\Documents\My Music
2016-05-05 15:33 - 2016-05-05 15:33 - 00000000 ____D C:\Users\Dorothy
2016-05-05 15:33 - 2011-04-12 01:28 - 00000000 ____D C:\Users\Dorothy\AppData\Roaming\Media Center Programs
2016-05-05 15:25 - 2016-05-05 15:25 - 00001345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
2016-05-05 15:25 - 2016-05-05 15:25 - 00001326 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-07 14:00 - 2009-07-13 21:45 - 00021872 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-05-07 14:00 - 2009-07-13 21:45 - 00021872 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-05-07 13:59 - 2009-07-13 22:13 - 00713888 _____ C:\Windows\system32\PerfStringBackup.INI
2016-05-07 13:59 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\inf
2016-05-07 13:52 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-05-05 16:22 - 2009-07-13 22:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2016-05-05 15:33 - 2009-07-13 20:20 - 00000000 __RHD C:\Users\Public\Libraries
2016-05-05 15:28 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2016-05-05 15:27 - 2009-07-13 21:45 - 00274320 _____ C:\Windows\system32\FNTCACHE.DAT
2016-05-05 15:25 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\sysprep
2016-05-05 15:23 - 2011-04-12 01:28 - 00000000 ____D C:\Windows\CSC

==================== Files in the root of some directories =======

2016-05-06 15:34 - 1998-10-27 08:41 - 0029732 ____N () C:\Program Files\Acsatlas.exe
2016-05-06 15:34 - 1997-08-09 16:51 - 0108954 ____N () C:\Program Files\Acsatlas.hlp
2016-05-06 15:34 - 1999-07-15 09:57 - 3097989 _____ () C:\Program Files\Acsia.dat
2016-05-06 15:34 - 1997-03-03 04:30 - 0000042 _____ () C:\Program Files\acspa.dat
2016-05-06 15:34 - 1999-04-21 22:54 - 0124611 _____ () C:\Program Files\Acstt.dat
2016-05-06 15:34 - 1997-12-01 14:11 - 4918952 _____ () C:\Program Files\Acsua.dat
2016-05-06 15:34 - 1998-10-27 08:41 - 0009045 ____N () C:\Program Files\Paconvrt.exe
2016-05-06 15:34 - 2016-05-06 15:34 - 0004060 _____ () C:\Program Files\UninPCAt.isu

Some files in TEMP:
====================
C:\Users\Dorothy\AppData\Local\Temp\avgnt.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-05-05 15:23

==================== End of FRST.txt ============================

 

 

 

 




#2 nasdaq (Malware Response Team, 39,559 posts, Montreal, QC. Canada)

Posted 08 May 2016 - 08:24 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

HKU\S-1-5-21-2696319928-2991289490-3549644925-1001\...\Run: [AdvancedIdentityProtector] => "C:\Program Files (x86)\Systweak\Advanced Identity Protector\AdvancedIdentityProtector.exe"


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
  • If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please let me know what problem persists with this computer.

p.s.
Please also paste the content of the Addition.txt file that was created by the Farbar tool for my review.

#3 DottieR (Topic Starter, Members, 278 posts)

Posted 08 May 2016 - 04:57 PM

I wasn't having any actual problem. I wanted to know if anything remained of the programs installed by the tech from the pop-up ad. From my post above "I uninstalled the two programs they installed and don't remember what they were, so Slurppa on the securities forum suggested I post here."

I would like to know how the tech from the pop-up ad found a phone number I never had contact with on my computer.

Thank you for your help.

Fix result of Farbar Recovery Scan Tool (x64) Version:07-05-2016
Ran by Dorothy (2016-05-08 12:32:30) Run:1
Running from C:\Users\Dorothy\Desktop
Loaded Profiles: Dorothy (Available Profiles: Dorothy)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

HKU\S-1-5-21-2696319928-2991289490-3549644925-1001\...\Run: [AdvancedIdentityProtector] => "C:\Program Files (x86)\Systweak\Advanced Identity Protector\AdvancedIdentityProtector.exe"


End
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.

=========  ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========  IPCONFIG /release =========


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::d8f3:5b46:87ab:bbc9%11
   Default Gateway . . . . . . . . . : fe80::ca3a:35ff:fe09:a3a0%11

Tunnel adapter isatap.Home:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

========= End of CMD: =========


=========  IPCONFIG /renew =========


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : Home
   Link-local IPv6 Address . . . . . : fe80::d8f3:5b46:87ab:bbc9%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::ca3a:35ff:fe09:a3a0%11
                                       192.168.1.1

========= End of CMD: =========

HKU\S-1-5-21-2696319928-2991289490-3549644925-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AdvancedIdentityProtector => value removed successfully
EmptyTemp: => 650.7 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 12:44:10 ====

Not sure if the following is complete as Windows update restarted my computer while it was running.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-05-2016
Ran by Dorothy (administrator) on DOROTHY-PC (08-05-2016 12:49:05)
Running from C:\Users\Dorothy\Desktop
Loaded Profiles: Dorothy (Available Profiles: Dorothy)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [Avira SystrayStartTrigger] => C:\Program Files (x86)\Avira\Launcher\Avira.SystrayStartTrigger.exe [66328 2016-04-15] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\Antivirus\avgnt.exe [814608 2016-04-04] (Avira Operations GmbH & Co. KG)
HKLM\...\RunOnce: [*EmptyTemp] => cmd /c rd /q/s C:\FRST\Temp
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

# AdwCleaner v5.115 - Logfile created 08/05/2016 at 13:49:03
# Updated 01/05/2016 by Xplode
# Database : 2016-05-08.4 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (X64)
# Username : Dorothy - DOROTHY-PC
# Running from : C:\Users\Dorothy\Desktop\adwcleaner_5.115.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [650 bytes] - [08/05/2016 13:49:03]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [722 bytes] ##########



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 May 2016 - 07:14 AM

http://www.delraytechnologies.com/

I would like to know how the tech from the pop-up ad found a phone number I never had contact with on my computer.


He probably was party to it.
Delraytechnologies.com was created on 27 January 2016
http://statuslite.com/domain/delraytechnologies.com

I know one thing: I would NEVER call any number that is given to me by an unknown party.

Microsoft or any other security software company will never ask you to contact them. I mean NEVER.

===

I would like you to run the Farbar tool one more time and post a fresh FRST log.

I need to see the contents of the Addition.txt file that was created the first time you executed the Farbar tool.

#5 DottieR

DottieR
  • Topic Starter

  • Members
  • 278 posts

Posted 09 May 2016 - 09:03 AM

Thank you. Lesson learned. But it was scary when that black screen popped up and said my computer was locked.


Additional scan result of Farbar Recovery Scan Tool (x64) Version:07-05-2016
Ran by Dorothy (2016-05-09 06:46:30)
Running from C:\Users\Dorothy\Desktop
Windows 7 Professional Service Pack 1 (X64) (2016-05-05 22:33:19)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2696319928-2991289490-3549644925-500 - Administrator - Disabled)
Dorothy (S-1-5-21-2696319928-2991289490-3549644925-1001 - Administrator - Enabled) => C:\Users\Dorothy
Guest (S-1-5-21-2696319928-2991289490-3549644925-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2696319928-2991289490-3549644925-1003 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Antivirus (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Antivirus (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ACS PC Atlas (HKLM-x32\...\ACS PC Atlas) (Version:  - )
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.17.273 - Avira Operations GmbH & Co. KG)
Avira Launcher (HKLM-x32\...\{75d68d04-536e-4ae9-9d9a-549d3228d816}) (Version: 1.1.60.27086 - Avira Operations GmbH & Co. KG)
Avira Launcher (x32 Version: 1.1.60.27086 - Avira Operations GmbH & Co. KG) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Mozilla Firefox 46.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 46.0.1 (x86 en-US)) (Version: 46.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 46.0.1 - Mozilla)
Samsung ML-1740 Series (HKLM-x32\...\Samsung ML-1740 Series) (Version:  - )
Samsung Universal Print Driver 2 (HKLM-x32\...\Samsung Universal Print Driver 2) (Version: 2.50.06.00 - Samsung Electronics Co., Ltd.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {8AF7718F-1B60-49E9-A89A-E2D6131C9326} - System32\Tasks\{FE4460E8-45E0-4952-991D-0F065563FE4C} => pcalua.exe -a G:\sp44223.exe -d G:\

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-05-06 21:19 - 2014-04-16 01:22 - 00029184 _____ () C:\Windows\System32\usp02l.dll
2016-05-06 21:21 - 2014-11-26 04:07 - 00118576 _____ () C:\Windows\SysWOW64\SecUPDUtilSvc.exe

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:18750BD1 [145]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 19:34 - 2009-06-10 14:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2696319928-2991289490-3549644925-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Dorothy\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{8CC77492-AF01-4365-8003-8606A1F121DD}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{21A1223E-EF89-4C38-AED6-E40D943EE84A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4C44BBFB-8763-4C27-AE5C-9D00C1797803}] => (Allow) C:\Program Files (x86)\Samsung\Samsung Universal Print Driver 2\PrinterSelector\SUPDApp.exe

==================== Restore Points =========================

05-05-2016 15:33:46 Windows Update
05-05-2016 19:30:46 Windows Backup
06-05-2016 22:25:45 Windows Update
07-05-2016 03:00:33 Windows Update
07-05-2016 21:59:48 Windows Update
08-05-2016 16:45:17 Windows Update
08-05-2016 22:09:04 Windows Update

==================== Faulty Device Manager Devices =============

Name: PS/2 Compatible Mouse
Description: PS/2 Compatible Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (05/09/2016 06:35:45 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/08/2016 10:56:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/08/2016 03:40:26 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (05/08/2016 03:25:42 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/08/2016 01:15:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/08/2016 12:54:25 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/08/2016 12:53:03 PM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{e8acb575-130f-11e6-b5ad-806e6f6e6963} - 000000000000013C,0x0053c008,00000000002DFFE0,0,00000000002E0FF0,4096,[0]).  hr = 0x80070079, The semaphore timeout period has expired.
.


Operation:
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (05/08/2016 12:42:37 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Dorothy\Desktop\FRST64.exe ; Description = Restore Point Created by FRST; Error = 0x81000101).

Error: (05/08/2016 12:32:35 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {94e0d94d-e296-4e1e-afd4-57a4ae969cc7}

Error: (05/08/2016 12:06:27 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (05/09/2016 06:35:05 AM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \SystemRoot\SysWow64\Drivers\DgiVecp.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (05/08/2016 10:55:27 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \SystemRoot\SysWow64\Drivers\DgiVecp.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (05/08/2016 10:54:29 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070103: Intel Corporation - Display - Intel® 82945G Express Chipset Family.

Error: (05/08/2016 10:54:28 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070103: Intel Corporation - Display - Intel® 82945G Express Chipset Family.

Error: (05/08/2016 10:10:50 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {752073A1-23F2-4396-85F0-8FDB879ED0ED}

Error: (05/08/2016 09:30:04 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

Error: (05/08/2016 06:40:06 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.

Error: (05/08/2016 03:29:53 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR3.

Error: (05/08/2016 03:29:52 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR3.

Error: (05/08/2016 03:29:52 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR3.


==================== Memory info ===========================

Processor: Intel® Pentium® 4 CPU 2.80GHz
Percentage of memory in use: 87%
Total physical RAM: 2039.43 MB
Available physical RAM: 253.14 MB
Total Virtual: 4078.85 MB
Available Virtual: 2438.32 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:187.64 GB) (Free:149.68 GB) NTFS
Drive d: () (Fixed) (Total:37.25 GB) (Free:27.28 GB) NTFS
Drive g: (PATRIOT) (Removable) (Total:115.21 GB) (Free:103.8 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 37.3 GB) (Disk ID: 60C0968A)
Partition 1: (Active) - (Size=37.3 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 08D757C3)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=187.6 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 115.2 GB) (Disk ID: B2D25236)
Partition 1: (Not Active) - (Size=115.2 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 09 May 2016 - 12:51 PM

Thank you. Lesson learned. But it was scary when that black screen popped up and said my computer was locked.


Yes, I can appreciate that.

Your logs are clean.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#7 DottieR

DottieR
  • Topic Starter

  • Members
  • 278 posts

Posted 09 May 2016 - 02:19 PM

Everything seems fine. Thank you.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,559 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 May 2016 - 08:35 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
