HELP! Virus or Malware Added Group Policy and cannot find it


I downloaded a program called beyond repair from CNET 2 days ago and my system has not been the same since. I believe I have removed all the infections using Malwarebytes (in safe mode), HijackThis, CCleaner, rkill, Spybot, etc. I have googled and tried everything I could find, but here is the current state of my machine. If I try and run Malwarebytes I get an error stating that "This Program is Blocked by Group Policy". I then check the event viewer and see this:

"Access to C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe has been restricted by your Administrator by location with policy rule {3036cfcf-7c01-4800-a2ca-e6a7873107d2} placed on path C:\Program Files (x86)\Malwarebytes' Anti-Malware."

I have googled and looked and I cannot find anywhere on my system where I have a group policy. I know for a fact I did not add one. I also get the same error when I try and start the Avira control panel. If I rename C:\Program Files (x86)\Malwarebytes' Anti-Malware to C:\Program Files (x86)\Malwarebytes' Anti-Malware1 and run the exe, it runs fine and does not find or detect anything. It also works in safe mode. I also found online a command option to reset all your group policies back to default, and I still get the error. I am not a member of a domain. Whatever virus or spyware that was on my system found I was running Malwarebytes and Avira and added a rule somewhere that I cannot remove. I have also tried the Avira rescue disk as well as loaded Avast and performed a boot scan, and found nothing. I am not sure what to try next; any help will be greatly appreciated. I attached my HijackThis log and screenshots. My user is the Administrator, and I also get the same error if I log in and use the Windows default Admin account.

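The "restricted by your Administrator by location with policy rule {GUID} placed on path ..." text is the block message of a Software Restriction Policy (SRP) path rule, and SRP rules are stored in the registry under Safer\CodeIdentifiers rather than in any place gpedit shows for a non-domain machine. The script below is an added example, not from this thread or from Malwarebytes: it enumerates every SRP path rule in the machine and user hives and flags the rule id quoted in the post; the level-name table and the event-id lookup are standard SRP values, and the rule GUID is the one from the event text above.

```powershell
# Added example, not part of the thread: locate Software Restriction Policy (SRP)
# path rules in the registry and flag the rule id quoted in the event message.
# SRP stores each rule as a subkey
#   <hive>\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}
# whose ItemData value holds the path the rule applies to. Run from an elevated prompt.

# Security-level subkey names and what they mean (SAFER_LEVELID_* values).
$LevelNames = @{
    '0'      = 'Disallowed'
    '4096'   = 'Untrusted'
    '65536'  = 'Constrained'
    '131072' = 'Basic User'
    '262144' = 'Unrestricted'
}

function Get-SrpPathRule {
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
        if (-not (Test-Path -Path $base)) { continue }

        # DefaultLevel says what happens to executables no rule matches.
        $cfg = Get-ItemProperty -Path $base

        foreach ($level in Get-ChildItem -Path $base) {
            $paths = Join-Path -Path $level.PSPath -ChildPath 'Paths'
            if (-not (Test-Path -Path $paths)) { continue }

            foreach ($rule in Get-ChildItem -Path $paths) {
                $props = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Hive         = $hive
                    RuleId       = $rule.PSChildName          # the {GUID} from the event text
                    Level        = $LevelNames[$level.PSChildName]
                    Path         = $props.ItemData            # path the rule is placed on
                    Description  = $props.Description
                    # LastModified is a FILETIME; useful to line up with the infection date.
                    LastModified = if ($props.LastModified) { [datetime]::FromFileTime($props.LastModified) } else { $null }
                    DefaultLevel = $LevelNames["$($cfg.DefaultLevel)"]
                    RegistryKey  = $rule.Name
                }
            }
        }
    }
}

# Rule id quoted in the event message in this thread.
$SuspectRuleId = '{3036cfcf-7c01-4800-a2ca-e6a7873107d2}'

$rules = Get-SrpPathRule
$rules | Format-Table Hive, Level, RuleId, Path, LastModified -AutoSize

$hit = $rules | Where-Object { $_.RuleId -eq $SuspectRuleId }
if ($hit) {
    Write-Host "Rule $SuspectRuleId found at $($hit.RegistryKey): $($hit.Level) on '$($hit.Path)'"
} else {
    Write-Host "Rule $SuspectRuleId not present in HKLM or HKCU; it may be re-created at policy refresh."
}

# Corroborate with the SRP block events in the Application log (id 866 = blocked by a path rule),
# which name every rule that fired, including any placed on other security tools.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 866 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

A rule nobody set can be deleted at the registry key the script prints (Remove-Item -Recurse) and the policy refreshed with gpupdate /force; if it comes back, the local policy file under C:\Windows\System32\GroupPolicy\Machine (registry.pol) is re-applying it and needs the same entry removed there.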

  • Staff

This may be like trying to find a needle in a haystack, but we can try.

First of all, have you tried restoring the machine back to a restore point prior to downloading the program?

Also, have you tried completely uninstalling and re-installing both those programs (MBAM and Avira)?

Let's first get a diagnostic log outside of Windows:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

Then:

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

I did try a system restore and an uninstall and reinstall of both and got the same results. Malwarebytes will only run in safe mode, or in regular Windows if I rename the directory. Avira will not run regardless, because of the group policy. Anyway, here is the log. Thanks again for your help and I hope you see something. Oh, I almost forgot: I ran System File Checker and everything came back clean.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-11-2012

Ran by SYSTEM at 16-11-2012 08:20:06

Running from J:\

Windows 7 Ultimate N (X64) OS Language: English(US)

The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [16329760 2009-06-16] (NVIDIA Corporation)

HKLM\...\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start [93728 2009-06-16] (NVIDIA Corporation)

HKLM\...\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe [660360 2007-05-31] (Microsoft Corporation)

HKLM\...\Run: [sysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-09] (IDT, Inc.)

HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-15] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [85160 2009-06-17] (Elaborate Bytes AG)

HKLM-x32\...\Run: [standby] "c:\Program Files (x86)\Common Files\Corel\Standby\Standby.exe" -START [105632 2010-03-18] (Corel)

HKLM-x32\...\Run: [Firebird] C:\Program Files (x86)\Firebird\Firebird_2_1\bin\fbguard.exe -a [81920 2009-07-22] (Firebird Project)

HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-10-11] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)

HKLM-x32\...\Run: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler [2073976 2012-03-14] (Flexera Software LLC.)

HKLM-x32\...\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin [1523360 2011-01-12] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [] [x]

HKLM-x32\...\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe" [887976 2011-08-23] (Ask)

HKLM-x32\...\Run: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)

HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [38872 2012-07-31] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-11] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-09-09] (Apple Inc.)

HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-10-25] (Apple Inc.)

HKLM-x32\...\Run: [sDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" [3821592 2012-10-24] (Safer-Networking Ltd.)

HKLM-x32\...\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui [4297136 2012-10-30] (AVAST Software)

HKU\Administrator\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-05-07] (Google Inc.)

HKU\justin\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2010-05-07] (Google Inc.)

HKU\justin\...\Run: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US [4321112 2011-01-05] (AOL Inc.)

HKU\justin\...\Run: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\isuspm.exe -scheduler [2073976 2012-03-14] (Flexera Software LLC.)

HKU\justin\...\Run: [cdloader] "C:\Users\justin\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK [50592 2010-12-03] (magicJack L.P.)

HKU\justin\...\Run: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [59280 2012-08-29] (Apple Inc.)

Tcpip\Parameters: [DhcpNameServer] 10.28.1.120 10.22.1.29

AppInit_DLLs: C:\Windows\System32\AMInit64.dll

Startup: C:\Users\All Users\Start Menu\Programs\Startup\NTRglobal Console.lnk

ShortcutTarget: NTRglobal Console.lnk -> C:\Program Files (x86)\NTR global\Console\_inquiero.exe (NTR)

==================== Services (Whitelisted) ===================

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)

4 AeXNSClient; C:\Program Files (x86)\Altiris\Altiris Agent\aexnsagent.exe [1401640 2010-03-28] (Altiris, Inc.)

4 AltirisAgentProvider; "C:\Program Files (x86)\Altiris\Altiris Agent\Agents\WMIProviderAgent\AltirisAgentProvider.exe" [614400 2009-04-22] (Altiris, Inc.)

2 avast! Antivirus; "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" [44808 2012-10-30] (AVAST Software)

4 awhost32; "C:\Program Files (x86)\Symantec\pcAnywhere\awhost32.exe" [136568 2010-01-04] (Symantec Corporation)

2 FirebirdGuardianDefaultInstance; "C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbguard.exe" -s DefaultInstance [98304 2010-09-17] (Firebird Project)

3 FirebirdServerDefaultInstance; "C:\Program Files (x86)\Firebird\Firebird_2_5\bin\fbserver.exe" -s DefaultInstance [3735552 2010-09-17] (Firebird Project)

3 getPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper.dll [44576 2010-05-10] (NOS Microsystems Ltd.)

2 Iap; "C:\Program Files\Dell\OpenManage\Client\Iap.exe" [613288 2010-03-23] (Dell Inc.)

2 MSSQL$SQLSERVER; "C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLSERVER\MSSQL\Binn\sqlservr.exe" -sSQLSERVER [61916000 2011-04-23] (Microsoft Corporation)

2 NWVZHelper; C:\Program Files (x86)\Novatel Wireless\Verizon\Drivers\NWHelper_001.exe [270848 2010-06-14] (Novatel Wireless Inc.)

3 oad; C:\PROGRA~2\Borland\vbroker\bin\oad.exe [1781248 1998-03-12] ()

3 osagent; C:\PROGRA~2\Borland\vbroker\bin\osagent.exe [193536 1998-03-12] ()

2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1100320 2012-10-24] (Safer-Networking Ltd.)

2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1367576 2012-10-24] (Safer-Networking Ltd.)

2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-10-24] (Safer-Networking Ltd.)

2 softOSD; C:\Program Files (x86)\softOSD\softOSD.exe [284728 2009-12-15] (EnTech Taiwan)

4 SQLAgent$SQLSERVER; "C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLSERVER\MSSQL\Binn\SQLAGENT.EXE" -i SQLSERVER [428384 2011-04-23] (Microsoft Corporation)

2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_e085d3cd5b474ba6\STacSV64.exe [244736 2010-03-09] (IDT, Inc.)

2 UltiDev Web Server Pro; "C:\Program Files (x86)\UltiDev\Web Server\UltiDev.WebServer.Monitor.exe" [64512 2012-02-25] (UltiDev LLC)

2 UWS HiPriv Services; "C:\Program Files (x86)\UltiDev\Web Server\UWS.HighPrivilegeUtilities.exe" [48128 2012-02-25] (UltiDev LLC)

2 UWS LoPriv Services; "C:\Program Files (x86)\UltiDev\Web Server\UWS.LowPrivilegeUtilities.exe" [44032 2012-02-25] (UltiDev LLC)

==================== Drivers (Whitelisted) =====================

3 61883; C:\Windows\System32\Drivers\61883.sys [60288 2009-07-13] (Microsoft Corporation)

2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [25232 2012-10-30] (AVAST Software)

2 aswMonFlt; C:\Windows\System32\Drivers\aswMonFlt.sys [71600 2012-10-30] (AVAST Software)

1 aswRdr; C:\Windows\System32\Drivers\aswrdr2.sys [54072 2012-10-15] (AVAST Software)

1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [984144 2012-10-30] (AVAST Software)

1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [370288 2012-10-30] (AVAST Software)

1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [59728 2012-10-30] (AVAST Software)

1 awecho; C:\Windows\SysWow64\drivers\awechomd.sys [16432 2009-12-02] (Symantec Corporation)

1 AW_HOST; C:\Windows\SysWow64\drivers\aw_host5.sys [23864 2007-03-30] (Symantec Corporation)

3 ISRegFlt; \??\C:\Program Files (x86)\InstallShield\2012\System\ISRegFlt64.sys [39576 2011-08-11] (Flexera Software)

1 omci; C:\Windows\System32\Drivers\omci.sys [26624 2010-03-08] (Dell Inc.)

1 se64a; C:\Windows\System32\Drivers\se64a.sys [14032 2007-05-03] (EnTech Taiwan)

1 se64a; C:\Windows\SysWow64\Drivers\se64a.sys [14032 2007-05-03] (EnTech Taiwan)

3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [x]

3 xpvcom; C:\Windows\System32\Drivers\xpvcom.sys [x]

==================== NetSvcs (Whitelisted) ====================

==================== One Month Created Files and Folders ========

2012-11-15 09:04 - 2012-11-15 09:04 - 00002981 ____A C:\Users\justin\Desktop\HiJackThis.lnk

2012-11-15 09:04 - 2012-11-15 09:04 - 00000000 ____D C:\Program Files (x86)\Trend Micro

2012-11-15 07:49 - 2012-11-16 04:53 - 00003622 _RASH C:\Users\All Users\ntuser.pol

2012-11-15 06:13 - 2012-11-15 06:27 - 01056768 ____A C:\Users\justin\defltbase.sdb

2012-11-15 04:25 - 2012-11-15 04:25 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-15 04:25 - 2012-11-15 04:25 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-15 04:25 - 2012-09-29 16:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys

2012-11-14 19:00 - 2012-11-16 04:51 - 00000392 ____A C:\Windows\setupact.log

2012-11-14 18:56 - 2012-11-14 18:56 - 00001958 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk

2012-11-14 18:56 - 2012-11-14 18:56 - 00000350 ___AH C:\Windows\Tasks\avast! Emergency Update.job

2012-11-14 18:56 - 2012-10-30 15:51 - 00984144 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys

2012-11-14 18:56 - 2012-10-30 15:51 - 00370288 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys

2012-11-14 18:56 - 2012-10-30 15:51 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys

2012-11-14 18:56 - 2012-10-30 15:51 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys

2012-11-14 18:56 - 2012-10-15 08:59 - 00054072 ____A (AVAST Software) C:\Windows\System32\Drivers\aswRdr2.sys

2012-11-14 18:55 - 2012-11-14 18:55 - 00000000 ____D C:\Users\All Users\AVAST Software

2012-11-14 18:55 - 2012-11-14 18:55 - 00000000 ____D C:\Program Files\AVAST Software

2012-11-14 18:55 - 2012-11-14 18:55 - 00000000 ____A C:\Windows\SysWOW64\config.nt

2012-11-14 18:55 - 2012-10-30 15:51 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys

2012-11-14 18:55 - 2012-10-30 15:51 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr

2012-11-14 18:55 - 2012-10-30 15:50 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe

2012-11-14 18:55 - 2012-10-30 15:50 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe

2012-11-14 13:42 - 2012-11-14 14:14 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy

2012-11-14 13:42 - 2012-11-14 13:42 - 00002177 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk

2012-11-14 13:42 - 2012-11-14 13:42 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2

2012-11-14 13:42 - 2009-01-25 10:14 - 00017272 ____A (Safer Networking Limited) C:\Windows\System32\sdnclean64.exe

2012-11-14 04:46 - 2012-11-15 07:22 - 00007554 ____A C:\Windows\PFRO.log

2012-11-14 04:46 - 2012-11-14 04:46 - 00000000 ____A C:\Windows\setuperr.log

2012-11-13 19:49 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Google

2012-11-13 19:49 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Macromedia

2012-11-13 19:48 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla

2012-11-13 19:48 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google

2012-11-13 19:48 - 2012-11-13 19:48 - 00000000 ____D C:\Users\Administrator\AppData\Local\Mozilla

2012-11-13 19:46 - 2012-11-13 19:56 - 00000000 ____D C:\Users\Administrator\AppData\Local\TSVNCache

2012-11-13 19:46 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe

2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Subversion

2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Apple Computer

2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Local\ntr

2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Local\Adobe

2012-11-13 19:45 - 2012-11-13 19:45 - 00000020 __ASH C:\Users\Administrator\ntuser.ini

2012-11-13 19:45 - 2012-11-13 19:45 - 00000000 ___RD C:\Users\Administrator\Virtual Machines

2012-11-13 19:45 - 2012-11-13 19:45 - 00000000 ____D C:\users\Administrator

2012-11-13 19:45 - 2012-03-07 13:17 - 00000000 ____D C:\Users\Administrator\Documents\Visual Studio 2008

2012-11-13 19:45 - 2012-03-07 05:09 - 00000000 ____D C:\Users\Administrator\Documents\Visual Studio 2010

2012-11-13 19:45 - 2012-03-06 05:01 - 00000000 ____D C:\Users\Administrator\Documents\Visual Studio 2005

2012-11-13 19:45 - 2012-03-06 05:01 - 00000000 ____D C:\Users\Administrator\AppData\Local\Microsoft Help

2012-11-13 19:45 - 2010-05-07 11:05 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Macromedia

2012-11-13 19:23 - 2012-11-13 19:23 - 00001021 ____A C:\Users\Public\Desktop\CCleaner.lnk

2012-11-13 18:04 - 2012-11-14 13:34 - 00000808 ____A C:\rkill.log

2012-11-13 17:54 - 2012-11-13 18:46 - 00000000 ____D C:\Windows\erdnt

2012-11-13 17:34 - 2012-11-16 05:14 - 00000000 ____D C:\removaltools

2012-11-13 17:34 - 2012-11-13 17:34 - 00000000 ____D C:\Users\justin\Documents\My Weblog Posts

2012-11-13 13:25 - 2012-11-13 13:25 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\justin\Downloads\mbam-setup-1.65.1.1000.exe

2012-11-13 08:36 - 2012-11-13 08:36 - 00000000 ____D C:\Users\justin\AppData\Roaming\Scooter Software

2012-11-13 08:36 - 2012-11-13 08:36 - 00000000 ____D C:\Users\justin\AppData\Roaming\Claro

2012-11-13 08:35 - 2012-11-13 08:35 - 05869768 ____A (Scooter Software ) C:\Users\justin\Downloads\BCompare-3.3.5.15075.exe

2012-11-13 08:35 - 2012-11-13 08:35 - 00000000 ____D C:\Users\All Users\Browser Manager

2012-11-13 07:29 - 2012-11-13 07:29 - 04693333 ____A (FileZilla Project) C:\Users\justin\Downloads\FileZilla_3.6.0_win32-setup.exe

2012-11-12 08:06 - 2012-11-12 08:08 - 00000000 ____D C:\medicalplan

2012-11-08 06:38 - 2012-11-08 06:38 - 00001845 ____A C:\Users\Public\Desktop\QuickTime Player.lnk

2012-11-08 06:38 - 2012-11-08 06:38 - 00000000 ____D C:\Program Files (x86)\QuickTime

2012-11-08 06:34 - 2012-11-08 06:34 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk

2012-11-08 06:34 - 2012-08-21 10:01 - 00033240 ____A (GEAR Software Inc.) C:\Windows\System32\Drivers\GEARAspiWDM.sys

2012-11-08 06:32 - 2012-11-08 06:34 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69

2012-11-08 06:32 - 2012-11-08 06:34 - 00000000 ____D C:\Program Files\iTunes

2012-11-08 06:32 - 2012-11-08 06:32 - 00000000 ____D C:\Program Files\iPod

2012-11-06 07:51 - 2012-11-06 07:51 - 00000000 ____D C:\Users\justin\AppData\Roaming\smkits

2012-11-05 08:59 - 2012-11-05 08:59 - 00079360 ____A (WANGXUEFENG, CHANGZHOU,JIANGSU province) C:\Windows\System32\dxdiinfo64.dll

2012-10-30 12:00 - 2012-10-30 12:00 - 00000000 ____D C:\Users\justin\Documents\host[1]

2012-10-25 00:12 - 2012-10-25 00:12 - 00094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx

2012-10-25 00:12 - 2012-10-25 00:12 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts

2012-10-23 10:43 - 2012-10-23 12:36 - 00000533 ____A C:\Users\justin\Desktop\QESettings.xml

2012-10-17 08:30 - 2012-10-17 08:30 - 00002758 ____A C:\Users\justin\Desktop\Microsoft SQL Server 2012 Update for Developers Training Kit.lnk

2012-10-17 08:29 - 2012-10-17 08:30 - 00000000 ____D C:\SQL2012UpdateForDevsTrainingKit

==================== One Month Modified Files and Folders =======

2012-11-16 08:19 - 2012-11-16 08:19 - 00000000 ____D C:\FRST

2012-11-16 05:16 - 2012-04-05 04:29 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job

2012-11-16 05:16 - 2010-08-03 09:59 - 00000000 ____D C:\Users\justin\AppData\Local\TSVNCache

2012-11-16 05:16 - 2010-04-23 05:33 - 01311694 ____A C:\Windows\WindowsUpdate.log

2012-11-16 05:14 - 2012-11-13 17:34 - 00000000 ____D C:\removaltools

2012-11-16 05:13 - 2009-07-13 20:50 - 00015008 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2012-11-16 05:13 - 2009-07-13 20:50 - 00015008 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2012-11-16 05:12 - 2010-12-29 08:34 - 00105472 ____A C:\Users\justin\Documents\JustinProgressChart.xls

2012-11-16 05:11 - 2009-07-13 21:12 - 00984700 ____A C:\Windows\System32\PerfStringBackup.INI

2012-11-16 05:00 - 2010-05-07 09:52 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2012-11-16 04:53 - 2012-11-15 07:49 - 00003622 _RASH C:\Users\All Users\ntuser.pol

2012-11-16 04:51 - 2012-11-14 19:00 - 00000392 ____A C:\Windows\setupact.log

2012-11-16 04:51 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT

2012-11-15 13:28 - 2011-09-27 07:16 - 00000000 ____D C:\Users\All Users\firebird

2012-11-15 12:47 - 2010-05-07 09:52 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2012-11-15 09:04 - 2012-11-15 09:04 - 00002981 ____A C:\Users\justin\Desktop\HiJackThis.lnk

2012-11-15 09:04 - 2012-11-15 09:04 - 00000000 ____D C:\Program Files (x86)\Trend Micro

2012-11-15 07:57 - 2011-10-18 08:16 - 00000000 ____D C:\7.6

2012-11-15 07:54 - 2012-06-28 11:47 - 00000000 ____D C:\7.7

2012-11-15 07:22 - 2012-11-14 04:46 - 00007554 ____A C:\Windows\PFRO.log

2012-11-15 07:10 - 2010-12-13 12:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

2012-11-15 06:27 - 2012-11-15 06:13 - 01056768 ____A C:\Users\justin\defltbase.sdb

2012-11-15 06:13 - 2010-04-23 05:33 - 00000000 ____D C:\users\justin

2012-11-15 04:25 - 2012-11-15 04:25 - 00001113 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2012-11-15 04:25 - 2012-11-15 04:25 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-11-14 18:56 - 2012-11-14 18:56 - 00001958 ____A C:\Users\Public\Desktop\avast! Free Antivirus.lnk

2012-11-14 18:56 - 2012-11-14 18:56 - 00000350 ___AH C:\Windows\Tasks\avast! Emergency Update.job

2012-11-14 18:55 - 2012-11-14 18:55 - 00000000 ____D C:\Users\All Users\AVAST Software

2012-11-14 18:55 - 2012-11-14 18:55 - 00000000 ____D C:\Program Files\AVAST Software

2012-11-14 18:55 - 2012-11-14 18:55 - 00000000 ____A C:\Windows\SysWOW64\config.nt

2012-11-14 14:14 - 2012-11-14 13:42 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy

2012-11-14 13:42 - 2012-11-14 13:42 - 00002177 ____A C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk

2012-11-14 13:42 - 2012-11-14 13:42 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2

2012-11-14 13:34 - 2012-11-13 18:04 - 00000808 ____A C:\rkill.log

2012-11-14 12:22 - 2010-06-12 13:39 - 00000000 ____D C:\Users\justin\AppData\Local\Apps\2.0

2012-11-14 12:22 - 2009-07-13 20:50 - 00578032 ____A C:\Windows\System32\FNTCACHE.DAT

2012-11-14 07:07 - 2010-12-14 12:43 - 00000000 ____D C:\spywaretools

2012-11-14 04:46 - 2012-11-14 04:46 - 00000000 ____A C:\Windows\setuperr.log

2012-11-14 02:40 - 2011-01-27 05:58 - 00000000 ____D C:\Program Files (x86)\IdentaFone Software

2012-11-13 19:56 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Local\TSVNCache

2012-11-13 19:49 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Google

2012-11-13 19:49 - 2012-11-13 19:49 - 00000000 ____D C:\Users\Administrator\AppData\Local\Macromedia

2012-11-13 19:49 - 2012-11-13 19:48 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla

2012-11-13 19:49 - 2012-11-13 19:48 - 00000000 ____D C:\Users\Administrator\AppData\Local\Google

2012-11-13 19:49 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe

2012-11-13 19:48 - 2012-11-13 19:48 - 00000000 ____D C:\Users\Administrator\AppData\Local\Mozilla

2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Subversion

2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Apple Computer

2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Local\ntr

2012-11-13 19:46 - 2012-11-13 19:46 - 00000000 ____D C:\Users\Administrator\AppData\Local\Adobe

2012-11-13 19:45 - 2012-11-13 19:45 - 00000020 __ASH C:\Users\Administrator\ntuser.ini

2012-11-13 19:45 - 2012-11-13 19:45 - 00000000 ___RD C:\Users\Administrator\Virtual Machines

2012-11-13 19:45 - 2012-11-13 19:45 - 00000000 ____D C:\users\Administrator

2012-11-13 19:25 - 2010-10-04 12:19 - 00000000 ____D C:\Users\justin\AppData\Roaming\FileZilla

2012-11-13 19:24 - 2010-04-23 09:15 - 00000000 ____D C:\Windows\Panther

2012-11-13 19:23 - 2012-11-13 19:23 - 00001021 ____A C:\Users\Public\Desktop\CCleaner.lnk

2012-11-13 19:23 - 2010-12-14 12:48 - 00000000 ____D C:\Program Files (x86)\CCleaner

2012-11-13 18:54 - 2009-07-13 19:20 - 00000000 __RHD C:\users\Default

2012-11-13 18:46 - 2012-11-13 17:54 - 00000000 ____D C:\Windows\erdnt

2012-11-13 18:37 - 2009-07-13 18:34 - 00000215 ____A C:\Windows\system.ini

2012-11-13 17:34 - 2012-11-13 17:34 - 00000000 ____D C:\Users\justin\Documents\My Weblog Posts

2012-11-13 17:34 - 2011-10-20 05:22 - 00000000 ____D C:\Users\justin\AppData\Local\Windows Live Writer

2012-11-13 14:41 - 2010-11-03 12:49 - 00000000 ____D C:\8.0

2012-11-13 13:25 - 2012-11-13 13:25 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\justin\Downloads\mbam-setup-1.65.1.1000.exe

2012-11-13 09:29 - 2012-05-21 04:19 - 00000000 ____D C:\8.0 NET

2012-11-13 08:36 - 2012-11-13 08:36 - 00000000 ____D C:\Users\justin\AppData\Roaming\Scooter Software

2012-11-13 08:36 - 2012-11-13 08:36 - 00000000 ____D C:\Users\justin\AppData\Roaming\Claro

2012-11-13 08:35 - 2012-11-13 08:35 - 05869768 ____A (Scooter Software ) C:\Users\justin\Downloads\BCompare-3.3.5.15075.exe

2012-11-13 08:35 - 2012-11-13 08:35 - 00000000 ____D C:\Users\All Users\Browser Manager

2012-11-13 07:29 - 2012-11-13 07:29 - 04693333 ____A (FileZilla Project) C:\Users\justin\Downloads\FileZilla_3.6.0_win32-setup.exe

2012-11-13 07:29 - 2010-10-04 12:19 - 00000000 ____D C:\Program Files (x86)\FileZilla FTP Client

2012-11-12 08:08 - 2012-11-12 08:06 - 00000000 ____D C:\medicalplan

2012-11-12 06:02 - 2010-05-10 06:49 - 00000000 ____D C:\tempsp

2012-11-09 05:07 - 2011-09-01 11:52 - 00000000 ____D C:\calls

2012-11-08 13:36 - 2011-07-07 05:33 - 00000000 ____D C:\justin

2012-11-08 08:07 - 2012-02-16 07:31 - 00000600 ____A C:\Users\justin\AppData\Roaming\winscp.rndx

2012-11-08 07:55 - 2012-09-11 08:10 - 00000000 ____D C:\aaa

2012-11-08 07:17 - 2012-02-13 12:06 - 00000000 ____D C:\iphonejailbreak

2012-11-08 06:38 - 2012-11-08 06:38 - 00001845 ____A C:\Users\Public\Desktop\QuickTime Player.lnk

2012-11-08 06:38 - 2012-11-08 06:38 - 00000000 ____D C:\Program Files (x86)\QuickTime

2012-11-08 06:34 - 2012-11-08 06:34 - 00001783 ____A C:\Users\Public\Desktop\iTunes.lnk

2012-11-08 06:34 - 2012-11-08 06:32 - 00000000 ____D C:\Users\All Users\34BE82C4-E596-4e99-A191-52C6199EBF69

2012-11-08 06:34 - 2012-11-08 06:32 - 00000000 ____D C:\Program Files\iTunes

2012-11-08 06:34 - 2012-07-16 08:01 - 00000000 ____D C:\Program Files (x86)\iTunes

2012-11-08 06:32 - 2012-11-08 06:32 - 00000000 ____D C:\Program Files\iPod

2012-11-07 08:51 - 2010-04-28 07:25 - 00175272 ____A C:\Users\justin\AppData\Local\GDIPFONTCACHEV1.DAT

2012-11-07 07:39 - 2010-06-15 05:33 - 00000000 ____D C:\Users\All Users\Microsoft Help

2012-11-07 05:48 - 2012-09-12 04:21 - 00002378 ____A C:\Users\Public\Desktop\Google Chrome.lnk

2012-11-06 07:51 - 2012-11-06 07:51 - 00000000 ____D C:\Users\justin\AppData\Roaming\smkits

2012-11-05 08:59 - 2012-11-05 08:59 - 00079360 ____A (WANGXUEFENG, CHANGZHOU,JIANGSU province) C:\Windows\System32\dxdiinfo64.dll

2012-11-01 11:45 - 2012-04-09 05:08 - 00025088 ____A C:\Users\justin\Documents\daddyloangood.xls

2012-10-31 10:20 - 2010-05-14 05:21 - 00000000 ____D C:\Users\justin\AppData\Local\Downloaded Installations

2012-10-31 05:46 - 2010-07-28 06:20 - 00000000 ____D C:\mitchell

2012-10-30 15:51 - 2012-11-14 18:56 - 00984144 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys

2012-10-30 15:51 - 2012-11-14 18:56 - 00370288 ____A (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys

2012-10-30 15:51 - 2012-11-14 18:56 - 00059728 ____A (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys

2012-10-30 15:51 - 2012-11-14 18:56 - 00025232 ____A (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys

2012-10-30 15:51 - 2012-11-14 18:55 - 00071600 ____A (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys

2012-10-30 15:51 - 2012-11-14 18:55 - 00041224 ____A (AVAST Software) C:\Windows\avastSS.scr

2012-10-30 15:50 - 2012-11-14 18:55 - 00285328 ____A (AVAST Software) C:\Windows\System32\aswBoot.exe

2012-10-30 15:50 - 2012-11-14 18:55 - 00227648 ____A (AVAST Software) C:\Windows\SysWOW64\aswBoot.exe

2012-10-30 12:00 - 2012-10-30 12:00 - 00000000 ____D C:\Users\justin\Documents\host[1]

2012-10-30 11:30 - 2010-05-10 06:49 - 00000000 ____D C:\Program Files (x86)\napa

2012-10-26 11:39 - 2012-04-27 06:11 - 18722816 ____A C:\Users\justin\Documents\tracs7.6blank.mdb

2012-10-25 00:12 - 2012-10-25 00:12 - 00094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx

2012-10-25 00:12 - 2012-10-25 00:12 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts

2012-10-24 11:55 - 2010-05-12 04:50 - 00000000 ____D C:\Delphi DevEnv

2012-10-23 12:36 - 2012-10-23 10:43 - 00000533 ____A C:\Users\justin\Desktop\QESettings.xml

2012-10-23 12:36 - 2010-06-15 05:43 - 00000000 ____D C:\Users\justin\Documents\SQL Server Management Studio

2012-10-23 04:44 - 2010-08-19 11:54 - 00000000 ____D C:\bob hammer

2012-10-17 08:30 - 2012-10-17 08:30 - 00002758 ____A C:\Users\justin\Desktop\Microsoft SQL Server 2012 Update for Developers Training Kit.lnk

2012-10-17 08:30 - 2012-10-17 08:29 - 00000000 ____D C:\SQL2012UpdateForDevsTrainingKit

2012-10-17 06:02 - 2012-02-28 05:33 - 00000000 ____D C:\recovermyfiles

==================== Known DLLs (Whitelisted) =================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit

C:\Windows\System32\wininit.exe => MD5 is legit

C:\Windows\SysWOW64\wininit.exe => MD5 is legit

C:\Windows\explorer.exe => MD5 is legit

C:\Windows\SysWOW64\explorer.exe => MD5 is legit

C:\Windows\System32\svchost.exe => MD5 is legit

C:\Windows\SysWOW64\svchost.exe => MD5 is legit

C:\Windows\System32\services.exe => MD5 is legit

C:\Windows\System32\User32.dll => MD5 is legit

C:\Windows\SysWOW64\User32.dll => MD5 is legit

C:\Windows\System32\userinit.exe => MD5 is legit

C:\Windows\SysWOW64\userinit.exe => MD5 is legit

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK

HKLM\...\exefile\DefaultIcon: %1 => OK

HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-10-30 06:00:06

Restore point made on: 2012-10-30 06:01:14

Restore point made on: 2012-10-30 06:02:30

Restore point made on: 2012-10-30 06:04:35

Restore point made on: 2012-11-07 07:35:49

Restore point made on: 2012-11-13 16:24:18

Restore point made on: 2012-11-15 09:03:55

Restore point made on: 2012-11-16 04:59:13

==================== Memory info ===========================

Percentage of memory in use: 10%

Total physical RAM: 8179.89 MB

Available physical RAM: 7310.24 MB

Total Pagefile: 8178.04 MB

Available Pagefile: 7298.8 MB

Total Virtual: 8192 MB

Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: () (Fixed) (Total:465.66 GB) (Free:51.27 GB) NTFS

7 Drive j: () (Removable) (Total:0.94 GB) (Free:0.03 GB) FAT

8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

9 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[system with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt

-------- ------------- ------- ------- --- ---

Disk 0 Online 465 GB 0 B

Disk 1 No Media 0 B 0 B

Disk 2 No Media 0 B 0 B

Disk 3 No Media 0 B 0 B

Disk 4 No Media 0 B 0 B

Disk 5 Online 967 MB 0 B

Partitions of Disk 0:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 100 MB 1024 KB

Partition 2 Primary 465 GB 101 MB

==================================================================================

Disk: 0

Partition 1

Type : 07

Hidden: No

Active: Yes

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

=========================================================

Disk: 0

Partition 2

Type : 07

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 2 C NTFS Partition 465 GB Healthy

=========================================================

Partitions of Disk 5:

===============

Partition ### Type Size Offset

------------- ---------------- ------- -------

Partition 1 Primary 966 MB 764 KB

==================================================================================

Disk: 5

Partition 1

Type : 06

Hidden: No

Active: No

Volume ### Ltr Label Fs Type Size Status Info

---------- --- ----------- ----- ---------- ------- --------- --------

* Volume 7 J FAT Removable 966 MB Healthy

=========================================================

Last Boot: 2012-11-06 06:39

==================== End Of Log =============================

FRST.txt


  • Staff

I need another diagnostic log before we begin, please run the following:

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /rp /s
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    DRIVES
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs


Here you go. Thanks

OTL.Txt

Extras.Txt


  • Staff

Please run the following:

Run OTL.exe

  • Copy/paste the following text written inside of the quote box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    [2012/11/05 11:59:04 | 000,079,360 | ---- | C] (WANGXUEFENG, CHANGZHOU,JIANGSU province) -- C:\Windows\SysNative\dxdiinfo64.dll
    [2012/11/16 07:53:58 | 000,003,622 | RHS- | M] () -- C:\ProgramData\ntuser.pol
    [2012/11/05 11:59:04 | 000,079,360 | ---- | M] (WANGXUEFENG, CHANGZHOU,JIANGSU province) -- C:\Windows\SysNative\dxdiinfo64.dll
    [2012/09/01 11:19:59 | 000,000,000 | ---- | C] () -- C:\Users\justin\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
    :Files
    ipconfig /flushdns /c
    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL log

NEXT

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

NEXT

Refer to the ComboFix User's Guide

  1. Download ComboFix from the following location:
    Link
    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on ComboFix.exe & follow the prompts.
  4. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  5. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


  • Staff

Please do the following:

  1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  2. Restart your computer (very important).
  3. Download and run this utility.
  4. It will ask to restart your computer (please allow it to).
  5. After the computer restarts, install the latest version from here.

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


  • Staff

Can you please provide a screenshot of that error, or copy it exactly? Thanks.

Please run the following:

(most of what ESET found are just installer files bundled with adware, so we can remove them)

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:

Press the WinKey + R to open a run box, type Notepad > click OK.

This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


File::
C:\7.6\dotnetclientfix\SoftonicDownloader_for_regcleaner.exe
C:\8.0 NET\cbsidlm-tr1_7-Beyond_Compare-ORG2-10015731.exe
C:\8.0 NET\sqlexpress\Brothersoft_downloader_For_SQL_Server_Management_Studio_Express.exe
C:\battoexeconverter\cbsidlm-cbsi3_2_5_53-Bat_To_Exe_Converter-10555897.exe
C:\calls\cnet2_SoundMill_Setup_V2_msi.exe
C:\iphonejailbreak\winscp436setup-sponsored.exe
C:\Oldcomputer\getdataback\Get.Data.Back.for.NTFS-V2.31.zip
C:\palm\Mightyrom\Unlocker\RhodiumW-HardSPL_V1_10R3.exe.vir
C:\palm\Mightyrom\Unlocker\RhodiumW-HardSPL_V1_10R3_100HSPL.zip.vir
C:\regularguys\setup_359884.exe
C:\regularguys\setup_48599.exe
C:\Users\justin\Desktop\fsSetup132.exe
C:\Users\justin\Downloads\cnet_diskspacefinder_setup_exe.exe
C:\Users\justin\Downloads\cnet_PandoraRecovery2_1_1Setup_exe.exe

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, saving it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

CFScriptB-4.gif

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


  • Staff

You have Spybot installed; was TeaTimer disabled when we did our fixes, to allow any changes we made to take place?

Please manually navigate to the following folder:

Press Start > type Administrative Tools into the search box and open when it populates in the window above > right click "Local Security Policy" and choose to "Run as an Administrator"

Look in both "Software Restriction Policies" and "Application Control Policies", and let me know what you find there and whether there are any references to MBAM or your other security programs.


  • Staff

Try running the following:

Please download Windows Repair (all in one) from here

Install the program then run it

Go to step 2 and allow it to run Disk check

Capture3.gif

Once that is done then go to step 3 and allow it to run SFC

Capture.gif

On the Start Repairs tab => Click the Start button

7fthj.png

Click on the select all check box and then click on Start

DON'T use the computer while each scan is in progress.

Restart may be needed to finish the repair procedure.


  • Staff

Let's see what we can find in the registry.

Please download MiniRegTool64.zip and save it to your desktop.

Unzip it and run MiniRegTool64.exe

Copy and paste the following in the edit box:


HKEY_CURRENT_USER\Software\Policies
HKEY_LOCAL_MACHINE\Software\Policies

Check Export key(s) radio button and click Go.

Please post the log (Export.txt) it makes to your reply.

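One way to do the Local Security Policy check and the Policies key export from a script rather than by hand, as an added example that is not one of the tools used in this thread: it walks the Software Restriction Policy store under Software\Policies\Microsoft\Windows\Safer in both hives, lists every path rule with its {GUID} (the same identifier the event log quotes), and reports which rules cover the blocked program. It assumes the documented SRP registry layout and uses the mbam.exe path from the opening post as its default target.

```powershell
# Added example (not from the thread): enumerate Software Restriction Policy
# path rules in HKLM and HKCU and flag any rule whose folder covers $Target.
# Documented SRP layout assumed here:
#   <hive>\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}
# where <level> 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted,
# and each {GUID} key stores the rule's path in its ItemData value.
param(
    # Program reported as blocked in the event log (path from the opening post).
    [string]$Target = "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe"
)

$levelNames = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

function Get-SrpPathRules {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($levelKey in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            # Only the numeric security-level subkeys hold rules.
            if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
            $level    = [int]$levelKey.PSChildName
            $pathsKey = "$($levelKey.PSPath)\Paths"
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($rule in Get-ChildItem $pathsKey -ErrorAction SilentlyContinue) {
                $props = Get-ItemProperty $rule.PSPath
                [pscustomobject]@{
                    Hive     = $root.Split(':')[0]
                    RuleId   = $rule.PSChildName            # the {GUID} quoted in the event
                    Level    = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { $level }
                    Path     = [Environment]::ExpandEnvironmentVariables([string]$props.ItemData)
                    Modified = $props.LastModified
                    Key      = $rule.Name                   # full key, for manual inspection or removal
                }
            }
        }
    }
}

$rules = @(Get-SrpPathRules)
if ($rules.Count -eq 0) {
    "No SRP path rules found under HKLM or HKCU."
    return
}

"All SRP path rules:"
$rules | Format-Table Hive, Level, RuleId, Path -AutoSize

# SRP applies a path rule to the folder and everything beneath it, so match on prefix.
$hits = $rules | Where-Object {
    $_.Path -and $Target.ToLowerInvariant().StartsWith($_.Path.TrimEnd('\').ToLowerInvariant())
}
if ($hits) {
    "Rules covering ${Target}:"
    $hits | Format-List RuleId, Level, Path, Key
} else {
    "No SRP path rule covers $Target in this context."
}
```

AppLocker rules (the "Application Control Policies" node in the same snap-in) live under HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 instead and are not covered by this script.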

  • Staff

Well, nothing there.

So let's try this:

Please run the following:

  • For 64-bit systems please download GrantPerms64.zip and save it to your desktop.
  • Unzip the file and run GrantPerms64.exe
  • Copy and paste the following in the edit box:

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

  • Now Click Unlock.
  • When it is done click "OK".
  • Now click List Permissions and post the result (Perms.txt) that pops up.
  • A copy of Perms.txt will be saved in the same directory the tool is run.


  • Staff

Let's try this

Please download the Crisis Aversion Tool and save it to your desktop

  • double click on CAT.exe to run it
  • on the "Fixes" tab, check the "Reset Explorer Shell" check box as well as the "Reset Permissions" checkbox
    qtXKR.png
  • Click the "Apply Checked Fixes" button and wait for the tool to finish
  • Once complete, close the program and a log should open automatically > copy and paste the content of that log into your next reply


=============== Repairing permissions... ===============

Analyzing security setting differences (This may take several minutes)... Done. Log saved to: "C:\CAT-Logs\11-20-2012 - 21.48.14.111\SECEDIT - 21.49.08.674.log"

Applying default security settings (This may take several minutes)... Done.

============= Permissions Repair Complete ==============

=============== Repairing explorer shell ===============

Registering acelpdec.ax... Success.

Registering actxprxy.dll... Success.

Registering asctrls.ocx... Success.

Registering daxctle.ocx... Success.

Registering dhtmled.ocx... Success.

Registering hhctrl.ocx... Success.

Registering lcodecx.ax... Success.

Registering licmgr.dll... Success.

Registering mpgds.ax... Success.

Registering msdxm.ocx... Success.

Registering plugin.ocx... Success.

Registering proctexe.ocx... Success.

Registering tdc.ocx... Success.

Registering wshom.ocx... Unable to determine result.

Registering access.cpl... Success.

Registering appwiz.cpl... Success.

Registering desk.cpl... Success.

Registering firewall.cpl... Success.

Registering hdwwiz.cpl... Success.

Registering inetcpl.cpl... Success.

Registering intl.cpl... Success.

Registering nusrmgr.cpl... Success.

Registering netsetup.cpl... Success.

Registering powercfg.cpl... Success.

Registering timedate.cpl... Success.

Registering wuau.cpl... Success.

Registering quartz.dll... Success.

Registering danim.dll... Success.

Registering dxmasf.dll... Success.

Registering dxtmsft.dll... Success.

Registering dxtrans.dll... Success.

Registering sbe.dll... Success.

Registering dxva.dll... Success.

Registering dxmrtp.dll... Success.

Registering dxdiagn.dll... Success.

Registering atl.dll... Success.

Registering corpol.dll... Success.

Registering dispex.dll... Success.

Registering jscript.dll... Success.

Registering scrrun.dll... Success.

Registering scrobj.dll... Success.

Registering vbscript.dll... Success.

Registering wshext.dll... Success.

Registering activeds.dll... Success.

Registering audiodev.dll... Success.

Registering browseui.dll... Success.

Registering browsewm.dll... Success.

Registering cabview.dll... Success.

Registering cdfview.dll... Success.

Registering clbcatex.dll... Success.

Registering clbcatq.dll... Success.

Registering comcat.dll... Success.

Registering cscui.dll... Success.

Registering credui.dll... Success.

Registering datime.dll... Success.

Registering devmgr.dll... Success.

Registering dfsshlex.dll... Unable to determine result.

Registering dmdlgs.dll... Success.

Registering dmdeskmgr.dll... Success.

Registering dmocx.dll... Success.

Registering dmview.ocx... Unable to determine result.

Registering dsuiext.dll... Success.

Registering dsquery.dll... Success.

Registering dskquoiu.dll... Success.

Registering els.dll... Success.

Registering es.dll... Success.

Registering fontext.dll... Success.

Registering hlink.dll... Success.

Registering hnetcfg.dll... Success.

Registering iedkcs.dll... Success.

Registering iepeers.dll... Success.

Registering iesetup.dll... Success.

Registering ils.dll... Success.

Registering imgutil.dll... Success.

Registering inetcfg.dll... Success.

Registering inetcomm.dll... Success.

Registering inseng.dll... Success.

Registering laprxy.dll... Success.

Registering lmrt.dll... Success.

Registering mlang.dll... Success.

Registering mmcndmgr.dll... Unable to determine result.

Registering mmcshext.dll... Success.

Registering mscoree.dll... Success.

Registering mshhtml.dll... Success.

Registering msieftp.dll... Success.

Registering msoe.dll... Success.

Registering msoeacct.dll... Success.

Registering msrc.dll... Success.

Registering msrating.dll... Success.

Registering mydocs.dll... Success.

Registering mstime.dll... Success.

Registering netcfgx.dll... Success.

Registering netplwiz.dll... Success.

Registering netman.dll... Success.

Registering netshell.dll... Success.

Registering ntmsevt.dll... Success.

Registering ntmsmgr.dll... Success.

Registering ntmssvc.dll... Success.

Registering occache.dll... Success.

Registering ole.dll... Success.

Registering oleaut.dll... Success.

Registering oleacc.dll... Success.

Registering olepro.dll... Success.

Registering photowiz.dll... Success.

Registering pngfilt.dll... Success.

Registering remotepg.dll... Success.

Registering rpcrt.dll... Success.

Registering rshx.dll... Success.

Registering sendmail.dll... Success.

Registering slayerxp.dll... Success.

Registering shdocvw.dll... Success.

Registering shsvcs.dll... Success.

Registering srclient.dll... Success.

Registering stobject.dll... Success.

Registering themeui.dll... Success.

Registering twext.dll... Success.

Registering urlmon.dll... Success.

Registering userenv.dll... Success.

Registering webcheck.dll... Success.

Registering webvw.dll... Success.

Registering winhttp.dll... Success.

Registering wininet.dll... Success.

Registering zipfldr.dll... Success.

Registering msdadc.dll... Success.

Registering nsdaenum.dll... Success.

Registering msdaer.dll... Success.

Registering msdaipp.dll... Success.

Registering msdaora.dll... Success.

Registering msdaosp.dll... Success.

Registering msdaps.dll... Success.

Registering msdasc.dll... Success.

Registering msdasql.dll... Success.

Registering msdatt.dll... Success.

Registering msdaurl.dll... Success.

Registering msdmeng.dll... Success.

Registering msdmine.dll... Success.

Registering msjtor.dll... Success.

Registering msmdbc.dll... Success.

Registering msmdgd.dll... Success.

Registering msolap.dll... Success.

Registering msolui.dll... Success.

Registering msxactps.dll... Success.

Registering oledb.dll... Success.

Registering oledbr.dll... Success.

Registering sqloledb.dll... Success.

Registering sqlxmlx.dll... Success.

Writing to registry: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonShell"... Successful.

Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\GeneralTab"... Key/Value does not exist.

Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\ProgramsTab"... Key/Value does not exist.

Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\SecurityTab"... Key/Value does not exist.

Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\ContentTab"... Key/Value does not exist.

Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\PrivacyTab"... Key/Value does not exist.

Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\AdvancedTab"... Key/Value does not exist.

Deleting registry key "HKLM\Software\Policies\Microsoft\Explorer\ConnectionsTab"... Key/Value does not exist.

Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\GeneralTab"... Key/Value does not exist.

Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\ProgramsTab"... Key/Value does not exist.

Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\SecurityTab"... Key/Value does not exist.

Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\ContentTab"... Key/Value does not exist.

Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\PrivacyTab"... Key/Value does not exist.

Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\AdvancedTab"... Key/Value does not exist.

Deleting registry key "HKCU\Software\Policies\Microsoft\Explorer\ConnectionsTab"... Key/Value does not exist.

Killing Explorer shell... Done.

Restarting Explorer shell... Done.

============ Explorer Shell Repair Complete ============

