
Computer is Already Infected - Suspected Boot File Issue


pcdaugs


Hello All,

I have gotten an infected machine and I haven't been able to turn it on without it turning off immediately after it tries to boot Windows 7. The only way I have been able to get at my hard drive is by pulling it out of the computer and using it like an external drive on my laptop. I am wondering how you would start cleaning this hard drive for use again. I am not sure how to figure out if the boot file is the issue, so I would greatly appreciate some help.

Thanks,

Paul


  • Staff

Hello and welcome to Malwarebytes,

Please try the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.

    Note: Replace the letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • Type exit and reboot the computer normally.
  • FRST will make a log (FRST.txt) on the flash drive; please copy and paste the log in your reply.

Hello CatByte,

Thanks for your help with getting my computer cleaned up, and I do still need help with it. However, I was able to get it to start before you posted the information earlier. I removed the hard drive, put it into a hard drive enclosure and scanned it with Malwarebytes Pro from my laptop. It cleaned off 34 objects, and then I was able to install it back in the desktop, and it will now boot to the main user page. Now I am having trouble with getting it to stay on, as it will shut down after logging into my main user account. I have downloaded the DDS file from the sticky post on this forum and I plan to run that and post the log for further help. I probably won't be able to complete this until Wednesday night. Thank you for checking in, and sorry for my delayed response.

Best Regards,

pcdaugs


  • Staff

OK,

then let's run FRST in normal mode. As well, I'd like to get a diagnostic scan with MBAR.

Please download the Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ (for 32bit systems)

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ (for 64bit systems)

Note: Wait for the direct download to begin, do not click on anything else on the page.

Save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it.

When the tool opens click Yes to disclaimer.

Press the Scan button.

It will make a log (FRST.txt) in the same directory the tool is run.

Please attach that log to your reply.

The first time the tool is run, it makes a second log (Addition.txt).

Please attach that to your reply as well.

STEP 2:

Please download Malwarebytes Anti-Rootkit (MBAR) from here:

http://www.malwarebytes.org/products/mbar/ and save it to your desktop.

  • Double-click on the MBAR file and allow it to run.
  • Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
  • mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
  • After reading the Introduction, click 'Next' if you agree.
  • On the Update Database screen, click on the 'Update' button.
  • Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

  1. 'Could not load protection driver'. Click 'OK'.
  2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

  • If malware is found, do NOT press the Cleanup button when the scan completes. Click EXIT.

Before performing any removals, I'd like to see the log first so I can see what it will be targeting. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.


I got FRST to run, but mbar is not running. I am still going to work at getting it to run, though. Here is the log file from FRST.

FRST.txt
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-03-2014 02
Ran by Daugs (administrator) on DAUGS-PC on 05-03-2014 21:00:40
Running from C:\Windows\System32\config\systemprofile\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link for 32-Bit version:
Download link for 64-Bit Version:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
 
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xD7F990A695ADCD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
URLSearchHook: HKCU - (No Name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - No File
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzutC0CyC0FyCyDyEzzzzzzyC0A0ByEyDzztN0D0Tzu0CyBtAyCtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=901251890&ir=
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzutC0CyC0FyCyDyEzzzzzzyC0A0ByEyDzztN0D0Tzu0CyBtAyCtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=901251890&ir=
SearchScopes: HKCU - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzutC0CyC0FyCyDyEzzzzzzyC0A0ByEyDzztN0D0Tzu0CyBtAyCtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=901251890&ir=
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = 
SearchScopes: HKCU - {38527D85-B835-4F23-8AA3-7C9930650B4D} URL = http://www.mysearchresults.com/search?c=2355&t=01&q={searchTerms}
SearchScopes: HKCU - {7B3AC98A-5AE8-49F0-B8AD-6F4A47FE4D0C} URL = http://search.conduit.com/Results.aspx?ctid=CT3300019&SearchSource=45&UM=2&q={searchTerms}
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzutC0CyC0FyCyDyEzzzzzzyC0A0ByEyDzztN0D0Tzu0CyBtAyCtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=901251890&ir=
SearchScopes: HKCU - {A486DC73-64E3-4F6D-AA16-10B8C2252628} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=4CA0B5AA-5F8B-484C-8B29-BD26BA1D8965&apn_sauid=A696E9E0-07FB-4E23-B6B8-4BCBE5246CAF
BHO: No Name - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -  No File
BHO: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll No File
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: No Name - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -  No File
BHO-x32: Search-Results Toolbar - {377e5d4d-77e5-476a-8716-7e70a9272da0} - C:\PROGRA~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll No File
BHO-x32: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: DefaultTab Browser Helper - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Daugs\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll No File
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - Search-Results Toolbar - {377e5d4d-77e5-476a-8716-7e70a9272da0} - C:\PROGRA~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-02-10 15:37
 
==================== End Of Log ============================
 
 
Addition.txt
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-03-2014 02
Ran by Daugs at 2014-03-05 21:02:47
Running from C:\Windows\System32\config\systemprofile\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: BullGuard Antivirus (Enabled - Out of date) {C3CCAC61-52F7-A056-1860-6406566E2578}
AS: BullGuard Antispyware (Enabled - Out of date) {78AD4D85-74CD-AFD8-22D0-5F742DE96FC5}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: BullGuard Firewall (Enabled) {FBF72D44-1898-A10E-333F-CD33A8BD6203}
 
==================== Installed Programs ======================
 
 
==================== Restore Points  =========================
 
 
==================== Hosts content: ==========================
 
2009-07-13 20:34 - 2009-06-10 15:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\Digital Sites.job => C:\Users\Daugs\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1587915867-4008423288-1005279028-1001Core.job => C:\Users\Daugs\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1587915867-4008423288-1005279028-1001UA.job => C:\Users\Daugs\AppData\Local\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
 
==================== Alternate Data Streams (whitelisted) =========
 
 
==================== Safe Mode (whitelisted) ===================
 
 
==================== Disabled items from MSCONFIG ==============
 
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: AdobeCS4ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
MSCONFIG\startupreg: SearchProtect => C:\Users\Administrator\AppData\Roaming\SearchProtect\bin\cltmng.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/05/2014 09:01:06 PM) (Source: Application Error) (User: )
Description: Faulting application name: wmpnetwk.exe, version: 12.0.7601.17514, time stamp: 0x4ce7ae7f
Faulting module name: SHELL32.dll, version: 6.1.7601.18222, time stamp: 0x51f1ddfa
Exception code: 0xc0000005
Fault offset: 0x0000000000097c3e
Faulting process id: 0x109c
Faulting application start time: 0xwmpnetwk.exe0
Faulting application path: wmpnetwk.exe1
Faulting module path: wmpnetwk.exe2
Report Id: wmpnetwk.exe3
 
Error: (03/05/2014 09:00:23 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe_nsi, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: IPHLPAPI.DLL, version: 6.1.7601.17514, time stamp: 0x4ce7c6da
Exception code: 0xc0000005
Fault offset: 0x0000000000003abc
Faulting process id: 0x3c4
Faulting application start time: 0xsvchost.exe_nsi0
Faulting application path: svchost.exe_nsi1
Faulting module path: svchost.exe_nsi2
Report Id: svchost.exe_nsi3
 
Error: (03/05/2014 09:00:18 PM) (Source: Application Error) (User: )
Description: Faulting application name: RarExtLoader.exe, version: 3.93.0.0, time stamp: 0x4b9dd387
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000005
Fault offset: 0x0003867c
Faulting process id: 0x1598
Faulting application start time: 0xRarExtLoader.exe0
Faulting application path: RarExtLoader.exe1
Faulting module path: RarExtLoader.exe2
Report Id: RarExtLoader.exe3
 
Error: (03/05/2014 08:57:12 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe_gpsvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: gpsvc.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c66a
Exception code: 0xc0000005
Fault offset: 0x000000000001873e
Faulting process id: 0x3dc
Faulting application start time: 0xsvchost.exe_gpsvc0
Faulting application path: svchost.exe_gpsvc1
Faulting module path: svchost.exe_gpsvc2
Report Id: svchost.exe_gpsvc3
 
Error: (03/05/2014 08:24:58 PM) (Source: Application Error) (User: )
Description: Faulting application name: spoolsv.exe, version: 6.1.7601.17777, time stamp: 0x4f35fc1d
Faulting module name: DEVOBJ.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdee1
Exception code: 0xc0000005
Fault offset: 0x0000000000002bfe
Faulting process id: 0x500
Faulting application start time: 0xspoolsv.exe0
Faulting application path: spoolsv.exe1
Faulting module path: spoolsv.exe2
Report Id: spoolsv.exe3
 
Error: (02/27/2014 09:31:57 PM) (Source: Application Error) (User: )
Description: Faulting application name: Dropbox.exe, version: 2.4.11.0, time stamp: 0x527d91e4
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000005
Fault offset: 0x0005b6ac
Faulting process id: 0x994
Faulting application start time: 0xDropbox.exe0
Faulting application path: Dropbox.exe1
Faulting module path: Dropbox.exe2
Report Id: Dropbox.exe3
 
Error: (02/21/2014 11:07:23 AM) (Source: Application Error) (User: )
Description: Faulting application name: AUDIODG.EXE, version: 6.1.7601.17514, time stamp: 0x4ce7abf9
Faulting module name: MMDevAPI.DLL, version: 6.1.7600.16385, time stamp: 0x4a5bdf68
Exception code: 0xc0000005
Fault offset: 0x00000000000069be
Faulting process id: 0x23c
Faulting application start time: 0xAUDIODG.EXE0
Faulting application path: AUDIODG.EXE1
Faulting module path: AUDIODG.EXE2
Report Id: AUDIODG.EXE3
 
Error: (02/20/2014 09:52:59 PM) (Source: Application Error) (User: )
Description: Faulting application name: rundll32.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc637
Faulting module name: RPCRT4.dll, version: 6.1.7601.18205, time stamp: 0x51db9710
Exception code: 0xc0000005
Fault offset: 0x00020d80
Faulting process id: 0xe8c
Faulting application start time: 0xrundll32.exe0
Faulting application path: rundll32.exe1
Faulting module path: rundll32.exe2
Report Id: rundll32.exe3
 
Error: (02/20/2014 09:36:41 PM) (Source: Application Error) (User: )
Description: Faulting application name: CopyAgent.exe, version: 1.42.277.0, time stamp: 0x52f14e97
Faulting module name: CopyAgent.exe, version: 1.42.277.0, time stamp: 0x52f14e97
Exception code: 0xc0000005
Fault offset: 0x00000000001137c2
Faulting process id: 0x1124
Faulting application start time: 0xCopyAgent.exe0
Faulting application path: CopyAgent.exe1
Faulting module path: CopyAgent.exe2
Report Id: CopyAgent.exe3
 
Error: (02/20/2014 09:36:25 PM) (Source: Application Error) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: DUI70.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdf25
Exception code: 0xc0000005
Fault offset: 0x0000000000013d3c
Faulting process id: 0xb98
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3
 
 
System errors:
=============
Error: (03/05/2014 09:02:36 PM) (Source: Service Control Manager) (User: )
Description: The Windows Update service hung on starting.
 
Error: (03/05/2014 09:02:27 PM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Network Store Interface Service service, but this action failed with the following error: 
%%1056
 
Error: (03/05/2014 09:01:14 PM) (Source: Service Control Manager) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The WinHTTP Web Proxy Auto-Discovery Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The Diagnostic Service Host service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The Network Store Interface Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The Windows Font Cache Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Provider Host service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The COM+ Event System service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.
 
 
Microsoft Office Sessions:
=========================
Error: (12/04/2013 11:22:46 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 89 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (01/09/2013 03:27:17 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 212124 seconds with 120 seconds of active time.  This session ended with a crash.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 13%
Total physical RAM: 16381.55 MB
Available physical RAM: 14089.72 MB
Total Pagefile: 32761.29 MB
Available Pagefile: 30445.58 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:931.41 GB) (Free:273.63 GB) NTFS
Drive f: () (Removable) (Total:1.91 GB) (Free:1.9 GB) FAT
 
==================== End Of Log ============================
 
Thanks for the help!
 
pcdaugs

  • Staff

There are lots of issues with this machine, but let's see what we can do.

Please run the following:

Download attached fixlist.txt file and save it to the Desktop.

FixList.txt

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.


Here is the FixLog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-03-2014 02
Ran by Daugs at 2014-03-05 21:27:48 Run:1
Running from C:\Users\Daugs\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearc...r=901251890&ir=
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearc...r=901251890&ir=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearc...r=901251890&ir=
URLSearchHook: HKCU - (No Name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - No File
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search.as...pn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search.as...pn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search.as...pn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search.as...pn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKCU - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://start.mysearc...ults.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzutC0CyC0FyCyDyEzzzzzzyC0A0ByEyDzztN0D0Tzu0CyBtAyCtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=901251890&ir=
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = 
SearchScopes: HKCU - {38527D85-B835-4F23-8AA3-7C9930650B4D} URL = http://www.mysearchr...?c=2355&t=01&q={searchTerms}
SearchScopes: HKCU - {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://dts.search.as...pn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKCU - {7B3AC98A-5AE8-49F0-B8AD-6F4A47FE4D0C} URL = http://search.condui...urce=45&UM=2&q={searchTerms}
BHO: No Name - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -  No File
BHO: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
BHO-x32: No Name - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -  No File
BHO-x32: Search-Results Toolbar - {377e5d4d-77e5-476a-8716-7e70a9272da0} - C:\PROGRA~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll No File
BHO-x32: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
BHO-x32: DefaultTab Browser Helper - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Daugs\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll No File
Toolbar: HKLM-x32 - Search-Results Toolbar - {377e5d4d-77e5-476a-8716-7e70a9272da0} - C:\PROGRA~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Task: C:\Windows\Tasks\Digital Sites.job => C:\Users\Daugs\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
end
 
 
*****************
 
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{00000000-6E41-4FD3-8538-502F5495E5FC} => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8} => Key deleted successfully.
HKCR\CLSID\{77AA745B-F4F8-45DA-9B14-61D2D95054C8} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key deleted successfully.
HKCR\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key not found.
HKCR\Wow6432Node\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} => Key deleted successfully.
HKCR\CLSID\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{38527D85-B835-4F23-8AA3-7C9930650B4D} => Key deleted successfully.
HKCR\CLSID\{38527D85-B835-4F23-8AA3-7C9930650B4D} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8} => Key deleted successfully.
HKCR\CLSID\{77AA745B-F4F8-45DA-9B14-61D2D95054C8} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7B3AC98A-5AE8-49F0-B8AD-6F4A47FE4D0C} => Key deleted successfully.
HKCR\CLSID\{7B3AC98A-5AE8-49F0-B8AD-6F4A47FE4D0C} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key deleted successfully.
HKCR\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A486DC73-64E3-4F6D-AA16-10B8C2252628} => Key deleted successfully.
HKCR\CLSID\{A486DC73-64E3-4F6D-AA16-10B8C2252628} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} => Key deleted successfully.
HKCR\CLSID\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key deleted successfully.
HKCR\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{377e5d4d-77e5-476a-8716-7e70a9272da0} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{377e5d4d-77e5-476a-8716-7e70a9272da0} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{377e5d4d-77e5-476a-8716-7e70a9272da0} => Value deleted successfully.
HKCR\Wow6432Node\CLSID\{377e5d4d-77e5-476a-8716-7e70a9272da0} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} => Value deleted successfully.
HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key not found.
C:\Windows\Tasks\Digital Sites.job => Moved successfully.
 
==== End of Fixlog ====
 
What next?

It looks like I can run the mbar program now.
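The FRST.txt posted above and the fixlist CatByte built from it reflect one consistent triage rule set: BHO, Toolbar and URLSearchHook entries that end in "No File", the task FRST itself tagged "<==== ATTENTION", and IE search scopes whose URL is empty or points at a search-hijack host, each copied verbatim from the log into a start/end fixlist. As an added example (not part of this thread, and not FRST's own code), the Python below applies those rules to a handful of sample lines constructed in the formats seen in the posted FRST.txt and Addition.txt. The search-engine allowlist, the user-profile heuristic for scheduled-task targets, and the sample lines are all assumptions made for this example; a drafted fixlist is a review aid, not something to run without reading it.

```python
"""Triage FRST-style log lines the way the staff fixlist in this thread does.

Added example, not FRST's own code. The allowlist, the user-profile
heuristic and the sample lines below are assumptions for this example.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts that are normal Internet Explorer search defaults.
# A SearchScopes URL on any other host is reported for human review.
KNOWN_SEARCH_HOSTS = ("bing.com", "google.com", "yahoo.com", "duckduckgo.com")

_SEARCHSCOPE_RE = re.compile(r"^SearchScopes: .*URL =\s*(?P<url>.*)$")
_TASK_RE = re.compile(r"^Task: (?P<job>.+?) => (?P<target>.+?)(?: <==== ATTENTION)?$")
# Assumption: a scheduled task launching from a user profile deserves a look.
_USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# Constructed sample in the line formats FRST writes (values modelled on the
# FRST.txt and Addition.txt posted in this thread).
SAMPLE_FRST_LINES = r"""
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = 
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: No Name - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -  No File
BHO-x32: DefaultTab Browser Helper - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Daugs\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\Digital Sites.job => C:\Users\Daugs\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
C:\Windows\System32\winlogon.exe => MD5 is legit
"""


def classify_line(line: str) -> list[str]:
    """Return the reasons one FRST line deserves attention (empty list = nothing found)."""
    reasons: list[str] = []
    text = line.rstrip()

    # FRST already judged this entry; keep its verdict first.
    if "<==== ATTENTION" in text:
        reasons.append("flagged by FRST")

    # BHO / Toolbar / URLSearchHook entries whose file is gone are orphans:
    # the registry still references them, so they are cleaned, not kept.
    if text.endswith("No File"):
        reasons.append("orphaned entry (No File)")

    # Search scopes: empty URL or a host outside the allowlist is a hijack candidate.
    m = _SEARCHSCOPE_RE.match(text)
    if m:
        url = m.group("url").strip()
        if not url:
            reasons.append("empty search scope URL")
        else:
            host = (urlparse(url).hostname or "").lower()
            if not any(host == d or host.endswith("." + d) for d in KNOWN_SEARCH_HOSTS):
                reasons.append(f"search scope points at {host}")

    # Scheduled tasks whose target sits under a user's AppData (heuristic).
    m = _TASK_RE.match(text)
    if m and _USER_PROFILE_RE.search(m.group("target")):
        reasons.append("task target lives in a user profile")

    return reasons


def triage(frst_text: str) -> list[tuple[str, list[str]]]:
    """Run classify_line over a whole log; keep only lines that got a reason."""
    findings = []
    for line in frst_text.splitlines():
        reasons = classify_line(line)
        if reasons:
            findings.append((line.rstrip(), reasons))
    return findings


def build_fixlist(frst_text: str) -> str:
    """Draft a fixlist in the start/end form the thread's Fixlog shows.

    Lines are copied verbatim from the log, as FRST expects. A human still
    reviews every line before the Fix button is pressed.
    """
    body = "\n".join(line for line, _ in triage(frst_text))
    return f"start\n{body}\nend\n"


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_FRST_LINES):
        print(f"{'; '.join(reasons):45s} | {line[:72]}")
    print()
    print(build_fixlist(SAMPLE_FRST_LINES))
```

On the sample, the two Java and Google entries and the "MD5 is legit" line come through clean, while the six entries that the thread's fixlist also targeted (the mysearchdial default scope, the empty scope, the three orphaned BHO/Toolbar entries and the Digital Sites task) are listed with their reason. Note that the user-profile heuristic would also fire on the per-user GoogleUpdate tasks in the real log, which is exactly why its output is a review prompt rather than an automatic removal.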

  • Staff

What error are you getting?

Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    You can get help on disabling your protection programs here

  • Double-click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:

    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Hello CatByte,

I have decided to reformat the hard drive and install a new operating system. I really appreciate all of your help on this. I was running the ComboFix software, but my system just kept shutting down before I had time to run it. So I got frustrated, and I am in the process of pulling all of the data off of the drive that I want so I can reformat and clear the drive completely. This experience has taught me to keep a better eye on my machines so I don't have to do this again.

Thank You,

Paul


This topic is now closed to further replies.