Jump to content

Computer is Already Infected - Suspected Boot File Issue


pcdaugs
 Share

Recommended Posts

Hello All,

 

I have gotten an infected machine and I haven't been able to turn it on without turning off immediately after the tries to boot Windows 7. The only way I have been able to get at my hard drive is by pulling it out of the computer and using it like an external drive on my laptop. I am wondering how you would start cleaning this hard drive for use again. I am not sure how to figure out if the boot file is the issue so I would greatly appreciate some help.

 

Thanks,

 

Paul

Link to post
Share on other sites

  • Staff

Hello and welcome to Malwarebytes,

 

Please try the following:

 

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

 

Plug the flashdrive into the infected PC.

 

Enter System Recovery Options.

 

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
  • To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.
    On the System Recovery Options menu you will get the following options:

    Startup Repair

    System Restore

    Windows Complete PC Restore

    Windows Memory Diagnostic Tool

    Command Prompt

    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64)  and press Enter

      Note: Replace letter e with the drive letter of your flash drive.

    • The tool will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Place a check next to List Drivers MD5 as well as the default check marks that are already there
    • Press Scan button.
    • type exit and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.
Link to post
Share on other sites

Hello CatByte,

 

Thanks for your help with getting my computer cleaned up and I do still need help with it. However I was able to get it to start before you posted the information early. I removed the hard drive and put it into a hard drive enclosure and scanned it with Malwarebyte Pro from my laptop. It clean off 34 object and then I was able to install it back in the desktop and it will now boot to the main user page. Now I am having trouble with getting it to stay on as it will shut down after logging into my main user account. I have downloaded the DDS file from the sticky post to the this forum and I plan to run that and post the log for further help. Probably won’t be able to complete this until Wednesday night. Thank you for checking in and sorry for my delayed response.

 

Best Regards,

 

pcdaugs

Link to post
Share on other sites

  • Staff

ok,

then let's run FRST in normal mode, as well, I'd like to get a diagnostic scan with MBAR

Please download the Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ (for 32bit systems)

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ (for 64bit systems)

Note: Wait for the direct download to begin, do not click on anything else on the page.

save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it.

When the tool opens click Yes to disclaimer.

Press the Scan button.

It will make a log (FRST.txt) in the same directory the tool is run.

Please attach that log to your reply.

The first time the tool is run, it makes a second log (Addition.txt).

Please attach that to your reply as well

STEP2:

Please download Malwarebytes Anti-Rootkit (MBAR) from here:

http://www.malwarebytes.org/products/mbar/ and save it to your desktop.

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the

contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.

2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, do NOT press the Cleanup button when the scan completes. Click EXIT.

Before performing any removals, I'd like to see the log first so I can see what it will be targeting. You'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.

Link to post
Share on other sites

I got the FRST run and but mbar is not running. I am going to still work at getting it run though. Here is the LOG file from FRST

 

 
FRST.txt
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-03-2014 02
Ran by Daugs (administrator) on DAUGS-PC on 05-03-2014 21:00:40
Running from C:\Windows\System32\config\systemprofile\Desktop
Windows 7 Professional Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal
 
The only official download link for FRST:
Download link for 32-Bit version:
Download link for 64-Bit Version:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
 
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xD7F990A695ADCD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
URLSearchHook: HKCU - (No Name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - No File
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzutC0CyC0FyCyDyEzzzzzzyC0A0ByEyDzztN0D0Tzu0CyBtAyCtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=901251890&ir=
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzutC0CyC0FyCyDyEzzzzzzyC0A0ByEyDzztN0D0Tzu0CyBtAyCtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=901251890&ir=
SearchScopes: HKCU - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzutC0CyC0FyCyDyEzzzzzzyC0A0ByEyDzztN0D0Tzu0CyBtAyCtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=901251890&ir=
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = 
SearchScopes: HKCU - {38527D85-B835-4F23-8AA3-7C9930650B4D} URL = http://www.mysearchresults.com/search?c=2355&t=01&q={searchTerms}
SearchScopes: HKCU - {7B3AC98A-5AE8-49F0-B8AD-6F4A47FE4D0C} URL = http://search.conduit.com/Results.aspx?ctid=CT3300019&SearchSource=45&UM=2&q={searchTerms}
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzutC0CyC0FyCyDyEzzzzzzyC0A0ByEyDzztN0D0Tzu0CyBtAyCtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=901251890&ir=
SearchScopes: HKCU - {A486DC73-64E3-4F6D-AA16-10B8C2252628} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=4CA0B5AA-5F8B-484C-8B29-BD26BA1D8965&apn_sauid=A696E9E0-07FB-4E23-B6B8-4BCBE5246CAF
BHO: No Name - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -  No File
BHO: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Skype add-on for Internet Explorer - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll No File
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: No Name - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -  No File
BHO-x32: Search-Results Toolbar - {377e5d4d-77e5-476a-8716-7e70a9272da0} - C:\PROGRA~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll No File
BHO-x32: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: DefaultTab Browser Helper - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Daugs\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll No File
BHO-x32: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - Search-Results Toolbar - {377e5d4d-77e5-476a-8716-7e70a9272da0} - C:\PROGRA~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-02-10 15:37
 
==================== End Of Log ============================
 
 
Addition.txt
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-03-2014 02
Ran by Daugs at 2014-03-05 21:02:47
Running from C:\Windows\System32\config\systemprofile\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: BullGuard Antivirus (Enabled - Out of date) {C3CCAC61-52F7-A056-1860-6406566E2578}
AS: BullGuard Antispyware (Enabled - Out of date) {78AD4D85-74CD-AFD8-22D0-5F742DE96FC5}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: BullGuard Firewall (Enabled) {FBF72D44-1898-A10E-333F-CD33A8BD6203}
 
==================== Installed Programs ======================
 
 
==================== Restore Points  =========================
 
 
==================== Hosts content: ==========================
 
2009-07-13 20:34 - 2009-06-10 15:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\Digital Sites.job => C:\Users\Daugs\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1587915867-4008423288-1005279028-1001Core.job => C:\Users\Daugs\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1587915867-4008423288-1005279028-1001UA.job => C:\Users\Daugs\AppData\Local\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
 
==================== Alternate Data Streams (whitelisted) =========
 
 
==================== Safe Mode (whitelisted) ===================
 
 
==================== Disabled items from MSCONFIG ==============
 
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: AdobeCS4ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
MSCONFIG\startupreg: SearchProtect => C:\Users\Administrator\AppData\Roaming\SearchProtect\bin\cltmng.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/05/2014 09:01:06 PM) (Source: Application Error) (User: )
Description: Faulting application name: wmpnetwk.exe, version: 12.0.7601.17514, time stamp: 0x4ce7ae7f
Faulting module name: SHELL32.dll, version: 6.1.7601.18222, time stamp: 0x51f1ddfa
Exception code: 0xc0000005
Fault offset: 0x0000000000097c3e
Faulting process id: 0x109c
Faulting application start time: 0xwmpnetwk.exe0
Faulting application path: wmpnetwk.exe1
Faulting module path: wmpnetwk.exe2
Report Id: wmpnetwk.exe3
 
Error: (03/05/2014 09:00:23 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe_nsi, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: IPHLPAPI.DLL, version: 6.1.7601.17514, time stamp: 0x4ce7c6da
Exception code: 0xc0000005
Fault offset: 0x0000000000003abc
Faulting process id: 0x3c4
Faulting application start time: 0xsvchost.exe_nsi0
Faulting application path: svchost.exe_nsi1
Faulting module path: svchost.exe_nsi2
Report Id: svchost.exe_nsi3
 
Error: (03/05/2014 09:00:18 PM) (Source: Application Error) (User: )
Description: Faulting application name: RarExtLoader.exe, version: 3.93.0.0, time stamp: 0x4b9dd387
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000005
Fault offset: 0x0003867c
Faulting process id: 0x1598
Faulting application start time: 0xRarExtLoader.exe0
Faulting application path: RarExtLoader.exe1
Faulting module path: RarExtLoader.exe2
Report Id: RarExtLoader.exe3
 
Error: (03/05/2014 08:57:12 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe_gpsvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: gpsvc.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c66a
Exception code: 0xc0000005
Fault offset: 0x000000000001873e
Faulting process id: 0x3dc
Faulting application start time: 0xsvchost.exe_gpsvc0
Faulting application path: svchost.exe_gpsvc1
Faulting module path: svchost.exe_gpsvc2
Report Id: svchost.exe_gpsvc3
 
Error: (03/05/2014 08:24:58 PM) (Source: Application Error) (User: )
Description: Faulting application name: spoolsv.exe, version: 6.1.7601.17777, time stamp: 0x4f35fc1d
Faulting module name: DEVOBJ.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdee1
Exception code: 0xc0000005
Fault offset: 0x0000000000002bfe
Faulting process id: 0x500
Faulting application start time: 0xspoolsv.exe0
Faulting application path: spoolsv.exe1
Faulting module path: spoolsv.exe2
Report Id: spoolsv.exe3
 
Error: (02/27/2014 09:31:57 PM) (Source: Application Error) (User: )
Description: Faulting application name: Dropbox.exe, version: 2.4.11.0, time stamp: 0x527d91e4
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000005
Fault offset: 0x0005b6ac
Faulting process id: 0x994
Faulting application start time: 0xDropbox.exe0
Faulting application path: Dropbox.exe1
Faulting module path: Dropbox.exe2
Report Id: Dropbox.exe3
 
Error: (02/21/2014 11:07:23 AM) (Source: Application Error) (User: )
Description: Faulting application name: AUDIODG.EXE, version: 6.1.7601.17514, time stamp: 0x4ce7abf9
Faulting module name: MMDevAPI.DLL, version: 6.1.7600.16385, time stamp: 0x4a5bdf68
Exception code: 0xc0000005
Fault offset: 0x00000000000069be
Faulting process id: 0x23c
Faulting application start time: 0xAUDIODG.EXE0
Faulting application path: AUDIODG.EXE1
Faulting module path: AUDIODG.EXE2
Report Id: AUDIODG.EXE3
 
Error: (02/20/2014 09:52:59 PM) (Source: Application Error) (User: )
Description: Faulting application name: rundll32.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc637
Faulting module name: RPCRT4.dll, version: 6.1.7601.18205, time stamp: 0x51db9710
Exception code: 0xc0000005
Fault offset: 0x00020d80
Faulting process id: 0xe8c
Faulting application start time: 0xrundll32.exe0
Faulting application path: rundll32.exe1
Faulting module path: rundll32.exe2
Report Id: rundll32.exe3
 
Error: (02/20/2014 09:36:41 PM) (Source: Application Error) (User: )
Description: Faulting application name: CopyAgent.exe, version: 1.42.277.0, time stamp: 0x52f14e97
Faulting module name: CopyAgent.exe, version: 1.42.277.0, time stamp: 0x52f14e97
Exception code: 0xc0000005
Fault offset: 0x00000000001137c2
Faulting process id: 0x1124
Faulting application start time: 0xCopyAgent.exe0
Faulting application path: CopyAgent.exe1
Faulting module path: CopyAgent.exe2
Report Id: CopyAgent.exe3
 
Error: (02/20/2014 09:36:25 PM) (Source: Application Error) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: DUI70.dll, version: 6.1.7600.16385, time stamp: 0x4a5bdf25
Exception code: 0xc0000005
Fault offset: 0x0000000000013d3c
Faulting process id: 0xb98
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3
 
 
System errors:
=============
Error: (03/05/2014 09:02:36 PM) (Source: Service Control Manager) (User: )
Description: The Windows Update service hung on starting.
 
Error: (03/05/2014 09:02:27 PM) (Source: Service Control Manager) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Network Store Interface Service service, but this action failed with the following error: 
%%1056
 
Error: (03/05/2014 09:01:14 PM) (Source: Service Control Manager) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The WinHTTP Web Proxy Auto-Discovery Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The Diagnostic Service Host service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The Network Store Interface Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 100 milliseconds: Restart the service.
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The Windows Font Cache Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The Function Discovery Provider Host service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (03/05/2014 09:00:27 PM) (Source: Service Control Manager) (User: )
Description: The COM+ Event System service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 1000 milliseconds: Restart the service.
 
 
Microsoft Office Sessions:
=========================
Error: (12/04/2013 11:22:46 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 89 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (01/09/2013 03:27:17 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 212124 seconds with 120 seconds of active time.  This session ended with a crash.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 13%
Total physical RAM: 16381.55 MB
Available physical RAM: 14089.72 MB
Total Pagefile: 32761.29 MB
Available Pagefile: 30445.58 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:931.41 GB) (Free:273.63 GB) NTFS
Drive f: () (Removable) (Total:1.91 GB) (Free:1.9 GB) FAT
 
==================== End Of Log ============================
 
Thanks for the help!
 
pcdaugs
Link to post
Share on other sites

  • Staff

There are lots of issues with this machine, but let's see what we can do.

Please run the following:

Download attached fixlist.txt file and save it to the Desktop.

FixList.txt

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Link to post
Share on other sites

Here is the FixLog.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-03-2014 02
Ran by Daugs at 2014-03-05 21:27:48 Run:1
Running from C:\Users\Daugs\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearc...r=901251890&ir=
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearc...r=901251890&ir=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearc...r=901251890&ir=
URLSearchHook: HKCU - (No Name) - {00000000-6E41-4FD3-8538-502F5495E5FC} - No File
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search.as...pn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search.as...pn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search.as...pn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search.as...pn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKCU - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://start.mysearc...ults.php?f=4&q={searchTerms}&a=dsites0101&cd=2XzuyEtN2Y1L1QzutC0CyC0FyCyDyEzzzzzzyC0A0ByEyDzztN0D0Tzu0CyBtAyCtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=901251890&ir=
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = 
SearchScopes: HKCU - {38527D85-B835-4F23-8AA3-7C9930650B4D} URL = http://www.mysearchr...?c=2355&t=01&q={searchTerms}
SearchScopes: HKCU - {77AA745B-F4F8-45DA-9B14-61D2D95054C8} URL = http://dts.search.as...pn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKCU - {7B3AC98A-5AE8-49F0-B8AD-6F4A47FE4D0C} URL = http://search.condui...urce=45&UM=2&q={searchTerms}
BHO: No Name - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -  No File
BHO: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
BHO-x32: No Name - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -  No File
BHO-x32: Search-Results Toolbar - {377e5d4d-77e5-476a-8716-7e70a9272da0} - C:\PROGRA~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll No File
BHO-x32: No Name - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -  No File
BHO-x32: DefaultTab Browser Helper - {7F6AFBF1-E065-4627-A2FD-810366367D01} - C:\Users\Daugs\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll No File
Toolbar: HKLM-x32 - Search-Results Toolbar - {377e5d4d-77e5-476a-8716-7e70a9272da0} - C:\PROGRA~2\SEARCH~1\Datamngr\SRTOOL~1\searchresultsDx.dll No File
Toolbar: HKCU - No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} -  No File
Task: C:\Windows\Tasks\Digital Sites.job => C:\Users\Daugs\AppData\Roaming\DIGITA~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
end
 
 
*****************
 
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{00000000-6E41-4FD3-8538-502F5495E5FC} => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8} => Key deleted successfully.
HKCR\CLSID\{77AA745B-F4F8-45DA-9B14-61D2D95054C8} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key deleted successfully.
HKCR\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key not found.
HKCR\Wow6432Node\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} => Key deleted successfully.
HKCR\CLSID\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{38527D85-B835-4F23-8AA3-7C9930650B4D} => Key deleted successfully.
HKCR\CLSID\{38527D85-B835-4F23-8AA3-7C9930650B4D} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8} => Key deleted successfully.
HKCR\CLSID\{77AA745B-F4F8-45DA-9B14-61D2D95054C8} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{7B3AC98A-5AE8-49F0-B8AD-6F4A47FE4D0C} => Key deleted successfully.
HKCR\CLSID\{7B3AC98A-5AE8-49F0-B8AD-6F4A47FE4D0C} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key deleted successfully.
HKCR\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A486DC73-64E3-4F6D-AA16-10B8C2252628} => Key deleted successfully.
HKCR\CLSID\{A486DC73-64E3-4F6D-AA16-10B8C2252628} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} => Key deleted successfully.
HKCR\CLSID\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key deleted successfully.
HKCR\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{377e5d4d-77e5-476a-8716-7e70a9272da0} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{377e5d4d-77e5-476a-8716-7e70a9272da0} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{377e5d4d-77e5-476a-8716-7e70a9272da0} => Value deleted successfully.
HKCR\Wow6432Node\CLSID\{377e5d4d-77e5-476a-8716-7e70a9272da0} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} => Value deleted successfully.
HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key not found.
C:\Windows\Tasks\Digital Sites.job => Moved successfully.
 
==== End of Fixlog ====
 
What next?
 
I can run the mbar program now it looks like.
Link to post
Share on other sites

  • Staff

what error are you getting?

Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    You can get help on disabling your protection programs here

  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:

    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
Link to post
Share on other sites

Hello CatByte,

 

I have decided to reformat the hard drive and install a new operating system. I really appreciate all of you help on this I was running the ComboFix software but my system just kept shutting down before I had time to run it. So I got frustrated and I am in the process of pulling all of the data off of the drive that I want so I can reformat and clear the drive completely. This experience has taught me to keep a better eye on my machines so I don't have to do this again.

 

Thank You,

 

Paul

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.