
Programs only run in Safe Mode


Guest McGolff

When running in normal boot mode, the hourglass spins but programs never launch. Everything takes minutes to process, but nothing happens.

I brought up the Task Manager, but it doesn't look normal and doesn't show any applications running (not even Task Manager), and the processes all show 1 or 2 CPU.

Some icons are not showing up on the bottom launch tray (like internet bars, battery, etc.).

I ran Malwarebytes 1.x first and it found one serious virus, Trojan.RotBrowser, and removed it. It also removed a load of PUPs.

Ran TDSSKiller and it didn't find anything.

Ran Malwarebytes again and it found 1 PUP (Conduit) and removed it.

Still did not work

Ran AVG, and it looks like it removed the Malwarebytes Clean.dll (so I uninstalled MBAM and reinstalled MBAM 2.0).

Found a file on C: called logFileUI that looks like it has something to do with Conduit (attached below).

Started looking for help.

Ran MBAM 2.0 (3 minor items only; log attached below).

Ran Farbar and attached logs below:

 

 

FRST_14-06-2014_13-32-08.txt

Addition.txt

mbam-log-2014-06-14 (12-10-54).xml

protection-log-2014-06-14.xml

logFileUI.txt

mbam-log-2014-06-13 (21-47-11).txt

mbam-log-2014-06-13 (23-29-05).txt

mbam-log-2014-06-14 (00-08-26).txt

TDSSKiller.3.0.0.39_13.06.2014_23.05.05_log.txt


Hello and welcome.

Please read the following and post back the logs when ready and we'll see about getting you cleaned up.

General P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.
  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable... It is unlikely, but things can go very wrong! Please make sure you back up all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive.
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit.
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to clean up all the tools and logs.
  • Please stick with me until I give you the "all clear" and please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days.
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder.)


 
STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.
 


Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer; you will need to run the application again.

STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.
  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.

  • Make sure that at least the first two check boxes are selected.
  • Click on OK.
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe


STEP 02
Please run a Threat Scan with MBAM.  If you're unable to run or complete the scan as shown below please see the following:  MBAM Clean Removal Process 2x
When reinstalling the program please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.
 
 
STEP 03
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.


Thank you
 

Guest McGolff

Downloaded both rkill and iexplore.

I was able to get rkill to come up with the prompt to Run As Administrator, but nothing happened from that point forward.

was not able to get iexplore to even come up with the prompt.

 

Rebooted and tried both programs multiple times without getting them to actually run. Only got the Run as Administrator prompt the one time.

 

Just to test, I rebooted in Safe Mode and was able to easily run Rkill, so I can see what it is supposed to do, but in Safe Mode it didn't find anything wrong.

Guest McGolff

Was able to get the Run As Administrator prompt for RogueKiller and click on it; however, after two and a half hours it had not finished and the system went into hibernate mode. I thought that I'd set it to Never Hibernate while I had it up in Safe Mode, so I'm not sure if I missed something there.

There was one output during the time it was running, a pop-up box showing:

Revocation information for the security certificate for this site is not available. Do you want to proceed?

(Yes/No/View Certificate)

(Antivirus had been completely shut off before trying to run RogueKiller)

 

I pressed Yes.

During the whole time it was running (after getting the Run As Admin option) the toolbar clock did not advance, so I don't think that I'm getting any CPU cycles to actually run the program.

I'm assuming that if it had run properly the output log would have shown up on the desktop?

 

 

 


Please restart the computer and try tapping the F8 key as the computer starts. Then you can try running the programs again from there.

 

Thanks

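Catching the F8 window on a laptop whose normal boot is already hanging is hit-or-miss. As an added example, not something posted in this thread, the commands below set the Safe Mode flag in the Boot Configuration Data so the next boot goes straight into Safe Mode with Networking (the mode the RogueKiller scan later ran in), and then clear it again. They assume an elevated PowerShell or Command Prompt on Windows Vista or later and that {current} is the boot entry for the installation being repaired; {current} is the identifier bcdedit uses for the running OS.

```powershell
# Added example (not from this thread): force the next boot into Safe Mode
# without relying on F8 timing, then undo it. Run from an elevated prompt.
# Assumption: a BCD boot store (Vista+) and {current} = the OS being repaired.

# Show the current entry. A 'safeboot' line here means Safe Mode is already forced.
bcdedit /enum "{current}"

# Force Safe Mode with Networking on the next boot.
# Use 'minimal' instead of 'network' for plain Safe Mode.
bcdedit /set "{current}" safeboot network

# Reboot, do the work, then remove the flag. Until it is removed every boot,
# including the ones after cleanup, stays in Safe Mode.
bcdedit /deletevalue "{current}" safeboot
```

The msconfig Boot tab's "Safe boot" checkbox sets the same value. Because the flag persists until deleted, remove it from within Safe Mode before attempting a normal boot; a machine left with it set will appear to be "stuck" in Safe Mode.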
Guest McGolff

This is a Gateway laptop running Windows7, so F8 may not be the right key.  What screen are you wanting me to get to?

I tried tapping F8 through the boot process and didn't get any separate screen.

 

(Was able to get RogueKiller to try to run again in Administrator mode today. It ran for 6 hours without completing or creating any file that I could find.)

Guest McGolff

OK, I was able to get to the Advanced Boot Options menu:

which option do you want me to select?

  1. Safe mode
  2. Safe mode with Networking
  3. Safe mode with command prompt
  4. Enable Boot Logging
  5. Enable low-resolution video
  6. Last known good configuration
  7. Directory Services Restore Mode
  8. Debugging Mode
  9. Disable Auto restart on system failure
  10. Disable Drive Signature Enforcement
  11. Start Windows Normally

Guest McGolff

Ran RogueKiller in Safe Mode with Networking with the following results:

RogueKiller V9.2.3.0 (x64) [Jul 11 2014] by Adlice Software

mail : http://www.adlice.com/contact/

Feedback : http://forum.adlice.com

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Safe mode with network support

User : MamaMac [Admin rights]

Mode : Scan -- Date : 07/24/2014 22:05:14

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤

[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-1227411736-1427263262-1273520369-1001\Software\Microsoft\Windows\CurrentVersion\Run | AVG-Secure-Search-Update_1113a : C:\Users\MamaMac\AppData\Roaming\AVG 1113a Campaign\AVG-Secure-Search-Update-1113a.exe /PROMPT /mid=beffb09ecf3947d081640d47e746db67-5aacfd7fc5db60ba8536f8c0d03453ae72e4b8b8 /CMPID=1113a -> FOUND

[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-1227411736-1427263262-1273520369-1001\Software\Microsoft\Windows\CurrentVersion\Run | AVG-Secure-Search-Update_1113a : C:\Users\MamaMac\AppData\Roaming\AVG 1113a Campaign\AVG-Secure-Search-Update-1113a.exe /PROMPT /mid=beffb09ecf3947d081640d47e746db67-5aacfd7fc5db60ba8536f8c0d03453ae72e4b8b8 /CMPID=1113a -> FOUND

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WiFiPasswordService -> FOUND

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WiFiPasswordService -> FOUND

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\WiFiPasswordService -> FOUND

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND

[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND

[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤

[Suspicious.Path] AVG-Secure-Search-Update_JUNE2013_HP_rmv.job -- C:\Windows\TEMP\{5394D87E-200D-4288-895C-512250791FE4}.exe (--uninstall=1) -> FOUND

[Suspicious.Path] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job -- C:\Windows\TEMP\{239D8E12-7D78-4898-83D1-A3AC90DB23AC}.exe (--uninstall=1) -> FOUND

¤¤¤ Files : 1 ¤¤¤

[Suspicious.Path][File] Best Buy pc app.lnk -- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk [LNK@] C:\PROGRA~3\BESTBU~1\CLICKO~1.EXE "C:\ProgramData\Best Buy pc app\Best Buy pc app.application" -> FOUND

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MQ01ABD050 +++++

--- User ---

[MBR] bb9cd2f9de94783672d1b4b1ed56544c

[BSP] f4a9a77b4fb66d756e5b340f4ce33687 : Windows Vista/7/8 MBR Code

Partition table:

0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 13312 MB

1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 27265024 | Size: 100 MB

2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 27469824 | Size: 463526 MB

User = LL1 ... OK

User = LL2 ... OK

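The RogueKiller report above is essentially a walk through the standard Windows autostart locations: per-user and WOW6432Node Run keys, the Services key (where WiFiPasswordService pointed at an executable under AppData\Local\Temp), legacy .job files in C:\Windows\Tasks, and the Startup folders (including the Default profile). The script below does the same walk so that a responder can repeat it, or run it on another machine, without the tool. It is an added example written for this thread, not code from RogueKiller, Malwarebytes or the original poster. Assumptions: Windows 7 or later with PowerShell 2.0+, run from an elevated prompt (reading HKLM\SYSTEM service keys and the Tasks folder needs it), and the list of "suspicious" path fragments is my own heuristic, not a vendor rule; anything it flags is a prompt to look, not a verdict.

```powershell
# Added example for this thread, not RogueKiller's or Malwarebytes' code.
# Enumerates the autostart locations RogueKiller reported on (Run keys, services,
# legacy .job tasks, Startup folders, AppInit_DLLs) and flags entries whose
# executable lives in a temp or per-user folder, as WiFiPasswordService and the
# AVG-Secure-Search-Update entries in the log did.
# Assumptions: Windows 7+, PowerShell 2.0+, elevated prompt. The path fragments
# in $SuspiciousRoots are the author's heuristic, not a vendor list.

$SuspiciousRoots = @('\AppData\Local\Temp\', '\AppData\Roaming\',
                     '\Windows\Temp\', '\ProgramData\', '\Users\Public\')

function Test-SuspiciousPath {
    param([string]$Command)
    if ([string]::IsNullOrEmpty($Command)) { return $false }
    foreach ($root in $SuspiciousRoots) {
        if ($Command -like "*$root*") { return $true }
    }
    return $false
}

function New-Finding($Type, $Name, $Location, $Command) {
    New-Object PSObject -Property @{
        Type = $Type; Name = $Name; Location = $Location
        Command = [string]$Command; Suspicious = (Test-SuspiciousPath $Command)
    }
}

$findings = @()

# 1. Run keys: HKLM native and WOW6432Node views, plus every loaded user hive.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $runKeys += "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
        $runKeys += "HKU:\$($_.PSChildName)\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
    }
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's PSPath etc. metadata
        $findings += New-Finding 'Run' $p.Name $key $p.Value
    }
}

# 2. Services: an ImagePath under a user profile or Temp is not how installers behave.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img) { $findings += New-Finding 'Service' $_.PSChildName $_.PSPath $img }
}

# 3. Legacy scheduled tasks (.job files). The .job format is binary, so the
#    command line is taken from schtasks' verbose listing instead of parsed here.
Get-ChildItem "$env:windir\Tasks" -Filter *.job -ErrorAction SilentlyContinue | ForEach-Object {
    $line = schtasks /query /tn $_.BaseName /fo LIST /v 2>$null |
            Where-Object { $_ -like 'Task To Run:*' } | Select-Object -First 1
    $cmd = if ($line) { $line -replace '^Task To Run:\s*', '' } else { '' }
    $findings += New-Finding 'Task' $_.Name $_.FullName $cmd
}

# 4. Startup folders of every profile, including Default (copied into new accounts).
Get-ChildItem "$env:SystemDrive\Users" | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $startup = Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    Get-ChildItem $startup -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {   # resolve the shortcut to what actually runs
            $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
        }
        $findings += New-Finding 'Startup' $_.Name $_.FullName $target
    }
}

# 5. AppInit_DLLs: with LoadAppInit_DLLs=1, every DLL listed is loaded into each
#    process that loads user32.dll, so a non-empty value always deserves a look.
foreach ($key in @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')) {
    $w = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($w -and $w.LoadAppInit_DLLs -eq 1 -and $w.AppInit_DLLs) {
        $f = New-Finding 'AppInit' 'AppInit_DLLs' $key $w.AppInit_DLLs
        $f.Suspicious = $true
        $findings += $f
    }
}

$findings | Sort-Object Suspicious -Descending |
    Format-Table Type, Suspicious, Name, Command -AutoSize -Wrap
```

Run it from Safe Mode with Networking, as the RogueKiller scan was, so that a hung normal-mode session does not starve it. Entries with Suspicious = True are sorted to the top; compare each against the log above. Note that \ProgramData\ is in the heuristic list only because per-machine ClickOnce launchers like the Best Buy app live there, so expect legitimate hits in that category.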

Please try to run the following from Safe Mode

 

 

 

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 

Guest McGolff

ComboFix 14-07-25.01 - MamaMac 07/25/2014 10:16:02.1.4 - x64 NETWORK

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3948.2906 [GMT -4:00]

Running from: c:\users\MamaMac\Desktop\ComboFix.exe

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

ADS - Windows: deleted 12 bytes in 1 streams.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\MamaMac\AppData\Roaming\fastinternet.exe

c:\users\MamaMac\Documents\~WRL1123.tmp

c:\users\MamaMac\Documents\~WRL1739.tmp

c:\users\MamaMac\Documents\~WRL3282.tmp

c:\windows\SysWow64\html

c:\windows\SysWow64\images

c:\windows\wininit.ini

.

.

((((((((((((((((((((((((( Files Created from 2014-06-25 to 2014-07-25 )))))))))))))))))))))))))))))))

.

.

2014-07-25 14:21 . 2014-07-25 14:21 -------- d-----w- c:\users\Default\AppData\Local\temp

2014-07-25 14:15 . 2014-07-25 14:15 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B1E69781-38A7-4628-A89E-A77BE23193EC}\offreg.dll

2014-07-25 01:59 . 2014-07-25 01:59 30312 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2014-07-25 01:59 . 2014-07-25 01:59 -------- d-----w- c:\programdata\RogueKiller

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2014-06-21 18:00 . 2014-06-14 16:10 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys

2014-06-12 22:57 . 2013-06-02 19:56 95414520 ----a-w- c:\windows\system32\MRT.exe

2014-06-08 09:13 . 2014-06-11 22:02 506368 ----a-w- c:\windows\system32\aepdu.dll

2014-06-08 09:08 . 2014-06-11 22:02 424448 ----a-w- c:\windows\system32\aeinv.dll

2014-05-30 10:21 . 2014-06-11 22:03 23414784 ----a-w- c:\windows\system32\mshtml.dll

2014-05-30 10:02 . 2014-06-11 22:03 2724864 ----a-w- c:\windows\system32\mshtml.tlb

2014-05-30 10:02 . 2014-06-11 22:03 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll

2014-05-30 09:45 . 2014-06-11 22:03 2768384 ----a-w- c:\windows\system32\iertutil.dll

2014-05-30 09:39 . 2014-06-11 22:03 548352 ----a-w- c:\windows\system32\vbscript.dll

2014-05-30 09:39 . 2014-06-11 22:03 66048 ----a-w- c:\windows\system32\iesetup.dll

2014-05-30 09:38 . 2014-06-11 22:03 48640 ----a-w- c:\windows\system32\ieetwproxystub.dll

2014-05-30 09:28 . 2014-06-11 22:03 51200 ----a-w- c:\windows\system32\jsproxy.dll

2014-05-30 09:27 . 2014-06-11 22:03 33792 ----a-w- c:\windows\system32\iernonce.dll

2014-05-30 09:24 . 2014-06-11 22:03 574976 ----a-w- c:\windows\system32\ieui.dll

2014-05-30 09:21 . 2014-06-11 22:03 139264 ----a-w- c:\windows\system32\ieUnatt.exe

2014-05-30 09:21 . 2014-06-11 22:03 111616 ----a-w- c:\windows\system32\ieetwcollector.exe

2014-05-30 09:20 . 2014-06-11 22:03 752640 ----a-w- c:\windows\system32\jscript9diag.dll

2014-05-30 09:11 . 2014-06-11 22:03 940032 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe

2014-05-30 09:08 . 2014-06-11 22:03 5782528 ----a-w- c:\windows\system32\jscript9.dll

2014-05-30 09:06 . 2014-06-11 22:03 452096 ----a-w- c:\windows\system32\dxtmsft.dll

2014-05-30 09:02 . 2014-06-11 22:03 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb

2014-05-30 08:55 . 2014-06-11 22:03 38400 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll

2014-05-30 08:49 . 2014-06-11 22:03 195584 ----a-w- c:\windows\system32\msrating.dll

2014-05-30 08:46 . 2014-06-11 22:03 85504 ----a-w- c:\windows\system32\mshtmled.dll

2014-05-30 08:44 . 2014-06-11 22:03 455168 ----a-w- c:\windows\SysWow64\vbscript.dll

2014-05-30 08:44 . 2014-06-11 22:03 295424 ----a-w- c:\windows\system32\dxtrans.dll

2014-05-30 08:43 . 2014-06-11 22:03 61952 ----a-w- c:\windows\SysWow64\iesetup.dll

2014-05-30 08:42 . 2014-06-11 22:03 51200 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll

2014-05-30 08:35 . 2014-06-11 22:03 608768 ----a-w- c:\windows\system32\ie4uinit.exe

2014-05-30 08:29 . 2014-06-11 22:03 631808 ----a-w- c:\windows\system32\msfeeds.dll

2014-05-30 08:28 . 2014-06-11 22:03 112128 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2014-05-30 08:27 . 2014-06-11 22:03 592896 ----a-w- c:\windows\SysWow64\jscript9diag.dll

2014-05-30 08:24 . 2014-06-11 22:03 1249280 ----a-w- c:\windows\system32\mshtmlmedia.dll

2014-05-30 08:23 . 2014-06-11 22:03 2040832 ----a-w- c:\windows\system32\inetcpl.cpl

2014-05-30 08:10 . 2014-06-11 22:03 32256 ----a-w- c:\windows\SysWow64\JavaScriptCollectionAgent.dll

2014-05-30 07:56 . 2014-06-11 22:03 2266112 ----a-w- c:\windows\system32\wininet.dll

2014-05-30 07:56 . 2014-06-11 22:03 4244992 ----a-w- c:\windows\SysWow64\jscript9.dll

2014-05-30 07:50 . 2014-06-11 22:03 1068032 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll

2014-05-30 07:49 . 2014-06-11 22:03 1964544 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2014-05-30 07:43 . 2014-06-11 22:03 13522944 ----a-w- c:\windows\system32\ieframe.dll

2014-05-30 07:30 . 2014-06-11 22:03 1398272 ----a-w- c:\windows\system32\urlmon.dll

2014-05-30 07:21 . 2014-06-11 22:03 1790976 ----a-w- c:\windows\SysWow64\wininet.dll

2014-05-30 07:13 . 2014-06-11 22:03 846336 ----a-w- c:\windows\system32\ieapfltr.dll

2014-05-15 01:20 . 2013-02-01 12:12 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2014-05-15 01:20 . 2011-08-18 15:35 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2014-05-12 11:26 . 2014-06-14 16:10 63704 ----a-w- c:\windows\system32\drivers\mwac.sys

2014-05-12 11:26 . 2014-06-14 16:10 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2014-05-12 11:25 . 2014-06-14 16:10 25816 ----a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]

@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"

[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]

2012-04-09 21:27 158224 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"BackupManagerTray"="c:\program files (x86)\NTI\Gateway MyBackup\BackupManagerTray.exe" [2011-03-09 290112]

"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2011-07-01 1103440]

"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]

"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-14 59720]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]

"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-08-18 2641272]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]

"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]

"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-11-02 152392]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe "c:\programdata\Best Buy pc app\Best Buy pc app.application" [2011-6-30 16032]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]

"LoadAppInit_DLLs"=1 (0x1)

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]

R2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]

R2 ePowerSvc;ePower Service;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe;c:\program files\Gateway\Gateway Power Management\ePowerSvc.exe [x]

R2 GREGService;GREGService;c:\program files (x86)\Gateway\Registration\GREGsvc.exe;c:\program files (x86)\Gateway\Registration\GREGsvc.exe [x]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]

R2 Live Updater Service;Live Updater Service;c:\program files\Gateway\Gateway Updater\UpdaterService.exe;c:\program files\Gateway\Gateway Updater\UpdaterService.exe [x]

R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]

R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]

R2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]

R2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe;c:\program files (x86)\NTI\Gateway MyBackup\IScheduleSvc.exe [x]

R2 QBVSS;QBIDPService;c:\program files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe;c:\program files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [x]

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]

R2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]

R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]

R3 bScsiSDa;bScsiSDa;c:\windows\system32\DRIVERS\bScsiSDa.sys;c:\windows\SYSNATIVE\DRIVERS\bScsiSDa.sys [x]

R3 cbfs3;EldoS Callback File System driver v3;c:\windows\system32\DRIVERS\cbfs3.sys;c:\windows\SYSNATIVE\DRIVERS\cbfs3.sys [x]

R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]

R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]

R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]

R3 TurboBoost;Intel® Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]

R3 WiFiPasswordService;WiFiPasswordService;c:\users\MamaMac\AppData\Local\Temp\WiFiPasswordService.exe;c:\users\MamaMac\AppData\Local\Temp\WiFiPasswordService.exe [x]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]

S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys;c:\windows\SYSNATIVE\drivers\avgtpx64.sys [x]

S3 b57xdbd;Broadcom xD Picture Bus Driver Service;c:\windows\system32\DRIVERS\b57xdbd.sys;c:\windows\SYSNATIVE\DRIVERS\b57xdbd.sys [x]

S3 b57xdmp;Broadcom xD Picture vstorp client drv;c:\windows\system32\DRIVERS\b57xdmp.sys;c:\windows\SYSNATIVE\DRIVERS\b57xdmp.sys [x]

S3 bScsiMSa;bScsiMSa;c:\windows\system32\DRIVERS\bScsiMSa.sys;c:\windows\SYSNATIVE\DRIVERS\bScsiMSa.sys [x]

S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]

S3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]

S3 TS_AR5416;[CommView] Atheros AR5008 Wireless Network Adapter Service 7.7;c:\windows\system32\DRIVERS\ts_athwx.sys;c:\windows\SYSNATIVE\DRIVERS\ts_athwx.sys [x]

.

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2014-06-12 22:52 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.153\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2014-07-24 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-01 01:20]

.

2014-07-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-16 23:34]

.

2014-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-16 23:34]

.

2014-06-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1227411736-1427263262-1273520369-1001Core.job

- c:\users\MamaMac\AppData\Local\Google\Update\GoogleUpdate.exe [2014-01-18 20:05]

.

2014-07-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1227411736-1427263262-1273520369-1001UA.job

- c:\users\MamaMac\AppData\Local\Google\Update\GoogleUpdate.exe [2014-01-18 20:05]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]

@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"

[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]

2012-04-09 21:27 190480 ----a-w- c:\windows\System32\CbFsMntNtf3.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-21 167704]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-21 392472]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-21 416024]

"IntelTBRunOnce"="wscript.exe" [2013-10-12 168960]

"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-03-10 11785832]

"Power Management"="c:\program files\Gateway\Gateway Power Management\ePowerTray.exe" [2011-08-02 1831016]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://search.coupons.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

Handler: intu-help-qb6 - {6898B29B-BF49-43cb-A0B1-D0B9496AF491} - c:\program files (x86)\Intuit\QuickBooks 2013\HelpAsyncPluggableProtocol.dll

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

Wow6432Node-HKCU-Run-DW7 - c:\program files (x86)\The Weather Channel\The Weather Channel App\TWCApp.exe

Wow6432Node-HKCU-Run-AVG-Secure-Search-Update_1113a - c:\users\MamaMac\AppData\Roaming\AVG 1113a Campaign\AVG-Secure-Search-Update-1113a.exe

Wow6432Node-HKLM-Run-Denzi - c:\program files (x86)\Denzi\Launcher.bat

HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start

Toolbar-Locked - (no file)

HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.13"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2014-07-25 10:24:17

ComboFix-quarantined-files.txt 2014-07-25 14:24

.

Pre-Run: 410,651,340,800 bytes free

Post-Run: 412,018,053,120 bytes free

.

- - End Of File - - F2564F86CF1588E470358938629A8801

Guest McGolff

Yes, the problem still exists.

Most of the icons are just white squares (except MalwareBytes and Adobe Reader).

There is a highlighted circle on the internet connection bars in the toolbar --- like it is trying but unable to connect to the internet.

I did a right click on Rkill, just to see if it would come up quickly... but the right-click options took 25 minutes to appear.

It is trying to Run as Administrator at the moment.


Please download the following scanner from Kaspersky and save it to your computer: TDSSKiller

Then watch the following video on how to use the tool, and make sure to temporarily disable your security applications before running TDSSKiller.

PC Winvids - How to run Kaspersky TDSSKiller

If any infection is found, please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning, make sure to re-enable your other security applications.

Guest McGolff

I will only be able to run this in Safe Mode with Networking (or any other Safe Mode). Is that acceptable, or do I need to try to get it to run in Normal mode?

Guest McGolff

Ran in Safe Mode with Networking.

It rebooted in Normal mode when I checked on Loaded Modules.

Utility came up correctly in Normal mode on restart.

Selected additional options and pressed scan.

System dropped into Blue Screen of Death and did a memory dump too fast to see what it errored out on.

Started TDSSKiller in Safe Mode again and selected Loaded Modules.

On reboot this time it stated:

Windows cannot find {06788DCD-2625-4974-8040-4EAD956B0F05}.exe

When I continued, I received a message that "Another instance of Utility is Running".

Tried pressing scan and got BSOD again.

TDSSKiller.3.0.0.40_28.07.2014_10.16.40_log.txt

TDSSKiller.3.0.0.40_28.07.2014_10.36.13_log.txt

TDSSKiller.3.0.0.40_28.07.2014_10.14.01_log.txt

Guest McGolff

Yes, I can still start up in Safe Mode with Networking and it appears to work fine.

Guest McGolff

Was not able to get the Toshiba Disk Utility to run -- it opened, showed the drive, but would not allow me to select it or run the tests. Will check for other utilities.

But, when rebooting the system, TDSSKiller launched again, and this time it ran to completion. It didn't find anything, but the log is attached.

TDSSKiller.3.0.0.40_30.07.2014_09.08.46_log.txt

Also, while in the temp Windows boot mode launched by TDSKiller, everything was running fine, so when MalwareBytes popped up a reminder to scan, I went ahead and ran that while I had the chance.

MalwareBytes 2014-07-29-13.20.txt

After finishing all this, I rebooted into the Normal Windows mode and it went right back to not being able to run anything.

Guest McGolff

Downloaded Toshiba Diagnostics but they would not run on Windows 7.

Ran Windows Chkdsk, just to get something to output -- screen captures attached.

When I rebooted, TDSSKiller was still in residence, so it started up and this time ran to completion. It did not find any errors though - log attached.

When TDSSKiller finished (running in its boot version of Windows), everything was running well and MalwareBytes popped up with a scan reminder, so I ran it since I hadn't been able to run it except in Safe Mode. Log attached.

When I rebooted after MalwareBytes finished, the system returned to the "Normal" version of Windows 7 and was not able to run anything again.

(On the reboot, I'm not getting the "Windows cannot find xxxx.exe" message that I was getting above, and I'm not getting the BSOD... but the standard version of Windows still does not work properly.)

post-111354-0-80788100-1406749396_thumb.

post-111354-0-62757700-1406749404_thumb.

TDSSKiller.3.0.0.40_30.07.2014_09.08.46_log.txt

MalwareBytes 2014-07-29-13.20.txt


Well, at this point I'm not really sure what's going on there, and you might end up having to do a Factory Restore.

Let's try ComboFix again from Safe Mode.

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program, you can download it directly from the link below.
  • Important! - Please make sure you save ComboFix to your desktop and do not run it from your browser.
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once ComboFix has completed, it will produce and open a log file. Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed, the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


Guest McGolff

Ran ComboFix from Safe Mode with Networking. Tested a normal reboot after it finished with the same non-working results --- cannot run any programs.

ComboFix log attached.


ComboFix.txt


Well, I'm sorry to say, but I'm not seeing anything that might be causing that behavior.

You can try the following and see if it helps or not.

ESET Services Repair

Please download the ESET services repair from here and save the file to your desktop.
On XP, double click to run it. On Vista/Win7/Win8, please right click and choose "Run as administrator".
Once the tool has finished, please restart the computer.

You can also try some of the top fixes from Microsoft.
http://support.microsoft.com/fixit/

If those do not work, you can also try the following.

Please download and run the following tool.

Windows Repair (All In One)

Direct Program Download Link

This topic is now closed to further replies.