TechSpot

Help! 8.26.70.252 kicking my butt

Solved
By amuck
Nov 10, 2012
  1. My son's teacher found out I am in IT. Next thing I know, he is carrying her laptop home to me, with a note that says "I can't do anything". She had random errors, pop-ups, redirects, all icons on desktop and Start Pearl disappeared.

    I got her icons back (desktop and Start), but could not get Windows Update to work, nor could I get to Eset or Housecall to work (redirect). Finally saw the 8.26.70.252 pop up in an address...

    I ran finally pulled over Malwarbytes, Eset AND Housecall via CD. Malwarbytes found PUM.UserWLoad and PUM.Hijack.StartMenu and cleaned both. Still got redirected.

    Eset found two instances of Win32/HiddenStart.A and removed both. Yet, here I am today still fighting this thing. Forgive me if I make mistakes pasting below from MBAM, GER and DDS. This is my latest MBAM scan, I can post the original before my fix actions if you wish.

    MBAM Log:
    ===============================================
    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org
    Database version: v2012.11.05.05
    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Betty Anne :: BETTYANNE-PC [administrator]
    11/10/2012 8:31:36 PM
    mbam-log-2012-11-10 (20-31-36).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 207573
    Time elapsed: 5 minute(s), 15 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)

    ===============================================

    GMER Log
    ===============================================
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-11-10 21:20:26
    Windows 6.1.7601 Service Pack 1
    Running: rtuywhzi.exe

    ---- Registry - GMER 1.0.15 ----
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015007f6c3b
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4ceb42209bd4
    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0cb38d054a8
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015007f6c3b (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4ceb42209bd4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0cb38d054a8 (not active ControlSet)
    ---- EOF - GMER 1.0.15 ----

    ===============================================
    DDS.log
    ===============================================
    DDS (Ver_2012-11-07.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16447 BrowserJavaVersion: 10.9.2
    Run by Betty Anne at 21:22:34 on 2012-11-10
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6050.3836 [GMT -5:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\Program Files\IDT\WDM\STacSV64.exe
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\system32\WLANExt.exe
    C:\windows\System32\spoolsv.exe
    C:\Program Files\IDT\WDM\AESTSr64.exe
    C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\windows\system32\svchost.exe -k bthsvcs
    C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
    C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\windows\SysWOW64\svchost.exe -k hpdevmgmt
    C:\Windows\system32\mfevtps.exe
    C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
    C:\windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\windows\system32\taskhost.exe
    C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\windows\system32\wbem\unsecapp.exe
    C:\windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\windows\system32\svchost.exe -k HPService
    C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
    C:\windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\windows\system32\taskmgr.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BingBar.exe
    C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe
    C:\Program Files\mcafee.com\agent\mcagent.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\windows\notepad.exe
    C:\windows\system32\SearchProtocolHost.exe
    C:\windows\system32\SearchFilterHost.exe
    C:\windows\system32\wbem\wmiprvse.exe
    C:\windows\System32\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    mWinlogon: Userinit = userinit.exe,
    BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\mcafee\msk\mskapbho.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\mcafee\SystemCore\ScriptSn.20120726144436.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BingExt.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
    EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
    EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
    mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
    mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    StartupFolder: C:\Users\BETTYA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ONENOT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\SmartPrint\smartprintsetup.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    TCP: NameServer = 172.26.38.1 172.26.38.2
    TCP: Interfaces\{8F401738-A93E-48D9-A7BD-57EB16A69529} : DHCPNameServer = 172.26.38.1 172.26.38.2
    TCP: Interfaces\{8F401738-A93E-48D9-A7BD-57EB16A69529}\27F6F6D6C696E687 : DHCPNameServer = 107.20.211.133 107.20.210.188
    TCP: Interfaces\{8F401738-A93E-48D9-A7BD-57EB16A69529}\37D656C6C602D6970266163656D27657563747 : DHCPNameServer = 192.168.33.1
    TCP: Interfaces\{8F401738-A93E-48D9-A7BD-57EB16A69529}\465616E646C676 : DHCPNameServer = 68.87.66.246 68.87.64.242
    TCP: Interfaces\{8F401738-A93E-48D9-A7BD-57EB16A69529}\84F4D454D224345423 : DHCPNameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{8F401738-A93E-48D9-A7BD-57EB16A69529}\C696E6B6379737 : DHCPNameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{CDFB0639-BA97-473F-BFD8-95029808745F} : DHCPNameServer = 75.75.75.75 75.75.76.76
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll
    Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - C:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SSODL: WebCheck - <orphaned>
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    x64-BHO: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} -
    x64-BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\mcafee\SystemCore\ScriptSn.20120726144436.dll
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    x64-DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
    x64-DPF: {CAFEEFAC-0017-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
    x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_01-windows-i586.cab
    x64-Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll
    x64-Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - <orphaned>
    x64-Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - <orphaned>
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
    x64-Notify: igfxcui - igfxdev.dll
    x64-SSODL: WebCheck - <orphaned>
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;C:\windows\System32\drivers\mfehidk.sys [2010-10-13 752672]
    R0 mfewfpk;McAfee Inc. mfewfpk;C:\windows\System32\drivers\mfewfpk.sys [2010-10-13 335784]
    R0 MpFilter;Microsoft Malware Protection Driver;C:\windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
    R0 PxHlpa64;PxHlpa64;C:\windows\System32\drivers\PxHlpa64.sys [2012-2-12 55856]
    R1 MpKsl9d88c931;MpKsl9d88c931;C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F926DC8F-39C8-4192-873E-5D32DB8CEFF9}\MpKsl9d88c931.sys [2012-11-9 35664]
    R2 AESTFilters;Andrea ST Filters Service;C:\Program Files\IDT\WDM\AESTSr64.exe [2012-2-12 89600]
    R2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-9-15 1166848]
    R2 Bluetooth Device Monitor;Bluetooth Device Monitor;C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe [2011-5-19 921664]
    R2 Bluetooth OBEX Service;Bluetooth OBEX Service;C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe [2011-5-19 995392]
    R2 BTHSSecurityMgr;Intel(R) Centrino(R) Wireless Bluetooth(R) 3.0 + High Speed Security Service;C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-6-3 134928]
    R2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-2-12 13336]
    R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-25 201304]
    R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-25 201304]
    R2 McShield;McAfee McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2012-2-12 237920]
    R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2012-2-12 218320]
    R2 mfevtp;McAfee Validation Trust Protection Service;C:\windows\System32\mfevtps.exe [2012-2-12 177144]
    R2 NOBU;Dell DataSafe Online;C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe [2010-8-25 2823000]
    R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2012-2-12 1692480]
    R2 UNS;Intel(R) Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2012-2-12 2655768]
    R3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;C:\windows\System32\drivers\AmpPal.sys [2011-9-15 299008]
    R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.EXE [2012-6-11 240208]
    R3 btmaudio;Intel Bluetooth Audio Service;C:\windows\System32\drivers\btmaud.sys [2011-5-19 51712]
    R3 btmaux;Intel Bluetooth Auxiliary Service;C:\windows\System32\drivers\btmaux.sys [2011-5-19 53248]
    R3 btmhsf;btmhsf;C:\windows\System32\drivers\btmhsf.sys [2011-7-19 282624]
    R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\windows\System32\drivers\CtClsFlt.sys [2012-2-12 176096]
    R3 iBtFltCoex;iBtFltCoex;C:\windows\System32\drivers\iBtFltCoex.sys [2011-7-19 59904]
    R3 IntcDAud;Intel(R) Display Audio;C:\windows\System32\drivers\IntcDAud.sys [2012-2-12 317440]
    R3 iwdbus;IWD Bus Enumerator;C:\windows\System32\drivers\iwdbus.sys [2011-6-21 25496]
    R3 mfeavfk;McAfee Inc. mfeavfk;C:\windows\System32\drivers\mfeavfk.sys [2010-10-13 300392]
    R3 mfefirek;McAfee Inc. mfefirek;C:\windows\System32\drivers\mfefirek.sys [2010-10-13 513456]
    R3 RTL8167;Realtek 8167 NT Driver;C:\windows\System32\drivers\Rt64win7.sys [2012-2-12 406632]
    R3 tihub3;TI USB3 Hub Service;C:\windows\System32\drivers\tihub3.sys [2011-7-20 136000]
    R3 tixhci;TI XHCI Service;C:\windows\System32\drivers\tixhci.sys [2011-7-20 406336]
    S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\BBSvc.EXE [2012-6-11 193616]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-25 201304]
    S2 RoxWatch12;Roxio Hard Drive Watcher 12;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-5 160944]
    S3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;C:\windows\System32\drivers\AmpPal.sys [2011-9-15 299008]
    S3 Bluetooth Media Service;Bluetooth Media Service;C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe [2011-5-19 1335360]
    S3 cfwids;McAfee Inc. cfwids;C:\windows\System32\drivers\cfwids.sys [2010-10-13 69672]
    S3 fssfltr;fssfltr;C:\windows\System32\drivers\fssfltr.sys [2012-2-24 48488]
    S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
    S3 HipShieldK;McAfee Inc. HipShieldK;C:\windows\System32\drivers\HipShieldK.sys [2012-10-25 196440]
    S3 intaud_WaveExtensible;Intel WiDi Audio Device;C:\windows\System32\drivers\intelaud.sys [2011-6-21 34200]
    S3 McAWFwk;McAfee Activation Service;C:\PROGRA~1\mcafee\msc\mcawfwk.exe [2012-2-12 220528]
    S3 mferkdet;McAfee Inc. mferkdet;C:\windows\System32\drivers\mferkdet.sys [2010-10-13 106112]
    S3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [2011-9-15 340240]
    S3 NisDrv;Microsoft Network Inspection System;C:\windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
    S3 RoxMediaDB12OEM;RoxMediaDB12OEM;C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\windows\System32\drivers\RtsUStor.sys [2012-2-12 250984]
    S3 TsUsbFlt;TsUsbFlt;C:\windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
    S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\System32\drivers\usbaapl64.sys [2012-4-25 52736]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\System32\Wat\WatAdminSvc.exe [2012-2-24 1255736]
    S4 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2012-10-25 201304]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2012-11-10 04:45:07 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F926DC8F-39C8-4192-873E-5D32DB8CEFF9}\offreg.dll
    2012-11-10 04:45:06 35664 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F926DC8F-39C8-4192-873E-5D32DB8CEFF9}\MpKsl9d88c931.sys
    2012-11-10 03:14:57 9291768 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F926DC8F-39C8-4192-873E-5D32DB8CEFF9}\mpengine.dll
    2012-11-10 03:13:56 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
    2012-11-10 03:13:50 -------- d-----w- C:\Program Files\Microsoft Security Client
    2012-11-09 23:54:32 821736 ----a-w- C:\windows\SysWow64\npDeployJava1.dll
    2012-11-09 23:54:02 95208 ----a-w- C:\windows\SysWow64\WindowsAccessBridge-32.dll
    2012-11-09 03:33:27 -------- d-----w- C:\Program Files (x86)\ESET
    2012-11-09 00:51:12 -------- d-----w- C:\Users\Betty Anne\AppData\Roaming\Malwarebytes
    2012-11-09 00:48:51 -------- d-----w- C:\ProgramData\Malwarebytes
    2012-11-09 00:48:48 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-10-31 00:05:27 33240 ----a-w- C:\windows\System32\drivers\GEARAspiWDM.sys
    2012-10-31 00:04:54 -------- d-----w- C:\Program Files\iPod
    2012-10-31 00:04:53 -------- d-----w- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    2012-10-31 00:04:53 -------- d-----w- C:\Program Files\iTunes
    2012-10-31 00:04:53 -------- d-----w- C:\Program Files (x86)\iTunes
    2012-10-30 20:31:53 -------- d--h--w- C:\Users\Betty Anne\Pearson
    2012-10-26 00:46:22 196440 ----a-w- C:\windows\System32\drivers\HipShieldK.sys
    .
    ==================== Find3M ====================
    .
    2012-11-09 23:53:48 746984 ----a-w- C:\windows\SysWow64\deployJava1.dll
    2012-08-31 03:03:48 228768 ----a-w- C:\windows\System32\drivers\MpFilter.sys
    2012-08-31 03:03:48 128456 ----a-w- C:\windows\System32\drivers\NisDrvWFP.sys
    2012-08-21 17:01:20 125872 ----a-w- C:\windows\System32\GEARAspi64.dll
    2012-08-21 17:01:20 106928 ----a-w- C:\windows\SysWow64\GEARAspi.dll
    .
    ============= FINISH: 21:25:44.54 ===============

    Attach.txt
    ===============================================
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-07.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2/21/2012 7:21:34 PM
    System Uptime: 11/10/2012 12:25:39 PM (9 hours ago)
    .
    Motherboard: Dell Inc. | | 034W60
    Processor: Intel(R) Core(TM) i3-2330M CPU @ 2.20GHz | CPU 1 | 2200/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 581 GiB total, 530.521 GiB free.
    D: is CDROM (UDF)
    W: is FIXED (NTFS) - 15 GiB total, 7.219 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
    Description: Officejet 4500 G510n-z
    Device ID: ROOT\IMAGE\0000
    Manufacturer: HP
    Name: Officejet 4500 G510n-z
    PNP Device ID: ROOT\IMAGE\0000
    Service: StillCam
    .
    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Officejet 4500 G510n-z
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Officejet 4500 G510n-z
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:
    .
    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Photosmart D110 series
    Device ID: ROOT\MULTIFUNCTION\0001
    Manufacturer: HP
    Name: Photosmart D110 series
    PNP Device ID: ROOT\MULTIFUNCTION\0001
    Service:
    .
    ==== System Restore Points ===================
    .
    RP32: 7/26/2012 10:12:14 PM - Scheduled Checkpoint
    RP33: 8/13/2012 3:22:45 PM - Scheduled Checkpoint
    RP34: 9/10/2012 5:41:38 AM - Scheduled Checkpoint
    RP35: 9/28/2012 10:42:06 PM - Scheduled Checkpoint
    RP36: 10/6/2012 7:44:30 PM - Scheduled Checkpoint
    RP37: 10/29/2012 6:20:57 PM - Scheduled Checkpoint
    RP38: 10/30/2012 8:03:13 PM - Installed iTunes
    RP39: 11/9/2012 3:11:57 PM - Scheduled Checkpoint
    RP40: 11/9/2012 6:52:39 PM - Installed Java 7 Update 9
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    4500_G510nz_Help
    4500G510nz
    4500G510nz_Software_Min
    64 Bit HP CIO Components Installer
    Adobe Flash Player 11 ActiveX 64-bit
    Adobe Reader X MUI
    Advanced Audio FX Engine
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bing Bar
    Bonjour
    BufferChm
    CCleaner
    Coupon Printer for Windows
    Cozi
    D3DX10
    Dell DataSafe Local Backup
    Dell DataSafe Local Backup - Support Software
    Dell DataSafe Online
    Dell Edoc Viewer
    Dell Getting Started Guide
    Dell Home Systems Service Agreement
    Dell MusicStage
    Dell PhotoStage
    Dell Stage
    Dell Support Center
    Dell Touchpad
    Dell VideoStage
    Dell Webcam Central
    Destinations
    DeviceDiscovery
    DirectX 9 Runtime
    DocMgr
    DocProc
    ESET Online Scanner v3
    Fax
    GPBaseService2
    Greeting Card Factory Silver
    Hoyle Casino
    HP Customer Participation Program 13.0
    HP Deskjet 3510 series Basic Device Software
    HP Deskjet 3510 series Help
    HP Deskjet 3510 series Product Improvement Study
    HP Document Manager 2.0
    HP Imaging Device Functions 13.0
    HP Officejet 4500 G510n-z
    HP Photo Creations
    HP Smart Web Printing 4.5
    HP Solution Center 13.0
    HP Update
    HPProductAssistant
    HPSSupply
    IDT Audio
    Intel PROSet Wireless
    Intel(R) Control Center
    Intel(R) Management Engine Components
    Intel(R) Processor Graphics
    Intel(R) PROSet/Wireless Software for Bluetooth(R) Technology
    Intel(R) PROSet/Wireless WiFi Software
    Intel(R) Rapid Storage Technology
    Intel(R) WiDi
    Intel(R) Wireless Display
    iTunes
    Java 7 Update 9
    Java Auto Updater
    Java(TM) 7 Update 1 (64-bit)
    Junk Mail filter update
    Malwarebytes Anti-Malware version 1.65.1.1000
    MarketResearch
    McAfee SecurityCenter
    Mesh Runtime
    Messenger Companion
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office 2010
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Office 64-bit Components 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared 64-bit MUI (English) 2007
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    MSVCRT
    MSVCRT_amd64
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Network64
    OCR Software by I.R.I.S. 13.0
    PhotoShowExpress
    Quickset64
    RBVirtualFolder64Inst
    Realtek Ethernet Controller Driver
    Realtek USB 2.0 Card Reader
    Roxio Activation Module
    Roxio BackOnTrack
    Roxio Burn
    Roxio Creator Starter
    Roxio Express Labeler 3
    Roxio File Backup
    Scan
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596666) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2596786) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
    Shared C Run-time for x64
    Shop for HP Supplies
    Skype™ 5.9
    SmartWebPrinting
    SolutionCenter
    Sonic CinePlayer Decoder Pack
    Status
    TI USB 3.0 Host Controller Driver
    TI USB3 Host Driver
    Toolbox
    TrayApp
    TrustedID
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687310) 32-Bit Edition
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    WebReg
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Language Selector
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live MIME IFilter
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live Remote Client
    Windows Live Remote Client Resources
    Windows Live Remote Service
    Windows Live Remote Service Resources
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/9/2012 7:24:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    11/9/2012 10:15:09 PM, Error: Service Control Manager [7003] - The Microsoft Network Inspection System service depends the following service: BFE. This service might not be installed.
    11/9/2012 10:15:09 PM, Error: Service Control Manager [7001] - The Microsoft Network Inspection service depends on the Microsoft Network Inspection System service which failed to start because of the following error: The dependency service does not exist or has been marked for deletion.
    11/9/2012 10:15:09 PM, Error: Microsoft Antimalware [2003] - Microsoft Antimalware has encountered an error trying to update the engine. New Engine Version: Previous Engine Version: Engine Type: Network Inspection System User: BettyAnne-PC\Betty Anne Error Code: 0x8007042c Error description: The dependency service or group failed to start.
    11/9/2012 10:15:09 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: Update Source: User Update Stage: Install Source Path: Signature Type: Network Inspection System Update Type: Full User: BettyAnne-PC\Betty Anne Current Engine Version: Previous Engine Version: Error code: 0x8007042c Error description: The dependency service or group failed to start.
    11/9/2012 10:14:59 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    11/9/2012 10:14:59 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    11/9/2012 10:14:59 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    11/9/2012 10:14:59 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    11/9/2012 10:14:59 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    11/9/2012 10:14:10 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
    11/9/2012 10:14:10 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: BettyAnne-PC\Betty Anne Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    11/9/2012 10:14:10 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: BettyAnne-PC\Betty Anne Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server name or address could not be resolved
    11/9/2012 10:11:04 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    11/9/2012 10:11:03 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    11/9/2012 10:11:02 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    11/9/2012 10:08:27 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service Bluetooth Device Monitor with arguments "" in order to run the server: {DABF28BE-F6B4-4E40-8F40-C4FB26F3116C}
    11/9/2012 10:07:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    11/9/2012 10:04:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    11/9/2012 10:04:30 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    11/9/2012 10:04:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/9/2012 10:04:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    11/9/2012 10:03:45 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\windows\System32\IWMSSvc.dll Error Code: 21
    11/9/2012 10:03:27 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
    11/9/2012 10:03:25 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    11/8/2012 3:15:14 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    11/5/2012 5:26:30 AM, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    11/5/2012 5:26:30 AM, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
    11/10/2012 4:54:25 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Schedule service.
    11/10/2012 12:03:08 PM, Error: Service Control Manager [7003] - The McAfee Personal Firewall Service service depends the following service: MpsSvc. This service might not be installed.
    .
    ==== End Of File ===========================



    Help me, Obi Wan Kenobi; you are my only hope.
  2. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    I should add, I tried to run TDSSKiller (an action lead I got from another forum) and it doesn't seem to run. It pops up in Task Mgr and then dies.
  3. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    =============================

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
  4. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    Thanks Broni. aswMBR will not run, even if right-click and select "Run as administrator". I see it come up in Task Mgr, and then it disappears. Below please find RogueKiller reports:

    RogueKiller V8.2.3 [11/07/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Betty Anne [Admin rights]
    Mode : Scan -- Date : 11/11/2012 00:40:34
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 10 ¤¤¤
    [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
    [HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Betty Anne\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\n.) -> FOUND
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FOLDER] U : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U --> FOUND
    [ZeroAccess][FOLDER] L : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L --> FOUND
    [ZeroAccess][FOLDER] U : C:\Users\Betty Anne\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U --> FOUND
    [ZeroAccess][FOLDER] L : C:\Users\Betty Anne\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L --> FOUND
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ Infection : Rans.Gendarm|Rans.Gendarm ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: TOSHIBA MK6475GSX +++++
    --- User ---
    [MBR] a2111a8ed72be82719f761f51d90dbe5
    [BSP] c8cda3a0ea2a6defe307a70b0ca03225 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 595364 Mo
    User != LL1 ... KO!
    --- LL1 ---
    [MBR] a3fb239838a262fc33a2bf0212ae403d
    [BSP] c8cda3a0ea2a6defe307a70b0ca03225 : Windows 7/8 MBR Code [possible maxSST in 3!]
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 595364 Mo
    3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1250234368 | Size: 10 Mo
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] a3fb239838a262fc33a2bf0212ae403d
    [BSP] c8cda3a0ea2a6defe307a70b0ca03225 : Windows 7/8 MBR Code [possible maxSST in 3!]
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 595364 Mo
    3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1250234368 | Size: 10 Mo
    Finished : << RKreport[1]_S_11112012_02d0040.txt >>
    RKreport[1]_S_11112012_02d0040.txt

    RogueKiller V8.2.3 [11/07/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com
    Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Betty Anne [Admin rights]
    Mode : Remove -- Date : 11/11/2012 00:41:34
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 8 ¤¤¤
    [HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
    [HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> REPLACED (1)
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    [HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\Users\Betty Anne\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\n.) -> REPLACED (C:\windows\system32\shell32.dll)
    ¤¤¤ Particular Files / Folders: ¤¤¤
    [ZeroAccess][FOLDER] ROOT : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\windows\Installer\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Users\Betty Anne\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U --> REMOVED
    [ZeroAccess][FOLDER] ROOT : C:\Users\Betty Anne\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L --> REMOVED
    ¤¤¤ Driver : [NOT LOADED] ¤¤¤
    ¤¤¤ Infection : Rans.Gendarm|Rans.Gendarm ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\windows\system32\drivers\etc\hosts

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: TOSHIBA MK6475GSX +++++
    --- User ---
    [MBR] a2111a8ed72be82719f761f51d90dbe5
    [BSP] c8cda3a0ea2a6defe307a70b0ca03225 : Windows 7/8 MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 595364 Mo
    User != LL1 ... KO!
    --- LL1 ---
    [MBR] a3fb239838a262fc33a2bf0212ae403d
    [BSP] c8cda3a0ea2a6defe307a70b0ca03225 : Windows 7/8 MBR Code [possible maxSST in 3!]
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 595364 Mo
    3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1250234368 | Size: 10 Mo
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] a3fb239838a262fc33a2bf0212ae403d
    [BSP] c8cda3a0ea2a6defe307a70b0ca03225 : Windows 7/8 MBR Code [possible maxSST in 3!]
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 15000 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 30926848 | Size: 595364 Mo
    3 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 1250234368 | Size: 10 Mo
    Finished : << RKreport[2]_D_11112012_02d0041.txt >>
    RKreport[1]_S_11112012_02d0040.txt ; RKreport[2]_D_11112012_02d0041.txt



    Will not touch this device until I hear from you. And thanks.
  5. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

    Next...

    Re-run FRST again.
    Type the following in the edit box after "Search:".

    services.exe

    Click Search button and post the log (Search.txt) it makes in your reply.

    I'll expect two logs:
    - FRST.txt
    - Search.txt
  6. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    Question: How long should it take to boot into Repair Mode? I selected the option after hitting F8 and I have been sitting here now for the better part of half an hour? "Windows is loading files..."

    I do not have access to her Windows Installation Disk, but I do have a copy of Windows 7 Pro OEM here (Not the same OS as is on this box)...

    Thanks
  7. Broni

    Broni Malware Annihilator Posts: 46,479   +252

  8. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    Roger that, stand by and let me get this downloaded/installed to DVD. I'll post some progress shortly.
  9. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    Sigh. I am getting the following error after I select "boot from CD/DVD" and "Windows is loading files...":

    Windows Boot Manager

    Windows has encountered a problem communicating with a device connected to your computer.

    This error can be caused by unplugging a removable storage device such as an external USB drive while the device is still in use, or by faulty hardware such as a hard drive or CD-ROM drive that is failing. Make sure any removable storage is properly connected and then restart your computer.

    If you continue to receive this error message, contact the hardware manufacturer.

    Status: 0xc00000e9

    Info: An unexpected I/O error has occurred.

    Enter=Continue ESC=Exit

    Neither enter or escape work.



    I do not have a large enough flash/thumb drive, but I can get one. The above happened while using DVD using the ISO referenced. I assure you nothing is plugged in, so there is nothing to remove while the device is in use.

    Am I hosed?
  10. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Let's try something else.
    It looks like you may have fake infected partition.

    For x86 (x32) bit systems please download Listparts
    For x64 bit systems please download Listparts64

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
  11. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    ListParts by Farbar Version: 30-10-2012
    Ran by Betty Anne (administrator) on 11-11-2012 at 22:08:55
    Windows 7 (X64)
    Running From: C:\Users\Betty Anne\Desktop
    Language: 0409
    ************************************************************
    ========================= Memory info ======================
    Percentage of memory in use: 27%
    Total physical RAM: 6050.05 MB
    Available physical RAM: 4414.33 MB
    Total Pagefile: 12098.3 MB
    Available Pagefile: 10319.04 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.9 MB
    ======================= Partitions =========================
    1 Drive c: (OS) (Fixed) (Total:581.41 GB) (Free:530.54 GB) NTFS
    3 Drive x: (Recovery) (Fixed) (Total:14.65 GB) (Free:7.22 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 596 GB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 100 MB 1024 KB
    Partition 2 Primary 14 GB 101 MB
    Partition 3 Primary 581 GB 14 GB
    Partition 4 Primary 10 MB 596 GB
    ======================================================================================================
    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No
    There is no volume associated with this partition.
    ======================================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Recovery NTFS Partition 14 GB Healthy System (partition with boot components)
    ======================================================================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 581 GB Healthy Boot
    ======================================================================================================
    Disk: 0
    Partition 4
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes
    There is no volume associated with this partition.
    ======================================================================================================
    The boot configuration data store could not be opened.
    The system cannot find the file specified.

    ****** End Of Log ******
     
  12. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Yeah Partition 4 is a fake malicious one.

    WARNING!
    Proceed with extreme caution!
    Deleting wrong partition will result with your computer being unusable.
    If you have any doubts, ask.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Download GETxPUD.exe to the desktop of your clean computer

    • Double click on GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
    • Insert blank CD into your CD drive.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Boot bad computer from the CD
    • Click Menu then Terminal Emulator
    • Type parted /dev/sda set 2 boot on
    • Press Enter
    • Type parted /dev/sda rm 4
    • Press Enter
    • Remove xPUD CD, reboot, run ListParts and post the log
  13. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    Dang me. On the bad PC, I never see Menu or the option to click Terminal Emulator.
    It boots, then it allows you to select language (I leave it on English), it counts down to boot and then after some text I get: "Fatal server error: no screens found". And some other information. I guess what is interesting on this screen is it says "xinit: No such file or directory (errno 2): unable to connect to X server".

    Driver issue?
  14. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Not good.
    We have to boot from an external source to fix this issue.

    Let's try another tool.

    WARNING!
    Proceed with extreme caution!
    Deleting wrong partition will result with your computer being unusable.
    If you have any doubts, ask.


    Download Download gparted-live-0.11.0-7.iso (119.8 MB)

    Burn it to a CD: http://neosmart.net/wiki/display/G/Burning ISO Images to a CD or DVD

    Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    Boot off of the newly created Gparted CD.

    You should be here:
    [​IMG]
    Press Enter.

    By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER:
    [​IMG]

    Choose your language and press ENTER. English is default [33]:
    [​IMG]

    Once again, at this prompt, press ENTER:
    [​IMG]

    You will now be taken to the main GUI screen below:
    [​IMG]
    According to your logs, the partition that you want to delete is the small partition of 10MB.
    Click on it to highlight it.
    Click the trash can icon to delete and then click Apply.

    You should now be here confirming your actions:
    [​IMG]

    Now you should be here:
    [​IMG]

    Is "boot" next to your OS drive?
    [​IMG]

    If "boot" is NOT next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags.

    In the menu that pops up, place a checkmark in boot like the picture below:
    [​IMG]

    Now double-click the [​IMG] button.

    You should receive a small pop up like this:
    [​IMG]

    Choose reboot and then press OK.

    If it worked run ListParts and post the log
  15. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    Was able to do all that, set the "boot" flag to the largest partition (called "OS", which closely matched what Windows told me about the partition) and now I am getting

    Windows failed to start. A recent hardware or software change might be the cause.
    To fix the problem:
    1. Insert your Windows installation disc and restart the computer.
    2. Choose your language settings and click next.
    3. Click "repair your computer"

    If you do not have this disk, contact your system administrator or computer manufacturer for assistance.

    File: \Boot\BCD
    Status: 0xc000000f
    Info: An error occurred while attempting to read the boot configuration data.

    I have the installation disc you had me create earlier, but I have not run it yet because I am deferring to your lead. Standing by, and thanks for your help!
  16. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    By the way, the suspected malware partition was previously set as "boot", and by itself, I believe. I should have taken closer notice, but I know for sure it was set to boot.
  17. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Yes that was the main issue.

    Go ahead and try repair.
  18. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    Dang me, I get the same error message from the Windows Boot Manager as stated in Post #15 above...:'(
  19. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    Edit: sorry brother, it's been a long day. NOW THAT I HAVE PUT THE REPAIR CD IN...the message I get is the same as in Post #9 above:

    Windows Boot Manager

    Windows has encountered a problem communicating with a device connected to your computer.

    This error can be caused by unplugging a removable storage device such as an external USB drive while the device is still in use, or by faulty hardware such as a hard drive or CD-ROM drive that is failing. Make sure any removable storage is properly connected and then restart your computer.

    If you continue to receive this error message, contact the hardware manufacturer.

    Status: 0xc00000e9

    Info: An unexpected I/O error has occurred.

    Enter=Continue ESC=Exit

    Neither enter or escape work, again.
  20. Broni

    Broni Malware Annihilator Posts: 46,479   +252

  21. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    Yeah, I can't even get to the point where I can use the DVD with the ISO image you directed me to; I also used a System Repair disk made from one of my Win7 Home Premium systems lying around here, and when I tried to use it, I got the same error reported above. I wonder: can I use Gparted to set the installed recovery partition as the boot partition? Is that advisable?
  22. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Yes you can try that.
  23. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    Okay, setting the recovery partition to boot made the Startup Repair start...currently watching a status bar that states "Startup Repair is checking your system for problems..." etc. This has been going on for over an hour now. I'll keep you posted. Wish me luck.
  24. Broni

    Broni Malware Annihilator Posts: 46,479   +252

    Good luck :)
  25. amuck

    amuck Newcomer, in training Topic Starter Posts: 36

    Dear Sir,

    It did not work. There were a couple interesting Root Causes found:

    Repair Action: System files integrity check and repair
    Result: Failed. Error Code = 0X490
    Time taken = 994444ms

    Root cause found:
    -----------------------------------------------
    Unspecified changes to system configuration might have caused the problem.

    Repair action: System Restore
    Result: Completed successfully. Error Code = 0x0


    These were not back-to-back, and there were about a dozen others with nothing listed that appeared to be of interest.

    I tried GParting back to the Win7 partition (as boot), and I got the same \Boot\BCD error described earlier.

    Should I re-set the boot to the recovery partition and drop to the CMD prompt from there?

    (be advised I must return to work tomorrow, so I will not be online again until around 6PM EST, but I eagerly await your reply. No one troubleshoots anymore, it's always "re-image". This is almost refreshing).


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.