TechSpot

Host Process for Windows Services has stopped working

Solved
By Kathryn Rowan
Mar 18, 2013
  1. Kathryn Rowan

    Kathryn Rowan TS Member Topic Starter Posts: 62

    After I select "Repair your computer" when rebooting, I get a screen that asks for a user name and password. It doesn't accept the user name and password for the only user on this computer. What do I do?
     
  2. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Please re-run Combofix one more time.
     
  3. Kathryn Rowan

    Kathryn Rowan TS Member Topic Starter Posts: 62

    Here's the report from Combofix:

    ComboFix 13-03-19.01 - Robert 03/19/2013 20:44:42.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1791.893 [GMT -6:00]
    Running from: c:\users\Robert\Downloads\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {3F839487-C7A2-C958-E30C-E2825BA31FB5}
    SP: Microsoft Security Essentials *Disabled/Updated* {84E27563-E198-C6D6-D9BC-D9F020245508}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-02-20 to 2013-03-20 )))))))))))))))))))))))))))))))
    .
    .
    2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\users\Robert\AppData\Local\temp
    2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\windows\system32\config\systemprofile\AppData\Local\temp
    2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\users\QBDataServiceUser20\AppData\Local\temp
    2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\users\QBDataServiceUser19\AppData\Local\temp
    2013-03-20 02:52 . 2013-03-20 02:52--------d-----w-c:\users\Default\AppData\Local\temp
    2013-03-20 01:23 . 2013-03-15 07:217108640----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{39579FD8-4700-434E-B911-D8E280EB94E5}\mpengine.dll
    2013-03-19 20:38 . 2013-03-19 20:38--------d-----w-c:\program files\ESET
    2013-03-19 20:12 . 2013-03-19 20:12--------d-----w-C:\_OTL
    2013-03-19 17:59 . 2013-02-07 22:456954968----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2013-03-19 14:13 . 2013-03-19 14:13--------d-----w-c:\windows\ERUNT
    2013-03-19 14:13 . 2013-03-19 14:13--------d-----w-C:\JRT
    2013-03-18 21:49 . 2013-03-18 21:49--------d-----w-c:\program files\7-Zip
    2013-03-18 21:31 . 2013-03-18 21:31--------d-----w-c:\users\Robert\CD95F661A5C444F5A6AAECDD91C240CC.TMP
    2013-03-17 18:34 . 2013-03-17 18:32740840------w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{86F08306-FA33-40DC-BB0A-8A5DE89DDE07}\gapaengine.dll
    2013-03-17 18:18 . 2013-03-17 18:19--------d-----w-c:\program files\Microsoft Security Client
    2013-03-08 13:58 . 2013-03-08 13:5894112----a-w-c:\windows\system32\WindowsAccessBridge.dll
    2013-02-27 11:05 . 2013-02-27 11:05--------d-----w-c:\windows\system32\config\systemprofile\AppData\Local\Adobe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-03-08 13:58 . 2012-05-20 19:20861088----a-w-c:\windows\system32\npdeployJava1.dll
    2013-03-08 13:58 . 2010-05-01 20:26782240----a-w-c:\windows\system32\deployJava1.dll
    2013-01-30 10:53 . 2010-06-12 22:41232336------w-c:\windows\system32\MpSigStub.exe
    2013-01-28 20:02 . 2013-01-28 20:025113072----a-w-c:\windows\uninst.exe
    2013-01-20 21:59 . 2013-01-20 21:59195296----a-w-c:\windows\system32\drivers\MpFilter.sys
    2013-01-20 21:59 . 2013-01-20 21:59100328----a-w-c:\windows\system32\drivers\NisDrvWFP.sys
    2013-01-05 05:26 . 2013-02-13 08:303550072----a-w-c:\windows\system32\ntoskrnl.exe
    2013-01-05 05:26 . 2013-02-13 08:303602808----a-w-c:\windows\system32\ntkrnlpa.exe
    2013-01-04 11:28 . 2013-02-13 08:30914792----a-w-c:\windows\system32\drivers\tcpip.sys
    2013-01-04 01:55 . 2013-02-13 08:3031232----a-w-c:\windows\system32\drivers\tcpipreg.sys
    2013-01-04 01:38 . 2013-02-13 08:302048512----a-w-c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
    @="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
    [HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
    2008-01-03 10:0039472----a-w-c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
    backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=c:\windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
    backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
    backup=c:\windows\pss\Secunia PSI Tray.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^Users^Robert^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
    backupExtension=.Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
    2007-02-02 18:051261568----a-w-c:\program files\Acer Assist\launcher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
    2008-01-10 02:43326176----a-w-c:\acer\Empowering Technology\SysMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
    2007-10-15 20:433387392----a-w-c:\program files\Acer Registration\ACE1.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2012-12-03 07:35946352----a-w-c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2012-12-18 14:2838112----a-w-c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2012-11-28 21:1359280----a-w-c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BkupTray]
    2008-01-23 20:3334552----a-w-c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2007-04-04 01:501603152----a-w-c:\program files\Canon\MyPrinter\BJMYPRT.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2007-05-15 01:01644696----a-w-c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
    2008-01-03 09:55521776----a-w-c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-21 02:25125952----a-w-c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    2010-07-08 03:0430192----a-w-c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
    2011-10-03 10:44161336----a-w-c:\program files\Google\Google Updater\GoogleUpdater.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2009-02-27 01:3630040----a-w-c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
    2010-10-19 10:581439496----a-w-c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2012-12-12 20:57152544----a-w-c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    2008-09-17 21:1432768----a-w-c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
    2013-01-27 17:11947152----a-w-c:\program files\Microsoft Security Client\msseces.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
    2008-12-13 00:06642856----a-w-c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    2007-02-04 18:0279400----a-w-c:\program files\ScanSoft\OmniPageSE4\OpWareSE4.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMMediaSharing]
    2008-01-26 02:49204908----a-w-c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2012-10-25 10:12421888----a-w-c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
    2007-07-06 03:064669440----a-w-c:\windows\RtHDVCpl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
    2009-02-03 13:15111856----a-w-c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetPoint]
    2005-03-31 23:19434176----a-w-c:\program files\Logitech\SetPoint\SetPoint.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skytel]
    2007-06-15 08:451826816----a-w-c:\windows\SkyTel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
    2007-02-02 00:37630784----a-w-c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2006-10-25 15:03210472----a-w-c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
    2006-11-10 18:3590112----a-w-c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2012-07-03 16:04252848----a-w-c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    2008-07-15 14:5268856----a-w-c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2012-10-29 17:50296096----a-w-c:\program files\Real\RealPlayer\Update\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-21 02:231008184----a-w-c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
    2009-04-11 06:282153472----a-w-c:\windows\System32\oobefldr.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-21 02:25202240----a-w-c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WrtMon.exe]
    2006-09-20 14:3520480----a-w-c:\windows\System32\spool\drivers\w32x86\3\WrtMon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
    2009-02-03 13:15111856----a-w-c:\program files\Yahoo!\Search Protection\SearchProtection.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
    2002-11-23 08:15631362----a-w-c:\program files\Logitech\iTouch\iTouch.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R4 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonationREG_MULTI_SZ FontCache
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2013-03-12 17:201629648----a-w-c:\program files\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-03 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-18 13:11]
    .
    2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 00:04]
    .
    2013-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 00:04]
    .
    2013-03-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4152560199-2736179257-3684623034-1000.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 20:27]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com
    mStart Page = hxxp://www.yahoo.com
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.1.1 75.75.75.75 75.75.76.76
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-03-19 20:52
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(3512)
    c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
    c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
    .
    Completion time: 2013-03-19 20:54:00
    ComboFix-quarantined-files.txt 2013-03-20 02:53
    ComboFix2.txt 2013-03-19 01:17
    .
    Pre-Run: 44,271,177,728 bytes free
    Post-Run: 43,912,740,864 bytes free
    .
    - - End Of File - - D46C5D9914EFC67AB3295769FC231F80
     
  4. Kathryn Rowan

    Kathryn Rowan TS Member Topic Starter Posts: 62

    I get the same results after re-running Combofix. Could I rund the program in Safe Mode?
     
  5. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    No. There is nothing malicious there anymore.

    Download Windows Repair (All in One) from this site

    Install the program then run it.

    NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
    NOTE 2. Disable your antivirus program before running Windows Repair.


    Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

    [​IMG]



    Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

    [​IMG]


    Go to Step 4 and under "System Restore" click on Create button:

    [​IMG]


    Go to Start Repairs tab and click Start button.

    Leave all checkmarks as they're.
    NOTE for Windows 8 users. Reset Registry Permissions is NOT checked by design.

    Click on Start button.

    [​IMG]

    Post Windows Repair log (_windows_repair_log.txt) which is located in the following folder:
    64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
    32-bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs
     
  6. Kathryn Rowan

    Kathryn Rowan TS Member Topic Starter Posts: 62

    Here's the log from Windows Repair:

    Running Repair Under System Account
    Running Repair Under System Account
    Starting Repairs...
    Start (3/20/2013 8:20:24 AM)

    Reset Registry Permissions 01/03
    HKEY_CURRENT_USER & Sub Keys
    Start (3/20/2013 8:20:24 AM)
    Running Repair Under Current User Account
    Done (3/20/2013 8:20:29 AM)

    Reset Registry Permissions 02/03
    HKEY_LOCAL_MACHINE & Sub Keys
    Start (3/20/2013 8:20:29 AM)
    Running Repair Under System Account
    Done (3/20/2013 8:24:02 AM)

    Reset Registry Permissions 03/03
    HKEY_CLASSES_ROOT & Sub Keys
    Start (3/20/2013 8:24:02 AM)
    Running Repair Under System Account
    Done (3/20/2013 8:24:35 AM)

    Register System Files
    Start (3/20/2013 8:24:35 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:25:08 AM)

    Repair WMI
    Start (3/20/2013 8:25:08 AM)
    Running Repair Under Current User Account
    The system cannot find the path specified.
    Invalid Global Switch.

    Running Repair Under System Account
    The system cannot find the path specified.
    Invalid Global Switch.

    Done (3/20/2013 8:28:32 AM)

    Repair Windows Firewall
    Start (3/20/2013 8:28:32 AM)
    Running Repair Under Current User Account
    The Internet Connection Sharing (ICS) service is not started.

    More help is available by typing NET HELPMSG 3521.

    The Internet Connection Sharing (ICS) service could not be started.

    The service did not report an error.

    More help is available by typing NET HELPMSG 3534.

    Running Repair Under System Account
    The Internet Connection Sharing (ICS) service is not started.

    More help is available by typing NET HELPMSG 3521.

    The Internet Connection Sharing (ICS) service could not be started.

    The service did not report an error.

    More help is available by typing NET HELPMSG 3534.

    Done (3/20/2013 8:29:06 AM)

    Repair Internet Explorer
    Start (3/20/2013 8:29:06 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:29:24 AM)

    Repair MDAC/MS Jet
    Start (3/20/2013 8:29:24 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:29:44 AM)

    Repair Hosts File
    Start (3/20/2013 8:29:44 AM)
    Running Repair Under System Account
    Done (3/20/2013 8:29:46 AM)

    Remove Policies Set By Infections
    Start (3/20/2013 8:29:46 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:29:51 AM)

    Repair Icons
    Start (3/20/2013 8:29:51 AM)
    Running Repair Under System Account
    Could Not Find C:\Users\Robert\AppData\Local\IconCache.db.bak
    Could Not Find C:\Users\Robert\AppData\Local\IconCache.db
    Done (3/20/2013 8:29:53 AM)

    Repair Winsock & DNS Cache
    Start (3/20/2013 8:29:53 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:30:02 AM)

    Repair Proxy Settings
    Start (3/20/2013 8:30:02 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:30:06 AM)

    Repair Windows Updates
    Start (3/20/2013 8:30:06 AM)
    Running Repair Under Current User Account
    The Background Intelligent Transfer Service service is not started.

    More help is available by typing NET HELPMSG 3521.

    The Windows Update service is not started.

    More help is available by typing NET HELPMSG 3521.

    The system cannot find the file specified.
    Running Repair Under System Account
    The Cryptographic Services service is not started.

    More help is available by typing NET HELPMSG 3521.

    The Background Intelligent Transfer Service service is not started.

    More help is available by typing NET HELPMSG 3521.

    The Windows Update service is not started.

    More help is available by typing NET HELPMSG 3521.

    The system cannot find the file specified.
    Done (3/20/2013 8:30:28 AM)

    Repair CD/DVD Missing/Not Working
    Start (3/20/2013 8:30:28 AM)
    Done (3/20/2013 8:30:28 AM)

    Repair Volume Shadow Copy Service
    Start (3/20/2013 8:30:28 AM)
    Running Repair Under Current User Account
    The Volume Shadow Copy service is not started.

    More help is available by typing NET HELPMSG 3521.

    The Microsoft Software Shadow Copy Provider service is not started.

    More help is available by typing NET HELPMSG 3521.

    Running Repair Under System Account
    The Volume Shadow Copy service is not started.

    More help is available by typing NET HELPMSG 3521.

    The Microsoft Software Shadow Copy Provider service is not started.

    More help is available by typing NET HELPMSG 3521.

    Done (3/20/2013 8:30:38 AM)

    Repair MSI (Windows Installer)
    Start (3/20/2013 8:30:38 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:30:47 AM)

    Repair bat Association
    Start (3/20/2013 8:30:47 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:30:52 AM)

    Repair cmd Association
    Start (3/20/2013 8:30:52 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:30:57 AM)

    Repair com Association
    Start (3/20/2013 8:30:57 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:31:01 AM)

    Repair Directory Association
    Start (3/20/2013 8:31:02 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:31:06 AM)

    Repair Drive Association
    Start (3/20/2013 8:31:06 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:31:11 AM)

    Repair exe Association
    Start (3/20/2013 8:31:11 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:31:16 AM)

    Repair Folder Association
    Start (3/20/2013 8:31:16 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:31:20 AM)

    Repair inf Association
    Start (3/20/2013 8:31:20 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:31:25 AM)

    Repair lnk (Shortcuts) Association
    Start (3/20/2013 8:31:25 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:31:30 AM)

    Repair msc Association
    Start (3/20/2013 8:31:30 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:31:35 AM)

    Repair reg Association
    Start (3/20/2013 8:31:35 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:31:39 AM)

    Repair scr Association
    Start (3/20/2013 8:31:39 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:31:44 AM)

    Repair Windows Safe Mode
    Start (3/20/2013 8:31:44 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:31:49 AM)

    Repair Print Spooler
    Start (3/20/2013 8:31:49 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:32:02 AM)

    Restore Important Windows Services
    Start (3/20/2013 8:32:02 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:32:06 AM)

    Set Windows Services To Default Startup
    Start (3/20/2013 8:32:06 AM)
    Running Repair Under Current User Account
    Running Repair Under System Account
    Done (3/20/2013 8:32:19 AM)

    Cleaning up empty logs...

    All Selected Repairs Done.
    Done (3/20/2013 8:32:19 AM)
    Total Repair Time: 00:11:55


    ...YOU MUST RESTART YOUR SYSTEM...
    Running Repair Under System Account
     
  7. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    How are things now?
     
  8. Kathryn Rowan

    Kathryn Rowan TS Member Topic Starter Posts: 62

    Problem seems to be solved. Any idea what the problem was?
     
  9. Kathryn Rowan

    Kathryn Rowan TS Member Topic Starter Posts: 62

    BTW - I just made a donation. This is the second time you have helped me and I really appreciate it. Sorry I couldn't donate more but we are really tight on money as I do not currently have a job. Thanks for your help!
     
  10. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Good news :)

    ...and thank you.

    I still need Security Check log from your to wrap this topic up.
     
  11. Kathryn Rowan

    Kathryn Rowan TS Member Topic Starter Posts: 62

    Where do I find the Security Check log?
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    Re-read my reply #18.
    You never ran Security Check.
     
  13. Kathryn Rowan

    Kathryn Rowan TS Member Topic Starter Posts: 62

    Here's the report from Security Check. I know I did run it before, I guess the report didn't get posted in my reply.

    Results of screen317's Security Check version 0.99.61
    Windows Vista Service Pack 2 x86 (UAC is enabled)
    Internet Explorer 9
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Microsoft Security Essentials
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Secunia PSI (3.0.0.6001)
    Malwarebytes Anti-Malware version 1.70.0.1100
    CCleaner
    Java 7 Update 17
    Adobe Reader 8 Adobe Reader out of Date!
    Adobe Reader 10.1.6 Adobe Reader out of Date!
    Google Chrome 25.0.1364.152
    Google Chrome 25.0.1364.172
    ````````Process Check: objlist.exe by Laurent````````
    Microsoft Security Essentials MSMpEng.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 6 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````
     
  14. Broni

    Broni Malware Annihilator Posts: 47,048   +256

    [​IMG] Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions (if present).
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
    It's a much smaller file to download and uses a lot less resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.

    =============================

    [​IMG] Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure, Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please, let me know, how your computer is doing.
     
  15. Kathryn Rowan

    Kathryn Rowan TS Member Topic Starter Posts: 62

    Here's the report from the OTL Scan:

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: QBDataServiceUser18
    ->Temp folder emptied: 0 bytes

    User: QBDataServiceUser19
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: QBDataServiceUser20
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Robert
    ->Temp folder emptied: 26767970 bytes
    ->Temporary Internet Files folder emptied: 58901821 bytes
    ->Java cache emptied: 0 bytes
    ->Google Chrome cache emptied: 12587665 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 540594 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 94.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: Public

    User: QBDataServiceUser18

    User: QBDataServiceUser19

    User: QBDataServiceUser20

    User: Robert
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: All Users

    User: Default

    User: Default User

    User: Public

    User: QBDataServiceUser18

    User: QBDataServiceUser19

    User: QBDataServiceUser20

    User: Robert
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point

    OTL by OldTimer - Version 3.2.69.0 log created on 03202013_195459

    Files\Folders moved on Reboot...
    File\Folder C:\Windows\temp\TMP0000003A245FAFFB14583405 not found!

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  16. Kathryn Rowan

    Kathryn Rowan TS Member Topic Starter Posts: 62

    Just wanted to follow up. Our computer seems to be working fine but I am having problems with Secunia PSI. It gets hung up when trying to update some software. Any thoughts on this?
     
  17. Broni

    Broni Malware Annihilator Posts: 47,048   +256



Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.