Inactive Windows Locking Up But Not In Safe Mode

Bob Ung

Posts: 15   +0
Trying to repair my daughters Windows Vista 32-bit machine. Works fine for about 10 minutes then I have to reboot. Works flawlessly while in Safe Mode but not in the normal mode. Here's the data from FRST.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:25-04-2016
Ran by Brittany (administrator) on BRITTANY-DESK (25-04-2016 21:02:38)
Running from C:\Users\Brittany\Desktop
Loaded Profiles: Brittany (Available Profiles: Brittany & Bob)
Platform: Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 7 (Default browser: Chrome)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool:

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [RSAgent] => C:\Program Files\RegServe\RSAgent.exe [478144 2013-02-19] ()
HKLM\...\Run: [RSListener] => C:\Program Files\RegServe\RSListener.exe [164288 2013-02-19] ()
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7021880 2015-12-24] (AVAST Software)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [55264 2016-03-10] (Malwarebytes)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-12-24] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk [2012-06-23]
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SELPHY Photo Print Launcher.lnk [2011-03-27]
ShortcutTarget: SELPHY Photo Print Launcher.lnk -> C:\Program Files\Canon\SELPHY Photo Print\CIC_SPPhelper.exe (Canon Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 71.10.216.1 71.10.216.2
Tcpip\..\Interfaces\{8EA608AC-C829-4EF1-8A4C-C55F6ECF061A}: [DhcpNameServer] 71.10.216.1 71.10.216.2

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-12-24] (AVAST Software)

FireFox:
========
FF ProfilePath: C:\Users\Brittany\AppData\Roaming\Mozilla\Firefox\Profiles\w7k3z7dd.default
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-04-25] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-04-25] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-12-20] [not signed]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-12-25]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2015-12-25]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-04-24]
CHR Extension: (Google Docs) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-24]
CHR Extension: (Google Drive) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-24]
CHR Extension: (YouTube) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-24]
CHR Extension: (Google Search) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-04-24]
CHR Extension: (Google Docs Offline) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-24]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-24]
CHR Extension: (Gmail) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-24]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-12-24]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ATTENTION: => Could not perform signature verification. Cryptographic Service is not running.

S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [226440 2015-12-24] (AVAST Software)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24016 2015-12-24] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [81168 2015-12-24] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [55200 2015-12-24] (AVAST Software)
S0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49776 2015-12-24] (AVAST Software)
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [794952 2015-12-24] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436360 2015-12-24] (AVAST Software)
S3 aswStmXP; C:\Windows\system32\drivers\aswStmXP.sys [165104 2015-12-24] (AVAST Software)
S3 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [58016 2015-12-24] (AVAST Software)
S0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [209432 2015-12-24] (AVAST Software)
S3 DellBIOS; C:\Users\BOB~1.BRI\AppData\Local\Temp\DellBIOS.Sys [5120 2015-12-24] ()
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-25 21:02 - 2016-04-25 21:03 - 00007881 _____ C:\Users\Brittany\Desktop\FRST.txt
2016-04-25 21:02 - 2016-04-25 21:02 - 00000000 ____D C:\FRST
2016-04-25 21:01 - 2016-04-25 21:01 - 01726976 _____ (Farbar) C:\Users\Brittany\Desktop\FRST.exe
2016-04-25 19:58 - 2016-03-10 14:09 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-04-25 19:58 - 2016-03-10 14:08 - 00126336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-04-25 19:58 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-04-25 19:13 - 2016-04-25 19:14 - 02268112 _____ (www.PCFixKit.com ) C:\Users\Brittany\Downloads\PCFixKit_Setup.exe
2016-04-24 20:41 - 2016-04-24 21:02 - 128900376 _____ (Microsoft Corporation) C:\Users\Brittany\Downloads\msert.exe
2016-04-24 13:41 - 2016-04-24 13:41 - 00000000 ____D C:\Users\Brittany\AppData\Roaming\Mozilla
2016-04-24 13:41 - 2016-04-24 13:41 - 00000000 ____D C:\Users\Brittany\AppData\Local\Mozilla
2016-04-24 09:55 - 2016-04-24 09:56 - 00000000 ____D C:\Program Files\GUM906C.tmp
2016-04-24 09:55 - 2016-04-24 09:55 - 06871040 _____ C:\Program Files\GUT906D.tmp
2016-04-24 09:29 - 2016-04-24 09:29 - 00000000 ____D C:\Users\Brittany\AppData\Roaming\AVAST Software

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-25 21:00 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\inf
2016-04-25 21:00 - 2006-11-02 03:33 - 00690960 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-25 20:53 - 2015-12-20 13:49 - 02075168 _____ C:\Windows\ntbtlog.txt
2016-04-25 20:35 - 2015-12-24 22:57 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-25 20:24 - 2015-12-20 19:44 - 00000000 ____D C:\Program Files\Ask.com
2016-04-25 19:58 - 2015-12-20 19:46 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-04-25 19:58 - 2015-03-01 21:05 - 00000901 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-04-25 19:58 - 2015-03-01 21:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-25 06:03 - 2015-12-24 23:49 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-25 06:03 - 2015-12-24 23:49 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-25 05:48 - 2006-11-02 06:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-25 05:48 - 2006-11-02 05:47 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-25 05:48 - 2006-11-02 05:47 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-25 05:46 - 2015-12-20 11:44 - 00000680 _____ C:\Users\Brittany\AppData\Local\d3d9caps.dat
2016-04-24 22:17 - 2007-03-05 19:40 - 00000000 ____D C:\Users\Brittany\AppData\Local\Google
2016-04-24 10:58 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\rescache
2016-04-24 09:28 - 2015-12-20 11:44 - 00000951 _____ C:\Users\Brittany\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-04-24 09:28 - 2015-12-20 11:44 - 00000946 _____ C:\Users\Brittany\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-04-24 09:26 - 2015-12-20 11:44 - 00000917 _____ C:\Users\Brittany\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk

==================== Files in the root of some directories =======

2016-04-24 09:55 - 2016-04-24 09:55 - 6871040 _____ () C:\Program Files\GUT906D.tmp
2015-12-24 23:49 - 2015-12-24 23:49 - 50063360 _____ () C:\Program Files\GUTB2EA.tmp
2007-03-06 21:11 - 2007-03-06 21:11 - 0000000 _____ () C:\Users\Brittany\AppData\Roaming\wklnhst.dat
2015-12-20 11:44 - 2016-04-25 05:46 - 0000680 _____ () C:\Users\Brittany\AppData\Local\d3d9caps.dat
2015-12-20 14:25 - 2015-12-20 14:25 - 0004608 _____ () C:\Users\Brittany\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-07-31 07:36 - 2009-07-31 07:36 - 0000059 _____ () C:\Users\Brittany\AppData\Local\Tempdir
2013-01-25 10:09 - 2013-01-25 10:09 - 0000057 _____ () C:\ProgramData\Ament.ini

Some files in TEMP:
====================
C:\Users\Bob\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpsh1kkw.dll
C:\Users\Bob\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\dnsapi.dll
[2015-12-20 12:00] - [2011-03-02 08:44] - 0168448 ____A (Microsoft Corporation) 85E861D0B88DB2B54ACB0839654C09F7

C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2016-04-25 19:21

==================== End of FRST.txt ============================

Data from Addition.txt
Additional scan result of Farbar Recovery Scan Tool (x86) Version:25-04-2016
Ran by Brittany (2016-04-25 21:03:50)
Running from C:\Users\Brittany\Desktop
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) (2015-12-20 18:32:39)
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4046791381-2655318286-1433333655-500 - Administrator - Disabled)
Bob (S-1-5-21-4046791381-2655318286-1433333655-1001 - Administrator - Enabled) => C:\Users\Bob.Brittany-Desk
Brittany (S-1-5-21-4046791381-2655318286-1433333655-1000 - Administrator - Enabled) => C:\Users\Brittany
Guest (S-1-5-21-4046791381-2655318286-1433333655-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Out of date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Out of date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Avast Free Antivirus (HKLM\...\Avast) (Version: 11.1.2245 - AVAST Software)
Google Chrome (HKLM\...\Google Chrome) (Version: 47.0.2526.106 - Google Inc.)
Google Update Helper (Version: 1.3.21.169 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.29.5 - Google Inc.) Hidden
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: - )
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Mozilla Firefox 43.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 43.0.2 (x86 en-US)) (Version: 43.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 43.0.2.5833 - Mozilla)
RegServe (HKLM\...\RegServe) (Version: 7.1.4.0 - Xionix Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {5E9E10A1-3E23-47AE-986E-52022CDC3908} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-12-24] (AVAST Software)
Task: {D6EE31C2-9B3B-46D2-BE2F-240C17ACAD2E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2016-04-25] (Google Inc.)
Task: {E4EC7179-A425-4CFD-805A-2AE04B47BEB8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2016-04-25] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-04-24 20:45 - 2016-04-08 13:53 - 17532096 _____ () C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\PepperFlash\21.0.0.216\pepflashplayer.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 03:23 - 2006-09-18 14:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4046791381-2655318286-1433333655-1000\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\Wallpaper\img24.jpg
DNS Servers: 71.10.216.1 - 71.10.216.2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 1) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: HotKeysCmds => C:\Windows\system32\hkcmd.exe
MSCONFIG\startupreg: IgfxTray => C:\Windows\system32\igfxtray.exe
MSCONFIG\startupreg: Persistence => C:\Windows\system32\igfxpers.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [{FC645D08-3F11-42D2-8594-3B562A349A2C}] => (Allow) LPort=80
FirewallRules: [{615FE556-1AE8-45C6-9F7A-F602A6FF59E1}] => (Allow) LPort=80
FirewallRules: [{2A579881-6547-44BE-BF76-DB74C0A5BECF}] => (Allow) LPort=80
FirewallRules: [{BE3A6C8E-B7F0-4C53-80DF-A703EB36696B}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{3A8F553A-C0C9-414A-912E-A5813CBBF97B}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{696F11F0-5242-4189-AD3D-3E26F6E15AB3}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

22-12-2015 13:35:49 Windows Update
22-12-2015 13:36:23 Windows Update

==================== Faulty Device Manager Devices =============

Name: WAN Miniport (L2TP)
Description: WAN Miniport (L2TP)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: Rasl2tp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: WAN Miniport (Network Monitor)
Description: WAN Miniport (Network Monitor)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: NdisWan
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: WAN Miniport (IP)
Description: WAN Miniport (IP)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: NdisWan
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: WAN Miniport (IPv6)
Description: WAN Miniport (IPv6)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: NdisWan
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: WAN Miniport (PPPOE)
Description: WAN Miniport (PPPOE)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: RasPppoe
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: WAN Miniport (PPTP)
Description: WAN Miniport (PPTP)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: PptpMiniport
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: WAN Miniport (SSTP)
Description: WAN Miniport (SSTP)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: RasSstp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (04/25/2016 08:55:49 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (04/25/2016 08:55:36 PM) (Source: profsvc) (EventID: 1542) (User: NT AUTHORITY)
Description: Windows cannot load classes registry file.
DETAIL - The system cannot find the file specified.

Error: (04/25/2016 08:55:06 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/25/2016 07:07:14 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/25/2016 07:06:28 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (04/25/2016 07:06:14 PM) (Source: profsvc) (EventID: 1542) (User: NT AUTHORITY)
Description: Windows cannot load classes registry file.
DETAIL - The system cannot find the file specified.

Error: (04/25/2016 05:49:59 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/25/2016 05:49:38 AM) (Source: profsvc) (EventID: 1542) (User: NT AUTHORITY)
Description: Windows cannot load classes registry file.
DETAIL - The system cannot find the file specified.

Error: (04/25/2016 05:48:27 AM) (Source: profsvc) (EventID: 1542) (User: NT AUTHORITY)
Description: Windows cannot load classes registry file.
DETAIL - The system cannot find the file specified.

Error: (04/24/2016 01:35:35 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (04/25/2016 08:59:43 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068COMSysApp{ECABAFBC-7F19-11D2-978E-0000F8757E2A}

Error: (04/25/2016 08:59:37 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068COMSysApp{182C40F0-32E4-11D0-818B-00A0C9231C29}

Error: (04/25/2016 08:57:30 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B68-F52A-11D8-B9A5-505054503030}

Error: (04/25/2016 08:56:10 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (04/25/2016 08:56:08 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (04/25/2016 08:55:58 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (04/25/2016 08:55:49 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (04/25/2016 08:55:38 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (04/25/2016 08:55:07 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: aswRvrt
aswSnx
aswSP
aswVmm
spldr
Wanarpv6

Error: (04/25/2016 08:55:07 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Computer BrowserServer%%1068


CodeIntegrity:
===================================
Date: 2016-04-25 21:03:40.996
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-25 21:03:40.918
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-25 21:03:40.809
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-25 21:03:40.705
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-25 21:03:40.425
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-25 21:03:40.331
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-25 21:03:40.239
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-25 21:03:40.146
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-25 20:45:22.900
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-25 20:45:22.822
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel(R) Pentium(R) D CPU 2.80GHz
Percentage of memory in use: 28%
Total physical RAM: 3061.02 MB
Available physical RAM: 2185.86 MB
Total Virtual: 6961.34 MB
Available Virtual: 6259.69 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:138.96 GB) (Free:12.75 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:6 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 149 GB) (Disk ID: 18000000)
Partition 1: (Not Active) - (Size=47 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=139 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
 
Welcome aboard

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=====================================

redtarget.gif
Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2
  • Close all the running programs
  • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again
redtarget.gif
Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.
  • Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
If you already have MBAM 2.0 installed:
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
How to get logs:
(Export log to save as txt)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
(Copy to clipboard for pasting into forum replies or tickets)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.
redtarget.gif
Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
redtarget.gif
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
 
RogueKiller.exe won't run even after trying to rename it winlogon.exe or winlogon.com
I had to boot up in safe mode otherwise the computer will lock up after a couple of minutes. Tried once using normal boot up and RogueKiller started but the computer locked up after a couple of minutes.
 
Disregard my last message. I just opened a command prompt window (as administrator) and ran RogueKiller.exe from the command prompt. It's running right now. I may have to do the same with Malwarebytes, adwcleaner, and junkware removal tool.
 
RogueKiller data:
RogueKiller V12.1.4.0 [Apr 25 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Safe mode with network support
User : Brittany [Administrator]
Started from : C:\Users\Brittany\Desktop\RogueKiller.exe
Mode : Delete -- Date : 04/26/2016 22:40:52

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[Hj.RegVal] HKEY_LOCAL_MACHINE\RK_Software_ON_D_D6F4\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell : cmd.exe /k start cmd.exe -> Replaced (explorer.exe)
[PUM.Proxy] HKEY_LOCAL_MACHINE\RK_System_ON_D_6D58\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD1600JS-75NCB3 +++++
--- User ---
[MBR] 944873152e737d60d854354f2bb4195d
[BSP] 162060bb474056eae6dde76395768ebf : HP MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 98304 | Size: 10240 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 21069824 | Size: 142298 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: TEAC USB HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: TEAC USB HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: TEAC USB HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: TEAC USB HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
Malwarebytes data:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/26/2016
Scan Time: 10:44:12 PM
Logfile: MBAM
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.04.27.01
Rootkit Database: v2016.04.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Brittany

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 372716
Time Elapsed: 14 min, 51 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
 
AdwCleaner data:
# AdwCleaner v5.113 - Logfile created 27/04/2016 at 05:42:52
# Updated 24/04/2016 by Xplode
# Database : 2016-04-24.3 [Server]
# Operating system : Windows Vista (TM) Home Premium Service Pack 2 (X86)
# Username : Brittany - BRITTANY-DESK
# Running from : C:\Users\Brittany\Desktop\adwcleaner_5.113.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\Program Files\Yahoo!\Companion
Folder Found : C:\Users\Brittany\AppData\Local\VirtualStore\Program Files\Yahoo!\Companion
Folder Found : C:\Users\Brittany\AppData\Roaming\iWin
Folder Found : C:\Users\Brittany\AppData\Roaming\Yahoo!\Companion
Folder Found : C:\Users\Brittany\AppData\Roaming\Pogo Games

***** [ Files ] *****

File Found : C:\Program Files\Yahoo!\Common\unyt.exe

***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [1018 bytes] - [27/04/2016 05:42:52]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1091 bytes] ##########
 
Junkware Removal Tool data
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.5 (04.20.2016)
Operating System: Windows Vista (TM) Home Premium x86
Ran by Brittany (Limited) on Wed 04/27/2016 at 5:20:47.61
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 19

Successfully deleted: C:\ProgramData\ask (Folder)
Successfully deleted: C:\ProgramData\Start Menu\Programs\coupons (Folder)
Successfully deleted: C:\Users\Brittany\Appdata\LocalLow\bfgbar (Folder)
Successfully deleted: C:\Users\Brittany\Appdata\LocalLow\pagerage (Folder)
Successfully deleted: \Microsoft\Windows\Temporary Internet Files\Content.IE5\AM7AYJTR (Temporary Internet Files Folder)
Successfully deleted: \Microsoft\Windows\Temporary Internet Files\Content.IE5\ED5PYEPW (Temporary Internet Files Folder)
Successfully deleted: \Microsoft\Windows\Temporary Internet Files\Content.IE5\KW91G1QL (Temporary Internet Files Folder)
Successfully deleted: \Microsoft\Windows\Temporary Internet Files\Content.IE5\OLV0J33Z (Temporary Internet Files Folder)
Successfully deleted: C:\Program Files\ask.com (Folder)
Successfully deleted: C:\Program Files\coupons (Folder)
Successfully deleted: C:\Program Files\GUT906D.tmp (File)
Successfully deleted: C:\Program Files\GUTB2EA.tmp (File)
Successfully deleted: C:\Program Files\pagerage (Folder)
Successfully deleted: C:\Program Files\selectrebates (Folder)
Successfully deleted: C:\Program Files\trymedia (Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AM7AYJTR (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ED5PYEPW (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KW91G1QL (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OLV0J33Z (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 04/27/2016 at 5:22:43.89
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error Illegal operation attempted on a registery key that has been marked for deletion, restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Windows Vista, 7 or 8 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
Combofix.txt data:
ComboFix 16-04-22.01 - Brittany 04/27/2016 19:03:29.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3061.2524 [GMT -7:00]
Running from: c:\users\Brittany\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Outdated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Enabled/Outdated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2016-03-28 to 2016-04-28 )))))))))))))))))))))))))))))))
.
.
2016-04-28 02:11 . 2016-04-28 02:11 -------- d-----w- c:\users\Brittany\AppData\Local\temp
2016-04-27 12:41 . 2016-04-27 12:42 -------- d-----w- C:\AdwCleaner
2016-04-27 05:25 . 2016-04-27 05:27 -------- d-----w- c:\program files\roguekiller
2016-04-27 04:44 . 2016-04-27 05:31 24688 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2016-04-27 04:42 . 2016-04-27 05:41 -------- d-----w- c:\programdata\RogueKiller
2016-04-27 04:36 . 2016-04-27 04:36 -------- d-----w- C:\found.037
2016-04-26 04:02 . 2016-04-26 04:04 -------- d-----w- C:\FRST
2016-04-26 02:58 . 2016-03-10 21:09 53120 ----a-w- c:\windows\system32\drivers\mwac.sys
2016-04-26 02:58 . 2016-03-10 21:08 126336 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2016-04-26 02:58 . 2016-03-10 21:08 24448 ----a-w- c:\windows\system32\drivers\mbam.sys
2016-04-24 20:41 . 2016-04-24 20:41 -------- d-----w- c:\users\Brittany\AppData\Local\Mozilla
2016-04-24 16:55 . 2016-04-24 16:56 -------- d-----w- c:\program files\GUM906C.tmp
2016-04-24 16:29 . 2016-04-24 16:29 -------- d-----w- c:\users\Brittany\AppData\Roaming\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-04-27 12:18 . 2015-12-25 05:57 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2015-12-25 06:29 750216 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSListener"="c:\program files\RegServe\RSListener.exe" [2013-02-19 164288]
"RSAgent"="c:\program files\RegServe\RSAgent.exe" [2013-02-19 478144]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-12-25 7021880]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2015-12-20 113664]
SELPHY Photo Print Launcher.lnk - c:\program files\Canon\SELPHY Photo Print\CIC_SPPhelper.exe [2015-12-20 135168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-12-25 08:27 1000264 ----a-w- c:\program files\Google\Chrome\Application\47.0.2526.106\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2016-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 12:54]
.
2016-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 12:54]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 71.10.216.1 71.10.216.2
FF - ProfilePath -
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2016-04-27 19:11
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2016-04-27 19:14:11
ComboFix-quarantined-files.txt 2016-04-28 02:13
.
Pre-Run: 12,193,501,184 bytes free
Post-Run: 12,225,486,848 bytes free
.
- - End Of File - - A4F079FDEDFED3E73CD0051F632E1A26
5C616939100B85E558DA92B899A0FC36
 
Re-run Farbar Recovery Scan Tool (FRST/FRST64) you ran at the very beginning of this topic.

  • Double click to run it.
  • Make sure you checkmark Addition.txt box.
  • Press Scan button.
  • Scan will create two logs, FRST.txt and Addition.txt in the same directory the tool is run. Please copy and paste them to your reply.
 
FRST.txt
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:25-04-2016
Ran by Brittany (administrator) on BRITTANY-DESK (27-04-2016 20:24:50)
Running from C:\Users\Brittany\Desktop
Loaded Profiles: Brittany (Available Profiles: Brittany & Bob)
Platform: Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 7 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool:

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RSListener] => C:\Program Files\RegServe\RSListener.exe [164288 2013-02-19] ()
HKLM\...\Run: [RSAgent] => C:\Program Files\RegServe\RSAgent.exe [478144 2013-02-19] ()
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7021880 2015-12-24] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll [2015-12-24] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk [2012-06-23]
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SELPHY Photo Print Launcher.lnk [2011-03-27]
ShortcutTarget: SELPHY Photo Print Launcher.lnk -> C:\Program Files\Canon\SELPHY Photo Print\CIC_SPPhelper.exe (Canon Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 71.10.216.1 71.10.216.2
Tcpip\..\Interfaces\{8EA608AC-C829-4EF1-8A4C-C55F6ECF061A}: [DhcpNameServer] 71.10.216.1 71.10.216.2

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4046791381-2655318286-1433333655-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-4046791381-2655318286-1433333655-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-12-24] (AVAST Software)

FireFox:
========
FF ProfilePath: C:\Users\Brittany\AppData\Roaming\Mozilla\Firefox\Profiles\w7k3z7dd.default
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-04-25] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-04-25] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-12-20] [not signed]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-12-25]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2015-12-25]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Profile: C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-04-24]
CHR Extension: (Google Docs) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-24]
CHR Extension: (Google Drive) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-24]
CHR Extension: (YouTube) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-24]
CHR Extension: (Google Search) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-04-24]
CHR Extension: (Google Docs Offline) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-24]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-24]
CHR Extension: (Gmail) - C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-24]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-12-24]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [226440 2015-12-24] (AVAST Software)
R3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24016 2015-12-24] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [81168 2015-12-24] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [55200 2015-12-24] (AVAST Software)
S0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49776 2015-12-24] (AVAST Software)
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [794952 2015-12-24] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436360 2015-12-24] (AVAST Software)
S3 aswStmXP; C:\Windows\system32\drivers\aswStmXP.sys [165104 2015-12-24] (AVAST Software)
S3 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [58016 2015-12-24] (AVAST Software)
S0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [209432 2015-12-24] (AVAST Software)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [24688 2016-04-26] ()
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
U3 catchme; \??\C:\Users\Brittany\AppData\Local\Temp\catchme.sys [X]
S3 DellBIOS; \??\C:\Users\BOB~1.BRI\AppData\Local\Temp\DellBIOS.Sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
U3 mbr; \??\C:\ComboFix\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-27 19:14 - 2016-04-27 19:14 - 00005056 _____ C:\ComboFix.txt
2016-04-27 18:59 - 2011-06-25 23:45 - 00256000 _____ C:\Windows\PEV.exe
2016-04-27 18:59 - 2010-11-07 10:20 - 00208896 _____ C:\Windows\MBR.exe
2016-04-27 18:59 - 2009-04-19 21:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2016-04-27 18:59 - 2000-08-30 17:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2016-04-27 18:59 - 2000-08-30 17:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2016-04-27 18:59 - 2000-08-30 17:00 - 00098816 _____ C:\Windows\sed.exe
2016-04-27 18:59 - 2000-08-30 17:00 - 00080412 _____ C:\Windows\grep.exe
2016-04-27 18:59 - 2000-08-30 17:00 - 00068096 _____ C:\Windows\zip.exe
2016-04-27 18:58 - 2016-04-27 19:14 - 00000000 ____D C:\Qoobox
2016-04-27 18:58 - 2016-04-27 19:12 - 00000000 ____D C:\Windows\erdnt
2016-04-27 18:57 - 2016-04-27 18:56 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Brittany\Desktop\iExplore.exe
2016-04-27 18:56 - 2016-04-27 18:56 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Brittany\Downloads\iExplore.exe
2016-04-27 18:52 - 2016-04-27 18:52 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Brittany\Desktop\rkill.exe
2016-04-27 18:49 - 2016-04-27 18:50 - 05660058 ____R (Swearware) C:\Users\Brittany\Desktop\ComboFix.exe
2016-04-27 05:46 - 2016-04-27 05:46 - 00001170 _____ C:\Users\Brittany\Desktop\AdwCleaner[S1].txt
2016-04-27 05:41 - 2016-04-27 05:42 - 00000000 ____D C:\AdwCleaner
2016-04-27 05:22 - 2016-04-27 05:22 - 00002467 _____ C:\Users\Brittany\Desktop\JRT.txt
2016-04-27 05:19 - 2016-04-27 05:19 - 00001056 _____ C:\Users\Brittany\Desktop\MBAM
2016-04-26 22:41 - 2016-04-26 22:41 - 00004928 _____ C:\Users\Brittany\Desktop\rkreport.txt
2016-04-26 22:25 - 2016-04-26 22:27 - 00000000 ____D C:\Program Files\roguekiller
2016-04-26 21:44 - 2016-04-26 22:31 - 00024688 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-04-26 21:42 - 2016-04-26 22:41 - 00000000 ____D C:\ProgramData\RogueKiller
2016-04-26 21:36 - 2016-04-26 21:36 - 00000000 ____D C:\found.037
2016-04-26 21:05 - 2016-04-26 21:10 - 03580480 _____ C:\Users\Brittany\Desktop\adwcleaner_5.113.exe
2016-04-26 21:05 - 2016-04-26 21:06 - 01610008 _____ (Malwarebytes) C:\Users\Brittany\Desktop\JRT.exe
2016-04-26 20:40 - 2016-04-26 20:40 - 00526252 _____ C:\Users\Brittany\Desktop\Windows Locking Up But Not In Safe Mode - TechSpot Forums.pdf
2016-04-26 20:37 - 2016-04-26 22:21 - 19766856 _____ C:\Users\Brittany\Desktop\RogueKiller.exe
2016-04-25 21:03 - 2016-04-25 21:04 - 00017025 _____ C:\Users\Brittany\Desktop\Addition.txt
2016-04-25 21:02 - 2016-04-27 20:24 - 00008462 _____ C:\Users\Brittany\Desktop\FRST.txt
2016-04-25 21:02 - 2016-04-27 20:24 - 00000000 ____D C:\FRST
2016-04-25 21:01 - 2016-04-25 21:01 - 01726976 _____ (Farbar) C:\Users\Brittany\Desktop\FRST.exe
2016-04-25 19:58 - 2016-03-10 14:09 - 00053120 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-04-25 19:58 - 2016-03-10 14:08 - 00126336 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-04-25 19:58 - 2016-03-10 14:08 - 00024448 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-04-25 19:13 - 2016-04-25 19:14 - 02268112 _____ (www.PCFixKit.com ) C:\Users\Brittany\Downloads\PCFixKit_Setup.exe
2016-04-24 20:41 - 2016-04-24 21:02 - 128900376 _____ (Microsoft Corporation) C:\Users\Brittany\Downloads\msert.exe
2016-04-24 13:41 - 2016-04-24 13:41 - 00000000 ____D C:\Users\Brittany\AppData\Roaming\Mozilla
2016-04-24 13:41 - 2016-04-24 13:41 - 00000000 ____D C:\Users\Brittany\AppData\Local\Mozilla
2016-04-24 09:55 - 2016-04-24 09:56 - 00000000 ____D C:\Program Files\GUM906C.tmp
2016-04-24 09:29 - 2016-04-24 09:29 - 00000000 ____D C:\Users\Brittany\AppData\Roaming\AVAST Software

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-27 19:14 - 2015-12-20 13:49 - 02269480 _____ C:\Windows\ntbtlog.txt
2016-04-27 19:11 - 2006-11-02 03:23 - 00000215 _____ C:\Windows\system.ini
2016-04-27 06:41 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\inf
2016-04-27 06:41 - 2006-11-02 03:33 - 00690960 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-27 06:25 - 2006-11-02 06:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-27 06:25 - 2006-11-02 05:47 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-27 06:25 - 2006-11-02 05:47 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-27 05:18 - 2015-12-24 22:57 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-04-26 21:52 - 2015-12-22 18:13 - 00000000 ____D C:\Windows\pss
2016-04-26 21:23 - 2015-12-24 23:49 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-26 21:23 - 2015-12-24 23:49 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-25 19:58 - 2015-12-20 19:46 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2016-04-25 19:58 - 2015-03-01 21:05 - 00000901 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-04-25 19:58 - 2015-03-01 21:05 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-04-25 05:46 - 2015-12-20 11:44 - 00000680 _____ C:\Users\Brittany\AppData\Local\d3d9caps.dat
2016-04-24 22:17 - 2007-03-05 19:40 - 00000000 ____D C:\Users\Brittany\AppData\Local\Google
2016-04-24 10:58 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\rescache
2016-04-24 09:28 - 2015-12-20 11:44 - 00000951 _____ C:\Users\Brittany\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-04-24 09:28 - 2015-12-20 11:44 - 00000946 _____ C:\Users\Brittany\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-04-24 09:26 - 2015-12-20 11:44 - 00000917 _____ C:\Users\Brittany\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Mail.lnk

==================== Files in the root of some directories =======

2007-03-06 21:11 - 2007-03-06 21:11 - 0000000 _____ () C:\Users\Brittany\AppData\Roaming\wklnhst.dat
2015-12-20 11:44 - 2016-04-25 05:46 - 0000680 _____ () C:\Users\Brittany\AppData\Local\d3d9caps.dat
2015-12-20 14:25 - 2015-12-20 14:25 - 0004608 _____ () C:\Users\Brittany\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-07-31 07:36 - 2009-07-31 07:36 - 0000059 _____ () C:\Users\Brittany\AppData\Local\Tempdir
2013-01-25 10:09 - 2013-01-25 10:09 - 0000057 _____ () C:\ProgramData\Ament.ini

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-27 18:54

==================== End of FRST.txt ============================
 
Addition.txt
Additional scan result of Farbar Recovery Scan Tool (x86) Version:25-04-2016
Ran by Brittany (2016-04-27 20:25:23)
Running from C:\Users\Brittany\Desktop
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) (2015-12-20 18:32:39)
Boot Mode: Safe Mode (with Networking)
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4046791381-2655318286-1433333655-500 - Administrator - Disabled)
Bob (S-1-5-21-4046791381-2655318286-1433333655-1001 - Administrator - Enabled) => C:\Users\Bob.Brittany-Desk
Brittany (S-1-5-21-4046791381-2655318286-1433333655-1000 - Administrator - Enabled) => C:\Users\Brittany
Guest (S-1-5-21-4046791381-2655318286-1433333655-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Out of date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Out of date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Avast Free Antivirus (HKLM\...\Avast) (Version: 11.1.2245 - AVAST Software)
Google Chrome (HKLM\...\Google Chrome) (Version: 47.0.2526.106 - Google Inc.)
Google Update Helper (Version: 1.3.21.169 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.29.5 - Google Inc.) Hidden
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: - )
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Mozilla Firefox 43.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 43.0.2 (x86 en-US)) (Version: 43.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 43.0.2.5833 - Mozilla)
RegServe (HKLM\...\RegServe) (Version: 7.1.4.0 - Xionix Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {2464E550-ADE1-4725-9C90-B03E4325A4F0} - Access Denied.
Task: {5E9E10A1-3E23-47AE-986E-52022CDC3908} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-12-24] (AVAST Software)
Task: {D6EE31C2-9B3B-46D2-BE2F-240C17ACAD2E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2016-04-25] (Google Inc.)
Task: {E4EC7179-A425-4CFD-805A-2AE04B47BEB8} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2016-04-25] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-04-24 20:45 - 2016-04-08 13:53 - 17532096 _____ () C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\PepperFlash\21.0.0.216\pepflashplayer.dll
2016-04-24 21:00 - 2014-02-10 13:44 - 04592128 _____ () C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libglesv2.dll
2016-04-24 21:00 - 2014-02-10 13:44 - 00112128 _____ () C:\Users\Brittany\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libegl.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 03:23 - 2016-04-27 19:11 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4046791381-2655318286-1433333655-1000\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\Wallpaper\img24.jpg
DNS Servers: 71.10.216.1 - 71.10.216.2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 1) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [{FC645D08-3F11-42D2-8594-3B562A349A2C}] => (Allow) LPort=80
FirewallRules: [{615FE556-1AE8-45C6-9F7A-F602A6FF59E1}] => (Allow) LPort=80
FirewallRules: [{2A579881-6547-44BE-BF76-DB74C0A5BECF}] => (Allow) LPort=80
FirewallRules: [{BE3A6C8E-B7F0-4C53-80DF-A703EB36696B}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{3A8F553A-C0C9-414A-912E-A5813CBBF97B}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{696F11F0-5242-4189-AD3D-3E26F6E15AB3}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

22-12-2015 13:35:49 Windows Update
22-12-2015 13:36:23 Windows Update

==================== Faulty Device Manager Devices =============

Name: WAN Miniport (L2TP)
Description: WAN Miniport (L2TP)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: Rasl2tp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: WAN Miniport (Network Monitor)
Description: WAN Miniport (Network Monitor)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: NdisWan
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: WAN Miniport (IP)
Description: WAN Miniport (IP)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: NdisWan
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: WAN Miniport (IPv6)
Description: WAN Miniport (IPv6)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: NdisWan
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: WAN Miniport (PPPOE)
Description: WAN Miniport (PPPOE)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: RasPppoe
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: WAN Miniport (PPTP)
Description: WAN Miniport (PPTP)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: PptpMiniport
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: WAN Miniport (SSTP)
Description: WAN Miniport (SSTP)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: RasSstp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (04/27/2016 07:21:44 PM) (Source: profsvc) (EventID: 1542) (User: NT AUTHORITY)
Description: Windows cannot load classes registry file.
DETAIL - The system cannot find the file specified.

Error: (04/27/2016 07:14:20 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (04/27/2016 07:00:11 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point on volume (Process = C:\Windows\system32\wbem\wmiprvse.exe; Descripton = ComboFix created restore point; Hr = 0x8007043c).

Error: (04/27/2016 06:38:07 AM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (04/27/2016 06:37:51 AM) (Source: profsvc) (EventID: 1542) (User: NT AUTHORITY)
Description: Windows cannot load classes registry file.
DETAIL - The system cannot find the file specified.

Error: (04/27/2016 06:36:35 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/27/2016 06:28:17 AM) (Source: profsvc) (EventID: 1542) (User: NT AUTHORITY)
Description: Windows cannot load classes registry file.
DETAIL - The system cannot find the file specified.

Error: (04/27/2016 06:26:20 AM) (Source: profsvc) (EventID: 1542) (User: NT AUTHORITY)
Description: Windows cannot load classes registry file.
DETAIL - The system cannot find the file specified.

Error: (04/27/2016 06:25:58 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/27/2016 06:25:05 AM) (Source: profsvc) (EventID: 1542) (User: NT AUTHORITY)
Description: Windows cannot load classes registry file.
DETAIL - The system cannot find the file specified.


System errors:
=============
Error: (04/27/2016 07:11:41 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: PEVSystemStart

Error: (04/27/2016 07:08:27 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: PEVSystemStart

Error: (04/27/2016 07:02:53 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: PEVSystemStart

Error: (04/27/2016 06:38:25 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (04/27/2016 06:38:24 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (04/27/2016 06:38:14 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (04/27/2016 06:38:07 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (04/27/2016 06:37:53 AM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (04/27/2016 06:36:35 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: aswRvrt
aswSnx
aswSP
aswVmm
spldr
Wanarpv6

Error: (04/27/2016 06:36:35 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Computer BrowserServer%%1068


CodeIntegrity:
===================================
Date: 2016-04-27 20:25:17.117
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-27 20:25:17.029
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-27 20:25:16.942
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-27 20:25:16.853
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-27 20:25:16.595
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-27 20:25:16.510
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-27 20:25:16.425
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-27 20:25:16.341
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-27 19:04:35.007
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

Date: 2016-04-27 19:04:34.929
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel(R) Pentium(R) D CPU 2.80GHz
Percentage of memory in use: 32%
Total physical RAM: 3061.02 MB
Available physical RAM: 2054.51 MB
Total Virtual: 6963.3 MB
Available Virtual: 6203.71 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:138.96 GB) (Free:11.41 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:6 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 149 GB) (Disk ID: 18000000)
Partition 1: (Not Active) - (Size=47 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=139 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
 
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST(FRST64) and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
 

Attachments

  • fixlist.txt
    973 bytes · Views: 1
Fix result of Farbar Recovery Scan Tool (x86) Version:25-04-2016
Ran by Brittany (2016-04-27 20:52:29) Run:1
Running from C:\Users\Brittany\Desktop
Loaded Profiles: Brittany (Available Profiles: Brittany & Bob)
Boot Mode: Safe Mode (with Networking)

==============================================

fixlist content:
*****************
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4046791381-2655318286-1433333655-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S3 DellBIOS; \??\C:\Users\BOB~1.BRI\AppData\Local\Temp\DellBIOS.Sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
U3 mbr; \??\C:\ComboFix\mbr.sys [X]
2007-03-06 21:11 - 2007-03-06 21:11 - 0000000 _____ () C:\Users\Brittany\AppData\Roaming\wklnhst.dat
2015-12-20 11:44 - 2016-04-25 05:46 - 0000680 _____ () C:\Users\Brittany\AppData\Local\d3d9caps.dat
2015-12-20 14:25 - 2015-12-20 14:25 - 0004608 _____ () C:\Users\Brittany\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2009-07-31 07:36 - 2009-07-31 07:36 - 0000059 _____ () C:\Users\Brittany\AppData\Local\Tempdir
2013-01-25 10:09 - 2013-01-25 10:09 - 0000057 _____ () C:\ProgramData\Ament.ini

*****************

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-4046791381-2655318286-1433333655-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
DellBIOS => service removed successfully.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
mbr => service removed successfully.
C:\Users\Brittany\AppData\Roaming\wklnhst.dat => moved successfully
C:\Users\Brittany\AppData\Local\d3d9caps.dat => moved successfully
C:\Users\Brittany\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully
C:\Users\Brittany\AppData\Local\Tempdir => moved successfully
C:\ProgramData\Ament.ini => moved successfully

==== End of Fixlog 20:52:29 ====
 
Go Start>Run (Start Search in Vista/7), type in:
msconfig
Click OK (hit Enter in Vista/7).
Windows 8/8.1 users. Press Windows logo key
aa922834-ed43-40f1-8830-d5507badb56c_91.jpg
and start typing the following:
msconfig
Press Enter.

Click on Startup tab.
Click Disable all
IMPORTANT! In case of laptop, make sure, you do NOT disable any keyboard, or touchpad entries.

Click Services tab.
Put checkmark in Hide all Microsoft services
Click Disable all.

Click OK.
Restart computer in Normal Mode.

NOTE. If you use different firewall, than Windows firewall, turn Windows firewall on, just for this test, since your regular firewall won't be running.
If you use Windows firewall, you're fine.

Same problem?
 
Go back to "msconfig" a nd re-nable all items you just disabled.

Download Windows Repair (All in One) from this site

Install the program then run it.

NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
NOTE 2. Disable your antivirus program before running Windows Repair.


Go to Step 3 and click on Check button next to 1. See If Check Disk Is Needed.
If the tool that the Check Disk is needed click on Do It button next to 2. Check Disk.
In that case make sure you restart computer.

p22012121.gif



Once the above is done go to Step 4 and allow it to run System File Check by clicking on Do It button:

p22012122.gif



Go to Step 5 and under "System Restore" click on Create button:

p22012123.gif



Go to Repairs tab and click Open Repairs button.

p22012124.gif


In next window....
Leave all checkmarks as they're.
Click on Start Repairs button.

p22012126.gif


Post Windows Repair log which is located in the following folder:
64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
32-bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs
 
The Windows Repair Log is below. However when I looked in some of the individual repair logs where it said it deleted some files (e.g. *.mof files), the files are still there, even after a reboot as instructed.

Tweaking.com - Windows Repair v3.8.7
--------------------------------------------------------------------------------

System Variables
--------------------------------------------------------------------------------
OS: Windows Vista (TM) Home Premium
OS Architecture: 32-bit
OS Version: 6.0.6002
OS Service Pack: Service Pack 2
Computer Name: BRITTANY-DESK
Windows Drive: C:\
Windows Path: C:\Windows
Program Files: C:\Program Files
Current Profile: C:\Users\Brittany
Current Profile SID: S-1-5-21-4046791381-2655318286-1433333655-1000
Current Profile Classes: S-1-5-21-4046791381-2655318286-1433333655-1000_Classes
Profiles Location: C:\Users
Profiles Location 2: C:\Windows\ServiceProfiles
Local Settings AppData: C:\Users\Brittany\AppData\Local
--------------------------------------------------------------------------------

System Information
--------------------------------------------------------------------------------
System Up Time: 0 Days 00:18:20

Process Count: 24
Commit Total: 410.48 MB
Commit Limit: 6.80 GB
Commit Peak: 417.31 MB
Handle Count: 6496
Kernel Total: 72.79 MB
Kernel Paged: 41.46 MB
Kernel Non Paged: 31.32 MB
System Cache: 350.98 MB
Thread Count: 287
--------------------------------------------------------------------------------

Memory Before Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 2.99 GB
Memory Used: 561.64 MB(18.3482%)
Memory Avail.: 2.44 GB
--------------------------------------------------------------------------------

Cleaning Memory Before Starting Repairs...

Memory After Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 2.99 GB
Memory Used: 436.70 MB(14.2666%)
Memory Avail.: 2.56 GB
--------------------------------------------------------------------------------

Starting Repairs...
Started at (4/30/2016 7:08:29 PM)

Setting Any Missing 'InstallDate' From Uninstall Sections Before Running Repair...
Total Missing 'InstallDate' Fixed: 0

01 - Reset Registry Permissions 01/02
HKEY_CURRENT_USER & Sub Keys
Start (4/30/2016 7:08:30 PM)

Running Repair Under Current User Account
Done (4/30/2016 7:08:32 PM)

01 - Reset Registry Permissions 02/02
HKEY_LOCAL_MACHINE & Sub Keys
Start (4/30/2016 7:08:33 PM)

Running Repair Under System Account
Done (4/30/2016 7:12:05 PM)

Reset File Permissions: C:
C: & Sub Folders
Start (4/30/2016 7:12:05 PM)

Running Repair Under Current User Account
Done (4/30/2016 7:58:49 PM)

Reset File Permissions: All Profiles
C:\Users & Sub Folders
Start (4/30/2016 7:58:49 PM)

Running Repair Under Current User Account
Done (4/30/2016 8:03:28 PM)

Reset File Permissions: Current Profile
C:\Users\Brittany & Sub Folders
Start (4/30/2016 8:03:28 PM)

Running Repair Under Current User Account
Done (4/30/2016 8:05:48 PM)

Reset File Permissions: Cleanup
Repairing Restricted Folders Permissions To Avoid Infinite Loops
Start (4/30/2016 8:05:48 PM)

Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:05:50 PM)

03 - Reset Service Permissions
Start (4/30/2016 8:05:50 PM)

Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:06:11 PM)

04 - Register System Files
Start (4/30/2016 8:06:11 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:06:41 PM)

05 - Repair WMI
Start (4/30/2016 8:06:41 PM)

Starting Security Center So We Can Export The Security Info.

Exporting Antivirus Info...
No Antivirus Products Reported.

Exporting AntiSpyware Info...
Windows Defender Exported.
avast! Antivirus Exported.

Exporting 3rd Party Firewall Info...
No Firewall Products Reported.

Running Repair Under Current User Account
Done (4/30/2016 8:10:30 PM)

06 - Repair Windows Firewall
Start (4/30/2016 8:10:30 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:10:59 PM)

07 - Repair Internet Explorer
Start (4/30/2016 8:10:59 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:11:11 PM)

08 - Repair MDAC/MS Jet
Start (4/30/2016 8:11:11 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:11:19 PM)

09 - Repair Hosts File
Start (4/30/2016 8:11:19 PM)
Running Repair Under System Account
Done (4/30/2016 8:11:20 PM)

10 - Remove Policies Set By Infections
Start (4/30/2016 8:11:20 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:11:26 PM)

11 - Repair Start Menu Icons Removed By Infections
Start (4/30/2016 8:11:26 PM)
Running Repair Under System Account
Done (4/30/2016 8:11:27 PM)

12 - Repair Icons
Start (4/30/2016 8:11:27 PM)
Running Repair Under Current User Account
Done (4/30/2016 8:11:28 PM)

13 - Repair Network
Start (4/30/2016 8:11:28 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:11:42 PM)

14 - Remove Temp Files
Start (4/30/2016 8:11:42 PM)
Running Repair Under System Account
Done (4/30/2016 8:11:43 PM)

15 - Repair Proxy Settings
Start (4/30/2016 8:11:44 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:11:46 PM)

17 - Repair Windows Updates
Start (4/30/2016 8:11:46 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Setting Windows Updates Files That Are In Use To Be Removed At Next Boot.
Done (4/30/2016 8:12:05 PM)

18 - Repair CD/DVD Missing/Not Working
Start (4/30/2016 8:12:05 PM)
iTunes or GEARAspiWDM.sys not found, not applying UpperFilters iTunes Reg Key
Done (4/30/2016 8:12:05 PM)

19 - Repair Volume Shadow Copy Service
Start (4/30/2016 8:12:05 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:12:25 PM)

20 - Repair Windows Sidebar/Gadgets
Start (4/30/2016 8:12:25 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:12:27 PM)

21 - Repair MSI (Windows Installer)
Start (4/30/2016 8:12:27 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:12:38 PM)

22 - Repair Windows Snipping Tool
Start (4/30/2016 8:12:38 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:12:40 PM)

23.01 - Repair bat Association
Start (4/30/2016 8:12:40 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:12:42 PM)

23.02 - Repair cmd Association
Start (4/30/2016 8:12:43 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:12:45 PM)

23.03 - Repair com Association
Start (4/30/2016 8:12:45 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:12:47 PM)

23.04 - Repair Directory Association
Start (4/30/2016 8:12:47 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:12:49 PM)

23.05 - Repair Drive Association
Start (4/30/2016 8:12:49 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:12:51 PM)

23.06 - Repair exe Association
Start (4/30/2016 8:12:51 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:12:53 PM)

23.07 - Repair Folder Association
Start (4/30/2016 8:12:53 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:12:56 PM)

23.08 - Repair inf Association
Start (4/30/2016 8:12:56 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:12:58 PM)

23.09 - Repair lnk (Shortcuts) Association
Start (4/30/2016 8:12:58 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:13:00 PM)

23.10 - Repair msc Association
Start (4/30/2016 8:13:00 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:13:02 PM)

23.11 - Repair reg Association
Start (4/30/2016 8:13:02 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:13:04 PM)

23.12 - Repair scr Association
Start (4/30/2016 8:13:04 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:13:07 PM)

24 - Repair Windows Safe Mode
Start (4/30/2016 8:13:07 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:13:09 PM)

25 - Repair Print Spooler
Start (4/30/2016 8:13:09 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:13:13 PM)

26 - Restore Important Windows Services
Start (4/30/2016 8:13:13 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:13:22 PM)

27 - Set Windows Services To Default Startup
Start (4/30/2016 8:13:22 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:13:28 PM)

Skipping Repair.
Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
Current version: 6.0.6002

Skipping Repair.
Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
Current version: 6.0.6002

Skipping Repair.
Repair is for Windows v6.2 (Windows 8 & Newer) or higher.
Current version: 6.0.6002

31 - Repair Windows 'New' Submenu
Start (4/30/2016 8:13:29 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:13:31 PM)

32 - Restore UAC (User Account Control) Settings
Start (4/30/2016 8:13:31 PM)
Running Repair Under Current User Account
Running Repair Under System Account
Done (4/30/2016 8:13:33 PM)

33 - Repair Performance Counters
Start (4/30/2016 8:13:33 PM)
Running Repair Under Current User Account
Done (4/30/2016 8:13:39 PM)

Cleaning up empty logs...

All Selected Repairs Done.
Done at (4/30/2016 8:13:39 PM)
Total Repair Time: 01:05:12


...YOU MUST RESTART YOUR SYSTEM...
 
At this point...

In this forum, we make sure, your computer is free of malware and your computer is clean :)
Because the access to malware forum is very limited, your best option is to create new topic about your current issue, at Windows section.
You'll get more attention.

Good luck :)
 
Back