[Solved] Would like to post HijackThis log file to troubleshoot BSODs

August 22, 2015 at 15:17:30
Specs: Windows 7
I have been getting lots of BSODs and I would like to send in a HijackThis log file. I have run Combofix, AVG & HijackThis, could someone please take a look at the log? I have read that I may not submit unsolicited logs, so I am requesting permission to send. Thanks very much.




#1
August 22, 2015 at 15:19:55
HijackThis is too outdated to be of any value.

Start by running these freebies in the order given:

AdwCleaner:
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. Use the "Scan" button, followed by the "Cleaning" button.

Junkware Removal Tool (JRT)
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run JRT. It might appear to have stopped at times or flash the screen but sit tight until it has finished.

MalwareBytes:
http://filehippo.com/download_malwa...
(green Download button top right - not anything else on the page)
Install and Run the program but before doing its Scan go to "Settings > Detection and Protection" and put a checkmark in "Scan for rootkits". Quarantine anything it finds.

Please copy/paste the logs on here.

Always pop back and let us know the outcome - thanks



#2
August 23, 2015 at 02:45:14
Ok, here's what you requested:

AdwCleaner log

# AdwCleaner v5.003 - Logfile created 23/08/2015 at 09:58:25
# Updated 20/08/2015 by Xplode
# Database : 2015-08-20.1 [Server]
# Operating system : Windows 7 Ultimate (x64)
# Username : TBShaw - TBPC
# Running from : D:\DloadZ\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

[-] Service Deleted : ReimageRealTimeProtector

***** [ Folders ] *****

[#] Folder Deleted : C:\rei
[#] Folder Deleted : C:\Program Files\Reimage
[#] Folder Deleted : C:\Program Files (x86)\Common Files\tencent
[#] Folder Deleted : C:\ProgramData\Reimage Protector
[#] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\reimage repair
[#] Folder Deleted : C:\Users\Public\Documents\tencent
[#] Folder Deleted : C:\Users\TBShaw\AppData\Roaming\tencent

***** [ Files ] *****

[-] File Deleted : C:\Windows\Reimage.ini

***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : Reimage Reminder
[-] Task Deleted : ReimageUpdater

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\DownloadProxy.EXE
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\REI_AxControl.ReiEngine
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Reimage.exe
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6CE321DA-DC11-45C6-A0FC-4E8A7D978ABC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F62A4AF9-58B4-4FEC-89CC-D717A547D8E8}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
[-] Key Deleted : HKU\.DEFAULT\Software\Avg Secure Update
[-] Key Deleted : HKCU\Software\Conduit
[-] Key Deleted : HKCU\Software\CToolbar
[-] Key Deleted : HKCU\Software\Reimage
[-] Key Deleted : HKCU\Software\Avg Secure Update
[-] Key Deleted : HKLM\SOFTWARE\Conduit
[-] Key Deleted : HKLM\SOFTWARE\CToolbar
[!] Key Not Deleted : [x64] HKCU\Software\Conduit
[!] Key Not Deleted : [x64] HKCU\Software\CToolbar
[!] Key Not Deleted : [x64] HKCU\Software\Reimage
[!] Key Not Deleted : [x64] HKCU\Software\Avg Secure Update
[-] Key Deleted : [x64] HKLM\SOFTWARE\Reimage

***** [ Web browsers ] *****


*************************

:: Proxy settings cleared
:: Winsock settings cleared
:: IE policies deleted

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [4864 bytes] ##########


JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.7 (08.18.2015:1)
OS: Windows 7 Ultimate x64
Ran by TBShaw on Sun 08/23/2015 at 10:19:27.60
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Tasks

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer

~~~ Files

~~~ Folders

Successfully deleted: [Folder] C:\Users\TBShaw\AppData\Roaming\tencent
Successfully deleted: [Folder] C:\Users\TBShaw\AppData\Roaming\xiaomi

~~~ FireFox

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@qq.com/npqscall
Emptied folder: C:\Users\TBShaw\AppData\Roaming\mozilla\firefox\profiles\6y9toxat.default\minidumps [12 files]

~~~ Chrome


[C:\Users\TBShaw\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\TBShaw\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\TBShaw\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\TBShaw\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 08/23/2015 at 10:32:23.94
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MAB log

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/23/2015
Scan Time: 10:48 AM
Logfile: MAB.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.22.04
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: TBShaw

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 362783
Time Elapsed: 11 min, 2 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Looks pretty clean, are you sure HijackThis would not be relevant? I see a lot of Unknown Owner entries there, including something called keyiso.dll that looks a little scary. Please advise, and thanks for your prompt response.



#3
August 23, 2015 at 02:51:35
"Looks pretty clean, are you sure HijackThis would not be relevant?"
So far we are on the right track; I prefer this tool.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt).
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif



#4
August 23, 2015 at 07:07:45
I've found "HijackThis" misunderstands file locations, often showing them as missing when they are in the correct place (even worse from Win 8 onwards). It used to be OK so I think it is because it hasn't been updated for years.

Always pop back and let us know the outcome - thanks


#5
August 23, 2015 at 07:31:15
OK guys all done with FRST. I assumed that you wanted both log files, since they differ, so I zipped them. The link at Zippyshare is:

http://www15.zippyshare.com/v/OiT9p...



#6
August 23, 2015 at 15:46:33
"so I zipped them"
Thanks.
"I assumed that you wanted both log files"
That was in my post #3 to send both files.
"including something called keyiso.dll"
That is a normal Windows file, if it is in the right places. Here is where mine are.
http://i.imgur.com/MnrjwYF.gif

Copy & Paste the dump (.dmp ) file onto your desktop & then upload it using ZippyShare.
Minidump file is located in C:\Windows\Minidump
How to see hidden files in Windows
http://www.bleepingcomputer.com/tut...


#7
August 23, 2015 at 17:42:56
Here's the link to the .dmp file:

http://www3.zippyshare.com/v/ENuyiD...

Thanks for your help.



#8
August 23, 2015 at 18:13:47
Here is the complete analysis so everyone can see it.

I'm here.
http://www.timeanddate.com/worldclo...

Windows 7 Kernel Version 7600 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7600.16385.amd64fre.win7_rtm.090713-1255
Machine Name:
Kernel base = 0xfffff800`03249000 PsLoadedModuleList = 0xfffff800`03486e50
Debug session time: Sun Aug 23 20:13:25.630 2015 (UTC - 4:00)
System Uptime: 0 days 1:16:30.191
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff96000134283, Address of the instruction which caused the bugcheck
Arg3: fffff880071f4060, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
win32k!HmgLockEx+a3
fffff960`00134283 0fb7430c movzx eax,word ptr [rbx+0Ch]

CONTEXT: fffff880071f4060 -- (.cxr 0xfffff880071f4060)
rax=fffff900c0200000 rbx=0000000000000000 rcx=fffffa801252cb60
rdx=fffff900c0200000 rsi=0000000000000000 rdi=fffff900c0200000
rip=fffff96000134283 rsp=fffff880071f4a40 rbp=0000000000000000
r8=0000000000000001 r9=0000000000000000 r10=0000000000000000
r11=fffff880071f4aa8 r12=0000000003af5400 r13=0000000000000000
r14=0000000000000001 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
win32k!HmgLockEx+0xa3:
fffff960`00134283 0fb7430c movzx eax,word ptr [rbx+0Ch] ds:002b:00000000`0000000c=????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: dwm.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff960002ec6b0 to fffff96000134283

STACK_TEXT:
fffff880`071f4a40 fffff960`002ec6b0 : fffff900`c28dbca0 00000000`00000001 ffffffff`af1206a2 fffff900`c2df3010 : win32k!HmgLockEx+0xa3
fffff880`071f4ab0 fffff960`002ebbae : fffff900`c28dbca0 00000000`00000000 000006a2`00000000 00000000`00000000 : win32k!SFMLOGICALSURFACE::OwnsSurfaceCleanup+0x40
fffff880`071f4ae0 fffff960`002ecab3 : 00000000`00000000 ffffffff`af1206a2 fffff900`c28dbca0 00000000`03af54b0 : win32k!SFMLOGICALSURFACE::DeInitialize+0x4e
fffff880`071f4b20 fffff960`002495ff : 00000000`00000000 fffff900`c00c0010 fffff900`c28dbca0 00000000`00000020 : win32k!bhLSurfDestroyLogicalSurfaceObject+0x4b
fffff880`071f4b60 fffff960`0026a908 : 00000800`00000001 00000000`00000001 fffff880`071f4ca0 00000000`00000000 : win32k!GreSfmCloseCompositorRef+0x10f
fffff880`071f4ba0 fffff800`032ba153 : fffffa80`1252cb60 00000000`026df910 000007fe`f7f1d610 00000000`00000000 : win32k!NtGdiHLSurfSetInformation+0x1a8
fffff880`071f4c20 000007fe`fd274efa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`026df368 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7fe`fd274efa


FOLLOWUP_IP:
win32k!HmgLockEx+a3
fffff960`00134283 0fb7430c movzx eax,word ptr [rbx+0Ch]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: win32k!HmgLockEx+a3

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc5e0

STACK_COMMAND: .cxr 0xfffff880071f4060 ; kb

FAILURE_BUCKET_ID: X64_0x3B_win32k!HmgLockEx+a3

BUCKET_ID: X64_0x3B_win32k!HmgLockEx+a3

Followup: MachineOwner
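As an added example (not code from the thread or from any of the posters), a small Python triage script for the kind of `!analyze -v` report shown in this post: it pulls the bugcheck fields and recomputes the faulting operand `[rbx+0Ch]` from the saved register context, confirming that the read went to address 0xC, i.e. a NULL object pointer was dereferenced inside win32k while dwm.exe was in a system call. The embedded report is a constructed excerpt carrying the same values as the analysis above.

```python
"""Triage helper for a WinDbg ``!analyze -v`` bugcheck report (added example).
Parses a SYSTEM_SERVICE_EXCEPTION (0x3B) report, then recomputes the faulting
instruction's memory operand from the saved registers to confirm a null-page
dereference inside the kernel."""
import re

# Constructed excerpt laid out like the analysis posted in the thread.
SAMPLE_REPORT = """\
SYSTEM_SERVICE_EXCEPTION (3b)
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff96000134283, Address of the instruction which caused the bugcheck
Arg3: fffff880071f4060, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

CONTEXT: fffff880071f4060 -- (.cxr 0xfffff880071f4060)
rax=fffff900c0200000 rbx=0000000000000000 rcx=fffffa801252cb60
rdx=fffff900c0200000 rsi=0000000000000000 rdi=fffff900c0200000
rip=fffff96000134283 rsp=fffff880071f4a40 rbp=0000000000000000
r8=0000000000000001 r9=0000000000000000 r10=0000000000000000
r11=fffff880071f4aa8 r12=0000000003af5400 r13=0000000000000000
r14=0000000000000001 r15=0000000000000000
win32k!HmgLockEx+0xa3:
fffff960`00134283 0fb7430c movzx eax,word ptr [rbx+0Ch] ds:002b:00000000`0000000c=????

PROCESS_NAME: dwm.exe
MODULE_NAME: win32k
FAILURE_BUCKET_ID: X64_0x3B_win32k!HmgLockEx+a3
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
NULL_PAGE_LIMIT = 0x10000  # lowest 64 KiB of the address space is never mapped
MASK64 = (1 << 64) - 1

def parse_bugcheck(text):
    """Bugcheck name/code, the four Arg values and the symbol-level summary fields."""
    m = re.search(r"^([A-Z_]+) \(([0-9a-f]+)\)\s*$", text, re.M)
    info = {"name": m.group(1), "code": int(m.group(2), 16)}
    info["args"] = {int(n): int(v, 16)
                    for n, v in re.findall(r"^Arg(\d): ([0-9a-f]{16}),", text, re.M)}
    for key in ("PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME", "FAILURE_BUCKET_ID"):
        m = re.search(rf"^{key}:\s+(\S+)", text, re.M)
        info[key.lower()] = m.group(1) if m else None
    return info

def parse_registers(text):
    """The 64-bit registers from the .cxr context block, as a name -> int map."""
    return {name: int(val, 16)
            for name, val in re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b", text)}

def parse_faulting_instruction(text):
    """Mnemonic, [base+disp] operand and the effective address WinDbg printed."""
    pat = (r"^[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+\w+,\s*(\w+) ptr "
           r"\[(r\w+)\+([0-9A-Fa-f]+)h\]\s+\w+:[0-9a-f]+:([0-9a-f]{8})`([0-9a-f]{8})")
    m = re.search(pat, text, re.M)
    if not m:
        return None
    return {"mnemonic": m.group(1), "size": m.group(2), "base": m.group(3),
            "disp": int(m.group(4), 16),
            "shown_address": int(m.group(5) + m.group(6), 16)}

def triage(text):
    """Cross-check the report's own numbers and say what kind of fault this was."""
    info = parse_bugcheck(text)
    regs = parse_registers(text)
    insn = parse_faulting_instruction(text)
    exc_code, fault_rip = info["args"][1], info["args"][2]  # meaning of Arg1/Arg2 for 0x3B
    effective = (regs[insn["base"]] + insn["disp"]) & MASK64
    result = {
        "bugcheck": f"{info['name']} (0x{info['code']:X})",
        "exception_is_access_violation": exc_code == STATUS_ACCESS_VIOLATION,
        "rip_matches_arg2": regs["rip"] == fault_rip,
        "effective_address": effective,
        "address_matches_debugger": effective == insn["shown_address"],
        "null_page_deref": effective < NULL_PAGE_LIMIT,
        "module": info["module_name"],
        "process": info["process_name"],
    }
    if result["null_page_deref"] and result["exception_is_access_violation"]:
        result["verdict"] = (f"null-page read via {insn['base']}+0x{insn['disp']:X} in "
                             f"{info['module_name']} while servicing a system call from "
                             f"{info['process_name']}: a NULL object pointer reached kernel code")
    else:
        result["verdict"] = "not a null-page dereference; inspect the stack and pool usage"
    return result

if __name__ == "__main__":
    for key, val in triage(SAMPLE_REPORT).items():
        print(f"{key}: {val:#x}" if type(val) is int else f"{key}: {val}")
```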



#9
August 23, 2015 at 18:18:20
Here is the MS opinion.

Bug Check 0x3B: SYSTEM_SERVICE_EXCEPTION
https://msdn.microsoft.com/en-us/li...

"Cause

This error has been linked to excessive paged pool usage and may occur due to user-mode graphics drivers crossing over and passing bad data to the kernel code."



#10
August 23, 2015 at 18:22:06
From the Farbar logs.
Are these actions deliberate?

ProxyEnable: [S-1-5-21-3883817282-1891597748-1379894258-1000] => Internet Explorer proxy is enabled.

ProxyServer: [S-1-5-21-3883817282-1891597748-1379894258-1000] => http=127.0.0.1:3213;https=127.0.0.1:3213

astrill.com


#11
August 24, 2015 at 15:45:27
Yes, Astrill is a VPN. It is necessary as I live in mainland China. I have used Astrill for years and never had any issues with it. Also, this issue occurs whether the VPN is on or not. And I don't use IE anyway, though I understand that Firefox and Opera are sort of piggybacked onto the IE front end. I switched browsers from Firefox to Opera recently due to the new Firefox issues in release 40.0 and 40.2, but the BSODs predate the switch.

The most common time I get BSODs is when I alt-tab out of World of Warcraft to the browser, but I never had a problem with that until about three or four weeks ago. It is always the same 0x0000003b stop code. Is this the "...excessive paged pool usage and may occur due to user-mode graphics drivers crossing over and passing bad data to the kernel code..." from MS? Why all of a sudden? I have been happily alt-tabbing out of WoW for years. Could it be I need to roll back the latest video driver update from my nVidia GTX560Ti? I think that update might have been around the time the BSODs started, but I'm not sure.

I have run a series of hardware diagnostics and stress tests (BIOS, CPU, HDD, Memory) from the UBCD and Hiren's, and they all come up clean. So is this going to be like the bad joke: Guy goes to the doctor, says "It hurts when I do this." Doctor says "So don't do that."

I will say that WoW pushes my system, and the fans rev up when I play. But wouldn't the stress tests I have run show if it was a heat-related issue? Tell me what else I can do, and what I'm doing wrong (but don't bother telling me to quit WoW, that advice will be ignored!).


#12
August 24, 2015 at 17:21:17
"Yes, Astrill is a VPN. It is necessary as I live in mainland China."
Good, just had to make sure, process of elimination.

"Could it be I need to roll back the latest video driver update from my nVidia GTX560Ti?"
Maybe.

Delete any old version of Combofix.

Download the latest version of ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
"There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual."
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please Note: Once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.


#13
August 24, 2015 at 17:26:18
There's a lot more discussion here:
http://answers.microsoft.com/en-us/...

Seems the video driver could be implicated as well as other things. What AV are you using?

Always pop back and let us know the outcome - thanks



#14
August 24, 2015 at 17:33:26
"What AV are you using?"

It's in the Farbar logs Derek.

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}



#15
August 24, 2015 at 23:13:08
Ran the latest ComboFix (as stated in my OP). Rundate was 8/22. Logfile here:

http://www92.zippyshare.com/v/48qOW...



#16
August 25, 2015 at 00:29:33
Extract from your Farbar logs.
"Running from D:\DloadZ"

Download the latest version > Farbar Recovery Scan Tool 21.08.2015.3

Run Farbar again, this time from the Desktop as per the original instructions please.
http://i.imgur.com/i3fg3Pf.gif


#17
August 25, 2015 at 01:34:16
Sorry, I also ran ComboFix from a non-desktop location. Will run both Farbar and ComboFix properly and zip both logs to Zippyshare. Please forgive my poor following of clear instructions :P


#18
August 25, 2015 at 01:36:44
"Please forgive my poor following of clear instructions"
Great, that will make it a lot easier.


#19
August 25, 2015 at 07:41:36
OK, so hopefully this time I have completed everything correctly. Logs are here:

http://www71.zippyshare.com/v/vIJUA...

Thanks for your patience.



#20
August 25, 2015 at 14:55:21
"so hopefully this time I have completed everything correctly"
Perfect.

Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

closeprocesses:
emptytemp:
HKLM-x32\...\Run: [] => [X]
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3883817282-1891597748-1379894258-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Toolbar: HKU\S-1-5-21-3883817282-1891597748-1379894258-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
FF Homepage: hxxp://global.bing.com/?FORM=HPCNEN&setmkt=en-us&setlang=en-us#
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @qq.com/npchrome -> C:\Program Files (x86)\Common Files\Tencent\Npchrome\npchrome.dll [No File]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz134; \??\C:\Users\TBShaw\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S4 NVHDA; system32\drivers\nvhda64v.sys [X]
U2 V2iMount; no ImagePath

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.



#21
August 27, 2015 at 21:34:59
✔ Best Answer
Run Tweaking.com - Windows Repair

Disable your antivirus program before running Windows Repair.
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...

Right click on the exe & click on > Run as administrator.
Start at Step 1 ( very important ) & when you get to the final step ( Repairs ) check/tick all the boxes. Reboot when finished.
Exclude Step 2 ( Malwarebytes scan )
http://i1-win.softpedia-static.com/...
http://www.softpedia.com/get/Tweak/...
http://i.imgur.com/UbaXHuV.gif
http://www.tweaking.com/
http://www.tweaking.com/content/pag...
http://i.imgur.com/NWSHEUy.gif
http://i.imgur.com/LTVThqF.gif
http://i.imgur.com/tdlbsVH.gif

The logs are large, upload them using Zippy.



#22
August 30, 2015 at 17:21:28
Here is how a USER got a lot of the problems; no AV would have prevented USER error. Go to any Malware forum & no matter what AV they have installed, they got infected.

As you can see from your logs, you had a lot of stuff installed without knowing how it got installed.
A lot of programs now give you the choice to install toolbars & other things during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install; you have to read after each click.

WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic & Brothersoft )
http://www.groovypost.com/unplugged...

I use Softpedia & FreewareFiles.com; they make you aware of what ad-supported programs the author of the program has included.
http://win.softpedia.com/index.free...
http://www.freewarefiles.com/new_fi...
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
SS of above.
http://i.imgur.com/jgGYNsP.gif
http://i.imgur.com/rqSpp1e.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif

Use Unchecky to help prevent these third-party installs. Nothing is perfect, the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/Unchec...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.

