
Monitor [Closed]


  • This topic is locked

#1
Tinc27

    Member

  • Member
  • PipPip
  • 93 posts

I tried to do a system restore because my Avast popup would not go away when closed out, and now I can only see my mouse on the screen. Tried safe mode, same thing. Tried a different monitor, same thing.


  • 0


#2
Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,911 posts
Hi Tinc27, :)

:welcome:

My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:
  • Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system as it may hinder our process.
  • Malware removal is a complicated process so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe mode which will cut you off from internet and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest to you any course that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect the skill. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message (PM) if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on other systems as it may do serious damage.
 
  • Step #1 Scan with Farbar Recovery Scan Tool

    Prerequisites:
    • A clean PC or an accessible user account; and
    • A flash-drive with at least 1GB storage.
    First Part:
    Second Part:
    • Connect the flash-drive to the infected PC;
    • Restart your PC;
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears;
    • Use the arrow keys to select Repair your computer;
    • From the language setting choose US and click Next;
    • Select the operating system you want to repair and click Next;
    • Select your user-account and click Next;
    • You will enter into the System Recovery and will be presented with the following options --
      • Startup Repair
      • System Restore
      • Windows Complete PC Restore
      • Windows Memory Diagnostic Tool
      • Command Prompt
    • Select Command Prompt
    Third Part:
    • In the Command Prompt window type notepad and press Enter;
    • When the Notepad opens, go to File>Open>My Computer and take a mental note of the flash-drive letter;
    • In the Command Prompt window type e:\frst.exe (for a 64-bit system type e:\frst64.exe)
      • Note: Replace e with the drive letter of your flash-drive
    • When the program starts, click on Scan;
    • A log named frst.txt will be created after the scan and will be saved in your flash-drive;
    • Copy and Paste the contents of the log in your next reply
 
  • Required Log(s):
    • Farbar Recovery Scan Tool Log(s) --
      • FRST.txt
      • Addition.txt
Regards,
Valinorum
  • 0

#3
Tinc27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts

I am using Windows 7. Is that 32 or 64 bit?


  • 0

#4
Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,911 posts
Download the 32-bit version first. If it fails to run, go for the 64-bit.
  • 0

#5
Tinc27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-05-2014
Ran by SYSTEM on MININT-78GMAH7 on 03-05-2014 11:53:05
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.
 
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8060960 2009-08-05] (Realtek Semiconductor)
HKLM\...\Run: [Verizon_McciTrayApp] => C:\Program Files\Verizon\McciTrayApp.exe [3432448 2010-03-17] (Alcatel-Lucent)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1281512 2013-01-27] (Microsoft Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [LenovoFSC] => C:\Program Files (x86)\Lenovo\FanSpeedControl\LenovoFSC.exe [49152 2009-07-29] (Lenovo (Shenzhen) Electronic Co., Ltd.)
HKLM-x32\...\Run: [jmekey] => C:\Program Files (x86)\jmesoft\hotkey.exe [114688 2009-07-16] (JME)
HKLM-x32\...\Run: [UpdatePRCShortCut] => C:\Program Files\Lenovo\OneKey App\Lenovo Rescue System\MUITransfer\MUIStartMenu.exe [222504 2009-05-13] (CyberLink Corp.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2544664 2014-03-21] ()
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3774312 2014-04-01] (AVAST Software)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-20] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [*Restore] - C:\windows\System32\rstrui.exe /runonce [296960 2010-11-20] (Microsoft Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Default\...\RunOnce: [WLStart] - C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [768336 2009-07-26] (Microsoft Corporation)
HKU\Default User\...\RunOnce: [WLStart] - C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [768336 2009-07-26] (Microsoft Corporation)
HKU\Tom\...\Run: [Magellan CmTray] => C:\Program Files (x86)\Content Manager\CmTray.exe [458752 2011-03-04] (MiTAC Digital Corporation.)
HKU\Tom\...\Run: [Akamai NetSession Interface] => C:\Users\Tom\AppData\Local\Akamai\netsession_win.exe [4672920 2014-03-06] (Akamai Technologies, Inc.)
HKU\Tom\...\Run: [Google Update] => C:\Users\Tom\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-04-06] (Google Inc.)
HKU\Tom\...\Run: [FileHippo.com] => C:\Program Files (x86)\FileHippo.com\UpdateChecker.exe [307712 2012-11-23] (FileHippo.com)
HKU\Tom\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2013-02-13] (Google Inc.)
HKU\UpdatusUser\...\RunOnce: [WLStart] - C:\Program Files (x86)\Windows Live\Installer\wlstart.exe [768336 2009-07-26] (Microsoft Corporation)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_89743857.lnk
ShortcutTarget: _uninst_89743857.lnk ->  (No File)
Startup: C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
 
==================== Services (Whitelisted) =================
 
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-02-08] (AVAST Software)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2211000 2014-03-30] (Microsoft Corporation)
S2 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [350792 2013-09-13] (Verizon)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2010-03-17] (Alcatel-Lucent)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] (Microsoft Corporation)
S2 vToolbarUpdater18.0.5; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.5\ToolbarUpdater.exe [1771032 2014-03-21] (AVG Secure Search)
S2 WinnetPlusService; C:\Program Files (x86)\FileNori\winnetplus.exe [700416 2013-09-21] ()
S3 aspnet_state; %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [X]
 
==================== Drivers (Whitelisted) ====================
 
S0 89743857; C:\Windows\System32\DRIVERS\89743857.sys [460888 2012-10-13] (Kaspersky Lab ZAO)
S2 aswMonFlt; C:\windows\system32\drivers\aswMonFlt.sys [78648 2014-02-08] (AVAST Software)
S1 aswRdr; C:\windows\system32\drivers\aswRdr2.sys [92544 2014-02-08] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-02-08] ()
S1 aswSnx; C:\windows\system32\drivers\aswSnx.sys [1038072 2014-02-08] (AVAST Software)
S1 aswSP; C:\windows\system32\drivers\aswSP.sys [421704 2014-02-08] (AVAST Software)
S3 aswStm; C:\windows\system32\drivers\aswStm.sys [80184 2014-02-08] (AVAST Software)
S1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [64288 2014-01-22] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [207904 2014-02-08] ()
S1 avgtp; C:\windows\system32\drivers\avgtpx64.sys [49952 2014-03-21] (AVG Technologies)
S3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S3 MREMP50; C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [21248 2010-03-17] (Printing Communications Assoc., Inc. (PCAUSA))
S3 MRESP50; C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [20096 2010-03-17] (Printing Communications Assoc., Inc. (PCAUSA))
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
S3 RTL8023x64; C:\Windows\System32\DRIVERS\Rtnic64.sys [51712 2009-06-10] (Realtek Semiconductor Corporation                           )
S3 SuperIO; C:\Windows\System32\DRIVERS\spio.sys [11848 2009-06-05] ()
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-05-03 11:52 - 2014-05-03 11:53 - 00000000 ____D () C:\FRST
2014-04-27 11:09 - 2014-04-27 11:09 - 00000000 ____D () C:\Users\Tom\AppData\Local\AVG Secure Search
2014-04-26 19:17 - 2014-04-26 19:17 - 00022208 _____ () C:\Users\Tom\Documents\[kickass.to]becoming.santa.2011 (2).torrent
2014-04-26 19:07 - 2014-04-26 19:07 - 00022208 _____ () C:\Users\Tom\Documents\[kickass.to]becoming.santa.2011 (1).torrent
2014-04-19 16:50 - 2014-04-19 16:50 - 00010683 _____ () C:\Users\Tom\Documents\[kickass.to]the.hobbit.the.desolation.of.smaug.2013.720p.brrip.x264.yify.torrent
2014-04-19 14:09 - 2014-04-19 14:09 - 00020697 _____ () C:\Users\Tom\Documents\[kickass.to]12.years.a.slave.2013.1080p.brrip.x264.yify.torrent
 
==================== One Month Modified Files and Folders =======
 
2014-05-03 11:53 - 2014-05-03 11:52 - 00000000 ____D () C:\FRST
2014-05-03 03:08 - 2011-03-20 17:59 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-05-03 02:47 - 2013-09-21 18:13 - 00000000 ____D () C:\Program Files (x86)\FileNori
2014-04-30 17:05 - 2011-03-16 18:14 - 00000000 ____D () C:\users\Tom
2014-04-30 17:04 - 2011-04-27 11:35 - 00000000 ____D () C:\Users\Tom\AppData\Roaming\Azureus
2014-04-30 17:04 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\AppCompat
2014-04-30 17:03 - 2014-03-21 07:45 - 00000000 ____D () C:\ProgramData\AVG Secure Search
2014-04-30 17:03 - 2013-05-03 16:55 - 00000000 ____D () C:\Program Files (x86)\AVG SafeGuard toolbar
2014-04-30 17:03 - 2011-11-03 17:43 - 00000000 ____D () C:\Users\Tom\AppData\Local\Akamai
2014-04-30 17:03 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\registration
2014-04-30 16:35 - 2009-07-13 20:45 - 00017952 _____ () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-04-30 16:35 - 2009-07-13 20:45 - 00017952 _____ () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-04-27 11:09 - 2014-04-27 11:09 - 00000000 ____D () C:\Users\Tom\AppData\Local\AVG Secure Search
2014-04-26 19:17 - 2014-04-26 19:17 - 00022208 _____ () C:\Users\Tom\Documents\[kickass.to]becoming.santa.2011 (2).torrent
2014-04-26 19:07 - 2014-04-26 19:07 - 00022208 _____ () C:\Users\Tom\Documents\[kickass.to]becoming.santa.2011 (1).torrent
2014-04-20 01:24 - 2012-04-06 20:29 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3758289344-697551801-2976451627-1001UA.job
2014-04-20 01:24 - 2010-12-28 18:10 - 01549755 _____ () C:\Windows\WindowsUpdate.log
2014-04-20 01:04 - 2012-04-06 18:07 - 00000892 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-04-20 00:24 - 2012-04-06 20:29 - 00000848 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3758289344-697551801-2976451627-1001Core.job
2014-04-19 19:04 - 2012-04-06 18:07 - 00000888 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-04-19 17:26 - 2009-07-13 21:13 - 00741000 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-04-19 17:00 - 2012-10-11 09:44 - 00000460 _____ () C:\Windows\Tasks\SpeedMaxPc Registration3.job
2014-04-19 16:50 - 2014-04-19 16:50 - 00010683 _____ () C:\Users\Tom\Documents\[kickass.to]the.hobbit.the.desolation.of.smaug.2013.720p.brrip.x264.yify.torrent
2014-04-19 16:48 - 2011-04-27 11:35 - 00000000 ____D () C:\Program Files (x86)\Vuze
2014-04-19 14:09 - 2014-04-19 14:09 - 00020697 _____ () C:\Users\Tom\Documents\[kickass.to]12.years.a.slave.2013.1080p.brrip.x264.yify.torrent
2014-04-19 06:28 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-04-19 06:28 - 2009-07-13 20:51 - 00084987 _____ () C:\Windows\setupact.log
2014-04-18 00:13 - 2012-10-11 09:44 - 00000396 _____ () C:\Windows\Tasks\SpeedMaxPc.job
2014-04-14 16:53 - 2013-02-13 12:58 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2014-04-14 16:50 - 2010-12-28 19:07 - 00880472 _____ () C:\Windows\PFRO.log
2014-04-13 21:00 - 2012-04-06 18:07 - 00000000 ____D () C:\Users\Tom\AppData\Local\Google
2014-04-13 02:50 - 2012-10-11 09:44 - 00000418 _____ () C:\Windows\Tasks\SpeedMaxPc Update3.job
2014-04-12 11:22 - 2013-11-02 15:56 - 00000000 ____D () C:\Program Files\Microsoft Office 15
2014-04-08 20:27 - 2012-04-06 20:30 - 00002316 _____ () C:\Users\Tom\Desktop\Google Chrome.lnk
2014-04-06 23:07 - 2011-06-25 15:25 - 00114416 _____ () C:\Users\Tom\AppData\Roaming\GDIPFONTCACHEV1.DAT
 
Some content of TEMP:
====================
C:\Users\Tom\AppData\Local\Temp\i4jdel0.exe
C:\Users\Tom\AppData\Local\Temp\OfficeSetup.exe
C:\Users\Tom\AppData\Local\Temp\oi_{C7447BF1-984D-4B6A-B3DD-4E1B81CF6DB6}.exe
C:\Users\Tom\AppData\Local\Temp\setupproplusretail.x86.en-us_TX_PR_act_1_.exe
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2011-07-01 08:11] - [2010-11-20 05:27] - 0520192 ____A (Microsoft Corporation) 523CC374F87FF4AD4B450C98F4851F0F
 
 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
Restore point made on: 2014-04-06 17:54:09
Restore point made on: 2014-04-11 17:53:53
Restore point made on: 2014-04-15 17:02:18
Restore point made on: 2014-04-20 01:25:05
Restore point made on: 2014-04-26 03:37:07
Restore point made on: 2014-04-29 17:02:34
Restore point made on: 2014-04-30 17:00:39
 
==================== Memory info =========================== 
 
Percentage of memory in use: 10%
Total physical RAM: 8191.18 MB
Available physical RAM: 7339.69 MB
Total Pagefile: 8189.32 MB
Available Pagefile: 7325.5 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:906.34 GB) (Free:607.99 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive g: () (Removable) (Total:14.9 GB) (Free:2.68 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 932 GB) (Disk ID: C4483DD6)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=906 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=25 GB) - (Type=12)
 
========================================================
Disk: 2 (Size: 15 GB) (Disk ID: 00000000)
 
Partition: GPT Partition Type.
 
 
LastRegBack: 2014-04-29 19:06
 
==================== End Of Log ===========================

  • 0

#6
Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,911 posts
Re-run FRST64.exe again. In the search box type rpcss.dll and click on search file(s). Post the contents of the Search.txt which is saved in your USB.
  • 0

#7
Tinc27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts
Farbar Recovery Scan Tool (x64) Version: 02-05-2014
Ran by SYSTEM at 2014-05-03 12:17:39
Running from G:\
Boot Mode: Recovery
 
================== Search: "rpcss.dll" ===================
 
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2011-07-01 08:11] - [2010-11-20 05:27] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123
 
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
 
C:\Windows\System32\rpcss.dll
[2011-07-01 08:11] - [2010-11-20 05:27] - 0520192 ____A (Microsoft Corporation) 523CC374F87FF4AD4B450C98F4851F0F
 
X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
 
X:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
 
====== End Of Search ======

  • 0
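
An added example (not part of the thread, and not FRST's own code): a small Python parser for the Search.txt format posted in #7 that compares each live copy of a file with the component-store (winsxs) copies on the same drive by size and MD5. The sample text is copied from that post; `parse_search`, `audit` and the `Entry` type are names made up for this example, and a mismatch marks a file for review rather than proving it is patched.

```python
import ntpath
import re
from typing import NamedTuple

# Search.txt entries copied from post #7. C: is the installed system,
# X: is the recovery environment FRST was started from.
SEARCH_TXT = r"""
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2011-07-01 08:11] - [2010-11-20 05:27] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

C:\Windows\System32\rpcss.dll
[2011-07-01 08:11] - [2010-11-20 05:27] - 0520192 ____A (Microsoft Corporation) 523CC374F87FF4AD4B450C98F4851F0F

X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027

X:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0509440 ____A (Microsoft Corporation) 7266972E86890E2B30C0C322E906B027
"""

# "[created] - [modified] - size attrs (company) MD5", as in the log above.
META = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>.*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
# Component version embedded in a winsxs directory name, e.g. _6.1.7601.17514_none_
STORE_VERSION = re.compile(r"_(\d+(?:\.\d+){3})_none_")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")


class Entry(NamedTuple):
    path: str
    size: int
    md5: str
    in_store: bool   # True when the file lives under \winsxs\
    version: tuple   # component version for store copies, () otherwise


def parse_search(text):
    """Pair each path line with the metadata line that follows it."""
    entries, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        meta = META.match(line)
        if meta and pending:
            in_store = "\\winsxs\\" in pending.lower()
            found = STORE_VERSION.search(pending) if in_store else None
            version = tuple(int(p) for p in found.group(1).split(".")) if found else ()
            entries.append(Entry(pending, int(meta["size"]), meta["md5"].upper(),
                                 in_store, version))
            pending = None
        elif PATH_LINE.match(line):
            pending = line
    return entries


def audit(entries, drive):
    """For every live file on `drive`, report whether any store copy on the
    same drive has the same size and MD5, and list the store versions found."""
    drive = drive.upper()
    on_drive = [e for e in entries
                if ntpath.splitdrive(e.path)[0].upper() == drive]
    findings = []
    for live in (e for e in on_drive if not e.in_store):
        name = ntpath.basename(live.path).lower()
        store = sorted(
            (e for e in on_drive
             if e.in_store and ntpath.basename(e.path).lower() == name),
            key=lambda e: e.version, reverse=True)  # newest component first
        findings.append({
            "path": live.path,
            "md5": live.md5,
            "matches_store": any((s.size, s.md5) == (live.size, live.md5)
                                 for s in store),
            "store_versions": [".".join(map(str, s.version)) for s in store],
        })
    return findings


if __name__ == "__main__":
    parsed = parse_search(SEARCH_TXT)
    for drv in ("C:", "X:"):
        for f in audit(parsed, drv):
            verdict = ("matches a store copy" if f["matches_store"]
                       else "NO store copy matches")
            print(f"{f['path']}  {f['md5']}  {verdict}; "
                  f"store versions: {', '.join(f['store_versions'])}")
```
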

#8
Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,911 posts
Hi Tinc27, :)
  • Step #2 Fix with FRST
    This section of the fix has two parts. For the first part please peruse the following --

    Make sure that you have access to a clean PC or a functioning user account and still have FRST.exe in your flash drive. If you do not have it, download the suitable version from here to your flash-drive.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
      Start
      HKLM-x32\...\Run: [] => [X]
      HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2544664 2014-03-21] ()
      C:\Program Files (x86)\AVG SafeGuard toolbar
      Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
      ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
      Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
      ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
      Startup: C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_89743857.lnk
      ShortcutTarget: _uninst_89743857.lnk ->  (No File)
      Startup: C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
      ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
      S2 vToolbarUpdater18.0.5; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.5\ToolbarUpdater.exe [1771032 2014-03-21] (AVG Secure Search)
      C:\Program Files (x86)\Common Files\AVG Secure Search
      S0 89743857; C:\Windows\System32\DRIVERS\89743857.sys [460888 2012-10-13] (Kaspersky Lab ZAO)
      S1 avgtp; C:\windows\system32\drivers\avgtpx64.sys [49952 2014-03-21] (AVG Technologies)
      2014-04-26 19:17 - 2014-04-26 19:17 - 00022208 _____ () C:\Users\Tom\Documents\[kickass.to]becoming.santa.2011 (2).torrent
      2014-04-26 19:07 - 2014-04-26 19:07 - 00022208 _____ () C:\Users\Tom\Documents\[kickass.to]becoming.santa.2011 (1).torrent
      2014-04-19 16:50 - 2014-04-19 16:50 - 00010683 _____ () C:\Users\Tom\Documents\[kickass.to]the.hobbit.the.desolation.of.smaug.2013.720p.brrip.x264.yify.torrent
      2014-04-19 14:09 - 2014-04-19 14:09 - 00020697 _____ () C:\Users\Tom\Documents\[kickass.to]12.years.a.slave.2013.1080p.brrip.x264.yify.torrent
      2014-04-30 17:03 - 2014-03-21 07:45 - 00000000 ____D () C:\ProgramData\AVG Secure Search
      2014-04-30 17:03 - 2013-05-03 16:55 - 00000000 ____D () C:\Program Files (x86)\AVG SafeGuard toolbar
      2014-04-27 11:09 - 2014-04-27 11:09 - 00000000 ____D () C:\Users\Tom\AppData\Local\AVG Secure Search
      C:\Users\Tom\AppData\Local\Temp\i4jdel0.exe
      Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll C:\Windows\System32\rpcss.dll
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt
      • From the Save as type drop down list, choose All Files
    • Copy and Paste fixlist.txt to your flash drive.
    You are ready to move on to the second part. Please peruse --
    • Connect your flash drive to the infected PC;
    • Enter the System Recovery Options and select Command Prompt;
    • Run FRST.exe (or FRST64.exe for a 64-bit machine) again as outlined in the previous post;
    • Click on Fix;
    • After the fix a log will be created in the flash drive named FixLog.txt;
    • Copy and Paste the contents of the log in your next reply;
    • Try to boot into Normal Mode.
 
  • Required Log(s):
    • FRST Fix Log
Regards,
Valinorum
  • 0

#9
Tinc27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-05-2014
Ran by SYSTEM at 2014-05-03 12:45:20 Run:1
Running from G:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
Start
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2544664 2014-03-21] ()
C:\Program Files (x86)\AVG SafeGuard toolbar
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_89743857.lnk
ShortcutTarget: _uninst_89743857.lnk ->  (No File)
Startup: C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
S2 vToolbarUpdater18.0.5; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.5\ToolbarUpdater.exe [1771032 2014-03-21] (AVG Secure Search)
C:\Program Files (x86)\Common Files\AVG Secure Search
S0 89743857; C:\Windows\System32\DRIVERS\89743857.sys [460888 2012-10-13] (Kaspersky Lab ZAO)
S1 avgtp; C:\windows\system32\drivers\avgtpx64.sys [49952 2014-03-21] (AVG Technologies)
2014-04-26 19:17 - 2014-04-26 19:17 - 00022208 _____ () C:\Users\Tom\Documents\[kickass.to]becoming.santa.2011 (2).torrent
2014-04-26 19:07 - 2014-04-26 19:07 - 00022208 _____ () C:\Users\Tom\Documents\[kickass.to]becoming.santa.2011 (1).torrent
2014-04-19 16:50 - 2014-04-19 16:50 - 00010683 _____ () C:\Users\Tom\Documents\[kickass.to]the.hobbit.the.desolation.of.smaug.2013.720p.brrip.x264.yify.torrent
2014-04-19 14:09 - 2014-04-19 14:09 - 00020697 _____ () C:\Users\Tom\Documents\[kickass.to]12.years.a.slave.2013.1080p.brrip.x264.yify.torrent
2014-04-30 17:03 - 2014-03-21 07:45 - 00000000 ____D () C:\ProgramData\AVG Secure Search
2014-04-30 17:03 - 2013-05-03 16:55 - 00000000 ____D () C:\Program Files (x86)\AVG SafeGuard toolbar
2014-04-27 11:09 - 2014-04-27 11:09 - 00000000 ____D () C:\Users\Tom\AppData\Local\AVG Secure Search
C:\Users\Tom\AppData\Local\Temp\i4jdel0.exe
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll C:\Windows\System32\rpcss.dll
End
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\vProt => Value deleted successfully.
C:\Program Files (x86)\AVG SafeGuard toolbar => Moved successfully.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk => Moved successfully.
C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe => Moved successfully.
C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk not found.
C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe not found.
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_89743857.lnk => Moved successfully.
ShortcutTarget: _uninst_89743857.lnk ->  (No File) not found.
C:\Users\UpdatusUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk => Moved successfully.
C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe not found.
vToolbarUpdater18.0.5 => Service deleted successfully.
C:\Program Files (x86)\Common Files\AVG Secure Search => Moved successfully.
89743857 => Service deleted successfully.
avgtp => Service deleted successfully.
C:\Users\Tom\Documents\[kickass.to]becoming.santa.2011 (2).torrent => Moved successfully.
C:\Users\Tom\Documents\[kickass.to]becoming.santa.2011 (1).torrent => Moved successfully.
C:\Users\Tom\Documents\[kickass.to]the.hobbit.the.desolation.of.smaug.2013.720p.brrip.x264.yify.torrent => Moved successfully.
C:\Users\Tom\Documents\[kickass.to]12.years.a.slave.2013.1080p.brrip.x264.yify.torrent => Moved successfully.
C:\ProgramData\AVG Secure Search => Moved successfully.
"C:\Program Files (x86)\AVG SafeGuard toolbar" => File/Directory not found.
C:\Users\Tom\AppData\Local\AVG Secure Search => Moved successfully.
C:\Users\Tom\AppData\Local\Temp\i4jdel0.exe => Moved successfully.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll
 
==== End of Fixlog ====

  • 0

#10
Tinc27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts

Restart good. Get a message that system restore did not complete successfully. An unspecified error occurred during system restore. (0x0000022). Do I have a virus? Why did the Avast banner not go away?

Have not seen the banner yet. Since recent restart.


  • 0

#11
Tinc27

    Member

  • Topic Starter
  • Member
  • PipPip
  • 93 posts

Avast banner is back with a different message. Now about wanting to optimize. This is a recent problem with Avast. I never had this banner issue with Avast before. Avast banner popup


  • 0

#12
Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,911 posts

Restart good. Get a message that system restore did not complete successfully. An unspecified error occurred during system restore. (0x0000022). Do I have a virus? Why did the Avast banner not go away?
Have not seen the banner yet. Since recent restart.

0X0000022 error codes are caused in one way or another by misconfigured system files in your Windows operating system. Malware patched one of your system files, which I replaced earlier.
 

Avast banner is back with a different message. Now about wanting to optimize. This is a recent problem with Avast. I never had this banner issue with Avast before. Avast banner popup

Can you post a screenshot or type the exact message?

 

Copy FRST to your Desktop and run it in normal mode. Check all the boxes and click scan. After the scan post the logs from FRST.txt and Addition.txt. :)
  • 0

#13
Valinorum

    GeekU Guardian Bot

  • GeekU Moderator
  • 2,911 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





