[Buddierdl]

Can you go to the History tab in MBAM, then select "Quarantine" on the right and see if there are any items in there?

ESET didn't report any detections, right?

[Advertisements]

There was something, but I deleted what was in quatantine in trying to copy/paste the information to the forum, sorry. Bad mistake.

I have a screen print of it but cannot figure how to upload to the forum

The only thing I notice now with my PC is that boot up is slow and switching between users it got stuck, so I had to hard re-boot. Could Malwarebytes be doing this?

Thanks

[craigoh]

There was something, but I deleted what was in quatantine in trying to copy/paste the information to the forum, sorry. Bad mistake.

I have a screen print of it but cannot figure how to upload to the forum

The only thing I notice now with my PC is that boot up is slow and switching between users it got stuck, so I had to hard re-boot. Could Malwarebytes be doing this?

Thanks

[Buddierdl]

I have a screen print of it but cannot figure how to upload to the forum

When you reply, select the "More Reply Options." On the next page, there should be a button at the bottom of the editor where you can attach the file to your reply.

The only thing I notice now with my PC is that boot up is slow and switching between users it got stuck, so I had to hard re-boot. Could Malwarebytes be doing this?
 
Thanks

Was it just a one time thing, or does it happen all the time? Let's take a look at the event logs. Please reboot your computer right before running this scan:

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:

• List last 10 Event Viewer log
• List Devices
• List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

[craigoh]

Thank you for the help with the file attachment. 

 

As for the frequency...yes, seems to be all the time now.  When switching between users the screen goes black and it states it loses DVI connection.  Then the monitor goes into standby mode.  I have to wait 10-30 seconds, hit a key and the monitor comes back on to the screen where you choose between the users. very odd.  never happened before.  The only thing I can say is that it happened after MBAM was installed. 

 

The result scan is below:

MiniToolBox by Farbar  Version: 21-07-2014
Ran by Craig (administrator) on 17-10-2014 at 14:50:41
Running from "C:\Users\Craig\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/17/2014 09:12:07 AM) (Source: EventSystem) (User: )
Description: 80070005EventSystem.EventSubscription{D63A16CD-B70B-4350-A0DD-F010D2AB197C}-{00000000-0000-0000-0000-000000000000}-{00000000-0000-0000-0000-000000000000}

Error: (10/16/2014 09:39:24 AM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - Failed to compile: System.Xml, Version=2.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil . Error code = 0x80070020

Error: (10/15/2014 08:35:24 PM) (Source: Perflib) (User: )
Description: PolicyAgent

Error: (10/15/2014 08:35:24 PM) (Source: Perflib) (User: )
Description: OpenIPSecPerformanceDataC:\Windows\System32\ipsecsvc.dllPolicyAgent4

Error: (10/15/2014 08:35:24 PM) (Source: Perflib) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4

Error: (10/15/2014 08:35:23 PM) (Source: Perflib) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (10/15/2014 08:29:49 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid.  hr = 0x80070539.

Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {c8baac95-4286-450d-9c4a-3848965332da}

Error: (10/14/2014 05:25:55 PM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid.  hr = 0x80070539.

Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {a7c58050-9534-4f4b-8ef7-2cef103f33ca}

Error: (10/13/2014 04:08:13 PM) (Source: Application Hang) (User: )
Description: The program wlmail.exe version 15.4.3555.308 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 4e0
Start Time: 01cfe721270b3754
Termination Time: 0

Error: (10/13/2014 04:00:54 PM) (Source: EventSystem) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

System errors:
=============
Error: (10/17/2014 09:46:00 AM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00044B039DCF.  The following error occurred:
%%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Error: (10/17/2014 09:45:01 AM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00044B039DCF.  The following error occurred:
%%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Error: (10/17/2014 09:30:12 AM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00044B039DCF.  The following error occurred:
%%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Error: (10/17/2014 09:11:00 AM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00044B039DCF.  The following error occurred:
%%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Error: (10/17/2014 09:05:18 AM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00044B039DCF.  The following error occurred:
%%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Error: (10/17/2014 09:04:16 AM) (Source: Dhcp) (User: )
Description: Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00044B039DCF.  The following error occurred:
%%121. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Error: (10/17/2014 09:03:11 AM) (Source: Service Control Manager) (User: )
Description: 30000MBAMScheduler

Error: (10/16/2014 04:11:26 PM) (Source: Service Control Manager) (User: )
Description: Windows Update

Error: (10/16/2014 04:08:17 PM) (Source: Service Control Manager) (User: )
Description: Windows Media Player Network Sharing Service%%1053

Error: (10/16/2014 04:08:17 PM) (Source: Service Control Manager) (User: )
Description: 30000Windows Media Player Network Sharing Service

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2014-10-17 13:27:11.841
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-17 13:27:11.591
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-17 13:27:11.342
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-17 13:27:11.108
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-17 11:55:41.179
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-17 11:55:40.961
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-17 11:55:40.742
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-17 11:55:40.524
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-17 11:55:40.305
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-17 11:55:40.087
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\avgidshx.sys because the set of per-page image hashes could not be found on the system.

========================= Devices: ================================

========================= Minidump Files ==================================

No minidump file found

**** End of log ****

[Buddierdl]

Do you still have the screen print to upload for me?

Try ending the MBAM free trial and see if it helps:



If that doesn't help, try uninstalling MBAM. Let me know.

[craigoh]

                  OK it states I am not permitted to upload this file.  It is on a word doco and 158KB in size.  I tried both basic and advance options on the uploaded. 

I will uninstall MBAM.  I just did not want to until you said I was done.  

 

 

 

[Buddierdl]

We still need to clean up and update, but I want to make sure we get all the kinks sorted out first, so let's see if uninstalling MBAM helps. But I would try ending the free trial first, as that removes active protection.

Can you export the document to a PDF to upload it?

[craigoh]

Here I go.  I downloaded a PDF converter...

 

Thank you!

Attached Files

•  MBAM.pdf   314.02KB   128 downloads

[Buddierdl]

Those are nothing to worry about. MBAM just found a few remnants and took care of them.

I hope no adware rode along with the PDF converter!

Have your tried ending the MBAM trial to see if it helped with the slowness and crashes while switching users?

[craigoh]

Hello,

 

I uninstalled MBAM and that seemed to clear it up...Thanks

Removed the converter(I go to CNET to download things like this-hopefully it is clean)

[Buddierdl]

Removed the converter(I go to CNET to download things like this-hopefully it is clean)

Just be careful with CNET installers to uncheck any unwanted extras during the install process.

Okay, let's update now and then we can cleanup.

Please update these programs, as old versions pose a security risk.

• Java
  
  WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
  See this article and this article.
  I would recommend that you completely uninstall Java unless you need it to run an important software.
  In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)
  
  If you do need java, then you should definitely update to the latest version:
  
  Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, then click Remove JRE.
  • Run the built-in uninstallers for all copies of java listed
  • Click the Next button
  • Click the Next button again
  • Click the Java Manual Download link
  • A browser window will open with the Java download page
  • Click the Windows Offline (32-bit) or Windows Offline (64-bit) link to download Java (based on your browser type)
  • Run the installer
  • Close JavaRa
• Adobe Flash -> You can get the latest version here.
• Adobe Reader -> Please uninstall Adobe Reader 8 and 10 using the control panel. Then, you can get the latest version here.
  
  I would recommend securing Adobe Reader against the latest exploits as follows:
  • Launch Adobe Reader.
  • Click on Edit and select Preferences.
  • On the Left, click on the Javascript category and Uncheck Enable Acrobat Javascript.
  • Click on the Security (Enhanced) category and Uncheck Automatically trust sites from my Win OS security zones.
  • Click on the Trust Manager category and Uncheck Allow opening of non-PDF file attachments with external applications.
  • Click the OK button.
• Internet Explorer. One scan showed IE 5 on your computer, but the others show IE 9. Can you verify for me that you have IE 9?

Let me know when you are done, or if you have any questions about the updates.

[craigoh]

Hello,

 

I uninstalled ADOBE and JAVA

 

I reinstalled ADOBE from the links you provided

 

I have IE 9

[Buddierdl]

I uninstalled ADOBE and JAVA

I reinstalled ADOBE from the links you provided

Just to confirm, you updated both Adobe Flash and Adobe Reader, right?

Now for the good part. Subject to no further problems,

Congratulations, Craigoh . Your computer now appears to be clean. Please complete the followings steps to finalize the cleaning process.

It would be a good idea also to reset your firewall in case the malware opened any ports.

Download Delfix from here and save it to your desktop.

• Ensure Remove disinfection tools is checked.
• Also place a checkmark next to:
  • Create registry backup
  • Purge system restore
  
• Click the Run button.
• Any logs or removal tools left over can be deleted now. If ESET is still installed, you can uninstall it from the "Programs and Features" menu in the control panel.

Empty temp files. I would recommend doing this every so often to free up some space on your computer.

Download TFC to your desktop

• Open the file and close any other windows.
• It will close all programs itself when run, make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job
• Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Ensure that Windows is always updated. Keeping Windows updated is very important to prevent security vulnerabilities. I recommend turning on automatic updates following the instructions below:

• First, click on Start and click onAll Programs, then Windows Update.
• Click on Change Settings in the left pane and then check the option for Automatic Updates.

Always ensure that your firewall and anti-virus program are updated and running. These are your first line of defense against infection.

Make sure that you keep all of your programs updated. Out-of-date programs can make your computer more vulnerable to infection. Software manufacturers release updates to fix security problems as they are discovered. Secunia Personal Software Inspector, free to download here, is a good program that will scan your computer looking for programs that need to be updated.

This article has good information about how computers get infected. You can read it for good tips on staying clean and safe.

[craigoh]

Thank you for your help.

[Buddierdl]

You're welcome.