
Help with FBI windowlock encrypt ransomware $300 virus



#31
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • 105 posts

I changed the user mode Windows driver startup from manual to automatic

 

I uninstalled Microsoft Office Click-to-Run 2010

 

I cleared Windows system and application logs

 

Here are the View files

 

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 16/02/2015 6:44:30 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 16/02/2015 11:35:55 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 16/02/2015 11:18:39 PM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.
 

 

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 16/02/2015 6:45:54 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 16/02/2015 11:18:19 PM
Type: Error Category: 0
Event: 8193 Source: VSS
Volume Shadow Copy Service error: Unexpected error calling routine Unexpected error: dwIndex out of scope 6 7.  hr = 0x8000ffff, Catastrophic failure .

Operation:
   OnPostSnapshot event
   PostSnapshot Event

Context:
   Execution Context: Shadow Copy Optimization Writer
   Execution Context: Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {e6b3aa0c-c617-4682-b587-3c0518252c4a}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 16/02/2015 11:35:54 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   8 user registry handles leaked from \Registry\User\S-1-5-21-4215829332-950673753-2765580295-1001:
Process 600 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 600 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 456 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\trust
Process 456 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\Root
Process 600 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\My
Process 600 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\CA
Process 456 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 600 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\Disallowed


Log: 'Application' Date/Time: 16/02/2015 11:18:35 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   5 user registry handles leaked from \Registry\User\S-1-5-21-4215829332-950673753-2765580295-1001:
Process 612 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 612 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 612 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\My
Process 612 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\CA
Process 612 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\Disallowed


Log: 'Application' Date/Time: 16/02/2015 11:18:19 PM
Type: Warning Category: 0
Event: 8229 Source: VSS
A VSS writer has rejected an event with error 0x00000000, The operation completed successfully. . Changes that the writer made to the writer components while handling the event will not be available to the requester. Check the event log for related events from the application hosting the VSS writer.

Operation:
   PostSnapshot Event

Context:
   Execution Context: Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {e6b3aa0c-c617-4682-b587-3c0518252c4a}
   Command Line: C:\Windows\system32\vssvc.exe
   Process ID: 4680

Log: 'Application' Date/Time: 16/02/2015 11:17:57 PM
Type: Warning Category: 51
Event: 3208 Source: Application Virtualization Client
The event description cannot be found.

Log: 'Application' Date/Time: 16/02/2015 11:17:24 PM
Type: Warning Category: 0
Event: 12348 Source: VSS
Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{48d7ed77-480d-11e0-abee-1a659da7f5ba}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly.  Check security on the volume, and try the operation again.

Operation:
   Removing auto-release shadow copies
   Loading provider

Context:
   Execution Context: System Provider
 


  • 0


#32
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • 105 posts

I did reboot before running Event Viewer


  • 0

#33
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,016 posts
  • MVP

OK.  Basically two errors left.  The first is  Volume Shadow Copy Service.  This is used with System Restore and it fails if it tries to monitor something like the Q: drive used in click to run Office.

 

Let's look at System Restore:  Control Panel, (View By: Large icons), System,  System Protection.  Under Protection Settings, verify that only after the Local Drive C:\ does it say ON.  Any other drives should be Off.  If one is On then highlight it and select Configure then Turn Off System Protection.

 

If only C: is ON then select it and Configure and turn it off.  Reboot then go back and turn it on.

 

 

For the Event: 1530.  I'm not really sure.  Lots of people seem to have the same problem on new installs.  The main thing the error does is slow down shutdown.

 

There was a remnant from spybot that hangs out in this area so let's remove it with a fixlist (attached) and FRST.  

 

Download the attached fixlist.txt to the same location as FRST

Run FRST and press Fix

 

I have also seen Superantispyware cause this so you might want to uninstall it to see if the error goes away.

 

Right click on (My) Computer and select Manage (Continue). Then click on the arrow in front of Event Viewer. Next click on the arrow in front of Windows Logs. Right click on Application and Clear Log, Clear.

Reboot.

1. Please download the Event Viewer Tool by Vino Rosso and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:
* Application
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply. (We only need the Application log this time.)

 


  • 0

#34
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • 105 posts

OK I was able to do everything you said.  Your instructions were good.

 

Here is the VEW application log. I can read it, but have no idea what it means.

It does seem to get smaller, which must be good

 

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 16/02/2015 11:45:21 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 17/02/2015 4:41:32 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   5 user registry handles leaked from \Registry\User\S-1-5-21-4215829332-950673753-2765580295-1001:
Process 576 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 576 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001
Process 576 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\My
Process 576 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\CA
Process 576 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-4215829332-950673753-2765580295-1001\Software\Microsoft\SystemCertificates\Disallowed

 


  • 0
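The Event 1530 records above list which process holds each leaked handle on the user's registry hive. As an added example (not code from the thread, from VEW, or from its author), here is a small Python parser for the VEW report format posted above that splits it into records and, for each 1530 record, reports the holding process and whether it runs from the Windows System32 directory (as lsass.exe and svchost.exe do in the logs here); the sample report, its SID, PIDs and the Temp\updater.exe holder are constructed.

```python
import re

# Constructed sample in the VEW format the thread posts; SID, PIDs and the Temp\updater.exe holder are made up.
SAMPLE_REPORT = r"""Vino's Event Viewer v01c run on Windows 2008 in English
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 17/02/2015 4:41:32 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services.     DETAIL -   3 user registry handles leaked from \Registry\User\S-1-5-21-1-2-3-1001:
Process 576 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1-2-3-1001
Process 456 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\SystemCertificates\Root
Process 3120 (\Device\HarddiskVolume2\Users\Alice\AppData\Local\Temp\updater.exe) has opened key \REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Classes
Log: 'Application' Date/Time: 17/02/2015 4:41:30 AM
Type: Warning Category: 0
Event: 8229 Source: VSS
A VSS writer has rejected an event with error 0x00000000, The operation completed successfully.
"""
HEADER_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>.+)$")
TYPE_RE = re.compile(r"^Type: (?P<type>\S+) Category: (?P<cat>\d+)$")
EVENT_RE = re.compile(r"^Event: (?P<id>\d+) Source: (?P<source>.+)$")
HANDLE_RE = re.compile(r"^Process (?P<pid>\d+) \((?P<image>[^)]+)\) has opened key (?P<key>\S+)$")

def parse_vew(text):
    """A record runs from its 'Log:' line to the next 'Log:' or '~~~~' line."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"log": m["log"], "when": m["when"], "message": []}
            records.append(cur)
        elif cur is None or line.startswith("~~~~"):
            cur = None  # preamble or section separator: nothing to attach to
        elif (m := TYPE_RE.match(line)):
            cur["type"] = m["type"]
        elif (m := EVENT_RE.match(line)):
            cur["event_id"], cur["source"] = int(m["id"]), m["source"]
        else:
            cur["message"].append(line)  # free text, including the handle lines
    return records

def leaked_handles(records):
    """(pid, image name, trusted) per event 1530 handle line; trusted = runs from Windows System32."""
    out = []
    for r in records:
        if r.get("event_id") != 1530:
            continue
        for line in r["message"]:
            m = HANDLE_RE.match(line)
            if m:
                trusted = "\\windows\\system32\\" in m["image"].lower()
                out.append((int(m["pid"]), m["image"].rsplit("\\", 1)[-1], trusted))
    return out
```

Run against a real VEW report, a holder outside System32 in the output is the one to look up before deciding the 1530 warning is harmless.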

#35
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,016 posts
  • MVP

The last error is probably something you will have to live with.  It's possible that it comes from Norton/Symantec or possibly from MBAM since I don't have the error and I don't have either program.  Lsass is something to do with security which is why I'm pointing at them.  The registry entry in question is your login.

 

Let's do a boot log just to be sure there is nothing odd loading.

 

When you get to Step 3 Substep 2.  Copy and paste the text from Notepad into a reply.
 
(If you get a pop up just click on No Thanks I know everything)

  • 0

#36
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • 105 posts

The txt file looked long so I am attaching it.

Attached File: ntbtlog.txt (128.14KB, 41 downloads)


  • 0

#37
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,016 posts
  • MVP

What make and model is this PC?  I think it needs the chipset utility.  Also it looks like Norton/Symantec is not quite right.  


  • 0

#38
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • 105 posts

This is a Hewlett-Packard Pavilion Elite

Model HPE 400Z

BIOS American Megatrends 6.09 9/7/2010

x64 based system

Memory 8.00 GB

 

I have been using Norton antivirus products for several years, but I am not really happy with their virus protection or their support.

The Norton 360 does have a lot of other features such as Norton safesearch, the vault for storing passwords, tuneup running in background, etc. that are useful

 

I don't think their actual virus protection is so good. I have been considering changing to another brand. I wonder if you can recommend what protections I should use with my limited knowledge of computers.


  • 0

#39
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,016 posts
  • MVP

Do you have the latest BIOS?  Your PC has more than 4 GB RAM and the latest BIOS says:

 
H-RS880-uATX Motherboard BIOS update resolves an issue with resuming from sleep mode on systems configured with 4GB or more of memory. More details

Released: 2013-05-08  |  Size: 1.62M
Version 6.09
 
 
 
Not our problem but thought it was interesting.
 
I don't see a chipset utility so do you have this one?
 
 
AMD Unified Graphics Driver Update
This package provides the driver update for the AMD/ATI Radeon HD graphics solutions in supported models that are running a supported operating system. More details

Released: 2012-11-15  |  Size: 120.69M
Version 8.892.1.1000
 
 
Both of these are from:
 
 
Look for 
 
BIOS(1)
 
and 
 
Driver-Graphics(1)
 
and click on the + after each to get to the download page.
 
 
As far as anti-virus, Norton is a CPU hog and really slows things down.  I use the free Avast which doesn't have things like password vault or a firewall but does have a boot-time scan which is the best around even though it takes all night to run.  If you are willing to pay for an anti-virus then Kaspersky is the best.  We very seldom see anyone with Kaspersky on the malware forum.  If you switch to another anti-virus then make sure you cancel your auto-renewal with Norton/Symantec.  Even if you don't switch it appears Norton has been damaged so it needs to be uninstalled and reinstalled.  Make sure you have your license or account info so you can reinstall it.

 

After you have done that then:
 
delete the old c:\windows\ntbtlog.txt file, reboot and post the new ntbtlog.txt

  • 0

#40
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • 105 posts

I ordered this PC from HP, I guess in 2010. The RAM and BIOS are what came with the PC; I have not added anything until just now.

 

I downloaded and installed BIOS(1) and Driver-Graphics(1) updates.

 

Here is the new ntbtlog.txt

 

 

Attached File: ntbtlog.txt (17.32KB, 85 downloads)

 

I have not uninstalled and reinstalled Norton yet. Should I do that now and then get a new ntbtlog?


  • 0


#41
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,016 posts
  • MVP

Looks a lot better. The AMD driver problems are gone.

 

Yes let's reinstall Norton and then make a new ntbtlog.  Actually now that I think of it could you make one after uninstalling Norton then a second one after the reinstall?

 

I want to make sure that the no name drivers are Norton's and not some super spyware.


  • 0

#42
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • 105 posts

I have a problem.

Windows now won't start in normal mode


  • 0

#43
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • 105 posts

I am now in safe mode networking


  • 0

#44
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • 105 posts

I went to the Norton My Account site to get my key before uninstalling. The website was not working so I went to Norton support chat and a guy from India gave me my key. It was correct, because I had found it written down. However, he told me I might have a problem because he saw my computer had a proxy connection enabled.

He gave me the Norton website to download the new installation.

I went to the site, downloaded Norton 360 and installed it.

The problem began when I tried to activate the program. Somewhere in the process it told me I had to be connected to the internet and suddenly things wouldn't work, so I rebooted and got a flash of a blue screen with horizontal lines. When I tried to sign into my account it wouldn't boot normally, but gave me the black screen with options for booting. Since starting normally wouldn't work, I booted into safe mode with networking, where I am now... Fun fun fun, not funny.


  • 0

#45
wharriss

wharriss

    Member

  • Topic Starter
  • Member
  • 105 posts

The netlog in the above post is from before I uninstalled the Norton product. I don't think the Norton product I tried to install from the download site given by the Norton rep is fully installed, and it is certainly not activated.


Edited by wharriss, 17 February 2015 - 04:04 PM.

  • 0
