
Possible virus, pc slow, 3 threats in Malwarebytes, yahoo won't op

#1 mango_nj

Possible virus. Laptop has been slow, crashed a couple of times, and Malwarebytes detected
PUP.Optional.Conduit - 3 threats. They were advised to quarantine. Malwarebytes also
advised to use the AdwCleaner program as well, which I did.

Upon doing so I downloaded and tried to open the new yahoo messenger v0.8.109. I get an
error message stating this and it will not open:

The message entry point GetCurrentProcessedExplicitAppUsedModel1D
could not be located in the dynamic link library SHELL32.dll


I looked this up online and it stated that maybe something in my system is mimicking that DLL.
Could be a virus. I have attached copies of the Malwarebytes threats, AdwCleaner report
and a screenshot of the error in Yahoo. If you would like them, I'll attach them.

Problem just started 2 days ago. Appreciate your help.

___________________________________________________________________________

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-08-2016
Ran by Dove (administrator) on DOVE-PC (03-08-2016 17:38:16)
Running from C:\Users\Dove\Desktop
Loaded Profiles: Dove (Available Profiles: Dove)
Platform: Microsoft® Windows Vista™ Business  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/


==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ccfaa5a9\stacsv.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(ABBYY) C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
(LSI Corporation) C:\Program Files\LSI SoftModem\agrsmsvc.exe
(AO Kaspersky Lab) C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Renesas Electronics Corporation) C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
() C:\Program Files\Lexmark Pro710 Series\LMADImon.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(AO Kaspersky Lab) C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avpui.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [865840 2007-04-26] (Synaptics, Inc.)
HKLM\...\Run: [NUSB3MON] => C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [442433 2008-05-06] (IDT, Inc.)
HKU\S-1-5-21-2216220318-1106448592-600384341-1001\...\Run: [LMab1err] => C:\Program Files\Lexmark\ErrorApp\LMab1err.exe [643752 2011-04-12] ()
HKU\S-1-5-21-2216220318-1106448592-600384341-1001\...\Run: [LMADImon] => C:\Program Files\Lexmark Pro710 Series\LMADImon.exe [946856 2011-06-17] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 8.8.4.4
Tcpip\..\Interfaces\{9B5A4C48-295C-4B98-A706-5F511E86EB2E}: [DhcpNameServer] 192.168.111.1
Tcpip\..\Interfaces\{BB57FBF3-12C1-439E-BFCB-735CC16F6CCE}: [DhcpNameServer] 4.2.2.1 4.2.2.2
Tcpip\..\Interfaces\{E6C4AA84-B6F4-4CD5-BA96-1FE9DF27274C}: [DhcpNameServer] 8.8.8.8 8.8.4.4

Internet Explorer:
==================
HKU\S-1-5-21-2216220318-1106448592-600384341-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://yahoo.com/
SearchScopes: HKU\S-1-5-21-2216220318-1106448592-600384341-1001 -> DefaultScope {2FF3A029-70DF-4610-85BE-8832A2B01AE9} URL =
SearchScopes: HKU\S-1-5-21-2216220318-1106448592-600384341-1001 -> {85A60A59-D3D8-468F-B598-FB4393789EF4} URL = hxxps://www.google.com/search?q={searchTerms}
BHO: Kaspersky Protection -> {03993315-5CE9-4F00-8790-D14A94F1D91A} -> C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\IEExt\ie_plugin.dll [2015-12-22] (AO Kaspersky Lab)
Toolbar: HKLM - Kaspersky Protection Toolbar - {001032CB-B0AC-4F2C-A650-AD4B2B26E5DA} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\IEExt\ie_plugin.dll [2015-12-22] (AO Kaspersky Lab)

FireFox:
========
FF ProfilePath: C:\Users\Dove\AppData\Roaming\Mozilla\Firefox\Profiles\i0zg0oga.default
FF NewTab: hxxp://yahoo.com/
FF DefaultSearchEngine: Google
FF SelectedSearchEngine: Google
FF Homepage: hxxp://yahoo.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-31] ()
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF SearchPlugin: C:\Users\Dove\AppData\Roaming\Mozilla\Firefox\Profiles\i0zg0oga.default\searchplugins\google-lavasoft.xml [2016-07-25]
FF Extension: Adblock Plus - C:\Users\Dove\AppData\Roaming\Mozilla\Firefox\Profiles\i0zg0oga.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-28]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2015-01-31] [not signed]
FF HKLM\...\Firefox\Extensions: [[email protected]] - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\FFExt\light_plugin_firefox\addon.xpi
FF Extension: Kaspersky Protection - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\FFExt\light_plugin_firefox\addon.xpi [2016-04-29]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [lpeeaghdjmhlakojjcgfdhgcejdaefmi] - hxxps://chrome.google.com/webstore/detail/lpeeaghdjmhlakojjcgfdhgcejdaefmi

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-03-27] (LSI Corporation) [File not signed]
R2 AVP16.0.1; C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe [236928 2015-12-22] (AO Kaspersky Lab)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_ccfaa5a9\STacSV.exe [221239 2008-05-06] (IDT, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AgereSoftModem; C:\Windows\System32\DRIVERS\AGRSM.sys [1161696 2009-07-09] (LSI Corporation) [File not signed]
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [201912 2015-07-06] (Kaspersky Lab ZAO)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [155304 2015-09-11] (Kaspersky Lab ZAO)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [46776 2015-06-06] (Kaspersky Lab ZAO)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [66440 2015-12-01] (AO Kaspersky Lab)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [67456 2015-12-02] (AO Kaspersky Lab)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [145800 2015-12-11] (AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [53160 2016-04-29] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [776624 2016-04-29] (AO Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [45144 2016-04-29] (AO Kaspersky Lab)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [46464 2015-11-11] (AO Kaspersky Lab)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [38072 2015-06-07] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [41864 2015-12-07] (AO Kaspersky Lab)
R1 kltdf; C:\Windows\System32\DRIVERS\kltdf.sys [83328 2015-11-23] (AO Kaspersky Lab)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [54328 2015-06-11] (Kaspersky Lab ZAO)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [161672 2015-12-03] (AO Kaspersky Lab)
S3 nusb3hub; C:\Windows\System32\DRIVERS\nusb3hub.sys [62208 2010-11-19] (Renesas Electronics Corporation)
S3 nusb3xhc; C:\Windows\System32\DRIVERS\nusb3xhc.sys [141568 2010-11-19] (Renesas Electronics Corporation)
R3 RTL85n86; C:\Windows\System32\DRIVERS\RTL85n86.sys [311808 2006-11-02] (Realtek)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
U4 klkbdflt2; system32\DRIVERS\klkbdflt2.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-03 17:38 - 2016-08-03 17:40 - 00009202 _____ C:\Users\Dove\Desktop\FRST.txt
2016-08-03 17:37 - 2016-08-03 17:38 - 00000000 ____D C:\FRST
2016-08-03 17:32 - 2016-08-03 17:32 - 01743872 _____ (Farbar) C:\Users\Dove\Desktop\FRST.exe
2016-08-02 17:47 - 2016-08-02 17:47 - 00000000 ____D C:\Users\Dove\AppData\Local\yahoomessenger
2016-08-02 17:21 - 2016-08-02 17:47 - 00000000 ____D C:\Users\Dove\AppData\Local\SquirrelTemp
2016-08-02 17:19 - 2016-08-02 17:29 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-08-02 11:28 - 2016-08-02 11:34 - 00000000 ____D C:\AdwCleaner
2016-08-02 11:18 - 2016-08-02 11:19 - 03712064 _____ C:\Users\Dove\Desktop\adwcleaner_5.201.exe
2016-07-28 15:51 - 2016-08-02 11:44 - 00000000 ____D C:\Program Files\DAUM
2016-07-24 15:58 - 2016-07-24 15:58 - 00000969 _____ C:\Users\Dove\Desktop\Auslogics Disk Defrag.lnk
2016-07-24 15:58 - 2016-07-24 15:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auslogics
2016-07-24 15:58 - 2016-07-24 15:58 - 00000000 ____D C:\ProgramData\Auslogics
2016-07-24 15:58 - 2016-07-24 15:58 - 00000000 ____D C:\Program Files\Auslogics
2016-07-18 04:44 - 2016-08-03 17:16 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2016-07-18 04:44 - 2016-07-18 04:44 - 00001960 _____ C:\Users\Public\Desktop\Kaspersky Anti-Virus.lnk
2016-07-18 04:44 - 2016-07-18 04:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Anti-Virus
2016-07-18 04:44 - 2016-07-18 04:44 - 00000000 ____D C:\Program Files\Kaspersky Lab
2016-07-18 04:43 - 2016-04-29 06:12 - 00776624 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klif.sys
2016-07-18 04:43 - 2016-04-29 06:12 - 00053160 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klhk.sys
2016-07-18 04:43 - 2015-12-11 17:27 - 00145800 _____ (AO Kaspersky Lab) C:\Windows\system32\Drivers\klflt.sys
2016-07-18 03:29 - 2016-07-18 03:30 - 12819016 _____ (Kaspersky Lab ZAO) C:\Users\Dove\Desktop\kavremvr.exe
2016-07-17 20:11 - 2016-07-17 20:12 - 00000000 ____D C:\Users\Dove\AppData\Roaming\SumatraPDF
2016-07-15 03:09 - 2016-06-10 07:19 - 02071040 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-07-15 03:08 - 2016-06-25 08:37 - 00626176 _____ (Microsoft Corporation) C:\Windows\system32\localspl.dll
2016-07-15 03:08 - 2016-06-25 08:37 - 00443904 _____ (Microsoft Corporation) C:\Windows\system32\win32spl.dll
2016-07-15 03:08 - 2016-06-25 08:37 - 00216064 _____ (Microsoft Corporation) C:\Windows\system32\ntprint.dll
2016-07-15 03:08 - 2016-06-25 08:37 - 00122880 _____ (Microsoft Corporation) C:\Windows\system32\inetpp.dll
2016-07-15 03:08 - 2016-06-25 07:40 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\ntprint.exe
2016-07-14 10:15 - 2016-06-20 10:50 - 01815552 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-07-14 10:15 - 2016-06-20 10:48 - 12842496 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-07-14 10:15 - 2016-06-20 10:46 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-07-14 10:15 - 2016-06-20 10:45 - 09755136 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-07-14 10:15 - 2016-06-20 10:45 - 01140224 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-07-14 10:15 - 2016-06-20 10:44 - 01129984 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-07-14 10:15 - 2016-06-20 10:43 - 01804800 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-07-14 10:15 - 2016-06-20 10:43 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-07-14 10:15 - 2016-06-20 10:43 - 00719360 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-07-14 10:15 - 2016-06-20 10:43 - 00425472 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-07-14 10:15 - 2016-06-20 10:43 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2016-07-14 10:15 - 2016-06-20 10:43 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-07-14 10:15 - 2016-06-20 10:43 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-07-14 10:15 - 2016-06-20 10:42 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-07-14 10:15 - 2016-06-20 10:42 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-07-14 10:15 - 2016-06-20 10:42 - 00354304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-07-14 10:15 - 2016-06-20 10:42 - 00223744 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-07-14 10:15 - 2016-06-20 10:42 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-07-14 10:15 - 2016-06-20 10:42 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-07-14 10:15 - 2016-06-20 10:42 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2016-07-14 10:15 - 2016-06-20 10:42 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2016-07-14 10:15 - 2016-06-20 10:42 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-03 17:27 - 2006-11-02 05:47 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-03 17:27 - 2006-11-02 05:47 - 00003616 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-03 10:50 - 2006-11-02 06:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-03 06:32 - 2006-11-02 06:01 - 00032618 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-08-03 06:03 - 2015-07-22 22:15 - 00000000 ____D C:\Users\Dove\AppData\Roaming\Skype
2016-08-02 18:02 - 2015-07-22 19:43 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-02 17:29 - 2015-07-23 03:02 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-07-31 14:27 - 2015-07-22 20:55 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2016-07-31 14:27 - 2015-07-22 20:55 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2016-07-31 14:27 - 2015-07-22 20:54 - 00000000 ____D C:\Users\Dove\AppData\Local\Adobe
2016-07-31 14:26 - 2015-07-22 20:55 - 00000000 ____D C:\Windows\system32\Macromed
2016-07-28 14:48 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\inf
2016-07-28 14:48 - 2006-11-02 03:33 - 00758370 _____ C:\Windows\system32\PerfStringBackup.INI
2016-07-26 14:24 - 2015-01-30 21:01 - 00406184 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2016-07-23 03:47 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\system32\spool
2016-07-18 04:44 - 2015-07-22 18:33 - 00000000 ____D C:\Users\Dove
2016-07-15 14:09 - 2006-11-02 04:18 - 00000000 ____D C:\Windows\rescache
2016-07-15 13:45 - 2006-11-02 05:47 - 00228936 _____ C:\Windows\system32\FNTCACHE.DAT
2016-07-15 03:05 - 2015-09-18 13:53 - 00000000 ____D C:\Windows\system32\MRT
2016-07-15 03:00 - 2006-11-02 03:24 - 141983760 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2016-07-12 00:54 - 2015-07-22 22:15 - 00000000 ___RD C:\Program Files\Skype
2016-07-12 00:54 - 2015-07-22 22:14 - 00000000 ____D C:\ProgramData\Skype

==================== Files in the root of some directories =======

2015-07-22 19:21 - 2015-07-22 19:21 - 0003584 _____ () C:\Users\Dove\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-07-22 18:49 - 2015-07-22 18:49 - 0017408 _____ () C:\Users\Dove\AppData\Local\WebpageIcons.db
2016-07-17 18:26 - 2016-07-17 18:35 - 0000798 _____ () C:\ProgramData\LMADIscan.log

Some files in TEMP:
====================
C:\Users\Dove\AppData\Local\Temp\libeay32.dll
C:\Users\Dove\AppData\Local\Temp\msvcr120.dll
C:\Users\Dove\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-08-03 10:56

==================== End of FRST.txt ============================

___________________________________________________________________________

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-08-2016
Ran by Dove (2016-08-03 17:40:27)
Running from C:\Users\Dove\Desktop
Microsoft® Windows Vista™ Business  Service Pack 2 (X86) (2015-01-20 03:30:40)
Boot Mode: Normal

==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2216220318-1106448592-600384341-500 - Administrator - Disabled)
Dove (S-1-5-21-2216220318-1106448592-600384341-1001 - Administrator - Enabled) => C:\Users\Dove
Guest (S-1-5-21-2216220318-1106448592-600384341-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Kaspersky Anti-Virus (Enabled - Up to date) {86367591-4BE4-AE08-2FD9-7FCB8259CD98}
AS: Kaspersky Anti-Virus (Enabled - Up to date) {3D579475-6DDE-A186-1569-44B9F9DE8725}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ABBYY FineReader 9.0 Sprint (HKLM\...\ABBYY FineReader 9.0 Sprint) (Version: 9.00.595.5857 - ABBYY)
ABBYY FineReader 9.0 Sprint (Version: 9.00.595.5857 - ABBYY) Hidden
Adobe Flash Player 18 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Flash Player 22 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Auslogics Disk Defrag (HKLM\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: 7.0.0.0 - Auslogics Labs Pty Ltd)
IDT Audio (HKLM\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.5939.0 - IDT)
Kaspersky Anti-Virus (HKLM\...\InstallWIX_{F575F386-57EF-4943-B003-A13F13B05EEB}) (Version: 16.0.1.445 - Kaspersky Lab)
Kaspersky Anti-Virus (Version: 16.0.1.445 - Kaspersky Lab) Hidden
Lexmark Pro710 Series Uninstaller (HKLM\...\Lexmark Pro710 Series) (Version:  - Lexmark International, Inc.)
LSI HDA Modem (HKLM\...\LSI Soft Modem) (Version: 2.2.96 - LSI Corporation)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Mozilla Firefox 48.0 (x86 en-US) (HKLM\...\Mozilla Firefox 48.0 (x86 en-US)) (Version: 48.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 48.0.0.6051 - Mozilla)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.30.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (Version: 2.0.30.0 - Renesas Electronics Corporation) Hidden
Skype™ 7.25 (HKLM\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.25.106 - Skype Technologies S.A.)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 9.2.3.0 - Synaptics)
Yahoo Messenger (HKU\S-1-5-21-2216220318-1106448592-600384341-1001\...\yahoomessenger) (Version: 0.8.109 - Yahoo! Inc)
Yahoo! Messenger (HKLM\...\Yahoo! Messenger) (Version:  - Yahoo! Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {D2413F01-8007-4B1A-A8E3-F593013A6958} - System32\Tasks\LexmarkPUDCTask => C:\Program Files\Lexmark\ProductUpdate\LMprodupdate.exe [2011-06-03] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2007-01-25 22:11 - 2007-01-25 22:11 - 00159744 _____ () C:\Windows\system32\atitmmxx.dll
2015-12-22 02:47 - 2015-12-22 02:47 - 00794920 _____ () C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\kpcengine.2.3.dll
2015-12-30 15:48 - 2011-06-17 12:36 - 00946856 _____ () C:\Program Files\Lexmark Pro710 Series\LMADImon.exe
2015-12-30 15:48 - 2011-06-24 06:02 - 01454080 _____ () C:\Program Files\Lexmark Pro710 Series\lmabdrs.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2216220318-1106448592-600384341-1001\...\localhost -> localhost

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 03:23 - 2006-09-18 14:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost
::1             localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2216220318-1106448592-600384341-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Dove\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 1) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Skype => "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: SysTrayApp => %ProgramFiles%\IDT\WDM\sttray.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [SLSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [SLSVC-In-TCP] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [{2417CF08-EAE7-411E-972D-7A56E22D546B}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
FirewallRules: [{204ABA10-196D-47C0-9F08-8B8891D2D40C}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{F9C01264-C95A-444A-8E44-85DDDC0EB828}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{0F4B8263-1CE0-4349-BC4B-9A16856D5965}] => (Allow) LPort=80
FirewallRules: [{CFA5A0B1-CDEF-4E94-BBCD-1A66FEA4153C}] => (Allow) LPort=80
FirewallRules: [{5731FF9F-0B95-4B68-8A14-006918752416}] => (Allow) LPort=80
FirewallRules: [{A60EFE27-DFC2-4404-B24E-1633A16490D2}] => (Allow) C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{9417B87D-6518-4F45-819F-585B8F572602}] => (Allow) C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{572437A3-41F8-4EE0-B70C-769329A4FA0F}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{E703FD98-1CB0-4AC1-893C-8D5E1E9F992E}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{98282958-9215-40C1-BEE6-8C22F2002A11}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{10489D24-756B-4EC8-ACE4-7DC1B8EBAA7C}] => (Allow) C:\Program Files\Lexmark\Status Center\lmsmc.exe
FirewallRules: [{60057A31-0156-439E-B0AB-B6789287314E}] => (Allow) C:\Program Files\Lexmark\Status Center\lmsmc.exe
FirewallRules: [{6631AA9F-79D0-41B3-BD42-C7B567325216}] => (Allow) C:\Program Files\Lexmark\PSU\lmpsu.exe
FirewallRules: [{4EF1364F-D641-4058-899E-33C4CDA514AB}] => (Allow) C:\Program Files\Lexmark\PSU\lmpsu.exe
FirewallRules: [{3EF263C9-2244-4CB0-87AD-FEEF8BD8C271}] => (Allow) C:\Program Files\Lexmark\WirelessSetup\LMwpss.exe
FirewallRules: [{E9AB6F4D-080B-4416-82C0-F05EE87E3501}] => (Allow) C:\Program Files\Lexmark\WirelessSetup\LMwpss.exe
FirewallRules: [{1BA00E2B-8F99-42BB-94FB-EEB3FC902CB5}] => (Allow) C:\Program Files\Lexmark Pro710 Series\LMADImon.exe
FirewallRules: [{85F448D2-F47E-4EB9-A998-F56972ADE803}] => (Allow) C:\Program Files\Lexmark Pro710 Series\LMADImon.exe
FirewallRules: [{01C41C7B-2232-40A3-9DAA-B57FEB23EEDB}] => (Allow) C:\Program Files\Lexmark Pro710 Series\LMADIlscn.exe
FirewallRules: [{C591EF8F-C56D-4921-89C8-31D3F96A0292}] => (Allow) C:\Program Files\Lexmark Pro710 Series\LMADIlscn.exe
FirewallRules: [{C58AF16A-99D6-4788-909E-AF60B1700358}] => (Allow) C:\Program Files\Lexmark Pro710 Series\LMabscw.dll
FirewallRules: [{C93D3165-5155-4469-B7A5-FD5C18EF2E8D}] => (Allow) C:\Program Files\Lexmark Pro710 Series\LMabscw.dll
FirewallRules: [{6F606BC4-409F-4AE8-8FCA-03BC729AAD86}] => (Allow) C:\Program Files\Lexmark\NetworkTwain\LMZZZ_32__bc.dll
FirewallRules: [{4BE9F968-A796-4FF1-A939-25D55ABE9C6F}] => (Allow) C:\Program Files\Lexmark\NetworkTwain\LMZZZ_32__bc.dll
FirewallRules: [{F6CA1A55-6759-4A18-83DC-C2E70415E123}] => (Allow) C:\Program Files\Lexmark\NetworkTwain\LMzzz_32serv.dll
FirewallRules: [{307D20A9-D646-443A-8B0C-6CA8761CEA1F}] => (Allow) C:\Program Files\Lexmark\NetworkTwain\LMzzz_32serv.dll
FirewallRules: [{AD69FF8C-3C56-4A7E-83BA-DF6FCFCEDDA7}] => (Allow) C:\Program Files\Lexmark\NetworkTwain\lextwprotocol.dll
FirewallRules: [{C40667EC-6552-4857-9497-8E11A3F488D9}] => (Allow) C:\Program Files\Lexmark\NetworkTwain\lextwprotocol.dll
FirewallRules: [{23BDF513-AA96-499C-9937-C0734F5A5A37}] => (Allow) C:\Windows\twain_32\Lexmark\NetworkTwain\lexnetworkds.ds
FirewallRules: [{79AB66D2-81FD-490A-8622-79D1F24975F3}] => (Allow) C:\Windows\twain_32\Lexmark\NetworkTwain\lexnetworkds.ds
FirewallRules: [TCP Query User{72A924F8-08F6-464B-BB9C-6D034DD68AB4}C:\program files\lexmark pro710 series\lmadimon.exe] => (Block) C:\program files\lexmark pro710 series\lmadimon.exe
FirewallRules: [UDP Query User{03FAD172-E40D-495F-B660-8CD127F09F70}C:\program files\lexmark pro710 series\lmadimon.exe] => (Block) C:\program files\lexmark pro710 series\lmadimon.exe

==================== Restore Points =========================

Check "winmgmt" service or repair WMI.


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (08/03/2016 05:41:56 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80070422.


Operation:
   Instantiating VSS server

Error: (08/03/2016 05:41:56 PM) (Source: VSS) (EventID: 39) (User: )
Description: Volume Shadow Copy Service error:  The Volume Shadow Copy service (VSS) is disabled.  Please
enable the service and try again.


Operation:
   Instantiating VSS server

Error: (08/03/2016 10:51:57 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/03/2016 02:42:38 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application YahooMessenger.exe, version 11.5.0.228, time stamp 0x4fbf6b79, faulting module Flash32_18_0_0_209.ocx_unloaded, version 0.0.0.0, time stamp 0x55a1edba, exception code 0xc0000005, fault offset 0x04737ad0,
process id 0xacc, application start time 0xYahooMessenger.exe0.

Error: (08/02/2016 05:30:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/02/2016 11:38:43 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/02/2016 10:34:13 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/02/2016 04:03:23 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point on volume (Process = C:\Windows\system32\svchost.exe -k netsvcs; Descripton = Windows Update; Hr = 0x8000ffff).

Error: (08/02/2016 04:03:22 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80070422.


Operation:
   Instantiating VSS server

Error: (08/02/2016 04:03:22 AM) (Source: VSS) (EventID: 39) (User: )
Description: Volume Shadow Copy Service error:  The Volume Shadow Copy service (VSS) is disabled.  Please
enable the service and try again.


Operation:
   Instantiating VSS server


System errors:
=============
Error: (08/02/2016 11:34:36 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Presentation Foundation Font Cache 4.0.0.0101Restart the service

Error: (08/02/2016 11:34:35 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Windows Media Player Network Sharing Service1300001Restart the service

Error: (08/02/2016 11:34:35 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Agere Modem Call Progress Audio1

Error: (08/02/2016 11:34:35 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Software Licensing11200001Restart the service

Error: (08/02/2016 11:34:35 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: ABBYY FineReader 9.0 Sprint Licensing Service1

Error: (08/02/2016 11:34:35 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Print Spooler1600001Restart the service

Error: (08/02/2016 11:34:35 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Audio Service1

Error: (08/01/2016 01:23:40 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (07/28/2016 02:41:11 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 2:36:50 PM on 7/28/2016 was unexpected.

Error: (07/24/2016 03:47:05 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 3:43:41 PM on 7/24/2016 was unexpected.


CodeIntegrity:
===================================
  Date: 2016-08-03 17:40:21.082
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\klif.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-03 17:40:20.858
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\klif.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-03 17:40:20.636
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\klif.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-03 17:40:20.418
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\klif.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-03 17:40:20.177
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\klhk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-03 17:40:19.957
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\klhk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-03 17:40:19.742
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\klhk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-03 17:40:19.523
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\klhk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-03 17:40:19.270
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\klflt.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-03 17:40:19.057
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\klflt.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Core™ Duo CPU T2500 @ 2.00GHz
Percentage of memory in use: 79%
Total physical RAM: 1981.39 MB
Available physical RAM: 403.09 MB
Total Virtual: 4225.99 MB
Available Virtual: 2710.04 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.79 GB) (Free:89.9 GB) NTFS ==>[drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 111.8 GB) (Disk ID: B5DFB5DF)
Partition 1: (Active) - (Size=111.8 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================





#2
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
 
Right click on (My) Computer and select Manage (Continue) Then click on the arrow in front of Event Viewer. Next Click on the arrow in front of Windows Logs Right click on System and Clear Log, Clear. Repeat for Application.
 
Reboot. 
 
Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator.  Then type (with an Enter after each line).
sfc  /scannow
 
 
 
Copy the next two lines:
 
findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  \windows\logs\cbs\junk.txt 
notepad \windows\logs\cbs\junk.txt 
 
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
Hit Enter. Copy and paste the text from notepad or if it is too big, just attach the file.
 
 
1. Please download the Event Viewer Tool by Vino Rosso
and save it to your Desktop:
2. Right-click VEW.exe and Run As Administrator
3. Under 'Select log to query', select:
 
* System
4. Under 'Select type to list', select:
* Error
* Warning
 
 
Then use the 'Number of events' as follows:
 
 
1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.
 
 
Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)
 
 
 
 
 
Get Process Explorer
 
Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).  
 
View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures
 
 
Click twice on the CPU column header  to sort things by CPU usage with the big hitters at the top.  
 
Wait a full minute then:
 
File, Save As, Save.  Note the file name.   Open the file  on your desktop and copy and paste the text to a reply.
 
Get the free version of Speccy:
 
http://www.filehippo...download_speccy (Look in the upper right for the Download
Latest Version button  - Do NOT press the large Start Download button on the upper left!)  
Download, Save and Install it.  Tell it you do not need CCLEANER.    Run Speccy.  When it finishes (the little icon in the bottom left will stop moving), 
File, Save as Text File,  (to your desktop) note the name it gives. OK.  Open the file in notepad and delete the line that gives the serial number of your Operating System.  
(It will be near the top about 10 lines down.) Save the file.  Attach the file to your next post.  (More Reply Options, Choose File, Open, Attach This File)
 


#3
mango_nj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 206 posts

HI RKinner!! Thank you for the "expert help"...I will be out of town until Monday afternoon.

Please bear with me, so my incident is not closed....I will get all of your directions done ASAP!

If I have any questions, I'll surely message you. Thanks so much..I'm on it!!!



#4
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

No hurry.  I'm one of the few who doesn't lock post for inactivity.



#5
mango_nj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 206 posts

Hi RKinner....

 

I have a question. Instructions were to: Next Click on the arrow in front of Windows Logs Right click on System and Clear Log, Clear. Repeat for Application

Only category I found is called "LOG SUMMARY" ...I don't see Windows Logs.
I saw System and Application. When I right click on them it only gives me
2 options and none is to Clear Log. Did I do this correctly? Pls advise.

1)view requests in this log
2)Help

I do not see a clear log option --> see attached
 



#6
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Not sure where you are.  This is about what it should look like:

 

 

This is from a Win 7 as I no longer have a Vista but it should be the same.  

 

 

The following should also clear the logs:

 

Copy the next two lines:

 

wevtutil cl System
wevtutil cl Application 

 

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
Hit Enter. Prompt should return.

 

 

If clearing the alarms is too hard just note the time when you reboot and I'll sort through them.



#7
mango_nj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 206 posts

Hi RKinner!!!  Sorry about that. I was in the wrong area of the event viewer. All cleared up.

The Notepad log saved from command prompt and Speccy...I attached.

 

Thank you for being so patient and all the help you've been providing  :D

 

 

 

 

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 08/08/2016 1:20:18 PM ----SYSTEM


Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

Vino's Event Viewer v01c run on Windows Vista in English
Report run at 08/08/2016 1:23:12 PM -- APPLICATION


Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 08/08/2016 7:46:25 PM
Type: Error Category: 0
Event: 10 Source: Microsoft-Windows-WMI
Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 08/08/2016 7:43:33 PM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   11 user registry handles leaked from \Registry\User\S-1-5-21-2216220318-1106448592-600384341-1001:
Process 512 (\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2216220318-1106448592-600384341-1001
Process 512 (\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2216220318-1106448592-600384341-1001
Process 512 (\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2216220318-1106448592-600384341-1001
Process 512 (\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2216220318-1106448592-600384341-1001
Process 512 (\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2216220318-1106448592-600384341-1001\Software\Microsoft\SystemCertificates\My
Process 512 (\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2216220318-1106448592-600384341-1001\Software\Microsoft\SystemCertificates\CA
Process 512 (\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2216220318-1106448592-600384341-1001\Software\Microsoft\SystemCertificates\trust
Process 512 (\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2216220318-1106448592-600384341-1001\Software\Microsoft\SystemCertificates\Disallowed
Process 512 (\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2216220318-1106448592-600384341-1001\Software\Microsoft\SystemCertificates\Root
Process 512 (\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2216220318-1106448592-600384341-1001\Software\Microsoft\SystemCertificates\SmartCardRoot
Process 512 (\Device\HarddiskVolume1\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 16.0.1\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2216220318-1106448592-600384341-1001\Software\Microsoft\SystemCertificates\TrustedPeople

 

 

___________________________________________________________________________________________________________

 

Process Explorer

 

Process    CPU    Private Bytes    Working Set    PID    Description    Company Name
agrsmsvc.exe        768 K    2,496 K    480    LSI Soft Modem Call Progress Service    LSI Corporation
audiodg.exe        12,944 K    14,964 K    1264    Windows Audio Device Graph Isolation     Microsoft Corporation
avpui.exe        86,744 K    4,172 K    3728    Kaspersky Anti-Virus    AO Kaspersky Lab
dwm.exe        1,124 K    3,696 K    1776    Desktop Window Manager    Microsoft Corporation
lsass.exe        3,124 K    2,260 K    732    Local Security Authority Process    Microsoft Corporation
lsm.exe        1,764 K    3,956 K    740    Local Session Manager Service    Microsoft Corporation
mobsync.exe        3,212 K    6,756 K    3192    Microsoft Sync Center    Microsoft Corporation
MSASCui.exe        5,708 K    8,552 K    552    Windows Defender User Interface    Microsoft Corporation
NetworkLicenseServer.exe        4,584 K    7,900 K    2024    ABBYY network license server    ABBYY
notepad.exe        6,420 K    15,396 K    3852    Notepad    Microsoft Corporation
notepad.exe        6,224 K    15,092 K    2124    Notepad    Microsoft Corporation
notepad.exe        6,380 K    15,152 K    4664    Notepad    Microsoft Corporation
services.exe        2,344 K    6,576 K    720    Services and Controller app    Microsoft Corporation
SLsvc.exe        5,920 K    11,544 K    1340    Microsoft Software Licensing Service    Microsoft Corporation
smss.exe        308 K    792 K    488    Windows Session Manager    Microsoft Corporation
sttray.exe        5,332 K    12,240 K    2800    IDT PC Audio    IDT, Inc.
svchost.exe        2,268 K    5,496 K    2064    Host Process for Windows Services    Microsoft Corporation
svchost.exe        4,192 K    6,732 K    2108    Host Process for Windows Services    Microsoft Corporation
svchost.exe        1,380 K    6,396 K    496    Host Process for Windows Services    Microsoft Corporation
svchost.exe        2,188 K    4,968 K    1320    Host Process for Windows Services    Microsoft Corporation
svchost.exe        49,352 K    57,428 K    988    Host Process for Windows Services    Microsoft Corporation
svchost.exe        3,276 K    6,344 K    948    Host Process for Windows Services    Microsoft Corporation
svchost.exe        11,612 K    15,776 K    1944    Host Process for Windows Services    Microsoft Corporation
svchost.exe        7,684 K    12,752 K    1400    Host Process for Windows Services    Microsoft Corporation
svchost.exe        15,572 K    15,120 K    1596    Host Process for Windows Services    Microsoft Corporation
taskeng.exe        2,044 K    5,820 K    516    Task Scheduler Engine    Microsoft Corporation
wininit.exe        1,376 K    4,208 K    640    Windows Start-Up Application    Microsoft Corporation
winlogon.exe        2,052 K    5,728 K    688    Windows Logon Application    Microsoft Corporation
WmiPrvSE.exe        3,016 K    5,480 K    5428    WMI Provider Host    Microsoft Corporation
wmpnscfg.exe        1,728 K    5,368 K    2564    Windows Media Player Network Sharing Service Configuration Application    Microsoft Corporation
WPFFontCache_v0400.exe        1,568 K    4,780 K    4304    wpffontcache_v0400.exe    Microsoft Corporation
WUDFHost.exe        2,656 K    4,964 K    2364    Windows Driver Foundation - User-mode Driver Framework Host Process    Microsoft Corporation
Interrupts    < 0.01    0 K    0 K    n/a    Hardware Interrupts and DPCs    
spoolsv.exe    < 0.01    8,572 K    12,924 K    1904    Spooler SubSystem App    Microsoft Corporation
LMADImon.exe    < 0.01    6,536 K    11,000 K    2828    Printer Device Monitor    
nusb3mon.exe    < 0.01    2,528 K    4,476 K    2772    USB 3.0 Monitor    Renesas Electronics Corporation
svchost.exe    < 0.01    16,348 K    13,824 K    1080    Host Process for Windows Services    Microsoft Corporation
wmpnetwk.exe    < 0.01    5,304 K    9,664 K    2624    Windows Media Player Network Sharing Service    Microsoft Corporation
svchost.exe    < 0.01    2,448 K    5,684 K    884    Host Process for Windows Services    Microsoft Corporation
csrss.exe    < 0.01    1,876 K    6,224 K    572    Client Server Runtime Process    Microsoft Corporation
taskeng.exe    < 0.01    9,156 K    9,988 K    1912    Task Scheduler Engine    Microsoft Corporation
stacsv.exe    < 0.01    7,908 K    6,080 K    1156    IDT PC Audio    IDT, Inc.
svchost.exe    < 0.01    22,460 K    29,076 K    1128    Host Process for Windows Services    Microsoft Corporation
svchost.exe    < 0.01    10,632 K    13,672 K    1108    Host Process for Windows Services    Microsoft Corporation
avp.exe    < 0.01    233,472 K    19,544 K    556    Kaspersky Anti-Virus    AO Kaspersky Lab
System    < 0.01    0 K    21,624 K    4        
SynTPEnh.exe    < 0.01    2,272 K    7,032 K    2760    Synaptics TouchPad Enhancements    Synaptics, Inc.
explorer.exe    < 0.01    27,364 K    39,300 K    1784    Windows Explorer    Microsoft Corporation
csrss.exe    0.77    10,620 K    13,980 K    632    Client Server Runtime Process    Microsoft Corporation
firefox.exe    3.08    328,988 K    358,896 K    2276    Firefox    Mozilla Corporation
procexp.exe    3.85    18,824 K    27,176 K    5108    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com

System Idle Process    92.30    0 K    24 K    0        

 

 

 

_______________________________________________________________________________________________

 

SPECCY

 

See Attached

Attached Files


Edited by mango_nj, 08 August 2016 - 03:35 PM.


#8
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

My bet is the hard drive is at fault.  The following attributes are showing non-zero Raw Values.  Some of the values seem impossibly bad so there may be some problem with the reporting.

 

 

FUJITSU MHV2120AH ATA Device
 
Power On Time 2509150.0 days
..
01
Attribute name Read Error Rate
Real value 0
Current 100
Worst 100
Threshold 46
Raw Value 000002E53E
Status Good
...
07
Attribute name Seek Error Rate
Real value 0
Current 100
Worst 100
Threshold 47
Raw Value 0000000B35
Status Good
...
Attribute name Hardware ECC Recovered
Real value 0
Current 100
Worst 100
Threshold 0
Raw Value 0000000ED4
Status Good
C4
Attribute name Reallocation Event Count
Real value 440,401,920
Current 100
Worst 100
Threshold 0
Raw Value 001A400000
Status Good
...
 
Attribute name Write Error Rate / Multi-Zone Error Rate
Real value 25,562
Current 100
Worst 100
Threshold 60
Raw Value 00000063DA
Status Good
CB
Attribute name Run Out Cancel
Real value 3,732,208,683,400
Current 100
Worst 100
Threshold 0
Raw Value 00F8F90988
Status Good
 

 

 

I would clone the drive before it is too late.  Your drive is a Fujitsu MHV2120AH 120GB 5400 RPM 8MB Cache IDE Ultra ATA100 / ATA-6 2.5" Notebook Hard Drive.
 
 
 
Important things to look for in a replacement are 2.5" IDE (also called PATA)  and should be bigger than 120GB (More is better) at least 5400 RPM and 8 MB Cache.  
 
160GB HTS541616J9AT00 160 GB 2.5 Inch PATA IDE(160 gb 2.5" PATA) Laptop Hard Drive 5400 RPM - 1 Year Warranty $32.99 from Amazon.com would work for you.  IDE drives are no longer being made so they are getting scarce so if you are going to do this don't wait too long.  They may be all gone or impossibly expensive.   This one is 160 GB vs your original 120GB but otherwise it's pretty much the same.  Since it's a notebook/laptop you will need a USB to IDE adapter.  
An example on Amazon is 
 
New USB 2.0 to IDE SATA S-ATA/2.5/3.5 Adapter Cable (Adapter Cable) for a little over $3.  Just about any of them will work.  There are several more at around $9.
 
To clone it you connect the new drive to your adapter and the adapter to a USB jack on the PC.  Windows will detect the drive but there is no built-in program for cloning a drive.  There are lots of free cloning programs:
 
 
Some require you to boot from a CD or USB but several like AOMEI (second link) can work from within windows.
 
When you run the cloning software just be sure you know which one is the source (your old drive) and which one is the destination (your new drive).  Once the cloning is done (takes a few hours) you shut down the laptop.  Use a small Phillips screwdriver to remove the cover and remove the drive.  If the connector does not look like the one on your new drive it's because it has an adapter stuck on it.  Use a small flat blade screwdriver to pry off the adapter and then put it on the new drive before you install it.  Some laptops use a carrier which holds the drive in with another 4 screws and you have to remove the old drive from the carrier and put it in the new one.  Just go slow and make sure you know which way the drive has to sit in the carrier. 
 
 
  

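One way to do by script what RKinner does by eye in the post above, as an added Python example that is not part of the thread: parse the Speccy SMART text, decode each Raw Value from hex, flag the attributes whose raw counter is non-zero even though Status reads Good, and treat an impossible Power On Time as a sign that the reporting itself is broken. It assumes Speccy's text layout as quoted (an optional two-digit ID line, then Attribute name / Real value / Current / Worst / Threshold / Raw Value / Status); the sample block is constructed from two of the attributes quoted in post #8 plus one made-up clean attribute, and the 20-year power-on bound is an assumed sanity limit.

```python
import re

# Assumed sanity bound (not from the thread): a notebook drive powered on for
# more than 20 years is not believable, so a larger figure means the SMART
# reporting itself is broken and the other numbers deserve less trust.
MAX_PLAUSIBLE_POWER_ON_DAYS = 365 * 20

_FIELD = re.compile(
    r"^(Attribute name|Real value|Current|Worst|Threshold|Raw Value|Status) (.+)$")
_ID = re.compile(r"^[0-9A-F]{2}$")
_POWER_ON = re.compile(r"^Power On Time ([0-9.]+) days$")

# Constructed sample in the layout quoted in the thread: the first two blocks
# carry the values from post #8, the third is a made-up clean attribute.
SAMPLE = """\
FUJITSU MHV2120AH ATA Device
Power On Time 2509150.0 days
01
Attribute name Read Error Rate
Real value 0
Current 100
Worst 100
Threshold 46
Raw Value 000002E53E
Status Good
C4
Attribute name Reallocation Event Count
Real value 440,401,920
Current 100
Worst 100
Threshold 0
Raw Value 001A400000
Status Good
0A
Attribute name Spin Retry Count
Real value 0
Current 100
Worst 100
Threshold 60
Raw Value 0000000000
Status Good
"""

def parse_speccy_smart(text):
    """One dict per attribute block; 'raw' is the hex counter decoded to int."""
    attrs, pending_id, cur = [], "", {}
    for line in text.splitlines():
        line = line.strip()
        if _ID.match(line):        # optional two-digit ID line before a block
            pending_id = line
            continue
        m = _FIELD.match(line)
        if not m:                  # headings, "..." elisions, blank lines
            continue
        key, val = m.groups()
        cur[key] = val
        if key == "Status":        # last field of a block: emit the record
            attrs.append({
                "id": pending_id, "name": cur["Attribute name"],
                "real": int(cur["Real value"].replace(",", "")),
                "current": int(cur["Current"]), "worst": int(cur["Worst"]),
                "threshold": int(cur["Threshold"]),
                "raw": int(cur["Raw Value"], 16), "status": val})
            pending_id, cur = "", {}
    return attrs

def nonzero_raw(attrs):
    """Attributes whose raw event counter is non-zero, whatever Status says."""
    return [a for a in attrs if a["raw"] != 0]

def status_follows_threshold(a):
    """SMART pass/fail looks only at Current vs Threshold (0 = informational),
    which is why the thread's attributes all read Good despite raw counts."""
    return (a["status"] == "Good") == (a["threshold"] == 0 or a["current"] > a["threshold"])

def power_on_days(text):
    for line in text.splitlines():
        m = _POWER_ON.match(line.strip())
        if m:
            return float(m.group(1))
    return None

def report(text):
    """What a helper would post back: flagged counters, attributes whose raw
    hex disagrees with Speccy's interpreted value, and a reporting sanity flag."""
    attrs = parse_speccy_smart(text)
    days = power_on_days(text)
    return {
        "flagged": [(a["id"], a["name"], a["raw"]) for a in nonzero_raw(attrs)],
        "raw_mismatch": [a["name"] for a in attrs if a["raw"] != a["real"]],
        "reporting_suspect": days is not None and days > MAX_PLAUSIBLE_POWER_ON_DAYS,
    }
```

On the sample, Reallocation Event Count's raw hex decodes exactly to Speccy's "Real value" (0x1A400000 = 440,401,920), while Read Error Rate's raw counter is non-zero even though Speccy shows 0, which is the kind of disagreement that makes the raw hex the number to trust.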

#9
mango_nj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 206 posts

RK!!  Thank you so much for all of the info. I had no idea it was that bad, but little things started to go wrong. How long do you think this computer will last? I got this used laptop about a year ago, it was refurbished. I used it mainly for my nephew in school. I had another one just like it several years ago, but with the original specs. It was just something to travel with. Vista is rather ancient now and pretty terrible.

 

From what you could see of the reports, were there any viruses present? OR was the shell32.dll issue due to the failing hard drive? Don't want to save anything, if there are cooties attached.

Appreciate the help cloning the drive and I will definitely look into it, before it's too late. I'm so thankful for the warning with that HD. It could've just died on me and nothing would be saved. I guess it's a wrap. The best bet is to get a newer pc. Can you make a recommendation on a good laptop? I'm looking at a Lenovo, but I'm open.  I still fancy Windows 7 and there are still some new computers available...some can be upgraded to Windows 10. I have looked around a bit in Amazon.

You've been so patient and extremely knowledgeable. Thank you again.


Edited by mango_nj, 09 August 2016 - 05:00 AM.


#10
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

No sign of a virus (and not likely with Kaspersky - about the best anti-virus you can buy).  You do have some problems.  

 

Error: (08/02/2016 04:03:22 AM) (Source: VSS) (EventID: 39) (User: )
Description: Volume Shadow Copy Service error:  The Volume Shadow Copy service (VSS) is disabled.  Please
enable the service and try again.

 

 

 

When this is disabled it's unable to make backups and even system restore doesn't work.  

 

Search for 

 

services.msc

 

and hit Enter.  This should open the services window.  Scroll down and find 

 

Volume Shadow Copy 

 

right click on it and select Properties.  If the Startup Type does not say Manual, change it to Manual and Apply.  Try and Start it.  Does it start?

 

 

 

As for a new laptop.  I just bought a tablet with keyboard on sale for $125 from Newegg.com.  iClever 10.1" Windows 10 OS Tablet with Detachable Keyboard & Stand, Intel BayTrail T Quad Core, 2GB RAM 32GB Storage, 1280*800 HD Display, HDMI, Bluetooth 4.0, 5.0MP Rear Camera.  I just bought it to take on trips.  Looks like a knockoff of Microsoft's Surface 3.  If you are just going to surf the web and do email and play on Facebook it might work for you.  For real laptops I like Dells just because they are the easiest to clean the heatsinks.  You might also look at one of the Chromebooks.  They tend to be fairly reasonable.  They don't run Windows but aren't hard to learn.  It all depends on what you plan to do with it.  





#11
mango_nj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 206 posts

HI RK!  I will take a look at enabling the VSS later this evening and
let you know how that goes.  I had no idea that system restore
wasn't working. I'll follow your instructions. If I have a problem I'll
message you. Thank goodness there are no viruses, but like you
stated....this system has some serious problems.

Appreciate the laptop recommendations. Definitely going to take a
look at the tablet from newegg. I definitely need a real laptop, something
that can multi-task and run photoshop. I have my desktop for heavy duty
work, but I need something portable. Will peruse Dell and see what they
have to offer. Thanks so much....I'll get back to you.


Edited by mango_nj, 10 August 2016 - 06:53 AM.


#12
mango_nj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 206 posts

Hi RK! I was able to start VSS. I attached a screen shot, to make sure I did it right.

Please let me know your next instructions. Thank you again.

Attached Thumbnails

  • vss-STARTED.jpg


#13
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Looks good.  See if you can get it to make a System Restore point.

 

http://www.howtogeek...system-restore/



#14
mango_nj

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 206 posts

Hi RK!  Not good......there was an error in creating a system restore point.
I attached a screen shot.  I do believe a long time ago, when that used
laptop was upgraded...there was no restore partition, which is probably
why system restore doesn't work. I'm sure you can tell me for sure.

 

I completely forgot about that.  It had to be backed up on an external drive.

I gave it to my nephew to use for school and I don't believe he backed it up.

Attached Thumbnails

  • restore point error.jpg

Edited by mango_nj, 10 August 2016 - 09:53 PM.


#15
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Copy the next two lines:

vssadmin list shadowstorage > \junk.txt
notepad \junk.txt
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied lines should appear.
Hit Enter if notepad does not open.  Copy and paste the text from notepad into a reply.  

