Virus / Malware

Hi, I am having big problems with my laptop and am typing this in safe mode!

When I try to startup Windows I just get a black screen and Windows won’t start at all. I started the machine in safe mode and ran Malwarebytes’ Anti-Malware, which found 15 infections. I restarted my machine as instructed, and Windows still wouldn’t start.

I’ve since been back into safe mode, and ran Malwarebytes again, Avast and AG and none of them can find any infections at all. But my machine won’t start.

Here is the log from Malwarebytes when it detected numerous infections (which it doesn’t detect any more):

Malwarebytes Anti-Malware (Trial) 1.60.1.1000 www.malwarebytes.org

Database version: v2012.04.06.07

Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421

Protection: Disabled

06/04/2012 20:21:14
mbam-log-2012-04-06 (20-21-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 190628
Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 10
HKCR\CLSID{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCR\TypeLib{BB7256DD-EBA9-480B-8441-A00388C2BEC3} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCR\CLSID{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Quarantined and deleted successfully.

Registry Values Detected: 4
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Data: ;áÃzÊ;XA³0öm»Áµ → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Data: VShareTB → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Data: → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Data: → Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) → Bad: (http://startsear.ch/?aff=1&cf=4257cea3-1916-11e1-a653-a4badbb27d38) Good: (http://www.google.com) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) → Bad: (http://startsear.ch/?aff=1&cf=4257cea3-1916-11e1-a653-a4badbb27d38) Good: (http://www.google.com) → Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Program Files\vShare.tv plugin\BarLcher.dll (PUP.VShareRedir) → Quarantined and deleted successfully.
C:\Users\Chris\Downloads\Retrogamer(2).exe (PUP.FunWebProducts) → Quarantined and deleted successfully.
C:\Users\Chris\Downloads\Retrogamer.exe (PUP.FunWebProducts) → Quarantined and deleted successfully.

(end)

I tried to run the OTL programme that is suggested in this thread:

http://forum.avast.com/index.php?topic=53253.0

But it won’t run at all seemingly. Does anyone have any suggestions, as I’m about ready to do a factory reset!

What was the sequence of events prior to this happening?

Avast and AG and none............
what is AG ?
What was the sequence of events prior to this happening?
Thanks for the swift reply. The first time I noticed a problem was when a program that I'd installed the previous day from a CD wouldn't work properly. I doubt this was a rogue program, incidentally, because it's from the Open University. This program wouldn't run properly, but when I tried to uninstall it, that wouldn't work either. I got some error message about it not being a valid Win32 application.

I tried to run Spybot, but when it came to deleting the spyware, it told me that I wasn’t an administrator, so I obviously knew at this point that something was wrong.

At this point I tried going into safe mode, but I couldn’t manage it at first, as the infection had deleted the option to go into safe mode. But I managed to do it today. I’ve tried running all the scans I possibly can, but none of them have made any difference, even though they’re all coming up as blank now on safe mode. When I try to open Windows, I either get a black screen, or else it starts, but will run absolutely nothing at all.

I also tried using system restore but that didn’t help at all.

what is AG ?
A typo!

http://free.avg.com/gb-en/homepage

so you have avast and AVG installed ?

Running multiple AV can/will create all kinds of Windows errors and false positive detections.

Read reply from quietman7
http://www.bleepingcomputer.com/forums/topic186533.html

so you have avast and AVG installed ?
I didn't have them both installed at the time of the problem. I had Avast installed, but when I looked at Avast while I was in the normal Windows mode, it had been disabled. I did a scan with Avast in safe mode, and it found nothing, so I downloaded AVG and ran a scan, and it found nothing.

If anyone has any advice it would be appreciated, as it’s impossible to start Windows, and I’ve tried all the scans in safe mode that I possibly can, and it’s made no difference whatsoever, and they’re telling me that the system is clean.

The removal specialist, Essexboy, is offline now.
He will be back tomorrow, usually late UK time.

Okay, thanks.

I will just post up some more information here:

When I try to startup Windows I just get a black screen and Windows won’t start at all. I started the machine in safe mode and ran Malwarebytes’ Anti-Malware, which found 20 infections. When it came to deleting the infections, the program prompted me to restart my machine. I am not at all convinced that the infections were got rid of. I restarted my machine as instructed, and Windows still wouldn’t start. However, when I ran another scan in safe mode with Malwarebytes it told me my machine was clean.

I’ve since been back into safe mode, and ran Malwarebytes again, Spybot, Avast and AVG and none of them can find any infections at all. But my machine won’t start. One time I ran Spybot in safe mode, it found 21 infections, but refused to delete three of them.

Here is the log from Malwarebytes when it detected numerous infections (which it doesn’t detect any more):

Malwarebytes Anti-Malware (Trial) 1.60.1.1000 www.malwarebytes.org

Database version: v2012.04.06.09

Windows 7 Service Pack 1 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421

Protection: Disabled

07/04/2012 02:47:31
mbam-log-2012-04-07 (02-47-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 190882
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 15
HKCR\CLSID{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCR\TypeLib{BB7256DD-EBA9-480B-8441-A00388C2BEC3} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCR\Interface{3D782BB2-F2A5-11D3-BF4C-000000000000} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncherBHO.1 (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncherBHO (PUP.VShareRedir) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCR\CLSID{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncher.1 (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncher (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Quarantined and deleted successfully.

Registry Values Detected: 4
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser|{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Data: ;áÃzÊ;XA³0öm»Áµ → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Data: VShareTB → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Data: → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Data: → Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) → Bad: (SearchCompletion Search) Good: (Google) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) → Bad: (SearchCompletion Search) Good: (Google) → Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Program Files\vShare.tv plugin\BarLcher.dll (PUP.VShareRedir) → Quarantined and deleted successfully.
C:\Users\Chris\Downloads\Retrogamer(2).exe (PUP.FunWebProducts) → Quarantined and deleted successfully.
C:\Users\Chris\Downloads\Retrogamer.exe (PUP.FunWebProducts) → Quarantined and deleted successfully.

(end)

Despite the fact that it states in this log that infections were successfully quarantined, when I start my machine again, Windows still won’t run properly.

I have tried system restoring the PC to 25th March, this did no good at all. I’ve tried running every virus scanner and malware program that I can think of, none of them have done any good at all. With previous problems, I’ve always started the machine in safe mode, run a virus and spyware program, it’s killed the infection, and that’s that. This seems able to override safe mode, and also override the mechanisms in the anti-spyware and anti-virus programs that delete the infections.

I tried to run the OTL program suggested but it just freezes and won’t run at all in safe mode. It is impossible to run anything in normal mode because the system either runs pitifully slowly or won’t start at all.
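An added example, not part of the original thread and not Malwarebytes' own code: a small Python parser for the scan log format posted above. It tallies detections by family (the part of the name before the dot, such as PUP or Hijack), lists items whose outcome is anything other than quarantined, and checks each section's declared count against the lines actually present. The field layout is inferred from the lines shown in this thread, and the function names are hypothetical.

```python
import re
from collections import Counter, namedtuple

# Three sections excerpted from the first Malwarebytes log posted in this thread.
SAMPLE_LOG = r"""
Memory Processes Detected: 0
(No malicious items detected)

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) → Bad: (http://startsear.ch/?aff=1&cf=4257cea3-1916-11e1-a653-a4badbb27d38) Good: (http://www.google.com) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) → Bad: (http://startsear.ch/?aff=1&cf=4257cea3-1916-11e1-a653-a4badbb27d38) Good: (http://www.google.com) → Quarantined and repaired successfully.

Files Detected: 3
C:\Program Files\vShare.tv plugin\BarLcher.dll (PUP.VShareRedir) → Quarantined and deleted successfully.
C:\Users\Chris\Downloads\Retrogamer(2).exe (PUP.FunWebProducts) → Quarantined and deleted successfully.
C:\Users\Chris\Downloads\Retrogamer.exe (PUP.FunWebProducts) → Quarantined and deleted successfully.

(end)
"""

Detection = namedtuple("Detection", "target name action")

# "<Section> Detected: <n>" opens a section.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<target> (<Detection.Name>) -> ... -> <action>"; the arrow is "→" as pasted
# here or "->" in a plain-text log. The space before "(" keeps a file name
# such as "Retrogamer(2).exe" from being read as the detection name.
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<name>[^()\s]+)\) (?:→|->) (?P<rest>.+)$")
ARROW_RE = re.compile(r" (?:→|->) ")


def parse_mbam_log(text):
    """Return {section: {"declared": int, "items": [Detection, ...]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header["section"]
            sections[current] = {"declared": int(header["count"]), "items": []}
            continue
        item = ITEM_RE.match(line)
        if item and current:
            # The outcome is whatever follows the last arrow on the line.
            action = ARROW_RE.split(item["rest"])[-1].rstrip(".")
            sections[current]["items"].append(
                Detection(item["target"], item["name"], action))
    return sections


def summarise(sections):
    """Tally families, collect non-quarantined items and count mismatches."""
    families, unresolved, mismatches = Counter(), [], []
    for name, sec in sections.items():
        if sec["declared"] != len(sec["items"]):
            # A truncated or edited paste shows up here.
            mismatches.append((name, sec["declared"], len(sec["items"])))
        for det in sec["items"]:
            families[det.name.split(".")[0]] += 1
            if not det.action.lower().startswith("quarantined"):
                unresolved.append(det)
    return {"families": dict(families),
            "unresolved": unresolved,
            "mismatches": mismatches}


if __name__ == "__main__":
    report = summarise(parse_mbam_log(SAMPLE_LOG))
    for family, count in sorted(report["families"].items()):
        print(f"{family}: {count}")
    print("unresolved:", report["unresolved"])
    print("count mismatches:", report["mismatches"])
```
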

OK, let's try the following.

First download this version of OTL and see if it runs. If you are using Firefox, then right click the link and select save as…

Download OTL to your Desktop

If that fails

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Thanks for your assistance, Essexboy.

Firstly, I cannot run OTL even in safe mode, it just freezes.

I tried to uninstall / turn off AVG and Avast. When I tried to uninstall AVG, I just got an error message saying that it has already been uninstalled, which I had tried to do previously. When I click on Avast, it states that Avast has been stopped or is in an inconsistent state. When I tried to uninstall it I got a message saying “Error reading product data…” and it would not uninstall.

So when I started Combofix it warned me about Avast and AVG, but as far as I can see these programs are not operational, and I can do nothing else with them anyway. So I had to run the scan on Combofix with the system as it is.

The current state of my machine is that it is impossible to run Windows. If the machine will even start normally, then everything runs either pitifully slowly, or many programs will not start at all. Avast has also been permanently turned off when the machine runs in normal mode, and cannot be turned on.

I can run the machine in safe mode, but it would appear that the virus / malware has prevented all spyware and virus checker programs from functioning correctly and destroying the infections.

I will include the log in a separate post as this message otherwise exceeds 10,000 characters.

Any advice or assistance would be appreciated.

Here is the log from Combofix:


(continued in next post)


(continued in next post)

You can attach the log as a single text file - use additional options at the bottom of the post

Thanks, sorry, I couldn’t find that anywhere!

Before we proceed we will secure you - let me know when you are completed

OK from safe mode run these two programmes to clear Avast and AVG
For aswClear run it for V4,5,6, and 7

But first download a fresh copy of Avast
http://files.avast.com/iavs5x/avast_free_antivirus_setup.exe

http://files.avast.com/files/eng/aswclear.exe
http://download.avg.com/filedir/util/avgrem/avg_remover_stf_x86_2012_2125.exe

let me know when you are completed
I have successfully cleared AVG and Avast off my system and downloaded and installed Avast again.

Is Avast now working properly ?

OK next we need to determine why you cannot get to normal mode

When you get the black screen is there any writing or is it just a flashing cursor ?

Run Farbar Service Scanner

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

As far as I can see Avast is running fine now.

I have attached the text file for Farbar.