
Multiple crashes, CHKDSKs, and recoveries recently on Vista


ralphyde


I have a very unstable computer now, a Gateway laptop running on Vista Home premium SP2.

My problems started in late January 2013, when my computer wouldn't start. I used AVG Free back then. In safe mode, I ran an AVG scan and it found EXPLOIT virus and trojans. I called a number I found somewhere that I thought was AVG, but it turned out to be an Indian man, who ran some scans, said I had over 4000 errors, and connected me with ITechline, associated with Microsoft, he said. I paid $199 for three months' help. Various Indian technicians worked on my computer remotely, running Malwarebytes among other things, and deleting some of my programs as well, including AVG. They installed MSE.

 

At various times they said it was fixed, but then I would have more crashes. I eventually lost confidence in their abilities, and my computer was running OK but with occasional crashes. I also found and removed the Win32-OpenCandy virus with Malwarebytes, but I'm not sure it was really fixed.

Recently, my computer has gotten less stable, and freezes and crashes occasionally, but usually comes up okay after a CHKDSK run which deletes, fixes, and rebuilds indexes. Two programs always showing in the CHKDSK run are taskmgr.exe and wmplayer.exe, but the indexes are rebuilt, and things run OK for a while.

 

I have recently bought Malwarebytes Pro and Malwarebytes Secure Backup, to get my files backed up before getting more help. But running Secure Backup took a few days, because the computer would freeze partway through and not complete; it would get further on my next try, and finally completed a few days ago.

 

But last night, my computer wouldn't recover normally. I had to go through multiple startup recoveries and CHKDSK runs, but by 4am it came up to the sign-on screen. So I shut it down cleanly. But today, another CHKDSK before coming up again. After a while it bogs down, then freezes. Previous dumps referenced MEMORY_MANAGEMENT, but a later one (a couple of days ago) said DRIVER_POWER_STATE_FAILURE.

 

Malwarebytes doesn't find any infections, but there might be remnants of previous ones.

So I need some help, please. I am 76 years old, have been a computer professional in the past, but am weak in knowledge of PCs and memory now.

 

Thanks for any help you can give me now.


Hi there,
My name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
I would recommend that the two of us have a look at your system to check whether any malware is present. When finished, our experts at the Windows forum will help you :)
The error messages point to hardware or driver errors, but we have to make sure this problem isn't malware related.
 
 
 
Scan with DDS

Download DDS and save it to your desktop from here or here or
here.

Disable any script blocker, and then double click dds.scr to run the tool.

When done, DDS will open two (2) logs:

DDS.txt: save to your desktop then post its contents in your topic
Attach.txt: save to your desktop then attach it to your next reply
 
 
 
Scan with Gmer rootkit scanner

Please download Gmer from here by clicking on the "Download EXE" Button.
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Show All ( should be unchecked by default )

    [*]Leave everything else as it is. [*]Close all other running programs as well as your Browser. [*]Click the Scan button & wait for it to finish. [*]Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. [*]Save it where you can easily find it, such as your desktop. [*]Please post the content of the ark.txt here.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Thank you, Marius, for your help.  I will try to follow your instructions to the best of my limited ability.

 

Here is the output from DDS.txt:

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16506  BrowserJavaVersion: 10.25.2
Run by Ralph at 11:12:43 on 2013-09-24
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2038.835 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exe
C:\Program Files\Malwarebytes Secure Backup\SAgent.Service.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\Malwarebytes Secure Backup\mbsbscan.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\System32\alg.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Malwarebytes Secure Backup\SMessaging.exe
C:\Program Files\HP\HP Photosmart 6520 series\Bin\ScanToPCActivationApp.exe
C:\Program Files\Garmin\Express Tray\ExpressTray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exe
C:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicator.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Microsoft\BingBar\7.2.241.0\SeaPort.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - <orphaned>
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - <orphaned>
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dll
uRun: [HP Photosmart 6520 series (NET)] "c:\program files\hp\hp photosmart 6520 series\bin\ScanToPCActivationApp.exe" -deviceID "CN2AI3526V05XP:NW" -scfn "HP Photosmart 6520 series (NET)" -AutoStart 1
uRun: [GarminExpressTrayApp] "c:\program files\garmin\express tray\ExpressTray.exe"
uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRunOnce: [Application Restart #5] c:\users\ralph\appdata\local\google\chrome\application\chrome.exe  --flag-switches-begin --enable-print-preview --flag-switches-end --restore-last-session -- 
 
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [sOSUAUI] "c:\program files\malwarebytes secure backup\sosuploadagent.exe" -showui
mRun: [sMessaging] c:\program files\malwarebytes secure backup\SMessaging.exe
StartupFolder: c:\users\ralph\appdata\roaming\micros~1\windows\startm~1\programs\startup\monito~1.lnk - c:\windows\system32\RunDll32.exe
StartupFolder: c:\users\ralph\appdata\roaming\micros~1\windows\startm~1\programs\startup\monito~2.lnk - c:\windows\system32\RunDll32.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
TCP: NameServer = 192.168.0.1 64.91.3.46
TCP: Interfaces\{1C35532F-CC6F-407B-98E8-2291FE153E84} : DHCPNameServer = 192.168.0.1 64.91.3.46
TCP: Interfaces\{FD8151B4-12CB-4F39-AF97-76EE4D27BCC3} : DHCPNameServer = 192.168.0.1 209.206.179.157
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-3 31576]
R1 MpKsl529f02b5;MpKsl529f02b5;c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\MpKsl529f02b5.sys [2013-9-23 40392]
R1 MpKsla99b3035;MpKsla99b3035;c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\MpKsla99b3035.sys [2013-9-24 40392]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-15 21504]
R2 Garmin Core Update Service;Garmin Core Update Service;c:\program files\garmin\core update service\Garmin.Cartography.MapUpdate.CoreService.exe [2013-8-22 220504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-2-17 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-2-17 701512]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-8-30 107392]
R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-28 196912]
R2 sagentservice;Online Backup Service;c:\program files\malwarebytes secure backup\SAgent.Service.exe [2013-8-15 39832]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-8-14 3291008]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2013-7-2 93072]
R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.2.241.0\SeaPort.EXE [2013-7-23 240288]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-17 22856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-9-22 40776]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-6-20 295376]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2010-3-31 350720]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.2.241.0\BBSvc.EXE [2013-7-23 193696]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c90e025ce8c3d3;Google Update Service (gupdate1c90e025ce8c3d3);c:\program files\google\update\GoogleUpdate.exe [2013-2-5 116648]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-21 162408]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2009-11-16 704000]
S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2009-11-16 24192]
S3 usbUDisc;usbUDisc;c:\windows\system32\drivers\USBDrv.sys [2012-8-27 13824]
.
=============== Created Last 30 ================
.
2013-09-24 17:28:03 40392 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\MpKsla99b3035.sys
2013-09-24 05:00:04 40392 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\MpKsl529f02b5.sys
2013-09-23 18:44:40 7328304 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\mpengine.dll
2013-09-23 18:13:43 -------- d-sh--w- C:\found.008
2013-09-23 08:13:38 -------- d-sh--w- C:\found.007
2013-09-22 20:14:46 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-09-22 06:02:31 7328304 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-09-12 20:58:20 -------- d-sh--w- C:\found.006
2013-09-12 03:23:10 615936 ----a-w- c:\windows\system32\themeui.dll
2013-09-12 03:21:50 2049536 ----a-w- c:\windows\system32\win32k.sys
2013-09-06 03:52:13 718712 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1a862cd4-4029-4f66-973d-ce99a48bce04}\gapaengine.dll
2013-09-03 13:53:52 187248 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2013-08-31 16:24:45 -------- d-----w- C:\ce6ec4963661da0ceca73c30c6cdd1
2013-08-28 17:29:53 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-08-28 16:52:52 -------- d-sh--w- C:\found.005
2013-08-28 07:38:19 -------- d-sh--w- C:\found.004
.
==================== Find3M  ====================
.
2013-09-19 18:15:51 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-19 18:15:51 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-08-15 21:50:17 31744 ----a-w- c:\windows\system32\cscapi.dll
2013-08-05 04:49:51 481336 ----a-w- c:\windows\system32\cc_20130804_214808.reg
2013-07-31 10:00:20 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-07-31 09:52:44 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-07-31 09:52:34 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-07-31 09:48:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-07-31 09:48:09 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-07-31 09:45:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-07-17 19:41:34 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-14 20:24:10 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-14 20:24:02 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-07-14 20:24:02 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-07-12 21:00:55 28764 ----a-w- c:\programdata\1373662743.bdinstall.bin
2013-07-10 09:47:00 783360 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 12:10:36 1205168 ----a-w- c:\windows\system32\ntdll.dll
2013-07-08 04:55:51 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-07-08 04:55:51 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-08 04:20:04 172544 ----a-w- c:\windows\system32\wintrust.dll
2013-07-08 04:16:55 98304 ----a-w- c:\windows\system32\cryptnet.dll
2013-07-08 04:16:55 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-08 04:16:54 992768 ----a-w- c:\windows\system32\crypt32.dll
2013-07-05 03:20:37 914880 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-07-05 01:43:04 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
.
============= FINISH: 11:15:34.97 ===============
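The "Pseudo HJT Report" section of a DDS log, like the one posted above, is a flat list that a helper reads by eye: BHO and toolbar CLSIDs with their DLL (or "<orphaned>" when the DLL is no longer on disk), Run/RunOnce autostarts, and the AppInit_DLLs value. As an added example that is not part of this thread, of the DDS tool, or of Malwarebytes, here is a small Python parser for that line format with a triage pass that sorts entries into what a reviewer looks at first. The sample lines are copied from the log above except the "Updater Helper" entry, which is constructed to show a Temp-folder autostart; the path classes, severity labels and reasons are this example's own choice, not DDS output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines in the DDS "Pseudo HJT Report" format from the log above,
# plus one made-up mRun entry ("Updater Helper") that launches from a Temp folder.
SAMPLE_REPORT = r"""
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dll
uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRunOnce: [Application Restart #5] c:\users\ralph\appdata\local\google\chrome\application\chrome.exe --restore-last-session
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Updater Helper] c:\users\ralph\appdata\local\temp\updhelper.exe /silent
AppInit_DLLs= c:\progra~1\google\google~1\GOEC62~1.DLL
"""

@dataclass
class Entry:
    kind: str    # BHO, TB, dURLSearchHooks, uRun, mRun, uRunOnce, AppInit_DLLs
    name: str    # friendly name; empty for orphaned CLSIDs and AppInit_DLLs
    target: str  # DLL/executable path, "<orphaned>", or the AppInit DLL list
    raw: str     # the original log line

@dataclass
class Finding:
    level: str   # "check" (look first), "review" (verify), "info" (cleanup only)
    reason: str
    entry: Entry

# "<kind>: [<name>: ]{CLSID} - <target>"  e.g. BHO / TB / URLSearchHooks lines
COM_RE = re.compile(
    r"^(?P<kind>BHO|TB|[ud]URLSearchHooks): (?:(?P<name>[^{]+?): )?"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.+)$")
# "uRun: [<value name>] <command line>"  (u = HKCU, m = HKLM)
RUN_RE = re.compile(r"^(?P<kind>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs=\s*(?P<dlls>.*)$")

def exe_from_command(cmd: str) -> str:
    """Program path from a Run value: the quoted part if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]

def parse_hjt(text: str) -> List[Entry]:
    """Parse the recognised line types; unrecognised lines (IE:, TCP:, Notify: ...) are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = COM_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], (m["name"] or "").strip(), m["target"].strip(), line))
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry(m["kind"], m["name"], exe_from_command(m["cmd"]), line))
            continue
        m = APPINIT_RE.match(line)
        if m:
            entries.append(Entry("AppInit_DLLs", "", m["dlls"].strip(), line))
    return entries

def path_class(path: str) -> str:
    """Coarse location class of an executable path (this example's own categories)."""
    p = path.lower()
    if "\\temp\\" in p:
        return "temp"
    if p.startswith(("c:\\users\\", "c:\\docume~1\\", "c:\\documents and settings\\")):
        return "user-profile"
    if p.startswith(("c:\\windows\\", "c:\\program files", "c:\\progra~")):
        return "system"
    return "other"

def triage(entries: List[Entry]) -> List[Finding]:
    """Rank entries the way a log reviewer would: injected DLLs and Temp autostarts first."""
    findings: List[Finding] = []
    for e in entries:
        if e.target == "<orphaned>":
            findings.append(Finding("info", "CLSID still registered but its DLL is gone "
                                    "(leftover of a removed add-on); harmless, safe to clean", e))
        elif e.kind == "AppInit_DLLs":
            if e.target:  # empty value is the normal state
                findings.append(Finding("check", "AppInit_DLLs is set: this DLL is loaded into every "
                                        "process that loads user32.dll; confirm its publisher", e))
        elif e.kind.endswith(("Run", "RunOnce")):
            cls = path_class(e.target)
            if cls == "temp":
                findings.append(Finding("check", "autostart runs a program from a Temp folder, "
                                        "which legitimately installed software rarely does", e))
            elif cls in ("user-profile", "other"):
                findings.append(Finding("review", "autostart runs outside Program Files/Windows; "
                                        "verify it is a known per-user install (Chrome, Skype, ...)", e))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    return {lvl: sum(1 for f in findings if f.level == lvl) for lvl in ("check", "review", "info")}

if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_REPORT))
    for f in sorted(found, key=lambda f: ("check", "review", "info").index(f.level)):
        print(f"[{f.level}] {f.reason}\n    {f.entry.raw}")
    print(summarize(found))
```

The triage deliberately labels orphaned CLSIDs as cleanup-only and user-profile autostarts as "verify", because both are common on a clean machine (the Chrome RunOnce entry in the real log is one); only the AppInit_DLLs value and anything launching from Temp get the top label, and even those are prompts to check the file's publisher, not verdicts.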

Here is the content of ark.txt from GMER rootkit scanner:

 

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-24 13:58:55
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.0000 149.05GB
Running: 6d4nnzwk.exe; Driver: C:\Users\Ralph\AppData\Local\Temp\fglorpoc.sys
 
 
---- Devices - GMER 2.1 ----
 
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0                                      Wdf01000.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1                                      Wdf01000.sys
AttachedDevice  \FileSystem\fastfat \Fat                                                     fltmgr.sys
AttachedDevice  \FileSystem\fastfat \Fat                                                     fltmgr.sys
 
---- Registry - GMER 2.1 ----
 
Reg             HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LogName    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy35.gthr
Reg             HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LogNumber  36
 
---- EOF - GMER 2.1 ----

OK, looks good, let's cross check. If you are facing any issues, please stop and report that to me:

 

 

Full System Scan with Malwarebytes Antimalware


  • If not already installed, please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.



If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 

 

 

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Yes, I am having an issue running a full scan with Malwarebytes Pro. My system bogged down and froze after about 20 minutes, so that I had to force a shutdown. I was able to restart normally. I have not been able to run a full scan with Malwarebytes or with MSE for the recent days when my system has been bogging down and freezing after only a few hours of running. Previously, a full scan would take about 3 hours, so I would run it at night. But recently, I'd wake up to find the system frozen with Malwarebytes also frozen. So instead, I have been running the Flash Scan option of Malwarebytes Pro. Here are some recent results, if this would help:

 

The latest with Flash Scan option on September 22:

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.09.22.01
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Ralph :: RALPH-PC [administrator]
 
Protection: Enabled
 
9/22/2013 11:16:20 AM
mbam-log-2013-09-22 (11-16-20).txt
 
Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 175925
Time elapsed: 3 minute(s), 43 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
Here's the latest one that found anything on September 19:
 
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.09.19.06
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Ralph :: RALPH-PC [administrator]
 
Protection: Enabled
 
9/19/2013 10:44:09 PM
mbam-log-2013-09-19 (22-44-09).txt
 
Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 175415
Time elapsed: 3 minute(s), 18 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 1
HKCU\Software\Cr_Installer\21804 (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
And here's the last successful Full scan, on August 30th:
 
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.08.29.03
 
Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Ralph :: RALPH-PC [administrator]
 
Protection: Disabled
 
8/29/2013 10:46:30 PM
mbam-log-2013-08-29 (22-46-30).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 504020
Time elapsed: 2 hour(s), 47 minute(s), 49 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
And here is the last malware that was found and removed on August 28th.
 
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.08.28.01
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Ralph :: RALPH-PC [administrator]
 
Protection: Enabled
 
8/28/2013 1:17:19 PM
mbam-log-2013-08-28 (13-17-19).txt
 
Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 195082
Time elapsed: 4 minute(s), 38 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 12
HKCR\CrossriderApp0021804.BHO (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0021804.BHO.1 (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0021804.Sandbox (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0021804.Sandbox.1 (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
HKCR\CLSID\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440244184404} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550255185504} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Program Files\Coupon Companion Plugin\Coupon Companion Plugin.dll (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
 
(end)
 
Further back in August, on August 4, there was this, using a Quick Scan.
 
Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.08.03.02
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Ralph :: RALPH-PC [administrator]
 
Protection: Enabled
 
8/4/2013 3:44:33 PM
mbam-log-2013-08-04 (15-44-33).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 238776
Time elapsed: 26 minute(s), 53 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 2
C:\Users\Ralph\Downloads\SportHunterTVApp_setup(11).exe (PUP.BundleInstaller.DW) -> Quarantined and deleted successfully.
C:\Users\Ralph\Downloads\DownloadSetup.exe (PUP.Optional.Installex) -> Quarantined and deleted successfully.
 
(end)
 
And back on July 2, there was this:
 
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.06.30.05
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Ralph :: RALPH-PC [administrator]
 
7/2/2013 12:34:49 AM
mbam-log-2013-07-02 (00-34-49).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 489886
Time elapsed: 3 hour(s), 49 minute(s), 10 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 5
C:\Users\Ralph\Downloads\FlashPlayer_V.106726342c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.
C:\Users\Ralph\Downloads\FlashPlayer_V.166065848c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.
C:\Users\Ralph\Downloads\FlashPlayer_V.166065916c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.
C:\Users\Ralph\Downloads\FlashPlayer_V.166065945c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.
C:\Users\Ralph\Downloads\FlashPlayer_V.166065955c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.
 
(end)
 
Then there was nothing back until February 25, back when ITechline was trying to solve my problems.
 
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
 
Database version: v2013.02.25.02
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Ralph :: RALPH-PC [administrator]
 
2/25/2013 12:33:53 AM
mbam-log-2013-02-25 (00-33-53).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 450076
Time elapsed: 3 hour(s), 4 minute(s), 8 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 5
C:\Program Files\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.630.0 (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.630.0\firefox (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.630.0\firefox\extensions (Adware.ClickPotato) -> Quarantined and deleted successfully.
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
I think MSE found and removed another, sometime during this period, but I can't find the logs.
 
I hope this is helpful.
 
Shall I go ahead with the ESET scan, or wait for further instructions?
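The mbam-log-*.txt files quoted above all share one layout (header lines, then "<section> Detected: N" blocks whose items read "<path or key> (<threat>) -> <action>."). The following Python example is added here and is not from the thread or from Malwarebytes; it parses that layout and tallies hits by threat family, using a constructed log modelled on the entries quoted above as input.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the mbam-log-*.txt files quoted in the thread (abbreviated).
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (PRO) 1.75.0.1300
Database version: v2013.08.03.02
8/4/2013 3:44:33 PM
Scan type: Quick scan

Memory Processes Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
Files Detected: 2
C:\Users\Ralph\Downloads\SportHunterTVApp_setup(11).exe (PUP.BundleInstaller.DW) -> Quarantined and deleted successfully.
C:\Program Files\Coupon Companion Plugin\Coupon Companion Plugin.dll (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
(end)
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+): (.+)$")            # e.g. "Scan type: Quick scan"
SECTION_RE = re.compile(r"^([A-Za-z ]+) Detected: (\d+)$")  # e.g. "Files Detected: 2"
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")   # "<item> (<threat>) -> <action>."

@dataclass(frozen=True)
class Detection:
    section: str  # "Files", "Registry Keys", ...
    item: str     # file path or registry key
    threat: str   # e.g. "PUP.Optional.CrossRider"
    action: str   # e.g. "Quarantined and deleted successfully"

def parse_mbam_log(text):
    """Return (header dict, list of Detection) for one mbam-log-*.txt."""
    header, detections, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)                        # detection blocks follow the header
        elif section is None and (m := HEADER_RE.match(line)):
            header[m.group(1)] = m.group(2)
        elif section and (m := ITEM_RE.match(line)):
            detections.append(Detection(section, *m.groups()))
    return header, detections

def triage(detections):
    """Tally hits by top-level family (PUP, Adware, Trojan, ...) so adware noise is easy to tell apart."""
    return dict(Counter(d.threat.split(".")[0] for d in detections))
```

Run over the logs in a thread like this one, the tally makes the helper's later conclusion checkable at a glance: every hit here is in the PUP/Adware families, and none is in a location that would explain boot-time CHKDSK repairs.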
 

Ok, I ran another Flash Scan of Malwarebytes Pro just now:  No malware was found.

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.09.24.08
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Ralph :: RALPH-PC [administrator]
 
Protection: Enabled
 
9/25/2013 1:55:47 PM
mbam-log-2013-09-25 (13-55-47).txt
 
Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 176031
Time elapsed: 2 minute(s), 38 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
ESET is running now.

Another current issue.  While running ESET online (under Chrome) it stopped after 1456 files, on C:\Boot\bootstat.dat without advancing for another 20 minutes or more.  When I clicked on the link for the help screen (http://www.eset.com/us/online-scanner/help/), the system froze without that page coming up (just a blank page), and a small message at the bottom which said 'waiting for cache...'

 

This remained for another 30 minutes or so, until I tried to close other pages, and the system froze solid, with no cursor movement or system tray or Start button.  So I forced a shutdown.  This time, when I started up, the system did a CHKDSK.  Like other recent CHKDSKs, it deleted the index entries for wmplayer.exe and taskmgr.exe, then went on to recover the orphaned files wmplayer.exe and taskmgr.exe, and finished normally.

 

Windows then started up normally, and I'm back here to write this message, before looking into ESET help, and trying to run it with Internet Explorer this time instead of Chrome if this might help.

 

I don't know what is filling up my cache and causing the system to freeze.  Hoping you will be able to solve this for me.


I shut down Chrome and went to IE to run ESET Online again.  It came up, installed ActiveX, and started to run with the parameters you specified.  I watched it cruise through the first 1455 files quickly, then stop again at the same place as before:

1456 files, C:\Boot\bootstat.dat

 

I let the scan run for another hour (the clock continued to tick the elapsed time, but nothing else moved), and I started no more programs.  Finally I tried to start Windows Explorer, but it wouldn't start.  I clicked on a new IE tab, but the system froze, and there was no system tray or Start button.  The system was frozen again.  I forced another shutdown.  This time it came up without a CHKDSK, and is still running normally.

 

What next?  And did the GMER run indicate a rootkit?


No, you just had some adware on your system, which couldn't be the reason for all this.

I'll forward you to our General PC help forum: http://forums.malwarebytes.org/index.php?showforum=6

 

Please open up a new topic there - tell the helper that you were here before and finished the malware removal process.

 

Good luck for the future and keep on working with computers!


Thanks very much for your help, Marius.

What do you make of the ESET run which hung up both times at the same place and failed to continue the scan?

 

files 1456    file: C:\Boot\bootstat.dat

 

When I look for that file in Windows Explorer, I can't find it.  Is it the remnant of a virus or trojan?


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
