ralphyde
-
Posts
72 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Posts posted by ralphyde
-
-
Please refer to this topic on the Malware Removal Help forum where this was originally posted:
http://forums.malwarebytes.org/index.php?showtopic=133795
I thought my current instability was the result of changes made by viruses or malware, but Marius in that forum was unable to find any clues, and transferred me to this forum. where I hope to get some help. Possibly it's a matter of messed up settings.
Currently, my computer (Gateway laptop running Vista 32) runs fine for awhile, but periodically, slows and freezes, sometimes crashing, or requiring a forced shutdown and restart in order to continue.
Sometimes it does a CHKDSK on restart, and the indexes for taskmgr.exe and wmplayer.exe are always involved, along with other files sometimes. But CHKDSK always completes the repairs, and the computer functions normally for awhile.
Occasionally the message 'waiting for cache...' is seen prior to a freeze-up. I have been unable to run a full scan with Malwarebytes Pro or MSE recently because the system will freeze up and crash before finishing.
Thanks for any help you can give me. I am 76 years old. Hope I wont try your patience too much.
Here is the output from DDS, which Marius had me run:
====================================================
Here is the output from DDS.txt:
DDS (Ver_2012-11-20.01) - NTFS_x86Internet Explorer: 9.0.8112.16506 BrowserJavaVersion: 10.25.2Run by Ralph at 11:12:43 on 2013-09-24Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.835 [GMT -7:00].AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}.============== Running Processes ================.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exec:\Program Files\Microsoft Security Client\MsMpEng.exeC:\Windows\system32\SLsvc.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\Dwm.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\taskeng.exeC:\Windows\Explorer.EXEC:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exeC:\Windows\system32\agrsmsvc.exeC:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exeC:\Program Files\Malwarebytes Secure Backup\SAgent.Service.exeC:\Program Files\Secunia\PSI\PSIA.exeC:\Program Files\Malwarebytes Secure Backup\mbsbscan.exeC:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exeC:\Program Files\TomTom HOME 2\TomTomHOMEService.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEC:\Windows\system32\SearchIndexer.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exeC:\Windows\System32\WUDFHost.exec:\Program Files\Microsoft Security Client\NisSrv.exeC:\Program Files\Secunia\PSI\sua.exeC:\Windows\System32\alg.exeC:\Program Files\Microsoft Security Client\msseces.exeC:\Program Files\HP\HP Software Update\hpwuschd2.exeC:\Program Files\Malwarebytes Secure Backup\SMessaging.exeC:\Program Files\HP\HP Photosmart 6520 series\Bin\ScanToPCActivationApp.exeC:\Program Files\Garmin\Express Tray\ExpressTray.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\Secunia\PSI\psi_tray.exeC:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exeC:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicator.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exeC:\Program Files\Windows Mail\WinMail.exeC:\Program Files\Microsoft\BingBar\7.2.241.0\SeaPort.exeC:\Program Files\Google\Chrome\Application\chrome.exeC:\Program Files\Google\Chrome\Application\chrome.exeC:\Program Files\Google\Chrome\Application\chrome.exeC:\Program Files\Google\Chrome\Application\chrome.exeC:\Program Files\Google\Chrome\Application\chrome.exeC:\Program Files\Google\Chrome\Application\chrome.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k rpcssC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k GPSvcGroupC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Windows\system32\svchost.exe -k imgsvcC:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation.============== Pseudo HJT Report ===============.dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dllBHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dllBHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - <orphaned>BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllBHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - <orphaned>BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dllTB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dlluRun: [HP Photosmart 6520 series (NET)] "c:\program files\hp\hp photosmart 6520 series\bin\ScanToPCActivationApp.exe" -deviceID "CN2AI3526V05XP:NW" -scfn "HP Photosmart 6520 series (NET)"-AutoStart 1uRun: [GarminExpressTrayApp] "c:\program files\garmin\express tray\ExpressTray.exe"uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrunuRunOnce: [Application Restart #5] c:\users\ralph\appdata\local\google\chrome\application\chrome.exe --flag-switches-begin --enable-print-preview --flag-switches-end --restore-last-session --mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hidemRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkeymRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottimemRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exemRun: [sOSUAUI] "c:\program files\malwarebytes secure backup\sosuploadagent.exe" -showuimRun: [sMessaging] c:\program files\malwarebytes secure backup\SMessaging.exeStartupFolder: c:\users\ralph\appdata\roaming\micros~1\windows\startm~1\programs\startup\monito~1.lnk - c:\windows\system32\RunDll32.exeStartupFolder: c:\users\ralph\appdata\roaming\micros~1\windows\startm~1\programs\startup\monito~2.lnk - c:\windows\system32\RunDll32.exeStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exemPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0mPolicies-System: EnableUIADesktopToggle = dword:0IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dllIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dllIE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllTCP: NameServer = 192.168.0.1 64.91.3.46TCP: Interfaces\{1C35532F-CC6F-407B-98E8-2291FE153E84} : DHCPNameServer = 192.168.0.1 64.91.3.46TCP: Interfaces\{FD8151B4-12CB-4F39-AF97-76EE4D27BCC3} : DHCPNameServer = 192.168.0.1 209.206.179.157Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dllHandler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dllNotify: igfxcui - igfxdev.dllAppInit_DLLs= c:\progra~1\google\google~1\GOEC62~1.DLLLSA: Security Packages = kerberos msv1_0 schannel wdigest tspkgmASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome.============= SERVICES / DRIVERS ===============.R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-3 31576]R1 MpKsl529f02b5;MpKsl529f02b5;c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\MpKsl529f02b5.sys [2013-9-23 40392]R1 MpKsla99b3035;MpKsla99b3035;c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\MpKsla99b3035.sys [2013-9-24 40392]R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-15 21504]R2 Garmin Core Update Service;Garmin Core Update Service;c:\program files\garmin\core update service\Garmin.Cartography.MapUpdate.CoreService.exe [2013-8-22 220504]R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-2-17 418376]R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-2-17 701512]R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-8-30 107392]R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-28 196912]R2 sagentservice;Online Backup Service;c:\program files\malwarebytes secure backup\SAgent.Service.exe [2013-8-15 39832]R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-8-14 3291008]R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2013-7-2 93072]R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.2.241.0\SeaPort.EXE [2013-7-23 240288]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-17 22856]R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-9-22 40776]R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-6-20 295376]R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2010-3-31 350720]R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.2.241.0\BBSvc.EXE [2013-7-23 193696]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 gupdate1c90e025ce8c3d3;Google Update Service (gupdate1c90e025ce8c3d3);c:\program files\google\update\GoogleUpdate.exe [2013-2-5 116648]S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-21 162408]S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2009-11-16 704000]S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2009-11-16 24192]S3 usbUDisc;usbUDisc;c:\windows\system32\drivers\USBDrv.sys [2012-8-27 13824].=============== Created Last 30 ================.2013-09-24 17:28:03 40392 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\MpKsla99b3035.sys2013-09-24 05:00:04 40392 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\MpKsl529f02b5.sys2013-09-23 18:44:40 7328304 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\mpengine.dll2013-09-23 18:13:43 -------- d-sh--w- C:\found.0082013-09-23 08:13:38 -------- d-sh--w- C:\found.0072013-09-22 20:14:46 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2013-09-22 06:02:31 7328304 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll2013-09-12 20:58:20 -------- d-sh--w- C:\found.0062013-09-12 03:23:10 615936 ----a-w- c:\windows\system32\themeui.dll2013-09-12 03:21:50 2049536 ----a-w- c:\windows\system32\win32k.sys2013-09-06 03:52:13 718712 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1a862cd4-4029-4f66-973d-ce99a48bce04}\gapaengine.dll2013-09-03 13:53:52 187248 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll2013-08-31 16:24:45 -------- d-----w- C:\ce6ec4963661da0ceca73c30c6cdd12013-08-28 17:29:53 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL2013-08-28 16:52:52 -------- d-sh--w- C:\found.0052013-08-28 07:38:19 -------- d-sh--w- C:\found.004.==================== Find3M ====================.2013-09-19 18:15:51 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2013-09-19 18:15:51 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe2013-08-15 21:50:17 31744 ----a-w- c:\windows\system32\cscapi.dll2013-08-05 04:49:51 481336 ----a-w- c:\windows\system32\cc_20130804_214808.reg2013-07-31 10:00:20 1800704 ----a-w- c:\windows\system32\jscript9.dll2013-07-31 09:52:44 1129472 ----a-w- c:\windows\system32\wininet.dll2013-07-31 09:52:34 1427968 ----a-w- c:\windows\system32\inetcpl.cpl2013-07-31 09:48:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe2013-07-31 09:48:09 420864 ----a-w- c:\windows\system32\vbscript.dll2013-07-31 09:45:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb2013-07-17 19:41:34 2048 ----a-w- c:\windows\system32\tzres.dll2013-07-14 20:24:10 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll2013-07-14 20:24:02 867240 ----a-w- c:\windows\system32\npDeployJava1.dll2013-07-14 20:24:02 789416 ----a-w- c:\windows\system32\deployJava1.dll2013-07-12 21:00:55 28764 ----a-w- c:\programdata\1373662743.bdinstall.bin2013-07-10 09:47:00 783360 ----a-w- c:\windows\system32\rpcrt4.dll2013-07-09 12:10:36 1205168 ----a-w- c:\windows\system32\ntdll.dll2013-07-08 04:55:51 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe2013-07-08 04:55:51 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe2013-07-08 04:20:04 172544 ----a-w- c:\windows\system32\wintrust.dll2013-07-08 04:16:55 98304 ----a-w- c:\windows\system32\cryptnet.dll2013-07-08 04:16:55 133120 ----a-w- c:\windows\system32\cryptsvc.dll2013-07-08 04:16:54 992768 ----a-w- c:\windows\system32\crypt32.dll2013-07-05 03:20:37 914880 ----a-w- c:\windows\system32\drivers\tcpip.sys2013-07-05 01:43:04 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys.============= FINISH: 11:15:34.97 ===============There is also an attached output from Attach.txt from DDS in the previous thread.Thanks for your help. -
Thanks very much for your help, Marius.
What do you make of the ESET run which hung up both times at the same place and failed to continue the scan?
files 1456 file: C:\Boot\bootstat.dat
When I look for that file in Windows Explorer, I can't find it. Is it the remnant of a virus or trojan?
-
I shut down Chrome and went to IE to run ESET Online again. It came up, installed activex, and started to run with the parameters you specified. I watched it cruise through the first 1455 files quickly, then stop again at the same place as before:
1456 files, C:\Boot\bootstat.datI let the scan run for another hour (the clock continued to tick the elapsed time, but nothing else moved, and I started no more programs. Finally I tried to start Windows Explorer, but it wouldn't start. I clicked on a new IE tab, but the system froze, and there was no system tray or start button. System was frozen again. I forced another shutdown. This time it came up without a CHKDSK, and is still running normally.
What next? And did the GMER run indicate a rootkit?
-
Another current issue. While running ESET online (under Chrome) it stopped after 1456 files, on C:\Boot\bootstat.dat without advancing for another 20 minutes or more. When I clicked on the link for the help screen (http://www.eset.com/us/online-scanner/help/), the system froze without that page coming up (just a blank page), and a small message at the bottom which said 'waiting for cache...'
This remained for another 30 minutes or so, until I tried to close other pages, and the system froze solid, with no cursor movement or system tray or Start button. So I forced a shutdown. This time, when I started up, the system did a CHKDSK. Like other recent CHKDSKs,
It deleted index entry wmplayer.exe and taskmgr.exe then went on to
recover orphaned file wmplayer.exe and taskmgr.exe and finish normally.
Windows then started up normally, and I'm back here to write this message, before looking into ESET help, and trying to run it with Internet Explorer this time instead of Chrome if this might help.
I don't know what is filling up my cache and causing the system to freeze. Hoping you will be able to solve this for me.
-
Ok, I ran another Flash Scan of Malwarebytes Pro just now: No malware was found.
Malwarebytes Anti-Malware (PRO) 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.09.24.08Windows Vista Service Pack 2 x86 NTFSInternet Explorer 9.0.8112.16421Ralph :: RALPH-PC [administrator]Protection: Enabled9/25/2013 1:55:47 PMmbam-log-2013-09-25 (13-55-47).txtScan type: Flash scanScan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: Registry | File System | P2PObjects scanned: 176031Time elapsed: 2 minute(s), 38 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end)ESET is running now. -
Yes, I am having an issue running a full scan with Malwarebyes Pro. My system bogged down and froze after about 20 minutes, so that I had to force a shutdown. I was able to restart normally. I have not been able to run a full scan with Malwarebytes or with MSE for the recent days when my system has been bogging down and freezing after only a few hours of running. Previously, a full scan would take about 3 hours, so I would run it at night. But recently, I'd wake up to find the system frozen with Malwarebytes also frozen. So instead, I have been running the Flash Scan option of Malwarebytes Pro. Here are some recent results, if this would help:
The latest with Flash Scan option on September 22:
Malwarebytes Anti-Malware (PRO) 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.09.22.01Windows Vista Service Pack 2 x86 NTFSInternet Explorer 9.0.8112.16421Ralph :: RALPH-PC [administrator]Protection: Enabled9/22/2013 11:16:20 AMmbam-log-2013-09-22 (11-16-20).txtScan type: Flash scanScan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: Registry | File System | P2PObjects scanned: 175925Time elapsed: 3 minute(s), 43 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end)Here's the latest one that found anything on September 19:Malwarebytes Anti-Malware (PRO) 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.09.19.06Windows Vista Service Pack 2 x86 NTFSInternet Explorer 9.0.8112.16421Ralph :: RALPH-PC [administrator]Protection: Enabled9/19/2013 10:44:09 PMmbam-log-2013-09-19 (22-44-09).txtScan type: Flash scanScan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: Registry | File System | P2PObjects scanned: 175415Time elapsed: 3 minute(s), 18 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 1HKCU\Software\Cr_Installer\21804 (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end)And here's last successful Full scan, on August 30th:Malwarebytes Anti-Malware (PRO) 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.08.29.03Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)Internet Explorer 9.0.8112.16421Ralph :: RALPH-PC [administrator]Protection: Disabled8/29/2013 10:46:30 PMmbam-log-2013-08-29 (22-46-30).txtScan type: Full scan (C:\|D:\|)Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 504020Time elapsed: 2 hour(s), 47 minute(s), 49 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end)And here is the last malware that was found and removed on August 28th.Malwarebytes Anti-Malware (PRO) 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.08.28.01Windows Vista Service Pack 2 x86 NTFSInternet Explorer 9.0.8112.16421Ralph :: RALPH-PC [administrator]Protection: Enabled8/28/2013 1:17:19 PMmbam-log-2013-08-28 (13-17-19).txtScan type: Flash scanScan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: Registry | File System | P2PObjects scanned: 195082Time elapsed: 4 minute(s), 38 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 12HKCR\CrossriderApp0021804.BHO (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.HKCR\CrossriderApp0021804.BHO.1 (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.HKCR\CrossriderApp0021804.Sandbox (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.HKCR\CrossriderApp0021804.Sandbox.1 (PUP.Optional.CrossRider.A) -> Quarantined and deleted successfully.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.HKCR\CLSID\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.HKCR\TypeLib\{44444444-4444-4444-4444-440244184404} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.HKCR\Interface\{55555555-5555-5555-5555-550255185504} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110211181104} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 1C:\Program Files\Coupon Companion Plugin\Coupon Companion Plugin.dll (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.(end)Further back in August, on August 4, there was this, using a Quick Scan.Malwarebytes Anti-Malware (PRO) 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.08.03.02Windows Vista Service Pack 2 x86 NTFSInternet Explorer 9.0.8112.16421Ralph :: RALPH-PC [administrator]Protection: Enabled8/4/2013 3:44:33 PMmbam-log-2013-08-04 (15-44-33).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 238776Time elapsed: 26 minute(s), 53 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 2C:\Users\Ralph\Downloads\SportHunterTVApp_setup(11).exe (PUP.BundleInstaller.DW) -> Quarantined and deleted successfully.C:\Users\Ralph\Downloads\DownloadSetup.exe (PUP.Optional.Installex) -> Quarantined and deleted successfully.(end)And back on July 2, there was this:Malwarebytes Anti-Malware 1.75.0.1300www.malwarebytes.orgDatabase version: v2013.06.30.05Windows Vista Service Pack 2 x86 NTFSInternet Explorer 9.0.8112.16421Ralph :: RALPH-PC [administrator]7/2/2013 12:34:49 AMmbam-log-2013-07-02 (00-34-49).txtScan type: Full scan (C:\|D:\|)Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 489886Time elapsed: 3 hour(s), 49 minute(s), 10 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 5C:\Users\Ralph\Downloads\FlashPlayer_V.106726342c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.C:\Users\Ralph\Downloads\FlashPlayer_V.166065848c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.C:\Users\Ralph\Downloads\FlashPlayer_V.166065916c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.C:\Users\Ralph\Downloads\FlashPlayer_V.166065945c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.C:\Users\Ralph\Downloads\FlashPlayer_V.166065955c.exe (Adware.DomaIQ) -> Quarantined and deleted successfully.(end)Then there was nothing back until February 25, back when ITechline was trying to solve my problems.Malwarebytes Anti-Malware 1.70.0.1100www.malwarebytes.orgDatabase version: v2013.02.25.02Windows Vista Service Pack 2 x86 NTFSInternet Explorer 9.0.8112.16421Ralph :: RALPH-PC [administrator]2/25/2013 12:33:53 AMmbam-log-2013-02-25 (00-33-53).txtScan type: Full scan (C:\|D:\|)Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 450076Time elapsed: 3 hour(s), 4 minute(s), 8 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 5C:\Program Files\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.C:\Program Files\ClickPotatoLite\bin (Adware.ClickPotato) -> Quarantined and deleted successfully.C:\Program Files\ClickPotatoLite\bin\10.0.630.0 (Adware.ClickPotato) -> Quarantined and deleted successfully.C:\Program Files\ClickPotatoLite\bin\10.0.630.0\firefox (Adware.ClickPotato) -> Quarantined and deleted successfully.C:\Program Files\ClickPotatoLite\bin\10.0.630.0\firefox\extensions (Adware.ClickPotato) -> Quarantined and deleted successfully.Files Detected: 0(No malicious items detected)(end)I think MSE found and removed another, sometime during this period, but I can't find the logs.I hope this is helpful.Shall I go ahead with the ESET scan, or wait for further instructions? -
Here is the content of ark.txt from GMER rootkit scanner:
GMER 2.1.19163 - http://www.gmer.netRootkit scan 2013-09-24 13:58:55Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.0000 149.05GBRunning: 6d4nnzwk.exe; Driver: C:\Users\Ralph\AppData\Local\Temp\fglorpoc.sys---- Devices - GMER 2.1 ----AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sysAttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sysAttachedDevice \FileSystem\fastfat \Fat fltmgr.sysAttachedDevice \FileSystem\fastfat \Fat fltmgr.sys---- Registry - GMER 2.1 ----Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LogName C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy35.gthrReg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LogNumber 36---- EOF - GMER 2.1 ---- -
-
With regard to Attach.txt, your instructions say to attach it to my next reply, rather than posting it, as above.
I do not find an attach icon. Basic question; How do I do an attach here?
Thanks,
-
Thank you, Marius, for your help. I will try to follow your instructions to the best of my limited ability.
Here is the output from DDS.txt:
DDS (Ver_2012-11-20.01) - NTFS_x86Internet Explorer: 9.0.8112.16506 BrowserJavaVersion: 10.25.2Run by Ralph at 11:12:43 on 2013-09-24Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.835 [GMT -7:00].AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}.============== Running Processes ================.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exec:\Program Files\Microsoft Security Client\MsMpEng.exeC:\Windows\system32\SLsvc.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\Dwm.exeC:\Windows\system32\taskeng.exeC:\Windows\system32\taskeng.exeC:\Windows\Explorer.EXEC:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exeC:\Windows\system32\agrsmsvc.exeC:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exeC:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exeC:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files\Nitro PDF\Reader\NitroPDFReaderDriverService.exeC:\Program Files\Malwarebytes Secure Backup\SAgent.Service.exeC:\Program Files\Secunia\PSI\PSIA.exeC:\Program Files\Malwarebytes Secure Backup\mbsbscan.exeC:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exeC:\Program Files\TomTom HOME 2\TomTomHOMEService.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEC:\Windows\system32\SearchIndexer.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exeC:\Windows\System32\WUDFHost.exec:\Program Files\Microsoft Security Client\NisSrv.exeC:\Program Files\Secunia\PSI\sua.exeC:\Windows\System32\alg.exeC:\Program Files\Microsoft Security Client\msseces.exeC:\Program Files\HP\HP Software Update\hpwuschd2.exeC:\Program Files\Malwarebytes Secure Backup\SMessaging.exeC:\Program Files\HP\HP Photosmart 6520 series\Bin\ScanToPCActivationApp.exeC:\Program Files\Garmin\Express Tray\ExpressTray.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\Secunia\PSI\psi_tray.exeC:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exeC:\Program Files\Windows Media Player\wmpnscfg.exeC:\Program Files\Windows Media Player\wmpnetwk.exeC:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicatorCom.exeC:\Program Files\HP\HP Photosmart 6520 series\Bin\HPNetworkCommunicator.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exeC:\Program Files\Windows Mail\WinMail.exeC:\Program Files\Microsoft\BingBar\7.2.241.0\SeaPort.exeC:\Program Files\Google\Chrome\Application\chrome.exeC:\Program Files\Google\Chrome\Application\chrome.exeC:\Program Files\Google\Chrome\Application\chrome.exeC:\Program Files\Google\Chrome\Application\chrome.exeC:\Program Files\Google\Chrome\Application\chrome.exeC:\Program Files\Google\Chrome\Application\chrome.exeC:\Windows\system32\SearchProtocolHost.exeC:\Windows\system32\SearchFilterHost.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k rpcssC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k GPSvcGroupC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Windows\system32\svchost.exe -k imgsvcC:\Windows\System32\svchost.exe -k WerSvcGroupC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation.============== Pseudo HJT Report ===============.dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dllBHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dllBHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - <orphaned>BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllBHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - <orphaned>BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dllTB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} - c:\program files\microsoft\bingbar\7.2.241.0\BingExt.dlluRun: [HP Photosmart 6520 series (NET)] "c:\program files\hp\hp photosmart 6520 series\bin\ScanToPCActivationApp.exe" -deviceID "CN2AI3526V05XP:NW" -scfn "HP Photosmart 6520 series (NET)"-AutoStart 1uRun: [GarminExpressTrayApp] "c:\program files\garmin\express tray\ExpressTray.exe"uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrunuRunOnce: [Application Restart #5] c:\users\ralph\appdata\local\google\chrome\application\chrome.exe --flag-switches-begin --enable-print-preview --flag-switches-end --restore-last-session --mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hidemRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkeymRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottimemRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exemRun: [sOSUAUI] "c:\program files\malwarebytes secure backup\sosuploadagent.exe" -showuimRun: [sMessaging] c:\program files\malwarebytes secure backup\SMessaging.exeStartupFolder: c:\users\ralph\appdata\roaming\micros~1\windows\startm~1\programs\startup\monito~1.lnk - c:\windows\system32\RunDll32.exeStartupFolder: c:\users\ralph\appdata\roaming\micros~1\windows\startm~1\programs\startup\monito~2.lnk - c:\windows\system32\RunDll32.exeStartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exemPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0mPolicies-System: EnableUIADesktopToggle = dword:0IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dllIE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dllIE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllTCP: NameServer = 192.168.0.1 64.91.3.46TCP: Interfaces\{1C35532F-CC6F-407B-98E8-2291FE153E84} : DHCPNameServer = 192.168.0.1 64.91.3.46TCP: Interfaces\{FD8151B4-12CB-4F39-AF97-76EE4D27BCC3} : DHCPNameServer = 192.168.0.1 209.206.179.157Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dllHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dllHandler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dllNotify: igfxcui - igfxdev.dllAppInit_DLLs= c:\progra~1\google\google~1\GOEC62~1.DLLLSA: Security Packages = kerberos msv1_0 schannel wdigest tspkgmASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\29.0.1547.76\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome.============= SERVICES / DRIVERS ===============.R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-3 31576]R1 MpKsl529f02b5;MpKsl529f02b5;c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\MpKsl529f02b5.sys [2013-9-23 40392]R1 MpKsla99b3035;MpKsla99b3035;c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\MpKsla99b3035.sys [2013-9-24 40392]R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-15 21504]R2 Garmin Core Update Service;Garmin Core Update Service;c:\program files\garmin\core update service\Garmin.Cartography.MapUpdate.CoreService.exe [2013-8-22 220504]R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-2-17 418376]R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-2-17 701512]R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-8-30 107392]R2 NitroReaderDriverReadSpool;NitroPDFReaderDriverCreatorReadSpool;c:\program files\nitro pdf\reader\NitroPDFReaderDriverService.exe [2011-1-28 196912]R2 sagentservice;Online Backup Service;c:\program files\malwarebytes secure backup\SAgent.Service.exe [2013-8-15 39832]R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-8-14 3291008]R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2013-7-2 93072]R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.2.241.0\SeaPort.EXE [2013-7-23 240288]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-17 22856]R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-9-22 40776]R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-6-20 295376]R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2010-3-31 350720]R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]S2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.2.241.0\BBSvc.EXE [2013-7-23 193696]S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]S2 gupdate1c90e025ce8c3d3;Google Update Service (gupdate1c90e025ce8c3d3);c:\program files\google\update\GoogleUpdate.exe [2013-2-5 116648]S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-21 162408]S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]S3 USA19H;USA19H;c:\windows\system32\drivers\USA19H2k.sys [2009-11-16 704000]S3 USA19H2KP;Keyspan USB Serial Port Driver;c:\windows\system32\drivers\USA19H2kp.sys [2009-11-16 24192]S3 usbUDisc;usbUDisc;c:\windows\system32\drivers\USBDrv.sys [2012-8-27 13824].=============== Created Last 30 ================.2013-09-24 17:28:03 40392 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\MpKsla99b3035.sys2013-09-24 05:00:04 40392 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\MpKsl529f02b5.sys2013-09-23 18:44:40 7328304 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{4f1b834e-4cab-4f09-9edf-11ceb45c916c}\mpengine.dll2013-09-23 18:13:43 -------- d-sh--w- C:\found.0082013-09-23 08:13:38 -------- d-sh--w- C:\found.0072013-09-22 20:14:46 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2013-09-22 06:02:31 7328304 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll2013-09-12 20:58:20 -------- d-sh--w- C:\found.0062013-09-12 03:23:10 615936 ----a-w- c:\windows\system32\themeui.dll2013-09-12 03:21:50 2049536 ----a-w- c:\windows\system32\win32k.sys2013-09-06 03:52:13 718712 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{1a862cd4-4029-4f66-973d-ce99a48bce04}\gapaengine.dll2013-09-03 13:53:52 187248 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll2013-08-31 16:24:45 -------- d-----w- C:\ce6ec4963661da0ceca73c30c6cdd12013-08-28 17:29:53 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL2013-08-28 16:52:52 -------- d-sh--w- C:\found.0052013-08-28 07:38:19 -------- d-sh--w- C:\found.004.==================== Find3M ====================.2013-09-19 18:15:51 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl2013-09-19 18:15:51 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe2013-08-15 21:50:17 31744 ----a-w- c:\windows\system32\cscapi.dll2013-08-05 04:49:51 481336 ----a-w- c:\windows\system32\cc_20130804_214808.reg2013-07-31 10:00:20 1800704 ----a-w- c:\windows\system32\jscript9.dll2013-07-31 09:52:44 1129472 ----a-w- c:\windows\system32\wininet.dll2013-07-31 09:52:34 1427968 ----a-w- c:\windows\system32\inetcpl.cpl2013-07-31 09:48:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe2013-07-31 09:48:09 420864 ----a-w- c:\windows\system32\vbscript.dll2013-07-31 09:45:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb2013-07-17 19:41:34 2048 ----a-w- c:\windows\system32\tzres.dll2013-07-14 20:24:10 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll2013-07-14 20:24:02 867240 ----a-w- c:\windows\system32\npDeployJava1.dll2013-07-14 20:24:02 789416 ----a-w- c:\windows\system32\deployJava1.dll2013-07-12 21:00:55 28764 ----a-w- c:\programdata\1373662743.bdinstall.bin2013-07-10 09:47:00 783360 ----a-w- c:\windows\system32\rpcrt4.dll2013-07-09 12:10:36 1205168 ----a-w- c:\windows\system32\ntdll.dll2013-07-08 04:55:51 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe2013-07-08 04:55:51 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe2013-07-08 04:20:04 172544 ----a-w- c:\windows\system32\wintrust.dll2013-07-08 04:16:55 98304 ----a-w- c:\windows\system32\cryptnet.dll2013-07-08 04:16:55 133120 ----a-w- c:\windows\system32\cryptsvc.dll2013-07-08 04:16:54 992768 ----a-w- c:\windows\system32\crypt32.dll2013-07-05 03:20:37 914880 ----a-w- c:\windows\system32\drivers\tcpip.sys2013-07-05 01:43:04 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys.============= FINISH: 11:15:34.97 =============== -
I have a very unstable computer now, a Gateway laptop running on Vista Home premium SP2.
my problems started in late January, 2013. when I my computer wouldn't start. I used AVG free back then. In safe mode, I ran AVG scan and it found EXPLOIT virus and trojans. I called a number I found somewhere that I thought was AVG, but it turned out to be an Indian man, who ran some scans, said I had over 4000 errors, and he connected me with ITechline, associated with Microsoft, he said. I paid $199 for three months help. Various Indian technicians worked on my computer remotely, running malwarebytes among other things, and deleting some of my programs as well, including AVG. They installed MSE.
At various times they said it was fixed, but then I would have more crashes. I eventually lost confidence in their ablilities, and my computer was running ok but wiith occasional crashes. I also found and removed the Win32-OpenCandy virus, with Malwarebytes, but not sure really fixed.
Recently, my computer has gotten less stable, and freezes and crashes occasionally, but usually comes up okay, after a CHKDSK run which deletes, fixes, and rebuilds indexes. Two programs always showing in the CHKDSK run are taskmgr.exe and wmplayer.exe. but the indexes are rebuilt, and things run ok for awhile.
I have recently bought Malwarebytes Pro and Malwarebytes Secure Backup, to get my files backed up before getting more help. But running Secure Backup took a few days, because the computer would freeze partway through and not complete, but would get further on my next try, and finally completed a few days ago.
But last night, my computer wouldn't recover normally. Had to go through multiple startup recoveries and CHKDSK runs, but by 4am it came up to the signon screen. So I shut it down cleanly. But today, another CHKDSK before coming up again. But after awhile it will bog down, then freeze. Previous dumps referenced MEMORY MANAGEMENT, but a later one said DRIVER_POWER_STATE_FAILURE (a couple of days ago).
Malwarebytes doesn't find any infections, but there might be remnants of previous ones.
So I need some help, please. I am 76 years old, have been a computer professsional in the past, but am weak in knowledge of PCs and memory now.
Thanks for any help you can give me now.
Transferred from malware removal help forum - Freezes and multiple crashes
in General Windows PC Help
Posted
Thanks for your recommendation, which I will do as soon as I post this.
Yesterday, my problems went from bad to worse, and I'm no longer able to start up normally.
But I am able to start up and communicate here in Safe Mode with networking.
I've tried Startup Repair a couple of times without success.
I ran sfc /scannow and it verified to 100% then went away.
I also ran Malwarebytes Pro again with Flash option, and it showed no malware.
Now I get a bluescreen crash whenever I shut down, which I will post a copy of here,
then when I startup again it brings up the Startup Repair option recommended.
Does being able to work in Safe Mode indicate a driver problem? How do I gradually add back
drivers to see when it fails again?
Now I'll go away and try your BIOS screen test.
Thanks for any clues or advice,
I am 76 years old (a former IBM Systems Engineer, 45 years ago), so please be patient.