Jump to content

Multiple Crashes, Freezes, Unable to read Minidumps (settings changed by malware?)


Recommended Posts

  • Root Admin

Here is an article about it in general. 
 
http://www.auslogics.com/en/articles/bad-sector/
 
The issue is that normally these type of failures are hidden from you and automatically corrected by the hard drive firmware.  Once you start seeing them then it typically indicates that the free block of space that is allocated for this has been used up and is now slowly taking parts of the useable disk to map bad ones.
There is no tool that can accurately determine how long the drive will last so making sure you have good data backups is important.  If you have your data backed up and plan to get a new laptop then probably not worth worrying about but better safe than sorry by backing up your data.
 

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if ran at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
It will also reset your System Restore by flushing out previous restore points and create a new restore point.
It will also remove all the backups our tools may have created.

Uninstall ComboFix (if used):

  • Turn off all active protection software including your antivirus.
  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • Please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

CF-Uninstall.png


 
Remove the rest of the tools used:
 

Please download OTCleanIt and save it to your Desktop. This tool will remove all the tools we used to clean your pc.

  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not go ahead and delete it by yourself.
  • If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


AdwCleaner Removal:

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Uninstall
  • Confirm with Yes

ESET antivirus Removal:

  • This tool can be uninstalled via the Control Panel, Programs, Uninstall

If there are any other left over Folders, Files, Logs then you can delete them on your own.
 
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis I advise not using Java if possible but to at least disable java in your web browsers
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

If you're not currently using Malwarebytes PRO then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

Link to post
Share on other sites

  • Replies 53
  • Created
  • Last Reply

Top Posters In This Topic

Thanks for all the reference material.  I am currently using Malwarebytes Pro, as well as Secure Backup. 

And I am a subscriber to Windows Secrets, though I can't keep up with it.

 

Last night I decided to see if I could run a Malwarebytes full scan, just to see if my computer could do it

without freezing up.  And first, I scheduled a CHKDSK /f.

 

I started around 9:45.  When I went to bed after 11, Malwarebytes Pro showed one issue found.

But when I checked at 2:30 AM, the screen was black, and nothing I could do would revive it, so I closed it.

 

In the morning, I restarted (chose normal startup), but couldn't find any output from the full scan.  The event log

showed that at 2:06, there were a gupdate, 2 system restore point creations, another gupdate, and a VSS at 2:09.

(I don't know what these mean).  I haven't found any output from the Malwarebytes run, and nothing shows in its

history tab.

 

The output from the CHKDSK run shows the same index rebuilding involving taskmgr and wmplayer, which I don't

understand.  Here is the output from that run:

 

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          10/21/2013 9:46:58 PM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      RALPH-PC
Description:
 
 
Checking file system on C:
The type of the file system is NTFS.
 
 
A disk check has been scheduled.
Windows will now check the disk.                         
  318912 file records processed.                                  
 
  1516 large file records processed.                            
 
  0 bad file records processed.                              
 
  0 EA records processed.                                    
 
  68 reparse records processed.                               
 
Unable to locate the file name attribute of index entry wmplayer.exe
of index $I30 with parent 0xcb in file 0x3688f.
Deleting index entry wmplayer.exe in index $I30 of file 203.
Unable to locate the file name attribute of index entry inetpp.dll
of index $I30 with parent 0x5b3 in file 0x30fc9.
Deleting index entry inetpp.dll in index $I30 of file 1459.
Unable to locate the file name attribute of index entry taskeng.exe
of index $I30 with parent 0x5b3 in file 0x36e5b.
Deleting index entry taskeng.exe in index $I30 of file 1459.
Unable to locate the file name attribute of index entry taskmgr.exe
of index $I30 with parent 0x5b3 in file 0x200cc.
Deleting index entry taskmgr.exe in index $I30 of file 1459.
Unable to locate the file name attribute of index entry wer.dll
of index $I30 with parent 0x5b3 in file 0x30de1.
Deleting index entry wer.dll in index $I30 of file 1459.
  386080 index entries processed.                                 
 
CHKDSK is recovering lost files.
Recovering orphaned file taskmgr.exe (131276) into directory file 1459.
Recovering orphaned file wer.dll (200161) into directory file 1459.
Recovering orphaned file inetpp.dll (200649) into directory file 1459.
Recovering orphaned file wmplayer.exe (223375) into directory file 203.
  5 unindexed files processed.                               
 
Recovering orphaned file taskeng.exe (224859) into directory file 1459.
  318912 security descriptors processed.                          
 
Cleaning up 9 unused index entries from index $SII of file 0x9.
Cleaning up 9 unused index entries from index $SDH of file 0x9.
Cleaning up 9 unused security descriptors.
  33585 data files processed.                                    
 
CHKDSK is verifying Usn Journal...
  34528776 USN bytes processed.                                     
 
Usn Journal verification completed.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.
 
 145773809 KB total disk space.
  70644432 KB in 260267 files.
    145660 KB in 33586 indexes.
        60 KB in bad sectors.
    437309 KB in use by the system.
     65536 KB occupied by the log file.
  74546348 KB available on disk.
 
      4096 bytes in each allocation unit.
  36443452 total allocation units on disk.
  18636587 allocation units available on disk.
 
Internal Info:
c0 dd 04 00 e9 7b 04 00 05 b9 07 00 00 00 00 00  .....{..........
32 7c 00 00 44 00 00 00 00 00 00 00 00 00 00 00  2|..D...........
42 00 00 00 e2 73 ef 76 58 84 40 00 58 7c 40 00  B....s.vX.@.X|@.
 
Windows has finished checking your disk.
Please wait while your computer restarts.
 
Event Xml:
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-10-22T04:46:58.000Z" />
    <EventRecordID>143591</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>RALPH-PC</Computer>
    <Security />
  </System>
  <EventData>
    <Data>
 
Checking file system on C:
The type of the file system is NTFS.
 
 
A disk check has been scheduled.
Windows will now check the disk.                         
  318912 file records processed.                                  
 
  1516 large file records processed.                            
 
  0 bad file records processed.                              
 
  0 EA records processed.                                    
 
  68 reparse records processed.                               
 
Unable to locate the file name attribute of index entry wmplayer.exe
of index $I30 with parent 0xcb in file 0x3688f.
Deleting index entry wmplayer.exe in index $I30 of file 203.
Unable to locate the file name attribute of index entry inetpp.dll
of index $I30 with parent 0x5b3 in file 0x30fc9.
Deleting index entry inetpp.dll in index $I30 of file 1459.
Unable to locate the file name attribute of index entry taskeng.exe
of index $I30 with parent 0x5b3 in file 0x36e5b.
Deleting index entry taskeng.exe in index $I30 of file 1459.
Unable to locate the file name attribute of index entry taskmgr.exe
of index $I30 with parent 0x5b3 in file 0x200cc.
Deleting index entry taskmgr.exe in index $I30 of file 1459.
Unable to locate the file name attribute of index entry wer.dll
of index $I30 with parent 0x5b3 in file 0x30de1.
Deleting index entry wer.dll in index $I30 of file 1459.
  386080 index entries processed.                                 
 
CHKDSK is recovering lost files.
Recovering orphaned file taskmgr.exe (131276) into directory file 1459.
Recovering orphaned file wer.dll (200161) into directory file 1459.
Recovering orphaned file inetpp.dll (200649) into directory file 1459.
Recovering orphaned file wmplayer.exe (223375) into directory file 203.
  5 unindexed files processed.                               
 
Recovering orphaned file taskeng.exe (224859) into directory file 1459.
  318912 security descriptors processed.                          
 
Cleaning up 9 unused index entries from index $SII of file 0x9.
Cleaning up 9 unused index entries from index $SDH of file 0x9.
Cleaning up 9 unused security descriptors.
  33585 data files processed.                                    
 
CHKDSK is verifying Usn Journal...
  34528776 USN bytes processed.                                     
 
Usn Journal verification completed.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.
 
 145773809 KB total disk space.
  70644432 KB in 260267 files.
    145660 KB in 33586 indexes.
        60 KB in bad sectors.
    437309 KB in use by the system.
     65536 KB occupied by the log file.
  74546348 KB available on disk.
 
      4096 bytes in each allocation unit.
  36443452 total allocation units on disk.
  18636587 allocation units available on disk.
 
Internal Info:
c0 dd 04 00 e9 7b 04 00 05 b9 07 00 00 00 00 00  .....{..........
32 7c 00 00 44 00 00 00 00 00 00 00 00 00 00 00  2|..D...........
42 00 00 00 e2 73 ef 76 58 84 40 00 58 7c 40 00  B....s.vX.@.X|@.
 
Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
  </EventData>
</Event>
 
 
And I still don't understand why we weren't able to read the minidumps by zipping.them.  Were settings changed somehow?
 
My system seems to be running better, but not without anomalies.  I have suspected all along that stealthy changes
were made my some malware, which have affected my system.  What about wmplayer? and taskmgr?  
Still not sure what  to do next.
Link to post
Share on other sites

  • Root Admin

The gupdate is from Google software updating.  The VSS is Volume Shadow Copy Service which is what is used to make Restore Points.

 

The computer is not infected at this time and it is my belief that the drive is failing.   Regardless if failing or not the only other possible solution is the one for the link to the Microsoft site which appeared to have very similar issue.  I would suggest signing up for that site and posting there for any additional help with the chkdsk issue.

 

I will be closing your post here later today as this forum is for removing malware which we have done and completed.  Your current issues are categorized as a general PC maintenance or possibly hardware issue.

 

Thank you again

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.