MBR rootkit or virus - help please


I am at my wit's end and hoping you can help.  I have some horrid infection on my PC that is causing my CPU to max out at close to 100% even when I am not using it.  Even worse, my ISP's security department shut down my connection for "network abuse".  After explaining I do NOT download songs/videos and just have a desktop, cable modem and Vonage adapter, they advised doing a clean reinstall of my OS.  THAT DID NOT FIX IT.

My setup is merely HP desktop-Vonage VDV21 adapter-Zoom 5341J cable modem.  I do NOT have a router other than what is in the VDV21.

My OS is Vista HP (I like Vista).  I purchased a brand new, sealed version of Vista with new/clean COA and installed it but I have the same issues.  (Original preinstalled version was 64-bit; new one is 32-bit).  I have had to remove my AV (eset/nod32) and disable Windows Defender to keep my PC from shutting down from the high CPU.

I ran gmer and it identified a ton of "SSDT" in the malware/rootkit section.  (Errrm, I know I shouldn't have but I did run Combofix and it quarantined "tcpip.reg" and "MBR_HardDisk0.mbr"; sorry !)

Thank you in advance.  Attached are my Farbar log and the attachment.
 

FRST.txt

Addition.txt


Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

1. Download Malwarebytes Anti-Rootkit from this link: http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped to run mbar.exe

Image1.png

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.

Image2.png

7. The following image opens, select Update

Image3.png

8. When the update completes select Next.

Image4.png

9. In the following window ensure "Targets" are ticked. Then select "Scan"

Image5.png

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

MBAntiRKcleanA.png

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.
12. If no threats were found you will see the following image, Select Exit:

Image6.png

13. Verify that your system is now running normally, making sure that the following items are functional:


  • Internet access
  • Windows Update
  • Windows Firewall

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within the Malwarebytes Anti-Rootkit folder.

15. Select "Y" from your Keyboard, tap Enter.

16. The fix will be applied, select any key to Exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

  • System - log
  • Mbar - log (date and time of scan will also be shown)
 

Next,

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs....
 

Let me see those logs in your reply....

 

Thank you,

 

Kevin


Thanks for your help in advance.   I neglected to mention that about 6 weeks ago I foolishly downloaded "spyhunter".  I was also using Cyberlink Power2Go to make a backup of my Vista Windows mail (have about 5,000 old emails).  That SEEMS to be about the time I started getting these problems. 

Below are the MBAR and FRST logs you requested.

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.09.3.1001

© Malwarebytes Corporation 2011-2012

OS version: 6.0.6002 Windows Vista Service Pack 2 x86

Account is Administrative

Internet Explorer version: 9.0.8112.16421

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
CPU speed: 2.210000 GHz
Memory total: 3084468224, free: 2031968256

Downloaded database version: v2016.01.03.03
Downloaded database version: v2015.12.26.01
Downloaded database version: v2015.12.15.02
=======================================
Initializing...
Driver version: 0.3.0.4
------------ Kernel report ------------
     01/03/2016 08:00:45
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\acpi.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\pciide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\nvstor.sys
\SystemRoot\system32\drivers\storport.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\msrpc.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\ecache.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\drivers\crcdisk.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\processr.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\ohci1394.sys
\SystemRoot\system32\DRIVERS\1394BUS.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\system32\DRIVERS\nvmfdx32.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\nvlddmkm.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\msiscsi.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\smb.sys
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_nvstor.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\spsys.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\drivers\mrxdav.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\WUDFPf.sys
\SystemRoot\system32\drivers\tdtcp.sys
\SystemRoot\System32\DRIVERS\tssecsrv.sys
\SystemRoot\System32\Drivers\RDPWD.SYS
\SystemRoot\system32\DRIVERS\cdfs.sys
\SystemRoot\System32\ATMFD.DLL
\??\C:\Users\OWNERP~1\AppData\Local\Temp\aswMBR.sys
\??\C:\Users\OWNERP~1\AppData\Local\Temp\aswVmm.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
----------- End -----------
Done!

Scan started
Database versions:
  main:    v2016.01.03.03
  rootkit: v2015.12.26.01

<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8592c670, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8592c298, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8592c670, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff84b285f8, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff84adb780, DeviceName: \Device\0000004c\, DriverName: \Driver\nvstor\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
Done!
Drive 0
This is a System drive
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 150E53E5

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 951337107
    Partition is bootable
    Partition file system is NTFS

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 951337170  Numsec = 25430895
    Partition is bootable
    Partition file system is NTFS

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
    Partition is not bootable

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xffffffff8750d030, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8751a378, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8750d030, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff87519430, DeviceName: \Device\00000060\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 2, DevicePointer: 0xffffffff87524ac8, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff87518b18, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff87524ac8, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff875175d8, DeviceName: \Device\00000061\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 3, DevicePointer: 0xffffffff8750eac8, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff87514020, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8750eac8, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff8751a750, DeviceName: \Device\00000062\, DriverName: \Driver\USBSTOR\
------------ End ----------
Physical Sector Size: 0
Drive: 4, DevicePointer: 0xffffffff8636c030, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8750e7b8, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff8636c030, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\disk\
DevicePointer: 0xffffffff875134f0, DeviceName: \Device\00000063\, DriverName: \Driver\USBSTOR\
------------ End ----------
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-63-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-951337170-i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
Removal finished
 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org

Database version:
  main:    v2016.01.03.03
  rootkit: v2015.12.26.01

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
OwnerPrivate :: OWNERPRIVATE-PC [administrator]

1/3/2016 8:00:56 AM
mbar-log-2016-01-03 (08-00-56).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 287763
Time elapsed: 16 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 


LastRegBack: 2016-01-03 07:34

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:31-12-2015
Ran by OwnerPrivate (2016-01-03 08:30:01)
Running from C:\Users\OwnerPrivate\Desktop
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) (2016-01-01 13:14:56)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2294915419-925363701-3883088226-500 - Administrator - Disabled)
Guest (S-1-5-21-2294915419-925363701-3883088226-501 - Limited - Disabled)
OwnerPrivate (S-1-5-21-2294915419-925363701-3883088226-1000 - Administrator - Enabled) => C:\Users\OwnerPrivate

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 20 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 20.0.0.267 - Adobe Systems Incorporated)
Mozilla Firefox 43.0.3 (x86 en-US) (HKLM\...\Mozilla Firefox 43.0.3 (x86 en-US)) (Version: 43.0.3 - Mozilla)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {06ED9A16-F236-4101-B2AF-4859255E99D6} - System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\VistaSP1CEIP => C:\Windows\servicing\vsp1ceip.exe [2008-01-18] (Microsoft Corporation)
Task: {1CC81347-6204-4B83-900C-01E02F50F067} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {F55F85D3-8FDE-479E-82E0-A9BB339AA8E2} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============


==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 05:23 - 2016-01-02 15:53 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1       localhost

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2294915419-925363701-3883088226-1000\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\img24.jpg
DNS Servers: 75.75.76.76 - 75.75.75.75
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: NvMediaCenter => RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
MSCONFIG\startupreg: Windows Defender => %ProgramFiles%\Windows Defender\MSASCui.exe -hide

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [sLSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [sLSVC-In-TCP] => (Allow) %SystemRoot%\system32\slsvc.exe
FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WMPNSS-WMP-Out-TCP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMPNSS-WMP-Out-UDP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMPNSS-WMP-In-UDP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMPNSS-WMP-Out-TCP-NoScope-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMPNSS-WMP-Out-UDP-NoScope-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMPNSS-WMP-In-UDP-NoScope-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMP-Out-TCP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMP-Out-UDP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe
FirewallRules: [WMP-In-UDP-x86] => (Allow) %ProgramFiles(x86)%\Windows Media Player\wmplayer.exe

==================== Restore Points =========================

01-01-2016 17:33:22 New Install
02-01-2016 06:00:59 Windows Update
02-01-2016 07:06:34 Windows Update
02-01-2016 07:14:47 Windows Vista Service Pack 1
02-01-2016 08:22:25 Windows Update
02-01-2016 09:00:10 Windows Update
02-01-2016 09:11:02 Windows Update
02-01-2016 09:16:54 Windows Vista™ Service Pack 2
02-01-2016 09:53:36 Windows Update
03-01-2016 07:20:55 Windows Modules Installer

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/02/2016 04:44:24 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application ny5qt7vh.exe, version 2.1.19357.0, time stamp 0x52e7ea83, faulting module ny5qt7vh.exe, version 2.1.19357.0, time stamp 0x52e7ea83, exception code 0xc0000409, fault offset 0x000728d6,
process id 0x700, application start time 0xny5qt7vh.exe0.

Error: (01/02/2016 09:52:57 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail (2160) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (01/02/2016 07:55:17 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail (3064) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (01/02/2016 07:47:04 AM) (Source: WerSvc) (EventID: 5007) (User: )
Description: The target file for the Windows Feedback Platform (a DLL file containing the list of problems on this computer that require additional data collection for diagnosis) could not be parsed. The error code was 8014FFF9.

Error: (01/02/2016 06:13:39 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail (2196) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (01/02/2016 06:06:38 AM) (Source: usbperf) (EventID: 2004) (User: )
Description: Usbperf data collection failed. Collect function called with usupported Query Type.

Error: (01/02/2016 06:04:33 AM) (Source: usbperf) (EventID: 2004) (User: )
Description: Usbperf data collection failed. Collect function called with usupported Query Type.

Error: (01/02/2016 06:04:32 AM) (Source: Perflib) (EventID: 1017) (User: )
Description: PolicyAgent

Error: (01/02/2016 06:04:32 AM) (Source: Perflib) (EventID: 1005) (User: )
Description: OpenIPSecPerformanceDataC:\Windows\System32\ipsecsvc.dllPolicyAgent4

Error: (01/02/2016 06:04:32 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4


System errors:
=============
Error: (01/03/2016 08:09:48 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Print Spooler3

Error: (01/03/2016 08:06:57 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Print Spooler2600001Restart the service

Error: (01/03/2016 07:33:29 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Print Spooler1600001Restart the service

Error: (01/03/2016 07:30:42 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Parallel port driver%%1058

Error: (01/03/2016 05:20:31 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Print Spooler3

Error: (01/03/2016 04:48:39 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Print Spooler2600001Restart the service

Error: (01/03/2016 04:35:04 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Print Spooler1600001Restart the service

Error: (01/03/2016 04:34:03 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Parallel port driver%%1058

Error: (01/02/2016 05:19:04 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Print Spooler2600001Restart the service

Error: (01/02/2016 04:22:56 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Print Spooler1600001Restart the service


CodeIntegrity:
===================================
  Date: 2016-01-03 08:29:58.038
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-01-03 08:29:57.882
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-01-03 08:29:57.772
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-01-03 08:29:57.585
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-01-03 08:04:15.421
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-01-03 08:04:15.327
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-01-03 08:04:15.233
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-01-03 08:04:15.140
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-01-03 08:04:15.031
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-01-03 08:04:14.921
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: AMD Phenom 9550 Quad-Core Processor
Percentage of memory in use: 39%
Total physical RAM: 2941.58 MB
Available physical RAM: 1790.19 MB
Total Virtual: 6101.73 MB
Available Virtual: 5004.01 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:453.63 GB) (Free:423.02 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (FACTORY_IMAGE) (Fixed) (Total:12.13 GB) (Free:1.62 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 465.8 GB) (Disk ID: 150E53E5)
Partition 1: (Active) - (Size=453.6 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=12.1 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

 

 

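The "Inspecting partition table" section of the MBAR log above reads the first sector of disk 0 and reports the 55AA boot signature, the NT disk signature and the four 16-byte partition entries, and the FRST Addition.txt repeats the same disk ID and two NTFS partitions. As an added example (editor's code, not Malwarebytes' or FRST's), the following Python parser decodes a 512-byte MBR the same way and runs the consistency checks a responder wants before trusting that table: valid boot signature, exactly one active partition, no partition extending past the end of the disk, and no overlapping partitions. The sector it parses is constructed inside the block to match the values in the log (disk signature 150E53E5, partition 0 at LBA 63 with 951337107 sectors, partition 1 at LBA 951337170 with 25430895 sectors, 500107862016-byte disk); the "tampered" variant is likewise constructed. It does not touch physical disks; to examine a saved copy of a first sector you would read its first 512 bytes and pass them to check_partition_table.

```python
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
DISK_SIGNATURE_OFFSET = 0x1B8   # 4-byte NT disk signature, little-endian
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries
BOOT_SIGNATURE_OFFSET = 0x1FE   # bytes 0x55 0xAA
ENTRY_FORMAT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class PartitionEntry:
    index: int
    active: bool      # status byte was 0x80
    type_id: int      # 0x07 = NTFS, 0x00 = empty slot
    start_lba: int
    num_sectors: int

    @property
    def empty(self) -> bool:
        return self.type_id == 0x00

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.num_sectors  # exclusive


@dataclass
class Mbr:
    boot_signature: str   # hex bytes as stored on disk, "55AA" when valid
    disk_signature: str   # e.g. "150E53E5"
    partitions: List[PartitionEntry]


def parse_mbr(sector: bytes) -> Mbr:
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    boot_sig = sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2].hex().upper()
    disk_sig = struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0]
    parts = []
    for i in range(4):
        status, _, type_id, _, start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        parts.append(PartitionEntry(i, status == 0x80, type_id, start, count))
    return Mbr(boot_sig, "%08X" % disk_sig, parts)


def check_partition_table(sector: bytes, disk_size_bytes: int) -> List[str]:
    """Return findings; an empty list means the table is internally consistent."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr.boot_signature != "55AA":
        findings.append("boot signature is %s, expected 55AA" % mbr.boot_signature)
    active = [p for p in mbr.partitions if p.active]
    if len(active) != 1:
        findings.append("%d active partitions, expected exactly 1" % len(active))
    total_sectors = disk_size_bytes // SECTOR_SIZE
    used = [p for p in mbr.partitions if not p.empty]
    for p in used:
        if p.start_lba == 0 or p.num_sectors == 0:
            findings.append("partition %d has a zero start or length" % p.index)
        elif p.end_lba > total_sectors:
            findings.append("partition %d ends at LBA %d, beyond disk end at %d"
                            % (p.index, p.end_lba, total_sectors))
    for a in used:
        for b in used:
            if a.index < b.index and a.start_lba < b.end_lba and b.start_lba < a.end_lba:
                findings.append("partitions %d and %d overlap" % (a.index, b.index))
    return findings


def build_mbr(disk_signature: int, entries) -> bytes:
    """Construct a test sector (zeroed boot code) from (status, type, start, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, disk_signature)
    for i, (status, type_id, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * i,
                         status, b"\xff\xff\xff", type_id, b"\xff\xff\xff", start, count)
    sector[BOOT_SIGNATURE_OFFSET:BOOT_SIGNATURE_OFFSET + 2] = b"\x55\xaa"
    return bytes(sector)


# Constructed sector reproducing the values in the MBAR log above (not a real disk dump).
DISK_SIZE_BYTES = 500107862016
LOG_ENTRIES = [
    (0x80, 0x07, 63, 951337107),         # active NTFS system partition
    (0x00, 0x07, 951337170, 25430895),   # NTFS recovery partition, not active
    (0x00, 0x00, 0, 0),
    (0x00, 0x00, 0, 0),
]
LOG_MBR = build_mbr(0x150E53E5, LOG_ENTRIES)
# Same table with the second entry stretched past the end of the disk (constructed).
TAMPERED_MBR = build_mbr(0x150E53E5, [LOG_ENTRIES[0], (0x00, 0x07, 951337170, 30000000)]
                         + LOG_ENTRIES[2:])
```

For LOG_MBR the parsed signature, disk ID and partition bounds match the log line for line, and check_partition_table returns no findings, which is consistent with the log's "Physical Sectors Detected: 0"; partition 0 ends exactly where partition 1 begins (63 + 951337107 = 951337170) and partition 1 ends at sector 976768065, inside the 976773168-sector disk. TAMPERED_MBR produces a single finding because its second partition would end at sector 981337170.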

Thanks for those logs, continue please:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,
 
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Next,

Download and Save McAfee Stinger to your Desktop from here:

http://downloadcenter.mcafee.com/products/mcafee-avert/Stinger/stinger32.exe

Read the Terms and Conditions, the download tab is at the bottom of the page.

Close all browsers before starting. Disable your antivirus program and anti-malware, if any.

To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs read here:

http://www.bleepingcomputer.com/forums/topic114351.html

On Windows 7, 8, 10 & Vista systems, Right Click on Stinger and select Run as Administrator.

On XP, double-click to start it.

Click on “I Accept” tab at McAfee end user licence agreement.

In the new Window select “Advanced” then “Settings”

The settings window will open, make sure the settings are exactly as shown in the following image, then select “Save” <<------Very Important

In the new window Click the “Customize my Scan” under the “Scan” button.

In the new Window select C:\ drive and any other listed Hard Drive, then select “Scan”

When the scan completes select the “View log” to do that, select “Notepad” if offered in list of choices.

If the log opens in your browser, copy and save to a file....

I will need a copy of that log.

Let me see those logs, also give an update on any remaining issues or concerns....

Thank you,

Kevin

Fixlist.txt

Hi Kevinf80,

Below are the logs. One big caveat: I cannot run Stinger! I have 6GB RAM but Stinger is putting my CPU into overdrive (80%) and physical memory at 70-75%. My PC shut down twice. I am not able to get the rest of Windows Updates to download (worked okay with your other fixes but no longer after I restarted my PC). The "svchost" shows a good 500,000+ in physical memory after rebooting.
ALSO, there seems to be something awry with System Restore as I can't get it to run.

I did a "clean" reinstall of Vista HP 32-bit. Could I also have unnecessary services running? Thanks again for your help.
MOD note: I did notify BleepingComputer that y'all are helping me.

Fix result of Farbar Recovery Scan Tool (x86) Version:31-12-2015
Ran by OwnerPrivate (2016-01-05 08:10:07) Run:1
Running from C:\Users\OwnerPrivate\Desktop
Loaded Profiles: OwnerPrivate (Available Profiles: OwnerPrivate & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2294915419-925363701-3883088226-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
U3 uftiikog; \??\C:\Users\OWNERP~1\AppData\Local\Temp\uftiikog.sys [X]
File: C:\ComboFix.txt
Folder: C:\Qoobox
EmptyTemp:
end
*****************

Processes closed successfully.
Error: (0) Failed to create a restore point.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-2294915419-925363701-3883088226-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
blbdrive => service removed successfully.
catchme => Service stopped successfully.
catchme => service removed successfully.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
uftiikog => service not found.

========================= File: C:\ComboFix.txt ========================

File not signed
MD5: 1314C8CFA587D76BFDE6EC24ACF92CB8
Creation and modification date: 2016-01-05 - 2016-01-05
Size: 0014700
Attributes: ----A
Company Name:
Internal Name:
Original Name:
Product:
Description:
File Version:
Product Version:
Copyright:

====== End of File: ======


========================= Folder: C:\Qoobox ========================

not found.

====== End of Folder: ======

EmptyTemp: => 33 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 08:11:33 ====


# AdwCleaner v5.028 - Logfile created 05/01/2016 at 08:35:32
# Updated 04/01/2016 by Xplode
# Database : 2016-01-04.2 [server]
# Operating system : Windows Vista Home Premium Service Pack 2 (x86)
# Username : OwnerPrivate - OWNERPRIVATE-PC
# Running from : C:\Users\OwnerPrivate\Desktop\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[s2].txt - [612 bytes] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows Vista Home Premium x86
Ran by OwnerPrivate (Administrator) on Tue 01/05/2016 at  7:44:37.87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 1

Successfully deleted: C:\Users\OwnerPrivate\Desktop\help.lnk (Shortcut)



Registry: 1

Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 01/05/2016 at  7:45:40.53
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
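The fixlist in the post above removes four driver registrations, one of which (uftiikog.sys) pointed into the user's Temp folder under a random-looking name. The following is an added triage helper, not part of this thread, of FRST or of any Malwarebytes tool: it parses FRST-style service lines and ranks them, treating a driver registered from a user-writable directory as the finding to look at first. The directory list and the severity labels are my own assumptions.

```python
import re
from dataclasses import dataclass

# Sample input: the four driver entries from the fixlist in the post above.
SAMPLE_FIXLIST = """\
S4 blbdrive; \\SystemRoot\\system32\\drivers\\blbdrive.sys [X]
S3 catchme; \\??\\C:\\ComboFix\\catchme.sys [X]
S3 IpInIp; system32\\DRIVERS\\ipinip.sys [X]
U3 uftiikog; \\??\\C:\\Users\\OWNERP~1\\AppData\\Local\\Temp\\uftiikog.sys [X]
"""

# One FRST service line: <state letter><start digit> <name>; <image path> [X]?
# The digit mirrors the Windows start type (0 boot ... 3 manual, 4 disabled)
# and a trailing "[X]" means FRST could not find the file on disk.
_ENTRY = re.compile(r"^(?P<state>[A-Z])(?P<start>\d)\s+(?P<name>[^;]+);\s+"
                    r"(?P<path>.*?)(?P<missing>\s+\[X\])?\s*$")

# Directories an installed kernel driver should never be loaded from
# (assumed heuristic list, compared case-insensitively).
_USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")

@dataclass
class ServiceEntry:
    state: str
    start_type: int
    name: str
    path: str
    missing: bool

def parse_entry(line: str):
    """Parse one FRST service/driver line; return None if it is not one."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    return ServiceEntry(m["state"], int(m["start"]), m["name"],
                        m["path"], m["missing"] is not None)

def triage(entry: ServiceEntry) -> str:
    """'high': driver under a user-writable dir; 'orphaned': file gone; else 'info'."""
    if any(marker in entry.path.lower() for marker in _USER_WRITABLE):
        return "high"
    return "orphaned" if entry.missing else "info"

def triage_fixlist(text: str) -> dict:
    """Map service name -> severity for every parseable line in a fixlist."""
    result = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            result[entry.name] = triage(entry)
    return result
```

Feed it the service section of an FRST.txt rather than a fixlist and it ranks every registered driver the same way; an entry rated "high" is the one to submit to your helper before anything is removed.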

As Stinger has not run successfully, run the following:

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.

Click there Run ESET Online Scanner.

If using Internet Explorer:

  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:

  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.

To perform the scan:


  • Make sure that Remove found threats is Checked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under “Enable Stealth Technology” select “Change” and select any extra drives in that window.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.


Please include this logfile in your next reply.

Don't forget to re-enable protection software!

Next,

Download Services Repair tool, available here -

http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe

Save it to your Desktop. Right click on it and select Run As Administrator, follow the prompts. It should reboot when it finishes. If not reboot it yourself.

Post the log from ESET, also see if System Restore is working..... Let me know if there are any remaining issues or concerns..

Thank you,

Kevin

ESET online scanner came up with nothing (log below). I had to use Firefox as IE9 would not install the add-on. System Restore still will not create a restore point (some odd 0x......FFF error code). Every time I reboot, the svchost service goes into overdrive.

On top of everything else, do you think I botched the clean installation somehow? Also, do you know if the "Windows All-in-One" repair download on Bleeping Computer is safe? As far as having to do another clean installation, I have NO idea how to get full Administrator access when I did the installation. I know there is a "hidden" admin account. My so-called Admin account is lacking access.

THANKS in advance.
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=cdab4c7a0ca1aa468930502a04f05b58
# end=init
# utc_time=2016-01-05 05:24:48
# local_time=2016-01-05 12:24:48 (-0500, Eastern Standard Time)
# country="United States"
# osver=6.0.6002 NT Service Pack 2
Update Init
Update Download
Update Finalize
Updated modules version: 27504
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=cdab4c7a0ca1aa468930502a04f05b58
# end=updated
# utc_time=2016-01-05 05:27:24
# local_time=2016-01-05 12:27:24 (-0500, Eastern Standard Time)
# country="United States"
# osver=6.0.6002 NT Service Pack 2
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7777
# api_version=3.1.1
# EOSSerial=cdab4c7a0ca1aa468930502a04f05b58
# engine=27504
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2016-01-05 05:45:32
# local_time=2016-01-05 12:45:32 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode_1=''
# compatibility_mode=5892 16776574 100 100 0 288623460 0 0
# scanned=86654
# found=0
# cleaned=0
# scan_time=1087

After running the Services Repair and rebooting:

a) STILL no joy with windows updates.  System Restore seems to be working.

b) Can't run much of anything: that "svchost" service (one of many) is again back in overdrive. Below is a screenshot from Task Manager.

Thanks again.

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
