PC hangs after a while, different each time



intentional_22
2012-11-13, 07:19
Please help, not sure if this is an issue with a Windows update, malware, trojan, etc, but my PC has been sluggish to start up and seems ok for a while, but ultimately always ends up hanging and the 'working' light on my box blinks in a very slow intermittent pattern. Posting logs and attachments as per the instructions...any direction or help would be a lifesaver...thanks!

DDS Output:

DDS (Ver_2012-11-07.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16448 BrowserJavaVersion: 10.9.2
Run by Adam at 23:17:12 on 2012-11-12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6077.4325 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\INITIO\Button Manager v1.874\inihid.exe
C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Adam\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mWindow Title = The Schmidys PC...please browse and click with caution
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [Google Update] "C:\Users\Adam\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
StartupFolder: C:\Users\Adam\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files\Dell\DellDock\DellDock.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\BUTTON~1.LNK - C:\Program Files (x86)\INITIO\Button Manager v1.874\inihid.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\TOTALM~1.LNK - C:\Program Files (x86)\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{E143E776-6B65-4C4B-AB69-FB0179122E24} : DHCPNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
x64-BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll
x64-Run: [Windows Defender] C:\Program Files (x86)\Windows Defender\MSASCui.exe -hide
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: NoActiveDesktopChanges = dword:1
x64-mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
x64-mPolicies-System: EnableLUA = dword:0
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
.
INFO: x64-HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-4-20 203776]
R2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2010-1-11 155648]
R2 FontCache;Windows Font Cache Service;C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-5-21 1153368]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\System32\drivers\HCW85BDA.sys [2009-7-14 1708800]
R3 VST64_DPV;VST64_DPV;C:\Windows\System32\drivers\VSTDPV6.SYS [2008-1-20 1523712]
R3 VST64HWBS2;VST64HWBS2;C:\Windows\System32\drivers\VSTBS26.SYS [2008-1-20 392704]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2012-5-24 89920]
.
=============== File Associations ===============
.
FileExt: .js: JSFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
FileExt: .jse: JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-10-19 19:30:19 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-19 19:30:19 696760 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-10-16 12:45:41 65309168 ----a-w- C:\Windows\System32\mrt.exe
2012-09-25 03:16:33 95208 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2012-09-25 03:08:27 174056 ----a-w- C:\Windows\SysWow64\javaw.exe
2012-09-25 03:07:57 174056 ----a-w- C:\Windows\SysWow64\java.exe
2012-08-31 02:03:48 228768 ----a-w- C:\Windows\System32\drivers\MpFilter.sys
2012-08-31 02:03:48 128456 ----a-w- C:\Windows\System32\drivers\NisDrvWFP.sys
2012-08-31 00:32:06 821736 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-08-31 00:32:06 746984 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-08-21 17:01:20 33240 ----a-w- C:\Windows\System32\drivers\GEARAspiWDM.sys
2012-08-21 17:01:20 125872 ----a-w- C:\Windows\System32\GEARAspi64.dll
2012-08-21 17:01:20 106928 ----a-w- C:\Windows\SysWow64\GEARAspi.dll
.
============= FINISH: 23:17:42.84 ===============


aswMBR Output:


aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-11-12 23:37:36
-----------------------------
23:37:36.971 OS Version: Windows x64 6.0.6002 Service Pack 2
23:37:36.971 Number of processors: 4 586 0x170A
23:37:36.971 ComputerName: SCHMIDTMONSTER UserName: Adam
23:37:39.280 Initialize success
23:38:34.727 AVAST engine defs: 12111201
23:38:56.317 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:38:56.319 Disk 0 Vendor: ST375063 DE13 Size: 715404MB BusType: 3
23:38:56.342 Disk 0 MBR read successfully
23:38:56.344 Disk 0 MBR scan
23:38:56.347 Disk 0 Windows VISTA default MBR code
23:38:56.351 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
23:38:56.396 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
23:38:56.448 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 699980 MB offset 31586304
23:38:56.479 Disk 0 scanning C:\Windows\system32\drivers
23:39:07.855 Service scanning
23:39:28.728 Modules scanning
23:39:28.728 Disk 0 trace - called modules:
23:39:28.743 ntoskrnl.exe CLASSPNP.SYS disk.sys iastorv.sys hal.dll
23:39:29.242 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800792f790]
23:39:29.242 3 CLASSPNP.SYS[fffffa60011d0c33] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80063ad050]
23:39:32.082 AVAST engine scan C:\Windows
23:39:41.847 AVAST engine scan C:\Windows\system32
23:43:41.219 AVAST engine scan C:\Windows\system32\drivers
23:44:27.878 AVAST engine scan C:\Users\Adam
00:04:09.873 Disk 0 MBR has been saved successfully to "C:\Users\Adam\Desktop\MBR.dat"
00:04:09.873 The log file has been saved successfully to "C:\Users\Adam\Desktop\aswMBR.txt"

Jack&Jill
2012-12-01, 10:06
Hello and welcome to Safer Networking.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.

intentional_22
2012-12-05, 01:33
Hope I'm not too late. I am subscribed and ready to work to a solution. I will do whatever necessary to help you help me.

Thank you!

Jack&Jill
2012-12-05, 17:46
Hello intentional_22 :),

Welcome to Safer Networking. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.

Please observe and follow these Forum Rules (http://forums.spybot.info/showthread.php?t=288).
Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
Please read the instructions carefully and follow them closely, in the order they are presented to you.
If you have any doubts or problems during the fix, please stop and ask.
All the tools that I will ask you to download and use are safe. Please allow if prompted by any of your security software.
Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
If you do not reply within 3 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------

Scan with RogueKiller

Please download RogueKiller© by Tigzy and save it to your desktop. Click here. (http://tigzy.geekstogo.com/roguekiller.php)
Click on the blue button with arrow pointing downwards to the right of Mirror:.
Allow the download if prompted by your security software and please close all your programs.
Double click on RogueKiller.exe to run it. If it does not run, please try a few times.
Wait for PreScan to finish, then click on Scan. Accept the EULA if prompted.
Once completed, a log called RKreport[1].txt will be created on the desktop. It can also be accessed via the Report button.
Please copy and paste the contents of that log in your next reply.

--------------------

Please download Farbar Service Scanner© by farbar and save it to your desktop. Click here. (download.bleepingcomputer.com/farbar/FSS.exe)

Double click on FSS.exe to run it.
Check (tick) all options:
Internet Services
Windows Firewall
System Restore
Security Center
Windows Update

Click on the Scan button. A log will open.
Please post the contents of this log. It can also be found on the desktop as FSS.txt.

--------------------

Please post back:
1. RogueKiller log
2. FSS log

intentional_22
2012-12-06, 05:03
RogueKiller V8.3.1 [Dec 5 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version
Started in : Safe mode with network support
User : Adam [Admin rights]
Mode : Scan -- Date : 12/05/2012 21:59:46

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\Users\Default\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost
Spybot hosts file contents
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3750630AS +++++
--- User ---
[MBR] 24f05a929b3b5470aea8a35acda98931
[BSP] 0bbd13b5d76695bb505e813c44c7894b : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 62 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 129024 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31586304 | Size: 699980 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: TEAC USB HS-CF Card USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive2: TEAC USB HS-xD/SM USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive3: TEAC USB HS-MS Card USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive4: TEAC USB HS-SD Card USB Device +++++
Error reading User MBR!
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_12052012_02d2159.txt >>
RKreport[1]_S_12052012_02d2159.txt




Farbar Service Scanner Version: 04-12-2012
Ran by Adam (administrator) on 05-12-2012 at 22:02:26
Running from "C:\Users\Adam\Downloads"
Windows Vista (TM) Home Premium Service Pack 2 (X64)
Boot Mode: Network
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.

VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem service is OK.
The ServiceDll of EventSystem service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2012-05-24 12:21] - [2009-04-11 02:11] - 0268288 ____A (Microsoft Corporation) 3ED0321127CE70ACDAABBF77E157C2A7

C:\Windows\System32\drivers\afd.sys
[2012-05-27 21:25] - [2012-01-03 09:25] - 0404992 ____A (Microsoft Corporation) C4F6CE6087760AD70960C9EB130E7943

C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2012-05-27 21:27] - [2012-03-30 07:45] - 1423744 ____A (Microsoft Corporation) 46D448E9117464E4D3BBF36D7E3FA48E

C:\Windows\System32\dnsrslvr.dll
[2012-05-22 20:09] - [2011-03-02 11:12] - 0117760 ____A (Microsoft Corporation) 06230F1B721494A6DF8D47FD395BB1B0

C:\Windows\System32\mpssvc.dll
[2012-05-24 12:21] - [2009-04-11 02:11] - 0603136 ____A (Microsoft Corporation) 897E3BAF68BA406A61682AE39C83900C

C:\Windows\System32\bfe.dll
[2012-05-24 12:20] - [2009-04-11 02:11] - 0458240 ____A (Microsoft Corporation) FFB96C2589FFA60473EAD78B39FBDE29

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe
[2012-05-24 12:21] - [2009-04-11 02:11] - 1433600 ____A (Microsoft Corporation) B75232DAD33BFD95BF6F0A3E6BFF51E1

C:\Windows\System32\wscsvc.dll
[2012-05-24 12:20] - [2009-04-11 02:11] - 0074752 ____A (Microsoft Corporation) 9EA3E6D0EF7A5C2B9181961052A4B01A

C:\Windows\System32\wbem\WMIsvc.dll
[2012-05-24 12:21] - [2009-04-11 02:11] - 0221696 ____A (Microsoft Corporation) D2E7296ED1BD26D8DB2799770C077A02

C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll
[2012-05-24 12:21] - [2009-04-11 02:11] - 1081856 ____A (Microsoft Corporation) 6D316F4859634071CC25C4FD4589AD2C

C:\Windows\System32\es.dll
[2012-05-24 12:21] - [2009-04-11 02:11] - 0361984 ____A (Microsoft Corporation) E12F22B73F153DECE721CD45EC05B4AF

C:\Windows\System32\cryptsvc.dll
[2012-06-13 23:20] - [2012-04-23 11:25] - 0174592 ____A (Microsoft Corporation) 62740B9D2A137E8CED41A9E4239A7A31

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2012-05-24 12:21] - [2009-04-11 02:11] - 0719872 ____A (Microsoft Corporation) CF8B9A3A5E7DC57724A89D0C3E8CF9EF



**** End of log ****

Jack&Jill
2012-12-06, 07:24
Hello intentional_22 :),

We need to disable Spybot S&D's Teatimer real-time protection temporarily as it will interfere with the fix.

First step:

Right click the Spybot icon that looks like a blue/white calendar with a padlock symbol in the System Tray (lower right corner where the clock is situated).
For version 1.6, the steps are similar to either one of the below.
If you have version 1.5, click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now unchecked (unticked). The Spybot icon should now be colorless.
If you have Version 1.4, click on Exit Spybot S&D Resident.
Second step, for either version:

Open Spybot S&D.
Click Mode, choose Advanced Mode.
Go to the bottom of the vertical panel on the left, click Tools.
Then, also in left panel, click on Resident that shows a red/white shield.
If your firewall raises a question, say OK.
In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active.
OK any prompts.
Exit Spybot S&D and reboot your machine for the changes to take effect.
Remember to enable it when we are done.

--------------------

Please download Malwarebytes' Anti-Malware (MBAM)© from Malwarebytes and save it to your desktop. Click here. (http://www.malwarebytes.org/mbam-download.php)

Run MBAM

Double click on mbam-setup.exe and follow the prompts to install the program.
At the end of installation, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
MBAM will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update mirror, select one of the websites and click on Check for Updates.
Upon completion of update and loading, select the Scanner tab. Click on Perform full scan, then click on Scan.
Leave the default options as they are and click on Start Scan.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
When done, you will be prompted. Click OK, then click on Show Results.
Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware. If you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once and does not need to be reported unless it returns on future reboots.

--------------------

Please download MiniToolBox© by farbar and save it to your desktop. Click here. (http://download.bleepingcomputer.com/farbar/MiniToolBox.exe)

Double click on MiniToolBox.exe to run it.
Please check (tick) the following options:
Flush DNS
Report IE Proxy Settings
Report FF Proxy Settings
List devices, and select Only Problems
List Users, Partitions and Memory size.
Click on the GO button. A log will open.
Please post the contents of this log. It can also be found on the desktop as Result.txt.

--------------------

Please post back:
1. MBAM report
2. MiniToolBox result

intentional_22
2012-12-06, 15:54
Ok, I accidentally ran a quick scan instead of a full scan...realizing this after the quick scan ran, I ran a full scan. I am posting both logs in the order of operations below.

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.06.03

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Adam :: SCHMIDTMONSTER [administrator]

12/6/2012 12:51:23 AM
mbam-log-2012-12-06 (00-51-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202908
Time elapsed: 3 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Adam\Downloads\SetupRG.exe (PUP.GamesVance) -> Quarantined and deleted successfully.

(end)


Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.06.03

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Adam :: SCHMIDTMONSTER [administrator]

12/6/2012 7:16:51 AM
mbam-log-2012-12-06 (07-16-51).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 378948
Time elapsed: 1 hour(s), 1 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



MiniToolBox by Farbar Version: 25-11-2012
Ran by Adam (administrator) on 06-12-2012 at 08:50:22
Running from "C:\Users\Adam\Downloads"
Windows Vista (TM) Home Premium Service Pack 2 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= Devices: ================================

Name: ATI TV Wonder 600 USB 2.0
Description: ATI TV Wonder 600 USB 2.0
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


========================= Memory info: ===================================

Percentage of memory in use: 34%
Total physical RAM: 6077.03 MB
Available physical RAM: 3963.55 MB
Total Pagefile: 12337.11 MB
Available Pagefile: 10180.43 MB
Total Virtual: 4095.88 MB
Available Virtual: 3996.7 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:683.57 GB) (Free:545.92 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:1.16 GB) NTFS
3 Drive e: (HELLO_KITTY_BECOMES_A_PRINCESS) (CDROM) (Total:3.1 GB) (Free:0 GB) UDF

========================= Users: ========================================

User accounts for \\SCHMIDTMONSTER

Adam Administrator Guest

Jack&Jill
2012-12-07, 01:46
Hello intentional_22 :),

Chkdsk in elevated command prompt

Go to Start, then type cmd in the search box.
You will see a cmd listed in the search result. Right click on it and select Run as administrator.
A command prompt window will appear. Please type chkdsk c: |find /v "percent" >> "%userprofile%\desktop\checkhd.txt", then press Enter.
Wait until the command finishes and a new command line appears.
Close the command prompt and post the contents of checkhd.txt, found on your desktop.

--------------------

Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problems running the scan, you might want to disable any real time protection that you have.

Click here (http://www.eset.com/onlinescan/) to go to ESET Online Scanner page.
Click on Run ESET Online Scanner. A new window will open.
For Firefox users, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
You will be prompted to install an ActiveX Control from ESET. Please install.
At the Computer scan settings section, uncheck (untick) Remove found threats. <-- Important, do not remove anything yet.
Then, check Scan archives.
Now, click on Advanced settings and make sure all these are checked:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology
Click on Scan to proceed.
When done, the scan result will be shown. Look for C:\Program Files\ESET\ESET Online Scanner\log.txt and open the file.
Post the contents in your reply.

If the contents of log.txt do not reflect what is shown in the result window, click on List of found threats, then Export to text file..., save a file and post that instead.

--------------------

Please post back:
1. chkdsk result
2. ESET log

Jack&Jill
2012-12-09, 19:22
Hello intentional_22 :),

I usually close the topic after 3 days without any reply, and it has already been 2 days since my last post. Do you still need help? Any problems following my instructions? Need more time?

If I do not get any response within the next 24 hours, this topic will be closed.

intentional_22
2012-12-10, 04:12
I have had problems getting the ESET Scan to complete as my PC locks up (per the original issue) as the ESET scan runs. I will paste the Chkdsk log that also seems like it was unable to complete (pasted below) and continue to try to get the ESET scan to complete. The length of time it takes before my PC crashes is now longer (a good thing) but when it sits physically idle (while running the scan) it ends up eventually locking up in 'think' mode.

If I can get the ESET Scan to complete I will post the results tonight. If I cannot I will post a message.

Again, sorry for the delay.


ChkDsk Log:

The type of the file system is NTFS.
Volume label is OS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
1091 large file records processed.

0 bad file records processed.

0 EA records processed.

44 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.

Errors found. CHKDSK cannot continue in read-only mode.

Jack&Jill
2012-12-10, 13:44
Hello intentional_22 :),

Please attempt fixing with Chkdsk first before trying ESET again. If you have already obtained the ESET scan results, please post them and continue the Chkdsk step anyway.

--------------------

Repair your hard disk with Chkdsk in elevated command prompt

Go to Start, then type cmd in the search box.
You will see a cmd listed in the search result. Right click on it and select Run as administrator.
A command prompt window will appear. Please type chkdsk c: /f, then press Enter.
You will be prompted to schedule the scan on the next reboot, type Y and press Enter.
Close the command prompt, reboot your computer and Chkdsk will perform the repair tasks accordingly.

You may need to perform Chkdsk more than one time to solve all problems detected.

--------------------

Please perform a memtest and let me know the results.

Windows Memory Diagnostic Tool steps available here (http://www.geekstogo.com/forum/topic/177564-windows-memory-diagnostic-tool/) or here (http://forums.whatthetech.com/index.php?showtopic=103823).

--------------------

Please post back:
1. how did the chkdsk fix go
2. ESET log
3. memory diagnostic result

intentional_22
2012-12-10, 15:36
Ok, so the ESET scan completed with the log below (nothing found). I will continue CHKDSK.

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6844
# api_version=3.0.2
# EOSSerial=4a19a05f3905304ca0bb8681a5ce15ff
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-12-07 04:22:50
# local_time=2012-12-06 11:22:50 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 100 3541963 191452876 0 0
# scanned=189372
# found=0
# cleaned=0
# scan_time=5927
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6844
# api_version=3.0.2
# EOSSerial=4a19a05f3905304ca0bb8681a5ce15ff
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-12-10 03:46:27
# local_time=2012-12-09 10:46:27 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776574 100 100 3798980 191709893 0 0
# scanned=189224
# found=0
# cleaned=0
# scan_time=5921

intentional_22
2012-12-10, 15:58
Ran CHKDSK several times and it apparently won't complete. See below.

The type of the file system is NTFS.
Volume label is OS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
1091 large file records processed.

0 bad file records processed.

0 EA records processed.

44 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.

Errors found. CHKDSK cannot continue in read-only mode.
Invalid parameter - lfind
The type of the file system is NTFS.
Volume label is OS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
1092 large file records processed.

0 bad file records processed.

0 EA records processed.

44 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.

Errors found. CHKDSK cannot continue in read-only mode.
The type of the file system is NTFS.
Volume label is OS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
1092 large file records processed.

0 bad file records processed.

0 EA records processed.

44 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.

Errors found. CHKDSK cannot continue in read-only mode.
The type of the file system is NTFS.
Volume label is OS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
1092 large file records processed.

0 bad file records processed.

0 EA records processed.

44 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.

Errors found. CHKDSK cannot continue in read-only mode.

Jack&Jill
2012-12-10, 17:54
Hello intentional_22 :),

You need to run Chkdsk as:
chkdsk c: /f

It appears the /f switch is missing.
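
As an added example (not part of the helper's instructions above), the following PowerShell script shows both halves of the Chkdsk procedure described in this thread: the read-only pass whose output is saved to a text file, and retrieving the report from the scheduled "chkdsk c: /f" repair, which runs before Windows starts and so never appears on the console. It assumes an elevated PowerShell 2.0 or later session on the Vista machine and that C: is the volume being checked; the file names are my own choice.

```powershell
# Added example, not part of the thread's instructions. Assumes an elevated
# PowerShell 2.0+ session on the Vista machine and that C: is the volume being checked.

# Destination files on the Desktop (same location the helper used for checkhd.txt).
$readOnlyLog = Join-Path $env:USERPROFILE 'Desktop\checkhd.txt'
$bootLog     = Join-Path $env:USERPROFILE 'Desktop\chkdsk_boot.txt'

# 1) Read-only pass. Without /f CHKDSK only reports; the "percent" progress lines are
#    dropped, as in the helper's cmd.exe command. If the output contains the line
#    "Errors found. CHKDSK cannot continue in read-only mode." a repair run is needed.
$output = chkdsk.exe C: 2>&1 | Where-Object { $_ -notmatch 'percent' }
$output | Out-File -FilePath $readOnlyLog -Encoding ascii
if ($output -match 'Errors found') {
    Write-Host 'Read-only pass reported errors; schedule a repair with: chkdsk C: /f'
}

# 2) The repair pass (chkdsk C: /f) runs before Windows starts, so its output never reaches
#    the console. Windows (Vista and later) writes the full report to the Application event
#    log as source "Wininit", Event ID 1001. This retrieves the most recent report so it
#    can be saved and posted.
$report = Get-EventLog -LogName Application -Source Wininit |
    Where-Object { $_.EventID -eq 1001 } |
    Sort-Object TimeGenerated -Descending |
    Select-Object -First 1

if ($report) {
    $report.Message | Out-File -FilePath $bootLog -Encoding ascii
    Write-Host "Boot-time CHKDSK report from $($report.TimeGenerated) saved to $bootLog"
} else {
    Write-Host 'No boot-time CHKDSK report found in the Application log yet.'
}
```

Run the script once before scheduling the repair to get checkhd.txt, then again after the reboot on which Chkdsk ran to pick up chkdsk_boot.txt; the event-log report is the complete text of what scrolled past during boot, including any index entries deleted or orphaned files recovered.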

intentional_22
2012-12-11, 04:48
Ok, so I have run the chkdsk with the f switch a couple of times, and it runs on a reboot. While it runs, I noticed it keeps mentioning 44 reparsed files (doesn't change after each subsequent reboot) and addresses a dll file but without a log I don't know what to post. Apologies for being dos command naive...but should I be inserting the /f switch into the original command you had directed me to use in order to get a .txt log file to post?

Also, the memory diagnostic tool links you provided sent me to pages where, once clicking on the link to the tool download...received 404 messages.

Assuming those links were old, and because I am on Vista, there is a Memory Diagnostic Tool in the Control Panel under Admin tools...or I can access by typing 'Memory' into the Start Menu Search box...I will wait on your direction before doing anything there...but I will continue to run chkdsk to hopefully fix any issues until I hear back and will stay up late to hopefully hear back from you and wrap this up. You have been more than patient and generous with your time and expertise!

intentional_22
2012-12-11, 06:10
Ok, so the message I kept receiving during stage 2 of 3 was that ChkDsk was deleting index entry slwga.dll in index $I30 in file 304555...then it says it recovered 1 lost file...orphaned file slwga.dll...then goes on to verify security descriptors and seems to complete ok. Anything after that message appears too quickly for me to capture before going to the windows login screen.

I will run Memory diagnostic tool upon your cue.

note: I have Windows updates waiting to install but have not done so, so as to not muddle your help. Pls advise if I should do otherwise.

Again, thank you for all of your help!

Jack&Jill
2012-12-11, 07:12
Hello intentional_22 :),

You are most welcome.

You can use the following for the memory test:

How to use the Vista Windows Memory Diagnostics Tool (http://www.bleepingcomputer.com/tutorials/using-vista-windows-memory-diagnostics-tool/).

Windows update will need to wait until we are done.

intentional_22
2012-12-13, 08:42
Ran the memory diagnostic test, it ran and completed (the standard or normal version of the test).

PC is now struggling to start up and seems bogged down again...

Jack&Jill
2012-12-13, 14:10
Hello intentional_22 :),

So far, we are not seeing much from the scans or logs. It is my opinion that very likely either Windows experienced some sort of corruption or there is some hardware issue. I suggest that you create backups of your data if you haven't yet, then get help from someone who can sit directly in front of the computer.

Help through online forums is somewhat limited in that aspect and I am not seeing any malware so far.

Jack&Jill
2012-12-18, 01:44
As we have reached a point where we cannot proceed further and you need to seek help from alternative sources, this topic is now closed.

We are glad to be of help up to this point. If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read:
Your donation helps in improving Spybot-S&D! (http://www.safer-networking.org/en/donate/index.html)