Windows Keeps Freezing


This topic is locked. 15 replies to this topic.

#1 GTT54 (Members, 72 posts)

Posted 21 January 2013 - 12:19 PM

I had this topic closed, http://www.bleepingcomputer.com/forums/topic474512.html/page__p__2889766__fromsearch__1#entry2889766. My computer still keeps freezing up sporadically. I am not sure if it is malware or a hardware issue. It is quite frustrating. I would like to resolve the issue. Your help is greatly appreciated. Thanks.


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.11.2
Run by Farfalla at 12:11:33 on 2013-01-21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.415 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\PLFSetL.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Farfalla\Local Settings\Application Data\Facebook\Messenger\2.1.4651.0\FacebookMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - <orphaned>
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [LaunchApp] Alaunch
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-00109-0002-0009-ABCDEFFEDCBC} - <orphaned>
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2703049B-D81D-4763-A3C6-AF8932FCBD8F} - hxxps://am.hrblock.com/ActivexComponent/CheckFileStatus.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1352981317671
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://connect2qa.prudential.com/dana-na/auth/url_45/dwa8W.cab
DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://connect2qa.prudential.com/dana-cached/sc/JuniperSetupClient.cab
DPF: {FD3FF62E-61A7-48EE-A4A4-97CE7BD1F99D} - hxxps://connect2qa.prudential.com/dana-na/auth/url_45/SodaAgent.CAB
TCP: NameServer = 167.206.254.1 167.206.254.2
TCP: Interfaces\{10AF4899-58EA-4DF6-8EE7-48C8AEE2A55C} : DHCPNameServer = 167.206.254.1 167.206.254.2
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks 2012\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\farfalla\application data\mozilla\firefox\profiles\czg9ts25.default\
FF - plugin: c:\documents and settings\farfalla\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\farfalla\local settings\application data\facebook\messenger\2.1.4651.0\npFbDesktopPlugin.dll
FF - plugin: c:\documents and settings\farfalla\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - ExtSQL: !HIDDEN! 2009-08-18 22:43; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 CLBStor;CyberLink InstantBurn UDF Reader Help Driver;c:\windows\system32\drivers\CLBStor.sys [2009-8-14 10368]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-6-30 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-2-17 361032]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-17 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-10 44808]
R2 CLBUDFR;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDFR.sys [2009-8-14 154368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2011-7-31 245760]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-2-14 96856]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
S4 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
S4 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-8-19 1248256]
.
=============== Created Last 30 ================
.
2013-01-17 13:43:47 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
==================== Find3M ====================
.
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 21:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-12-11 01:51:37 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-11 01:51:37 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-11-13 01:25:12 1866368 ------w- c:\windows\system32\win32k.sys
2012-11-11 17:42:05 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-11-11 17:42:05 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-11-06 02:01:39 1371648 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 02:02:42 375296 ------w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ----a-w- c:\windows\system32\html.iec
2012-10-30 23:51:58 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-10-30 23:51:07 41224 ----a-w- c:\windows\avastSS.scr
.
============= FINISH: 12:12:46.00 ===============
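As an added example (not part of the thread and not one of the tools used in it), a small Python triage of the DDS "Pseudo HJT Report" format above: it pulls out the CLSID-bearing entries, flags those whose target is `<orphaned>` or `<no file>` (the leftovers JRT removes later in the thread), and groups the DPF ActiveX downloads by the host they came from. The sample lines are copied from the report above; the assumed field layout is `KIND: [Name:] {CLSID} - target`, and the `hxxp` defanging is DDS's own convention.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample: a handful of lines copied from the DDS "Pseudo HJT Report" above,
# not the full log. DDS "defangs" URLs by writing hxxp/hxxps instead of http/https.
SAMPLE = r"""
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
EB: <No Name>: {555D4D79-4BD2-4094-A395-CFC534424A05} - LocalServer32 - <no file>
mRun: [avast] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://connect2qa.prudential.com/dana-na/auth/url_45/dwa8W.cab
"""

# Assumed layout of a CLSID-bearing report line: "KIND: [Name:] {CLSID} - target".
LINE_RE = re.compile(r"^(?P<kind>[A-Za-z]+): (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    kind: str             # BHO, TB, EB, DPF, uURLSearchHooks, ...
    name: Optional[str]   # display name, when DDS printed one
    clsid: str            # normalised to upper case
    target: str           # DLL path, download URL, <orphaned>, <no file>, ...


def refang(url: str) -> str:
    """Undo DDS defanging (hxxp -> http) so the URL can be parsed."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_hjt(text: str) -> List[Entry]:
    """Extract CLSID-bearing entries; 'uStart Page' and Run keys carry no CLSID and are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        cm = CLSID_RE.search(rest)
        if not cm:
            continue
        name = rest[:cm.start()].rstrip(" :") or None
        tail = rest[cm.end():].strip()
        target = tail[2:].strip() if tail.startswith("- ") else tail   # drop the " - " separator
        entries.append(Entry(kind, name, cm.group(0).upper(), target))
    return entries


def is_orphaned(e: Entry) -> bool:
    """Registry entry whose backing file is gone: a leftover to clean, not an active component."""
    t = e.target.lower()
    return t.endswith("<orphaned>") or t.endswith("<no file>")


def dpf_hosts(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group Downloaded Program Files (ActiveX) controls by the host they were fetched from."""
    hosts: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.kind == "DPF" and e.target.lower().startswith("hxxp"):
            hosts[urlsplit(refang(e.target)).hostname].append(e.clsid)
    return dict(hosts)


def triage(text: str) -> dict:
    """Summarise a report: orphaned (kind, CLSID) pairs and ActiveX download hosts."""
    entries = parse_hjt(text)
    return {
        "orphaned": [(e.kind, e.clsid) for e in entries if is_orphaned(e)],
        "dpf_hosts": dpf_hosts(entries),
    }


if __name__ == "__main__":
    result = triage(SAMPLE)
    for kind, clsid in result["orphaned"]:
        print(f"orphaned {kind}: {clsid}")
    for host, clsids in sorted(result["dpf_hosts"].items()):
        print(f"DPF from {host}: {len(clsids)} control(s)")
```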

#2 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 21 January 2013 - 05:20 PM

Hello GTT54, and welcome back to the forums! :thumbsup:

My name is bloopie and I'll be helping you with your problems as best I can! :thumbup2:

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • Please copy and paste all logs here unless otherwise instructed!
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.

==========

Step :step1:

Run RogueKiller

Download RogueKiller from here or here and save it to your desktop.

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Right-click RogueKiller.exe and select Run as Administrator.
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", click Delete.
  • When the Status box shows "Deleting Finished", click Report and then copy and paste the log in your next reply.
  • The log can also be found at RKreport[1].txt on your desktop.

==========

Step :step2:

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

==========

Step :step3:

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

==========

In your next reply, please include the following:

  • The RogueKiller log
  • The adwCleaner log
  • The Junkware Removal log
  • Please update me on the status of the computer's freezing issue!
bloopie

#3 GTT54 (Topic Starter, Members, 72 posts)

Posted 21 January 2013 - 08:22 PM

There was no original cd/dvd since there is no cd/dvd drive. This is a netbook. I can't comment on the freezing just yet because it is sporadic. I can be on the computer for a while when it happens. I could just start up the computer and it happens. Please let me know if the logs below had anything bad in them. Thanks.

I had to run the Rogue Killer in safe mode because the computer kept crashing in regular mode.

RogueKiller V8.4.3 [Jan 21 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode
User : Farfalla [Admin rights]
Mode : Remove -- Date : 01/21/2013 19:45:37

Bad processes : 0

Registry Entries : 5
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)
[HJ SMENU] HKLM\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

Driver : [NOT LOADED]

HOSTS File:
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


MBR Check:

+++++ PhysicalDrive0: WDC WD1600BEVT-22ZCT0 +++++
--- User ---
[MBR] 7cb3943294ecd87e39cd94dc8f24b530
[BSP] 0639599f9f10526a8845373803eb7b9b : Acer tatooed MBR Code
Partition table:
0 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 63 | Size: 4996 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 10233405 | Size: 147628 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_01212013_02d1945.txt >>
RKreport[1]_S_01212013_02d1945.txt ; RKreport[2]_D_01212013_02d1945.txt


# AdwCleaner v2.107 - Logfile created 01/21/2013 at 19:53:03
# Updated 21/01/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Farfalla - PICCOLO
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Farfalla\desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0 (en-US)

File : C:\Documents and Settings\Farfalla\Application Data\Mozilla\Firefox\Profiles\czg9ts25.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [3009 octets] - [07/11/2012 10:28:22]
AdwCleaner[S2].txt - [1036 octets] - [21/01/2013 19:53:03]

########## EOF - C:\AdwCleaner[S2].txt - [1096 octets] ##########


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.4.7 (01.21.2013:1)
OS: Microsoft Windows XP x86
Ran by Farfalla on Mon 01/21/2013 at 20:01:02.92
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_current_user\software\microsoft\internet explorer\urlsearchhooks\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}
Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\toolbar\\{ef99bd32-c1fb-11d2-892f-0090271d4f88}
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName
Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{02478d38-c3f9-4efb-9b51-7695eca05670}



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Documents and Settings\Farfalla\Application Data\mozilla\firefox\profiles\czg9ts25.default\minidumps [26 files]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 01/21/2013 at 20:12:47.04
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#4 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 21 January 2013 - 09:58 PM

Hi again,

Thanks for posting the logs. :)

Your logs aren't showing much of interest as of yet (in terms of malware), so I'd like to run the Check Disk utility to check for file system errors on your hard disk. How old is this machine?

==========

Use the Windows Error Checking utility (Check Disk), with the options to scan the disk surface for errors, and attempt recovery of data and repair the disk.
  • Open "My Computer"
  • Right-click on the drive that you wish to check > Properties > Tools > and in the "Error checking" section, click on "Check now".
  • Place a tick in both boxes > Start.
  • If the disk you have chosen is the system disk:
  • A message will notify you that a restart is necessary: Click OK, and close all windows.
  • Re-start the computer. The disk will be checked when the system boots.
    This test will take some time to run and at times may appear stalled but just let it run.
  • When the disk check is complete, the system will re-start automatically and load Windows.

A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open Event Viewer and view the log:
  • Go to Start > Run > and type eventvwr and press the <ENTER> key.
    The Event Viewer window will open.
  • In the left pane, click on Application.
  • In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
  • Look in the Source column for "Winlogon", with an entry corresponding to the date and time of the disk check.
  • Double-click on that entry to view the log.
  • Click on the button to copy the log text to the clipboard.
  • Please paste the log text into your next reply.

Also, please let me know how the machine is running currently!

bloopie

#5 GTT54 (Topic Starter, Members, 72 posts)

Posted 23 January 2013 - 07:36 PM

Event Type: Information
Event Source: Winlogon
Event Category: None
Event ID: 1001
Date: 1/23/2013
Time: 8:37:23 AM
User: N/A
Computer: PICCOLO
Description:
Checking file system on C:
The type of the file system is NTFS.
Volume label is ACER.

A disk check has been scheduled.
Windows will now check the disk.
Cleaning up minor inconsistencies on the drive.
Cleaning up 60 unused index entries from index $SII of file 0x9.
Cleaning up 60 unused index entries from index $SDH of file 0x9.
Cleaning up 60 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.

151171649 KB total disk space.
28796228 KB in 75597 files.
26448 KB in 9826 indexes.
0 KB in bad sectors.
453673 KB in use by the system.
65536 KB occupied by the log file.
121895300 KB available on disk.

4096 bytes in each allocation unit.
37792912 total allocation units on disk.
30473825 allocation units available on disk.

Internal Info:

Windows has finished checking your disk.
Please wait while your computer restarts.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

#6 GTT54 (Topic Starter, Members, 72 posts)

Posted 23 January 2013 - 08:03 PM

The computer froze up again.

#7 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 23 January 2013 - 10:52 PM

Hi again,

Could you please tell me where/when the computer froze? What were you doing when the machine froze? Any error messages at all?

That information may help us determine the problem.

...From the outside, it looks like a driver issue. Were you playing games on this machine when the problem began?

bloopie

#8 GTT54 (Topic Starter, Members, 72 posts)

Posted 24 January 2013 - 07:17 AM

It is very random. No error messages pop up. I think it is the usb driver for the internal web cam. I would get usb driver not recognized. I disabled it but I am not sure what else to do.

#9 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 25 January 2013 - 07:08 PM

Hi again,

Sorry for the delay!

  • What happens when the computer "freezes"? Does everything just lock up? And you then have to do a hard shutdown (hold the power button) and reboot to get it running again?
  • Or do you see any "blue screens" flash "with white lettering" before the computer automatically reboots itself?

Please be as clear as you can on the above questions. :thumbup2:

==========

Now let's get another couple of logs for good measure:

Step :step1:


  • Double click ListParts.exe to launch the program.
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on your Desktop.
  • Please post me the contents of the log.

==========

Step :step2:

You've run Malwarebytes before, so please update its definitions, then run a full scan and post the log for me.

==========

Step :step3:

Now I'd like you to rerun ESET, but with these instructions:

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Vista/Windows 7 users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here to run the scan.

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use, then click the button to continue.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click the button to start.
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click the button to finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

====================

In your next reply, please include the following:

  • An answer to my first questions
  • The ListParts log
  • The MBAM log
  • The ESET log

bloopie

#10 GTT54 (Topic Starter, Members, 72 posts)

Posted 26 January 2013 - 01:44 PM

What happens when the computer "freezes"? Does everything just lock up? And you then have to do a hard shutdown (hold the power button) and reboot to get it running again? Yes


ListParts by Farbar Version: 16-01-2013
Ran by Farfalla (administrator) on 26-01-2013 at 09:55:21
Windows XP (X86)
Running From: C:\Documents and Settings\Farfalla\desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 46%
Total physical RAM: 1011.88 MB
Available physical RAM: 541.84 MB
Total Pagefile: 2428.14 MB
Available Pagefile: 2084.86 MB
Total Virtual: 2047.88 MB
Available Virtual: 2000.4 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:144.17 GB) (Free:115.65 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 149 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 4997 MB 32 KB
Partition 2 Primary 144 GB 4997 MB
======================================================================================================

Disk: 0
Partition 1
Type : 12
Hidden: Yes
Active: No

There is no volume associated with this partition.
======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 C ACER NTFS Partition 144 GB Healthy System (partition with boot components)
======================================================================================================

****** End Of Log ******

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.26.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Farfalla :: PICCOLO [administrator]

1/26/2013 9:56:52 AM
mbam-log-2013-01-26 (09-56-52).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 298500
Time elapsed: 1 hour(s), 6 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


C:\Documents and Settings\Farfalla\My Documents\Downloads\gusetup.exe a variant of Win32/Bundled.Toolbar.Ask application

#11 bloopie (Bleepin' Sith Turner, Malware Response Team, 7,927 posts, New York)

Posted 26 January 2013 - 02:11 PM

Hi again,

Okay, thanks!

Now I'd like you to run TDSSKiller again, but with a fresh download and different instructions than you've previously done:

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters
  • Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS file system
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now
  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip or Cure (if available) for all of them unless otherwise instructed.
    ***Do NOT select Delete!
  • Click Continue
  • Click Reboot computer
  • Please copy and paste the TDSSKiller.[Version]_[Date]_[Time]_log.txt file found in your root directory (typically c:\) to your reply

bloopie

#12 GTT54 (Topic Starter, Members, 72 posts)

Posted 27 January 2013 - 09:58 AM

It said the post was too big every time I tried posting the log. If you need more, let me know. I am posting the end part:

09:47:33.0843 3264 Scan finished
09:47:33.0843 3264 ============================================================
09:47:33.0953 3252 Detected object count: 12
09:47:33.0953 3252 Actual detected object count: 12
09:48:43.0328 3252 BrYNSvc ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0328 3252 BrYNSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0328 3252 CLBStor ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0328 3252 CLBStor ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0328 3252 CLBUDFR ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0328 3252 CLBUDFR ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0343 3252 hpqcxs08 ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0343 3252 hpqcxs08 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0343 3252 hpqddsvc ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0343 3252 hpqddsvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0359 3252 HPSLPSVC ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0359 3252 HPSLPSVC ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0375 3252 int15.sys ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0375 3252 int15.sys ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0375 3252 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0375 3252 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0390 3252 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0390 3252 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0406 3252 QBCFMonitorService ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0406 3252 QBCFMonitorService ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0421 3252 QBFCService ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0421 3252 QBFCService ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0421 3252 QBVSS ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0421 3252 QBVSS ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:49:05.0125 3036 Deinitialize success
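As an added example that is not part of the thread (neither poster wrote it), here is a small Python triage script for a TDSSKiller log tail like the one posted above: it answers the questions the responder in #11 cares about (how many objects were declared versus how many survived the truncated paste, which verdicts are heuristic, whether anything was set to Delete). It assumes the line format visible in the excerpt, treats UnsignedFile.Multi.Generic (seen on the page) and LockedFile.Multi.Generic (assumed, a sibling verdict) as heuristic "no valid signature" noise, and the Rootkit.Boot.Example line in the constructed sample is made up so that the real-detection path is exercised.

```python
"""Triage a TDSSKiller log tail (added example, not from the thread).

Assumed line format for detected objects (matches the excerpt posted above):
    HH:MM:SS.mmmm <thread-id> <object> ( <verdict> ) - <action text>
Heuristic verdicts: UnsignedFile.Multi.Generic is on the page;
LockedFile.Multi.Generic is an assumption. Anything else is treated as a real hit.
"""
import re
from collections import Counter

# Constructed sample: a shortened copy of the posted log tail plus one made-up
# rootkit-style line (Rootkit.Boot.Example is not a real verdict name).
SAMPLE_LOG = """\
09:47:33.0843 3264 Scan finished
09:47:33.0953 3252 Detected object count: 12
09:47:33.0953 3252 Actual detected object count: 12
09:48:43.0328 3252 BrYNSvc ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0328 3252 BrYNSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0343 3252 hpqcxs08 ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0343 3252 hpqcxs08 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:43.0375 3252 int15.sys ( UnsignedFile.Multi.Generic ) - skipped by user
09:48:43.0375 3252 int15.sys ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:48:44.0001 3252 \\Device\\Harddisk0\\DR0 ( Rootkit.Boot.Example ) - User select action: Cure
09:49:05.0125 3036 Deinitialize success
"""

HEURISTIC_VERDICTS = {"UnsignedFile.Multi.Generic", "LockedFile.Multi.Generic"}

DETECTION_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+(?P<obj>.+?)\s+\(\s*(?P<verdict>\S+)\s*\)\s+-\s+(?P<rest>.*)$"
)
ACTION_RE = re.compile(r"User select action:\s*(?P<action>\w+)")
COUNT_RE = re.compile(r"Actual detected object count:\s*(?P<n>\d+)")


def parse_detections(log_text):
    """Return (declared_count, {object: {"verdict": ..., "action": ...}})."""
    objects = {}
    declared = None
    for line in log_text.splitlines():
        m = COUNT_RE.search(line)
        if m:
            declared = int(m.group("n"))
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # status lines such as "Scan finished" carry no object
        entry = objects.setdefault(
            m.group("obj"), {"verdict": m.group("verdict"), "action": None}
        )
        a = ACTION_RE.search(m.group("rest"))
        if a:
            entry["action"] = a.group("action")
    return declared, objects


def triage(log_text):
    """Summarise a log tail the way a helper would read it before replying."""
    declared, objects = parse_detections(log_text)
    return {
        "declared": declared,
        "parsed": len(objects),
        # A pasted tail that lost lines shows fewer objects than TDSSKiller declared.
        "truncated": declared is not None and len(objects) < declared,
        "heuristic": sorted(o for o, e in objects.items() if e["verdict"] in HEURISTIC_VERDICTS),
        "real": sorted(o for o, e in objects.items() if e["verdict"] not in HEURISTIC_VERDICTS),
        # The instructions in #11 said never to pick Delete; flag it if it happened.
        "deleted": sorted(o for o, e in objects.items() if e["action"] == "Delete"),
        "actions": Counter(e["action"] for e in objects.values()),
    }


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"declared {r['declared']}, parsed {r['parsed']}, truncated={r['truncated']}")
    print("heuristic (unsigned/locked, usually vendor drivers):", r["heuristic"])
    print("real detections needing attention:", r["real"])
    print("objects the user chose Delete for:", r["deleted"])
```

Run against the full log instead of the pasted tail, all twelve objects in the thread fall into the heuristic bucket: UnsignedFile.Multi.Generic only means TDSSKiller found no valid digital signature on the file, which is routine for Brother, HP and QuickBooks services and drivers on an XP machine, so Skip was the right choice and the empty "real" list is consistent with the responder's conclusion in #13 that this is not malware.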

#13 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 28 January 2013 - 04:08 PM

Hi again,

There are just a couple of steps that I'd like you to do to clean our tools up and uninstall some programs. These steps you can find below in my "all clean" speech.

At this point, I think it's safe to say that your issue is not malware related, but it seems to be a hardware issue. In light of that, I'd like you to post a new topic in the Internal Hardware forum for continued support. Be sure to mention that you and I have worked together to rule out malware, and/or you can post a link to this topic when you begin your new topic.

====================

Your machine appears to be clean! :thumbsup:

Let's do some housekeeping now:



The following steps will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.


Step :step1:

DeFogger:

Note** This only needs to be run if it was run before - If not then skip it.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


Step :step2:

Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.


Step :step3:

Uninstall adwCleaner:

  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Confirm with yes.


Step :step4:

Download and Run OTC

We will now remove the tools we used during this fix using OTC.

  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Any programs and logs that are left over you can just delete from the desktop.


Are you having any additional problems at this point? If so, please let me know. Otherwise feel free to enjoy use of your repaired machine :thumbup2:



The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to protect yourself is not to run email attachments from untrusted sources, and to avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems', such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out of date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows XP SP2 or later is fine) and leaving it on, and using and keeping up to date an antivirus solution such as Norton AntiVirus. Antiviral solutions don't even have to cost money; for instance Microsoft Security Essentials provides perfectly acceptable protection for free. If for some reason you don't like MSE, there are other free products available as well:
  • Avast (home use only)
  • Avira (shows nag screen to purchase full product when updating, home use only)

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:
If you want more information on the methods malware uses to infect your computer, consider browsing our How did I get infected? topic.

Please respond to this post so I can close the thread unless you have any other questions.


Best of regards, and happy surfing!! :wink:

bloopie

#14 GTT54

GTT54
  • Topic Starter

  • Members
  • 72 posts

Posted 29 January 2013 - 08:55 PM

I ran through those steps. I posted a new topic in internal hardware. Will another moderator respond to my topic?

Thank you for your help. It is much appreciated.

#15 bloopie

bloopie

    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 29 January 2013 - 10:47 PM

Hi again,

Will another moderator respond to my topic?

I can't say who will respond to the topic, but anyone can respond to topics in that forum. In this forum, it's only me or other members of the Malware Response Team that can respond, so you're limited here.

Advisors are the helpers that are most qualified to help with internal hardware issues, but that's not to say that regular members can't help either. To become Advisor, you must be "chosen" for your trustworthy advice. So strictly speaking, regular members with many posts and good advice are potential Advisors anyway. :thumbup2:

If your topic goes unanswered for more than a couple of days, I will post a note to the Advisors that you still need help. You won't be overlooked if I can help it! :)

Thank you for your help. It is much appreciated.

It's my pleasure! You've been a pleasure to help! :clapping:

Best of regards, and good luck!

bloopie
