
100% of cpu usage and 80% + of hardware usage


24 replies to this topic

#1 neighbour2013

  • Members
  • 10 posts

Posted 18 November 2013 - 08:36 AM

Hi,

 

History

 My senior neighbour was having problems using her computer. I am not an expert user of one, but know the basics. She had her computer online with NO protection - nothing, and 100% of CPU usage was showing along with 80%+ of hardware usage, and nothing could be done with it.

 

Actions Taken

 

I put it into safe mode, installed:

Spybot Search and Destroy - free

Malwarebytes - free

SUPERAntiSpyware - free

Emsisoft Anti-Malware - free

Avast - free

 

Ran the programs and it found all kinds of malware, including several trojans. I didn't keep track of what they were. Running these programs took several weeks, because her life is all medical appointments, so I had to do it between medical appointments, at her place.

 

I told her NOT to use her computer and to call me when I can come over next. It was my INTENTION to update the programs and re-run them in safe mode.

 

Instead she calls me and says the computer is slow again and not working. She had been using the computer online with no protection again, even though I told her there was still stuff on her computer.

 

I went over there and re-ran everything in safe mode and this time it didn't help and there is no way to update those programs.

 

An observation: when her computer was on, and basically all seized up, the internet lights on the modem were looking like the lights on a Christmas tree, like there was a lot of activity. Zombie computer.

 

 

An added note:

 

I now have her computer at my home to work on.

 

And the last time the computer was started in 'normal' mode, it gave us the blue screen of death.

 

 

Thanks.

 

 

 

Edited to add: I forgot to mention that I also used a McAfee removal tool on her computer, as it wouldn't uninstall through the Control Panel.

 

Moderator Edit: Moved from Windows 7 to a more appropriate forum.

Roger

 

 

Edited to say - Thank you, and I apologize for putting it in the wrong place.


Edited by neighbour2013, 18 November 2013 - 09:52 AM.



 


#2 jaytee84

  • Members
  • 22 posts

Posted 18 November 2013 - 09:32 AM

Boot into safe mode. Save copies of all her personal files. Run Belarc Advisor and get a list of programs that are installed on her computer; it should also show the keys for the programs. Back up her bookmarks etc. Then recover or format the computer. It sounds like a nightmare. This is going to be a lot easier for you and better for the computer in the end.



#3 Broni

  • BC Advisor
  • 42,699 posts
  • Location:Daly City, CA

Posted 18 November 2013 - 08:41 PM

Welcome aboard

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.


Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices (do NOT change any settings here)
  • List Users, Partitions and Memory size

Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Download Malwarebytes Anti-Rootkit from HERE to your Desktop.
  • Unzip the downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • DO NOT click on the Cleanup button. Simply exit the program.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt


Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run, then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


If normal mode still doesn't work, run the tool from safe mode.

When the scan is done, Notepad will open with the rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

NOTE Do NOT wrap your logs in "quote" or "code" brackets.


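As an added illustration (not part of Broni's post, and not code from Farbar's tool), the service and "Disabled Policy" part of the FSS step above can be approximated with built-in PowerShell: it compares each service's configured start type with its default and reads the registry values that switch a protection off, so a reader can see what an entry like the FSS log's "The start type of WinDefend service is set to Demand. The default start type is Auto." looks like at the source. The default start types and the policy paths other than the HKLM\SOFTWARE\Microsoft\Windows Defender key that appears in this thread's FSS log are assumptions taken from standard Windows 7 settings. Note that on Windows 7 a Microsoft Security Essentials installation (present in the Security Check log later in the thread) itself turns the built-in Windows Defender off, so that one finding alone is not proof of tampering; a firewall or Windows Update policy set on a home machine would be the more telling result.

```powershell
# Added example: a PowerShell approximation of the service and policy checks
# that Farbar Service Scanner reports. Run from an elevated PowerShell prompt.
# Get-WmiObject keeps it working on the Windows 7 / PowerShell 2.0 machine
# described in the thread.

# Services FSS covers under Internet Services / Windows Firewall / System
# Restore / Security Center / Windows Update / Windows Defender, with the
# start type they have on a default Windows 7 install (assumption).
$ExpectedStartMode = @{
    'nsi'       = 'Auto'    # Network Store Interface
    'Dhcp'      = 'Auto'    # DHCP Client
    'Dnscache'  = 'Auto'    # DNS Client
    'MpsSvc'    = 'Auto'    # Windows Firewall
    'BFE'       = 'Auto'    # Base Filtering Engine
    'VSS'       = 'Manual'  # Volume Shadow Copy (used by System Restore)
    'SDRSVC'    = 'Manual'  # Windows Backup
    'wscsvc'    = 'Auto'    # Security Center
    'wuauserv'  = 'Auto'    # Windows Update
    'CryptSvc'  = 'Auto'    # Cryptographic Services
    'WinDefend' = 'Auto'    # Windows Defender
}

# Registry values that disable a protection when set to BadValue. The first
# path is the one flagged in this thread's FSS log; the remaining paths are
# the standard Group Policy locations (assumed to be what FSS reads).
$DisablePolicies = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                          Name = 'DisableAntiSpyware'; BadValue = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                 Name = 'DisableAntiSpyware'; BadValue = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile';  Name = 'EnableFirewall';     BadValue = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';         Name = 'DisableSR';          BadValue = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';         Name = 'NoAutoUpdate';       BadValue = 1 }
)

function Get-ServiceStartModeReport {
    # One row per service: configured start mode, current state, and whether
    # the start mode still matches the expected default.
    foreach ($name in $ExpectedStartMode.Keys) {
        $expected = $ExpectedStartMode[$name]
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            # A missing service is itself worth a look (removed or renamed).
            New-Object PSObject -Property @{
                Service = $name; Expected = $expected; StartMode = 'MISSING'; State = 'n/a'; Status = 'CHECK'
            }
            continue
        }
        $status = if ($svc.StartMode -eq $expected) { 'OK' } else { 'CHECK' }
        New-Object PSObject -Property @{
            Service = $name; Expected = $expected; StartMode = $svc.StartMode; State = $svc.State; Status = $status
        }
    }
}

function Get-DisablePolicyReport {
    # Report only values that are actually present; an absent key is the
    # normal state on a home machine, so nothing is printed for it.
    foreach ($p in $DisablePolicies) {
        if (-not (Test-Path $p.Path)) { continue }
        $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $value = $item.($p.Name)
        $status = if ($value -eq $p.BadValue) { 'DISABLED BY POLICY' } else { 'OK' }
        New-Object PSObject -Property @{
            Key = $p.Path; Name = $p.Name; Value = $value; Status = $status
        }
    }
}

Get-ServiceStartModeReport | Format-Table Service, Expected, StartMode, State, Status -AutoSize
Get-DisablePolicyReport    | Format-Table Name, Value, Status, Key -AutoSize
```

Rows marked CHECK or DISABLED BY POLICY correspond to the lines FSS prints in its Windows Firewall, System Restore, Windows Update and Windows Defender sections; a clean machine prints no policy rows at all.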


 


#4 rotor123

  • Moderator
  • 8,093 posts
  • Location:New Jersey

Posted 18 November 2013 - 10:22 PM

jaytee84, it is early days to be suggesting what amounts to a solution that can lead to a lot of work.

 

In many cases Windows can be cleaned and made to work OK. The repair utilities are getting better and better.

 

If not, then it is time to go to the drastic step of wiping out and reloading Windows and all the applications, as well as all the settings needed.

 

With all my years of experience, going back to the days of the 8088 processor and DOS running on a dual-floppy system, I have been known to miss something that later on caused me extra work.

I keep all my licenses in a loose-leaf book. I keep all my user names and passwords in another book, and still sometimes I just have to shrug it off as lost.

 

None of us are perfect.

I use Mozback for my Firefox and email backups for example. I can copy my favorites from IE, and still things can happen. I keep multiple backups too. That is based on experience however.

 

And I still do wipe and reload rather than run an upgrade for Windows. It seems to help with stability in my experience.

 

Thank You for helping

Roger




#5 neighbour2013

  • Topic Starter
  • Members
  • 10 posts

Posted 19 November 2013 - 02:15 PM

HI -  THANKS!

 

I'm home now. I read your post at work, and something rang a bell for me: I had seen rkill before. When I got home I checked her computer desktop, and inside a folder inside a folder called security I found the following programs, all dated Sept 2013.

adwcleaner

combofix

dds

hijack this

rkill

 

 

I never thought anything about them, because I don't know what they were there for, so I left them.

 

I called the senior whose computer this is and she said that the young fellow upstairs had been working on her computer. She said between the two of us (him and I) she thought that it would get fixed because he was a wiz on his xbox.

 

I'm sorry I didn't know any of this until now.

 

I am currently following your instructions, and please know, I feel a bit angry with her that she wasn't completely honest with me, and that I couldn't give you the full background of her machine. 

 

 

Please know that I have the greatest respect and regard for what you do, and I do appreciate your help, but I would understand if you didn't want to help because of this deception.

 

 

Edited to fix a spelling error.


Edited by neighbour2013, 19 November 2013 - 02:23 PM.


#6 Kilroy

  • BC Advisor
  • 3,378 posts
  • Location:Launderdale, MN

Posted 19 November 2013 - 03:15 PM

I'm with jaytee84, back it up and blow it up.  "I say we take off and nuke the entire site from orbit. It's the only way to be sure." - Ripley

 

Once a machine has been infected you can no longer trust anything it tells you. With the time it takes to clean a machine, that you can never be sure is really clean, you are better served reloading. Take a listen or read of Security Now! - Episode 9 - Rootkits - https://www.grc.com/sn/past/2005.htm

 

That episode was from 2005; rest assured the bad guys have only gotten better. Cryptolocker anyone?

 

I'd also suggest the purchase of a router. I wouldn't feel comfortable putting any of my machines directly on the Internet and don't think anyone else should either.


Edited by RKilroy, 19 November 2013 - 03:16 PM.


#7 jaytee84

  • Members
  • 22 posts

Posted 19 November 2013 - 03:23 PM

It's going to take just as long to scan and fix everything, if not longer. Just write down and back up passwords and make sure you can get software to re-install, and then do a restore. I prefer to get the OEM CDs from online and then use the key on the machine so the OS doesn't come loaded with garbage software right off the bat. If using the OEM CDs, just be aware that some drivers may not be installed automatically, in which case you need to go to the internet. So say it's a Dell, go to dell.com. Pretty simple. I agree a format isn't always the way, but it will eventually need to happen; better to just deal with it now rather than 6 months down the road.



#8 cmptrgy

  • Members
  • 1,652 posts
  • Location:Massachusetts

Posted 19 November 2013 - 04:34 PM

neighbour2013, I understand your situation as I have been there myself. To make a long story short, now when I help someone, regardless of capability, I ask them to describe what the problems are, followed up by whether anyone has worked on this computer, not only recently but even a few years ago, and then verify their make/model, OS and pertinent product codes right in front of them.

That typically takes all of 10, maybe 15 minutes.

 

I wouldn't get hung up on someone's deception but use this as a learning tool - that person probably doesn't comprehend the significance of what's going on. You were honest enough to bring up the after-the-fact situation, and I know BC will be more than willing to help you.

 

Fortunately you have the computer at home so now you can follow the approach you decide to use

 

Last but not least, when someone doesn't listen to instructions that's not a good thing; I've been up against that also, and it takes experience to know how to handle such situations.



#9 neighbour2013

  • Topic Starter
  • Members
  • 10 posts

Posted 19 November 2013 - 06:59 PM

cmptrgy / Larry, thank you for your kind words, and advice it is greatly appreciated.  :)

 

-----------------

 

BC, here are the logs you requested:

 

Before posting the logs, I did Control-F in the text documents to search for the senior's name in order to protect her privacy; when I found it, I replaced it with ------. That was the only change I made to the logs.

 

 

 

Step 1: From Security Check - Checkup.txt

 

Results of screen317's Security Check version 0.99.77  
 Windows 7 Service Pack 1 x86 (UAC is disabled!)  
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
avast! Antivirus                
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 4.6    
 Spybot - Search & Destroy
 SUPERAntiSpyware     
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
 Java™ 6 Update 29  
 Java version out of Date!
 Adobe Flash Player     11.6.602.171  
 Adobe Reader XI  
 Mozilla Firefox (25.0.1)
 Google Chrome 30.0.1599.101  
 Google Chrome 31.0.1650.57  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Spybot Teatimer.exe is disabled!
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 

 

Step 2: FSS - FSS.txt

 

Farbar Service Scanner Version: 10-11-2013
Ran by -----(administrator) on 19-11-2013 at 15:26:19
Running from "C:\Users\----\Desktop\BC Computer"
Microsoft Windows 7 Home Premium  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys
[2013-10-12 16:33] - [2013-09-13 19:48] - 0338944 ____A (Microsoft Corporation) F81BB7E487EDCEAB630A7EE66CF23913

C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-10-12 16:34] - [2013-09-07 21:07] - 1294272 ____A (Microsoft Corporation) CA59F7C570AF70BC174F477CFE2D9EE3

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll
[2013-08-15 18:08] - [2013-07-08 23:46] - 0140288 ____A (Microsoft Corporation) 7CA1BECEA5DE2643ADDAD32670E7A4C9

C:\Program Files\Windows Defender\MpSvc.dll
[2013-07-11 23:27] - [2013-05-26 23:57] - 0680960 ____A (Microsoft Corporation) 082CF481F659FAE0DE51AD060881EB47

C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

 

 

Step 3: MiniToolBox

 

MiniToolBox by Farbar  Version: 13-07-2013
Ran by ------  (administrator) on 19-11-2013 at 15:31:55
Running from "C:\Users\----\Desktop\BC Computer"
Microsoft Windows 7 Home Premium  Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================



========================= IP Configuration: ================================

Intel® PRO/100 VE Network Connection = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : ---- PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : gateway.2wire.net
   Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection
   Physical Address. . . . . . . . . : 00-16-76-28-0A-5C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9083:ac19:fdaf:8973%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 2013-11-19 1:37:41 PM
   Lease Expires . . . . . . . . . . : 2013-11-22 3:19:46 PM
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DHCPv6 IAID . . . . . . . . . . . : 285218422
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-14-04-75-00-16-76-28-0A-5C
   DNS Servers . . . . . . . . . . . : 192.168.2.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.gateway.2wire.net:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:8c:3c97:3f57:fdf5(Preferred)
   Link-local IPv6 Address . . . . . : fe80::8c:3c97:3f57:fdf5%13(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled
Server:  mymodem
Address:  192.168.2.1

Name:    google.com
Addresses:  2607:f8b0:400b:806::1002
      74.125.226.130
      74.125.226.142
      74.125.226.131
      74.125.226.129
      74.125.226.135
      74.125.226.128
      74.125.226.132
      74.125.226.133
      74.125.226.136
      74.125.226.134
      74.125.226.137


Pinging google.com [74.125.226.130] with 32 bytes of data:
Reply from 74.125.226.130: bytes=32 time=19ms TTL=54
Reply from 74.125.226.130: bytes=32 time=19ms TTL=54

Ping statistics for 74.125.226.130:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms
Server:  mymodem
Address:  192.168.2.1

Name:    yahoo.com
Addresses:  98.139.183.24
      206.190.36.45
      98.138.253.109


Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
Reply from 98.139.183.24: bytes=32 time=60ms TTL=49
Reply from 98.139.183.24: bytes=32 time=129ms TTL=49

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 60ms, Maximum = 129ms, Average = 94ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 11...00 16 76 28 0a 5c ......Intel® PRO/100 VE Network Connection
  1...........................Software Loopback Interface 1
 15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.10     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link      192.168.2.10    276
     192.168.2.10  255.255.255.255         On-link      192.168.2.10    276
    192.168.2.255  255.255.255.255         On-link      192.168.2.10    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.2.10    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.2.10    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 13     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 13     58 2001::/32                On-link
 13    306 2001:0:5ef5:79fd:8c:3c97:3f57:fdf5/128
                                    On-link
 11    276 fe80::/64                On-link
 13    306 fe80::/64                On-link
 13    306 fe80::8c:3c97:3f57:fdf5/128
                                    On-link
 11    276 fe80::9083:ac19:fdaf:8973/128
                                    On-link
  1    306 ff00::/8                 On-link
 13    306 ff00::/8                 On-link
 11    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog5 06 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 07 C:\Windows\system32\winrnr.dll [20992] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 28 C:\Windows\system32\mswsock.dll [231424] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/19/2013 01:36:29 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.


Details:
Could not query the status of the EventSystem service.

System Error:
A system shutdown is in progress.
.

Error: (11/19/2013 10:54:35 AM) (Source: Application Hang) (User: )
Description: The program Bubbles.scr version 6.1.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: f0c

Start Time: 01cee53f88935448

Termination Time: 3526

Application Path: C:\Windows\system32\Bubbles.scr

Report Id: d2fa9b00-5132-11e3-8bcd-001676280a5c

Error: (11/19/2013 10:53:32 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {573434e1-2b3a-4a8c-9e2a-b4236a377155}


System errors:
=============
Error: (11/19/2013 02:48:49 PM) (Source: Microsoft-Windows-HAL) (User: )
Description: The platform firmware has corrupted memory across the previous system power transition.  Please check for updated firmware for your system.

Error: (11/19/2013 01:38:18 PM) (Source: Service Control Manager) (User: )
Description: The Emsisoft Anti-Malware 8.0 - Service service failed to start due to the following error:
%%1053

Error: (11/19/2013 01:38:18 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Emsisoft Anti-Malware 8.0 - Service service to connect.

Error: (11/19/2013 01:34:39 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/19/2013 01:34:32 PM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/19/2013 11:48:20 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/19/2013 11:47:52 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/19/2013 11:47:52 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/19/2013 11:47:52 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/19/2013 11:47:52 AM) (Source: Service Control Manager) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068


Microsoft Office Sessions:
=========================
Error: (11/19/2013 01:36:29 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description:
Details:
Could not query the status of the EventSystem service.

System Error:
A system shutdown is in progress.

Error: (11/19/2013 10:54:35 AM) (Source: Application Hang)(User: )
Description: Bubbles.scr6.1.7601.17514f0c01cee53f889354483526C:\Windows\system32\Bubbles.scrd2fa9b00-5132-11e3-8bcd-001676280a5c

Error: (11/19/2013 10:53:32 AM) (Source: VSS)(User: )
Description: 0x80070005, Access is denied.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {573434e1-2b3a-4a8c-9e2a-b4236a377155}


=========================== Installed Programs ============================

Adobe Flash Player 11 ActiveX (Version: 11.5.502.149)
Adobe Flash Player 11 Plugin (Version: 11.6.602.171)
Adobe Reader XI (11.0.03) (Version: 11.0.03)
Apple Application Support (Version: 2.2.2)
Apple Mobile Device Support (Version: 6.0.0.59)
Apple Software Update (Version: 2.1.3.127)
avast! Free Antivirus (Version: 9.0.2008)
Bandwidth Monitor
Bonjour (Version: 3.0.0.10)
CCleaner (Version: 4.06)
Emsisoft Anti-Malware (Version: 8.1)
Google Chrome (Version: 31.0.1650.57)
Google Update Helper (Version: 1.3.21.165)
Intel® Graphics Media Accelerator Driver (Version: 8.15.10.1930)
IrfanView (remove only) (Version: 4.32)
iTunes (Version: 10.7.0.21)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Security Client (Version: 4.4.0304.0)
Microsoft Security Essentials (Version: 4.4.304.0)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Mozilla Firefox 25.0.1 (x86 en-US) (Version: 25.0.1)
Mozilla Maintenance Service (Version: 25.0.1)
OpenOffice.org 3.3 (Version: 3.3.9567)
Spybot - Search & Destroy (Version: 2.0.12)
SpywareBlaster 4.6 (Version: 4.6.1)
SUPERAntiSpyware (Version: 5.6.1032)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (Version: 3)
VC80CRTRedist - 8.0.50727.6195 (Version: 1.2.0)

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 47%
Total physical RAM: 1014.12 MB
Available physical RAM: 529.49 MB
Total Pagefile: 2038.12 MB
Available Pagefile: 1128.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1940.77 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:186.31 GB) (Free:77.39 GB) NTFS

========================= Users: ========================================

User accounts for \\-----PC

Administrator            -------    Guest                    
-----


**** End of log ****

 

Step 4: MBAM

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.19.10

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16736
----:: ----PC [administrator]

2013-11-19 3:44:04 PM
mbam-log-2013-11-19 (15-44-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 245087
Time elapsed: 20 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 

 

Step 5: Malwarebytes Anti-Rootkit

 

MBAR log

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1007
www.malwarebytes.org

Database version: v2013.11.19.10

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16736
--- :: -----PC [administrator]

2013-11-19 4:54:09 PM
mbar-log-2013-11-19 (16-54-09).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 248002
Time elapsed: 31 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 

 

MBAR system log

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x86

Account is Administrative

Internet Explorer version: 10.0.9200.16736

Java version: 1.6.0_29

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED
CPU speed: 2.666000 GHz
Memory total: 1063378944, free: 288374784

Downloaded database version: v2013.11.19.10
Downloaded database version: v2013.10.11.02
=======================================
Initializing...
------------ Kernel report ------------
     11/19/2013 16:53:32
------------ Loaded modules -----------
\SystemRoot\system32\ntkrnlpa.exe
\SystemRoot\system32\halmacpi.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_GenuineIntel.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\BOOTVID.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\system32\drivers\intelide.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\atapi.sys
\SystemRoot\system32\drivers\ataport.SYS
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\DRIVERS\MpFilter.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\DRIVERS\disk.sys
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
\SystemRoot\System32\Drivers\aswVmm.sys
\SystemRoot\System32\Drivers\aswRvrt.sys
\SystemRoot\system32\drivers\cdrom.sys
\??\C:\Windows\system32\drivers\aswSnx.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\??\C:\Windows\system32\drivers\aswTdi.sys
\SystemRoot\system32\drivers\afd.sys
\??\C:\Windows\system32\drivers\aswRdr2.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\DRIVERS\blbdrive.sys
\??\C:\Windows\system32\drivers\aswSP.sys
\??\C:\Program Files\Emsisoft Anti-Malware\a2ddax86.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\igdkmd32.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\1394ohci.sys
\SystemRoot\system32\DRIVERS\e100b325.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\drivers\i8042prt.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\HdAudio.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_dumpata.sys
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\??\C:\Windows\system32\drivers\aswMonFlt.sys
\??\C:\Windows\system32\drivers\aswFsBlk.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\DRIVERS\parvdm.sys
\SystemRoot\system32\DRIVERS\NisDrvWFP.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff84ef64d0
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-2\
Lower Device Object: 0xffffffff84e42030
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff84ef64d0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff84ef7020, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xffffffff84ef64d0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff84e42f08, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff84e42030, DeviceName: \Device\Ide\IdeDeviceP1T0L0-2\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: FFFFFFFF

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 390717440
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 200049647616 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-390701968-390721968)...
Done!
Scan finished
=======================================


Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_2048_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished
 

 

Step 6: RKill

 

Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/19/2013 05:26:25 PM in x86 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 11/19/2013 05:28:33 PM
Execution time: 0 hours(s), 2 minute(s), and 7 seconds(s)
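The "Inspecting partition table" step in the MBAR system log above is a plain MBR parse: boot signature, disk signature, the four 16-byte partition entries. The script below is an added example, not part of the original post and not Malwarebytes' own code. It builds a 512-byte MBR from constructed sample data matching the values MBAR reported (disk signature FFFFFFFF, one active 0x07 partition at LBA 2048 with 390717440 sectors), parses it the same way, and hashes the 446-byte boot-code area so a changed MBR can be spotted between runs, which is the check a bootkit scan is really making. The `Read-PhysicalMbr` helper and the `\\.\PhysicalDrive0` path are assumptions for reading a real disk; they need an elevated prompt and are not called by default.

```powershell
# Added example (not from this thread or from Malwarebytes): parse an MBR the
# way MBAR's "Inspecting partition table" step reports it, and hash the boot
# code so a changed MBR can be spotted between runs. Targets Windows
# PowerShell 2.0+, which is what a Windows 7 machine ships with.

function New-SampleMbr {
    # Constructed 512-byte MBR mirroring the values in the MBAR log:
    # disk signature FFFFFFFF, one active NTFS (0x07) partition at LBA 2048
    # spanning 390717440 sectors, boot signature 55AA. Boot code is left zeroed;
    # a real disk has ~446 bytes of bootstrap code here.
    $mbr = New-Object byte[] 512
    [Array]::Copy([BitConverter]::GetBytes([uint32]::MaxValue), 0, $mbr, 0x1B8, 4)
    $e = 0x1BE                                  # first partition entry
    $mbr[$e]     = 0x80                         # status: active/bootable
    $mbr[$e + 4] = 0x07                         # type: NTFS/HPFS/exFAT
    [Array]::Copy([BitConverter]::GetBytes([uint32]2048), 0, $mbr, $e + 8, 4)
    [Array]::Copy([BitConverter]::GetBytes([uint32]390717440), 0, $mbr, $e + 12, 4)
    $mbr[510] = 0x55; $mbr[511] = 0xAA
    return ,$mbr
}

function Get-MbrReport {
    param([Parameter(Mandatory=$true)][byte[]]$Mbr)
    if ($Mbr.Length -ne 512) { throw "Expected 512 bytes, got $($Mbr.Length)" }

    # Hash only the boot-code region (offsets 0..445); the partition table and
    # signature legitimately change when partitions are edited, the code should not.
    $sha256   = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = [BitConverter]::ToString($sha256.ComputeHash($Mbr, 0, 446)) -replace '-', ''
    $warnings = @()

    $sig = ('{0:X2}{1:X2}' -f $Mbr[510], $Mbr[511])
    if ($sig -ne '55AA') { $warnings += "Bad boot signature $sig (expected 55AA)" }

    $partitions = @()
    for ($i = 0; $i -lt 4; $i++) {
        $off    = 0x1BE + 16 * $i
        $status = $Mbr[$off]
        $type   = $Mbr[$off + 4]
        $lba    = [BitConverter]::ToUInt32($Mbr, $off + 8)
        $count  = [BitConverter]::ToUInt32($Mbr, $off + 12)
        # Only 0x00 (inactive) and 0x80 (active) are legal status bytes;
        # anything else means the entry is damaged or has been tampered with.
        if ($status -ne 0x00 -and $status -ne 0x80) {
            $warnings += ('Partition {0} has illegal status byte 0x{1:X2}' -f $i, $status)
        }
        $partitions += New-Object PSObject -Property @{
            Index    = $i
            Type     = ('0x{0:X}' -f $type)
            Active   = ($status -eq 0x80)
            StartLba = $lba
            NumSec   = $count
            Empty    = ($type -eq 0)
        }
    }
    if (@($partitions | Where-Object { $_.Active }).Count -ne 1) {
        $warnings += 'Expected exactly one active partition'
    }

    New-Object PSObject -Property @{
        MbrSignature   = $sig
        DiskSignature  = ('{0:X8}' -f ([BitConverter]::ToUInt32($Mbr, 0x1B8)))
        BootCodeSha256 = $bootHash
        Partitions     = $partitions
        Warnings       = $warnings
    }
}

function Read-PhysicalMbr {
    # Assumption: reads sector 0 of PhysicalDrive0. Needs an elevated prompt,
    # so it is not called below and the sample stays runnable as a normal user.
    param([string]$Device = '\\.\PhysicalDrive0')
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
    try {
        $buf = New-Object byte[] 512
        [void]$fs.Read($buf, 0, 512)
        return ,$buf
    } finally { $fs.Dispose() }
}

$report = Get-MbrReport -Mbr (New-SampleMbr)
"MBR Signature: $($report.MbrSignature)   Disk Signature: $($report.DiskSignature)"
"Boot code SHA-256: $($report.BootCodeSha256)"
$report.Partitions | Where-Object { -not $_.Empty } |
    Format-Table Index, Type, Active, StartLba, NumSec -AutoSize
$report.Warnings | ForEach-Object { "WARNING: $_" }
```

Run it once from an elevated prompt with `Get-MbrReport -Mbr (Read-PhysicalMbr)` and keep the boot-code hash; if that hash differs on a later run without an OS reinstall or a boot-repair having been done, something rewrote the MBR and an anti-rootkit scan like the MBAR one above is the right next step.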



#10 neighbour2013

neighbour2013
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 20 November 2013 - 09:22 AM

I moved a 3.05 MB file this morning on her computer, and it took a little over 15 minutes to move it. Wow.



#11 neighbour2013

neighbour2013
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 25 November 2013 - 09:46 AM

I've been watching the Task Manager / Resource manager closely and this is what I have observed:

msmpeng was hogging the resources, so I uninstalled it.

Then svchost.exe (secsvcs) was hogging the resources; ended it. Then

svchost (netsvcs) was hogging the resources; ended it. Then

wmpnetworksoc was hogging the resources; ended it. Then

svchost.exe (local system network restricted) was hogging the resources; ended it. Then

firefox was hogging the resources and it wasn't even running,

and the CPU usage was down.

Then I restarted the computer, and everything was up there again.

I don't know if this helps or hinders.



#12 neighbour2013

neighbour2013
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 25 November 2013 - 12:10 PM

How is this for wonky: I tried to install the Flash Player from the Adobe site and when I double-clicked on it, it disappeared. I checked the Recycle Bin and it wasn't there either; it's gone. Totally gone.



#13 Kilroy

Kilroy

  • BC Advisor
  • 3,378 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Launderdale, MN
  • Local time:04:12 PM

Posted 25 November 2013 - 12:14 PM

The Adobe Flash Plug-in deletes itself after you run it; this is normal.



#14 neighbour2013

neighbour2013
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:12 PM

Posted 25 November 2013 - 01:46 PM

Do you mean the file that I downloaded from the internet? This is the first time I've seen that, and it never did install; it hung up.


Edited by neighbour2013, 25 November 2013 - 01:47 PM.


#15 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,699 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:12 PM

Posted 25 November 2013 - 07:25 PM

First of all you're running two AV programs:

Microsoft Security Essentials
avast! Antivirus

You must uninstall one of them.

Secondly you have only 1GB of RAM installed.

Installing at least another 1GB of RAM would be crucial to your computer's performance.

So far all looks clean.

When done with uninstalling one of your AV programs...

Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double-click on procexp.exe to run the program.
Click on View > Select Columns.
In addition to the already pre-selected options, make sure the Command Line column is selected, and press OK.
Go to File > Save As, and save the report as Procexp.txt.

Upload the file(s) here: http://www.sendspace.com/
Click on the Browse button and navigate to the file you want to upload.
Click on the Upload button.
Click on the FIRST Copy Link button and paste the link in your next reply.




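Broni's request is for a process listing with the Command Line column, and the earlier post #11 was trying to work out which svchost.exe instance was eating the CPU. The script below is an added example, not part of Broni's instructions and not Process Explorer's or Sysinternals' code: it collects the same information with cmdlets present on a stock Windows 7 machine (Windows PowerShell 2.0), including the two checks raised in this thread: which antivirus products Security Center has registered (two entries is the "two AV programs" situation), and which services are hosted inside each svchost.exe, which is what distinguishes `netsvcs` from `LocalSystemNetworkRestricted`. The report path is an assumption.

```powershell
# Added example, not part of Broni's instructions or of Process Explorer:
# the same view Process Explorer gives with the Command Line column enabled,
# collected with built-in cmdlets (Windows PowerShell 2.0+, no downloads).

function Get-RegisteredAntivirus {
    # Security Center keeps one AntiVirusProduct record per registered AV product
    # (Vista and later). More than one row here means two AVs are installed.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
        Select-Object displayName, pathToSignedProductExe,
            @{ Name = 'State'; Expression = { '0x{0:X6}' -f $_.productState } }
}

function Get-ProcessCommandLines {
    # Win32_Process exposes the full command line, which is what separates one
    # svchost.exe from another (the -k <group> argument) and shows where an
    # executable was really launched from.
    Get-WmiObject -Class Win32_Process |
        Sort-Object Name |
        Select-Object Name, ProcessId, ParentProcessId, CommandLine
}

function Get-SvchostServices {
    # Map each svchost.exe PID to the services hosted in it: the equivalent of
    # "tasklist /svc" joined against the process command line.
    $services = Get-WmiObject -Class Win32_Service
    Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $procId = $_.ProcessId
        New-Object PSObject -Property @{
            ProcessId   = $procId
            CommandLine = $_.CommandLine
            Services    = (($services | Where-Object { $_.ProcessId -eq $procId } |
                            ForEach-Object { $_.Name }) -join ', ')
        }
    }
}

function Get-TopCpuProcesses {
    param([int]$Top = 10)
    # Get-Process's CPU column is cumulative processor seconds since the process
    # started, so a long-running service can rank high without being busy now;
    # compare two snapshots a minute apart to see who is consuming CPU currently.
    Get-Process | Sort-Object CPU -Descending |
        Select-Object Name, Id, @{ Name = 'CpuSeconds'; Expression = { [int]$_.CPU } }, WorkingSet -First $Top
}

# Assumed output location; any writable path works.
$reportPath = Join-Path $env:USERPROFILE 'Desktop\ProcessReport.txt'
@(
    '==== Registered antivirus products ====',
    (Get-RegisteredAntivirus | Format-Table -AutoSize | Out-String),
    '==== svchost.exe instances and hosted services ====',
    (Get-SvchostServices | Format-Table ProcessId, CommandLine, Services -AutoSize -Wrap | Out-String),
    '==== Top CPU consumers (cumulative seconds) ====',
    (Get-TopCpuProcesses | Format-Table -AutoSize | Out-String),
    '==== All processes with command lines ====',
    (Get-ProcessCommandLines | Format-Table -AutoSize -Wrap | Out-String)
) | Out-File -FilePath $reportPath -Encoding ascii
"Report written to $reportPath"
```

Run it from an elevated PowerShell prompt so Win32_Process returns command lines for services running as SYSTEM; as a normal user those fields come back empty. Ending a busy svchost.exe, as post #11 did, kills every service in that group at once, so the hosted-services column is worth reading before stopping anything.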


