Channel: Tech Support Forum - Virus/Trojan/Spyware Help

Poor performance and MSE issues

Hello,

I am trying to resolve an issue on my parents' PC.

It had been getting slower and slower, coming to an almost dead stop last week. I regularly got asked to check things out, which usually meant allowing the PC to do updates for Windows / Java / Microsoft Security Essentials.

Most recently, MSE kept cleaning and freezing the whole machine. I booted into safe mode, downloaded Malwarebytes and cleaned some trojans and ran MSE in safe mode, which was fine.

However, as soon as I booted normally, MSE would start cleaning and hang the whole machine.

I managed to stop MSE via msconfig, but Windows Update wouldn't work and any links to Microsoft Knowledge Base articles would just redirect to the MS home page. I knew something was up.

I'm hoping you guys can help. I attach the DDS logs as requested. I await your advice.

Kind Regards
Jamie McDonald

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 9.0.8112.16811 BrowserJavaVersion: 11.101.2
Run by McDonald at 22:02:26 on 2016-09-26
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.2262.1747 [GMT 1:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uURLSearchHooks: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - <orphaned>
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: WebCGMHlprObj Class: {56B38F40-4E70-11d4-A076-0080AD86BA2F} - c:\windows\system32\cgmopenbho.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.8.0_101\bin\ssv.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - <orphaned>
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre1.8.0_101\bin\jp2ssv.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [Application Restart #0] c:\program files\windows media player\wmpnscfg.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [eRecoveryService] <no file>
dRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
dRunOnce: [KodakHomeCenter] "c:\program files\kodak\aio\center\AiOHomeCenter.exe"
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-001067-0002-0067-ABCDEFFEDCBC} - <orphaned>
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{53C9F8AE-1C0C-434C-A9B3-5E2A4664294E} : DHCPNameServer = 172.20.10.1
TCP: Interfaces\{B262F103-76FD-4475-9E0D-9A0CB14569D9} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{B4358EBE-F760-4AA7-9DD9-468AE35A8BFE} : DHCPNameServer = 192.168.1.254
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
.
============= SERVICES / DRIVERS ===============
.
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2014-11-26 45736]
S0 RapportHades;RapportHades;c:\windows\system32\drivers\RapportHades.sys [2016-9-12 101992]
S1 RapportCerberus_1609053;RapportCerberus_1609053;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_1609053.sys [2016-9-20 775592]
S1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2016-9-12 328808]
S1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2016-9-12 407880]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2013-12-6 209408]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2013-12-6 276992]
S2 AODDriver4.2.0;AODDriver4.2.0;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2013-9-20 50432]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2014-4-11 103608]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-7-16 21504]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2014-5-6 395640]
S2 Kodak AiO Status Monitor Service;Kodak AiO Status Monitor Service;c:\program files\kodak\aio\statusmonitor\EKPrinterSDK.exe [2013-12-11 780152]
S2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2016-9-12 2387952]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2013-7-5 75264]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2014-8-16 18944]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2016-9-12 257608]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2014-4-11 772296]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2008-7-14 80744]
.
=============== File Associations ===============
.
FileExt: .inf: inffile=c:\windows\system32\NOTEPAD.EXE %1 [UserChoice]
.
=============== Created Last 30 ================
.
2016-09-20 21:43:14 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-09-20 21:42:41 53120 ----a-w- c:\windows\system32\drivers\mwac.sys
2016-09-20 21:42:41 24448 ----a-w- c:\windows\system32\drivers\mbam.sys
2016-09-20 21:42:41 126336 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2016-09-20 21:42:40 -------- d-----w- c:\programdata\Malwarebytes
2016-09-20 21:42:40 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2016-09-12 19:21:00 257608 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2016-09-12 19:21:00 101992 ----a-w- c:\windows\system32\drivers\RapportHades.sys
.
==================== Find3M ====================
.
2016-09-15 06:55:31 796352 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2016-09-15 06:55:31 142528 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2016-08-09 19:37:08 95808 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2016-07-27 15:10:20 406184 ------w- c:\windows\system32\MpSigStub.exe
2016-07-15 21:32:33 1815552 ----a-w- c:\windows\system32\jscript9.dll
2016-07-15 21:29:13 367616 ----a-w- c:\windows\system32\html.iec
2016-07-15 21:27:01 1129984 ----a-w- c:\windows\system32\wininet.dll
2016-07-15 21:26:02 425472 ----a-w- c:\windows\system32\vbscript.dll
2016-07-15 21:26:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2016-07-15 21:25:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2016-07-15 21:25:02 11776 ----a-w- c:\windows\system32\mshta.exe
2016-07-15 21:24:50 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2016-07-11 07:00:58 1260032 ----a-w- c:\windows\system32\lsasrv.dll
2016-07-11 05:40:05 2072064 ----a-w- c:\windows\system32\win32k.sys
2016-07-11 05:36:32 2048 ----a-w- c:\windows\system32\tzres.dll
2014-11-25 23:26:38 6000640 ----a-w- c:\program files\GUT7677.tmp
.
============= FINISH: 22:04:46.23 ===============

Attached Files
File Type: txt attach.txt (14.8 KB)
