Confused PC - Hijack This log

JohnG
JohnG Posts: 477 Forumite
Part of the Furniture 100 Posts Combo Breaker
Please can someone help/advise me on what now seems a major problem with my (2yr old) PC? It’s recently started struggling badly on the internet, buffering a great deal, so I attempted a clean up of the system, which is what I do from time to time. However, whilst attempting to do a full Malwarebytes scan and checking the MSE forum for further ideas at the same time, the PC completely froze and, having waited for a number of minutes and after failed attempts at re-booting (Ctrl/Alt/Del) to get the task bar up, I went for a manual 'push the button' restart.

This then led to further problems culminating in a bluescreen stating “A problem has been detected and windows has been shut down to prevent damage . . . .” then listing KERNEL_DATA_INPAGE_ERROR.

It suggested the problem might be caused by new hardware or software and to take appropriate action to resolve it, but this was not the case, so instead I tried a number of times to restart, going into Safe Mode at one point and trying to restore the system to an earlier date, which failed.

Anyway I’ve managed to get back into the PC on two or three occasions but it’s been very very slow at loading anything and has even frozen again causing me to go through the whole thing again a couple more times.

Here’s a HijackThis report in the hope it might shed some more light on the whole subject:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 01:53:46, on 25/05/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)

Boot mode: Normal
Running processes:
C:\Users\J&C\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\Hewlett-Packard\DigitalImaging\bin\hpohmr08.exe
C:\Program Files (x86)\Hewlett-Packard\DigitalImaging\bin\hpotdd01.exe
C:\Program Files (x86)\Ralink\Common\RaUI.exe
C:\Program Files (x86)\MicrosoftOffice\Office14\ONENOTEM.EXE
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchPage = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,StartPage = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\InternetExplorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\InternetExplorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchPage = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,StartPage = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\InternetExplorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\InternetExplorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,LocalPage = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\InternetExplorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub -{18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\CommonFiles\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: avast! WebRep -{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVASTSoftware\Avast\aswWebRepIE.dll
O2 - BHO: SkypeIEPluginBHO -{AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files(x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO -{B4F3A835-0E21-4959-BA22-42B3008E02FF} -C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O3 - Toolbar: avast! WebRep -{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVASTSoftware\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVASTSoftware\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files(x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\ProgramFiles\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\WindowsSidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\John& Clare\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\WindowsSidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin]C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\WindowsSidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin]C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: OneNote 2010 Screen Clipper and Launcher.lnk =C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\ProgramFiles (x86)\Ralink\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel- res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote -res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote -{2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\MicrosoftOffice\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote -{2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\MicrosoftOffice\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes -{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\MicrosoftOffice\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes -{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\MicrosoftOffice\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Skype Click to Call -{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files(x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call -{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files(x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Acceleratedgraphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (ShockwaveFlash Object) -http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype-ie-addon-data -{91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files(x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com -{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml -{807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\CommonFiles\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: SAS Core Service (!SASCORE) -SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Acrobat Update Service(AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\CommonFiles\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service(AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated -C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) -Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software -C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS)- Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax)- Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner -C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel(R) Management and Security ApplicationLocal Management Service (LMS) - Intel Corporation - C:\Program Files(x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner -C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102(Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300(ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (filemissing)
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter)- Ralink Technology, Corp. - C:\Program Files(x86)\Ralink\Common\RaRegistry.exe
O23 - Service: Ralink Registry Writer 64(RalinkRegistryWriter64) - Ralink Technology, Corp. - C:\Program Files(x86)\Ralink\Common\RaRegistry64.exe
O23 - Service: RaMediaServer - Unknown owner - C:\ProgramFiles (x86)\Ralink\Common\RaMediaServer.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2(RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs)- Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - SkypeTechnologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3(SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1(Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101(sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101(UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management and Security ApplicationUser Notification Service (UNS) - Intel Corporation - C:\Program Files(x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003(VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) -Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) -Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601(WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (filemissing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104(wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110(wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (filemissing)
O23 - Service: @%PROGRAMFILES%\Windows MediaPlayer\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files(x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9424 bytes

..........................

OS Name Microsoft Windows 7 Home Premium
Version 6.1.7601 Service Pack 1 Build 7601
Other OS Description Not Available
OS Manufacturer Microsoft Corporation
System Name MAINPC
System Manufacturer System manufacturer
System Model System Product Name
System Type x64-based PC
Processor Intel(R) Core(TM) i5-2500 CPU @ 3.30GHz, 3301 Mhz, 4 Core(s), 4 Logical Processor(s)
BIOS Version/Date American Megatrends Inc. 0402, 01/04/2011
SMBIOS Version 2.6
Windows Directory C:\Windows
System Directory C:\Windows\system32
Boot Device \Device\HarddiskVolume1
Locale United Kingdom
Hardware Abstraction Layer Version = "6.1.7601.17514"
User Name MainPC\John & Clare
Time Zone GMT Daylight Time
Installed Physical Memory (RAM) 4.00 GB
Total Physical Memory 3.91 GB
Available Physical Memory 2.38 GB
Total Virtual Memory 7.82 GB
Available Virtual Memory 5.96 GB
Page File Space 3.91 GB
Page File C:\pagefile.sys


Hope there's someone out there who can help? :)

Comments

  • GunJack
    GunJack Posts: 11,864 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    can't see anything blatantly obvious in there.....did it do windows or driver updates immediately prior to it misbehaving ??? Anything plugged in to usb/card readers??? on startup can you get into last known good config ???
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • JohnG
    JohnG Posts: 477 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Many thanks for your response Gunjack!
    No, there wasn't anything updating as far as I know, or anything plugged in (apart from a microphone and webcam). I get the feeling it's just been picking stuff up (spyware etc) and gradually it's had this adverse effect when trying to do too many things at the same time?
    As it happens, the PC seems much more stable at the moment (and starts up without toooo much delay) so I am feeling a bit more optimistic (I thought I had lost the system completely last night :eek:), plus the fact you suggest there isn't anything obviously untoward on the HJT is reassuring to know.
    I've been doing more antispyware checks etc this morning and removed one or two things from the startup (I hope) in pursuit of getting it all back to full speed, but I'll report back if problems persist.
    Thanks again!
    :beer:

    PS Presumably KERNEL_DATA_INPAGE_ERROR could mean many things?
  • GunJack
    GunJack Posts: 11,864 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    edited 25 May 2012 at 9:45AM
    I'd open a cmd prompt (run as admin) and do a Chkdsk /f /r on the hdd to be safe, then once done (may take some time) run malwarebytes once it's rebooted :)

    http://technet.microsoft.com/en-us/library/cc957628.aspx
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    JohnG wrote: »
    ...the fact you suggest there isn't anything obviously untoward on the HJT is reassuring to know.

    HJT's use is in showing possible load points for malware and settings that may have been altered by malware. Unfortunately it's outdated and hasn't kept up with more modern malware - a clean HJT log doesn't necessarily mean a clean PC. It also doesn't perform correctly on x64 systems.

    Do as suggested by GunJack. If mbam still won't run to completion, run a quick mbam scan in safe mode to see if it completes, or run it from normal mode using its Chameleon technology.

    http://helpdesk.malwarebytes.org/entries/20872371-use-chameleon-to-run-malwarebytes-on-infected-systems
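
As an added illustration (not part of any post in this thread, and not HijackThis's own code): a small parser that groups HijackThis entries by load-point section and separates "(file missing)" targets under C:\Windows\System32, which a 32-bit HijackThis reports on 64-bit Windows because of file-system redirection, from missing targets elsewhere. The sample lines are constructed from the log in this thread; `ExampleSvc`, its path and the note wording are assumptions.

```python
import re

# Constructed sample in HijackThis 2.0.4 format, modelled on the log in this
# thread; "ExampleSvc" and its path are hypothetical.
SAMPLE_LOG = r"""
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - Global Startup: hp psc 1000 series.lnk = ?
O23 - Service: @%SystemRoot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: RaMediaServer - Unknown owner - C:\Program Files (x86)\Ralink\Common\RaMediaServer.exe
O23 - Service: ExampleSvc - Unknown owner - C:\Users\Public\example.exe (file missing)
"""

# Load-point sections HijackThis reports (section code -> meaning).
LOAD_POINTS = {
    "F2": "registry-mapped ini autostart",
    "O2": "Browser Helper Object",
    "O3": "Internet Explorer toolbar",
    "O4": "Run key / Startup folder",
    "O23": "Windows service",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
SYSTEM32 = re.compile(r"^[A-Za-z]:\\Windows\\System32\\", re.IGNORECASE)
MISSING = "(file missing)"


def parse(log):
    """Return (section_code, body) for every entry line in the log."""
    lines = map(str.strip, log.splitlines())
    return [m.groups() for m in map(ENTRY.match, lines) if m]


def triage(entries):
    """Annotate load-point entries; 'resolved' means found on disk, not clean."""
    results = []
    for code, body in entries:
        if code not in LOAD_POINTS:
            continue
        target = body.rsplit(" - ", 1)[-1].strip()
        if MISSING in target:
            # 32-bit HijackThis on x64 Windows is redirected from System32 to
            # SysWOW64, so 64-bit-only system binaries look absent to it.
            note = ("likely x64 redirection artifact" if SYSTEM32.match(target)
                    else "target missing: verify by hand")
        elif target.endswith("= ?"):
            note = "shortcut target unresolved"
        else:
            note = "resolved"
        results.append((code, LOAD_POINTS[code], note, target))
    return results


if __name__ == "__main__":
    for code, kind, note, target in triage(parse(SAMPLE_LOG)):
        print(f"{code:<4}{kind:<28}{note:<34}{target}")
```

A "resolved" entry only means the tool found the file; it says nothing about whether the file is benign, so the output is a worklist for manual checking rather than a verdict.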
  • Figment
    Figment Posts: 2,643 Forumite
    Part of the Furniture Combo Breaker
    JohnG wrote: »
    PS Presumably KERNEL_DATA_INPAGE_ERROR could mean many things?


    Was it accompanied by a STOP code (0x????????)
    How do I add a signature?
  • GunJack
    GunJack Posts: 11,864 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Figment wrote: »
    Was it accompanied by a STOP code (0x????????)

    0xC000009C or 0xC000016A would be the most likely ones according to the technet article I linked to, so would be interesting to see if that was indeed the case....
  • closed
    closed Posts: 10,886 Forumite
    edited 25 May 2012 at 2:44PM
    Back up your data, and make sure you have the means to reinstall the operating system should it be necessary, i.e. Windows disc or factory restore partition, plus a full Windows 7 system image and boot disc for good measure.
  • JohnG
    JohnG Posts: 477 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Figment wrote: »
    Was it accompanied by a STOP code (0x????????)

    Yes it was and I made a note of some of it at the time:

    OX0000007A, OX00000020, OXFX8C,OX59D etc (I gave up noting all the zeros so the above are shortened versions)
  • JohnG
    JohnG Posts: 477 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    closed wrote: »
    Back up your data, and make sure you have the means to reinstall the operating system should it be necessary, i.e. Windows disc or factory restore partition, plus a full Windows 7 system image and boot disc for good measure.

    Thanks Closed, I have to admit this is something I haven't done for many moons :o but will endeavour to do so asap as you recommend. Will check out instructions on how to do this that I think you and/or others have given in previous threads.
  • JohnG
    JohnG Posts: 477 Forumite
    Part of the Furniture 100 Posts Combo Breaker
    Hi Closed,
    Doing a back-up using the Windows built-in facility on to a separate hard drive but now everything's gone funny.com. Have lost desktop icons and I can't use internet as it said it's been removed? In fact everything has gone except recycle bin icon and desktop picture. Nothing is working at all?
    I'm now on my old pc upstairs and very depressed :(
This discussion has been closed.