New UPS infection - help needed

Did you buy SpyHunter Security Suite?

Yes, just yesterday...is it a problem?

Okay. Just checking. Probably would have been more effective to wait for my call on that. It's okay, though.

Hopefully it works out for you.

What other problems are happening?

It didn't occur to me that installing Spy Hunter might interfere with your helping me. Sorry about that. I think I am still responsible for solving my own problem...well, except if what I do ends up interfering with someone trying to help me, which I really do appreciate! So, no more surprise installs.
You asked what problems are happening. There are two:
1) there has been a long standing problem of this laptop taking forever with everything: taking minutes to open the start menu, to open the Task Manager, to close the Task Manager, to close a browser..anything, so that it takes so long to do anything that the computer is virtually unusable. I have suspected the file called igfxext.exe because it frequently is running, and when I end that process, things seem to go faster. When I did a search about it, one link that came up was for Spy Hunter, which is why I installed it...but it didn't identify it as a problem. So, I still don't know if igfxext is the culprit in my computer's SUPER-slow operation.
2) since I opened the UPS virus e-mail a second "operating system" is listed along with Windows XP when I start the computer with F8. That second system is listed as "30". I assume if I were to choose "30" when booting, all hell would break loose. I want to get rid of that second, phantom "operating system."
Thanks, Spencer G.

I would have recommended a far better anti-malware solution than SpyHunter by Enigma Software. But, since it's paid for, I wouldn't muster a reversal of that. I'm sure it'd require a refund, and more messes along with it. But, since they're legitimate in their operations, I won't continue my comment on that.

For the memory-type issues... do the following please and let me know how it goes...

Download Windows Repair (all in one) from this site

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:





Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:




Go to Step 4 and under "System Restore" click on Create button:




Go to Start Repairs tab and click Start button.




Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):



Click on box next to the Restart System when Finished. Then click on Start.

---

As for the extra OS you're talking about...

Please download Listparts
Run the tool,
check the "list BCD" box
click "Scan" and post the log (Result.txt) it makes.

Even though I have paid for SpyHunter, at this point, having really good anti-malware is worth replacing it with something better. What would you recommend. And what would you recommend for anti-virus?
I ran Windows Repair per your instructions - an impressive program.
Things still really slow, e.g. I opened a browser to go online and look at your instructions. I then clicked the Minimize button in the upper right...and a full 5 minutes later, it minimized! And igfxext.exe is using 11% of the CPU.
The result.txt is below. And, much thanks:
____________________________________________________________
ListParts by Farbar Version: 15-09-2012
Ran by Spencer (administrator) on 16-09-2012 at 08:51:15
Windows XP (X86)
Running From: C:\Documents and Settings\Spencer\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 2038.48 MB
Available physical RAM: 1695.3 MB
Total Pagefile: 3935 MB
Available Pagefile: 3764.68 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.97 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:232.88 GB) (Free:182.52 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 233 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 233 GB 32 KB
======================================================================================================

Disk: 0
The disk management services could not complete the operation.

======================================================================================================

****** End Of Log ******

Take a look here for the antivirus programs recommended list:

http://secureconnexion.wordpress.com/2012/06/14/antivirus-software-toplist-top-20-summer-2012/

• Download RogueKiller and save it on your desktop.
  
• Quit all programs
  
• Start RogueKiller.exe.
  
• Wait until Prescan has finished ...
  
• Click on Scan
  

• Wait for the end of the scan.
  
• The report has been created on the desktop.
  
• Click on the Delete button.
  

• The report has been created on the desktop.
  

• Next click on the ShortcutsFix
  
  
  
• The report has been created on the desktop.
  

Please post:

All RKreport.txt text files located on your desktop.

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Spencer [Admin rights]
Mode : Scan -- Date : 09/17/2012 22:53:48

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[STARTUP][SUSP PATH] Uninstall Webroot RunOnce.lnk @Administrator : C:\Documents and Settings\Administrator\Application Data\wruninstall.exe -> FOUND
[STARTUP][SUSP PATH] Launch Utility Application.lnk @TEMP.LIFEBOOK : C:\Documents and Settings\TEMP.LIFEBOOK\Application Data\Verizon\UA_ar\UtilityApplication.exe -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[50] : NtCreateSection @ 0x805653B3 -> HOOKED (\??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys @ 0xF7A09700)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEVE-00A0HT0 +++++
--- User ---
[MBR] b97e439e083baa508cea9442867ae5a8
[BSP] 9d427aca4bb75d08431671ed7666ac3e : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt
________________________________________________________________________________________________________________________

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Spencer [Admin rights]
Mode : Remove -- Date : 09/17/2012 22:56:56

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[STARTUP][SUSP PATH] Uninstall Webroot RunOnce.lnk @Administrator : C:\Documents and Settings\Administrator\Application Data\wruninstall.exe -> DELETED
[STARTUP][SUSP PATH] Launch Utility Application.lnk @TEMP.LIFEBOOK : C:\Documents and Settings\TEMP.LIFEBOOK\Application Data\Verizon\UA_ar\UtilityApplication.exe -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[50] : NtCreateSection @ 0x805653B3 -> HOOKED (\??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys @ 0xF7A09700)

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD2500BEVE-00A0HT0 +++++
--- User ---
[MBR] b97e439e083baa508cea9442867ae5a8
[BSP] 9d427aca4bb75d08431671ed7666ac3e : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
________________________________________________________________________________________________________________________

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRKgmailcom
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Spencer [Admin rights]
Mode : Shortcuts HJfix -- Date : 09/17/2012 22:59:17

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 15 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 77 / Fail 0
My documents: Success 14 / Fail 14
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 354 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

Going to take a final look to help assist in the other issues experienced...

Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky and save it to your Desktop.

Note: please close all other applications running on your system.

Double click GetSystemInfo.exe to open it. It will display an agreement. Click on I Agree to continue.

Click the Settings button.



Set the slider to Maximum.



IMPORTANT! Then, click Customize - choose Driver / Ports tab and uncheck Scan Ports.




On the General tab, make sure all of the boxes are checked.




On the Misc tab, make sure all the checkboxes are checked.

Then, click OK on the windows that you launched.



Click Create Report to run it.


It will begin scanning.

It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop.

It should automatically upload it to http://www.getsysteminfo.com. If it does not, then please submit it manually by going to the site and doing the upload process.

It will redirect to a page, where it will provide a sharing URL for specialists. Copy and paste the url of the GSI Parser report in your next reply.

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

• Slow computer
  
• Error messages
  
• Fake antivirus alerts or the icon in the system tray
  
• svchost.exe running at 100%
  
• System crashes or blue screen of death

The predominant problem is stupendous [i]slowness.[i] I haven't responded in a couple days because I was running a scan (SuperAntiSpyware) and it took 48 hrs. Most of that time Task Manager showed System Idle at 99%. It could take 30 seconds per file.
Minimizing a window can take several minutes during which nothing else responds.
I do get occassional Blue Screens, but infrequently. I do have about 6 svchost.exe running, but all listed at 0%. No fake antivirus alerts.
Mostly just so slow, slow slow that I can hardly use the computer!

Please do a memory test: http://www.playtool.com/pages/memtest/memtest.html

Then, let me know results. It takes one to two hours at the most, usually.

Well, it took a while to get MemTest to work: 4.0 wouldn't run on my computer, so I ended up using 3.5b...but, no Errors, no ECC Errors.
A friend suggested 1) 2G RAM actually run slower than 1G on this processor, and 2) maybe I have some incorrect BIOS setting. I wanted to see if you think either of those might explain the extreme slowness. He suggested I actually take out 1G RAM.

Oh, I may have solved the extra OS ("30") mystery: Before I contacted GeekPolice.net, I had tried to delete SpyBot to eliminate things which might have been slowing the computer, but it persisted in my Startup, so I used msconfig and deleted the SpyBot line from boot.ini. There is another line in boot.ini: Timeout.old=30, which I just read might have been introduced by SpyBot to create a faster and easier boot to Safe Mode, but I haven't tried it yet to see if it, in fact, boots into Safe Mode.

Well, it definitely is not connected with another operating system or partition for that matter.

2G RAM actually run slower than 1G on this processor

I find this untrue. RAM is different than CPU power. Processing is hardware that runs the programs and helps process information to memory. It only has an effect on how much data can be written to memory at one time.

The more memory you have (RAM), the more available space in memory there is that the processor can help write to.

If RAM were a problem, then the test would have found faults.

What were the MEMTEST results?

Well, it took a while to get MemTest to work: 4.0 wouldn't run on my computer, so I ended up using 3.5b...but, no Errors, no ECC Errors.

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

• Slow computer
  
• Error messages
  
• Fake antivirus alerts or the icon in the system tray
  
• svchost.exe running at 100%
  
• System crashes or blue screen of death
  

1) The computer continues to be very slow; 2) I do seem to be having a fair number of system crashes (blue screen) every couple days, but I see no pattern.

Please follow this guide and post information back: http://www.sevenforums.com/tutorials/92394-sf-diagnostic-tool-using-troubleshooting.html

I ran the SF diagnostic tool, but I can't figure out how to upload either the folder (sf_01-10-2012) or the .zip file made from it. I can't use servimg because it does not upload .zip files. I've spent the past hour trying to figure this out without success..so, I'm declaring defeat!

Please upload it to www.mediafire.com and post download link here...

http://www.mediafire.com/?ru3o3absdrdymw7

Thanks!

Please download BlueScreenVew
Unzip the downloaded file and double click on BlueScreenView.exe file to run the program.
When scanning is done, go Edit > Select All.
Go File > Save Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.

==================================================
Dump File : Mini093012-01.dmp
Crash Time : 9/30/2012 10:18:39 PM
Bug Check String : CRITICAL_OBJECT_TERMINATION
Bug Check Code : 0x000000f4
Parameter 1 : 0x00000003
Parameter 2 : 0x898bfda0
Parameter 3 : 0x898bff14
Parameter 4 : 0x805faffc
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5c876
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6223 (xpsp_sp3_gdr.120504-1619)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c876
Stack Address 1 : ntoskrnl.exe+157149
Stack Address 2 : ntoskrnl.exe+123fba
Stack Address 3 : ntoskrnl.exe+77ec
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini093012-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 90,112
==================================================

==================================================
Dump File : Mini092812-01.dmp
Crash Time : 9/28/2012 6:21:16 PM
Bug Check String : CRITICAL_OBJECT_TERMINATION
Bug Check Code : 0x000000f4
Parameter 1 : 0x00000003
Parameter 2 : 0x89a91da0
Parameter 3 : 0x89a91f14
Parameter 4 : 0x805faffc
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5c876
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6223 (xpsp_sp3_gdr.120504-1619)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c876
Stack Address 1 : ntoskrnl.exe+157149
Stack Address 2 : ntoskrnl.exe+123fba
Stack Address 3 : ntoskrnl.exe+77ec
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini092812-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 90,112
==================================================

==================================================
Dump File : Mini090512-02.dmp
Crash Time : 9/5/2012 9:19:17 PM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x1000000a
Parameter 1 : 0x00000008
Parameter 2 : 0x00000002
Parameter 3 : 0x00000000
Parameter 4 : 0x804ea79a
Caused By Driver : atapi.sys
Caused By Address : atapi.sys+81dd
File Description : IDE/ATAPI Port Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2108)
Processor : 32-bit
Crash Address : ntoskrnl.exe+1379a
Stack Address 1 : atapi.sys+416c
Stack Address 2 : atapi.sys+6d4b
Stack Address 3 : aswMBR.sys+2c71
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini090512-02.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 90,112
==================================================

==================================================
Dump File : Mini090512-01.dmp
Crash Time : 9/5/2012 8:53:27 PM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x1000000a
Parameter 1 : 0x00000008
Parameter 2 : 0x00000002
Parameter 3 : 0x00000000
Parameter 4 : 0x804ea79a
Caused By Driver : atapi.sys
Caused By Address : atapi.sys+81dd
File Description : IDE/ATAPI Port Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2108)
Processor : 32-bit
Crash Address : ntoskrnl.exe+1379a
Stack Address 1 : atapi.sys+416c
Stack Address 2 : atapi.sys+6d4b
Stack Address 3 : aswMBR.sys+2c71
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini090512-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 98,304
==================================================

==================================================
Dump File : Mini090212-01.dmp
Crash Time : 9/2/2012 9:10:08 PM
Bug Check String : CRITICAL_OBJECT_TERMINATION
Bug Check Code : 0x000000f4
Parameter 1 : 0x00000003
Parameter 2 : 0x88f93020
Parameter 3 : 0x88f93194
Parameter 4 : 0x805faffc
Caused By Driver : WRkrn.sys
Caused By Address : WRkrn.sys+100a0
File Description :
Product Name :
Company :
File Version :
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c876
Stack Address 1 : ntoskrnl.exe+157149
Stack Address 2 : ntoskrnl.exe+123fba
Stack Address 3 : WRkrn.sys+100f2
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini090212-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 90,112
==================================================

==================================================
Dump File : Mini081212-01.dmp
Crash Time : 8/12/2012 1:41:44 PM
Bug Check String : KERNEL_STACK_INPAGE_ERROR
Bug Check Code : 0x00000077
Parameter 1 : 0xc000000e
Parameter 2 : 0xc000000e
Parameter 3 : 0x00000000
Parameter 4 : 0x015e4000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+5c876
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6223 (xpsp_sp3_gdr.120504-1619)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c876
Stack Address 1 : ntoskrnl.exe+49e3a
Stack Address 2 : ntoskrnl.exe+110de
Stack Address 3 : ntoskrnl.exe+fb51
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini081212-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 90,112
==================================================

==================================================
Dump File : Mini080512-01.dmp
Crash Time : 8/5/2012 8:17:52 PM
Bug Check String : CRITICAL_OBJECT_TERMINATION
Bug Check Code : 0x000000f4
Parameter 1 : 0x00000003
Parameter 2 : 0x897fb880
Parameter 3 : 0x897fb9f4
Parameter 4 : 0x805faffc
Caused By Driver : WRkrn.sys
Caused By Address : WRkrn.sys+ffe0
File Description :
Product Name :
Company :
File Version :
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c876
Stack Address 1 : ntoskrnl.exe+157149
Stack Address 2 : ntoskrnl.exe+123fba
Stack Address 3 : WRkrn.sys+10032
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini080512-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 90,112
==================================================

Do you ever use Hibernate?

If the computer is slowing down often, then bad RAM is usually the issue.

I never deliberately use Hibernate, but if I leave the computer on for a while, it automatically goes into Hibernate.
I'll try removing one and then the other RAM chip and see if it makes a difference.

Okay. Let me know.

Wow, you may be the Master! There are two 1G RAM chips in my system. When I took out one of them, after 20 minutes, the computer had still not finished booting. I replaced it with the other RAM chip, it booted very quickly and is now zipping along faster than I have seen it for a long time! So, I think the first chip has problems. I'm still afraid to trust that it will last!
Thank-you, Spencer Gross

You're welcome. Now, if you don't know what RAM replacement you need, you can go here to find out: www.crucial.com/systemscanner

Otherwise, let's finish up so you can prevent malware in the future... (woo a long drag, a month so far in this topic):

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

• Save it to your Desktop.
  
• Double click OTC.exe.
  
• Click the CleanUp! button.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes.
  

Note:If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Download CCleaner Slim and save it to your Desktop - [URL='http://www.majorgeeks.com/CCleaner_Slim_No_Toolbar_d4191.html']Alternate download link[/URL]

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.

* Double-click the CCleaner shortcut on the desktop to start the program.
* Click on the Options block on the left, then choose Cookies.
* Under Cookies to Delete, highlight any cookies you would like to retain permanently
* Click the right arrow > to move them to the Cookies to Keep window.
* Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
* Click Cleaner on the left then Run Cleaner on the right to run the program.
* Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed it's process.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or [URL='http://screen317.changelog.fr/SecurityCheck.exe']Changelog.fr[/URL].

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.