Windows 10: Not BSOD, but lots of issues - OS corrupt or virus (or both)?

If I should post this in another forum, I am happy to do so (I couldn't find a forum that quite fit my problem).

I was deployed for the last 18 months and my wife intermittently used the computer but often left it off and certainly didn't purposely maintain the computer. As time when on, she started telling me about more and more issues (freezing, acting strangely, etc). I am now back and indeed something is up.

Here are some of the issues when I arrived:
- I could not type in the search window (near the start button)
- The start button didn't always work (but did sometimes)
- I am unable to open Task Manager (it opens and then closes with nothing but the tabs every showing)
- A number of processes say the Windows 10 software is missing

I suspected 1) a virus or malware or 2) corrupt OS 3) both

Regarding the OS:
- Updated Windows and it froze at the reboot (I left it for 24 hours and it never got past 20% installed).
- Windows 10 Update Assistant tells me I need to update but gives me an unspecified error when I run it
- sfc.exe from an admin command prompt and it found problems it couldn't fix
- Did a memory and dskcheck /f - both fine
- Used CrystalDisk to check my boot drive - green
- Tried manual install a Windows update but every version I tried said something like "this update doesn't apply to your system"
- Had to create a USB boot on my laptop as MediaCreationTool gave me an error when I tried to create a boot USB
- Tried to "recover" from a USB boot and the USB loaded, but then said it was not able to recover and that I should try from within Windows
- Tried to “recover” from within Windows using USB and it said there was an error
Virus check:
- I use Windows Defender as my virus program - no issues noted
- I downloaded MalwareBytes and installed – “unable to connect service” error when I tried to run it
- Downloaded Bitdefender and installed but when I tried to logon on I got “Unexpected error” with no details
- I downloaded and ran Emsisoft Start Emergency Kit and found 11 “items” some of which looked like real virus issues (report below) but not all could be deleted – rescan (second report below) found 7 “items”.

First Report from Emsisoft
C:\Users\Scott\AppData\Local\Temp\52332234\ic-0.cbca147c4805f.exe Trojan.GenericKD.12070136 (B)
C:\Users\Scott\AppData\Local\ntuserlitelist\regtool\regtool.exe Gen:Variant.Johnnie.14657 (B)
C:\Program Files\0f0195ad310b7fa6e61cd5ffc0f141b9\73f97e91c4500232dd42d2197d54827a.exe Application.Generic.1741633 (B)
C:\Program Files\0f0195ad310b7fa6e61cd5ffc0f141b9\ca2b7813c03b10c8b5367fc3e56c043e.exe Gen:Variant.Zusy.250175 (B)
C:\Program Files\0f0195ad310b7fa6e61cd5ffc0f141b9\19830114bbf25c0e3205d31daa8a3e87.exe Gen:Variant.Zusy.250175 (B)
Key: HKEY_USERS\S-1-5-21-721001023-2188217060-1018798448-1001\SOFTWARE\WAJIENHANCE Application.Toolbar (A)
C:\Users\Scott\AppData\Local\ntuserlitelist Trojan.Trafmous (A)
C:\Users\Scott\AppData\Local\inmzkbs\ntetz\ct.exe Trojan.GenericKD.5732155 (B)
C:\Users\Scott\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe Application.Agent.ASX (B)
C:\Users\Scott\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe Application.Agent.ASY (B)
C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe Gen:Variant.Application.LinenO.1 (B)

Second Report from Emsisoft
C:\Users\Scott\AppData\Local\inmzkbs\ntetz\ct.exe detected: Trojan.GenericKD.5732155 (B) [krnl.xmd]
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe detected: Application.Agent.ASY (B) [krnl.xmd]
C:\Users\Scott\AppData\Local\ntuserlitelist detected: Trojan.Trafmous (A) [286865]
C:\Users\Scott\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe detected: Application.Agent.ASY (B) [krnl.xmd]
C:\Users\Scott\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe detected: Application.Agent.ASX (B) [krnl.xmd]
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ntuserlitelist\regtool\regtool.exe detected: Gen:Variant.Johnnie.14657 (B) [krnl.xmd]
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe detected: Application.Agent.ASX (B) [krnl.xmd]

Sorry this is so long, but I figured details might be useful. I attached my zip file. I know enough about computers to make me dangerous, but I welcome any thoughts on what to do next before I save my important files and wipe the drive and start over with a new install (painful!).

Thanks

:)

 

Virus or corrupt OTKLOADR.dll file or both?

Hello,



As per the description, I would suggest you to perform the clean boot, and check.

Refer the below link.

https://support.microsoft.com/en-us/kb/929135



Note: After troubleshooting, refer to this section "How to reset the computer to start normally after clean boot troubleshooting".



Do let us know the update. We will be happy to assist you.



Thank you.

 

Virus or corrupt OTKLOADR.dll file or both?

When I turn on my computer it starts fairly normally other than than the screen clickers almost imperceptibly. Then after entering the login PIN and going to the desktop a message box opens. Mostly in white, with black text reading as follows:





"System Settings Change

Your hardware settings have changed. Please reboot your computer for these changes to take effect !!"

Thinking a virus, I ran AVG antivirus which came up with this notification:


The file is signed with a broken digital signature. issued by: Microsoft Corporation.

C:\program files (x86)\Microsoft Office\root\Office16\ADDINS\OTKLOADR.DLL

I ran the troubleshoot for Hardware and Devices and confirmed that my AMD software is up to date.

DO I HAVE A VIRUS OR DO I NEED TO DOWNLOAD AND REGISTER A NEW OTKLOADR.DLL FILE?

 

1) Do you have your files backed up?
2) Had you made an image of the drive?
3) Are you able to perform a clean install (delete partitions, format the drive, make an unallocated driver, install a new windows 10 version 1703) This would eliminate all files, applications, drivers, malware, etc.

Download Windows 10

Clean Install Windows 10 Windows 10 Installation Upgrade Tutorials

If you cannot perform a clean install due the loss of critical files then:
Run each of these malware programs on the computer and post images of the result:
ESET: Free Virus Scan | Online Virus Scan from ESET ESET
Superantispyware: SUPERAntiSpyware.com - Online Scanner
SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!
Kaspersky: https://usa.kaspersky.com/downloads/tdsskiller
AdwCleaner: Downloads - AdwCleaner - ToolsLib
Windows defender offline scan
Windows defender full scan
Malwarebytes: Malwarebytes | Free Cyber Security & Anti-Malware Software
Zemana: Zemana - AntiMalware and AntiLogger Protection


The computer information that you had manually entered indicates a lap top.
The information in the zip is a desktop.
Please update one or the other.

If this is a desktop please re-post all of the information and include information on:
PSU, cooler, case, mouse, keyboard, anything else attached/connected to the computer.

 

Thanks - sorry about the profile - I have both systems but I updated my profile for my desktop.

I have an off-site backup of all my files and on one of the hard drives, but I would like to avoid a complete reinstall if possible, so I will reply when I get all those scans done. Thanks for the guidance, very much appreciated.

 

At any time if there is a new bsod please post a new zip:
BSOD - Posting Instructions - Windows 10 Forums
There were numerous failed to update in the event log.
This includes operating system, windows defender, adobe etc.


One of the startup programs is:
HP ENVY 7640 series (NET) "C:\Program Files\HP\HP ENVY 7640 series\Bin\ScanToPCActivationApp.exe" -deviceID "TH49M270VQ063T:NW" -scfn "HP ENVY 7640 series (NET)" -AutoStart 1 MAINSSD\Scott
How come there is a HP program on startup for an Asus computer?
What does this HP program do?

Please list the current active malware prorgrams.
Please list the malware program that was in use when all the infections happened.
Please list the malware programs that require manual use and how often had they been used.

Once all of the malware scans have completed:

The first part are keyboard steps:
1) type: win + x (keys simultaneously)
2) type: a
3) type: alt + y (keys simultaneously)
Administrative command prompt should appear as a pop up.

If any of the steps below fail to complete please make sure that you reopen administrative command with the steps above and perform #9 followed by #12, 13, and 14

4) type: sfc /scannow
5) dism /online /cleanup-image /checkhealth
6) dism /online /cleanup-image /scanhealth
7) dism /online /cleanup-image /restorehealth
8) chkdsk /scan
9) net user test /add

10) When these have completed > right click on the top bar or title bar of the administrative command prompt box > left click on edit then select all > right click on the top bar again > left click on edit then copy > paste into the thread
11) If you are unable to use the mouse please use a camera or smart phone camera to take a picture and post the image into the thread.
12) shutdown /r
13) When the computer reboots sign on with the new user named test.
14) Evaluate the performance with the new user and compare to the prior user.






If the malware can not be completely eradicated plan a clean install.
It would be best to start with a clean install with all of the malware noted in the opening post.
Once all the malware scans are completed and all of the malware has been eradicated these will be additional steps:
Turn off windows fast startup:
Turn On or Off Fast Startup in Windows 10 Windows 10 Performance Maintenance Tutorials
Create a bootable windows 10 iso: Download Windows 10
Plan a windows 10 version 1703 in place upgrade repair:
Repair Install Windows 10 with an In-place Upgrade Windows 10 Installation Upgrade Tutorials



Code: Windows failed fast startup with error status 0xC00000D4.[/quote] Code: Crash dump initialization failed![/quote] Code: Installation Failure: Windows failed to install the following update with error 0x8024200D: Feature update to Windows 10, version 1607.[/quote] Code: Installation Failure: Windows failed to install the following update with error 0x80246013: Microsoft .Net Native Framework Package 1.2.23205.0.[/quote] Code: Event[33951]: Log Name: System Source: Service Control Manager Date: 2017-08-01T19:37:07.111 Event ID: 7001 Task: N/A Level: Error Opcode: N/A Keyword: Classic User: N/A User Name: N/A Computer: MainSSD Description: The Windows Defender Network Inspection System Driver service depends on the Base Filtering Engine service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.[/quote] Code: Installation Started: Windows has started installing the following update: OneNote[/quote] Code: Event[34920]: Log Name: System Source: Microsoft-Windows-TaskScheduler Date: 2017-08-05T18:55:48.004 Event ID: 408 Task: Idle detection error Level: Error Opcode: Info Keyword: N/A User: S-1-5-18 User Name: NT AUTHORITY\SYSTEM Computer: MainSSD Description: Task Scheduler service failed to initialize idle state detection module. Idle tasks may not be started as required. Additional Data: Error Value: 2.[/quote] Code: Event[25306]: Log Name: System Source: Microsoft-Windows-Ntfs Date: 2017-02-04T11:56:31.004 Event ID: 98 Task: N/A Level: Warning Opcode: Info Keyword: N/A User: S-1-5-18 User Name: NT AUTHORITY\SYSTEM Computer: MainSSD Description: Volume ?? (\Device\HarddiskVolumeShadowCopy6) requires an Online Scan. An Online Scan will automatically run as part of the next scheduled maintenance task. Alternatively you may run "CHKDSK /SCAN" locally via the command line, or run "REPAIR-VOLUME <drive:> -SCAN" locally or remotely via PowerShell.[/quote] Code: Event[13842]: Log Name: System Source: cdrom Date: 2016-07-16T16:11:03.215 Event ID: 7 Task: N/A Level: Error Opcode: N/A Keyword: Classic User: N/A User Name: N/A Computer: MainSSD Description: The device, \Device\CdRom0, has a bad block.[/quote]

 

1) Run HDTune: HD Tune website


to check the drive health,
scan for errors, no quick scan but full scan
run a benchmark.


It may take some time, but please take the time you need to perform it properly.
When above is done please make screenshots of the following
the health,
the error scan,
the benchmark incl. following
transfer rate,
access time,
burst rate,
cpu usage.
Take Screenshot in Windows 10 Windows 10 General Tips Tutorials


2) Run Sea tools for windows on your drive using SMART, short and long generic tests:

How to use SeaTools for Windows
http://www.seagate.com/support/downl...ls-win-master/
How to use SeaTools for Windows
http://www.seagate.com/support/downloads/seatools/

 

Still working the scans (each are taking nearly 24 hours) but to answer your HP question, I have a HP muti-device (printer, scanner, etc). If you think I should change something, let me know. Thanks again!

 

For each virus scan please post images of the results into the thread.

 

Windows Defender is done, but not sure what log to upload. I tried a couple of things and it told me I had an invalid file.

ESET ran for 19 hours but seemed stuck on the memory scan (it was there when I went to bed last night and still there in the AM and when I got back from work) so I stopped it and ran it again with no memory scan - running now. Still working through the C: windows but found 3 infected files thus far.

 

So windows defender can not scan in quick, full, or offline or in just one mode?
Or the scan completed with finding no malware?
Or the scan completed find malware? Was anything quarantined?
Was anything deleted?
ESET is taking a lot of time but it is finding malware.

This part was from post #4:
Please list the current active malware programs.
Please list the malware program that was in use when all the infections happened.
Please list the malware programs that require manual use and how often had they been used.

 

Defender ran in full (no offline choice) and found two issues and quarantined them (I then deleted them).

No malware program beyond Defender prior to me starting to work your list.

 

Didn't you have a problem with malwarebytes?

In the left lower corner search type winver and post the image into the thread. (if the operating system malfunction prevents you from doing this please post the information into the thread.)

When you open the windows defender security center click on virus and threat protection. Then click on advanced scan. Do you see custom scan and / or Windows defender offline scan?

Please post images of all malware findings.
Please post files of all malware findings.
And please post images and files of what was quarantined and fixed and what was not able to be quarantined or fixed.

 

EZET finished now - it found 59 items, but all seemed "potentially unwanted" vs a virus. I cleaned all 59 as none looked like something I had to have. Attached is the list and the finish screen.

FYI - G drive is an old boot drive - I have not touched it in the 3 years since I made the new one, so I plan to format that drive. F drive is where I keep a lot of files.

 

Hey just a heads-up. I notice you mentioned Kaspersky anti virus earlier. I used to use Kaspersky anti virus a long time ago, and it was a very good anti virus. As a matter of fact it was practically the best, because it found infections that other virus scanners didn't find on the computer. But over time it expired, then I never renewed it or whatnot, etc.

But lately I have heard on the news about Kaspersky anti virus that it was used to hack into people's computers from Russia. So I wouldn't recommend that at this climate in time because of politics.