Totally infected - TDDS, redirect and more

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

4 Pages
1
2
3
→
Last »

You cannot start a new topic
You cannot reply to this topic

Totally infected - TDDS, redirect and more

#1 newgma

Member

Group: Members
Posts: 98
Joined: 25-May 10

Posted 01 June 2011 - 04:33 PM

Used the tutorial to remove "Windows Vista Recovery" last week. It appeared to work, but audio ads persisted and a google redirect showed up afterwards (may have always been there, but I didn't check before or after following the tutorial before I gave this laptop back to my daughter)

Have had a host of probs today, because I ran "Stopzilla" before verifying its legitimacy.

This is what I did today and what happened before I got here right now: (will post logs in next post)

Quote

3.43-3:54: black screen, no cursor
3:54 Did a hard start (in Safe Mode with internet access
3:58 – blue screen
4:00 - Restart “windows start up recovery” – I selected normal start up.
Logo started to show then black screen again, cursor present occasionally with “working” circle.
4:02 – “welcome” screen
4:03 black screen and cursor, when I move cursor, “working” circle shows
4:04 – cursor remains on screen
4:15 - Shut down by itself
4:17: restart good – fast, correctly. Spy sweeper auto on, running. Tile reading “! Windows has blocked some start up programs…” from tray, hovering cursor reveals “Blocked Startup Programs”.
Checking internet connection now – it opened quickly.
4:25 – “Solve Computer Problems tile pops up. “Click to see solutions Windows has found for your computer” I don’t recognize the icon in the task tray. Hovering mouse reveals “Problem Reports and Solutions”
4;35 – black screen again, shut down as if no power.

4:36 – restart computer by pressing power button
4:36 MS start up logo
4:36 black screen, no cursor
4:40 cursor on black screen
4:41 Windows logo and screen saver “Welcome”
4:42 normal screen loading, then Tile reading “! Windows has blocked some start up programs…” from tray, hovering cursor reveals “Blocked Startup Programs”.
4:43 keep getting the “wait circular animation” near cursor, as if something is loading.
4:45: I opened Rkill to stop processes. Taking forever to open and run….
4:46 opened, asked for permission to run.
4:46 Spyware Sweeper opened, then IE window, then HP wireless assistant from task menu (WLAN on), Then Java update in task bar.
4:47 IE is still not loaded, I gave Java permission to update
4:48 Belkin Updater tile “ATTENTION: Your Belkin router may not work properly unless it has this newest update: -Music Mover”
4:49- Another Java Update notification from the task bar
4:50 – IE window is still not fully loaded –still has animated circle “working”
4:51 – Windows has blocked some start up programs notice again.
4:52 - hovering cursor over Spyware Sweeper icon shows that it is “loading”
4:54 – “foxnews” address finally shows up in IE address line
4:55 – finally IE is showing the website, I shut off Spyware Sweeper
Program damaged tile. Error tile next “The connection to the program engine has been lost or terminated. The program will now close and restart. If you experience any problems, please contact WEbroot support at …”
4:57 ; “Solve computer problems Click to see solutions Windows….” Notice from task bar, again
4: 59- running TDSS rootkit removal tool again, gave permission, cursor and animated circle.
5:00 cursor disappeared.
5:02 “you have files waiting to be burned to disc” notice from task bar
5:02 “Windows has blocked some startup programs….” Etc
5:03 Adobe Acrobat Update ready to install notice from task bar – I am trying to open “iExplore” to run, not opening.
5:07 requ for permission from “iExplore” to access the computer I allowed.
DOS window opened and a tile with “iexplore has stopped working” opened.
Killed : \\?\C:\Windows\system3\wbem\WMIADAP.EXE
5:12 – tried running TDDS killer again. Nothing
5:25 – running DDS.

Couldn't figure why I'd not gotten a response yet, but *der* I never uploaded the DDS results!

Also, GMER never completes - the laptop shuts down (off) before it finishes.

Also, never got back start menu after using tutorial to remove Windows Vista Recovery...

(Looks like we're all infected with the same bug!)

DDS:

.
DDS (Ver_2011-06-01.06) - NTFSx86
Internet Explorer: 8.0.6001.19048
Run by Owner at 17:23:00 on 2011-06-01
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1723 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spy Sweeper *Disabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.foxnews.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [QlbCtrl.exe] "c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe" /Start
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [HP Health Check Scheduler] "c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [hpWirelessAssistant] "c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{08F46703-A7D7-478D-A637-B3B69C52CEBC} : DhcpNameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{63CE5A2C-DB70-4882-BC84-6F3F88CEADF9} : DhcpNameServer = 192.168.2.1
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2011-3-22 29832]
R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\belkin\belkin usb print and storage center\BkBackupScheduler.exe [2010-8-19 152064]
R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\belkin\belkin usb print and storage center\Bkapcs.exe [2010-8-19 49152]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-22 365952]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2011-3-22 4048256]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2010-8-6 1201656]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-22 193840]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2010-3-10 247320]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-01 16:17:24 -------- d-----w- c:\program files\STOPzilla!
2011-06-01 16:17:22 -------- d-----w- c:\program files\common files\iS3
2011-06-01 16:17:21 -------- d-----w- c:\programdata\STOPzilla!
2011-06-01 15:39:30 775168 ----a-w- c:\windows\isRS-000.tmp
2011-05-31 18:41:24 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5a851009-924c-40e3-87cd-dbc558773487}\mpengine.dll
2011-05-10 21:51:32 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2011-04-20 13:34:48 1563024 ----a-w- c:\windows\WRSetup.dll
2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-03-22 14:14:22 29832 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2011-03-22 14:14:22 23176 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-03-22 14:14:22 176776 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
.
============= FINISH: 17:23:44.91 ===============

Attach060111-2.txt (12.75K)
Number of downloads: 0

Ran MBAM (finally, without crashing!)
& it found the following:
(next, I will try the Gmer again, and hope it doesn't crash)

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6693

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

6/2/2011 12:20:11 PM
mbam-log-2011-06-02 (12-19-31).txt

Scan type: Full scan (C:\|)
Objects scanned: 315585
Time elapsed: 1 hour(s), 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Owner\AppData\Local\Temp\0.1871382091842253.exe (Trojan.Dropper) -> No action taken.

EDIT: Posts merged ~Budapest

This post has been edited by Budapest: 02 June 2011 - 05:19 PM

#2 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 07 June 2011 - 08:55 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

DeFogger

desktop

DeFogger

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger may ask you to reboot the machine, if it does - click OK

Do not

Download DDS:

DDS by sUBs

Link1

Link2

Link3

Please disable any anti-malware program that will block scripts from running before running DDS.

Double-Click on dds.scr and a command window will appear. This is normal.
Shortly after two logs will appear:
- DDS.txt
- Attach.txt
A window will open instructing you save & post the logs
Save the logs to a convenient place such as your desktop
Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

Please Download Rootkit Unhooker Save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".

information and logs:

In your next post I need the following

.logs from DDS
log from RKUnHooker
let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

#3 newgma

Member

Group: Members
Posts: 98
Joined: 25-May 10

Posted 08 June 2011 - 01:41 PM

Thanks, Gringo! what a relief!

(I uninstalled Webroot Spysweeper and that seemed to 'fix' the system shutdowns.)

.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 8.0.6001.19048
Run by Owner at 14:23:08 on 2011-06-08
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1522 [GMT -4:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Belkin\Belkin USB Print and Storage Center\connect.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files\Belkin\Router Setup and Monitor\dlnaPlugin.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.foxnews.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [QlbCtrl.exe] "c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe" /Start
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [HP Health Check Scheduler] "c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [hpWirelessAssistant] "c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{08F46703-A7D7-478D-A637-B3B69C52CEBC} : DhcpNameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{63CE5A2C-DB70-4882-BC84-6F3F88CEADF9} : DhcpNameServer = 192.168.2.1
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\rc44lm6z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\belkin\belkin usb print and storage center\BkBackupScheduler.exe [2010-8-19 152064]
R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\belkin\belkin usb print and storage center\Bkapcs.exe [2010-8-19 49152]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-22 365952]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-22 193840]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2010-3-10 247320]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-06-07 17:07:22 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{57531d01-979d-4c0a-bc20-c782ef43bce6}\mpengine.dll
2011-06-01 16:17:24 -------- d-----w- c:\program files\STOPzilla!
2011-06-01 16:17:22 -------- d-----w- c:\program files\common files\iS3
2011-06-01 16:17:21 -------- d-----w- c:\programdata\STOPzilla!
2011-06-01 15:39:30 775168 ----a-w- c:\windows\isRS-000.tmp
2011-05-10 21:51:32 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2011-04-13 22:40:10 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-03-12 21:55:52 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
============= FINISH: 14:23:44.12 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-03.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 5/24/2009 10:23:00 AM
System Uptime: 6/8/2011 12:40:12 PM (2 hours ago)
.
Motherboard: Wistron | | 3612
Processor: Intel® Celeron® CPU 900 @ 2.20GHz | CPU | 2194/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 138 GiB total, 61.927 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 1.436 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0005
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter
PNP Device ID: ROOT\*6TO4MP\0005
Service: tunnel
.
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0018
Manufacturer: Microsoft
Name: Microsoft 6to4 Adapter #3
PNP Device ID: ROOT\*6TO4MP\0018
Service: tunnel
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.3
Adobe Shockwave Player
AstrolDeluxe ReportWriter
Atheros Driver Installation Program
Belkin Daily DJ
Belkin Music Labeler
Belkin Setup and Router Monitor
Belkin USB Print and Storage Center
BSELCLG InetViewer ActiveX
CCScore
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CyberLink DVD Suite
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
ESU for Microsoft Vista
FOX News Live Stream
Google Updater
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.7
HP Help and Support
HP Quick Launch Buttons 6.40 H2
HP Total Care Advisor
HP Total Care Setup
HP Update
HP User Guides 0118
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
Intel® Graphics Media Accelerator Driver
Java Auto Updater
Java™ 6 Update 21
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
LabelPrint
LightScribe System Software 1.14.17.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Live Search Toolbar
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Works
Mozilla Firefox 4.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Mover
muvee Reveal
netbrdg
NetWaiting
Norton Internet Security
Notifier
OfotoXMI
OGA Notifier 2.0.0048.0
PCDADDIN
PCDHELP
Picasa 3
Power2Go
PowerDirector
Realtek 8169 8168 8101E 8102E Ethernet Driver
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2466156)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2464583)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
SFR
SHASTA
SKIN0001
SKINXSDK
Spelling Dictionaries Support For Adobe Reader 9
staticcr
Synaptics Pointing Device Driver
tooltips
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (KB2536413)
VPRINTOL
WIRELESS
.
==== Event Viewer Messages From Past Week ========
.
6/7/2011 9:23:25 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SRTSP SRTSPX
6/7/2011 9:23:25 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
6/7/2011 9:23:25 PM, Error: Service Control Manager [7000] - The Norton Internet Security service failed to start due to the following error: The system cannot find the path specified.
6/7/2011 9:23:07 PM, Error: EventLog [6008] - The previous system shutdown at 3:52:14 PM on 6/7/2011 was unexpected.
6/7/2011 8:29:10 AM, Error: EventLog [6008] - The previous system shutdown at 9:05:22 PM on 6/6/2011 was unexpected.
6/7/2011 3:51:14 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the hpqwmiex service to connect.
6/7/2011 3:51:14 PM, Error: Service Control Manager [7000] - The hpqwmiex service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/7/2011 3:50:43 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service hpqwmiex with arguments "" in order to run the server: {F5539356-2F02-40D4-999E-FA61F45FE12E}
6/7/2011 3:47:15 PM, Error: EventLog [6008] - The previous system shutdown at 3:43:39 PM on 6/7/2011 was unexpected.
6/7/2011 3:39:40 PM, Error: EventLog [6008] - The previous system shutdown at 3:36:09 PM on 6/7/2011 was unexpected.
6/7/2011 3:35:28 PM, Error: Service Control Manager [7034] - The Webroot Client Service service terminated unexpectedly. It has done this 1 time(s).
6/7/2011 3:35:24 PM, Error: Service Control Manager [7034] - The Webroot Spy Sweeper Engine service terminated unexpectedly. It has done this 1 time(s).
6/7/2011 2:39:19 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: spldr SRTSP SRTSPX Wanarpv6
6/7/2011 2:39:19 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
6/7/2011 2:39:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
6/7/2011 2:38:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
6/7/2011 2:38:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/7/2011 2:38:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
6/7/2011 2:38:27 PM, Error: EventLog [6008] - The previous system shutdown at 2:37:01 PM on 6/7/2011 was unexpected.
6/7/2011 2:25:00 PM, Error: EventLog [6008] - The previous system shutdown at 2:22:48 PM on 6/7/2011 was unexpected.
6/7/2011 2:20:10 PM, Error: EventLog [6008] - The previous system shutdown at 2:14:04 PM on 6/7/2011 was unexpected.
6/7/2011 2:15:02 PM, Error: Service Control Manager [7000] - The Windows Update service failed to start due to the following error: The system cannot find the path specified.
6/7/2011 2:15:02 PM, Error: Service Control Manager [7000] - The TPM Base Services service failed to start due to the following error: The system cannot find the path specified.
6/7/2011 2:15:02 PM, Error: Service Control Manager [7000] - The KtmRm for Distributed Transaction Coordinator service failed to start due to the following error: The system cannot find the path specified.
6/7/2011 2:15:02 PM, Error: Service Control Manager [7000] - The HP Health Check Service service failed to start due to the following error: The system cannot find the path specified.
6/7/2011 2:12:15 PM, Error: EventLog [6008] - The previous system shutdown at 2:07:38 PM on 6/7/2011 was unexpected.
6/7/2011 2:04:50 PM, Error: EventLog [6008] - The previous system shutdown at 2:00:56 PM on 6/7/2011 was unexpected.
6/7/2011 1:59:02 PM, Error: EventLog [6008] - The previous system shutdown at 1:55:50 PM on 6/7/2011 was unexpected.
6/7/2011 1:33:01 PM, Error: EventLog [6008] - The previous system shutdown at 1:20:51 PM on 6/7/2011 was unexpected.
6/6/2011 4:41:35 PM, Error: EventLog [6008] - The previous system shutdown at 12:47:48 PM on 6/6/2011 was unexpected.
6/5/2011 6:00:17 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 00242C3BD6D1 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
6/5/2011 5:58:36 PM, Error: EventLog [6008] - The previous system shutdown at 3:22:27 PM on 6/5/2011 was unexpected.
6/5/2011 3:22:27 PM, Error: EventLog [6008] - The previous system shutdown at 7:34:35 AM on 6/4/2011 was unexpected.
6/4/2011 7:07:16 AM, Error: EventLog [6008] - The previous system shutdown at 6:48:39 AM on 6/4/2011 was unexpected.
6/3/2011 8:23:50 PM, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.105.929.0 Loading engine version: 1.1.6903.0
6/3/2011 8:22:16 PM, Error: EventLog [6008] - The previous system shutdown at 8:07:09 PM on 6/3/2011 was unexpected.
6/3/2011 7:21:24 AM, Error: EventLog [6008] - The previous system shutdown at 6:19:44 PM on 6/2/2011 was unexpected.
6/3/2011 6:44:32 PM, Error: EventLog [6008] - The previous system shutdown at 6:30:36 PM on 6/3/2011 was unexpected.
6/3/2011 6:25:59 PM, Error: EventLog [6008] - The previous system shutdown at 6:22:34 PM on 6/3/2011 was unexpected.
6/3/2011 6:14:46 PM, Error: EventLog [6008] - The previous system shutdown at 5:56:33 PM on 6/3/2011 was unexpected.
6/3/2011 5:12:45 PM, Error: EventLog [6008] - The previous system shutdown at 4:50:32 PM on 6/3/2011 was unexpected.
6/3/2011 3:00:35 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{63CE5A2C-DB70-4882-BC84-6F3F88CEADF9} because another computer on the network has the same name. The server could not start.
6/3/2011 3:00:20 PM, Error: Microsoft-Windows-ResourcePublication [1002] - Element Provider\Microsoft.Base.Publication/Publication/Computer failed to publish. Ensure that both PKEY_PUBSVCS_METADATA and PKEY_PUBSVCS_TYPE are set properly on the function instance and there were no errors adding the function instance.
6/3/2011 3:00:10 PM, Error: EventLog [6008] - The previous system shutdown at 8:03:29 AM on 6/3/2011 was unexpected.
6/2/2011 9:18:30 AM, Error: EventLog [6008] - The previous system shutdown at 6:44:23 AM on 6/2/2011 was unexpected.
6/2/2011 4:26:52 PM, Error: EventLog [6008] - The previous system shutdown at 4:12:30 PM on 6/2/2011 was unexpected.
6/2/2011 3:29:54 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 00242C3BD6D1 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
6/2/2011 3:29:41 PM, Error: EventLog [6008] - The previous system shutdown at 3:05:02 PM on 6/2/2011 was unexpected.
6/1/2011 8:09:03 PM, Error: EventLog [6008] - The previous system shutdown at 8:00:03 PM on 6/1/2011 was unexpected.
6/1/2011 7:04:14 PM, Error: EventLog [6008] - The previous system shutdown at 6:42:35 PM on 6/1/2011 was unexpected.
6/1/2011 4:56:27 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Webroot Spy Sweeper Engine service to connect.
6/1/2011 4:56:27 PM, Error: Service Control Manager [7000] - The Webroot Spy Sweeper Engine service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/1/2011 4:45:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WebrootSpySweeperService with arguments "" in order to run the server: {1281A68F-9E75-418F-B3AC-D5B23DD86408}
6/1/2011 4:36:59 PM, Error: EventLog [6008] - The previous system shutdown at 4:33:11 PM on 6/1/2011 was unexpected.
6/1/2011 4:20:22 PM, Error: EventLog [6008] - The previous system shutdown at 4:02:39 PM on 6/1/2011 was unexpected.
6/1/2011 4:00:01 PM, Error: EventLog [6008] - The previous system shutdown at 3:40:17 PM on 6/1/2011 was unexpected.
6/1/2011 12:56:00 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: is3srv SRTSP SRTSPX
6/1/2011 12:55:35 PM, Error: EventLog [6008] - The previous system shutdown at 12:46:32 PM on 6/1/2011 was unexpected.
6/1/2011 12:27:50 PM, Error: EventLog [6008] - The previous system shutdown at 12:23:31 PM on 6/1/2011 was unexpected.
6/1/2011 12:15:05 PM, Error: Service Control Manager [7031] - The Software Licensing service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/1/2011 12:08:43 PM, Error: EventLog [6008] - The previous system shutdown at 12:01:18 PM on 6/1/2011 was unexpected.
6/1/2011 1:41:21 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Health Check Service service to connect.
6/1/2011 1:41:21 PM, Error: Service Control Manager [7000] - The HP Health Check Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/1/2011 1:03:11 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
6/1/2011 1:03:11 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/1/2011 1:03:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
.
==== End Of File ===========================

RKunhooker:

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #1
==============================================
>Drivers
==============================================
0x90C08000 C:\Windows\system32\DRIVERS\igdkmd32.sys 9555968 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
0x83E1C000 C:\Windows\system32\ntkrnlpa.exe 3907584 bytes (Microsoft Corporation, NT Kernel & System)
0x83E1C000 PnpManager 3907584 bytes
0x83E1C000 RAW 3907584 bytes
0x83E1C000 WMIxWDM 3907584 bytes
0x9B830000 Win32k 2113536 bytes
0x9B830000 C:\Windows\System32\win32k.sys 2113536 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8C804000 C:\Windows\system32\drivers\ql2300.sys 1277952 bytes (QLogic Corporation, QLogic Fibre Channel Stor Miniport Driver)
0x8CE05000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
0x9180E000 C:\Windows\system32\DRIVERS\athr.sys 1105920 bytes (Atheros Communications, Inc., Atheros Extensible Wireless LAN device driver)
0x8CA77000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x91C01000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1060864 bytes (Conexant Systems, Inc., HSF_DP driver)
0x8CC05000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x804D3000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0xB0074000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8C60F000 C:\Windows\system32\drivers\megasr.sys 749568 bytes (LSI Corporation, Inc., LSI MegaRAID Software RAID Driver)
0x91D04000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 741376 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0x82200000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
0x8C23E000 C:\Windows\system32\drivers\iastorv.sys 659456 bytes (Intel Corporation, Intel Matrix Storage Manager driver (base))
0x91525000 C:\Windows\System32\drivers\dxgkrnl.sys 655360 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8C4F9000 C:\Windows\system32\drivers\elxstor.sys 606208 bytes (Emulex, Storport Miniport Driver for LightPulse HBAs)
0x8CD60000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x8060F000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x8CA06000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x80409000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x82307000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8C375000 C:\Windows\system32\drivers\adp94xx.sys 434176 bytes (Adaptec, Inc., Adaptec Windows SAS/SATA Storport Driver)
0x8C93C000 C:\Windows\system32\drivers\ql40xx.sys 348160 bytes (QLogic Corporation, QLogic iSCSI Storport Miniport Driver)
0xB0009000 C:\Windows\System32\DRIVERS\srv.sys 323584 bytes (Microsoft Corporation, Server driver)
0x9BA80000 C:\Windows\System32\ATMFD.DLL 315392 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x8C406000 C:\Windows\system32\drivers\adpahci.sys 311296 bytes (Adaptec, Inc., Adaptec Windows SATA Storport Driver)
0x8076C000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x91E18000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x80698000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x80492000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8C31F000 C:\Windows\system32\drivers\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x91A2F000 C:\Windows\system32\DRIVERS\sxuptp.sys 258048 bytes (silex technology, Inc., SXUPTP Driver)
0x91B58000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 253952 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x8CD22000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x91EC9000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x8C6EC000 C:\Windows\system32\drivers\uliahci.sys 245760 bytes (ULi Electronics Inc., ULi SATA Controller Driver)
0x91ACB000 C:\Windows\system32\drivers\CHDRT32.sys 241664 bytes (Conexant Systems Inc., High Definition Audio Function Driver)
0x8CBAD000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
0x91F7C000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x8CF1D000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x91A85000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x841D6000 ACPI_HAL 208896 bytes
0x841D6000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8C775000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x91E60000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x9193F000 C:\Windows\system32\DRIVERS\SynTP.sys 196608 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0x91998000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x91B06000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8C728000 C:\Windows\system32\drivers\ulsata2.sys 180224 bytes (Promise Technology, Inc., Promise SATAII150 Series Windows Drivers)
0x8CB82000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x91A05000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x822C0000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x91FCD000 C:\Windows\System32\DRIVERS\srv2.sys 163840 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x8CF82000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x806EF000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8C493000 C:\Windows\system32\drivers\adpu320.sys 155648 bytes (Adaptec, Inc., Adaptec StorPort Ultra320 SCSI Driver)
0x8C46D000 C:\Windows\system32\drivers\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)
0x91B33000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x8C7D9000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x8C7B7000 C:\Windows\system32\DRIVERS\Rtlh86.sys 139264 bytes (Realtek Corporation , Realtek 8101E/8168/8169 NDIS6 32-bit Driver )
0x8C20E000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x91DC6000 C:\Windows\system32\drivers\IntcHdmi.sys 135168 bytes (Intel® Corporation, Intel® High Definition Audio HDMI)
0x823BF000 C:\Windows\system32\drivers\mrxdav.sys 135168 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x8C9D5000 C:\Windows\system32\drivers\ulsata.sys 135168 bytes (Promise Technology, Inc., Promise Ultra/Sata Series Driver for Win2003)
0x91BB2000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x8C754000 C:\Windows\system32\drivers\vsmraid.sys 135168 bytes (VIA Technologies Inc.,Ltd, VIA RAID DRIVER FOR AMD-X86-64)
0x823E0000 C:\Windows\system32\DRIVERS\mrxsmb.sys 126976 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x8C2E7000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x82374000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x80725000 C:\Windows\system32\drivers\mpio.sys 114688 bytes (Microsoft Corporation, MultiPath Support Bus-Driver)
0x8C452000 C:\Windows\system32\drivers\adpu160m.sys 110592 bytes (Adaptec, Inc., Adaptec LH Ultra160 Driver (x86))
0x8CCEF000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x91F61000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x805CD000 C:\Windows\system32\drivers\nvraid.sys 110592 bytes (NVIDIA Corporation, NVIDIA® nForce™ RAID Driver)
0x8C5BF000 C:\Windows\system32\drivers\lsi_fc.sys 106496 bytes (LSI Logic, LSI Logic Fusion-MPT FC Driver (StorPort))
0x8C305000 C:\Windows\system32\drivers\lsi_scsi.sys 106496 bytes (LSI Logic, LSI Logic Fusion-MPT SCSI Driver (StorPort))
0x805B3000 C:\Windows\system32\drivers\msdsm.sys 106496 bytes (Microsoft Corporation, Microsoft Device Specific Module)
0x82391000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x91980000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x8C5D9000 C:\Windows\system32\drivers\lsi_sas.sys 98304 bytes (LSI Logic, LSI Logic Fusion-MPT SAS Driver (StorPort))
0x91FB5000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 98304 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x91F0F000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x919D2000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x8C4CD000 C:\Windows\system32\drivers\arc.sys 90112 bytes (Adaptec, Inc., Adaptec RAID Storport Driver)
0x8C4E3000 C:\Windows\system32\drivers\arcsas.sys 90112 bytes (Adaptec, Inc., Adaptec SAS RAID WS03 Driver)
0xB0170000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x91E92000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x805E8000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0x823AA000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8C3DF000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8CF5E000 C:\Windows\system32\drivers\sbp2port.sys 86016 bytes (Microsoft Corporation, SBP-2 Protocol Driver)
0x8C99E000 C:\Windows\system32\drivers\sisraid4.sys 86016 bytes (Silicon Integrated Systems, SiS AHCI Stor-Miniport Driver)
0x8C4B9000 C:\Windows\system32\drivers\djsvs.sys 81920 bytes (Adaptec, Inc., Adaptec Ultra SCSI miniport)
0x8CBE8000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x91E04000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x9191C000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x822F4000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x91EB6000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x8CFA9000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x91ABA000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x80479000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x8C7A7000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x8C597000 C:\Windows\system32\drivers\iirsp.sys 65536 bytes (Intel Corp./ICP vortex GmbH, Intel/ICP Raid Storport Driver)
0x822B0000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x807E1000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8CDED000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x8CD0A000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x80716000 C:\Windows\system32\drivers\isapnp.sys 61440 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB0186000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x8CF73000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x80741000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x915EB000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x915DC000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8075D000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x9BA70000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x91EA8000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8C6D1000 C:\Windows\system32\drivers\nfrd960.sys 57344 bytes (IBM Corporation, IBM ServeRAID Controller Driver)
0x91BEE000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x807BD000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x91F26000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x91DB9000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x8C6DF000 C:\Windows\system32\drivers\nvstor.sys 53248 bytes (NVIDIA Corporation, NVIDIA® nForce™ Sata Performance Driver)
0x8C991000 C:\Windows\system32\drivers\sisraid2.sys 53248 bytes (Microsoft Corporation, SiS RAID Stor Miniport Driver)
0x91A78000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8068B000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x8C5A7000 C:\Windows\system32\drivers\iteatapi.sys 49152 bytes (Integrated Technology Express, Inc., ITE IT8211 ATA/ATAPI SCSI miniport)
0x8C5B3000 C:\Windows\system32\drivers\iteraid.sys 49152 bytes (Integrated Technology Express, Inc., ITE IT8212 ATA RAID SCSI miniport)
0x8C9B3000 C:\Windows\system32\drivers\symc8xx.sys 49152 bytes (LSI Logic, LSI Logic 8XX SCSI Miniport Driver)
0xB015C000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x91BA6000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x915C5000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
0x91F33000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x8C36A000 C:\Windows\system32\drivers\hpcisss.sys 45056 bytes (Hewlett-Packard Company, Smart Array Storport Driver)
0x91934000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x91971000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8C6C6000 C:\Windows\system32\drivers\mraid35x.sys 45056 bytes (LSI Logic Corporation, MegaRAID RAID Controller Driver for Windows Vista/Longhorn for x86)
0x91BE3000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x919E9000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8C9BF000 C:\Windows\system32\drivers\sym_hi.sys 45056 bytes (LSI Logic, LSI Logic Hi-Perf SCSI Miniport Driver)
0x8C9CA000 C:\Windows\system32\drivers\sym_u3.sys 45056 bytes (LSI Logic, LSI Logic Ultra160 SCSI Miniport Driver)
0x919C7000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x8CFF0000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x915D1000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x80753000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x91F3E000 C:\Windows\System32\Drivers\dump_msahci.sys 40960 bytes
0x91F48000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8C58D000 C:\Windows\system32\drivers\i2omp.sys 40960 bytes (Microsoft Corporation, I2O Miniport Driver)
0x8C5F1000 C:\Windows\system32\drivers\megasas.sys 40960 bytes (LSI Corporation, MEGASAS RAID Controller Driver for Windows Vista/Longhorn for x86)
0x8C360000 C:\Windows\system32\drivers\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
0x91A6E000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x822EA000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x91F05000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0xB0152000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xB01A5000 C:\Windows\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0x8CFBA000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x91DE7000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x91B96000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x9BA50000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8CFE5000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8CD19000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x806DE000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x8C2DF000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x8048A000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x807D9000 C:\Windows\system32\drivers\cmdide.sys 32768 bytes (CMD Technology, Inc., CMD PCI IDE Bus Driver)
0x806E7000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x91BD3000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x91BDB000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8CF56000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8C236000 C:\Windows\system32\drivers\viaide.sys 32768 bytes (VIA Technologies, Inc., VIA Generic PCI IDE Bus Driver)
0x8CF15000 C:\Windows\system32\drivers\wd.sys 32768 bytes (Microsoft Corporation, Microsoft Watchdog Timer Driver)
0xB0168000 C:\Windows\system32\DRIVERS\xaudio.sys 32768 bytes (Conexant Systems, Inc., Modem Audio Device Driver)
0x807CB000 C:\Windows\system32\drivers\aliide.sys 28672 bytes (Acer Laboratories Inc., ALi mini IDE Driver)
0x807D2000 C:\Windows\system32\drivers\amdide.sys 28672 bytes (Microsoft Corporation, AMD IDE Driver)
0x91DF7000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x91B9F000 C:\Windows\system32\drivers\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x807B6000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x80402000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB0195000 C:\Users\Owner\AppData\Local\Temp\mbr.sys 28672 bytes
0x91DF0000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8C22F000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x9192F000 C:\Windows\system32\DRIVERS\HpqKbFiltr.sys 20480 bytes (Hewlett-Packard Development Company, L.P., HpqKbFiltr Keyboard Filter Driver)
0x9197C000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB0070000 C:\Windows\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0x80750000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x919F4000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x9196F000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0x884EF1ED unknown_irp_handler 3603 bytes
==============================================
>Stealth
==============================================
0x884F0A91 Unknown page with executable code, 1391 bytes
0x884F1191 Unknown page with executable code, 3695 bytes
0x884F3E7A Unknown thread object [ ETHREAD 0x886D1530 ] TID: 260, 600 bytes
0x884F6008 Unknown thread object [ ETHREAD 0x886E3668 ] TID: 264, 600 bytes
0x884F5CDC Unknown page with executable code, 804 bytes

#4 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 08 June 2011 - 04:55 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1

Link 2

Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#5 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 11 June 2011 - 12:44 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

do you still need help with this?
do you need more time?
are you having problems following my instructions?
if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

<-- Don't worry every little bit helps.

#6 newgma

Member

Group: Members
Posts: 98
Joined: 25-May 10

Posted 11 June 2011 - 06:35 AM

Had some probs getting to daughters' house to fix

When I ran ComboFix, it initially had a screen freeze and shut down, then 2nd running, the laptop lost power/.

On a third run, the laptop took eons to boot up but when it did, the ComboFix window said preparing log, do not run other programs.

I had to go home, as the children were ready for bed, so here I am running it again.

Please don't close topic - I'm on it!

Also, the Belkin router suddenly needs to be re-loaded.

This post has been edited by newgma: 11 June 2011 - 06:39 AM

#7 newgma

Member

Group: Members
Posts: 98
Joined: 25-May 10

Posted 11 June 2011 - 06:50 AM

No more redirect on searching....

Can you tell me how to get rid of STOPZilla, too?

ComboFix 11-06-10.0A - Owner 06/11/2011 7:38.4.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1745 [GMT -4:00]
Running from: c:\users\Owner\Desktop\Computer Fix\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\users\Owner\0.638052493090059.exe
c:\users\Owner\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery\Uninstall Windows Vista Recovery.lnk
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Vista Recovery\Windows Vista Recovery.lnk
c:\users\Owner\Desktop\Windows Vista Recovery.lnk
c:\users\Owner\msiexec.exe
c:\windows\regsvr32.exe
c:\windows\system32\drivers\etc\lmhosts
.
-- Previous Run --
.
Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\ntfs.sys
.
--------
.
.
((((((((((((((((((((((((( Files Created from 2011-05-11 to 2011-06-11 )))))))))))))))))))))))))))))))
.
.
2011-06-11 11:44 . 2011-06-11 11:44 -------- d-----w- c:\users\Owner\AppData\Local\temp
2011-06-11 11:44 . 2011-06-11 11:44 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-06-11 11:44 . 2011-06-11 11:44 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-06-10 12:56 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{989A25F4-7102-446C-A6BF-BF012FDDDB3C}\mpengine.dll
2011-06-03 11:27 . 2011-06-03 11:27 -------- d-----w- c:\users\Owner\AppData\Local\Mozilla
2011-06-01 16:17 . 2011-06-01 16:17 -------- d-----w- c:\program files\STOPzilla!
2011-06-01 16:17 . 2011-06-01 16:17 -------- d-----w- c:\program files\Common Files\iS3
2011-06-01 16:17 . 2011-06-01 17:09 -------- d-----w- c:\programdata\STOPzilla!
2011-06-01 15:39 . 2011-06-01 15:39 775168 ----a-w- c:\windows\isRS-000.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-04-14 16:26 . 2011-06-03 11:27 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-2-20 282624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 Belkin Local Backup Service;Belkin Local Backup Service;c:\program files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe [2010-02-17 152064]
R2 Belkin Network USB Helper;Belkin Network USB Helper;c:\program files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe [2010-02-09 49152]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 BlackBox;BlackBox SR2; [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 sxuptp;SXUPTP Driver;c:\windows\system32\DRIVERS\sxuptp.sys [2010-03-10 247320]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-06 17:02]
.
2011-05-27 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 18:34]
.
2010-12-16 c:\windows\Tasks\User_Feed_Synchronization-{31185E75-74F2-4FC1-B949-516D1078DEEA}.job
- c:\windows\system32\msfeedssync.exe [2011-04-12 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\rc44lm6z.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-11 07:44
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-06-11 07:47:51
ComboFix-quarantined-files.txt 2011-06-11 11:47
ComboFix2.txt 2010-07-18 19:24
.
Pre-Run: 65,845,977,088 bytes free
Post-Run: 65,802,768,384 bytes free
.
- - End Of File - - 17890CFC44038BFEFD48127DAC6CA40D

This post has been edited by newgma: 11 June 2011 - 07:36 AM

#8 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 11 June 2011 - 01:26 PM

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

start

settings

control panel

add/remove programs

Adobe Reader 9.3.3

remove

Update Adobe Reader

http://www.adobe.com/products/acrobat/readstep2.html

Adobe Reader

here

Note:

AskBar

Your Java is out of date.

It can be updated by the Java control panel

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
An update should begin;
follow the prompts

Clear your Java Cache

click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

Please download TFC to your desktop,
Save any unsaved work. TFC will close all open application windows.
Double-click TFC.exe to run the program.
If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

Double-click mbam icon
go to the update tab at the top
click on check for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
When completed, a log will open in Notepad. please copy and paste the log into your next reply
- If you accidently close it, the log file is saved here and will be named like this:
- C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

Go Here to download HijackThis Installer
Save HijackThis Installer to your desktop.
Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

In your next post I need the following

Log From MBAM
report from Hijackthis
let me know of any problems you may have had
How is the computer doing now?

Gringo

<-- Don't worry every little bit helps.

#9 newgma

Member

Group: Members
Posts: 98
Joined: 25-May 10

Posted 11 June 2011 - 06:36 PM

Thank you! Will do so in morning!

#10 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 11 June 2011 - 08:32 PM

<-- Don't worry every little bit helps.

#11 newgma

Member

Group: Members
Posts: 98
Joined: 25-May 10

Posted 12 June 2011 - 12:10 PM

Something is terribly wrong...

Last night, no probs with start up, no redirects. Daughter took laptop home and accessed FB and AtlanticRealty.com. No probs.

This morning, failure to start up (blue screen), so she quit.

I restarted, allow the Windows start up recovery to run, and windows loaded.

But, there is now a readme type icon labeled "catchme" on her desktop and "msiexec.exe" keeps trying to access the internet, causing slowwwwww access to internet.

I think I got the Adobe file uninstalled, but not sure - shut off.

Also, I can't open gmail files.

WORST YET: now we can't boot up at all, even in Safe Mode. The computer just shuts off during mid-boot. Right now, I'm trying "start windows normally".

Got the welcome screen.

Seems to be loading normally, if slowly, this time.

There's the "msiexec.exe" request again. I just keep closing it.

Removed Adobe, Updated Java, cleared cache, ran TFC, ran MBAM (which I had to re-download, as it was 'missing'),

laptop shut down during launch,

Started laptop again. Got 2 error messages while it loaded: error 0 and error 440, but it ran.

Ran MBAM.

msiexec.exe continues to request access to the internet throughout.

Restarted.

Downloaded and set up HijackThis.

I do not get the option to run as administrator when I right click on the desktop icon.

I got this notice:

Quote

For some reason your system deied write acess to the Hosts file. If any hijacked domains are in this file, HijackThis may NOT be able to fix this.

If this happens, you need to edit the file yourself. Todo this, click Start, Run and type:

notepad C:\Windows\System32\drivers\etc\hosts

and press Enter. Find the line(s) HijackThis reports and delete them.
Save the fle as 'hosts.' (with the quotes), and reboot.

For Vista: simply, exit HijackThis, right click on the HijackThis icon,
choose 'Run as administrator'.

So, how do I get a logfile?

will follow with MBAM file,

#12 newgma

Member

Group: Members
Posts: 98
Joined: 25-May 10

Posted 12 June 2011 - 12:26 PM

Last restart is much better, no more requests from "msiexec.exe" to access the internet.

We still have no programs in the start menu.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6841

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

6/12/2011 12:36:45 PM
mbam-log-2011-06-12 (12-36-45).txt

Scan type: Quick scan
Objects scanned: 160683
Time elapsed: 3 minute(s), 27 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\Users\Owner\0.638052493090059.exe (Trojan.Agent) -> 3220 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1574460323 (Trojan.Agent) -> Value: 1574460323 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Owner\0.638052493090059.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\temp\msi678A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\temp\msiE9A5.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Owner\msiexec.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#13 newgma

Member

Group: Members
Posts: 98
Joined: 25-May 10

Posted 12 June 2011 - 12:33 PM

Just ran a Google search for "Gimp", as this laptop does not have MSPaint and I hoped to do a "print screen" of the HijackThis log screens to post here.

Still have a redirect thing going on. Took me to "scour.com" for a list after clicking the Gimp.org website address.

#14 gringo_pr

Bleepin Gringo

Group: Malware Response Team
Posts: 85,462
Joined: 03-July 08
Gender:Male
Location:Puerto rico

Posted 12 June 2011 - 12:40 PM

Create and Run Batch File

Notepad

@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0

router.bat

Save type as - All Files

Desktop

router.bat

gringo

<-- Don't worry every little bit helps.

#15 newgma

Member

Group: Members
Posts: 98
Joined: 25-May 10

Posted 12 June 2011 - 12:56 PM

Woo!

Fast Reply!

Her laptop has been on both her router and my router. My laptop has no probs, nor the other 2 I run in my apartment, nor my desktop.

Results:

Windows IP Configuration

Host Name . . . . . . . . . . . . : Owner-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : Belkin

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : Belkin
Description . . . . . . . . . . . : Atheros AR5007 802.11b/g WiFi Adapter
Physical Address. . . . . . . . . : 00-24-2C-3B-D6-D1
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e55b:f0ab:d4e3:7492%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.2.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, June 12, 2011 12:39:56 PM
Lease Expires . . . . . . . . . . : Wednesday, July 19, 2147 8:23:32 PM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DHCPv6 IAID . . . . . . . . . . . : 234890284
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-11-AB-11-88-00-24-2C-3B-D6-D1
DNS Servers . . . . . . . . . . . : 192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : hsd1.ga.comcast.net.
Description . . . . . . . . . . . : Realtek RTL8102E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
Physical Address. . . . . . . . . : 00-1F-16-D2-DC-7A
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : isatap.hsd1.ga.comcast.net.
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:2853:328c:3f57:fdfc(Preferred)
Link-local IPv6 Address . . . . . : fe80::2853:328c:3f57:fdfc%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 12:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : Belkin
Description . . . . . . . . . . . : isatap.Belkin
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: router.belkin
Address: 192.168.2.1

Name: google.com
Addresses: 74.125.91.104
74.125.91.99
74.125.91.103
74.125.91.106
74.125.91.147
74.125.91.105

Server: router.belkin
Address: 192.168.2.1

Name: yahoo.com
Addresses: 209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43
98.137.149.56

Pinging google.com [74.125.91.104] with 32 bytes of data:

Reply from 74.125.91.104: bytes=32 time=25ms TTL=52

Reply from 74.125.91.104: bytes=32 time=26ms TTL=52

Ping statistics for 74.125.91.104:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 25ms, Maximum = 26ms, Average = 25ms

Pinging yahoo.com [209.191.122.70] with 32 bytes of data:

Reply from 209.191.122.70: bytes=32 time=38ms TTL=51

Reply from 209.191.122.70: bytes=32 time=37ms TTL=51

Ping statistics for 209.191.122.70:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 37ms, Maximum = 38ms, Average = 37ms

===========================================================================
Interface List
11 ...00 24 2c 3b d6 d1 ...... Atheros AR5007 802.11b/g WiFi Adapter
10 ...00 1f 16 d2 dc 7a ...... Realtek RTL8102E Family PCI-E Fast Ethernet NIC (NDIS 6.0)
1 ........................... Software Loopback Interface 1
16 ...00 00 00 00 00 00 00 e0 isatap.hsd1.ga.comcast.net.
12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
17 ...00 00 00 00 00 00 00 e0 isatap.Belkin
14 ...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.3 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.0 255.255.255.0 On-link 192.168.2.3 281
192.168.2.3 255.255.255.255 On-link 192.168.2.3 281
192.168.2.255 255.255.255.255 On-link 192.168.2.3 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.3 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.3 281
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 18 ::/0 On-link
1 306 ::1/128 On-link
12 18 2001::/32 On-link
12 266 2001:0:4137:9e76:2853:328c:3f57:fdfc/128
On-link
11 281 fe80::/64 On-link
12 266 fe80::/64 On-link
12 266 fe80::2853:328c:3f57:fdfc/128
On-link
11 281 fe80::e55b:f0ab:d4e3:7492/128
On-link
1 306 ff00::/8 On-link
12 266 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

This post has been edited by newgma: 12 June 2011 - 12:57 PM