BleepingComputer.com: system restore virus

Hi. I was recently browsing the internet when firefox crashed (or appeared to). I reopened it and continued what I was doing and a few minutes later the same thing happened again. Then I suddenly got all these error messages about disk read and memory errors and a fake "system restore" window popped up wanting me to scan for critical errors and such. I tried rebooting into safe mode but the fake window still popped up and I had no desktop icons (just black background) or any access to programs. For example if I clicked start>programs all that was there was this "system restore" thing. Anyway, I was able to run malwarebytes from the command line but the scan was extremely slow so I had to stop it after several hours. However, it did manage to remove several items and after reboot the malware window was no longer there but I still had no access to task manager, no desktop icons/background, and nothing under start>programs. So I ran system restore to the previous day and seemed to have full functionality back but my desktop icons were re-arranged after the restore which was somewhat disconcerting. Then after a few minutes I got a data execution prevention message for windows explorer and my desktop icons went back to the random arrangement from after the restore. Please advise on how to proceed. Thanks. -Andrew

UPDATE: Ran a full scan with Malwarebytes which removed two more items. However, during the scan internet explorer and itunes opened on their own and I have also been getting redirected on Google.

UPDATE 2: TDSSKiller and RKill won't run either!

This post has been edited by baronvonkrug: 31 October 2011 - 10:37 AM

Hi baronvonkrug,

We sincerely apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Do you still need help? If so, continue to follow these instructions:

My name is Jason and I'll be helping you with your computer problems. You can call me by my screename jntkwx or Jason is fine.

Some things to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• Please do not attach logs or put logs in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can also help.
  
• Do not run anything while running a fix.
  
• If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

---

Is this the same computer that was infected back in May? (this topic)

If this is the same computer, I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread. It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and please be patient. There is currently a large backlog of people being helped. It may take several days for someone to respond.

If this is NOT the same computer:

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

Hi Jason, thanks for getting back to me. This is the same computer that was infected in May, however at this time I think I have managed to remove the infection. Malwarebytes, SAS, and TDSS killer (it runs again) come up clean and I am no longer being redirected on Google. Also, a suspicious IEXPLORER.EXE process that seemed to be the source of the problem is gone. However, yesterday my wireless internet suddenly stopped working even though it was still working after all the cleaning measures that I took. I can see plenty of networks but can't connect. The ethernet connection seems to work fine though. I tried resetting winsock and tcp/ip but that didn't help. My only other remaining symptom is that a random My Computer window showing C:\New Folder (which is empty) opens on reboot. Any ideas? Should I still make a new thread under Virus, Trojan, Spyware, and Malware Removal Logs or can you help me out directly? Thanks! -Andrew

Now the wireless is working. I have had some strange issues connecting to the wireless at work before so this may be unrelated to my malware problems. -Andrew

Hi baronvonkrug,

I'm think you're still infected, even though you don't have any symptoms. You may need help from the Malware Removal Team, but before I recommend you there, let's do the following:

Please download a new copy of GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

This post has been edited by jntkwx: 07 November 2011 - 12:18 PM

Hi Jason. I left the GMER scan to run overnight as it took quite a long time. Here is the log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-08 08:42:55
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HTS72108 rev.MC4O
Running: eu8f8m3i.exe; Driver: D:\DOCUME~1\CLASS2~1\LOCALS~1\Temp\pxtdqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF613DEBF]
? D:\DOCUME~1\CLASS2~1\LOCALS~1\Temp\pxtdqpoc.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mvstdi5x.sys (Anti-Virus Mini-Firewall Driver/Network Associates, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\web_hightrust.config 12200 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\DefaultWsdlHelpGenerator.aspx 61724 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\enterprisesec.config 21768 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\enterprisesec.config.cch 51452 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\machine.config 226636 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config 29001 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\security.config.cch 56327 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\web_hightrust.config.default 12200 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\web_lowtrust.config 8707 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\web_lowtrust.config.default 8707 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\web_mediumtrust.config 11445 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\web_mediumtrust.config.default 11445 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\web_minimaltrust.config 7646 bytes
File C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG\web_minimaltrust.config.default 7646 bytes

---- EOF - GMER 1.0.15 ----

Oddly, the computer was somewhat unresponsive after the scan and neither firefox or notepad would run. I had to restart to get back to normal.

Jason, are you still there?

Hi baronvonkrug,

Yes, I'm still here. Sorry for the delay. I'm working with a colleague on where to go from here.

Hi baronvonkrug,

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
When asked to update to the latest definitions, select "Yes"
Click the "Scan" button to start scan:


On completion of the scan click "Save log", save it to your desktop and post in your next reply:


NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


Please also provide a detailed description of any remaining problems, detailed word-for-word error messages that you are receiving, and/or screenshots of strange behavior.

Here is the log...

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-14 00:35:13
-----------------------------
00:35:13.765 OS Version: Windows 5.1.2600 Service Pack 2
00:35:13.765 Number of processors: 2 586 0xE08
00:35:13.765 ComputerName: G558 UserName:
00:35:14.640 Initialize success
00:43:45.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
00:43:45.546 Disk 0 Vendor: HTS72108 MC4O Size: 76319MB BusType: 3
00:43:45.562 Disk 0 MBR read successfully
00:43:45.562 Disk 0 MBR scan
00:43:45.562 Disk 0 Windows XP default MBR code
00:43:45.578 Disk 0 scanning sectors +156295440
00:43:45.640 Disk 0 scanning C:\WINDOWS\system32\drivers
00:43:53.859 Service scanning
00:43:55.296 Modules scanning
00:44:03.062 Disk 0 trace - called modules:
00:44:03.093 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys iaStor.sys
00:44:03.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a684ab8]
00:44:03.093 3 CLASSPNP.SYS[f74e805b] -> nt!IofCallDriver -> [0x8a718c08]
00:44:03.093 5 hpdskflt.sys[f7508ffd] -> nt!IofCallDriver -> \Device\000000ab[0x8a77af18]
00:44:03.421 7 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a778030]
00:44:03.437 Scan finished successfully
00:44:19.656 Disk 0 MBR has been saved successfully to "D:\Documents and Settings\Class2010\Desktop\cleaning\MBR.dat"
00:44:19.656 The log file has been saved successfully to "D:\Documents and Settings\Class2010\Desktop\cleaning\aswMBR.txt"

This post has been edited by baronvonkrug: 14 November 2011 - 12:45 AM

Hi baronvonkrug,

How's your computer running now?


Rerun Malwarebytes
Open Malwarebytes, click on the Update tab, and click the check for Updates button.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue (the latest update as of this post is 8160)
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Full Scan" option is selected.
  
• Then click on the Scan button.
  
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you have trouble updating, troubleshoot Malwarebytes' Anti-Malware

I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on this link to open ESET OnlineScan in a new window.
  
• Click the button.
  
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    
  • Double click on the
    icon on your desktop.
  
  
• Check "YES, I accept the Terms of Use."
  
• Click the Start button.
  
• Accept any security warnings from your browser.
  
• Under scan settings, check "Scan Archives" and "Remove found threats"
  
• Click Advanced settings and select the following:
  • Scan potentially unwanted applications
    
  • Scan for potentially unsafe applications
    
  • Enable Anti-Stealth technology
  
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  
• When the scan completes, click List Threats
  
• Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  
• Click the Back button.
  
• Click the Finish button.

Sorry for the delay, I've been very busy the past few days.

Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8168

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

11/15/2011 4:03:54 PM
mbam-log-2011-11-15 (16-03-39).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 477201
Time elapsed: 2 hour(s), 41 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir (Trojan.Agent) -> No action taken.

ESET log:

C:\My Stuff\AVICodecPackPlus210.exe a variant of Win32/Adware.Webdir application deleted - quarantined
C:\Qoobox\Quarantine\C\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\serial.sys.vir a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{DD345828-D2C0-4F5F-A2C7-1D9335D7C436}\RP548\A0090643.exe a variant of Win32/Adware.Webdir application deleted - quarantined
D:\Documents and Settings\Class2010\Application Data\Sun\Java\Deployment\cache\6.0\47\fd7bfaf-361452b7 multiple threats deleted - quarantined
D:\Documents and Settings\Class2010\Application Data\Sun\Java\Deployment\cache\6.0\55\6dec7c37-7044dee4 Java/Agent.DW trojan deleted - quarantined
D:\Documents and Settings\Class2010\Desktop\Curriculum Vitae.doc W97M/Marker.O1 virus cleaned - quarantined
D:\Documents and Settings\Class2010\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\BC413B63-475C-4134-9FF1-BBA8A8\3C211B6A-C253-49F9-865D-59E7AE a variant of Win32/Adware.Webdir application cleaned by deleting - quarantined
D:\Documents and Settings\Class2010\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\DC45E3C0-7D9E-4E97-BB09-532E5B\79A61D4D-D9BE-48CF-A5E8-6A47BE a variant of Win32/Adware.Webdir application cleaned by deleting - quarantined
D:\Documents and Settings\Class2010\My Documents\Downloads\coreldraw-graphics-suite-x4.rar probably a variant of Win32/Agent.MEZGMEC trojan deleted - quarantined

The computer was running fine until the other day but now I have another strange problem. Everything is fine until I put the computer into hibernate and turn it back on, at which point the system process (not system idle) begins using almost 100% cpu and makes the computer unusable. Any idea what could cause that or should I ask in another forum? Thanks. -Andrew

Hi baronvonkrug,

ESET quarantined this file:

baronvonkrug, on 20 November 2011 - 10:21 PM, said:

This may be a false positive, or it may not be. Do you have other copies of this Word document?

Let's try this to fix when the computer comes out of hibernation:
Click on the Start menu.
Click on the Control Panel
Open the Power Options, and then click on the Hibernation tab.
Uncheck the box next to Enable Hibernation, and click Apply.

This will temporarily disable hiberation.
Enable hibernation by checking the box, and then click Apply.

Try putting your computer into hibernation, and then turn it back on and see if the System process continues to use 100% of the CPU.

Please download MiniToolBox and run it.

Checkmark following boxes:

• List last 10 Event Viewer Log Errors
  
• List Installed Programs
  
• List Users, Partitions and Memory size

Click Go . Please copy and paste the contents of the log that opens into your next reply.

All my important data is backed up so no concerns about the word file...although it probably is a false positive. After reapplying the hibernate setting the system process did not cause a problem when coming out of a test hibernation. However, it was not happening every time before either, so this may not be conclusive. Here is the minitoolbox log.

MiniToolBox by Farbar
Ran by akruegel (administrator) on 27-11-2011 at 17:16:04
Microsoft Windows XP Service Pack 2 (X86)

***************************************************************************

========================= Event log errors: ===============================

Application errors:
==================
Error: (11/23/2011 01:17:09 PM) (Source: Application Error) (User: )
Description: Faulting application acrord32.exe, version 10.0.1.434, faulting module wininet.dll, version 6.0.2900.3698, fault address 0x000289c8.
Processing media-specific event for [acrord32.exe!ws!]

Error: (11/21/2011 00:16:20 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x4003d0a8.
Processing media-specific event for [explorer.exe!ws!]

Error: (11/21/2011 11:21:22 AM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x4003d0a8.
Processing media-specific event for [explorer.exe!ws!]

Error: (11/15/2011 00:47:24 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x4003d0a8.
Processing media-specific event for [explorer.exe!ws!]

Error: (11/14/2011 00:43:31 AM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.3156, faulting module unknown, version 0.0.0.0, fault address 0x4003d0a8.
Processing media-specific event for [explorer.exe!ws!]

Error: (11/01/2011 03:16:53 PM) (Source: Application Error) (User: )
Description: Faulting application plugin-container.exe, version 1.9.2.3951, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x0000100b.
Processing media-specific event for [plugin-container.exe!ws!]

Error: (11/01/2011 03:16:48 PM) (Source: Application Error) (User: )
Description: Faulting application firefox.exe, version 1.9.2.3951, faulting module unknown, version 0.0.0.0, fault address 0x00fe8a27.
Processing media-specific event for [firefox.exe!ws!]

Error: (11/01/2011 03:16:16 PM) (Source: Application Error) (User: )
Description: Faulting application plugin-container.exe, version 1.9.2.3951, faulting module ntdll.dll, version 5.1.2600.3520, fault address 0x0000100b.
Processing media-specific event for [plugin-container.exe!ws!]

Error: (11/01/2011 03:16:10 PM) (Source: Application Error) (User: )
Description: Faulting application firefox.exe, version 1.9.2.3951, faulting module unknown, version 0.0.0.0, fault address 0x00fe8a27.
Processing media-specific event for [firefox.exe!ws!]

Error: (11/01/2011 02:41:30 PM) (Source: Application Error) (User: )
Description: Faulting application firefox.exe, version 1.9.2.3951, faulting module unknown, version 0.0.0.0, fault address 0x00fe8a27.
Processing media-specific event for [firefox.exe!ws!]


System errors:
=============
Error: (11/27/2011 05:10:32 PM) (Source: DCOM) (User: SYSTEM)
Description: DCOM got error "%%1058" attempting to start the service IFXSpMgtSrv with arguments "-Service"
in order to run the server:
{FBCD9C6A-72CB-47BB-99DD-2317551491DE}

Error: (11/27/2011 05:10:28 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (11/27/2011 05:10:28 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (11/27/2011 05:10:27 PM) (Source: ipnathlp) (User: )
Description: The Network Address Translator (NAT) was unable to request an operation
of the kernel-mode translation module.
This may indicate misconfiguration, insufficient resources, or
an internal error.
The data is the error code.

Error: (11/27/2011 05:10:25 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service depends on the Workstation service which failed to start because of the following error:
%%1066

Error: (11/27/2011 05:10:25 PM) (Source: Service Control Manager) (User: )
Description: The Workstation service terminated with service-specific error 2250 (0x8CA).

Error: (11/27/2011 05:10:25 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (11/27/2011 05:10:25 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (11/27/2011 05:10:25 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (11/27/2011 05:10:25 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.


Microsoft Office Sessions:
=========================
Error: (11/23/2011 01:17:09 PM) (Source: Application Error)(User: )
Description: acrord32.exe10.0.1.434wininet.dll6.0.2900.3698000289c8

Error: (11/21/2011 00:16:20 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.3156unknown0.0.0.04003d0a8

Error: (11/21/2011 11:21:22 AM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.3156unknown0.0.0.04003d0a8

Error: (11/15/2011 00:47:24 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.3156unknown0.0.0.04003d0a8

Error: (11/14/2011 00:43:31 AM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.3156unknown0.0.0.04003d0a8

Error: (11/01/2011 03:16:53 PM) (Source: Application Error)(User: )
Description: plugin-container.exe1.9.2.3951ntdll.dll5.1.2600.35200000100b

Error: (11/01/2011 03:16:48 PM) (Source: Application Error)(User: )
Description: firefox.exe1.9.2.3951unknown0.0.0.000fe8a27

Error: (11/01/2011 03:16:16 PM) (Source: Application Error)(User: )
Description: plugin-container.exe1.9.2.3951ntdll.dll5.1.2600.35200000100b

Error: (11/01/2011 03:16:10 PM) (Source: Application Error)(User: )
Description: firefox.exe1.9.2.3951unknown0.0.0.000fe8a27

Error: (11/01/2011 02:41:30 PM) (Source: Application Error)(User: )
Description: firefox.exe1.9.2.3951unknown0.0.0.000fe8a27


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 3.1.1)
ACD/Labs Software in C:\ACDFREE10\ (Version: v10.00, FREE)
Adobe AIR (Version: 2.5.1.17730)
Adobe Download Manager (Version: 1.6.2.63)
Adobe Flash Player 10 Plugin (Version: 10.0.45.2)
Adobe Flash Player 9 ActiveX (Version: 9)
Adobe Premiere Pro (Version: 7.0)
Adobe Reader X (10.0.1) (Version: 10.0.1)
AFPL Ghostscript 8.54
AFPL Ghostscript Fonts
Agere Systems HDA Modem
AOL Instant Messenger
Apple Application Support (Version: 1.1.0)
Apple Mobile Device Support (Version: 2.6.0.32)
Apple Software Update (Version: 2.1.1.116)
ATI Catalyst Control Center (Version: 1.2.2253.3538)
ATI Display Driver (Version: 8.223.4-060302a1-031384C)
Audacity 1.2.6
AVI Codec Pack
BitTornado 0.3.17 (Version: 0.3.17)
Bonjour (Version: 1.0.106)
Broadcom NetXtreme Ethernet Controller (Version: 8.22.12)
BufferChm (Version: 100.0.170.000)
CambridgeSoft ChemDraw Ultra 10.0 (Version: 10.0)
CCleaner (Version: 3.12)
Compatibility Pack for the 2007 Office system (Version: 12.0.6021.5000)
CorelDRAW® Graphics Suite X4 - Windows Shell Extension
CorelDRAW® Graphics Suite X4 - Windows Shell Extension (Version: 1.1)
COSMOSFloWorks (Version: 14.40.61)
COSMOSM 2.95 (2006/085) (Version: 13.2.0400)
COSMOSMotion (Version: 14.40.61)
COSMOSWorks 2006 SP04 (Version: 14.40.61)
Coupon Printer for Windows (Version: 4.0)
D2300 (Version: 70.0.185.000)
D2300_Help (Version: 70.0.185.000)
DataStudio (Version: 1.9.7.11)
DeviceManagementQFolder (Version: 1.00.0000)
DWGeditor (Version: 14.41.101)
eDrawings 2006 (Version: 6.4.197)
EndNote X3 (Version: 13.0.0.4094)
FireGL driver for 3D Studio MAX/VIZ (Version: 6.14.10.5015)
Gaim (remove only)
Google Earth (Version: 6.1.0.5001)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.1.2003.1856)
Google Update Helper (Version: 1.3.21.79)
GRE POWERPREP
GSview 4.8
GTK+ Runtime 2.6.9 rev a (remove only)
HiJackThis (Version: 1.0.0)
HijackThis 2.0.2 (Version: 2.0.2)
Hückel 3.1
HP BIOS Configuration for ProtectTools 2.00 C3 (Version: 2.00 C3)
HP Credential Manager for ProtectTools (Version: 1.5.0.631.36.E)
HP Embedded Security for ProtectTools (Version: 4.0.3)
HP Help and Support (Version: 4.2.0009)
HP Imaging Device Functions 7.0 (Version: 7.0)
HP Integrated Module with Bluetooth wireless technology (Version: 4.0.1.3301)
HP Mobile Data Protection System (Version: 1.00 A6)
HP Notebook Accessories Product Tour (Version: 12.00.0000)
HP Photosmart and Deskjet 7.0 Software (Version: 7.1)
HP Photosmart D5400 Printer Driver Software 10.0 Rel .3 (Version: 10.0)
HP ProtectTools Security Manager 2.00 C3 (Version: 2.00 C3)
HP Quick Launch Buttons 6.00 D2 (Version: 6.00 D2)
HP Smart Card Security for ProtectTools 5.00 D4 (Version: 5.00 D4)
HP Software Update (Version: 3.0.7.014)
HP User Guides 0020 (Version: 1.02.0003)
HP Wireless Assistant 2.00 E1 (Version: 2.00 E1)
hph_ProductContext (Version: 70.0.185.000)
hph_readme (Version: 70.0.185.000)
hph_software (Version: 70.0.185.000)
hph_software_req (Version: 70.0.185.000)
HPPhotoSmartExpress (Version: 70.0.170.000)
InterVideo DVD Check
InterVideo WinDVD (Version: 5.0-B11.684)
iTunes (Version: 9.0.3.15)
Jacquie Lawson Advent Calendar (Version: 1.0.1)
Java Auto Updater (Version: 2.0.1.2)
Java™ 6 Update 18 (Version: 6.0.180)
LightScribe 1.4.67.1 (Version: 1.4.67.1)
LimeWire 5.5.16 (Version: 5.5.16)
Logger Lite 1.4 (Version: 1.4)
Macromedia Shockwave Player (Version: 10.1.0.11)
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
MATLAB R2006a (Version: 7.2)
McAfee Anti-Spyware Enterprise Module (Version: 8.0.0.989)
McAfee VirusScan Enterprise (Version: 8.0.0)
MestReNova 6.2.1-7569 (Version: 6.2.1-7569)
MGLTools 1.5.4 (Version: 1.5.4)
Microsoft .NET Compact Framework 1.0 SP3 Developer (Version: 1.0.4292)
Microsoft .NET Compact Framework 2.0 (Version: 2.0.5238)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Device Emulator version 1.0 - ENU (Version: 1.0.50727.42)
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005 (Version: 8.0.50727.42)
Microsoft Office FrontPage 2003 (Version: 11.0.7969.0)
Microsoft Office Professional Edition 2003 (Version: 11.0.7969.0)
Microsoft Office Project Professional 2003 (Version: 11.0.7969.0)
Microsoft Office Visio Professional 2003 (Version: 11.0.7969.0)
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS) (Version: 9.00.1399.06)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools (Version: 3.0.0.0)
Microsoft SQL Server 2005 Tools Express Edition (Version: 9.00.1399.06)
Microsoft SQL Server Desktop Engine (CAMBRIDGESOFT) (Version: 8.00.761)
Microsoft SQL Server Native Client (Version: 9.00.1399.06)
Microsoft SQL Server Setup Support Files (English) (Version: 9.00.1399.06)
Microsoft SQL Server VSS Writer (Version: 9.00.1399.06)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual J# 2.0 Redistributable Package (Version: 2.0.50727)
Morphyre
Mozilla Firefox (3.6.12) (Version: 3.6.12 (en-US))
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB973686) (Version: 6.20.2003.0)
National Instruments Software (Version: )
Nero 7 Ultra Edition (Version: 7.01.4028)
NetBeans IDE 5.0
NI-488.2 2.43 (Version: 2.43.3006)
NI-488.2 Provider for MAX (Version: 2.43.3006)
NI-653x Support (Version: 1.10.49154)
NI-DAQ C and VB6 API (Version: 1.60.49155)
NI-DAQ Document Set (Version: 1.07.49152)
NI-DAQ INF Files (Version: 18.00.3000)
NI-DAQmx - LabVIEW shared documentation (Version: 1.00.49152)
NI-DAQmx 8.0 (Version: 1.40.49157)
NI-DAQmx Documentation (Version: 1.20.49152)
NI-DAQmx DSA Support 1.5.0 (Version: 1.50.49154)
NI-DAQmx MAX Support 1.4.0 (Version: 1.40.49154)
NI-DAQmx OPC Support (Version: 1.00.49152)
NI-DAQmx support for LabVIEW (Version: 1.40.49154)
NI-DAQmx Switch Core 1.6.0 (Version: 1.60.49155)
NI-DIM 1.3.0f0 (Version: 1.30.49152)
NI-MDBG 1.3.0f0 (Version: 1.30.49152)
NI-MRU 2.4.0f0 (Version: 2.40.49152)
NI-MXDF 1.4.0f0 (Version: 1.40.49152)
NI-ORB 1.3.0f2 (Version: 1.30.49154)
NI-PAL 1.10.0f0 (Version: 9.110.49152)
NI-RPC 3.2.1f0 (Version: 3.21.49152)
NI-RPC 3.2.1f0 for Phar Lap ETS (Version: 3.21.49152)
NI-VISA 3.4 (Version: 3.64.768)
NI-VISA MAX Provider 3.4 (Version: 3.64.768)
NI-VISA Runtime 3.4 (Version: 3.64.768)
NI-VISA Server 3.4 (Version: 3.64.768)
NI Assistant Framework (Version: 2.5.209.0)
NI Assistant Framework LabVIEW Code Generator 6.1 (Version: 2.5.209.0)
NI Assistant Framework LabVIEW Code Generator 7.0 (Version: 2.5.209.0)
NI Assistant Framework LabVIEW Code Generator 7.1 (Version: 2.5.209.0)
NI Assistant Framework LabVIEW Code Generator 8.0 (Version: 2.5.207.0)
NI Calibration Provider for MAX (Version: 1.2.03010)
NI Common Digital 1.2.0 (Version: 1.50.49154)
NI DAQ Assistant 1.5.0 (Version: 1.50.49155)
NI DataSocket 4.3.0 (Version: 4.3.351.0)
NI EULA Depot (Version: 2.0.79)
NI Example Finder 8.0 (Version: 8.0.370.0)
NI Fusion Standard Library (Version: 1.10.49152)
NI Instrument I/O Assistant (Version: 2.0.3002.0)
NI Instrument IO Assistant for LabVIEW 8.0 (Version: 1.0.3002.0)
NI LabVIEW 8.0 (Version: 8.0.905.0)
NI LabVIEW 8.0 Activity (Version: 8.0.905.0)
NI LabVIEW 8.0 Applibs (Version: 8.0.905.0)
NI LabVIEW 8.0 CINtools (Version: 8.0.905.0)
NI LabVIEW 8.0 Device Detection and Deployment Support (Version: 8.0.902.0)
NI LabVIEW 8.0 Examples (Version: 8.0.905.0)
NI LabVIEW 8.0 gMath (Version: 8.0.905.0)
NI LabVIEW 8.0 Help (Version: 8.0.902.0)
NI LabVIEW 8.0 Help File (Version: 8.0.902.0)
NI LabVIEW 8.0 iMath (Version: 8.0.905.0)
NI LabVIEW 8.0 Instr.lib (Version: 8.0.905.0)
NI LabVIEW 8.0 Manuals (Version: 8.0.902.0)
NI LabVIEW 8.0 MeasAppChm File (Version: 8.0.902.0)
NI LabVIEW 8.0 Menus (Version: 8.0.905.0)
NI LabVIEW 8.0 Project (Version: 8.0.905.0)
NI LabVIEW 8.0 Resource (Version: 8.0.905.0)
NI LabVIEW 8.0 Simulation (Version: 8.0.890.0)
NI LabVIEW 8.0 Templates (Version: 8.0.905.0)
NI LabVIEW 8.0 User.lib (Version: 8.0.905.0)
NI LabVIEW 8.0 VI.lib (Version: 8.0.905.0)
NI LabVIEW 8.0 WWW (Version: 8.0.905.0)
NI LabVIEW Broker (Version: 6.2.2014.0)
NI LabVIEW C Interface (Version: 1.0.0)
NI LabVIEW Deployable License 8.0 (Version: 8.0.893.0)
NI LabVIEW MAX XML (Version: 8.0.11.0)
NI LabVIEW Real-Time Error Dialog (Version: 8.0.358.0)
NI LabVIEW Run-Time Engine 7.1.1 (Version: 7.1.405)
NI LabVIEW Run-Time Engine 8.0 (Version: 8.0.701.0)
NI LabWindows/CVI 7.0 Code Generator (Version: 8.0.00107)
NI LabWindows/CVI 7.1.1 Run Time Engine (Version: 7.1.0350)
NI Legacy DAQmxRF (Version: 1.30.49155)
NI License Manager (Version: 3.1.126)
NI Logos 4.6 (Version: 4.6.595.0)
NI Logos LabVIEW 8.0 Support (Version: 8.0.112.0)
NI LVBrokerAux1071 (Version: 1.0.116)
NI LVBrokerAux71 (Version: 1.0.113)
NI LVBrokerAux8.0 (Version: 8.0.905.0)
NI Math Kernel Libraries (Version: 1.0.861.0)
NI MDF Support (Version: 2.1.81)
NI Measurement & Automation Explorer 4.0 (Version: 4.0.03010)
NI Measurement Studio Recipe Processor (Version: 8.0.0101)
NI Measurements eXtensions for PAL 1.3.0 (Version: 1.40.49152)
NI MIO Device Drivers 1.7.0 (Version: 1.70.49154)
NI MXS 4.0 (Version: 4.0.03010)
NI OPC Support (Version: 8.0.230.0)
NI Portable Configuration (Version: 4.0.03010)
NI PXI Platform Services for Windows 1.5.1 (Version: 1.51.49153)
NI PXI Platform Services Provider for MAX 1.5.1 (Version: 1.81.769)
NI Registration Wizard (Version: 1.1.17)
NI Remote Provider for MAX (Version: 4.0.03010)
NI Remote PXI Provider for MAX (Version: 2.0.03010)
NI SCXI 1.2.0 (Version: 1.50.49154)
NI Service Locator (Version: 8.0.546.0)
NI Software Provider for MAX (Version: 4.0.03010)
NI Spy 2.3.0 (Version: 2.48.770)
NI STC 1.2.0 (Version: 1.30.49152)
NI Timing 1.5.0 (Version: 1.50.49155)
NI Uninstaller (Version: 2.1.81)
NI USI 1.2.0 (Version: 1.2.02465)
NI Variable Engine (Version: 1.0.466.0)
NI Variable Engine LabVIEW 8.0 Support (Version: 8.0.115.0)
NI Variable Manager (Version: 8.0.63.0)
NI Web Pipeline (Version: 2.0.94)
Night Vision 2.2.1
PHAROS for Higher Education
Photo To Sketch 3.51
PS_SF_03_D5400_Software (Version: 100.0.206.000)
PS_SF_03_D5400_Software_Min (Version: 100.0.206.000)
PyMOL
PyMOL (32 bit) (Version: 1.3.0.0)
Python 2.5.2 (Version: 2.5.2150)
QuickTime (Version: 7.65.17.80)
R for Windows 2.6.2 (Version: 2.6.2)
ReaConverter 5.5 Pro
RealPlayer
REALTEK RTL8187 Wireless LAN Driver and Utility (Version: Package:1.00.0023 Driver:5.1313.613.2008 UI:0.0.0.0)
ResearchSoft Direct Export Helper
Riva FLV Player (Version: 1.0.0000)
Rome - Total War™ (Version: 1.0)
Rosetta Stone Version 3 (Version: 3.3.5.2)
Scientific Notebook 5.5 (Version: 5.50)
SolidWorks 2006 SP04.1 (Version: 14.1.0412)
Sonic Audio Module (Version: 2.0.4)
Sonic Copy Module (Version: 2.0.4)
Sonic Data Module (Version: 2.0.4)
Sonic DLA (Version: 5.2.0)
Sonic Express Labeler (Version: 2.0.0)
Sonic MyDVD Plus (Version: 6.2.0)
Sonic Update Manager (Version: 3.0.0)
SoundMAX (Version: 5.10.01.4321)
Status (Version: 70.0.170.000)
Sunbelt CounterSpy (Version: 1.5.82)
SUPERAntiSpyware (Version: 5.0.1134)
Synaptics Pointing Device Driver (Version: 8.2.4.0)
Texas Instruments PCIxx21/x515/xx12 drivers. (Version: 1.15.0000)
TextPad 4.7 (Version: 4.7.2)
Tinn-R 1.19.4.7
TIPCI (Version: 1.15.0000)
Toolbox (Version: 100.0.170.000)
Toolbox (Version: 70.0.170.000)
TrayApp (Version: 70.0.170.000)
Tweak UI
Universal Document Converter (Version: 4.2)
Unload (Version: 7.0.0)
UnloadSupport (Version: 10.0.0)
Vina (Version: 1.1.1)
VLC media player 1.1.11 (Version: 1.1.11)
WD Diagnostics (Version: 1.07.0000)
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 100.0.170.000)
Winamp (remove only)
Windows Driver Package - PASCO Scientific (PASCO) USB 01/17/2004 1.9.0.0 (Version: 1.9.0.0)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.5.0530.0)
Windows Imaging Component (Version: 3.0.0.0)
Windows Installer 3.1 (KB893803) (Version: 3.1)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
Windows XP Hotfix - KB873339 (Version: 20041117.092459)
Windows XP Hotfix - KB883667 (Version: 20040812.104354)
Windows XP Hotfix - KB884575 (Version: 20040827.145237)
Windows XP Hotfix - KB885464 (Version: 20040927.152742)
Windows XP Hotfix - KB885835 (Version: 20041027.181713)
Windows XP Hotfix - KB885836 (Version: 20041028.173203)
Windows XP Hotfix - KB885855 (Version: 20040930.104104)
Windows XP Hotfix - KB886185 (Version: 20041021.090540)
Windows XP Hotfix - KB887472 (Version: 20041014.162858)
Windows XP Hotfix - KB887742 (Version: 20041103.095002)
Windows XP Hotfix - KB888113 (Version: 20041116.131036)
Windows XP Hotfix - KB888239 (Version: 20041124.162528)
Windows XP Hotfix - KB888302 (Version: 20041207.111426)
Windows XP Hotfix - KB888402 (Version: 20041117.151732)
Windows XP Hotfix - KB889673 (Version: 20041116.085848)
Windows XP Hotfix - KB890859 (Version: 1)
Windows XP Hotfix - KB891781 (Version: 20050110.165439)
Windows XP Hotfix - KB892559 (Version: 2)
WinHTTrack Website Copier 3.44-1 (Version: 3.44.1)
WinRAR archiver
WinSCP 4.2.9 (Version: 4.2.9)
Wolfram Notebook Indexer 2.0 (Version: 2.13.24133)
XnView 1.96.5 (Version: 1.96.5)

========================= Memory info: ===================================

Percentage of memory in use: 27%
Total physical RAM: 2047.36 MB
Available physical RAM: 1490.66 MB
Total Pagefile: 3428.19 MB
Available Pagefile: 3105.71 MB
Total Virtual: 2047.88 MB
Available Virtual: 2003.34 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:39.18 GB) (Free:7.56 GB) NTFS
2 Drive d: (DATA) (Fixed) (Total:35.35 GB) (Free:0.08 GB) NTFS

========================= Users: ========================================

User accounts for \\

Administrator akruegel ASPNET
Guest HelpAssistant SUPPORT_388945a0


**** End of log ****