I have 5 computers on my network, but Qwest is not able to tell me which one it is coming from. I will submit a separate topic for each computer. This one is for a Gateway laptop running Windows Vista Home SP1, connected wirelessly to the router.
When this started happening, I was using ZoneAlarm Extreme Security only for my computer security.
My ISP (Qwest) has suggested many different software solutions, which I have implemented and scanned with. They include Microsoft Malicious Software Removal Tool, TrendMicro RUBotted, BotHunter, and Microsoft Security Essentials. I have also received information from several local computer techs to use MalwareBytes, SuperAntiSpyware, AVG Free and Avast Anti-virus. The last one I spoke with said everything Qwest has suggested is useless, as is AVG Free and ZoneAlarm (except maybe the firewall). He recommends MalwareBytes, SuperAntiSpyware and Avast. I have been unable to install and run Avast on this computer, as the computer will not run but freezes when I install it. As soon as I uninstall it again, the computer runs.
Quick scans by any of these programs find nothing. Full scans produce adware cookies, but nothing else for the past month+. I pretty much run a full scan by one of them each day and remove anything that they find.
Here is the most recent log Qwest sent me of the detected Bot activity. This is the first time I have heard that it is Torpig, which I guess is an infection of the master boot record, which can cause all the other programs to not be able to detect it.
Date & Time (GMT) Source Port MW Type
Date/Time Seen (GMT) Infection Data (*)
--------------- -------------------- ------------------------------
date: 2010-05-27 list: bots
2010-05-26 18:02:15 srcport 13466 mwtype Torpig destaddr 91.20.208.178
2010-05-26 18:02:49 srcport 13467 mwtype Torpig destaddr 91.20.208.178
2010-05-26 21:03:49 srcport 22708 mwtype Torpig destaddr 91.20.208.178
2010-05-26 21:04:25 srcport 22709 mwtype Torpig destaddr 91.20.208.178
Here is the most recent email Qwest sent me to resolve the problem.
--------------Begin Email-------------
Mebroot is a rootkit, which means that the master boot record itself is infected. Trend Micro suggests performing a system recovery in addition to updating and running the latest antivirus:
http://www.trendmicro.com/vinfo/virusencyc...AD&VSect=Sn
Looks like McAfee suggests similar steps:
http://vil.nai.com/vil/content/v_143908.htm#tab5
It looks like Torpig/Anserin removal isn't complete until registry keys are removed.
Symantec:
http://www.symantec.com/security_response/...-99&tabid=3
Torpig is also on the list of signatures that the Microsoft Malicious Software Removal Tool has:
http://www.microsoft.com/security/malwareremove/default.mspx
--------------End of Email---------------
I first downloaded and scanned with the Microsoft Malicious Software Removal Tool, which found nothing.
When I attempted to use the Windows Recovery Console and use "fixmbr", I got the following message:
** CAUTION **
This computer appears to have a non-standard or invalid master boot record.
FIXMBR could cause all the partitions on the current hard disk to become inaccessible.
If you are not having problems accessing your drive, do not continue.
Are you sure you want to write a new MBR?
----------------------------------------------
Since I am not having problems accessing my drive, it does not seem that I should continue.
Therefore, I answered N and exited the process.
That is when I did more research and found your website.
I have run the steps as specified in the Preparation Guide.
Following is DDS.txt
DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 6:40:30.37 on Sat 06/12/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.957.111 [GMT -7:00]
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Norton AntiVirus *disabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iWin Games\iWinTrusted.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\tlntsvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\1176845002\ee\aolsoftware.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://air1.com/
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT3707
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT3707
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MT3707
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
BHO: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Foxit Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Windows Sidebar] "c:\program files\windows sidebar\Sidebar.exe" /autorun
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [MRC] "c:\program files\pc tune-up\PCTuneUp.exe" /MBRSTART
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AOL Fast Start] "c:\program files\aol 9.0a\AOL.EXE" -b
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [HostManager] "c:\program files\common files\aol\1176845002\ee\AOLSoftware.exe"
mRun: [WordPerfect Office 1215] "c:\program files\wordperfect office 12\programs\Registration.exe" /title="WordPerfect Office 12" /date=092107 serial=wo12wrx-0000002-hbu lang=EN
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag spirit\AGRemind.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Plant%20Tycoon/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {21BB8360-F943-447E-98F3-3C22345375A7} - hxxp://www.playfirst.com/play/game/chocolatier/ChocolatierWeb.1.0.0.13.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://www.playfirst.com/play/game/trijinx/TriJinx.1.0.0.86.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.playfirst.com/play/game/dinerdash2/DinerDash2.1.0.0.67.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://www.playfirst.com/play/game/dreamchronicles/dreamweb.1.0.0.9.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.playfirst.com/play/game/luxor/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://www.playfirst.com/play/game/dinerdashfloonthego/ddfotg.1.0.0.32.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Plant%20Tycoon/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://www.playfirst.com/play/game/feedingfrenzy/SproutLauncher.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://www.playfirst.com/play/game/weddingdash/WeddingDash.1.0.0.44.cab
DPF: {FC4CAF5F-91BD-4DD9-ADC1-F3C737E37BC4} - hxxp://download.playfirst.com/play/game/sweetopia/Sweetopia.1.0.0.22.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: DfLogon - LogonDll.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
================= FIREFOX ===================
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\wt0sdoxr.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://air1.com/
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\MozillaExtensions.dll
FF - component: c:\program files\checkpoint\zaforcefield\trustchecker\components\TrustCheckerMozillaPlugin.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\wt0sdoxr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\ksolo\npAVX.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\wt0sdoxr.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\wt0sdoxr.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-6 162768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-6 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-5-6 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-6 40384]
R2 ISWKL;ZoneAlarm ForceField ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2009-10-14 25208]
R2 IswSvc;ZoneAlarm ForceField IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2009-10-14 476528]
R2 iWinTrusted;iWinTrusted;c:\program files\iwin games\iWinTrusted.exe [2009-9-2 78104]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2010-3-12 582992]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-6 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-6 40384]
R3 icsak;icsak;c:\program files\checkpoint\zaforcefield\ak\icsak.sys [2009-10-14 35448]
R3 RTL85n86;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;c:\windows\system32\drivers\RTL85n86.sys [2006-11-2 311808]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-3-12 206608]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-11-20 21504]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-3-12 206608]
=============== Created Last 30 ================
2010-06-12 13:31:01 0 ----a-w- c:\users\owner\defogger_reenable
2010-06-12 10:42:47 0 d-----w- c:\program files\Windows Portable Devices
2010-06-12 10:42:05 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2010-06-12 10:23:35 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2010-06-12 10:23:33 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2010-06-12 10:23:32 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2010-06-12 10:21:59 481792 ----a-w- c:\windows\system32\dxgi.dll
2010-06-12 10:21:59 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2010-06-12 10:21:59 1030144 ----a-w- c:\windows\system32\d3d10.dll
2010-06-12 10:16:27 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2010-06-12 10:16:26 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2010-06-12 10:16:26 234496 ----a-w- c:\windows\system32\oleacc.dll
2010-06-12 08:49:50 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-06-12 08:49:48 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-12 08:49:47 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-12 03:42:38 0 d-----w- c:\windows\system32\eu-ES
2010-06-12 03:42:38 0 d-----w- c:\windows\system32\ca-ES
2010-06-12 03:42:36 0 d-----w- c:\windows\system32\vi-VN
2010-06-11 22:43:48 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-06-11 22:43:44 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-06-11 22:43:13 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-06-11 22:34:47 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-06-11 15:51:20 0 d-----w- c:\windows\system32\EventProviders
2010-06-10 22:57:30 0 d-----w- c:\users\owner\appdata\roaming\licenses
2010-06-10 22:57:27 0 d-----w- c:\users\owner\appdata\roaming\PCMM2009
2010-06-10 22:57:16 0 d-----w- c:\users\owner\appdata\roaming\PCMM2010
2010-06-08 20:00:37 0 d-----w- C:\7d7455a7af5ce4dadd748d2ad52e
2010-05-27 22:25:24 0 d-----w- c:\program files\Ask.com
2010-05-27 22:23:30 0 d-----w- c:\program files\Foxit Software
2010-05-26 19:45:06 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 00:50:36 864 ----a-w- c:\users\owner\.recently-used.xbel
==================== Find3M ====================
2010-06-12 10:42:33 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-06-12 10:42:33 51200 ----a-w- c:\windows\inf\infpub.dat
2010-06-12 10:42:32 86016 ----a-w- c:\windows\inf\infstor.dat
2010-06-12 10:42:32 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-06-12 02:58:16 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-05-12 18:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 05:59:21 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-14 16:31:23 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-21 00:49:13 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-03-02 03:07:59 32768 --sha-w- c:\windows\temp\cookies\index.dat
2010-03-02 03:07:59 49152 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-03-02 03:07:59 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
============= FINISH: 6:44:30.65 ===============
I had several problems running GMER. The computer repeatedly completely crashed - black screen. I then began watching it and saved the ark.txt file several times during the process. The one attached is done before the scan finished. It stopped while scanning the following entry.
\Device\HarddiskVolumeShadowCopy1
I then received the following message from Windows:
--------error message follows-----------
Microsoft Windows
gmer.exe has stopped working
A problem caused the program to stop working correctly.
Windows will close the program and notify you if a solution
is available.
-----------end of message--------------
Both attached.txt and ark.txt are zipped.