Update: actually, I'll have to attach the Ark.txt file later; I was running GMER and it had been running for a long time when suddenly I got the blue screen of death and everything shut down on me. Will try again and attach the file if I'm successful.
Update 2: Tried to run GMER again, but it shut down with an unexpected error. Unzipped the program again and tried again and got the blue screen. Went to safe mode and tried again, no luck: got the unexpected error message and the program shut down. Arrrgggg! What can I do now?
At one point yesterday, I went to system restore and restored to four days ago, but that didn't seem to change much.
Also, while trying to get rid of Antivirus Action, a site said one thing to do was to replace the hosts file (now supposedly corrupt) with one the site offered. I did that, and now I'm getting that "Host Process for ... Has Stopped Working" notice all the time. Related?
Thanks!
DDS (Ver_10-12-05.01) - NTFSx86
Run by Erik at 8:07:45.84 on Fri 12/10/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1910 [GMT -5:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files\Glary Utilities\Integrator.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Brownie\BrStsWnd.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\ClipMate7\ClipMate.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Erik\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.netflix.com/Queue?inqt=wn&lnkctr=queueTab-ELECTRONIC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: ClipMate ClipBar 7: {f60c63ce-52af-4915-aac9-f100fcde270f} - c:\progra~1\clipma~1\CLIPMA~1.DLL
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRunOnce: [BrStsWnd.exe] c:\program files\brownie\BrStsWnd.exe WindowsStartUpModel
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GoogleDesktopNetwork3.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
================= FIREFOX ===================
FF - ProfilePath - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/news?pz=1&zx=po7sdf-h1gwcy#changed|http://news.google.com/news?pz=1&zx=po7sdf-h1gwcy#-7065693423068381803
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - component: c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{4fd0131c-5156-4a4a-af5b-e04381314163}\components\WindowsLiveWriter.dll
FF - component: c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{6ff1d3c4-61bc-4021-89b7-af8a8f784ebb}\components\snagitmozextension.dll
FF - component: c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {597DCCE7-94BC-4A06-AA12-8E2608F198EF} - c:\users\erik\appdata\local\{597dcce7-94bc-4a06-aa12-8e2608f198ef}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\siber systems\ai roboform\Firefox
FF - Extension: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
FF - Extension: XULRunner: {597DCCE7-94BC-4A06-AA12-8E2608F198EF} - c:\users\erik\appdata\local\{597DCCE7-94BC-4A06-AA12-8E2608F198EF}
FF - Extension: Web Search Pro: {8B8A525A-CFCA-44cf-81C3-3969E6CB96E0} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{8B8A525A-CFCA-44cf-81C3-3969E6CB96E0}
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: Email This! Bookmarklet Extension: gmailthis@lazyrussian.com - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\gmailthis@lazyrussian.com
FF - Extension: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Extension: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
FF - Extension: Snagit Firefox Extension: {6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB}
FF - Extension: Blog This in Windows Live Writer: {4fd0131c-5156-4a4a-af5b-e04381314163} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{4fd0131c-5156-4a4a-af5b-e04381314163}
FF - Extension: CookieSafe: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Extension: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Extension: SkipScreen: SkipScreen@SkipScreen - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\SkipScreen@SkipScreen
FF - Extension: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Extension: Download Youtube Videos +: video.downloader.plugin@ffpimp.com - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\video.downloader.plugin@ffpimp.com
FF - Extension: <?xmlversion=1.0?><RDF xmlns=http://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=http://www.mozilla.org/2004/em-rdf#><Description about=urn:mozilla:install-manifest><em:id>{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}: {b9bfaf1c-a63f-47cd-8b9a-29526ced9060} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}
FF - Extension: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
============= SERVICES / DRIVERS ===============
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-15 11608]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-10-12 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 67656]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-15 55656]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-11-6 9472]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-15 185089]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-15 108289]
S4 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-22 193840]
S4 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-7-18 30192]
S4 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-10-19 309008]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-22 365952]
=============== Created Last 30 ================
2010-12-09 22:33:12 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{1ffaa17e-57cd-4910-9d40-1e7667c1333a}\mpengine.dll
2010-12-09 22:29:17 -------- d-----w- c:\users\erik\appdata\local\{597DCCE7-94BC-4A06-AA12-8E2608F198EF}
2010-12-08 22:36:25 -------- d-----w- c:\progra~2\Alwil Software
2010-12-08 02:40:42 -------- d-----w- C:\e1b9e42fb7fa4fa706b5
2010-12-07 23:47:48 -------- d-----w- c:\users\erik\appdata\roaming\4885F68A0E2DE955EB1258D19E55E3A2
2010-11-28 20:10:00 -------- d-----w- c:\program files\Search Toolbar
2010-11-24 13:58:58 -------- d-----w- c:\program files\Lame For Audacity
2010-11-23 23:05:21 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
==================== Find3M ====================
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST9250315AS rev.0003HPM1 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86840555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x868467b0]; MOV EAX, [0x8684682c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81E7C962] -> \Device\Harddisk0\DR0[0x8615B768]
3 CLASSPNP[0x805DE8B3] -> ntkrnlpa!IofCallDriver[0x81E7C962] -> [0x868A23A0]
\Driver\atapi[0x86567B18] -> IRP_MJ_CREATE -> 0x86840555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskST9250315AS_____________________________0003HPM1#5&3b0a2a42&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
============= FINISH: 8:08:54.61 ===============
Malwarebytes file:
Objects scanned: 385400
Time elapsed: 2 hour(s), 5 minute(s), 1 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\Users\Erik\AppData\Local\Z1auib.dll (Trojan.Hiloti) -> Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qnuyumafu (Trojan.Hiloti) -> Value: Qnuyumafu -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\erik\AppData\Local\Z1auib.dll (Trojan.Hiloti) -> Delete on reboot.
c:\Users\erik\AppData\Roaming\Adobe\plugs\KB660991.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\erik\AppData\Roaming\Adobe\plugs\KB704640.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\erik\AppData\Local\temp\0.4145912403978068.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
Note: When I rebooted the computer, I did get a message saying "error loading c:\Users\me\AppData\Local\Z1auib.dll".
Edited by linter, 10 December 2010 - 09:25 AM.