Generic Host Process for Win32 Services Error

#1 kpankov


Posted 12 December 2010 - 10:31 PM


Just yesterday, I started receiving this error message after my computer had been on for a while. I'm not sure what this means, but after the error, I find that my sound system no longer works. I was wondering what steps I should take to stop this error from happening. I noticed that another person who had a similar problem on this forum was infected with a rootkit, a backdoor trojan that could steal information and download or execute files. I would like to know if the same thing is happening to me.

Also, right before I received this error, I was infected with the fake Microsoft Security Essentials and Antimalware Doctor viruses. I followed the guides on this website to remove them, and it seemed to have worked. After, I started receiving this error message.

Please help as soon as you are available.

#2 quietman7


Posted 14 December 2010 - 08:13 AM

Please post the complete results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.

  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop. Vista/Windows 7 users refer to these instructions if you're unsure how to unzip a file.
  • If you don't have an extracting program, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • When the program opens, click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure is selected, then click Continue > Reboot now to finish the cleaning process.<- Important!!
    Note: If 'Suspicious' objects are detected, you will be given the option to Skip or Quarantine. Skip will be the default selection.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it before downloading and saving to the computer.

-- For any files detected as 'Suspicious' (except those identified as Forged to be cured after reboot) get a second opinion by submitting to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

#3 kpankov

Posted 14 December 2010 - 05:20 PM

Thanks a lot for the help!!! Please inform me of any future steps!

MBAM log:

Malwarebytes' Anti-Malware 1.50

Database version: 5291

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

14/12/2010 5:03:33 PM
mbam-log-2010-12-14 (17-03-33).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|)
Objects scanned: 179587
Time elapsed: 23 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\imsvbo.dll (Trojan.Hiloti.Gen) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{B77C79B7-4DAD-4DB0-8934-911457C117F3} (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chkarygshst.chkarygshst.1.0 (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\chkarygshst.chkarygshst (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{CD6EF876-4D5A-451B-9EE3-72769BB7F724} (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adfarygspr.adfarygspr.1.0 (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adfarygspr.adfarygspr (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CD6EF876-4D5A-451B-9EE3-72769BB7F724} (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CD6EF876-4D5A-451B-9EE3-72769BB7F724} (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svazamagabob (Trojan.Hiloti.Gen) -> Value: Svazamagabob -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bipro (Trojan.Agent.Gen) -> Value: bipro -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gchk (Trojan.Downloader) -> Value: gchk -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\networkservice\application data\sky-banners (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\sky-banners\skb (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\sky-banners (Adware.Adrotator) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\sky-banners\skb (Adware.Adrotator) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\imsvbo.dll (Trojan.Hiloti.Gen) -> Delete on reboot.
c:\documents and settings\Owner\local settings\Temp\wgfedg.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\$ntuninstallmtf197$\cbsxj.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\sky-banners\skb\log.xml (Adware.Adrotator) -> Quarantined and deleted successfully.

TDSS Killer log:

2010/12/14 17:12:40.0078 TDSS rootkit removing tool Dec 8 2010 14:46:40
2010/12/14 17:12:40.0078 ================================================================================
2010/12/14 17:12:40.0078 SystemInfo:
2010/12/14 17:12:40.0078
2010/12/14 17:12:40.0078 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/14 17:12:40.0078 Product type: Workstation
2010/12/14 17:12:40.0078 ComputerName: OWNER-79E5D543B
2010/12/14 17:12:40.0078 UserName: Owner
2010/12/14 17:12:40.0078 Windows directory: C:\WINDOWS
2010/12/14 17:12:40.0078 System windows directory: C:\WINDOWS
2010/12/14 17:12:40.0078 Processor architecture: Intel x86
2010/12/14 17:12:40.0078 Number of processors: 2
2010/12/14 17:12:40.0078 Page size: 0x1000
2010/12/14 17:12:40.0078 Boot type: Normal boot
2010/12/14 17:12:40.0078 ================================================================================
2010/12/14 17:12:40.0359 Initialize success
2010/12/14 17:12:45.0500 ================================================================================
2010/12/14 17:12:45.0500 Scan started
2010/12/14 17:12:45.0500 Mode: Manual;
2010/12/14 17:12:45.0500 ================================================================================
2010/12/14 17:12:46.0015 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/14 17:12:46.0046 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/14 17:12:46.0156 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/14 17:12:46.0203 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/14 17:12:46.0421 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/14 17:12:46.0468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/14 17:12:46.0515 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/14 17:12:46.0562 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/14 17:12:46.0625 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys
2010/12/14 17:12:46.0687 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2010/12/14 17:12:46.0734 AvgTdiX (92d8e1e8502e649b60e70074eb29c380) C:\WINDOWS\System32\Drivers\avgtdix.sys
2010/12/14 17:12:46.0781 BCM43XX (e7debb46b9ef1f28932e533be4a3d1a9) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/12/14 17:12:46.0828 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/14 17:12:46.0875 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/14 17:12:46.0921 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/14 17:12:46.0968 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/14 17:12:47.0000 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/14 17:12:47.0203 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/14 17:12:47.0281 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/14 17:12:47.0375 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/14 17:12:47.0437 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/14 17:12:47.0500 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/14 17:12:47.0562 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/14 17:12:47.0593 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/14 17:12:47.0640 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/14 17:12:47.0656 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/14 17:12:47.0671 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/14 17:12:47.0718 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/14 17:12:47.0781 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2010/12/14 17:12:47.0796 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/14 17:12:47.0812 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/14 17:12:47.0875 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/12/14 17:12:47.0921 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/14 17:12:47.0984 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/12/14 17:12:48.0015 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/14 17:12:48.0078 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/14 17:12:48.0156 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/14 17:12:48.0343 ialm (0f68e2ec713f132ffb19e45415b09679) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2010/12/14 17:12:48.0562 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/14 17:12:48.0640 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/14 17:12:48.0687 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/14 17:12:48.0734 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/14 17:12:48.0765 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/14 17:12:48.0796 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/14 17:12:48.0843 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/14 17:12:48.0875 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/14 17:12:48.0921 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/14 17:12:48.0953 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/14 17:12:49.0015 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/14 17:12:49.0062 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/14 17:12:49.0093 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/14 17:12:49.0125 L1e (9da9141e01edece0aa5add73a63afec5) C:\WINDOWS\system32\DRIVERS\l1e51x86.sys
2010/12/14 17:12:49.0187 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/14 17:12:49.0250 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/14 17:12:49.0296 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/14 17:12:49.0328 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/14 17:12:49.0375 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/14 17:12:49.0406 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/14 17:12:49.0437 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/14 17:12:49.0468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/14 17:12:49.0515 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/14 17:12:49.0546 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/14 17:12:49.0562 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/14 17:12:49.0609 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/14 17:12:49.0625 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2010/12/14 17:12:49.0656 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/14 17:12:49.0703 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/14 17:12:49.0734 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/14 17:12:49.0765 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/14 17:12:49.0781 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/14 17:12:49.0796 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/14 17:12:49.0828 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/14 17:12:49.0859 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/14 17:12:49.0906 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/14 17:12:49.0937 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/14 17:12:50.0000 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2010/12/14 17:12:50.0031 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/14 17:12:50.0062 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/14 17:12:50.0093 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/14 17:12:50.0140 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/14 17:12:50.0156 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/14 17:12:50.0203 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/14 17:12:50.0218 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/14 17:12:50.0265 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/14 17:12:50.0328 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/14 17:12:50.0468 pfmfs_27B (a3e9309e52bf8ac1c8ad1b53f9d3c544) C:\WINDOWS\system32\Drivers\pfmfs_27B.sys
2010/12/14 17:12:50.0515 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/14 17:12:50.0546 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/14 17:12:50.0562 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/14 17:12:50.0656 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/14 17:12:50.0687 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/14 17:12:50.0703 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/14 17:12:50.0734 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/14 17:12:50.0765 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/14 17:12:50.0781 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/14 17:12:50.0828 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/14 17:12:50.0890 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/14 17:12:50.0984 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/14 17:12:51.0015 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2010/12/14 17:12:51.0046 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2010/12/14 17:12:51.0109 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/14 17:12:51.0156 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/14 17:12:51.0187 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/14 17:12:51.0250 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/14 17:12:51.0359 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/14 17:12:51.0390 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/14 17:12:51.0437 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/14 17:12:51.0453 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/14 17:12:51.0484 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/14 17:12:51.0593 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/14 17:12:51.0671 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/14 17:12:51.0718 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/14 17:12:51.0765 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/14 17:12:51.0828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/14 17:12:51.0921 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/14 17:12:52.0000 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/14 17:12:52.0062 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/14 17:12:52.0093 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/14 17:12:52.0140 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/14 17:12:52.0187 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/14 17:12:52.0234 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/14 17:12:52.0281 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/14 17:12:52.0296 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/14 17:12:52.0343 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/14 17:12:52.0390 VIAHdAudAddService (264f2f26975136e015c9aa5e025b39f4) C:\WINDOWS\system32\drivers\viahduaa.sys
2010/12/14 17:12:52.0437 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/14 17:12:52.0484 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/14 17:12:52.0546 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/12/14 17:12:52.0609 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/14 17:12:52.0671 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/14 17:12:52.0687 ================================================================================
2010/12/14 17:12:52.0687 Scan finished
2010/12/14 17:12:52.0687 ================================================================================
2010/12/14 17:12:52.0687 Detected object count: 1
2010/12/14 17:14:07.0531 \HardDisk0 - will be cured after reboot
2010/12/14 17:14:07.0531 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/14 17:14:17.0078 Deinitialize success
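
An added example, not part of the thread and not a TDSSKiller feature: a parser for the log format posted above, with a before/after comparison of the kind a helper wants when the tool is rerun after the reboot to confirm the cure. The two sample logs are constructed and shortened to a few driver lines in the same format as the log above; the "after" log is what a clean rerun would report, not the poster's actual second log, so the zero detection count there is an assumption for the demonstration.

```python
"""Parse TDSSKiller logs and compare a pre-cure run with a post-reboot rerun."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Line shapes taken from the log format posted in this thread.
_TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+"
DRIVER_RE = re.compile(_TS + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
DETECT_RE = re.compile(_TS + r"(?P<obj>\\\S+) - detected (?P<verdict>\S+)")
CURE_RE = re.compile(_TS + r"(?P<obj>\\\S+) - will be cured after reboot")
ACTION_RE = re.compile(_TS + r"(?P<verdict>\S+?)\((?P<obj>\\[^)]+)\) - User select action: (?P<action>\w+)")
COUNT_RE = re.compile(_TS + r"Detected object count: (?P<n>\d+)")


@dataclass
class TdssReport:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    detections: List[Tuple[str, str]] = field(default_factory=list)    # (object, verdict)
    pending_cure: List[str] = field(default_factory=list)              # objects cured at next boot
    actions: Dict[str, str] = field(default_factory=dict)              # object -> action chosen
    detected_count: Optional[int] = None


def parse_tdsskiller_log(text: str) -> TdssReport:
    """Pull driver inventory, detections and chosen actions out of one TDSSKiller log."""
    rep = TdssReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            rep.drivers[m["name"]] = (m["md5"], m["path"])
            continue
        m = DETECT_RE.match(line)
        if m:
            rep.detections.append((m["obj"], m["verdict"]))
            continue
        m = CURE_RE.match(line)
        if m:
            rep.pending_cure.append(m["obj"])
            continue
        m = ACTION_RE.match(line)
        if m:
            rep.actions[m["obj"]] = m["action"]
            continue
        m = COUNT_RE.match(line)
        if m:
            rep.detected_count = int(m["n"])
    return rep


def compare_runs(before: TdssReport, after: TdssReport) -> Dict[str, object]:
    """Triage a pre-cure log against the rerun taken after the reboot."""
    common = before.drivers.keys() & after.drivers.keys()
    after_objs = {obj for obj, _ in after.detections}
    return {
        "cured": [obj for obj, _ in before.detections if obj not in after_objs],
        "still_detected": list(after.detections),
        "new_drivers": sorted(after.drivers.keys() - before.drivers.keys()),
        "missing_drivers": sorted(before.drivers.keys() - after.drivers.keys()),
        # a driver whose hash changed between runs, with no update in between, deserves a second opinion
        "changed_hashes": {n: (before.drivers[n][0], after.drivers[n][0])
                           for n in sorted(common) if before.drivers[n][0] != after.drivers[n][0]},
        "clean": not after.detections and after.detected_count == 0,
    }


# Constructed sample logs, shortened to the same line shapes as the thread's log.
BEFORE_LOG = r"""
2010/12/14 17:12:40.0078 TDSS rootkit removing tool Dec 8 2010 14:46:40
2010/12/14 17:12:46.0015 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/14 17:12:46.0468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/14 17:12:52.0671 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/14 17:12:52.0687 Detected object count: 1
2010/12/14 17:14:07.0531 \HardDisk0 - will be cured after reboot
2010/12/14 17:14:07.0531 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""

# Assumed clean rerun after the reboot (not the poster's real second log).
AFTER_LOG = r"""
2010/12/14 22:22:19.0906 TDSS rootkit removing tool Dec 8 2010 14:46:40
2010/12/14 22:22:40.0781 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/14 22:22:41.0234 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/14 22:22:45.0000 Detected object count: 0
"""

if __name__ == "__main__":
    result = compare_runs(parse_tdsskiller_log(BEFORE_LOG), parse_tdsskiller_log(AFTER_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The driver list with MD5 hashes is the part of the log people skip over; the comparison keeps it, because a driver hash that changed between runs without a Windows Update in between is exactly the kind of file the helper sends to VirusTotal for a second opinion.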

#4 quietman7


Posted 14 December 2010 - 08:53 PM

This is the pertinent section of the log which indicates a TDSS rootkit infected the Master Boot Record (MBR) and that it will be cured after reboot.

2010/12/14 17:12:52.0671 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/14 17:12:52.0687 ================================================================================
2010/12/14 17:12:52.0687 Scan finished
2010/12/14 17:12:52.0687 ================================================================================
2010/12/14 17:12:52.0687 Detected object count: 1
2010/12/14 17:14:07.0531 \HardDisk0 - will be cured after reboot
2010/12/14 17:14:07.0531 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

This particular malware alters the MBR of the system drive to ensure persistent execution of malicious code. Essentially, it overwrites the MBR of the hard disk with its own code and stores a copy of the original MBR at another sector using rootkit techniques to hide itself. To learn more about these types of infections please refer to:

Please reboot if you have not done so already. Rerun TDSSKiller again and post the new log to confirm the infection was cured.

Rescan again with Malwarebytes Anti-Malware (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally will prevent Malwarebytes from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

The database in your previous log shows 5291. Last I checked it was 5312.

Try doing an online scan to see if it finds anything else (i.e. remnants) that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
  • This scan requires Internet Explorer to work. If using a different browser, you will be given the option to download and use the ESET Smart Installer.
  • Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green Posted Image button.
  • Read the End User License Agreement and check the box:
  • Check Posted Image.
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
  • Click the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • If offered the option to get information or buy software at any point, just close the window.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop as ESETScan.txt.
  • Push the Posted Image button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply.
Note: A log.txt file will also be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
If you did not save the ESETScan log, click Posted Image > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Click Ok and the scan results will open in Notepad.
  • Copy and paste the contents of log.txt in your next reply.
-- Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
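
The MBR overwrite and hidden backup copy described in the post, shown as a byte-level check. This is an added example, not part of the thread and not how TDSSKiller works internally; it relies only on the standard MBR layout (446 bytes of boot code, a 64-byte partition table, the 0x55AA signature). The sample sectors and the 64-sector disk image are constructed; the placeholder boot code and the sector where the copy is stashed are assumptions for the demonstration, not the layout TDL4 actually used.

```python
"""Inspect a 512-byte MBR the way an MBR bootkit leaves it: boot code replaced,
partition table intact, original sector stashed elsewhere on the disk."""
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 0x1BE      # 446 bytes of boot code
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries follow the code
SIGNATURE_OFF = 0x1FE      # 0x55 0xAA closes the sector
MBR_SIGNATURE = b"\x55\xaa"


def parse_partition_table(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four classic partition entries; empty slots (type 0) are skipped."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for slot in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * slot)
        if ptype:
            parts.append({"slot": slot, "bootable": int(status == 0x80), "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return parts


def inspect_mbr(sector: bytes, baseline_code_sha256: str) -> Dict[str, object]:
    """Check the signature, hash the boot code and compare it with a known-good hash."""
    code_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {
        "signature_ok": sector[SIGNATURE_OFF:SECTOR] == MBR_SIGNATURE,
        "code_sha256": code_hash,
        "code_matches_baseline": code_hash == baseline_code_sha256,
        "partitions": parse_partition_table(sector),
    }


def find_mbr_copies(image: bytes, live_mbr: bytes) -> List[int]:
    """Sector numbers (other than 0) carrying a valid signature and the live MBR's
    partition table but different boot code: the fingerprint of an original MBR
    that a bootkit saved so it can chain-load it after its own code has run."""
    table = live_mbr[PART_TABLE_OFF:SIGNATURE_OFF]
    hits = []
    for n in range(1, len(image) // SECTOR):
        s = image[n * SECTOR:(n + 1) * SECTOR]
        if (s[SIGNATURE_OFF:SECTOR] == MBR_SIGNATURE
                and s[PART_TABLE_OFF:SIGNATURE_OFF] == table
                and s[:BOOT_CODE_LEN] != live_mbr[:BOOT_CODE_LEN]):
            hits.append(n)
    return hits


# ---- constructed sample data (not taken from the machine in this thread) ----
def _build_mbr(boot_code: bytes, table: bytes) -> bytes:
    if len(table) != 64:
        raise ValueError("partition table is 4 x 16 bytes")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN] + table + MBR_SIGNATURE


# One bootable NTFS partition (type 0x07) at LBA 63, 2,097,152 sectors; CHS fields are placeholders.
SAMPLE_TABLE = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                           63, 2_097_152) + b"\x00" * 48
# Placeholder boot code standing in for the vendor MBR (cli / xor ax,ax / mov ss,ax / mov sp,7C00h ...).
CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100, SAMPLE_TABLE)
# Bootkit-style replacement: different code, identical partition table so the OS still boots.
INFECTED_MBR = _build_mbr(b"\xeb\xfe" + b"\xcc" * 200, SAMPLE_TABLE)
CLEAN_CODE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()


def sample_disk_image() -> bytes:
    """64-sector image: infected MBR at sector 0, the original stashed at sector 40 (assumed)."""
    sectors = [INFECTED_MBR] + [b"\x00" * SECTOR] * 63
    sectors[40] = CLEAN_MBR
    return b"".join(sectors)


if __name__ == "__main__":
    report = inspect_mbr(INFECTED_MBR, CLEAN_CODE_SHA256)
    print("signature ok:", report["signature_ok"],
          "| boot code matches baseline:", report["code_matches_baseline"])
    print("partitions:", report["partitions"])
    print("stashed MBR copies at sectors:", find_mbr_copies(sample_disk_image(), INFECTED_MBR))
```

On a live Windows machine the first sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` in an elevated prompt, and the baseline hash from a known-clean system with the same OEM boot code. Treat a clean result from such a read with caution: a kernel-mode rootkit that hides its MBR, as the post describes, can hand the original sector back to exactly that read, which is why the advice here is a dedicated tool, a reboot and a rerun rather than trusting one scan from inside the infected system.
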

#5 kpankov

Posted 15 December 2010 - 12:48 PM

Thanks. I didn't realize that my version of Malwarebytes was outdated. Several infections were found. Here are the new scan logs:

TDSS Killer:

2010/12/14 22:22:19.0906 TDSS rootkit removing tool Dec 8 2010 14:46:40
2010/12/14 22:22:19.0906 ================================================================================
2010/12/14 22:22:19.0906 SystemInfo:
2010/12/14 22:22:19.0906
2010/12/14 22:22:19.0906 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/14 22:22:19.0906 Product type: Workstation
2010/12/14 22:22:19.0906 ComputerName: OWNER-79E5D543B
2010/12/14 22:22:19.0906 UserName: Owner
2010/12/14 22:22:19.0906 Windows directory: C:\WINDOWS
2010/12/14 22:22:19.0906 System windows directory: C:\WINDOWS
2010/12/14 22:22:19.0906 Processor architecture: Intel x86
2010/12/14 22:22:19.0906 Number of processors: 2
2010/12/14 22:22:19.0906 Page size: 0x1000
2010/12/14 22:22:19.0906 Boot type: Normal boot
2010/12/14 22:22:19.0906 ================================================================================
2010/12/14 22:22:20.0515 Initialize success
2010/12/14 22:22:36.0875 ================================================================================
2010/12/14 22:22:36.0875 Scan started
2010/12/14 22:22:36.0875 Mode: Manual;
2010/12/14 22:22:36.0875 ================================================================================
2010/12/14 22:22:40.0781 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/14 22:22:40.0812 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/14 22:22:40.0859 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/14 22:22:40.0921 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/14 22:22:41.0187 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/14 22:22:41.0234 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/14 22:22:41.0281 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/14 22:22:41.0312 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/14 22:22:41.0375 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys
2010/12/14 22:22:41.0421 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2010/12/14 22:22:41.0468 AvgTdiX (92d8e1e8502e649b60e70074eb29c380) C:\WINDOWS\System32\Drivers\avgtdix.sys
2010/12/14 22:22:41.0546 BCM43XX (e7debb46b9ef1f28932e533be4a3d1a9) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/12/14 22:22:41.0593 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/14 22:22:47.0843 ================================================================================
2010/12/14 22:22:47.0843 Scan finished
2010/12/14 22:22:47.0843 ================================================================================


Malwarebytes' Anti-Malware 1.50

Database version: 5315

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

14/12/2010 10:34:58 PM
mbam-log-2010-12-14 (22-34-58).txt

Scan type: Quick scan
Objects scanned: 137726
Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\4RBPZMXX4S (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\msvideoz.dll (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\adgs.bat (Malware.Trace) -> Quarantined and deleted successfully.


C:\Documents and Settings\All Users\Documents\Server\hlp.dat Win32/Bamital.DZ trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\59\72a437bb-4f60d99b multiple threats deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\62\588b6b3e-3504215c a variant of Java/TrojanDownloader.OpenStream.NAS trojan deleted - quarantined
C:\Documents and Settings\Owner\Application Data\8BBDC3C511D5663D084FF0A653328A31\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Application Data\8BBDC3C511D5663D084FF0A653328A31\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\57\32952e79-72fb5a98 probably a variant of Java/TrojanDownloader.Agent.AB trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache8484937754900001933.tmp multiple threats deleted - quarantined
C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL a variant of Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL Win32/Toolbar.AskSBar application cleaned by deleting - quarantined
C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll Win32/Toolbar.MegaUpload application cleaned by deleting - quarantined
C:\WINDOWS\ajaqumofut.dll a variant of Win32/Cimag.CD trojan cleaned by deleting (after the next restart) - quarantined


#6 quietman7


Posted 15 December 2010 - 01:30 PM

How is your computer running now?
#7 kpankov

Posted 15 December 2010 - 07:52 PM

Everything seems to be fine, except this error message pops up after start-up. It says...

"Error loading C:\WINDOWS\ajaqumofut.dll The specified module could not be found."

Despite this error message, I have not noticed any problems with the computer, or any programs I ran.

Please let me know if any further action is needed. Thank you.

#8 quietman7


Posted 15 December 2010 - 11:06 PM

A "Cannot find...", "Could not run...", "Error loading..." or "specified module could not be found" message is usually related to a malware file that was set to run at startup in the registry but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry still remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there.
    Vista/Windows 7 users refer to these instructions.
  • Open the folder and double-click on autoruns.exe to launch it.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • If found, right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.
If you're going to keep and use Autoruns, be sure to read:
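A quick read-only check for the orphaned startup entries described above, added here as an example (it is not something the thread or its helpers provided): it walks the Run/RunOnce keys and reports entries whose target file no longer exists, including the rundll32 form that produces "Error loading C:\WINDOWS\<name>.dll". It assumes an elevated PowerShell session on the affected machine; the helper names Get-StartupTarget and Resolve-StartupFile are my own.

```powershell
# Added example, not from the thread: report Run/RunOnce entries whose file is missing.
# Read-only: it lists candidates for removal, it does not delete anything.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-StartupTarget {
    # Extract the file a startup command actually loads (hypothetical helper name).
    # Handles quoted paths, plain "path args", and rundll32 "<dll>,<entry>" commands,
    # where the DLL named before the comma is the file Windows complains about.
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd -match '^"([^"]+)"') {
        $exe  = $Matches[1]
        $rest = $cmd.Substring($Matches[0].Length).Trim()
    } else {
        $parts = $cmd -split '\s+', 2
        $exe   = $parts[0]
        $rest  = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }
    if ((Split-Path $exe -Leaf) -ieq 'rundll32.exe' -and $rest) {
        $dll = ($rest -split ',', 2)[0].Trim('"', ' ')
        return [Environment]::ExpandEnvironmentVariables($dll)
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Resolve-StartupFile {
    # A rooted path must exist as written; a bare name is looked up on the PATH.
    param([string]$Target)
    if ([IO.Path]::IsPathRooted($Target)) { return (Test-Path -LiteralPath $Target) }
    return [bool](Get-Command $Target -ErrorAction SilentlyContinue)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $target  = Get-StartupTarget -Command $command
        if (-not (Resolve-StartupFile -Target $target)) {
            # Orphaned entry: the registry still tells Windows to load a file that is gone
            [PSCustomObject]@{ Key = $key; Name = $name; Command = $command; MissingFile = $target }
        }
    }
}
```

This only covers the Run/RunOnce keys; Autoruns also inspects Winlogon, services, scheduled tasks and other load points, which is why the post recommends it for the actual removal.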
#9 kpankov

Posted 25 January 2011 - 10:34 PM


I followed the above step, and everything seemed to be fixed. My computer worked fine with no problems until about 2 days ago, when I received the same error message, "Generic Host Process for Win32 Services". I ran the same steps as before, and it seemed like everything was okay. However, now, after my computer has been on for a while, I get 2 messages at the same time.

One is a typical "... crashed" report, asking me whether I want to send an error report or not. It says that a program called "wrt.exe" crashed, and I have no idea what this program is. The other message says "The application failed to initialize properly (0xc0000142). Click on OK to terminate." The blue bar at the top of the window says "at.exe - Application Error". Whenever I click on OK, or just click on the close button, the same message pops up again.

I ran Malwarebytes, but it did not find any malware or infections. I even tried running TDSS Killer again, just in case, and it found no infections. Can you please tell me what actions need to be taken to fix this? Thanks.

Posted 26 January 2011 - 07:11 AM

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself or infect critical system files which cannot be cleaned. Sometimes there is an undetected hidden piece of malware such as a rootkit which protects malicious files and registry keys so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done, you will need to create and post a DDS log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the Malware Response Team.
#10 quietman7


Posted 26 January 2011 - 10:51 PM

Malware topic here: http://www.bleepingcomputer.com/forums/topic375964.html

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another MR Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.
