
Browser hijack/redirects/blue screen of death..


  • This topic is locked
12 replies to this topic

#1 thekitin

thekitin

  • Members
  • 12 posts

Posted 30 March 2011 - 08:22 PM

Hi,

Running Windows Vista Home Basic, 32-bit. I recently was infected with Antivirus System 2011 and about 10 other rogues. I used Malwarebytes and it seems to have removed them all. The computer IS in somewhat better shape, but I am still having major redirect issues on Google, an occasional blue screen of death, stalls and some locking up of programs, and a constant "Windows host process has stopped working" error, which removed my wallpaper and Vista color scheme! Please HELP :(

THANKS SO MUCH


Here are the DDS log file and the GMER and Attach attachments.

Attached File: ark.txt (19.97KB)
Attached File: Attach.txt (3.92KB)

THANKS!
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Mary at 18:32:25.11 on Wed 03/30/2011
Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_22
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {453BACFB-A054-453B-9740-A450324ABEA0} - No File
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - No File
TB: {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {620395C9-5C2B-4474-89B6-D2A63CEA2EF8} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [AdobeBridge]
uRun: [Driver Updater]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [eRecoveryService]
mRun: [CorelDRAW Graphics Suite 11b]
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxywXRhE
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
regfile=???????????
scrfile=???S??a?
.
=============== Created Last 30 ================
.
2011-03-30 02:38:46 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{63b8bcb4-affc-40b5-8ac9-28615b15edb5}\MpKsl725f0bd8.sys
2011-03-29 23:11:06 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{63b8bcb4-affc-40b5-8ac9-28615b15edb5}\MpKsl374ba5a6.sys
2011-03-26 21:12:41 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{7b3da039-6689-4c23-b87c-1e9f4892d36d}\gapaengine.dll
2011-03-26 21:11:13 6792528 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{63b8bcb4-affc-40b5-8ac9-28615b15edb5}\mpengine.dll
2011-03-23 00:54:38 -------- d-----w- c:\users\mary\appdata\roaming\Malwarebytes
2011-03-23 00:53:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-23 00:53:50 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-23 00:53:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 00:53:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-20 21:09:40 5943120 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-09 00:54:20 -------- d-----w- c:\program files\Enigma Software Group
2011-03-09 00:53:10 -------- d-----w- c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2011-03-07 03:32:36 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2011-03-07 02:11:30 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-05 19:40:58 -------- d-----w- c:\progra~2\STOPzilla!
.
==================== Find3M ====================
.
2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6000 Disk: Hitachi_ rev.P22O -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8792A59F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x879307b0]; MOV EAX, [0x8793082c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82027F3B] -> \Device\Harddisk0\DR0[0x84D74580]
3 nt[0x820B07E2] -> ntkrnlpa!IofCallDriver[0x82027F3B] -> [0x839A8608]
5 acpi[0x806D732A] -> ntkrnlpa!IofCallDriver[0x82027F3B] -> [0x839A5740]
\Driver\nvstor32[0x84D7D538] -> IRP_MJ_CREATE -> 0x8792A59F
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\00000070 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDS721616PLA#4&311ed49&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 18:36:19.29 ===============
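A triage script added here as an editor's example (it is not part of the thread or of DDS itself): it reads lines in the DDS "Pseudo HJT Report" format shown above and flags the entries a responder would look at first, namely an extra LSA authentication package next to the Windows default msv1_0, UAC switched off through EnableLUA = 0, and orphaned BHO, toolbar and Run entries. The sample report is constructed to mirror the lines in the log.

```python
import re
from typing import Dict, List

# Constructed sample in the DDS "Pseudo HJT Report" format, mirroring the
# lines from the log above (editor's example, not the original post).
SAMPLE_REPORT = """\
uStart Page = hxxp://google.com/
mPolicies-system: EnableLUA = 0 (0x0)
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\adobe\\acrobat 7.0\\activex\\AcroIEHelper.dll
TB: {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - No File
uRun: [AdobeBridge]
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\xxywXRhE
"""

# Windows ships a single default LSA authentication package, msv1_0.
# Anything else listed on the "LSA:" line is loaded into lsass.exe at boot
# and deserves a close look.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def lsa_extra_packages(line: str) -> List[str]:
    """Return the authentication packages on an 'LSA:' line that are not the default."""
    m = re.match(r"LSA:\s*Authentication Packages\s*=\s*(.*)", line)
    if not m:
        return []
    return [p for p in m.group(1).split() if p.lower() not in DEFAULT_AUTH_PACKAGES]


def triage_hjt_report(text: str) -> Dict[str, List[str]]:
    """Walk a Pseudo HJT Report and group the lines worth reviewing by category."""
    findings: Dict[str, List[str]] = {
        "lsa_packages": [],   # non-default LSA authentication packages
        "uac_disabled": [],   # EnableLUA = 0 policy lines
        "orphan_bho_tb": [],  # BHO/toolbar CLSIDs whose file is gone
        "empty_run": [],      # Run keys with a name but no command
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("LSA:"):
            findings["lsa_packages"].extend(lsa_extra_packages(line))
        elif line.startswith("mPolicies-system:") and re.search(r"EnableLUA\s*=\s*0\b", line):
            findings["uac_disabled"].append(line)
        elif line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings["orphan_bho_tb"].append(line)
        elif re.fullmatch(r"[um]Run:\s*\[[^\]]+\]", line):
            findings["empty_run"].append(line)
    return findings


if __name__ == "__main__":
    for category, lines in triage_hjt_report(SAMPLE_REPORT).items():
        print(f"{category}: {len(lines)}")
        for item in lines:
            print("   ", item)
```

Orphaned "No File" entries are leftovers rather than active code, but the LSA package is the one line here that would still execute at the next boot.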


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 31 March 2011 - 07:57 PM

Hi

Please do the following:

Download ComboFix from either of the links below. You must rename it to iexplore before saving it.
Save it to your desktop. Change the "Save as type" to "All Files".

**Note: In the event you already have ComboFix, delete it; this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

    -----------------------------------------------------------

  • Double click on the renamed ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------


Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 thekitin

thekitin
  • Topic Starter

  • Members
  • 12 posts

Posted 01 April 2011 - 01:01 AM

Hi, thanks. Here are the ComboFix results. However, it restarted my computer, and when I try to connect to the internet, opening Google Chrome or IE gives error messages that read "illegal operation on an item marked for registry delete". I rebooted and am in Safe Mode with Networking enabled, and it allowed me to run Google Chrome.

Thx

ComboFix 11-03-31.02 - Mary 04/01/2011 0:03.1.1 - x86
Running from: c:\users\Mary\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\INSTALL.LOG
c:\programdata\avcodec-51.dll
c:\programdata\avformat-51.dll
c:\programdata\avutil-49.dll
c:\programdata\swscale-0.dll
c:\users\Mary\AppData\Local\{4275BD14-852F-4417-8A26-7331A1407F53}
c:\users\Mary\AppData\Local\{4275BD14-852F-4417-8A26-7331A1407F53}\chrome.manifest
c:\users\Mary\AppData\Local\{4275BD14-852F-4417-8A26-7331A1407F53}\chrome\content\_cfg.js
c:\users\Mary\AppData\Local\{4275BD14-852F-4417-8A26-7331A1407F53}\chrome\content\overlay.xul
c:\users\Mary\AppData\Local\{4275BD14-852F-4417-8A26-7331A1407F53}\install.rdf
c:\users\Mary\AppData\Roaming\completescan
c:\users\Mary\AppData\Roaming\install
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\gotomon.log
c:\windows\system32\spool\prtprocs\w32x86\GoToPrintProcessor.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-01 to 2011-04-01 )))))))))))))))))))))))))))))))
.
.
2011-04-01 05:27 . 2011-04-01 05:27 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\MpKslb0f0c5c4.sys
2011-04-01 05:14 . 2011-04-01 05:30 -------- d-----w- c:\users\Mary\AppData\Local\temp
2011-04-01 05:14 . 2011-04-01 05:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-31 22:33 . 2011-03-31 22:33 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\MpKsl5eac8433.sys
2011-03-31 16:29 . 2011-03-31 16:29 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\MpKsl56f131ef.sys
2011-03-31 01:12 . 2011-03-31 01:12 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\MpKsl8c183935.sys
2011-03-30 02:38 . 2011-03-30 02:38 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\MpKsl725f0bd8.sys
2011-03-29 23:11 . 2011-03-29 23:11 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\MpKsl374ba5a6.sys
2011-03-26 21:12 . 2010-11-30 16:43 439632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7B3DA039-6689-4C23-B87C-1E9F4892D36D}\gapaengine.dll
2011-03-26 21:11 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\mpengine.dll
2011-03-23 00:54 . 2011-03-23 00:54 -------- d-----w- c:\users\Mary\AppData\Roaming\Malwarebytes
2011-03-23 00:53 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-23 00:53 . 2011-03-23 00:53 -------- d-----w- c:\programdata\Malwarebytes
2011-03-23 00:53 . 2011-03-23 00:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-23 00:53 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-20 21:09 . 2011-02-23 15:35 5943120 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-09 00:54 . 2011-03-09 00:54 -------- d-----w- c:\program files\Enigma Software Group
2011-03-09 00:53 . 2011-03-23 00:11 -------- d-----w- c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2011-03-07 03:32 . 2010-11-30 16:43 439632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-03-07 02:11 . 2011-03-07 02:15 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-05 19:40 . 2011-03-23 00:10 -------- d-----w- c:\programdata\STOPzilla!
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 09:41 . 2011-01-28 06:19 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7A38153E-3D21-4029-B2E8-825A410D05E0}\mpengine.dll
2011-01-13 08:47 . 2011-01-29 04:57 38848 ----a-w- c:\windows\avastSS.scr
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Camio Viewer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Camio Viewer.lnk
backup=c:\windows\pss\Camio Viewer.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Kodak Picture Easy 3.1 Batch Transfer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Kodak Picture Easy 3.1 Batch Transfer.lnk
backup=c:\windows\pss\Kodak Picture Easy 3.1 Batch Transfer.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Mary^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Introducing Media Manager.lnk]
path=c:\users\Mary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Introducing Media Manager.lnk
backup=c:\windows\pss\Introducing Media Manager.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
2010-10-22 02:09 319488 ----a-w- c:\acer\Empowering Technology\SysMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2010-08-20 11:03 33120 ----a-w- c:\program files\Alcohol Soft\Alcohol 52\AxAutoMntSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BellSouthWCC_McciTrayApp]
2006-03-10 18:01 543232 ----a-w- c:\program files\BellSouthWCC\McciTrayApp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-02-27 23:40 135664 ----atw- c:\users\Mary\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2010-11-30 19:20 997408 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-06-20 05:04 13535776 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-06-20 05:04 92704 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2008-06-20 05:04 547360 ----a-w- c:\windows\System32\nvsvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recordpad]
2008-01-07 21:07 577540 ----a-w- c:\program files\NCH Swift Sound\Recordpad\recordpad.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-02-15 09:07 4390912 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-09 03:01 1232896 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-10-09 11:43 729088 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-12-21 05:45 39424 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2006-11-02 12:34 2159104 ----a-w- c:\windows\System32\oobefldr.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-11-02 12:34 201728 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 MpKsl06571b86;MpKsl06571b86;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A101111C-F6DA-4C90-831F-4B0858668ECF}\MpKsl06571b86.sys [x]
R1 MpKsl1ae3b07b;MpKsl1ae3b07b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{366C991D-9138-4F2F-95AC-8596044C9025}\MpKsl1ae3b07b.sys [x]
R1 MpKsl1be2f2f5;MpKsl1be2f2f5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKsl1be2f2f5.sys [x]
R1 MpKsl29403807;MpKsl29403807;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A101111C-F6DA-4C90-831F-4B0858668ECF}\MpKsl29403807.sys [x]
R1 MpKsl2ce087a2;MpKsl2ce087a2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{366C991D-9138-4F2F-95AC-8596044C9025}\MpKsl2ce087a2.sys [x]
R1 MpKsl360024f7;MpKsl360024f7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKsl360024f7.sys [x]
R1 MpKsl45350d28;MpKsl45350d28;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKsl45350d28.sys [x]
R1 MpKsl51e5c217;MpKsl51e5c217;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{366C991D-9138-4F2F-95AC-8596044C9025}\MpKsl51e5c217.sys [x]
R1 MpKsl549b5845;MpKsl549b5845;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKsl549b5845.sys [x]
R1 MpKsl6c799674;MpKsl6c799674;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKsl6c799674.sys [x]
R1 MpKsl7dd0637c;MpKsl7dd0637c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{366C991D-9138-4F2F-95AC-8596044C9025}\MpKsl7dd0637c.sys [x]
R1 MpKsl8f3c4c76;MpKsl8f3c4c76;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKsl8f3c4c76.sys [x]
R1 MpKsl907c5618;MpKsl907c5618;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{366C991D-9138-4F2F-95AC-8596044C9025}\MpKsl907c5618.sys [x]
R1 MpKslb1c18eae;MpKslb1c18eae;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKslb1c18eae.sys [x]
R1 MpKslb642409b;MpKslb642409b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKslb642409b.sys [x]
R1 MpKslb68099ed;MpKslb68099ed;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKslb68099ed.sys [x]
R1 MpKslb9d386b0;MpKslb9d386b0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKslb9d386b0.sys [x]
R1 MpKslc8a58eb6;MpKslc8a58eb6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKslc8a58eb6.sys [x]
R1 MpKsle23e656c;MpKsle23e656c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKsle23e656c.sys [x]
R1 MpKsle7e4e4bc;MpKsle7e4e4bc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A101111C-F6DA-4C90-831F-4B0858668ECF}\MpKsle7e4e4bc.sys [x]
R1 MpKslf7ea2f43;MpKslf7ea2f43;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B7ED12DD-EE73-43D7-BB2A-B44AC4C26349}\MpKslf7ea2f43.sys [x]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\DRIVERS\WUSB54GCx86.sys [2007-03-11 256000]
R3 phaudlwr;Philips Audio Filter;c:\windows\system32\DRIVERS\phaudlwr.sys [2007-07-16 88320]
R3 PL-40R;CASIO USB MIDI;c:\windows\system32\Drivers\pl40rwdm.sys [2004-10-01 18048]
R3 SPC1300;USB2.0 PC Camera (SPC1300);c:\windows\system32\DRIVERS\spc1300.sys [2007-10-18 3033728]
R3 USB_RNDIS_VISTA;Westell WireSpeed Dual Connect Modem;c:\windows\system32\DRIVERS\usb8023.sys [2006-11-02 14848]
R3 XIRLINK;Dsc Pro Digital 640 Camera;c:\windows\system32\DRIVERS\C-itnt.sys [2000-04-27 447245]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-10-07 436792]
S1 MpKsl374ba5a6;MpKsl374ba5a6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\MpKsl374ba5a6.sys [2011-03-29 28752]
S1 MpKsl56f131ef;MpKsl56f131ef;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\MpKsl56f131ef.sys [2011-03-31 28752]
S1 MpKsl5eac8433;MpKsl5eac8433;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\MpKsl5eac8433.sys [2011-03-31 28752]
S1 MpKsl725f0bd8;MpKsl725f0bd8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\MpKsl725f0bd8.sys [2011-03-30 28752]
S1 MpKsl8c183935;MpKsl8c183935;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\MpKsl8c183935.sys [2011-03-31 28752]
S1 MpKslb0f0c5c4;MpKslb0f0c5c4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63B8BCB4-AFFC-40B5-8AC9-28615B15EDB5}\MpKslb0f0c5c4.sys [2011-04-01 28752]
S2 MMIndexer;Media Manager Indexer;c:\program files\Common Files\Microsoft Shared\Media Manager\airsvcu.exe [1997-07-15 136704]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLB0F0C5C4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LPDService REG_MULTI_SZ LPDSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-01 c:\windows\Tasks\User_Feed_Synchronization-{583723AE-DD54-48A3-B019-B58EE3723BA5}.job
- c:\windows\system32\msfeedssync.exe [2006-11-02 09:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{453BACFB-A054-453B-9740-A450324ABEA0} - (no file)
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-Driver Updater - (no file)
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-CorelDRAW Graphics Suite 11b - (no file)
MSConfigStartUp-Acer Assist Launcher - c:\program files\Acer Assist\launcher.exe
MSConfigStartUp-Acer Product Registration - c:\program files\Acer Registration\ACE1.exe
MSConfigStartUp-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
MSConfigStartUp-AdwareBot - c:\program files\AdwareBot\AdwareBot.exe
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-Apanel - c:\acersw\config\NewSetApanel.cmd
MSConfigStartUp-BM0f26f5cc - c:\windows\system32\aralsfyq.dll
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
MSConfigStartUp-eDataSecurity Loader - c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe
MSConfigStartUp-Etapon - c:\users\Mary\AppData\Local\utulogocelo.dll
MSConfigStartUp-GoToMyPC - c:\program files\Citrix\GoToMyPC\g2svc.exe
MSConfigStartUp-IS CfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe
MSConfigStartUp-iTunesHelper - e:\jpoe keep it real this be my folder\iTunesHelper.exe
MSConfigStartUp-jdyqgosn - c:\users\Mary\AppData\Local\sfiwbnhgs\nmppatlshdw.exe
MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
MSConfigStartUp-MSServer - c:\windows\system32\ssqPijgf.dll
MSConfigStartUp-osCheck - c:\program files\Norton Internet Security\osCheck.exe
MSConfigStartUp-PCMService - c:\acer\Empowering Technology\eMode\PCM\PCMService.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe
MSConfigStartUp-SandboxieControl - c:\program files\Sandboxie\SbieCtrl.exe
MSConfigStartUp-Sdasanomozolocem - c:\users\Mary\AppData\Local\deldsr.dll
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-WeatherWatcher - c:\program files\Weather Watcher\ww.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
AddRemove-Acer Registration - c:\program files\Acer Registration\uninstall.exe
AddRemove-{A7A34FC9-DF24-4A36-00AD-D4EFE94CC116} - e:\maxis\EAUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-01 00:28
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\Mary\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6000 Disk: Hitachi_ rev.P22O -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8792A59F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x879307b0]; MOV EAX, [0x8793082c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82027F3B] -> \Device\Harddisk0\DR0[0x84D61AD8]
3 nt[0x820B07E2] -> ntkrnlpa!IofCallDriver[0x82027F3B] -> [0x839B4870]
5 acpi[0x806D732A] -> ntkrnlpa!IofCallDriver[0x82027F3B] -> [0x839BD9D0]
\Driver\nvstor32[0x84D6D228] -> IRP_MJ_CREATE -> 0x8792A59F
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\00000075 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDS721616PLA#4&311ed49&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2786847773-3535864445-686843180-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CF61EA7F-D4B7-2BB3-06D3-B7BCC7431E46}*]
"haffagfiodjhpnmg"=hex:6b,61,6b,70,6e,68,61,64,68,65,6d,69,63,6f,61,66,6c,64,
6e,70,6b,64,00,00
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3264)
c:\windows\system32\UnToAnsi.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\rundll32.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\programdata\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxcccoms.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\tcpsvcs.exe
c:\program files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
c:\windows\system32\WUDFHost.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\RacAgent.exe
c:\windows\system32\lpremove.exe
c:\windows\system32\lpksetup.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-04-01 00:42:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-01 05:42
.
Pre-Run: 9,128,628,224 bytes free
Post-Run: 8,976,490,496 bytes free
.
- - End Of File - - DB634BB4F238C02212F21C80A9BA061C

#4 thekitin

thekitin
  • Topic Starter

  • Members
  • 12 posts

Posted 01 April 2011 - 01:06 AM

After posting the ComboFix results, I rebooted again in normal mode, and now Chrome and IE work.

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 01 April 2011 - 09:30 AM

Hi,

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


NEXT


Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
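As an added example (not part of CatByte's instructions, and not code from Kaspersky's TDSSKiller), here is a small Python parser for the TDSSKiller log format that gets pasted into threads like this one: it separates the driver inventory from the detection and cure lines, so a helper can confirm the detected-object count, see which objects are deferred to the reboot, and list drivers loaded from outside the Windows directory. The line shapes are assumptions read from such logs, and the sample lines and hashes are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample lines constructed for this example, modelled on the TDSSKiller 2.4.x
# log format; the MD5 values are placeholders, not hashes of real files.
SAMPLE_LOG = r"""
2011/04/01 17:31:48.0914 3364 Scan started
2011/04/01 17:31:48.0914 3364 Mode: Manual;
2011/04/01 17:31:49.0304 3364 ACPI (0123456789abcdef0123456789abcdef) C:\Windows\system32\drivers\acpi.sys
2011/04/01 17:32:00.0255 3364 int15 (fedcba9876543210fedcba9876543210) C:\Acer\Empowering Technology\eRecovery\int15.sys
2011/04/01 17:32:16.0667 3364 sptd (aaaabbbbccccddddeeeeffff00001111) C:\Windows\System32\Drivers\sptd.sys
2011/04/01 17:32:17.0478 3364 Tcpip (12341234123412341234123412341234) C:\Windows\system32\drivers\tcpip.sys
2011/04/01 17:32:17.0571 3364 Tcpip6 (12341234123412341234123412341234) C:\Windows\system32\DRIVERS\tcpip.sys
2011/04/01 17:32:22.0938 3364 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/01 17:32:22.0938 3364 Scan finished
2011/04/01 17:32:22.0969 1628 Detected object count: 1
2011/04/01 17:32:46.0525 1628 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/01 17:32:46.0541 1628 \HardDisk1 - ok
"""

# Every line starts with "YYYY/MM/DD HH:MM:SS.mmmm <thread id> <body>".
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
# Driver inventory entry: "<service name> (<md5>) <image path>".
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-fA-F]{32})\) (.+)$")
# Detection: "<object> - detected <verdict> (<n>)".
DETECT_RE = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")
# Cure action: "<object> (<verdict>) - <action text>".
ACTION_RE = re.compile(r"^(\S+) \((\S+)\) - (.+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")


@dataclass
class Report:
    drivers: List[Tuple[str, str, str]] = field(default_factory=list)   # (name, md5, path)
    detections: List[Tuple[str, str]] = field(default_factory=list)     # (object, verdict)
    actions: List[Tuple[str, str, str]] = field(default_factory=list)   # (object, verdict, action)
    detected_count: Optional[int] = None


def parse_tdsskiller(text: str) -> Report:
    """Split a TDSSKiller log into driver inventory, detections and cure actions.
    Lines matching none of the known shapes (banner, SystemInfo, "- ok") are skipped."""
    report = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(3)
        detect = DETECT_RE.match(body)
        if detect:
            report.detections.append((detect.group(1), detect.group(2)))
            continue
        driver = DRIVER_RE.match(body)  # before ACTION_RE, so a path containing " - " is not an action
        if driver:
            report.drivers.append((driver.group(1), driver.group(2).lower(), driver.group(3)))
            continue
        action = ACTION_RE.match(body)
        if action:
            report.actions.append((action.group(1), action.group(2), action.group(3)))
            continue
        count = COUNT_RE.match(body)
        if count:
            report.detected_count = int(count.group(1))
    return report


def pending_after_reboot(report: Report) -> List[str]:
    """Objects whose cure was deferred to the next reboot; confirm the reboot
    happened before trusting the next log."""
    return [obj for obj, _, action in report.actions if "after reboot" in action]


def count_matches(report: Report) -> bool:
    """True when the 'Detected object count' line agrees with the detection lines seen."""
    return report.detected_count == len(report.detections)


def drivers_outside_windows(report: Report, system_root: str = r"C:\Windows") -> List[Tuple[str, str]]:
    """Drivers whose image lives outside the Windows directory. A nonstandard path is a
    prompt to review the file, not a verdict: vendor drivers such as Acer's int15.sys
    legitimately load from their own folders."""
    prefix = system_root.lower().rstrip("\\") + "\\"
    return [(name, path) for name, _, path in report.drivers if not path.lower().startswith(prefix)]


def duplicate_hashes(report: Report) -> dict:
    """Service names sharing one image hash. TDSSKiller lists each service separately,
    so pairs like Tcpip/Tcpip6 sharing one file are normal; unexpected pairs deserve a look."""
    by_hash = {}
    for name, md5, _ in report.drivers:
        by_hash.setdefault(md5, []).append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    r = parse_tdsskiller(SAMPLE_LOG)
    print(f"{len(r.drivers)} drivers, detections={r.detections}, count ok={count_matches(r)}")
    print("pending reboot:", pending_after_reboot(r))
    print("outside Windows dir:", drivers_outside_windows(r))
```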


#6 thekitin

thekitin
  • Topic Starter

  • Members
  • 12 posts

Posted 01 April 2011 - 09:18 PM

OK, here ya go,

TDS scan


2011/04/01 17:31:34.0297 2364 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/01 17:31:34.0734 2364 ================================================================================
2011/04/01 17:31:34.0734 2364 SystemInfo:
2011/04/01 17:31:34.0734 2364
2011/04/01 17:31:34.0734 2364 OS Version: 6.0.6000 ServicePack: 0.0
2011/04/01 17:31:34.0734 2364 Product type: Workstation
2011/04/01 17:31:34.0734 2364 ComputerName: MARY-PC
2011/04/01 17:31:34.0734 2364 UserName: Mary
2011/04/01 17:31:34.0734 2364 Windows directory: C:\Windows
2011/04/01 17:31:34.0734 2364 System windows directory: C:\Windows
2011/04/01 17:31:34.0734 2364 Processor architecture: Intel x86
2011/04/01 17:31:34.0734 2364 Number of processors: 1
2011/04/01 17:31:34.0734 2364 Page size: 0x1000
2011/04/01 17:31:34.0734 2364 Boot type: Normal boot
2011/04/01 17:31:34.0734 2364 ================================================================================
2011/04/01 17:31:36.0216 2364 Initialize success
2011/04/01 17:31:48.0914 3364 ================================================================================
2011/04/01 17:31:48.0914 3364 Scan started
2011/04/01 17:31:48.0914 3364 Mode: Manual;
2011/04/01 17:31:48.0914 3364 ================================================================================
2011/04/01 17:32:22.0938 3364 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/01 17:32:22.0938 3364 ================================================================================
2011/04/01 17:32:22.0938 3364 Scan finished
2011/04/01 17:32:22.0938 3364 ================================================================================
2011/04/01 17:32:22.0969 1628 Detected object count: 1
2011/04/01 17:32:46.0525 1628 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/01 17:32:46.0541 1628 \HardDisk1 - ok
2011/04/01 17:32:46.0541 1628 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2011/04/01 17:32:54.0497 0976 Deinitialize success

MBAM


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6241

Windows 6.0.6000
Internet Explorer 7.0.6000.16982

4/1/2011 5:54:53 PM
mbam-log-2011-04-01 (17-54-53).txt

Scan type: Quick scan
Objects scanned: 150147
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESETSCAN


C:\ProgramData\Spybot - Search & Destroy\Recovery\FraudAntivirusSystemPro1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\FraudAntivirusSystemPro1.zip Win32/Bagle.gen.zip worm
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\2d80a0f3-2cbf845f a variant of Java/TrojanDownloader.OpenStream.NBF trojan

Thanks!

Mary

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 01 April 2011 - 10:09 PM

Hi, please do the following:

Visit ADOBE and download the latest version of Acrobat Reader (version X).
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 24 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 24 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u24 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u24-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


Please post a fresh DDS Log and advise how your computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 thekitin

thekitin
  • Topic Starter

  • Members
  • 12 posts

Posted 01 April 2011 - 11:28 PM

Doing your latest instructions now, and as of right now, redirects seemed to have stopped. No more blue screens or locking up today. Will post results of newest instructions asap! thanks so much

#9 thekitin

thekitin
  • Topic Starter

  • Members
  • 12 posts

Posted 02 April 2011 - 12:38 AM

Adobe and java updated.
Here's the newest DDS Scan. As I posted earlier, redirects seem to have stopped. No more blue screens or freeze-ups, and no more "host process for windows has stopped working", which was an everyday occurrence. Very pleased so far with the results and am VERY appreciative!!

Thanks so much!!

Mary

DDS (Ver_11-03-05.01) - NTFSx86
Run by Mary at 0:29:47.13 on Sat 04/02/2011
Internet Explorer: 7.0.6000.16982
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {620395C9-5C2B-4474-89B6-D2A63CEA2EF8} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-04-02 05:27:11 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{63b8bcb4-affc-40b5-8ac9-28615b15edb5}\MpKsl168944f8.sys
2011-04-02 05:11:13 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{63b8bcb4-affc-40b5-8ac9-28615b15edb5}\MpKsl4a8d8b76.sys
2011-04-01 23:08:09 -------- d-----w- c:\program files\ESET
2011-04-01 22:46:07 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{63b8bcb4-affc-40b5-8ac9-28615b15edb5}\MpKsl3c775d3a.sys
2011-04-01 22:34:26 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{63b8bcb4-affc-40b5-8ac9-28615b15edb5}\MpKsl63d1d482.sys
2011-04-01 05:42:50 -------- d-----w- c:\users\mary\appdata\local\temp
2011-04-01 05:38:31 -------- d-sh--w- C:\$RECYCLE.BIN
2011-04-01 04:59:18 98816 ----a-w- c:\windows\sed.exe
2011-04-01 04:59:18 89088 ----a-w- c:\windows\MBR.exe
2011-04-01 04:59:18 256512 ----a-w- c:\windows\PEV.exe
2011-04-01 04:59:18 161792 ----a-w- c:\windows\SWREG.exe
2011-03-26 21:12:41 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{7b3da039-6689-4c23-b87c-1e9f4892d36d}\gapaengine.dll
2011-03-26 21:11:13 6792528 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{63b8bcb4-affc-40b5-8ac9-28615b15edb5}\mpengine.dll
2011-03-23 00:54:38 -------- d-----w- c:\users\mary\appdata\roaming\Malwarebytes
2011-03-23 00:53:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-23 00:53:50 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-23 00:53:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 00:53:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-20 21:09:40 5943120 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-09 00:54:20 -------- d-----w- c:\program files\Enigma Software Group
2011-03-09 00:53:10 -------- d-----w- c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2011-03-07 03:32:36 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2011-03-07 02:11:30 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-05 19:40:58 -------- d-----w- c:\progra~2\STOPzilla!
.
==================== Find3M ====================
.
2011-04-02 05:18:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
.
============= FINISH: 0:32:44.72 ===============

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 02 April 2011 - 06:33 AM

You appear to still have issues with your WMI.

Let's try re-registering it.

Please do the following:

This needs to be done from an elevated command window:
  • Press the Start button > in the search box on the Start menu type in Cmd > when cmd.exe appears in the window above > right click the program and click Run as Administrator
  • Wait for the command window to open > type (or copy/paste) net stop winmgmt at the command prompt > press enter. Say yes to the prompts. This will stop the WMI so we can fix it. (Minimize the command window for the moment; we will re-use it later.)
  • Now navigate to C:\Windows\System32\wbem > locate, then right click on the folder Repository > rename it to Repository_bad
  • Go back to the elevated command window you used earlier and type net start winmgmt at the command prompt > press enter.
  • Now re-register the WMI by typing the following command at the command prompt, winmgmt /salvagerepository > press enter
  • This command will make Vista access the WMI folder and when it can't find it (due to your renaming it earlier) it should automatically fix all the errors caused by the old WMI files by creating new WMI components. This should only take a moment.
  • Type exit at the command prompt and reboot your computer.


Now please re-run DDS and post the resulting log

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
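The repository rebuild in the post above, written as an elevated PowerShell script. This is an added example, not CatByte's own script or anything from the thread; it assumes PowerShell 2.0 on Vista or Windows 7 and the documented winmgmt.exe switches /verifyrepository and /salvagerepository, and it adds one check the post does not have: it asks WMI whether the repository is actually inconsistent before moving anything.

```powershell
# Added example, not CatByte's own script: the WMI repository rebuild from the post above,
# as an elevated PowerShell script. Assumed: PowerShell 2.0 on Vista/Windows 7 and the
# documented winmgmt.exe switches /verifyrepository and /salvagerepository.
$ErrorActionPreference = 'Stop'

# Stopping winmgmt and renaming a folder under System32 both need administrator rights,
# so refuse to continue in a non-elevated window rather than fail halfway through.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open PowerShell with "Run as Administrator" and run this again.'
}

$wbem   = Join-Path $env:SystemRoot 'System32\wbem'
$repo   = Join-Path $wbem 'Repository'
$backup = Join-Path $wbem 'Repository_bad'   # same backup name the post uses

# Added check before touching anything: winmgmt can report whether the repository is
# consistent ("WMI repository is consistent"); if it is, the rebuild is not needed.
$verify = & winmgmt /verifyrepository 2>&1
if ("$verify" -match 'is consistent') {
    Write-Host 'WMI repository is consistent; nothing to rebuild.'
    return
}
Write-Host "winmgmt reports: $verify"

# Step 1 of the post: net stop winmgmt. -Force also stops services that depend on WMI
# (Security Center, IP Helper); they come back with the reboot at the end.
Stop-Service winmgmt -Force

# Step 2: move the repository aside instead of deleting it, so it can be put back if
# the rebuild goes wrong.
if (Test-Path $backup) { Remove-Item $backup -Recurse -Force }
Rename-Item -Path $repo -NewName 'Repository_bad'

# Steps 3 and 4: start WMI again and ask it to salvage; with the folder gone it builds a
# fresh repository from the MOF files listed under the Autorecover MOFs registry value.
Start-Service winmgmt
& winmgmt /salvagerepository

# Confirm the rebuild before rebooting: a basic query must succeed again.
$os = Get-WmiObject Win32_OperatingSystem
Write-Host ('WMI answers again: {0} SP{1}. Reboot now.' -f $os.Caption, $os.ServicePackMajorVersion)
```

Two caveats for anyone reusing this: a rebuilt repository only contains the classes whose MOF files Windows re-compiles automatically, so third-party WMI providers (some antivirus and management agents) may need their MOF files re-registered with mofcomp afterwards; and winmgmt also has a documented /resetrepository switch that performs a full reset on its own, which the rename-plus-salvage sequence in the post approximates by hand.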


#11 thekitin

thekitin
  • Topic Starter

  • Members
  • 12 posts

Posted 02 April 2011 - 01:13 PM

All previous instructions ran smooth without fail. A new repository folder was created. After rebooting, received an error message stating 'WMPNetworkSvc' did not start correctly. See system event log. I copied the error log at bottom of page. Thanks!
Mary
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Mary at 13:06:03.02 on Sat 04/02/2011
Internet Explorer: 7.0.6000.16982
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {620395C9-5C2B-4474-89B6-D2A63CEA2EF8} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-04-02 17:56:47 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{63b8bcb4-affc-40b5-8ac9-28615b15edb5}\MpKsl869fd072.sys
2011-04-02 17:50:44 -------- d-----w- c:\windows\system32\wbem\repository
2011-04-02 05:27:11 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{63b8bcb4-affc-40b5-8ac9-28615b15edb5}\MpKsl168944f8.sys
2011-04-02 05:11:13 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{63b8bcb4-affc-40b5-8ac9-28615b15edb5}\MpKsl4a8d8b76.sys
2011-04-01 23:08:09 -------- d-----w- c:\program files\ESET
2011-04-01 05:42:50 -------- d-----w- c:\users\mary\appdata\local\temp
2011-04-01 05:38:31 -------- d-sh--w- C:\$RECYCLE.BIN
2011-04-01 04:59:18 98816 ----a-w- c:\windows\sed.exe
2011-04-01 04:59:18 89088 ----a-w- c:\windows\MBR.exe
2011-04-01 04:59:18 256512 ----a-w- c:\windows\PEV.exe
2011-04-01 04:59:18 161792 ----a-w- c:\windows\SWREG.exe
2011-03-26 21:12:41 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{7b3da039-6689-4c23-b87c-1e9f4892d36d}\gapaengine.dll
2011-03-26 21:11:13 6792528 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{63b8bcb4-affc-40b5-8ac9-28615b15edb5}\mpengine.dll
2011-03-23 00:54:38 -------- d-----w- c:\users\mary\appdata\roaming\Malwarebytes
2011-03-23 00:53:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-23 00:53:50 -------- d-----w- c:\progra~2\Malwarebytes
2011-03-23 00:53:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-23 00:53:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-20 21:09:40 5943120 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-09 00:54:20 -------- d-----w- c:\program files\Enigma Software Group
2011-03-09 00:53:10 -------- d-----w- c:\windows\41EBC322660F4D16A0DF53147210CBDB.TMP
2011-03-07 03:32:36 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2011-03-07 02:11:30 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-05 19:40:58 -------- d-----w- c:\progra~2\STOPzilla!
.
==================== Find3M ====================
.
2011-04-02 05:18:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
.
============= FINISH: 13:08:37.00 ===============


System event log

Log Name: System
Source: Microsoft-Windows-WMPNSS-Service
Date: 4/2/2011 1:01:38 PM
Event ID: 14332
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Mary-PC
Description:
Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WMPNSS-Service" Guid="{6A2DC7C1-930A-4FB5-BB44-80B30AEBED6C}" EventSourceName="WMPNetworkSvc" />
<EventID Qualifiers="49165">14332</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-04-02T18:01:38.000Z" />
<EventRecordID>469755</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>Mary-PC</Computer>
<Security />
</System>
<EventData>
<Data Name="ServiceName">WMPNetworkSvc</Data>
<Data Name="ErrorCode">0x80070005</Data>
</EventData>
</Event>

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 02 April 2011 - 01:45 PM

Hi

That didn't fix the issues.

What service pack of Vista are you running?

Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80070005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.


That may be the problem.

Notice how DDS doesn't show your running processes, drivers or OS and AV information, which it should, similar to this log:


DDS (Ver_11-03-05.01) - NTFSx86
Run by Joe at 9:06:33.92 on 31/03/2011
internet explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1014.298 [GMT 1:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService



If you are only at service pack one > then update to service pack 2

If you already have service pack 2, then I would try a repair install.

http://support.microsoft.com/kb/935791#Method3

http://www.vistax64.com/tutorials/88236-repair-install-vista.html

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
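A PowerShell triage script for the questions CatByte raises above: the Vista service pack level, the state of the UPnPHost service the event names, and whether WMI answers the kind of queries a tool like DDS makes. This is an added example, not from the thread or from the DDS author. It assumes that DDS fills its OS, AV and running-process sections from WMI (which would explain why those sections are empty while WMI is broken); that is an inference from the post, not documented DDS behaviour. The HRESULT decoding is standard: 0x80070005 is E_ACCESSDENIED.

```powershell
# Added example, not from the thread: triage for the questions raised above.
# Assumed: DDS fills its OS/AV/process sections from WMI (inference from the post).
$report = @{}

# 1. OS and service pack: the answer to "what service pack of Vista are you running?"
#    If this throws, WMI itself is still the problem.
try {
    $os = Get-WmiObject Win32_OperatingSystem
    $report['OS'] = '{0} SP{1}' -f $os.Caption, $os.ServicePackMajorVersion
} catch {
    $report['OS'] = 'WMI query failed: ' + $_.Exception.Message
}

# 2. The running-process list is the same kind of query; count it rather than list it.
try   { $report['Processes'] = @(Get-WmiObject Win32_Process).Count }
catch { $report['Processes'] = 'WMI query failed' }

# 3. Registered antivirus products as the Security Center sees them. Vista and later
#    use the root\SecurityCenter2 namespace (XP used root\SecurityCenter).
try {
    $av = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct)
    $report['AV'] = if ($av.Count) { ($av | ForEach-Object { $_.displayName }) -join ', ' } else { 'none registered' }
} catch { $report['AV'] = 'SecurityCenter2 query failed' }

# 4. The two services from the event: the one that failed and the one it says to verify.
foreach ($name in 'upnphost', 'WMPNetworkSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $report[$name] = if ($svc) { $svc.Status } else { 'not installed' }
}

# 5. Recent copies of the event in the post (ID 14332) with the error code decoded.
#    0x80070005 is E_ACCESSDENIED: Win32 ERROR_ACCESS_DENIED wrapped as an HRESULT.
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WMPNSS-Service'; Id = 14332 }
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue)
$report['WMPNSSErrors'] = $events.Count
foreach ($e in $events) {
    # EventData order follows the XML in the post: ServiceName, then ErrorCode.
    $code    = $e.Properties[1].Value
    $meaning = if ($code -eq '0x80070005') { 'E_ACCESSDENIED' } else { 'unrecognised HRESULT' }
    Write-Host ('{0}: {1} failed with {2} ({3})' -f $e.TimeCreated, $e.Properties[0].Value, $code, $meaning)
}

$report.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
```

If the first three entries of the report read "WMI query failed" while the services show as Running, the WMI repository is still the fault rather than UPnP, which is the distinction the reply above is trying to draw from the empty DDS sections.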


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 08 April 2011 - 06:59 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




