
New Problems New Logs


  • This topic is locked
4 replies to this topic

#1 dljones


  • Members
  • 37 posts

Posted 15 November 2012 - 07:57 PM

I have been down this road before and thought everything was "clean." Having new problems in that Windows Services will start then quit and I cannot download and install new programs or Windows Updates etc. In particular, Windows Themes, Windows Desktop Manager, and Windows Update services will not operate properly and I cannot install any software updates or any other program for that matter. I think perhaps the whole cleaning process has messed things up a bit. Thanks for your help.... logs to follow:

DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 9.0.8112.16450 BrowserJavaVersion: 10.9.2
Run by Doug at 17:24:21 on 2012-11-15
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Norton Internet Security\Engine\19.9.0.9\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Windows\System32\svchost.exe -k NetworkServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.khou.com/
mStart Page = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: PBlockHelper Class: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - c:\program files\netscape accelerator\PBHelper.dll
BHO: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton internet security\engine\19.9.0.9\coieplg.dll
BHO: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton internet security\engine\19.9.0.9\ips\ipsbho.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: NOW!Imaging: {9AA2F14F-E956-44B8-8694-A5B615CDF341} - c:\program files\netscape accelerator\components\NOWImaging.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton internet security\engine\19.9.0.9\coieplg.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
mRun: [KBD] c:\hp\kbd\KbdStub.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:1073741823
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab
DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} - hxxps://support.dell.com/systemprofiler/SysProExe.CAB
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} - hxxp://ib.dancik.com/ib/download/actimage8.0915.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{176AA2CC-1C1A-41BD-8334-0DEA79F5EB0B} : DHCPNameServer = 192.168.2.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\doug\appdata\roaming\mozilla\firefox\profiles\5rfxry8u.default\
FF - prefs.js: browser.startup.homepage - hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtC0B0BzyyDyEyDtDyByE0C0E0C0FtN0D0Tzu0CtAtCzytN1L2XzutBtFtBtFtDtFtAyEyE&cr=294326415
FF - prefs.js: keyword.URL -
FF - prefs.js: browser.search.selectedEngine - Funmoods
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_110.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
FF - ExtSQL: 2012-09-23 16:46; {97E22097-9A2F-45b1-8DAF-36AD648C7EF4}; c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
FF - ExtSQL: 2012-10-12 20:06; {BBDA0591-3099-440a-AA10-41764D9DB4DB}; c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.1.3\IPSFFPlgn
FF - ExtSQL: 2012-10-14 08:16; {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}; c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_19.1.1.3\coFFPlgn
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://searchfunmoods.com/?f=1&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtC0B0BzyyDyEyDtDyByE0C0E0C0FtN0D0Tzu0CtAtCzytN1L2XzutBtFtBtFtDtFtAyEyE&cr=294326415
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://searchfunmoods.com/?f=2&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtC0B0BzyyDyEyDtDyByE0C0E0C0FtN0D0Tzu0CtAtCzytN1L2XzutBtFtBtFtDtFtAyEyE&cr=294326415
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://searchfunmoods.com/?f=3&a=download&chnl=download&cd=2XzuyEtN2Y1L1QzutDtDtC0B0BzyyDyEyDtDyByE0C0E0C0FtN0D0Tzu0CtAtCzytN1L2XzutBtFtBtFtDtFtAyEyE&cr=294326415&q=
FF - user.js: extensions.funmoods.id - 001BB9545074CECF
FF - user.js: extensions.funmoods.instlDay - 15658
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2219:2:4
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - download
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - download
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
.
============= SERVICES / DRIVERS ===============
.
R? AGCoreService;AG Core Services
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? cpuz136;cpuz136
R? esgiguard;esgiguard
R? ISLNDIS4;ISLNDIS4 Protocol Driver
R? ivusb;Initio Driver for USB Default Controller
R? MBAMScheduler;MBAMScheduler
R? MBAMService;MBAMService
R? PSMounter;Macrium Reflect Image Explorer Service
R? Revoflt;Revoflt
R? TsUsbFlt;TsUsbFlt
R? VST_DPV;VST_DPV
R? VSTHWBS2;VSTHWBS2
R? WatAdminSvc;Windows Activation Technologies Service
S? BHDrvx86;BHDrvx86
S? ccSet_NIS;Norton Internet Security Settings Manager
S? cpuz132;cpuz132
S? EraserUtilRebootDrv;EraserUtilRebootDrv
S? FreeAgentGoNext Service;Seagate Service
S? hcw18bda;Hauppauge WinTV 418 Driver
S? HsfXAudioService;HsfXAudioService
S? IDSVix86;IDSVix86
S? MBAMProtector;MBAMProtector
S? NIS;Norton Internet Security
S? pssnap;Paramount Software Snapshot Filter
S? ReflectService;Macrium Reflect Image Mounting Service
S? SymDS;Symantec Data Store
S? SymEFA;Symantec Extended File Attributes
S? SymIRON;Symantec Iron Driver
S? SymNetS;Symantec Network Security WFP Driver
.
=============== Created Last 30 ================
.
2012-11-15 01:40:42 -------- d-----w- c:\program files\AGI
2012-11-15 01:39:29 -------- d-----w- c:\programdata\agi
2012-11-14 22:11:32 -------- d-----w- c:\users\doug\appdata\local\{6CB3637E-A7FB-4B85-B15E-6F369D795CF0}
2012-11-12 23:42:10 -------- d-----w- c:\users\doug\appdata\local\{2B205D4F-3D42-40AD-BAF1-0DEF7B9F6E3C}
2012-11-11 17:00:18 6918632 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{6df1f4e8-19ba-4881-9099-b2fa46920df6}\mpengine.dll
2012-11-11 03:22:41 -------- d-----w- c:\users\doug\appdata\local\Macromedia
2012-11-11 02:14:18 -------- d-----w- c:\users\doug\appdata\local\VS Revo Group
2012-11-11 02:14:09 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-11-10 18:30:59 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-11-10 18:30:19 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-11-10 18:09:50 -------- d-----w- c:\program files\VS Revo Group
2012-11-10 17:17:21 -------- d-----w- c:\users\doug\appdata\local\{249BD392-91F2-44D7-A107-196F50DB7A8D}
2012-11-10 01:24:43 -------- d-----w- c:\users\doug\appdata\local\{A9CCFB7E-643B-473F-A34E-F827C023A515}
2012-11-10 01:10:52 -------- d-sh--w- C:\$RECYCLE.BIN
2012-11-10 00:05:09 -------- d-----w- c:\users\doug\appdata\local\temp
2012-11-09 22:43:43 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-09 02:27:11 -------- d-----w- C:\$WINDOWS.~BT
2012-11-07 22:38:51 -------- d-----w- c:\users\doug\appdata\local\{5556D98E-5D88-4928-A660-261209A50DAA}
2012-11-05 16:35:20 -------- d-----w- c:\windows\ERUNT
2012-11-05 16:35:19 -------- d-----w- C:\JRT
2012-11-05 13:04:13 -------- d-----w- c:\programdata\Malwarebytes
2012-11-05 13:04:12 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-05 13:04:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-11-05 12:36:27 -------- d-----w- c:\users\doug\appdata\local\{8D587621-750E-44FC-8EC6-03D9B50E7033}
2012-11-03 20:39:19 388096 ----a-r- c:\users\doug\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-11-03 20:39:18 -------- d-----w- c:\program files\Trend Micro
2012-11-03 18:31:32 -------- d-----w- c:\users\doug\appdata\local\{4A1D66A2-6FE7-4FF4-AC29-64A221645456}
2012-11-03 00:27:25 -------- d-----w- c:\users\doug\appdata\local\{E60891EB-AD6F-4FE9-9181-BA0AD96A09C8}
2012-11-02 21:58:06 -------- d-----w- c:\users\doug\appdata\local\{71CF6672-AB77-496F-A5FC-F239D05CC313}
2012-11-01 00:15:15 -------- d-----w- c:\users\doug\appdata\local\{CF3E3D88-2F9F-43EC-9ABC-3DC38D3DD040}
2012-10-30 20:38:19 -------- d-----w- c:\users\doug\appdata\local\{B8270136-800C-4D2E-8A36-B896B9FB24FB}
2012-10-29 21:55:32 -------- d-----w- c:\users\doug\appdata\local\{FDB4FA65-C6D0-4B53-BDC7-CAE5C063084E}
2012-10-29 01:05:01 -------- d-----w- c:\users\doug\appdata\local\{AF450F20-1031-4924-A0A5-551DEB1EB622}
2012-10-28 15:29:34 -------- d-----w- c:\users\doug\appdata\roaming\RealNetworks
2012-10-27 16:24:32 -------- d-----w- c:\users\doug\appdata\local\{02D26ADB-76BB-4007-8821-363D4D95F057}
2012-10-26 22:27:53 -------- d-----w- c:\users\doug\appdata\local\{9C9A6FC1-6C52-438A-8553-E97CFE03D70D}
2012-10-25 22:03:12 -------- d-----w- c:\users\doug\appdata\local\{940FCBE4-CA72-4A49-A7C9-102F43DDE28C}
2012-10-24 21:22:32 -------- d-----w- c:\users\doug\appdata\local\{BBD8EB40-E5DA-42C7-916B-98C6686DB80C}
2012-10-23 21:46:52 -------- d-----w- c:\users\doug\appdata\local\{8404CFB9-5F53-4671-B6D7-6A45CD0A6E81}
2012-10-22 20:42:31 -------- d-----w- c:\users\doug\appdata\local\{7E32A375-B227-4C6A-B16D-E4C013BF91C7}
2012-10-21 14:19:36 -------- d-----w- c:\users\doug\appdata\local\{BD85C05B-E5BB-4512-8A53-D07B0FF1B2FC}
2012-10-20 22:11:47 -------- d-----w- c:\users\doug\appdata\local\{32ED0EA9-FA6E-45FD-BADB-1E8B00B19348}
2012-10-19 21:41:59 -------- d-----w- c:\users\doug\appdata\local\{CFD91242-7222-4968-A257-27295145AD64}
2012-10-18 22:16:01 -------- d-----w- c:\users\doug\appdata\local\{3BE4631F-49E9-4956-A087-8343C5A34367}
2012-10-17 22:20:08 -------- d-----w- c:\users\doug\appdata\local\{F7F75A6E-DC3B-4B0A-A2E6-8BCCBC9F1E91}
2012-10-17 22:00:40 -------- d-----w- c:\program files\PC Tools
2012-10-17 21:57:15 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-10-17 21:57:15 -------- d-----w- c:\program files\common files\PC Tools
2012-10-17 21:56:45 -------- d-----w- c:\programdata\PC Tools
2012-10-17 21:56:44 -------- d-----w- c:\users\doug\appdata\roaming\TestApp
2012-10-17 00:53:56 -------- d-----w- c:\users\doug\appdata\local\{32827F55-ECB3-405D-8E0D-955CB7948FE9}
.
==================== Find3M ====================
.
2012-11-11 03:19:15 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-11-11 03:19:15 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-08 21:23:07 9575864 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-09-14 18:28:53 2048 ----a-w- c:\windows\system32\tzres.dll
2012-08-31 17:18:09 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-08-30 17:12:02 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-24 16:57:48 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16:54 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16:46 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16:46 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16:36 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 20:12:27 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-08-21 18:01:22 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 18:01:22 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-08-20 17:40:31 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-08-20 17:40:01 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-08-20 17:37:58 271360 ----a-w- c:\windows\system32\conhost.exe
2012-08-20 15:33:28 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
.
============= FINISH: 17:25:51.12 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-15 18:48:37
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\0000006a WDC_WD50 rev.12.0
Running: gmer.exe; Driver: C:\Users\Doug\AppData\Local\Temp\fftciaob.sys


---- System - GMER 1.0.15 ----

SSDT 8775B700 ZwAlertResumeThread
SSDT 8775B7E0 ZwAlertThread
SSDT 8775A0B8 ZwAllocateVirtualMemory
SSDT 86F3DEA8 ZwAlpcConnectPort
SSDT 8775CE90 ZwAssignProcessToJobObject
SSDT 8775B450 ZwCreateMutant
SSDT 8775CBB0 ZwCreateSymbolicLinkObject
SSDT 8775A500 ZwCreateThread
SSDT 8775CCA0 ZwCreateThreadEx
SSDT 8775CF70 ZwDebugActiveProcess
SSDT 8775A248 ZwDuplicateObject
SSDT 8775BEB0 ZwFreeVirtualMemory
SSDT 8775B540 ZwImpersonateAnonymousToken
SSDT 8775B620 ZwImpersonateThread
SSDT 86F3E4C8 ZwLoadDriver
SSDT 8775BDD0 ZwMapViewOfSection
SSDT 8775B370 ZwOpenEvent
SSDT 8775A3E8 ZwOpenProcess
SSDT 8775A188 ZwOpenProcessToken
SSDT 8775B1B0 ZwOpenSection
SSDT 8775A318 ZwOpenThread
SSDT 8775CDA0 ZwProtectVirtualMemory
SSDT 8775B8C0 ZwResumeThread
SSDT 8775BB60 ZwSetContextThread
SSDT 8775BC40 ZwSetInformationProcess
SSDT 8775B068 ZwSetSystemInformation
SSDT 8775B290 ZwSuspendProcess
SSDT 8775B9A0 ZwSuspendThread
SSDT 8775A5E0 ZwTerminateProcess
SSDT 8775BA80 ZwTerminateThread
SSDT 8775BD10 ZwUnmapViewOfSection
SSDT 8775BF80 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8304CA49 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830864D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 8308D510 4 Bytes [00, B7, 75, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10E0 8308D515 3 Bytes [B7, 75, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 8308D528 4 Bytes [B8, A0, 75, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 8308D534 4 Bytes [A8, DE, F3, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 8308D588 4 Bytes [90, CE, 75, 87] {NOP ; INTO ; JNZ 0xffffffffffffff8b}
.text ...
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 B38CB000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 B38CB123 629 Bytes [65, 8C, B3, FE, 05, 34, 65, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 B38CB399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F B38CB3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B B38CB4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer@GlobalAssocChangedCounter 4925
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo -900444768
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30262157
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo -900444768
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30262157
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3901751100-1000641821-2968842696-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo -900600768
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3901751100-1000641821-2968842696-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30262157
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3901751100-1000641821-2968842696-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo -900444768
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-3901751100-1000641821-2968842696-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30262157
Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_svchost.exe_Winm_46ebc188aa3c829c18e279766572bdd8afcb9b9a_03874ad5
Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles@CheckingForSolutionDialog 0x3C 0x01 0x07 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@NewClientID 9

---- EOF - GMER 1.0.15 ----


#2 dljones

  • Topic Starter

  • Members
  • 37 posts

Posted 16 November 2012 - 09:58 AM

Bump :>

#3 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 20 November 2012 - 01:47 PM

Hi dljones,

Welcome back to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

When you had malware last time, I assume this was the topic where you were helped? http://www.bleepingcomputer.com/forums/topic474226.html (I just want to make sure it's the same computer.)

When did you start noticing the problems you described with Windows Services? It's possible that the malware caused it, but knowing when you first noticed problems could help us answer this better.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#4 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 26 November 2012 - 10:07 AM

dljones,

It has been six days since my last post. Do you still need help?

If you do, please follow my previous instructions.
Regards,
Jason

 



#5 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.

Posted 01 December 2012 - 04:36 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Regards,
Jason

 





