
"EAT @explorer.com", IHSelfDeleteTASK, IHUninstallTrackingTASK


30 replies to this topic

#1 *bleepinglaptop*

*bleepinglaptop*

  • Members
  • 22 posts

Posted 15 December 2013 - 07:29 AM

Hello,

 

Referred from here: http://www.bleepingcomputer.com/forums/t/517454/eat-explorercom/ ~ OB

 

I'd very much appreciate your help in sorting out my computer.

 

It's been running very slow over the last few days, and so I ran CCleaner today, deleted various bits of junk, and then noticed in the Startup list there were:

 

  • IHSelfDeleteTASK
  • IHUninstallTrackingTASK

which looked suspicious, so I looked them up, found this Bleeping Computer post, and have been roughly following the guidance given there all day i.e.

 

  1. Downloaded and ran RogueKiller (several times) - deleted all the registry entries and clicked all the fix buttons, but in the Driver tab there were quite a few listings (which I don't really understand). I think quite a few were related to the Trusteer Rapport software and ZoneAlarm, so I temporarily disabled those and ran RogueKiller again, but it was showing 3 "EAT @explorer.exe" entries - are these anything to worry about?
  2. Have also run AdwCleaner, Junkware Removal Tool, and ComboFix (to be honest I can't remember in which order) and have deleted (I think) anything they reported.
  3. I ran RogueKiller again, which is still showing the 3 "EAT @explorer.exe" entries.
  4. Have also partially run Malwarebytes Anti-Malware (scans were taking so long that I tried the other scanning software suggested first), but I did notice that "Enable filesystem protection" and "Enable malicious website blocking" had been disabled - I have now re-enabled them.
  5. I then ran the Malwarebytes Anti-Rootkit tool (which wouldn't run at first - I got a "DDA driver was not installed" message, so I had to restart (manually) and then the scan continued), but it has just finished and apparently found nothing.
  6. I have since reinstalled ZoneAlarm and Trusteer Rapport and reactivated MS Security Essentials realtime protection, after I ran DDS (and have since had a ZoneAlarm message popup advising me 'DDS Doesn't Do Squat' was trying to access the internet - I clicked on Deny). Sorry - I had already done this before reading hamluis's post advising not to make any further changes to my computer.
  7. I've posted in the "Am I infected?" forum, and Toffee has advised me to run DDS - please see the DDS.txt report below:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16526  BrowserJavaVersion: 10.45.2
Run by Me at 17:25:58 on 2013-12-14
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2045.828 [GMT 0:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Polar\Daemon\polard.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\Polar\WebSync\WebSync.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
mRun: [HSON] c:\program files\toshiba\tbs\HSON.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [SmoothView] c:\program files\toshiba\smoothview\SmoothView.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\polarw~1.lnk - c:\program files\polar\websync\WebSync.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{066DE6DE-8342-4DCE-9FEE-C20BFCA2A5F9} : DHCPNameServer = 192.168.1.254
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\me\appdata\roaming\mozilla\firefox\profiles\h2thvyj6.default-1387011424951\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2012-8-19 21504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-22 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-22 701512]
R2 Polar Daemon;Polar Daemon;c:\program files\polar\daemon\polard.exe [2012-12-12 419536]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2006-12-15 7168]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-22 22856]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2012-8-19 19968]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2012-12-1 36608]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104768]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-10-23 280288]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2013-12-14 16:04:08    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-12-14 16:03:00    --------    d-----w-    C:\MalwareBytes RootKit
2013-12-14 16:00:51    74456    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-12-14 14:39:47    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-12-14 14:24:26    98816    ----a-w-    c:\windows\sed.exe
2013-12-14 14:24:26    256000    ----a-w-    c:\windows\PEV.exe
2013-12-14 14:24:26    208896    ----a-w-    c:\windows\MBR.exe
2013-12-14 14:10:05    --------    d-----w-    c:\windows\ERUNT
2013-12-14 13:32:52    --------    d-----w-    C:\AdwCleaner
2013-12-14 12:05:44    --------    d-----w-    c:\users\me\appdata\local\CrashDumps
2013-12-13 22:52:17    --------    d-----w-    c:\windows\pss
2013-12-13 20:11:56    7772552    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{9474d1f5-3ae9-4db6-a743-fb7a0578b344}\mpengine.dll
2013-12-12 20:05:22    7772552    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-12-11 07:42:00    2050560    ----a-w-    c:\windows\system32\win32k.sys
2013-12-11 07:41:57    1304064    ----a-w-    c:\windows\system32\WMALFXGFXDSP.dll
2013-12-11 07:41:56    335360    ----a-w-    c:\windows\system32\SysFxUI.dll
2013-12-11 07:41:56    167936    ----a-w-    c:\windows\system32\drivers\portcls.sys
2013-12-11 07:41:56    130048    ----a-w-    c:\windows\system32\drivers\drmk.sys
2013-12-11 07:41:48    155648    ----a-w-    c:\windows\system32\wscript.exe
2013-12-11 07:41:48    131072    ----a-w-    c:\windows\system32\wshom.ocx
2013-12-11 07:41:47    36864    ----a-w-    c:\windows\system32\wshcon.dll
2013-12-11 07:41:47    172032    ----a-w-    c:\windows\system32\scrrun.dll
2013-12-11 07:41:47    135168    ----a-w-    c:\windows\system32\cscript.exe
2013-12-11 07:41:42    158208    ----a-w-    c:\windows\system32\imagehlp.dll
2013-12-06 02:09:23    719224    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{16655244-0dea-4454-bd93-9057ddbfb701}\gapaengine.dll
.
==================== Find3M  ====================
.
2013-12-11 08:15:55    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 08:15:55    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-11-19 10:21:30    230048    ------w-    c:\windows\system32\MpSigStub.exe
2013-11-14 22:50:50    1806848    ----a-w-    c:\windows\system32\jscript9.dll
2013-11-14 22:42:41    1129472    ----a-w-    c:\windows\system32\wininet.dll
2013-11-14 22:42:32    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-11-14 22:38:54    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-11-14 22:38:16    420864    ----a-w-    c:\windows\system32\vbscript.dll
2013-11-14 22:35:52    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-10-11 02:08:02    444928    ----a-w-    c:\windows\system32\IKEEXT.DLL
2013-10-11 02:07:57    596480    ----a-w-    c:\windows\system32\FWPUCLNT.DLL
2013-10-08 06:50:41    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-10-03 12:45:50    297984    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-03 12:45:45    993792    ----a-w-    c:\windows\system32\crypt32.dll
2013-09-27 09:53:06    214696    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2013-09-27 09:53:06    104768    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
.
============= FINISH: 17:27:36.70 ===============
 

 

So to sum up, I'm not sure exactly what malware had installed itself on my system (if anything?) and if it has / had installed, whether or not I've removed it.

 

Many thanks for your help with this.

 

UPDATES:

 

(1) I have just run a full Malwarebytes Anti-Malware scan in Safe Mode, and no malicious items were detected. I am still concerned that there is something lurking on my system though...

 

(2) Have just run RogueKiller again, also in Safe Mode, and the 3 "EAT @explorer.exe" entries did not show up.

 

(3) As I had made changes to my laptop (reinstalled / reactivated software) after running DDS, I have run DDS again today:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16526  BrowserJavaVersion: 10.45.2
Run by Me at 12:05:03 on 2013-12-15
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.44.1033.18.2045.824 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Polar\WebSync\WebSync.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Polar\Daemon\polard.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Me\Desktop\RogueKiller(2).exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [TPwrMain] c:\program files\toshiba\power saver\TPwrMain.EXE
mRun: [HSON] c:\program files\toshiba\tbs\HSON.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [SmoothView] c:\program files\toshiba\smoothview\SmoothView.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\polarw~1.lnk - c:\program files\polar\websync\WebSync.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {C08CAF1D-C0A3-40D5-9970-06D067EAC017} - http://www.webtip.ch/cgi-bin/toshiba/tracker_url.pl?EN
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{066DE6DE-8342-4DCE-9FEE-C20BFCA2A5F9} : DHCPNameServer = 192.168.1.254
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\me\appdata\roaming\mozilla\firefox\profiles\h2thvyj6.default-1387011424951\
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20913.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
FF - ExtSQL: 2013-12-15 10:38; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\me\appdata\roaming\mozilla\firefox\profiles\h2thvyj6.default-1387011424951\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R1 MpKslf80e0360;MpKslf80e0360;c:\programdata\microsoft\microsoft antimalware\definition updates\{6f185a6a-4162-450a-95d4-25c0eb792120}\MpKslf80e0360.sys [2013-12-15 40392]
R1 RapportCerberus_59849;RapportCerberus_59849;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_59849.sys [2013-12-14 340432]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-12-2 155704]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-12-2 228888]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2012-8-19 21504]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-22 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-22 701512]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104768]
R2 Polar Daemon;Polar Daemon;c:\program files\polar\daemon\polard.exe [2012-12-12 419536]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-12-2 1444120]
R2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files\checkpoint\zonealarm\ZAPrivacyService.exe [2013-10-15 50704]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2006-12-15 7168]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-22 22856]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-10-23 280288]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2012-8-19 19968]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2012-12-1 36608]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
.
=============== Created Last 30 ================
.
2013-12-15 11:53:44    40392    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{6f185a6a-4162-450a-95d4-25c0eb792120}\MpKslf80e0360.sys
2013-12-15 11:53:39    26624    ----a-w-    c:\windows\system32\TrueSight.sys
2013-12-15 10:34:00    7772552    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{6f185a6a-4162-450a-95d4-25c0eb792120}\mpengine.dll
2013-12-14 18:24:10    --------    d-----w-    c:\program files\Trusteer
2013-12-14 17:54:02    --------    d-----w-    C:\39026837e1c59f4847aa
2013-12-14 17:49:29    7772552    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-12-14 16:04:08    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-12-14 16:03:00    --------    d-----w-    C:\MalwareBytes RootKit
2013-12-14 16:00:51    74456    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-12-14 14:39:47    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-12-14 14:24:26    98816    ----a-w-    c:\windows\sed.exe
2013-12-14 14:24:26    256000    ----a-w-    c:\windows\PEV.exe
2013-12-14 14:24:26    208896    ----a-w-    c:\windows\MBR.exe
2013-12-14 14:10:05    --------    d-----w-    c:\windows\ERUNT
2013-12-14 13:32:52    --------    d-----w-    C:\AdwCleaner
2013-12-14 12:05:44    --------    d-----w-    c:\users\me\appdata\local\CrashDumps
2013-12-13 22:52:17    --------    d-----w-    c:\windows\pss
2013-12-11 07:42:00    2050560    ----a-w-    c:\windows\system32\win32k.sys
2013-12-11 07:41:57    1304064    ----a-w-    c:\windows\system32\WMALFXGFXDSP.dll
2013-12-11 07:41:56    335360    ----a-w-    c:\windows\system32\SysFxUI.dll
2013-12-11 07:41:56    167936    ----a-w-    c:\windows\system32\drivers\portcls.sys
2013-12-11 07:41:56    130048    ----a-w-    c:\windows\system32\drivers\drmk.sys
2013-12-11 07:41:48    155648    ----a-w-    c:\windows\system32\wscript.exe
2013-12-11 07:41:48    131072    ----a-w-    c:\windows\system32\wshom.ocx
2013-12-11 07:41:47    36864    ----a-w-    c:\windows\system32\wshcon.dll
2013-12-11 07:41:47    172032    ----a-w-    c:\windows\system32\scrrun.dll
2013-12-11 07:41:47    135168    ----a-w-    c:\windows\system32\cscript.exe
2013-12-11 07:41:42    158208    ----a-w-    c:\windows\system32\imagehlp.dll
2013-12-06 02:09:23    719224    ------w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{16655244-0dea-4454-bd93-9057ddbfb701}\gapaengine.dll
2013-12-02 19:00:04    107256    ----a-w-    c:\windows\system32\drivers\RapportKELL.sys
.
==================== Find3M  ====================
.
2013-12-11 08:15:55    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-11 08:15:55    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-11-19 10:21:30    230048    ------w-    c:\windows\system32\MpSigStub.exe
2013-11-14 22:50:50    1806848    ----a-w-    c:\windows\system32\jscript9.dll
2013-11-14 22:42:41    1129472    ----a-w-    c:\windows\system32\wininet.dll
2013-11-14 22:42:32    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-11-14 22:38:54    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-11-14 22:38:16    420864    ----a-w-    c:\windows\system32\vbscript.dll
2013-11-14 22:35:52    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2013-10-11 02:08:02    444928    ----a-w-    c:\windows\system32\IKEEXT.DLL
2013-10-11 02:07:57    596480    ----a-w-    c:\windows\system32\FWPUCLNT.DLL
2013-10-08 06:50:41    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-10-03 12:45:50    297984    ----a-w-    c:\windows\system32\gdi32.dll
2013-10-03 12:45:45    993792    ----a-w-    c:\windows\system32\crypt32.dll
2013-09-27 09:53:06    214696    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2013-09-27 09:53:06    104768    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
.
============= FINISH: 12:07:46.00 ===============


Edited by Orange Blossom, 15 December 2013 - 07:42 AM.
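The two DDS reports above differ mostly because ZoneAlarm and Trusteer Rapport were reinstalled and Microsoft Security Essentials was re-enabled between the runs, but reading that off two 200-line logs by eye is error-prone. The script below is an added example, not part of the original post and not a DDS or BleepingComputer tool: it parses the section layout DDS prints (banner lines of `=` signs, a lone `.` as spacer, the AV:/SP:/FW: summary lines above the first banner) and diffs two reports by a stable key per section, so a driver or service that appeared between runs, or one whose start type changed, is listed explicitly. The sample reports are constructed excerpts of the two logs above; the section names, the "Security Products" label for the preamble and the key rules are assumptions taken from that log format, not a documented DDS interface.

```python
"""Diff two DDS.txt reports section by section (added example, not part of DDS)."""
import re
from typing import Dict

Entries = Dict[str, str]     # stable key -> the line as DDS printed it
Report = Dict[str, Entries]  # section title -> entries

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")   # "=== Running Processes ===" -> title
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);")   # "R2 NisDrv;..." -> "NisDrv"
PREAMBLE = "Security Products"  # assumed name for the AV:/SP:/FW: lines above the first banner

def entry_key(section: str, line: str) -> str:
    """Part of a line that identifies the same item in both runs."""
    if section == PREAMBLE:
        return line.split(" *", 1)[0].lower()   # "AV: Microsoft Security Essentials"
    if section == "SERVICES / DRIVERS":
        m = SERVICE_RE.match(line)              # key on the name, so S3 -> R2 is 'changed'
        return m.group(1).lower() if m else line.lower()
    return line.lower()                          # process paths differ only in case

def parse_dds(text: str) -> Report:
    report: Report = {PREAMBLE: {}}
    section = PREAMBLE
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            if banner.group(1).startswith("FINISH"):
                break                           # trailer; nothing follows it
            section = banner.group(1)
            report.setdefault(section, {})
            continue
        if not line or line == ".":
            continue                            # DDS uses a lone '.' as a spacer
        if section == PREAMBLE and not line.startswith(("AV:", "SP:", "FW:")):
            continue                            # version/OS banner lines are not inventory
        report[section][entry_key(section, line)] = line
    return report

def diff_reports(old: Report, new: Report) -> Dict[str, Dict[str, list]]:
    """Per section with differences: added, removed and (old, new) changed lines."""
    out: Dict[str, Dict[str, list]] = {}
    for section in sorted(set(old) | set(new)):
        a, b = old.get(section, {}), new.get(section, {})
        added = [b[k] for k in sorted(set(b) - set(a))]
        removed = [a[k] for k in sorted(set(a) - set(b))]
        changed = [(a[k], b[k]) for k in sorted(set(a) & set(b)) if a[k] != b[k]]
        if added or removed or changed:
            out[section] = {"added": added, "removed": removed, "changed": changed}
    return out

# Constructed excerpts of the two DDS runs in the post above (14 and 15 December 2013).
DDS_BEFORE = r"""
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Program Files\CCleaner\CCleaner.exe
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104768]
.
============= FINISH: 17:27:36.70 ===============
"""

DDS_AFTER = r"""
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Program Files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe
C:\Users\Me\Desktop\RogueKiller(2).exe
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-9-27 214696]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-12-2 155704]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 104768]
R2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files\checkpoint\zonealarm\ZAPrivacyService.exe [2013-10-15 50704]
.
============= FINISH: 12:07:46.00 ===============
"""

def main() -> None:
    for section, rows in diff_reports(parse_dds(DDS_BEFORE), parse_dds(DDS_AFTER)).items():
        print(f"[{section}]")
        for line in rows["added"]:
            print("  + " + line)
        for line in rows["removed"]:
            print("  - " + line)
        for before, after in rows["changed"]:
            print("  ~ " + before + "\n    " + after)

if __name__ == "__main__":
    main()
```

Run stand-alone it prints the new R1 Rapport driver and ZoneAlarm service, the CCleaner process that is no longer running, the MSE line flipping from Disabled to Enabled, and NisDrv moving from S3 (on-demand) to R2 (auto-start). Services are keyed on their name, so a path change under the same name also surfaces as a changed row; the Created Last 30 and Find3M sections have no stable key and fall back to whole-line comparison, which is fine because their lines only ever appear or disappear. The useful reading of such a diff is the entry you did not cause yourself: here every addition matches software the poster says they reinstalled, plus TrueSight.sys, which the second report's Created Last 30 list dates to the RogueKiller run.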


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 December 2013 - 09:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Nothing suspicious was found on your DDS logs.
Let's check further.

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please restart the computer before running this security check.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#3 *bleepinglaptop*

*bleepinglaptop*
  • Topic Starter

  • Members
  • 22 posts

Posted 19 December 2013 - 03:24 AM

Hello nasdaq,

 

Thank you for your reply & for helping me :)

 

I have run AdwCleaner again, and here is the log that was just produced (NB: I will post the log from the first time I ran AdwCleaner underneath it for comparison). The latest AdwCleaner scan appears to show nothing, but I am still concerned that something is lurking on my laptop - for one thing, the processor is constantly noisy at the moment, and I'm not sure why:

 

AdwCleaner - Latest log:

 

# AdwCleaner v3.015 - Report created 19/12/2013 at 08:04:44
# Updated 10/12/2013 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Me - OURLAPTOP
# Running from : C:\Users\Me\Desktop\adwcleaner(3).exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526


-\\ Mozilla Firefox v25.0.1 (en-GB)

[ File : C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\h2thvyj6.default-1387011424951\prefs.js ]


[ File : C:\Users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\uaayti40.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [2234 octets] - [14/12/2013 13:33:03]
AdwCleaner[R1].txt - [1006 octets] - [14/12/2013 13:44:27]
AdwCleaner[R2].txt - [1069 octets] - [14/12/2013 14:00:19]
AdwCleaner[R3].txt - [1130 octets] - [14/12/2013 14:02:49]
AdwCleaner[R4].txt - [1190 octets] - [14/12/2013 14:08:57]
AdwCleaner[R5].txt - [404 octets] - [14/12/2013 14:22:41]
AdwCleaner[R6].txt - [1310 octets] - [14/12/2013 14:41:13]
AdwCleaner[R7].txt - [1370 octets] - [14/12/2013 15:08:08]
AdwCleaner[R8].txt - [1230 octets] - [19/12/2013 08:04:44]
AdwCleaner[S0].txt - [2339 octets] - [14/12/2013 13:36:18]
AdwCleaner[S1].txt - [1452 octets] - [14/12/2013 15:15:00]

########## EOF - C:\AdwCleaner\AdwCleaner[R8].txt - [1410 octets] ##########

AdwCleaner - First log ("R0" in the list above):

# AdwCleaner v3.015 - Report created 14/12/2013 at 13:33:03
# Updated 10/12/2013 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Me - OURLAPTOP
# Running from : C:\Users\Me\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found C:\ProgramData\Ask
Folder Found C:\Users\Me\AppData\Local\PackageAware
Folder Found C:\Users\Me\AppData\LocalLow\Conduit
Folder Found C:\Users\Me\AppData\Roaming\CheckPoint\ZoneAlarm LTD Toolbar
Folder Found C:\Users\Ian\AppData\Roaming\CheckPoint\ZoneAlarm LTD Toolbar

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZoneAlarm LTD Toolbar
Key Found : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Value Found : HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist [1]

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16526


-\\ Mozilla Firefox v25.0.1 (en-GB)

[ File : C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\h2thvyj6.default-1387011424951\prefs.js ]


[ File : C:\Users\Ian\AppData\Roaming\Mozilla\Firefox\Profiles\uaayti40.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [2094 octets] - [14/12/2013 13:33:03]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2154 octets] ##########

Here is the latest Junkware Removal Tool log (NB JRT asked me to reboot my PC during the scan, in order to remove a module which it had found):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows Vista ™ Home Premium x86
Ran by Me on 19/12/2013 at  8:39:12.83
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\Me\AppData\Roaming\mozilla\firefox\profiles\h2thvyj6.default-1387011424951\minidumps [1 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 19/12/2013 at  8:47:20.79
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here is the Security Check log:

 Results of screen317's Security Check version 0.99.77  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
 Java 7 Update 45  
 Adobe Flash Player     11.9.900.170  
 Adobe Reader 10.1.8 Adobe Reader out of Date!  
 Mozilla Firefox (25.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 CheckPoint ZoneAlarm vsmon.exe  
 CheckPoint ZoneAlarm ZAPrivacyService.exe  
 CheckPoint ZoneAlarm zatray.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

 

NB It says Adobe Reader is out of date, but I have checked the Adobe website, and the latest version appears to be 10.1.4 (I seem to have 10.1.8 installed) so not sure what is going on there...


Edited by *bleepinglaptop*, 19 December 2013 - 04:21 AM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 December 2013 - 10:59 AM

Check again.
Adobe Reader/Acrobat v11.0.05 released Oct 8, 2013

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
<<<>>>

If your problem still persists please run the RogueKiller tool and post a fresh log for my review.

#5 *bleepinglaptop*

*bleepinglaptop*
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE

Posted 20 December 2013 - 02:07 AM

Many thanks Nasdaq - will run RogueKiller again in a minute. The processor on my laptop still seems to be working overtime at the moment.

I clicked on the get.adobe.com/reader link above, and that also says Version X (10.1.4) - I can see that there is a version XI available, but it seems that you need at least Windows 7 to install it (I have Vista). Is this likely to be a security problem, if I can't install the latest version?

Here is my latest RogueKiller report:

RogueKiller V8.7.13 [Dec 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Me [Admin rights]
Mode : Scan -- Date : 12/20/2013 07:25:28
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0xc0000033] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1    localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS541612J9SA00 ATA Device +++++
--- User ---
[MBR] 08d0f494c3ef39f57caa15cad98a6dd9
[BSP] 473a43ae86183e4bc766bbfa66afea32 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 112971 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_12202013_072528.txt >>
RKreport[0]_H_12152013_131956.txt


Edited by *bleepinglaptop*, 20 December 2013 - 02:30 AM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 December 2013 - 08:32 AM

I would remove the Reader using the uninstaller
http://labs.adobe.com/downloads/acrobatcleaner.html

When done, restart the computer normally and install the latest version.
===

If the CPU is still acting up try this tool and see if you can find out what is causing this.


Download this Process Explorer tool.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
RUN IT AND TRY to find the Process / file that is draining your CPU.
Instructions on the help file.

#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 December 2013 - 08:56 AM

Are you still with me?

#8 *bleepinglaptop*

*bleepinglaptop*
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE

Posted 27 December 2013 - 01:18 PM

Hi nasdaq,

Sorry for the delay in replying - I have not had the time to deal with my laptop issue over the last few days.

I have installed the latest version of Adobe Reader now (although I had to say that I had Windows 7 installed in order to download the latest version, when I actually have Vista).

I haven't yet had a chance to try the process explorer tool, and am going away for a few days, so hope to try this when I get back in the New Year.

Many thanks :)


Edited by *bleepinglaptop*, 27 December 2013 - 01:19 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 December 2013 - 04:49 PM

I'll be waiting.

#10 *bleepinglaptop*

*bleepinglaptop*
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE

Posted 02 January 2014 - 09:03 AM

Hello nasdaq and Happy New Year!

I've now got some time to deal with my laptop issue :)

I was wondering if you knew what type of malware it was that had installed on my system? Would it be helpful if I posted some of the original Roguekiller etc logs? EDIT: I have posted the original Roguekiller report below.

NB I am still getting "Recommended for You" popups occasionally in Firefox (bottom right hand corner of screen) - are these signs of malware?

This is the Roguekiller report after I first ran Roguekiller a couple of weeks ago:

RogueKiller V8.7.11 [Dec  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Me [Admin rights]
Mode : Scan -- Date : 12/14/2013 10:52:09
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V2][SUSP PATH] IHSelfDeleteTASK : CMD - /C DEL C:\Users\Me\AppData\Local\Temp\IHUF8C9.tmp.exe [x][x] -> FOUND
[V2][SUSP PATH] IHUninstallTrackingTASK : CMD - /C DEL C:\Users\Me\AppData\Local\Temp\IHUEF37.tmp.exe [x][x] -> FOUND

¤¤¤ Startup Entries : 1 ¤¤¤
[Me][SUSP PATH] Canon IJ Status Monitor Canon MG5200 series Printer WS.lnk : C:\Users\Me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Canon IJ Status Monitor Canon MG5200 series Printer WS.lnk @C:\Windows\system32\rundll32.exe C:\Users\Me\CNMSSC~1.DLL,SMStarterEntryPoint WSD-bad54733-d755-4ae8-960b-92c330bfcf4f.0031;Canon MG5200 series Printer WS;cnmss Canon MG5200 series Printer WS (Local).dll;Canon IJ Status Monitor Canon MG5200 series Printer WS.lnk [-][7][7][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x][x] -> FOUND

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (FwDoNothingOnObject) : FirewallAPI.dll -> HOOKED (Unknown @ 0x360CC466)
[Inline] EAT @explorer.exe (FwEnableMemTracing) : FirewallAPI.dll -> HOOKED (Unknown @ 0x360CC466)
[Inline] EAT @explorer.exe (FwSetMemLeakPolicy) : FirewallAPI.dll -> HOOKED (Unknown @ 0x360CC466)
[Inline] EAT @firefox.exe (NtMapViewOfSection) : ntdll.dll -> HOOKED (Unknown @ 0x71980022)
[Inline] EAT @firefox.exe (ZwMapViewOfSection) : ntdll.dll -> HOOKED (Unknown @ 0x71980022)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost
::1             localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS541612J9SA00 ATA Device +++++
--- User ---
[MBR] 08d0f494c3ef39f57caa15cad98a6dd9
[BSP] 473a43ae86183e4bc766bbfa66afea32 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 112971 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ ) SD Memory Card +++++
--- User ---
[MBR] 87163bfd5bb7f43cc343c4c51cb0cac3
[BSP] 3a25df3dbe3dbca5d5da4fa7ec49ec6b : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 101 | Size: 243 Mo
Error reading LL1 MBR! ([0x1] Incorrect function. )
Error reading LL2 MBR! ([0x1] Incorrect function. )

Finished : << RKreport[0]_S_12142013_105209.txt >>

---

I also ran the ESET online scanner yesterday - this is the report:

C:\Program Files\CheckPoint\Install\zatb.exe    multiple threats    deleted - quarantined
C:\Users\Me\Downloads\cbsidlm-tr1_8-CutePDF_Writer-ORG2-10206470.exe    Win32/DownloadAdmin.E application    cleaned by deleting - quarantined
C:\Users\Me\Downloads\ccsetup327.exe    Win32/Bundled.Toolbar.Google.D application    cleaned by deleting - quarantined
C:\Users\Me\Downloads\ccsetup400.exe    Win32/Bundled.Toolbar.Google.D application    cleaned by deleting - quarantined
C:\Users\Me\Downloads\ccsetup404.exe    Win32/Bundled.Toolbar.Google.D application    cleaned by deleting - quarantined
C:\Users\Me\Downloads\ccsetup408.exe    Win32/Bundled.Toolbar.Google.D application    cleaned by deleting - quarantined
C:\Users\Me\Downloads\ccsetup409.exe    Win32/Bundled.Toolbar.Google.D application    cleaned by deleting - quarantined
D:\2012-08-18 Reinstall Ian\AppData\LocalLow\ZoneAlarm_Security\ldrtbZone.dll    a variant of Win32/Toolbar.Conduit.P application    cleaned by deleting - quarantined
D:\2012-08-18 Reinstall Ian\AppData\LocalLow\ZoneAlarm_Security\tbZone.dll    a variant of Win32/Toolbar.Conduit.B application    cleaned by deleting - quarantined


Edited by *bleepinglaptop*, 02 January 2014 - 10:13 AM.


#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 January 2014 - 10:18 AM

Please run the RogueKiller tool and remove these 2 tasks.

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V2][SUSP PATH] IHSelfDeleteTASK : CMD - /C DEL C:\Users\Me\AppData\Local\Temp\IHUF8C9.tmp.exe [x][x] -> FOUND
[V2][SUSP PATH] IHUninstallTrackingTASK : CMD - /C DEL C:\Users\Me\AppData\Local\Temp\IHUEF37.tmp.exe [x][x] -> FOUND

Restart the computer normally.

p.s.
These are random filenames. Nothing found on them.
Could be the reason you are seeing the Firefox popups.
===

NB I am still getting "Recommended for You" popups occasionally in Firefox (bottom right hand corner of screen) - are these signs of malware?

Just unwanted publicity.

Disable all your Firefox Extensions.
Test Firefox; if there are no more popups then one of the extensions is the culprit.

If no solution then run this tool.

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries
  • Click Go and copy/paste the log (Result.txt) into your next post.
  • Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
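
One way to triage the two task lines quoted at the top of this post, as an added example that is neither RogueKiller's own code nor anything posted in this thread: the script below parses the "Scheduled tasks" section of a RogueKiller report (the line format is inferred from the reports pasted here), pulls out the path each `CMD /C DEL` action removes, and ranks a task whose only job is to delete an executable from a Temp folder above other flagged entries. The third sample task (NightlyCleanupTASK) and the high/medium/info labels are constructed for the example.

```python
"""Triage the "Scheduled tasks" section of a RogueKiller scan report.

Added example for this thread; it is not RogueKiller's code and was not posted
by anyone here.  The line format is inferred from the report lines quoted in
the thread, and the severity labels are this script's own convention.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample.  The two IH* tasks are the lines quoted in the thread;
# NightlyCleanupTASK is made up to show a task that is flagged but less urgent.
SAMPLE_LOG = r"""
¤¤¤ Scheduled tasks : 3 ¤¤¤
[V2][SUSP PATH] IHSelfDeleteTASK : CMD - /C DEL C:\Users\Me\AppData\Local\Temp\IHUF8C9.tmp.exe [x][x] -> FOUND
[V2][SUSP PATH] IHUninstallTrackingTASK : CMD - /C DEL C:\Users\Me\AppData\Local\Temp\IHUEF37.tmp.exe [x][x] -> FOUND
[V2][SUSP PATH] NightlyCleanupTASK : CMD - /C DEL C:\Users\Me\AppData\Local\Temp\old.log [x][x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤
"""

# One task line: [format][flag] name : program - arguments [..][..] -> verdict
TASK_RE = re.compile(
    r"^\[(?P<fmt>[^\]]*)\]\[(?P<flag>[^\]]*)\]\s+"  # e.g. [V2][SUSP PATH]
    r"(?P<name>.+?)\s+:\s+"                        # task name
    r"(?P<program>\S+)\s+-\s+"                     # launched program (CMD)
    r"(?P<args>.*?)"                               # its command line
    r"(?:\s*\[[^\]]*\])*\s+->\s+(?P<verdict>\w+)\s*$"
)
# "cmd /C DEL <path>", the action used by the two IH* tasks
DEL_RE = re.compile(r"^/C\s+DEL\s+(?P<target>.+?)\s*$", re.IGNORECASE)
# any "...\Temp\..." path component
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass
class ScheduledTask:
    name: str
    flag: str      # RogueKiller's own tag, e.g. "SUSP PATH"
    program: str   # executable the task starts
    args: str      # command line handed to it
    verdict: str   # FOUND, DELETED, ...


def section_title(line: str) -> str | None:
    """Return the section name of a '¤¤¤ Title : n ¤¤¤' header, else None."""
    if not line.startswith("¤¤¤"):
        return None
    return line.strip("¤ \t").split(":", 1)[0].strip()


def parse_scheduled_tasks(report: str) -> list[ScheduledTask]:
    """Collect the task entries listed under 'Scheduled tasks'."""
    tasks: list[ScheduledTask] = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        title = section_title(line)
        if title is not None:            # every ¤¤¤ header ends the previous section
            in_section = title.lower() == "scheduled tasks"
            continue
        if not in_section or not line:
            continue
        m = TASK_RE.match(line)
        if m:
            tasks.append(ScheduledTask(m["name"], m["flag"], m["program"],
                                       m["args"], m["verdict"]))
    return tasks


def deleted_target(task: ScheduledTask) -> str | None:
    """Path removed by a 'CMD /C DEL <path>' action, or None for anything else."""
    if task.program.upper() != "CMD":
        return None
    m = DEL_RE.match(task.args)
    return m["target"] if m else None


def assess(task: ScheduledTask) -> tuple[str, list[str]]:
    """Severity (high/medium/info) plus the reasons behind it."""
    reasons: list[str] = []
    severity = "info"
    if task.flag.upper() == "SUSP PATH":
        severity = "medium"
        reasons.append("RogueKiller tagged the action path as suspicious")
    target = deleted_target(task)
    if target and TEMP_DIR_RE.search(target) and target.lower().endswith(".exe"):
        severity = "high"
        reasons.append("exists only to delete an executable dropped in a Temp folder: "
                       "the pattern of an installer or adware payload cleaning up after itself")
    return severity, reasons


def triage(report: str) -> list[dict]:
    """One record per scheduled task, most severe first (stable within a level)."""
    rank = {"high": 0, "medium": 1, "info": 2}
    records = []
    for task in parse_scheduled_tasks(report):
        severity, reasons = assess(task)
        records.append({"name": task.name, "severity": severity,
                        "target": deleted_target(task), "reasons": reasons})
    records.sort(key=lambda r: rank[r["severity"]])
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(f"{rec['severity']:<6} {rec['name']}: {'; '.join(rec['reasons'])}")
```

Feed it the text of a saved RKreport file. The two IH* tasks come out as high because the interesting artefact is the dropped file in %TEMP% that the task cleans up (whether it is still present and what installed it), not the task entry itself, which is only the clean-up step.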


#12 *bleepinglaptop*

*bleepinglaptop*
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE

Posted 02 January 2014 - 10:47 AM

Thank you nasdaq - here is the latest Roguekiller report (I had removed the 2 scheduled tasks that you noted after running Roguekiller previously):

RogueKiller V8.8.0 [Dec 27 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : Me [Admin rights]
Mode : Scan -- Date : 01/02/2014 15:28:42
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] housecall.bin -- C:\Users\Me\AppData\Local\temp\HouseCall\housecall.bin [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0xc0000033] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1    localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS541612J9SA00 ATA Device +++++
--- User ---
[MBR] 08d0f494c3ef39f57caa15cad98a6dd9
[BSP] 473a43ae86183e4bc766bbfa66afea32 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 3074048 | Size: 112971 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ USB) BUFFALO HD-PCU2 USB Device +++++
--- User ---
[MBR] 518e8f3be284cdc13df88ae8d1c0e44c
[BSP] 2b6b9e2bac3101ea63420c3772262994 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 64 | Size: 476937 Mo
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ ) SD Memory Card +++++
--- User ---
[MBR] 87163bfd5bb7f43cc343c4c51cb0cac3
[BSP] 3a25df3dbe3dbca5d5da4fa7ec49ec6b : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x06) [VISIBLE] Offset (sectors): 101 | Size: 243 Mo
Error reading LL1 MBR! ([0x1] Incorrect function. )
Error reading LL2 MBR! ([0x1] Incorrect function. )

Finished : << RKreport[0]_S_01022014_152842.txt >>

---

The housecall.bin process must have been the Trend Micro Housecall scan that I've been running for the last few hours (it had got about 65% of the way through, but had not yet found anything).

Roguekiller listed a Browser Addon (Microsoft.NET Framework Assistant) but this is disabled in my browser for some reason (and it doesn't seem to be listed in the Roguekiller report).

I have only 2 other browser Addons: Adblock Plus 2.4, and Web of Trust - I am hoping that neither of these is the cause of the popups, as they are normally very useful addons! But I'll disable them temporarily, and see what happens. I may run the MiniToolBox tool anyway....



#13 *bleepinglaptop*

*bleepinglaptop*
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE

Posted 02 January 2014 - 11:23 AM

Here are the MiniToolBox reports (I ran the program twice, as it wasn't run in Admin mode the first time):

Report from 1st Run:

MiniToolBox by Farbar  Version: 18-12-2013
Ran by Me (ATTENTION: The logged in user is not administrator) on 02-01-2014 at 16:07:02
Running from "C:\Users\Me\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================
The requested operation requires elevation.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1    localhost

========================= IP Configuration: ================================

Intel® PRO/Wireless 3945ABG Network Connection = Wireless Network Connection (Connected)
Intel® PRO/100 VE Network Connection = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=169.254.0.0/16 interface="iftype0_0" nexthop=192.168.1.66 metric=1
add route prefix=169.254.0.0/16 interface="iftype0_0" nexthop=192.168.1.67 metric=1


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : OurLaptop
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lan

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Intel® PRO/Wireless 3945ABG Network Connection
   Physical Address. . . . . . . . . : 00-19-D2-8B-42-1D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6558:ffa1:d238:48ed%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.157(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 02 January 2014 15:51:56
   Lease Expires . . . . . . . . . . : 03 January 2014 15:51:55
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 268442066
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-C1-CB-41-00-A0-D1-6F-77-C2
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection
   Physical Address. . . . . . . . . : 00-A0-D1-6F-77-C2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{5291AF49-A5C9-4154-90AC-597BAF10F533}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{066DE6DE-8342-4DCE-9FEE-C20BFCA2A5F9}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : isatap.lan
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  dsldevice.lan
Address:  192.168.1.254

Name:    google.com
Addresses:  2a00:1450:4001:806::1004
      212.56.71.245
      212.56.71.249
      212.56.71.227
      212.56.71.208
      212.56.71.241
      212.56.71.212
      212.56.71.234
      212.56.71.216
      212.56.71.240
      212.56.71.223
      212.56.71.251
      212.56.71.229
      212.56.71.218
      212.56.71.238
      212.56.71.219
      212.56.71.230



Pinging google.com [212.56.71.238] with 32 bytes of data:

Reply from 212.56.71.238: bytes=32 time=14ms TTL=60

Reply from 212.56.71.238: bytes=32 time=14ms TTL=60



Ping statistics for 212.56.71.238:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 14ms, Maximum = 14ms, Average = 14ms

Server:  dsldevice.lan
Address:  192.168.1.254

Name:    yahoo.com
Addresses:  98.139.183.24
      206.190.36.45
      98.138.253.109



Pinging yahoo.com [206.190.36.45] with 32 bytes of data:

Reply from 206.190.36.45: bytes=32 time=252ms TTL=43

Reply from 206.190.36.45: bytes=32 time=168ms TTL=43



Ping statistics for 206.190.36.45:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 168ms, Maximum = 252ms, Average = 210ms



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
 10 ...00 19 d2 8b 42 1d ...... Intel® PRO/Wireless 3945ABG Network Connection
  8 ...00 a0 d1 6f 77 c2 ...... Intel® PRO/100 VE Network Connection
  1 ........................... Software Loopback Interface 1
  9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 15 ...00 00 00 00 00 00 00 e0  isatap.{5291AF49-A5C9-4154-90AC-597BAF10F533}
 13 ...00 00 00 00 00 00 00 e0  isatap.{066DE6DE-8342-4DCE-9FEE-C20BFCA2A5F9}
 14 ...00 00 00 00 00 00 00 e0  isatap.lan
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.157     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0     192.168.1.66    192.168.1.157     26
      169.254.0.0      255.255.0.0     192.168.1.67    192.168.1.157     26
      192.168.1.0    255.255.255.0         On-link     192.168.1.157    281
    192.168.1.157  255.255.255.255         On-link     192.168.1.157    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.157    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.157    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.157    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      169.254.0.0      255.255.0.0     192.168.1.66       1
      169.254.0.0      255.255.0.0     192.168.1.67       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 10    281 fe80::/64                On-link
 10    281 fe80::6558:ffa1:d238:48ed/128
                                    On-link
  1    306 ff00::/8                 On-link
 10    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/02/2014 08:01:18 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\WINDOWS\SOFTWAREDISTRIBUTION\WUREDIR\7971F918-A847-4430-9279-4A52D1EFE18D\WUREDIR.CAB.BAK> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (01/02/2014 07:50:34 AM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16526 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: a74
Start Time: 01cf071c5f401138
Termination Time: 0

Error: (01/01/2014 06:06:25 PM) (Source: ESENT) (User: )
Description: WinMail (5856) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (01/01/2014 05:38:51 PM) (Source: Application Hang) (User: )
Description: The program CCleaner.exe version 4.9.0.4471 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 6b4
Start Time: 01cf070a044437a8
Termination Time: 980

Error: (01/01/2014 11:29:35 AM) (Source: Windows Backup) (User: )
Description: File backup failed due to an error writing to the backup location D:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check your hardware configuration. (0x81000006).

Error: (12/31/2013 10:41:45 PM) (Source: Application Hang) (User: )
Description: The program firefox.exe version 26.0.0.5087 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 101c
Start Time: 01cf06741db3b775
Termination Time: 0

Error: (12/23/2013 08:11:12 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\WINDOWS\SOFTWAREDISTRIBUTION\AUTHCABS\DOWNLOADED\7971F918-A847-4430-9279-4A52D1EFE18D.AUTH.CAB.EXTRACTED\AUTHORIZATION.XML> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/23/2013 05:36:47 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\ME\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\H2THVYJ6.DEFAULT-1387011424951\CACHE\8> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/23/2013 05:36:47 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\ME\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\H2THVYJ6.DEFAULT-1387011424951\CACHE\8> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/23/2013 05:36:45 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\ME\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\H2THVYJ6.DEFAULT-1387011424951\CACHE\7> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)


System errors:
=============
Error: (01/02/2014 04:03:42 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc

Error: (01/02/2014 04:03:12 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc

Error: (01/02/2014 03:53:14 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (01/02/2014 03:53:02 PM) (Source: Service Control Manager) (User: )
Description: Tosrfcom

Error: (01/02/2014 03:53:02 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (01/02/2014 03:33:23 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc

Error: (01/02/2014 03:32:53 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc

Error: (01/02/2014 03:13:24 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc

Error: (01/02/2014 03:12:53 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc

Error: (01/02/2014 02:53:24 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc


Microsoft Office Sessions:
=========================
Error: (08/29/2013 00:33:55 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 57 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (08/04/2013 01:32:45 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 15217 seconds with 180 seconds of active time.  This session ended with a crash.

Error: (04/14/2013 09:40:50 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 555 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (01/12/2013 05:40:24 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 64 seconds with 0 seconds of active time.  This session ended with a crash.


CodeIntegrity Errors:
===================================
  Date: 2014-01-02 15:01:54.375
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22497_none_b34d67897fc6850f\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:54.141
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22497_none_b34d67897fc6850f\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:53.876
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22497_none_b34d67897fc6850f\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:53.611
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22497_none_b34d67897fc6850f\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:51.817
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18311_none_b3144862666d6db3\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:51.583
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18311_none_b3144862666d6db3\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:51.318
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18311_none_b3144862666d6db3\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:51.068
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18311_none_b3144862666d6db3\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 14:16:18.615
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\2e00d1ae0f234ed468fbb47c2cd92fae\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 14:16:18.381
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\2e00d1ae0f234ed468fbb47c2cd92fae\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.


**** End of log ****


2nd Run:


MiniToolBox by Farbar  Version: 18-12-2013
Ran by Aardvark (administrator) on 02-01-2014 at 16:11:58
Running from "C:\Users\Me\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================

127.0.0.1    localhost

========================= IP Configuration: ================================

Intel® PRO/Wireless 3945ABG Network Connection = Wireless Network Connection (Connected)
Intel® PRO/100 VE Network Connection = Local Area Connection (Media disconnected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled
add route prefix=169.254.0.0/16 interface="iftype0_0" nexthop=192.168.1.66 metric=1
add route prefix=169.254.0.0/16 interface="iftype0_0" nexthop=192.168.1.67 metric=1


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : OurLaptop
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lan

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Intel® PRO/Wireless 3945ABG Network Connection
   Physical Address. . . . . . . . . : 00-19-D2-8B-42-1D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::6558:ffa1:d238:48ed%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.157(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 02 January 2014 15:51:56
   Lease Expires . . . . . . . . . . : 03 January 2014 15:51:56
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 268442066
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-C1-CB-41-00-A0-D1-6F-77-C2
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel® PRO/100 VE Network Connection
   Physical Address. . . . . . . . . : 00-A0-D1-6F-77-C2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{5291AF49-A5C9-4154-90AC-597BAF10F533}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{066DE6DE-8342-4DCE-9FEE-C20BFCA2A5F9}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : isatap.lan
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Server:  dsldevice.lan
Address:  192.168.1.254

Name:    google.com
Addresses:  2a00:1450:4009:803::1009
      212.56.71.154
      212.56.71.181
      212.56.71.148
      212.56.71.152
      212.56.71.174
      212.56.71.163
      212.56.71.185
      212.56.71.187
      212.56.71.155
      212.56.71.170
      212.56.71.159
      212.56.71.166
      212.56.71.177
      212.56.71.165
      212.56.71.144
      212.56.71.176

Pinging google.com [212.56.71.251] with 32 bytes of data:
Reply from 212.56.71.251: bytes=32 time=13ms TTL=60
Reply from 212.56.71.251: bytes=32 time=216ms TTL=60
Ping statistics for 212.56.71.251:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 13ms, Maximum = 216ms, Average = 114ms

Server:  dsldevice.lan
Address:  192.168.1.254

Name:    yahoo.com
Addresses:  98.138.253.109
      98.139.183.24
      206.190.36.45

Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
Reply from 206.190.36.45: bytes=32 time=234ms TTL=43
Reply from 206.190.36.45: bytes=32 time=167ms TTL=43
Ping statistics for 206.190.36.45:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 167ms, Maximum = 234ms, Average = 200ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
 10 ...00 19 d2 8b 42 1d ...... Intel® PRO/Wireless 3945ABG Network Connection
  8 ...00 a0 d1 6f 77 c2 ...... Intel® PRO/100 VE Network Connection
  1 ........................... Software Loopback Interface 1
  9 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 15 ...00 00 00 00 00 00 00 e0  isatap.{5291AF49-A5C9-4154-90AC-597BAF10F533}
 13 ...00 00 00 00 00 00 00 e0  isatap.{066DE6DE-8342-4DCE-9FEE-C20BFCA2A5F9}
 14 ...00 00 00 00 00 00 00 e0  isatap.lan
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.157     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      169.254.0.0      255.255.0.0     192.168.1.66    192.168.1.157     26
      169.254.0.0      255.255.0.0     192.168.1.67    192.168.1.157     26
      192.168.1.0    255.255.255.0         On-link     192.168.1.157    281
    192.168.1.157  255.255.255.255         On-link     192.168.1.157    281
    192.168.1.255  255.255.255.255         On-link     192.168.1.157    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.1.157    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.1.157    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      169.254.0.0      255.255.0.0     192.168.1.66       1
      169.254.0.0      255.255.0.0     192.168.1.67       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 10    281 fe80::/64                On-link
 10    281 fe80::6558:ffa1:d238:48ed/128
                                    On-link
  1    306 ff00::/8                 On-link
 10    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/02/2014 08:01:18 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\WINDOWS\SOFTWAREDISTRIBUTION\WUREDIR\7971F918-A847-4430-9279-4A52D1EFE18D\WUREDIR.CAB.BAK> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (01/02/2014 07:50:34 AM) (Source: Application Hang) (User: )
Description: The program iexplore.exe version 9.0.8112.16526 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: a74
Start Time: 01cf071c5f401138
Termination Time: 0

Error: (01/01/2014 06:06:25 PM) (Source: ESENT) (User: )
Description: WinMail (5856) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

Error: (01/01/2014 05:38:51 PM) (Source: Application Hang) (User: )
Description: The program CCleaner.exe version 4.9.0.4471 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 6b4
Start Time: 01cf070a044437a8
Termination Time: 980

Error: (01/01/2014 11:29:35 AM) (Source: Windows Backup) (User: )
Description: File backup failed due to an error writing to the backup location D:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check your hardware configuration. (0x81000006).

Error: (12/31/2013 10:41:45 PM) (Source: Application Hang) (User: )
Description: The program firefox.exe version 26.0.0.5087 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 101c
Start Time: 01cf06741db3b775
Termination Time: 0

Error: (12/23/2013 08:11:12 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\WINDOWS\SOFTWAREDISTRIBUTION\AUTHCABS\DOWNLOADED\7971F918-A847-4430-9279-4A52D1EFE18D.AUTH.CAB.EXTRACTED\AUTHORIZATION.XML> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/23/2013 05:36:47 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\ME\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\H2THVYJ6.DEFAULT-1387011424951\CACHE\8> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/23/2013 05:36:47 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\ME\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\H2THVYJ6.DEFAULT-1387011424951\CACHE\8> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)

Error: (12/23/2013 05:36:45 PM) (Source: Windows Search Service) (User: )
Description: The entry <C:\USERS\ME\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\H2THVYJ6.DEFAULT-1387011424951\CACHE\7> in the hash map cannot be updated.

Context:  Application, SystemIndex Catalog


Details:
    A device attached to the system is not functioning.   (0x8007001f)


System errors:
=============
Error: (01/02/2014 04:03:42 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc

Error: (01/02/2014 04:03:12 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc

Error: (01/02/2014 03:53:14 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}NT AUTHORITYLOCAL SERVICES-1-5-19LocalHost (Using LRPC)

Error: (01/02/2014 03:53:02 PM) (Source: Service Control Manager) (User: )
Description: Tosrfcom

Error: (01/02/2014 03:53:02 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058

Error: (01/02/2014 03:33:23 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc

Error: (01/02/2014 03:32:53 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc

Error: (01/02/2014 03:13:24 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc

Error: (01/02/2014 03:12:53 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc

Error: (01/02/2014 02:53:24 PM) (Source: Service Control Manager) (User: )
Description: 30000stisvc


Microsoft Office Sessions:
=========================
Error: (08/29/2013 00:33:55 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 57 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (08/04/2013 01:32:45 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 15217 seconds with 180 seconds of active time.  This session ended with a crash.

Error: (04/14/2013 09:40:50 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 555 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (01/12/2013 05:40:24 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 64 seconds with 0 seconds of active time.  This session ended with a crash.


CodeIntegrity Errors:
===================================
  Date: 2014-01-02 15:01:54.375
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22497_none_b34d67897fc6850f\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:54.141
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22497_none_b34d67897fc6850f\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:53.876
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22497_none_b34d67897fc6850f\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:53.611
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22497_none_b34d67897fc6850f\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:51.817
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18311_none_b3144862666d6db3\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:51.583
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18311_none_b3144862666d6db3\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:51.318
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18311_none_b3144862666d6db3\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 15:01:51.068
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\b635b7a7651f5dd1a95f6d85f3bb620f\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.18311_none_b3144862666d6db3\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 14:16:18.615
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\2e00d1ae0f234ed468fbb47c2cd92fae\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-01-02 14:16:18.381
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\SoftwareDistribution\Download.bak\2e00d1ae0f234ed468fbb47c2cd92fae\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.


**** End of log ****

Edited by *bleepinglaptop*, 02 January 2014 - 11:24 AM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,202 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:37 AM

Posted 02 January 2014 - 12:59 PM


+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ ) SD Memory Card +++++

Do you have any difficulties backing up your files on the Memory card?
===


Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any antivirus protection on the computer.
===

Please let me know of the current issues with this computer.

#15 *bleepinglaptop*

  • Topic Starter
  • Members
  • 22 posts

Posted 02 January 2014 - 01:32 PM

Hello,

Please find the aswMBR log below:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-01-02 18:15:50
-----------------------------
18:15:50.813    OS Version: Windows 6.0.6002 Service Pack 2
18:15:50.813    Number of processors: 2 586 0xF02
18:15:50.814    ComputerName: OURLAPTOP  UserName: Me
18:15:55.999    Initialize success
18:18:07.981    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
18:18:07.987    Disk 0 Vendor: Hitachi_HTS541612J9SA00 SBDOC7DP Size: 114473MB BusType: 3
18:18:07.997    Disk 2  \Device\Harddisk2\SR0 -> \Device\SdBus-0
18:18:08.003    Disk 2 Vendor: (  Size: 243MB BusType: 12
18:18:08.119    Disk 0 MBR read successfully
18:18:08.124    Disk 0 MBR scan
18:18:08.128    Disk 0 Windows VISTA default MBR code
18:18:08.152    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
18:18:08.172    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       112971 MB offset 3074048
18:18:08.180    Disk 0 scanning sectors +234438656
18:18:08.253    Disk 0 scanning C:\Windows\system32\drivers
18:18:51.767    Service scanning
18:19:18.628    Modules scanning
18:19:44.298    Disk 0 trace - called modules:
18:19:44.711    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys
18:19:44.721    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x866d3ac8]
18:19:44.731    3 CLASSPNP.SYS[895a88b3] -> nt!IofCallDriver -> [0x85e19918]
18:19:44.741    5 acpi.sys[88e536bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85e0d030]
18:19:44.751    Scan finished successfully
18:20:33.791    Disk 0 MBR has been saved successfully to "C:\Users\Me\Desktop\MBR.dat"
18:20:33.807    The log file has been saved successfully to "C:\Users\Me\Desktop\aswMBR.txt"

Please also find the MBR.zip file attached.

I don't think I've tried backing up the Memory Card yet - was planning to do a system backup shortly. Should I try to include the memory card?

Right now, my computer's processor is quite quiet. I haven't had any "Recommended for you" popups since I disabled the Firefox add-ons and ran MiniToolBox. So it appears to be behaving normally...

Attached Files

  • Attached File: MBR.zip (558 bytes)

Edited by *bleepinglaptop*, 02 January 2014 - 02:29 PM.
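What a responder looks for in an aswMBR log like the one posted above, as an added example (not code from either poster or from AVAST): the script parses the quoted lines and applies the checks normally done by eye: that the boot code is reported as a stock loader, that exactly one partition carries the active flag, that partitions neither overlap nor leave unexplained gaps between them or after the last one, and that only known storage-stack drivers appear in the disk I/O trace. The module allowlist and the gap thresholds are assumptions for illustration, not values taken from aswMBR.

```python
import re
from dataclasses import dataclass

SECTORS_PER_MB = 2048  # aswMBR reports sizes in whole MB; 512-byte sectors assumed

# Constructed sample: the lines from the aswMBR log quoted above that the checks need.
SAMPLE_LOG = """\
18:18:07.987    Disk 0 Vendor: Hitachi_HTS541612J9SA00 SBDOC7DP Size: 114473MB BusType: 3
18:18:08.119    Disk 0 MBR read successfully
18:18:08.128    Disk 0 Windows VISTA default MBR code
18:18:08.152    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
18:18:08.172    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       112971 MB offset 3074048
18:18:08.180    Disk 0 scanning sectors +234438656
18:19:44.711    ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys
"""

# Assumed allowlist: storage-stack modules normally seen in the disk I/O trace of a
# clean Vista/7 system with IDE or AHCI storage. Extend it for other hardware.
KNOWN_MODULES = {
    "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys", "partmgr.sys", "volmgr.sys",
    "acpi.sys", "ataport.sys", "atapi.sys", "intelide.sys", "pciide.sys", "pciidex.sys",
    "storport.sys", "iastor.sys",
}

TIMESTAMP_RE = re.compile(r"\d\d:\d\d:\d\d\.\d+")
SIZE_RE = re.compile(r"Disk (?P<disk>\d+) Vendor: .* Size: (?P<size>\d+)MB")
MBR_RE = re.compile(r"Disk (?P<disk>\d+) (?P<text>.*MBR code.*)")
PART_RE = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<boot>[0-9A-Fa-f]{2})\s+(?:\(A\)\s+)?"
    r"(?P<type>[0-9A-Fa-f]{2})\s+(?P<desc>.*?)\s+(?P<size>\d+) MB offset (?P<off>\d+)"
)


@dataclass
class Partition:
    number: int
    active: bool      # boot indicator byte was 0x80
    type_id: int      # partition type byte, e.g. 0x07 NTFS, 0x27 hidden WinRE
    description: str
    size_mb: int
    offset: int       # first sector (LBA)

    @property
    def end(self) -> int:
        """First sector after the partition."""
        return self.offset + self.size_mb * SECTORS_PER_MB


def _strip_timestamp(line: str) -> str:
    parts = line.split(None, 1)
    return parts[1] if len(parts) == 2 and TIMESTAMP_RE.fullmatch(parts[0]) else line


def analyse(log: str) -> dict:
    partitions, modules, findings = [], [], []
    disk_size_mb = mbr_code = None
    for raw in log.splitlines():
        line = _strip_timestamp(raw)
        if m := SIZE_RE.match(line):
            disk_size_mb = int(m["size"])
        elif m := MBR_RE.match(line):
            mbr_code = m["text"]
        elif m := PART_RE.match(line):
            partitions.append(Partition(int(m["num"]), m["boot"].lower() == "80", int(m["type"], 16),
                                        m["desc"].strip(), int(m["size"]), int(m["off"])))
        elif line and all(t.lower().endswith((".exe", ".sys", ".dll")) for t in line.split()):
            modules.extend(line.split())  # the "called modules" trace line

    # 1. Boot code: anything not reported as a default loader deserves a look.
    if mbr_code is None or "default MBR code" not in mbr_code:
        findings.append(f"MBR code not reported as a stock loader: {mbr_code!r}")
    # 2. Exactly one partition should carry the active flag.
    active = [p for p in partitions if p.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    # 3. Layout: overlaps, or gaps between partitions where a bootkit could stash code.
    #    The usual 1 MB before partition 1 is not flagged.
    partitions.sort(key=lambda p: p.offset)
    prev_end = 0
    for p in partitions:
        if p.offset < prev_end:
            findings.append(f"partition {p.number} overlaps the previous one")
        elif p.offset - prev_end > SECTORS_PER_MB:
            findings.append(f"{p.offset - prev_end} unpartitioned sectors before partition {p.number}")
        prev_end = p.end
    # 4. Space after the last partition; sizes are rounded to MB, so allow some slack.
    trailing = None
    if disk_size_mb is not None and partitions:
        trailing = disk_size_mb * SECTORS_PER_MB - prev_end
        if trailing > 8 * SECTORS_PER_MB:
            findings.append(f"{trailing} unpartitioned sectors after the last partition")
    # 5. Disk I/O path: modules outside the allowlist may be filter drivers or hooks.
    unknown = sorted({mod for mod in modules if mod.lower() not in KNOWN_MODULES})
    if unknown:
        findings.append("unexpected modules in disk I/O trace: " + ", ".join(unknown))
    return {"partitions": partitions, "trailing_sectors": trailing,
            "unknown_modules": unknown, "findings": findings}
```

Run against the posted log, every check comes back clean: partition 1 ends at sector 3074048, exactly where partition 2 begins, and partition 2 ends at sector 234438656, the same number aswMBR prints on its "scanning sectors +..." line, leaving about 1 MB of unallocated sectors at the end of the disk. Because the log rounds sizes to whole megabytes, gaps of a few MB are rounding, not evidence; anything larger, a second active partition, or an unfamiliar module in the trace is what would justify the "Fix" that nasdaq asked the poster to hold off on.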




