random BSOD's after thorough cleaning


This topic is locked. 43 replies to this topic

#16 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 04 April 2014 - 05:13 AM

Ahhh, very good. Since you've done most of the usual/expected troubleshooting things already, we may need only to finish updating some software and try one final cleanup endeavor. Let's do this:
Download FileHippo's Update Checker. Double-click the FHSetup.exe file to install it. When the install completes, you'll find the Update Checker shortcut on the desktop. Double-click on it and a scan begins, with the results showing in your browser.

Any software it finds to be out of date will be presented in your browser. Just click on the download link provided there to download your software updates. Ignore the beta software unless you want that...during the scanner initialization, you can click the settings link, then click the results tab and check the box "Hide beta versions".

After clicking the OK button, click the "Retry" link to continue the scan with those settings. Please remember when you post back to let us know your results.

Next:
1) Click the "Start" button and type "cmd" in the "Search programs and files" box.
2) In the returned search results, right click the "cmd.exe" and select Run as administrator.
3) When the cmd prompt opens, type or copy and paste:
set devmgr_show_nonpresent_devices=1
...and press enter. (Note that nothing seems to happen--this is expected. We are actually setting an environment variable which is going to help us to see hidden devices)
4) On the next cmd prompt line, type in:
devmgmt.msc
...and press enter. This will launch the Windows Device Manager Console.
5) In the Device Manager Console, from the "View" menu, select "Show Hidden Devices".

Note:
This is NOT the same as just selecting 'Show Hidden Devices' from within the menu of the normal default view in Device Manager. This method exposes the super-hidden drivers/devices because the environment variable has been changed.

Now, scroll down to and click "Non-Plug and Play Drivers" in the listing. You will see not only the items that Windows currently detects as installed on your pc (these are the usual items displayed), but you will also see drivers, devices, and services which have been loaded in the past but were not uninstalled properly or are not currently started.

These are identified by those drivers listed which are grayed out...

Please scroll through that listing and make note of all the "grayed out" items present there. Be careful to note the item precisely as it appears. Create a list of them and post that information back here in your next reply. Thanks!

Edited by 1972vet, 04 April 2014 - 05:25 AM.

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
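As an added example that is not part of 1972vet's post, the PowerShell below enumerates the same legacy kernel-driver entries that Device Manager grays out under "Non-Plug and Play Drivers" once the environment variable is set, and reports the two conditions described above: the driver service is not currently running, or its image file is no longer on disk. It assumes an elevated PowerShell prompt on Windows 7 or later; the function names are mine.

```powershell
# Added example (not from the thread): list legacy (non-PnP) driver services
# that are not running or whose .sys file is missing. These are the entries
# that appear grayed out under "Non-Plug and Play Drivers" when devmgmt.msc is
# started with DEVMGR_SHOW_NONPRESENT_DEVICES=1. Get-WmiObject is used so the
# script also runs on Windows 7 / PowerShell 2.0. Run from an elevated prompt.

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    # Registry ImagePath values come in several shapes:
    #   \SystemRoot\system32\drivers\foo.sys
    #   system32\drivers\foo.sys
    #   \??\C:\Program Files\Vendor\foo.sys
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^%SystemRoot%\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-LeftoverKernelDrivers {
    # Current state (Running / Stopped) of every driver service Windows knows about
    $state = @{}
    Get-WmiObject -Class Win32_SystemDriver | ForEach-Object {
        $state[$_.Name.ToLower()] = $_.State
    }

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER,
        # 8 = SERVICE_RECOGNIZER_DRIVER (e.g. Fs_Rec). Anything else is a
        # user-mode service and is not shown in the non-PnP driver list.
        if (1, 2, 8 -notcontains $svc.Type) { return }

        $name    = $_.PSChildName
        $file    = Resolve-DriverImagePath $svc.ImagePath
        $onDisk  = ($file -ne $null) -and (Test-Path -LiteralPath $file)
        $current = 'Unknown'
        if ($state.ContainsKey($name.ToLower())) { $current = $state[$name.ToLower()] }

        $reason = @()
        if (-not $onDisk)           { $reason += 'ImageMissing' }
        if ($current -ne 'Running') { $reason += 'NotRunning' }
        if ($reason.Count -eq 0) { return }   # loaded and present: not grayed out

        New-Object PSObject -Property @{
            Name      = $name
            Start     = $svc.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            State     = $current
            Reason    = ($reason -join ',')
            ImagePath = $svc.ImagePath
        }
    }
}

# Entries with no file on disk are the clearest leftovers (an uninstaller removed
# the .sys but not its service key); manual-start drivers that are simply stopped
# are normal and show up here just as they do grayed out in Device Manager.
Get-LeftoverKernelDrivers |
    Sort-Object Reason, Name |
    Format-Table Name, Start, State, Reason, ImagePath -AutoSize
```

Copy the Name column of the ImageMissing rows when reporting back, exactly as Device Manager would show them, rather than retyping from memory.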



#17 skeeterbyte
  • Topic Starter
  • Members
  • 67 posts

Posted 04 April 2014 - 11:58 AM

Thanks, 1972vet. Glad to see you made it through the storms. Hope it didn't get too rough.

Ran the update checker and updated noted "non-beta" software.

As to the grayed out items within the "non-plug and play" devices, here's the list:

95151527
Fs_Rec
mbr
MpKslb421af1a

(side note: kind of makes me nervous seeing "mbr" in this list. Just hoping that "mbr" here is different from "MBR" that I'm thinking)

Thanks,
Skeet


Edited by skeeterbyte, 04 April 2014 - 12:07 PM.


#18 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 04 April 2014 - 02:49 PM

Alright, thanks. As to the driver listed above labeled "95151527", you can return to the device manager, right click on that one and select "Delete". The mbr driver you refer to is most likely one that was left behind after running a scan with any number of different free tools available online...my guess would be combofix. That could be deleted as well, but it'll come back before we're finished since I plan to use another tool that would create it again.

Please find all the DDS scan logs on board and delete them. Run a fresh scan with DDS and post back THOSE results. Thanks!




#19 skeeterbyte
  • Topic Starter
  • Members
  • 67 posts

Posted 04 April 2014 - 03:02 PM

Deleted "95151527" as directed.

Here are the contents of the DDS log:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.16521  BrowserJavaVersion: 11.0.2
Run by Gatis at 15:57:33 on 2014-04-04
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3454.2361 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Xobni\XobniService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\zHotkey.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\ModPS2Key.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k SDRSVC
.
============== Pseudo HJT Report ===============
.
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre8\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre8\bin\jp2ssv.dll
TB: &RoboForm: {724D43A0-0D85-11D4-9908-00400523E39A} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [CHotkey] zHotkey.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe  startup
mRun: [ModPS2] ModPS2Key.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\gatis\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote 2007 Screen Clipper and Launcher.lnk.disabled
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\w98Eject.lnk.disabled
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Customize Menu - c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Fill Forms - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_51-windows-i586.cab
TCP: NameServer = 97.81.22.195 71.92.29.130 24.217.201.67
TCP: Interfaces\{514E703C-6EDB-451D-88B0-B252DA38F525} : DHCPNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} -
AppInit_DLLs= c:\progra~1\google\google~1\GO36F4~1.DLL
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\33.0.1750.154\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\gatis\appdata\roaming\mozilla\firefox\profiles\2swkcybu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wunderground.com/cgi-bin/findweather/getForecast?query=30519
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.23.9\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\dtplugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\users\gatis\appdata\local\microsoft\internet explorer\downloaded program files\npsoe.dll
FF - plugin: c:\users\gatis\appdata\local\roblox\versions\version-ccfce68b6145482d\NPRobloxProxy.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2014-1-25 231960]
R0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;c:\windows\system32\drivers\SSFS041A.sys [2007-3-22 13824]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes anti-malware\mbamscheduler.exe [2014-4-2 1809720]
R2 MBAMService;MBAMService;c:\program files\malwarebytes anti-malware\mbamservice.exe [2014-4-2 857912]
R2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 104264]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2012-1-18 450848]
R2 XobniService;XobniService;c:\program files\xobni\XobniService.exe [2011-5-18 62184]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-3-20 23256]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-4-2 51416]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2014-3-11 279776]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-1-30 30192]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-3-18 108032]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-4-2 107736]
S3 OXSDIDRV_x32;Oxford Semi eSATA Filter (x32);c:\windows\system32\drivers\OXSDIDRV_x32.sys [2009-9-28 52656]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\drivers\OXUDIDRV_x32.sys [2012-8-19 24880]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2013-4-13 14848]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2014-3-20 49152]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2013-4-13 27136]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-4-13 1343400]
.
=============== File Associations ===============
.
ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
.
=============== Created Last 30 ================
.
2014-04-04 16:13:26    --------    d-----w-    c:\users\gatis\appdata\local\Skype
2014-04-04 16:13:16    --------    d-----r-    c:\program files\Skype
2014-04-04 16:05:26    --------    d-----w-    c:\program files\FileHippo.com
2014-04-04 15:04:49    765968    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{df30f92d-10bc-42c6-af91-65d9a0d1c9b4}\gapaengine.dll
2014-04-04 15:04:34    7969936    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\{5dbb952a-dae4-4908-8c6a-a8428e22630a}\mpengine.dll
2014-04-03 23:55:40    96664    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-04-03 20:56:44    --------    d-----w-    c:\program files\ESET
2014-04-02 21:35:00    7969936    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2014-04-02 20:48:05    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-02 20:47:44    73432    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-04-02 20:47:44    51416    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-04-02 20:47:44    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-03-25 18:25:13    765968    ----a-w-    c:\programdata\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2014-03-23 16:00:30    --------    d-----w-    c:\program files\iPod
2014-03-23 16:00:29    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-03-23 16:00:29    --------    d-----w-    c:\program files\iTunes
2014-03-23 15:53:33    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin5.dll
2014-03-23 15:53:33    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin4.dll
2014-03-23 15:53:33    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin3.dll
2014-03-23 15:53:33    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin2.dll
2014-03-23 15:53:33    159744    ----a-w-    c:\program files\internet explorer\plugins\npqtplugin.dll
2014-03-23 03:02:24    --------    d-----w-    c:\windows\ERUNT
2014-03-22 18:44:17    --------    d-----w-    C:\FRST
2014-03-21 23:36:05    --------    d-----w-    c:\programdata\Oracle
2014-03-21 23:22:55    --------    d-----w-    c:\program files\VS Revo Group
2014-03-21 04:01:48    5694464    ----a-w-    c:\windows\system32\mstscax.dll
2014-03-21 03:53:54    194552    ----a-w-    c:\program files\mozilla firefox\maintenanceservice_installer.exe
2014-03-21 03:53:39    119808    ----a-w-    c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2014-03-21 03:37:41    --------    d-----w-    c:\windows\system32\catroot2
2014-03-21 03:14:52    --------    d-----w-    c:\windows\system32\wbem\repository
2014-03-21 03:08:34    --------    d-----w-    C:\RegBackup
2014-03-21 02:21:02    --------    d-----w-    c:\program files\Tweaking.com
2014-03-21 01:59:36    --------    d-----w-    C:\AdwCleaner
2014-03-20 19:22:26    32256    ----a-w-    c:\windows\system32\TsUsbGDCoInstaller.dll
2014-03-20 19:22:20    12800    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-03-20 19:22:19    49152    ----a-w-    c:\windows\system32\drivers\TsUsbFlt.sys
2014-03-20 19:22:17    17920    ----a-w-    c:\windows\system32\wksprtPS.dll
2014-03-20 19:22:17    14336    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-03-20 19:22:16    855552    ----a-w-    c:\windows\system32\rdvidcrl.dll
2014-03-20 19:22:16    76288    ----a-w-    c:\windows\system32\TSWbPrxy.exe
2014-03-20 19:22:16    53248    ----a-w-    c:\windows\system32\tsgqec.dll
2014-03-20 19:22:16    50176    ----a-w-    c:\windows\system32\MsRdpWebAccess.dll
2014-03-20 19:22:16    350208    ----a-w-    c:\windows\system32\wksprt.exe
2014-03-20 19:22:16    1068544    ----a-w-    c:\windows\system32\mstsc.exe
2014-03-20 19:21:50    792576    ----a-w-    c:\windows\system32\TSWorkspace.dll
2014-03-20 17:55:20    --------    d-----w-    c:\users\gatis\appdata\roaming\Malwarebytes
2014-03-20 17:55:06    --------    d-----w-    c:\programdata\Malwarebytes
2014-03-20 17:55:04    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-20 17:54:53    --------    d-----w-    c:\users\gatis\appdata\local\Programs
2014-03-18 23:10:59    7211008    ----a-w-    c:\program files\internet explorer\F12Resources.dll
2014-03-18 23:09:59    2349056    ----a-w-    c:\windows\system32\win32k.sys
2014-03-18 23:09:58    185344    ----a-w-    c:\windows\system32\wwansvc.dll
2014-03-18 23:09:57    381440    ----a-w-    c:\windows\system32\wer.dll
.
==================== Find3M  ====================
.
2014-03-20 21:02:18    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-20 21:02:18    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-11 13:52:30    104264    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-01 04:11:20    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2014-03-01 04:10:48    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2014-03-01 03:52:43    61952    ----a-w-    c:\windows\system32\iesetup.dll
2014-03-01 03:51:53    51200    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2014-03-01 03:38:26    112128    ----a-w-    c:\windows\system32\ieUnatt.exe
2014-03-01 03:38:23    108032    ----a-w-    c:\windows\system32\ieetwcollector.exe
2014-03-01 03:37:35    553472    ----a-w-    c:\windows\system32\jscript9diag.dll
2014-03-01 03:31:30    646144    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-01 03:14:15    4244480    ----a-w-    c:\windows\system32\jscript9.dll
2014-03-01 03:00:08    1964032    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-03-01 02:32:16    1820160    ----a-w-    c:\windows\system32\wininet.dll
2014-02-04 02:04:22    1230336    ----a-w-    c:\windows\system32\WindowsCodecs.dll
2014-02-04 02:04:11    509440    ----a-w-    c:\windows\system32\qedit.dll
2014-01-25 05:19:42    231960    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2014-01-19 07:32:23    231584    ------w-    c:\windows\system32\MpSigStub.exe
2014-01-17 20:24:12    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2014-01-17 20:24:12    69632    ----a-w-    c:\windows\system32\QuickTime.qts
.
============= FINISH: 15:58:54.44 ===============

Attaching the "attach.txt" file. Let me know if you'd rather I copy/paste it.



#20 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 04 April 2014 - 04:04 PM

Great, thanks...sigh

From the looks of things, the blue screen issue could be resulting from one of two problems:
1) All the remote access software installed and running, some of which could be conflicting with the others, and/or...
2) The driver left behind from using Webroot's "SpySweeper", which is also still running

...So, let me first ask if you know how long this issue has been occurring, and if you know how long ago it was that SpySweeper was used. Also, do you know what all the remote access software is being used for, or if in fact it is even being used at all? One last question this session: have you configured Windows to prevent the automatic reboot when a system crash occurs? Thanks!




#21 skeeterbyte
  • Topic Starter
  • Members
  • 67 posts

Posted 04 April 2014 - 04:21 PM

Understand that sigh.......

Question about how long it's been occurring.....I don't have any idea. When he brought it, I got the wonderful "my wife said it's been shutting down and won't work. I don't really know anything". So no, I have no idea on that. Likewise, I have no clue about any remote access software reason or use. As to setting it so Windows doesn't automatically reboot on system crash....yes, I have that configured. I haven't set up anything to do a screen grab of that though. Which do you prefer?

As to any software that might be causing/interfering/etc., if it needs to go, then it just needs to go. Thanks!



#22 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 05 April 2014 - 03:10 AM

Great, then the next time the system crashes, write down exactly what appears on the blue screen, specifically the mention of any driver, which would be detailed in the text appearing at the bottom of that screen.

Meanwhile,

Please disable the active protection component of your antivirus and antispyware programs by following the directions that apply Here.
...of those, many people overlook Windows Defender since, for most, there is no icon for it in the system tray. Scroll through those directives above and look for this application specifically, to make certain it is disabled (Microsoft Security Essentials users can disregard the Windows Defender disable instruction since, while MSE is installed, Windows Defender is disabled already by default).

Please download combofix from This Webpage...and read through the instructions there for running the tool.

When you've finished running the combofix scan, it will produce a log file for you. Please post that log back here in your next reply. Thanks!

Note:
Do not mouse-click combofix's window while it's running....that may cause the scan to stall.




#23 skeeterbyte
  • Topic Starter
  • Members
  • 67 posts

Posted 05 April 2014 - 12:20 PM

This computer is being seriously argumentative this morning.

Ready for a long list of BSOD's?

Here's what's happened so far:

On initial startup, got a BSOD with STOP 0x0000008E (0xC000001D,0x8C6F407B,0xA4B69571,0x00000000)
ntfs.sys - Address 8C6F4073 base at 8C653000, Datestamp 5167f0ab

Restarted. Got BSOD with STOP 0x0000008E (0xC0000005, 0x948C543E,0x807E2E55,0x00000000). No additional info given on this one.

Restarted and was able to get ComboFix to start. It crashed and gave the following BSOD: STOP 0x0000007F (0x00000000,0x00000000,0x00000000,0x00000000)

Restarted and got the following BSOD: PAGE_FAULT_IN_NONPAGED_AREA  STOP 0x00000050 (0xB0C65C65, 0x00000001,0x968C4FBB, 0x00000002)

Restarted and got ComboFix started again. Again it crashed and gave the same message referenced in the first ComboFix line above.

Let me note here that earlier on, I had created an additional new admin account called "Repair" as a "just in case". So on the next restart, I used that account rather than the ones that were existing on this computer.

After restarting and getting ComboFix started again (it did run longer this time, and along the way gave me the "pev.3XE has stopped working" message; I chose "Close" in the message and ComboFix continued), when it crashed this time while running ComboFix I got the following BSOD:
DRIVER_IRQL_NOT_LESS_OR_EQUAL 0x000000D1 (0x00000000, 0x00000002, 0x00000008, 0x00000000)

On restart, got this BSOD: 0x0000008E (0xC0000001D, 0x8C6F907B, 0x807FB6E9, 0x00000000)
ntfs.sys - Address 8C6F907B base at 8C658000, Datestamp 5167f0ab

Restarted and got this BSOD: IRQL_NOT_LESS_OR_EQUAL 0x0000000A (0x57F3Faa7, 0x00000002, 0x00000001, 0x832E0AAE)

So that's where I am so far. Question for you....since previously I had better success getting it to run without crashing in safe mode, can ComboFix be run in safe mode?

Thanks.


Edited by skeeterbyte, 05 April 2014 - 12:20 PM.


#24 skeeterbyte
  • Topic Starter
  • Members
  • 67 posts

Posted 05 April 2014 - 04:31 PM

Update....after letting it sit for a while, decided to give it another try. Was so very hopeful as ComboFix got much further. Completed all stages, deleted some files and was in the "deleting folders" stage when it crashed.
BSOD 0x0000008E (0xC00000005, 0x370450A1, 0xAA2E4B9C, 0x00000000)

Tried again and it again ran about the same length, but crashed as it was at the "deleting files" part.
BSOD was PAGE_FAULT_IN_NONPAGED_AREA
0x00000050 (0xFFFFFFC!, 0x00000001, 0x832A95CD, 0x00000000)

I'll let it wait until I get further direction from you.

Thanks!


Edited by skeeterbyte, 05 April 2014 - 05:08 PM.


#25 1972vet
  • Malware Response Team
  • 1,698 posts
  • Gender: Male
  • Location: Midwest U.S.A.

Posted 06 April 2014 - 03:18 AM

Have you considered the possibility that the BIOS needs to be updated? Check with the manufacturer of that system's motherboard to see what BIOS version is out there for that thing. You may also consider that there is some conflict with other hardware installed. You can try running combofix in safe mode. Try it...but regardless, combofix may indeed have produced a log. See if you can find one and post it back here on your next reply. Thanks!




#26 skeeterbyte
  • Topic Starter
  • Members
  • 67 posts

Posted 06 April 2014 - 10:21 AM

Didn't see any log from the previous tries at ComboFix. Did run it in safe mode and here's the log from that:

ComboFix 14-04-05.01 - Repair 04/06/2014  10:55:30.5.2 - x86 MINIMAL
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3454.2481 [GMT -4:00]
Running from: c:\users\Repair\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-06 to 2014-04-06  )))))))))))))))))))))))))))))))
.
.
2014-04-06 15:04 . 2014-04-06 15:04    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2014-04-06 15:04 . 2014-04-06 15:04    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-04-06 15:04 . 2014-04-06 15:04    --------    d-----w-    c:\users\Noah\AppData\Local\temp
2014-04-06 15:04 . 2014-04-06 15:04    --------    d-----w-    c:\users\Gatis\AppData\Local\temp
2014-04-06 15:04 . 2014-04-06 15:04    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-04-06 15:04 . 2014-04-06 15:04    --------    d-----w-    c:\users\Bethany\AppData\Local\temp
2014-04-05 16:40 . 2014-04-05 16:41    --------    d-----w-    c:\users\Repair
2014-04-05 16:12 . 2014-04-05 16:12    39464    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DBB952A-DAE4-4908-8C6A-A8428E22630A}\MpKslaaf2d8e7.sys
2014-04-04 16:13 . 2014-04-04 16:13    --------    d-----w-    c:\users\Gatis\AppData\Local\Skype
2014-04-04 16:13 . 2014-04-04 16:13    --------    d-----w-    c:\program files\Common Files\Skype
2014-04-04 16:13 . 2014-04-04 16:13    --------    d-----r-    c:\program files\Skype
2014-04-04 16:09 . 2014-04-04 16:09    --------    d-----w-    c:\program files\Common Files\Java
2014-04-04 16:05 . 2014-04-04 16:05    --------    d-----w-    c:\program files\FileHippo.com
2014-04-04 15:04 . 2014-03-21 01:31    765968    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DF30F92D-10BC-42C6-AF91-65D9A0D1C9B4}\gapaengine.dll
2014-04-04 15:04 . 2014-03-07 01:35    7969936    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DBB952A-DAE4-4908-8C6A-A8428E22630A}\mpengine.dll
2014-04-03 23:55 . 2014-04-04 16:08    96664    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-04-03 23:55 . 2014-04-04 16:08    --------    d-----w-    c:\program files\Java
2014-04-03 20:56 . 2014-04-03 20:56    --------    d-----w-    c:\program files\ESET
2014-04-02 21:35 . 2014-03-07 01:35    7969936    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-04-02 20:48 . 2014-04-05 21:17    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-02 20:47 . 2014-04-02 20:47    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-04-02 20:47 . 2014-03-05 13:26    51416    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-04-02 20:47 . 2014-03-05 13:26    73432    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-03-25 18:25 . 2014-03-21 01:31    765968    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-03-23 16:00 . 2014-03-23 16:00    --------    d-----w-    c:\program files\iPod
2014-03-23 16:00 . 2014-03-23 16:01    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-03-23 16:00 . 2014-03-23 16:01    --------    d-----w-    c:\program files\iTunes
2014-03-23 15:53 . 2014-03-23 15:53    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2014-03-23 15:53 . 2014-03-23 15:53    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2014-03-23 15:53 . 2014-03-23 15:53    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2014-03-23 15:53 . 2014-03-23 15:53    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2014-03-23 15:53 . 2014-03-23 15:53    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2014-03-23 15:53 . 2014-03-23 15:53    --------    d-----w-    c:\program files\QuickTime
2014-03-23 03:02 . 2014-03-23 03:02    --------    d-----w-    c:\windows\ERUNT
2014-03-22 18:44 . 2014-03-22 18:58    --------    d-----w-    C:\FRST
2014-03-21 23:37 . 2014-03-21 23:37    --------    d-----w-    c:\users\Gatis\AppData\Roaming\Oracle
2014-03-21 23:36 . 2014-04-04 16:08    --------    d-----w-    c:\programdata\Oracle
2014-03-21 23:22 . 2014-03-21 23:29    --------    d-----w-    c:\program files\VS Revo Group
2014-03-21 04:01 . 2014-01-09 02:22    5694464    ----a-w-    c:\windows\system32\mstscax.dll
2014-03-21 03:37 . 2014-04-02 23:05    --------    d-----w-    c:\windows\system32\catroot2
2014-03-21 03:14 . 2014-04-06 14:53    --------    d-----w-    c:\windows\system32\wbem\repository
2014-03-21 03:11 . 2014-03-21 03:19    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2014-03-21 03:08 . 2014-03-21 03:08    --------    d-----w-    C:\RegBackup
2014-03-21 02:21 . 2014-03-21 02:21    --------    d-----w-    c:\program files\Tweaking.com
2014-03-21 01:59 . 2014-03-23 03:14    --------    d-----w-    C:\AdwCleaner
2014-03-20 19:22 . 2013-10-01 23:45    32256    ----a-w-    c:\windows\system32\TsUsbGDCoInstaller.dll
2014-03-20 19:22 . 2013-10-02 00:32    12800    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-03-20 19:22 . 2013-10-02 00:42    49152    ----a-w-    c:\windows\system32\drivers\TsUsbFlt.sys
2014-03-20 19:22 . 2013-10-02 00:30    14336    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-03-20 19:22 . 2013-10-02 00:14    17920    ----a-w-    c:\windows\system32\wksprtPS.dll
2014-03-20 19:22 . 2013-10-02 00:14    50176    ----a-w-    c:\windows\system32\MsRdpWebAccess.dll
2014-03-20 19:22 . 2013-10-01 23:58    53248    ----a-w-    c:\windows\system32\tsgqec.dll
2014-03-20 19:22 . 2013-10-01 23:08    855552    ----a-w-    c:\windows\system32\rdvidcrl.dll
2014-03-20 19:22 . 2013-10-01 23:00    76288    ----a-w-    c:\windows\system32\TSWbPrxy.exe
2014-03-20 19:22 . 2013-10-01 22:53    350208    ----a-w-    c:\windows\system32\wksprt.exe
2014-03-20 19:22 . 2013-10-01 22:34    1068544    ----a-w-    c:\windows\system32\mstsc.exe
2014-03-20 19:21 . 2013-09-25 01:57    792576    ----a-w-    c:\windows\system32\TSWorkspace.dll
2014-03-20 17:55 . 2014-04-02 20:47    --------    d-----w-    c:\users\Gatis\AppData\Roaming\Malwarebytes
2014-03-20 17:55 . 2014-04-02 20:47    --------    d-----w-    c:\programdata\Malwarebytes
2014-03-20 17:55 . 2014-03-05 13:26    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-20 17:54 . 2014-03-20 17:54    --------    d-----w-    c:\users\Gatis\AppData\Local\Programs
2014-03-18 23:10 . 2014-03-01 22:02    235224    ----a-w-    c:\program files\Internet Explorer\sqmapi.dll
2014-03-18 23:09 . 2014-02-07 01:07    2349056    ----a-w-    c:\windows\system32\win32k.sys
2014-03-18 23:09 . 2014-01-28 02:07    185344    ----a-w-    c:\windows\system32\wwansvc.dll
2014-03-18 23:09 . 2014-01-29 02:06    381440    ----a-w-    c:\windows\system32\wer.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-20 21:02 . 2012-04-02 15:44    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-20 21:02 . 2011-06-13 00:21    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 13:52 . 2013-01-20 19:59    104264    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-01-25 05:19 . 2014-01-25 05:19    231960    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2014-01-19 07:32 . 2010-09-20 05:34    231584    ------w-    c:\windows\system32\MpSigStub.exe
2014-01-17 20:24 . 2014-01-17 20:24    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2014-01-17 20:24 . 2014-01-17 20:24    69632    ----a-w-    c:\windows\system32\QuickTime.qts
2010-09-01 12:49 . 2014-03-21 03:53    119808    ----a-w-    c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
"CHotkey"="zHotkey.exe" [2006-11-07 547840]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-01 30192]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"ModPS2"="ModPS2Key.exe" [2006-11-07 53248]
"ShowWnd"="ShowWnd.exe" [2005-01-27 36864]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-01-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-03-04 224128]
.
c:\users\Noah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk.disabled [2007-3-24 1111]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-26 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-12-22 984936]
w98Eject.lnk.disabled [2009-4-26 549]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter4.1]
2008-06-18 04:13    198184    ----a-w-    c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
2006-09-06 20:12    323216    ----a-w-    c:\program files\Napster\napster.exe
.
R1 MpKslaaf2d8e7;MpKslaaf2d8e7;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DBB952A-DAE4-4908-8C6A-A8428E22630A}\MpKslaaf2d8e7.sys [2014-04-05 39464]
R1 MpKslbc4e79cd;MpKslbc4e79cd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DBB952A-DAE4-4908-8C6A-A8428E22630A}\MpKslbc4e79cd.sys [2014-04-04 39464]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-03-05 1809720]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-03-05 857912]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-10-23 172192]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2011-05-18 62184]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-09-01 30192]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-03-01 108032]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-03-05 23256]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-04-05 107736]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-03-05 51416]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2014-03-11 279776]
R3 OXSDIDRV_x32;Oxford Semi eSATA Filter (x32);c:\windows\system32\DRIVERS\OXSDIDRV_x32.sys [2009-09-28 52656]
R3 OXUDIDRV;OXUDIDRV;c:\windows\system32\Drivers\OXUDIDRV_X32.sys [2010-05-25 24880]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 27136]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-04-13 1343400]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
S0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;c:\windows\SYSTEM32\Drivers\SSFS041A.SYS [2006-07-07 13824]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService    REG_MULTI_SZ       HsfXAudioService
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-21 00:23    1150280    ----a-w-    c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 21:02]
.
2014-03-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-23 13:18]
.
2014-04-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 06:34]
.
2014-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 06:34]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
FF - ProfilePath - c:\users\Gatis\AppData\Roaming\Mozilla\Firefox\Profiles\2swkcybu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wunderground.com/cgi-bin/findweather/getForecast?query=30519
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Malwarebytes' Anti-Malware_is1 - c:\program files\Malwarebytes' Anti-Malware\unins000.exe
.
.
.
Completion time: 2014-04-06  11:07:41
ComboFix-quarantined-files.txt  2014-04-06 15:07
ComboFix2.txt  2013-03-31 16:56
.
Pre-Run: 135,682,007,040 bytes free
Post-Run: 135,910,092,800 bytes free
.
- - End Of File - - A845D3ECE03A9A6AE75E4A6CB5CE4BA3
A36C5E4F47E84449FF07ED3517B43A31
While I wait for your review of the log, I'll see about the BIOS. I had thought about that but hadn't worked my way up to it at this point.

Thanks!

Skeet



#27 1972vet (Malware Response Team, 1,698 posts, Midwest U.S.A.)

Posted 06 April 2014 - 04:48 PM

If I appear to be vacillating about your blue screen issue, it's because I made the assumption that you've properly run a chkdsk on that system but I should have asked first before I jumped ahead. My apologies for that amateurish mistake.

Of the various error messages from the blue screens you posted, only two of them referenced any driver...and those two both referenced the same driver. That driver, ntfs.sys, implies to me that a chkdsk is in order but the confusing issue is as stated above, that you said you had done that. So, let me ask. When you did perform a chkdsk, did you run it with the r switch?

This of course would cause blue screen issues, but assuming you had already cleared this, I then deferred to the possibility of the issue revolving around the leftover driver from an old SpySweeper installation. That, at least, will be addressed with these instructions.

Before we get to that though, I wanted to explain a bit about the Windows "Trusted Zone". When a home user places something from the internet in the trusted zone...something they really have no control over, it is equal to leaving their keys in the front door while they go away on vacation.

Now...if you agree that it is a bad idea to allow access through your front door while you're away, then please, remove these:
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com


...to do that, open "Internet Options" from within the control panel. Click the "Security" tab-->Trusted sites-->Sites button. Remove everything you find there inside the "Websites" window. Apply those changes and "OK" your way out to close the properties window...then close the control panel.

Next, we need to run ComboFix again, using a script this time...so please disable the on-board security products as before, and run it from safe mode. Please open a blank Notepad. Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your ComboFix.exe

ComboFix will run again automatically. Please post back the new log that will be generated along with the answer to my question above. Thanks!
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.



KILLALL::

dds::
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} -

Driver::
SSFS041A.sys

rootkit::
c:\windows\system32\drivers\SSFS041A.sys

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]

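As an added example (this is not 1972vet's code, nor anything from ComboFix or the thread), the PowerShell below enumerates every site mapped into an Internet Explorer security zone and flags the ones sitting in the Trusted sites zone, so the check the helper describes above can be run from a console instead of clicking through Internet Options. It assumes the standard ZoneMap\Domains registry layout (per-user under HKCU; HKLM is consulted instead when the Security_HKLM_only policy is set) and Windows PowerShell on the affected machine.

```powershell
# Added example, not from the thread or from ComboFix: list the sites a user has
# mapped into Internet Explorer's security zones and flag the Trusted sites ones.
# Assumption: the standard ZoneMap\Domains layout, where each domain is a key,
# an optional sub-key narrows it to a host (Domains\sony.com\www -> www.sony.com),
# and each value inside the key is a scheme ('http', 'https' or '*') whose DWORD
# data is the zone number.

$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-ZoneMapEntry {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)

    $root = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path -Path $root)) { return }

    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key = $_
        # Rebuild the host name from the key path relative to ...\Domains\
        $relative = $key.Name -replace '^.*\\Domains\\', ''
        $parts = $relative -split '\\'
        [array]::Reverse($parts)
        $hostName = $parts -join '.'

        foreach ($scheme in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($scheme)
            [pscustomobject]@{
                Hive     = $Hive
                Host     = $hostName
                Scheme   = if ($scheme) { $scheme } else { '(default)' }
                Zone     = $zone
                ZoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { "Unknown ($zone)" }
            }
        }
    }
}

# Audit both hives; the HKLM branch needs an elevated prompt to be readable.
$entries = 'HKCU', 'HKLM' | ForEach-Object { Get-ZoneMapEntry -Hive $_ }

"All zone mappings found:"
$entries | Format-Table -AutoSize Hive, Host, Scheme, ZoneName

# Zone 2 is the Trusted sites zone: anything here runs with relaxed IE security
# settings, which is the exposure 1972vet's front-door analogy describes.
$trusted = $entries | Where-Object { $_.Zone -eq 2 }
if ($trusted) {
    "Sites currently in the Trusted sites zone (review and remove any you did not add yourself):"
    $trusted | Format-Table -AutoSize Hive, Host, Scheme
} else {
    'No sites are mapped to the Trusted sites zone.'
}
```

Removing an entry is still done as the post describes (Internet Options, Security tab, Trusted sites, Sites), which also keeps the per-user and machine-wide lists consistent.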


#28 skeeterbyte (Topic Starter, Members, 67 posts)

Posted 06 April 2014 - 04:56 PM

Hi 1972vet,

Yes, I did run the CHKDSK in the initial stages of working on this computer. I don't recall running it with the r switch though. So I will certainly run that again. Do you want me to run it after I complete the other steps...i.e. clearing the trusted zones and running ComboFix, or before I complete those steps?

Thanks!!

Edit: correction. I know I ran it with the r switch. So I'll just move on to the steps you outlined.


Edited by skeeterbyte, 06 April 2014 - 05:04 PM.


#29 skeeterbyte (Topic Starter, Members, 67 posts)

Posted 06 April 2014 - 05:35 PM

Also, I should have told you no worries on not asking that from the get-go. If you're like me, this thing has tried to give me a massive headache and misalign my brain cells as well. ;-)

Here's the ComboFix log (again run in Safe Mode):

ComboFix 14-04-05.01 - Repair 04/06/2014  18:16:45.6.2 - x86 MINIMAL
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3454.2862 [GMT -4:00]
Running from: c:\users\Repair\Desktop\ComboFix.exe
Command switches used :: c:\users\Repair\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_SSFS041A
-------\Service_SSFS041A
.
.
(((((((((((((((((((((((((   Files Created from 2014-03-06 to 2014-04-06  )))))))))))))))))))))))))))))))
.
.
2014-04-06 22:24 . 2014-04-06 22:24    --------    d-----w-    c:\users\UpdatusUser\AppData\Local\temp
2014-04-06 22:24 . 2014-04-06 22:24    --------    d-----w-    c:\users\Public\AppData\Local\temp
2014-04-06 22:24 . 2014-04-06 22:24    --------    d-----w-    c:\users\Noah\AppData\Local\temp
2014-04-06 22:24 . 2014-04-06 22:24    --------    d-----w-    c:\users\Gatis\AppData\Local\temp
2014-04-06 22:24 . 2014-04-06 22:24    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-04-06 22:24 . 2014-04-06 22:24    --------    d-----w-    c:\users\Bethany\AppData\Local\temp
2014-04-05 16:40 . 2014-04-05 16:41    --------    d-----w-    c:\users\Repair
2014-04-04 16:13 . 2014-04-04 16:13    --------    d-----w-    c:\users\Gatis\AppData\Local\Skype
2014-04-04 16:13 . 2014-04-04 16:13    --------    d-----w-    c:\program files\Common Files\Skype
2014-04-04 16:13 . 2014-04-04 16:13    --------    d-----r-    c:\program files\Skype
2014-04-04 16:09 . 2014-04-04 16:09    --------    d-----w-    c:\program files\Common Files\Java
2014-04-04 16:05 . 2014-04-04 16:05    --------    d-----w-    c:\program files\FileHippo.com
2014-04-04 15:04 . 2014-03-21 01:31    765968    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DF30F92D-10BC-42C6-AF91-65D9A0D1C9B4}\gapaengine.dll
2014-04-04 15:04 . 2014-03-07 01:35    7969936    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DBB952A-DAE4-4908-8C6A-A8428E22630A}\mpengine.dll
2014-04-03 23:55 . 2014-04-04 16:08    96664    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2014-04-03 23:55 . 2014-04-04 16:08    --------    d-----w-    c:\program files\Java
2014-04-03 20:56 . 2014-04-03 20:56    --------    d-----w-    c:\program files\ESET
2014-04-02 21:35 . 2014-03-07 01:35    7969936    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-04-02 20:48 . 2014-04-06 17:35    107736    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-02 20:47 . 2014-04-02 20:47    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-04-02 20:47 . 2014-03-05 13:26    51416    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-04-02 20:47 . 2014-03-05 13:26    73432    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-03-25 18:25 . 2014-03-21 01:31    765968    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-03-23 16:00 . 2014-03-23 16:00    --------    d-----w-    c:\program files\iPod
2014-03-23 16:00 . 2014-03-23 16:01    --------    d-----w-    c:\programdata\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-03-23 16:00 . 2014-03-23 16:01    --------    d-----w-    c:\program files\iTunes
2014-03-23 15:53 . 2014-03-23 15:53    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2014-03-23 15:53 . 2014-03-23 15:53    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2014-03-23 15:53 . 2014-03-23 15:53    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2014-03-23 15:53 . 2014-03-23 15:53    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2014-03-23 15:53 . 2014-03-23 15:53    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2014-03-23 15:53 . 2014-03-23 15:53    --------    d-----w-    c:\program files\QuickTime
2014-03-23 03:02 . 2014-03-23 03:02    --------    d-----w-    c:\windows\ERUNT
2014-03-22 18:44 . 2014-03-22 18:58    --------    d-----w-    C:\FRST
2014-03-21 23:37 . 2014-03-21 23:37    --------    d-----w-    c:\users\Gatis\AppData\Roaming\Oracle
2014-03-21 23:36 . 2014-04-04 16:08    --------    d-----w-    c:\programdata\Oracle
2014-03-21 23:22 . 2014-03-21 23:29    --------    d-----w-    c:\program files\VS Revo Group
2014-03-21 04:01 . 2014-01-09 02:22    5694464    ----a-w-    c:\windows\system32\mstscax.dll
2014-03-21 03:37 . 2014-04-02 23:05    --------    d-----w-    c:\windows\system32\catroot2
2014-03-21 03:14 . 2014-04-06 22:27    --------    d-----w-    c:\windows\system32\wbem\repository
2014-03-21 03:11 . 2014-03-21 03:19    181064    ----a-w-    c:\windows\PSEXESVC.EXE
2014-03-21 03:08 . 2014-03-21 03:08    --------    d-----w-    C:\RegBackup
2014-03-21 02:21 . 2014-03-21 02:21    --------    d-----w-    c:\program files\Tweaking.com
2014-03-21 01:59 . 2014-03-23 03:14    --------    d-----w-    C:\AdwCleaner
2014-03-20 19:22 . 2013-10-01 23:45    32256    ----a-w-    c:\windows\system32\TsUsbGDCoInstaller.dll
2014-03-20 19:22 . 2013-10-02 00:32    12800    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-03-20 19:22 . 2013-10-02 00:42    49152    ----a-w-    c:\windows\system32\drivers\TsUsbFlt.sys
2014-03-20 19:22 . 2013-10-02 00:30    14336    ----a-w-    c:\windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-03-20 19:22 . 2013-10-02 00:14    17920    ----a-w-    c:\windows\system32\wksprtPS.dll
2014-03-20 19:22 . 2013-10-02 00:14    50176    ----a-w-    c:\windows\system32\MsRdpWebAccess.dll
2014-03-20 19:22 . 2013-10-01 23:58    53248    ----a-w-    c:\windows\system32\tsgqec.dll
2014-03-20 19:22 . 2013-10-01 23:08    855552    ----a-w-    c:\windows\system32\rdvidcrl.dll
2014-03-20 19:22 . 2013-10-01 23:00    76288    ----a-w-    c:\windows\system32\TSWbPrxy.exe
2014-03-20 19:22 . 2013-10-01 22:53    350208    ----a-w-    c:\windows\system32\wksprt.exe
2014-03-20 19:22 . 2013-10-01 22:34    1068544    ----a-w-    c:\windows\system32\mstsc.exe
2014-03-20 19:21 . 2013-09-25 01:57    792576    ----a-w-    c:\windows\system32\TSWorkspace.dll
2014-03-20 17:55 . 2014-04-02 20:47    --------    d-----w-    c:\users\Gatis\AppData\Roaming\Malwarebytes
2014-03-20 17:55 . 2014-04-02 20:47    --------    d-----w-    c:\programdata\Malwarebytes
2014-03-20 17:55 . 2014-03-05 13:26    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-03-20 17:54 . 2014-03-20 17:54    --------    d-----w-    c:\users\Gatis\AppData\Local\Programs
2014-03-18 23:10 . 2014-03-01 22:02    235224    ----a-w-    c:\program files\Internet Explorer\sqmapi.dll
2014-03-18 23:09 . 2014-02-07 01:07    2349056    ----a-w-    c:\windows\system32\win32k.sys
2014-03-18 23:09 . 2014-01-28 02:07    185344    ----a-w-    c:\windows\system32\wwansvc.dll
2014-03-18 23:09 . 2014-01-29 02:06    381440    ----a-w-    c:\windows\system32\wer.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-06 22:24 . 2007-03-22 12:22    13824    ----a-w-    c:\windows\system32\drivers\SSFS041A.sys
2014-03-20 21:02 . 2012-04-02 15:44    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-03-20 21:02 . 2011-06-13 00:21    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 13:52 . 2013-01-20 19:59    104264    ----a-w-    c:\windows\system32\drivers\NisDrvWFP.sys
2014-01-25 05:19 . 2014-01-25 05:19    231960    ----a-w-    c:\windows\system32\drivers\MpFilter.sys
2014-01-19 07:32 . 2010-09-20 05:34    231584    ------w-    c:\windows\system32\MpSigStub.exe
2014-01-17 20:24 . 2014-01-17 20:24    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2014-01-17 20:24 . 2014-01-17 20:24    69632    ----a-w-    c:\windows\system32\QuickTime.qts
2010-09-01 12:49 . 2014-03-21 03:53    119808    ----a-w-    c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
"CHotkey"="zHotkey.exe" [2006-11-07 547840]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-01 30192]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"ModPS2"="ModPS2Key.exe" [2006-11-07 53248]
"ShowWnd"="ShowWnd.exe" [2005-01-27 36864]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 951576]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-01-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-03-04 224128]
.
c:\users\Noah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk.disabled [2007-3-24 1111]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-6-26 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-12-22 984936]
w98Eject.lnk.disabled [2009-4-26 549]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter4.1]
2008-06-18 04:13    198184    ----a-w-    c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
.
R1 MpKslbc4e79cd;MpKslbc4e79cd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5DBB952A-DAE4-4908-8C6A-A8428E22630A}\MpKslbc4e79cd.sys [2014-04-04 39464]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-03-05 1809720]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2014-03-05 857912]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-10-23 172192]
R3 CFcatchme;CFcatchme;c:\users\Repair\AppData\Local\Temp\CFcatchme.sys [x]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-09-01 30192]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-03-01 108032]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-04-06 107736]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2014-03-05 51416]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2014-03-11 104264]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2014-03-11 279776]
R3 OXSDIDRV_x32;Oxford Semi eSATA Filter (x32);c:\windows\system32\DRIVERS\OXSDIDRV_x32.sys [2009-09-28 52656]
R3 OXUDIDRV;OXUDIDRV;c:\windows\system32\Drivers\OXUDIDRV_X32.sys [2010-05-25 24880]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2013-10-02 49152]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 27136]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2009-07-13 266752]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-04-13 1343400]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [2012-01-18 450848]
S2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [2011-05-18 62184]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2014-03-05 23256]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-09-28 315392]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HsfXAudioService    REG_MULTI_SZ       HsfXAudioService
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-21 00:23    1150280    ----a-w-    c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 21:02]
.
2014-03-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-23 13:18]
.
2014-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 06:34]
.
2014-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 06:34]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
FF - ProfilePath - c:\users\Gatis\AppData\Roaming\Mozilla\Firefox\Profiles\2swkcybu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wunderground.com/cgi-bin/findweather/getForecast?query=30519
.
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\NVIDIA Corporation\Display\nvxdsync.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\conhost.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\RtHDVCpl.exe
c:\windows\zHotkey.exe
c:\windows\ModPS2Key.exe
c:\program files\NVIDIA Corporation\Display\nvtray.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehPrivJob.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\System32\WUDFHost.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2014-04-06  18:31:50 - machine was rebooted
ComboFix-quarantined-files.txt  2014-04-06 22:31
ComboFix2.txt  2014-04-06 15:07
ComboFix3.txt  2013-03-31 16:56
.
Pre-Run: 136,231,178,240 bytes free
Post-Run: 135,973,416,960 bytes free
.
- - End Of File - - 9CC89E3327BD6D8752CB5034BC4C9F05
A36C5E4F47E84449FF07ED3517B43A31
 


Edited by skeeterbyte, 06 April 2014 - 05:35 PM.


#30 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:05:04 AM

Posted 06 April 2014 - 07:36 PM

Yeah, run the chkdsk /r and reboot it when it completes, then remove those items from the trusted zone and run ComboFix. You should still run it in safe mode, though. Post back THAT log. Thanks!


Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven
