Fake Virus Popups & Unable to update
Also am getting "Host process for windows services stopped working correctly and was closed" message. Started getting it only when idle for a while but now get it often during operation.
Was getting erratic browser behavior such as additional tabs or windows opening, sometimes just hanging. Noticed my status loading bar turned blue but is now back to green after I did some cleaning with Spybot and Malware Bytes, along with my MSE virus scan, but I cannot update through Windows Vista Home Premium, MSE or direct from Microsoft site. Browser issues seem cleared up except for intermittent popups at first instance opening of browser, not always related to fake virus or registry scanners. Have seen some url references to AV8. MSE finds many Java exploit items of late that only recently it seems to have been able to do anything about. Was considering a System Restore only to be informed it has been turned off, which I may have done ages ago but hard to believe I forgot to turn it back on. Question if some of these Windows messages are truly from Windows. Had a virus a few weeks back that emulated MSE message windows identically. Appreciate your help....
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:57:07 PM, on 10/30/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
C:\Program Files\Folder Guard 32-bit\FGKey.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\ctfmon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Squeezebox\SqueezeTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\SQUEEZ~2\server\SQUEEZ~3.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\Software\HiJackThis.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 172.16.1.36 HP0015604AFAB6
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard 32-bit\FGKey.exe /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Squeezebox Server Tray Tool.lnk = C:\Program Files\Squeezebox\SqueezeTray.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: FGLITE - WinAbility® Corporation - C:\Program Files\WinAbility\Folder Guard Lite\FGLite.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~2\server\Bin\MSWIN3~1\mysqld.exe
--
End of file - 8479 bytes
Thanks,
Robert
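The O4 (Run keys) and O23 (services) entries in a HijackThis log like the one above are the first thing a helper reads, and the same autostart data appears as uRun/mRun and mPolicies lines in a DDS report. The script below is an added example, not part of this thread or of any tool used in it: it runs a simple triage over such lines and flags autostart binaries launched from user-writable temp/AppData paths, blank or numeric-only Run value names, services whose owner field is "Unknown owner", and EnableLUA = 0 (UAC off). The SUSPICIOUS_DIRS list and the reason strings are my own assumptions, and the embedded sample lines are constructed to mirror the log formats posted in this thread.

```python
"""Triage autostart lines from HijackThis (O4 / O23) and DDS (uRun / mRun /
mPolicies) logs. Added example, not a tool from this thread.
Heuristics (assumptions, not log-format facts): persistence launched from a
user-writable temp/AppData path, blank or numeric-only Run value names,
services whose owner field is "Unknown owner", and UAC turned off."""
import re

# Lower-case path fragments where a legitimate installer rarely leaves an
# autostart binary (assumption; tune for your environment).
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
)

# HijackThis: O4 - HKLM\..\Run: [Name] C:\path\file.exe args
HJT_O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# HijackThis: O23 - Service: Display (svc) - Owner - C:\path\file.exe
HJT_O23 = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# DDS: uRun: [Name] c:\path\file.exe   (u = current-user hive, m = machine hive)
DDS_RUN = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# DDS: mPolicies-system: EnableLUA = 0 (0x0)
DDS_LUA = re.compile(r"^mPolicies-system: EnableLUA = (?P<val>\d+)")

# Constructed sample modelled on the HijackThis and DDS lines in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~2\server\Bin\MSWIN3~1\mysqld.exe
uRun: [108233] c:\users\robert\appdata\local\temp\108233.exe
mRun: [ ]
mPolicies-system: EnableLUA = 0 (0x0)
"""


def _exe_path(cmd: str) -> str:
    """Pull the executable path out of a Run/Service command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted: take up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)  # unquoted: up to the first .exe
    return m.group(1) if m else cmd.split(" ")[0]


def triage_line(line: str) -> list[str]:
    """Return the reasons one log line looks suspicious (empty list if none)."""
    reasons: list[str] = []
    m = HJT_O4.match(line) or DDS_RUN.match(line)
    if m:
        name = m.group("name").strip()
        path = _exe_path(m.group("cmd")).lower()
        if not name:
            reasons.append("blank Run value name")
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append(f"autostart from user-writable directory: {path}")
        if re.fullmatch(r"\d+", name):
            reasons.append("numeric-only Run value name")
        return reasons
    m = HJT_O23.match(line)
    if m:
        path = _exe_path(m.group("cmd")).lower()
        if m.group("owner").strip().lower() == "unknown owner":
            reasons.append(f"service with unknown owner: {m.group('svc')}")
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append(f"service binary in user-writable directory: {path}")
        return reasons
    m = DDS_LUA.match(line)
    if m and m.group("val") == "0":
        reasons.append("UAC disabled (EnableLUA = 0)")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every flagged line of a pasted log."""
    out: list[tuple[str, list[str]]] = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            out.append((line, reasons))
    return out


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

On the constructed sample the script leaves the MSE and ctfmon entries alone and flags the four others; paste a real HijackThis or DDS report in place of SAMPLE_LOG to use it as a first pass before reading the log by hand.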
Bugbatter
November 7th, 2010 02:00
Hi Robert,
Welcome. Thank you for using Dell Community Forums.
Sorry we could not get to you sooner. I am reviewing your log. In the meantime, you can help me by addressing the following:
* Have you posted this issue on another forum? If so, please provide a link to the topic.
* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.
* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.
* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE.
* If this computer belongs to someone else, do you have authority to apply the fixes we will use?
* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.
* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.
* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.
I look forward to your reply so we can begin cleaning.
No Reply within 3 days will result in this topic being closed, and I will remove it from my subscriptions. If you require more time, please let me know.
Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.
Bugbatter
November 7th, 2010 12:00
Please disable Spybot's Teatimer via MSCONFIG:
http://www.netsquirrel.com/msconfig/msconfig_vista.html
When you get to the Startup tab, UNcheck the entry for TeaTimer until this is over...
1. Open Spybot
2. Click Mode -> Advanced Mode
3. Click Yes
4. Click Tools (located in the bottom left corner) -> Resident
5. Uncheck 'Resident "TeaTimer" (Protection of over-all system settings) active'
6. Then close Spybot.
Reboot.
Verify that Teatimer is not running.
After ALL cleaning of your system has been completed and we have confirmed that your computer is clean, reverse these steps and re-enable the protection applets for TeaTimer.
Please update Malwarebytes Anti-Malware, run a scan, and please post the log from that scan.
In addition, we need to see some more information about what is happening in your machine.
1. DDS.txt
2. Attach.txt
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE.
RGibran
November 7th, 2010 12:00
Bugbatter,
Thank you for your time.
Responding to your questions…
I have not posted this on any other forum.
System Restore is enabled.
I am not running any cracked software.
I do not run any P2P programs.
This is my computer.
I await your instructions.
Robert
RGibran
November 7th, 2010 15:00
I disabled Teatimer and noted 108233.exe from unknown manufacturer was running at startup. I believe I saw this associated with a desktop shortcut planted by a 'System Defragmenter' program full of fake messages...FYI. I am no longer receiving those particular popups but thought I would mention this.
As requested:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5067
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975
11/7/2010 4:47:53 PM
mbam-log-2010-11-07 (16-47-53).txt
Scan type: Full scan (C:\|)
Objects scanned: 258654
Time elapsed: 1 hour(s), 15 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
=================================================================================================================
DDS (Ver_10-11-08.01) - NTFSx86
Run by Robert at 16:51:54.33 on Sun 11/07/2010
Internet Explorer: 8.0.6001.18975
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2045.1054 [GMT -6:00]
AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: BitDefender Antispyware *enabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
C:\Program Files\Folder Guard 32-bit\FGKey.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\ctfmon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Squeezebox\SqueezeTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Program Files\WinAbility\Folder Guard Lite\FGLite.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\PROGRA~1\SQUEEZ~2\server\Bin\MSWIN3~1\mysqld.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\SQUEEZ~2\server\SQUEEZ~3.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Robert\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uDefault_Page_URL = hxxp://att.net
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://att.net/
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://att.net
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
mSearch Page =
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [108233] c:\users\robert\appdata\local\temp\108233.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [EnvyHFCPL] c:\program files\via\viaudioi\envyadeck\EnMixCPL.exe 1
mRun: [FG_Monitor] c:\program files\folder guard 32-bit\FGKey.exe /Start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [ ]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\squeez~1.lnk - c:\program files\squeezebox\SqueezeTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Hosts: 172.16.1.36 HP0015604AFAB6
============= SERVICES / DRIVERS ===============
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-3-11 151216]
R2 FGLITE;FGLITE;c:\program files\winability\folder guard lite\FGLite.exe [2008-11-21 86016]
R2 FGUARD32;FGUARD32;c:\program files\folder guard 32-bit\FGUARD32.SYS [2008-11-21 54480]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-9-12 1153368]
R2 SqueezeMySQL;SqueezeMySQL;c:\progra~1\squeez~2\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\progra~2\squeez~2\cache\my.cnf squeezemysql --> c:\progra~1\squeez~2\server\bin\mswin3~1\mysqld.exe --defaults-file=c:\progra~2\squeez~2\cache\my.cnf SqueezeMySQL [?]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2009-9-16 673600]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-3-11 42368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-9-29 135664]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-9-6 14216]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-9-6 8456]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
=============== Created Last 30 ================
2010-11-03 18:12:28 6146896 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{039fb457-ea9f-4145-b8ff-485680dd1a49}\mpengine.dll
2010-10-29 22:57:30 -------- d-----w- c:\users\robert\appdata\roaming\Malwarebytes
2010-10-29 22:57:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-29 22:57:17 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-29 22:57:17 -------- d-----w- c:\progra~2\Malwarebytes
2010-10-29 22:57:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-27 14:42:33 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-27 14:42:31 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-27 14:42:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-13 16:29:24 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-10-13 16:29:24 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
2010-10-13 16:29:12 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-10-13 16:29:11 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-10-13 16:29:11 17920 ----a-w- c:\windows\system32\netevent.dll
2010-10-13 16:29:11 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-10-13 16:29:11 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-10-13 16:29:03 274944 ----a-w- c:\windows\system32\schannel.dll
2010-10-13 16:29:02 339968 ----a-w- c:\program files\windows nt\accessories\wordpad.exe
2010-10-13 16:29:02 1316864 ----a-w- c:\windows\system32\ole32.dll
2010-10-13 16:29:00 157184 ----a-w- c:\windows\system32\t2embed.dll
==================== Find3M ====================
2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-15 09:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST380013AS rev.8.12 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-2
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-2 -> \??\IDE#DiskST380013AS______________________________8.12____#5&d16988c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x85C61292
user != kernel MBR !!!
sectors 156249998 (+239): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
Registry trace:
called modules: ntkrnlpa.exe MpFilter.sys hal.dll
============= FINISH: 16:52:53.38 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_10-11-08.01)
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 9/16/2009 2:49:08 PM
System Uptime: 11/7/2010 3:24:23 PM (1 hours ago)
Motherboard: Dell Inc. | | 0U7077
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Microprocessor | 2992/800mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 46 GiB total, 13.839 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is FIXED (NTFS) - 25 GiB total, 20.043 GiB free.
H: is FIXED (NTFS) - 233 GiB total, 99.9 GiB free.
I: is Removable
J: is Removable
==== Disabled Device Manager Items =============
Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0002
Manufacturer: Microsoft
Name: Microsoft ISATAP Adapter #3
PNP Device ID: ROOT\*ISATAP\0002
Service: tunnel
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Officejet 7200 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Officejet 7200 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
==== System Restore Points ===================
RP619: 10/30/2010 2:53:20 PM - After unable to Update problem
==== Installed Programs ======================
32 Bit HP CIO Components Installer
7-Zip 4.57
7200
7200_Help
7200Trb
Adobe Flash Player 10 ActiveX
Adobe Photoshop Album
Adobe Reader 8.1.3
AIO_CDB_ProductContext
AIO_CDB_Software
AIO_Scan
ATI Control Panel
Banctec Service Agreement
Broadcom Advanced Control Suite 2
BufferChm
CCleaner (remove only)
ClearType Tuning Control Panel Applet
Cool Beans System Info 2.0
Copy
CustomerResearchQFolder
dBpowerAMP CD Writer
dBpoweramp FLAC Codec
dBpowerAMP Music Converter
dBpoweramp Windows Media Audio 10 Codec
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell System Restore
Destinations
DeviceManagementQFolder
dMC AccurateRip
DocProc
DocProcQFolder
EASEUS Partition Master 6.1.1 Home Edition
EPSON Printer Software
eSupportQFolder
Exact Audio Copy 0.95b4
Express Burn
Fax
ffdshow [rev 529] [2006-11-13]
File-Folder-Lock Lite Installation
FLAC 1.1.4b (remove only)
Folder Guard
foobar2000 v0.9.5 beta 5
Free Disk Analyzer
Free Download Manager 2.5
Free Mp3 Wma Converter V 1.9
Free RAR Extract Frog
FW LiveUpdate
GdiplusUpgrade
Google Toolbar for Internet Explorer
Google Update Helper
HDtracks Download Manager
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation Program 8.0
HP Driver Diagnostics
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Photosmart Essential
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B
HP Product Assistant
HP Solution Center 8.0
HP Update
HPSSupply
Intel(R) Matrix Storage Manager
Internet Explorer Default Page
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9
Java Auto Updater
Java(TM) 6 Update 2
Java(TM) 6 Update 22
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Logitech Harmony Remote Software 7
Macromedia Flash Player
Malwarebytes' Anti-Malware
MarketResearch
MFC RunTime files
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Antimalware
Microsoft IntelliPoint 6.01
Microsoft IntelliType Pro 6.01
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Robocopy GUI
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Move Media Player
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NCH Toolbox
NetDeviceManager
Noise Ninja 2.0.1
Norton AntiVirus SYMLT MSI
Norton CleanSweep
Norton PartitionMagic
Norton PartitionMagic 8.0
Norton Speed Disk 7.0 for Windows NT
Norton Utilities 2003 for Windows
OGA Notifier 2.0.0048.0
Paint.NET v3.36
PaperPort 8.0 SE
PCCloneEX
Photo Click
Platform
QuickTime
RealPlayer Basic
Remote Control USB Driver
Rhapsody Player Engine
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
SolutionCenter
SoundTap Streaming Audio Recorder
Spybot - Search & Destroy
Squeezebox Server 7.5.1
Stamp Uninstall
Status
SureThing CD Labeler - Stomper Edition 32 bit
Time and Chaos
Toolbox
TrayApp
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VIA Platform Device Manager
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vodei Multimedia Processor 2.10
WebFldrs XP
WebReg
Winamp
Winamp Detector Plug-in
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 10
WMA 9 Lossless to PCM Conversion Tool
Yahoo! BrowserPlus 2.9.2
==== Event Viewer Messages From Past Week ========
11/7/2010 8:21:06 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.93.1067.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6301.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
11/7/2010 3:25:26 PM, Error: Service Control Manager [7023] - The HP CUE DeviceDiscovery Service service terminated with the following error: Unspecified error
11/7/2010 3:24:44 PM, Error: atikmdag [45062] - CRT invalid display type
11/7/2010 2:08:14 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.93.1067.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6301.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
11/5/2010 6:18:44 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.93.1067.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6301.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
11/5/2010 3:25:57 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.93.1067.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6301.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
11/4/2010 2:14:44 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.93.1067.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6301.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
11/3/2010 6:28:27 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.93.1067.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6301.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
11/3/2010 12:56:17 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MpFilter spldr Wanarpv6
11/3/2010 12:56:17 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
11/3/2010 12:53:43 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.93.627.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6301.0 Error code: 0x8024001e Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
11/3/2010 1:16:52 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/FakeSysdef&threatid=2147639286 User: D2LP6871\Robert Name: Trojan:Win32/FakeSysdef ID: 2147639286 Severity: Severe Category: Trojan Path: Action: Remove Error Code: 0x80508023 Error description: The program could not find the spyware and other potentially unwanted software on this computer. Status: Signature Version: AV: 1.93.1067.0, AS: 1.93.1067.0 Engine Version: 1.1.6301.0
11/3/2010 1:11:49 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.93.627.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6301.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
11/2/2010 5:30:21 PM, Error: Service Control Manager [7031] - The Windows Modules Installer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
11/2/2010 4:10:18 PM, Error: Service Control Manager [7034] - The Volume Shadow Copy service terminated unexpectedly. It has done this 1 time(s).
11/2/2010 4:10:18 PM, Error: Service Control Manager [7034] - The Microsoft Software Shadow Copy Provider service terminated unexpectedly. It has done this 1 time(s).
11/2/2010 3:41:17 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
11/2/2010 12:45:18 PM, Error: EventLog [6008] - The previous system shutdown at 12:44:00 PM on 11/2/2010 was unexpected.
11/2/2010 12:31:49 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.93.627.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6301.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
11/2/2010 1:24:03 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Background Intelligent Transfer Service service, but this action failed with the following error: An instance of the service is already running.
11/2/2010 1:01:47 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Update service, but this action failed with the following error: An instance of the service is already running.
11/1/2010 11:57:46 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.93.627.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6301.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
11/1/2010 11:34:39 AM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
11/1/2010 11:30:22 AM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Adware:JS/Pornpop.A&threatid=153970 User: D2LP6871\Robert Name: Adware:JS/Pornpop.A ID: 153970 Severity: Medium Category: Adware Path: Action: Remove Error Code: 0x80070057 Error description: The parameter is incorrect. Status: Signature Version: AV: 1.93.627.0, AS: 1.93.627.0 Engine Version: 1.1.6301.0
10/31/2010 6:05:36 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.93.627.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6301.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
==== End Of File ===========================
Many thanks,
Robert
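The Event Viewer section of the DDS log above shows the pattern that usually accompanies a bootkit rather than a merely broken update client: repeated MSE signature update failures, almost all with 0x80072efe ("connection terminated abnormally"), MpFilter failing to load at boot, and the Windows Update, BITS and Volume Shadow Copy services terminating and then refusing to restart. The installed-programs list also carries a dozen older JRE versions next to Java 6 Update 22, which fits the Java exploit detections mentioned in the first post. The script below is an added example, not part of the original thread, that turns that eyeballing into a repeatable triage over DDS-style event lines. The sample lines embedded in it are abbreviated copies of entries from this log; the indicator names, weights and the "protective services" list are assumptions chosen for the example, not anything DDS or MSE defines.

```python
"""Added example, not from the thread: triage DDS 'Event Viewer Messages' lines
for the indicators that point at AV/update sabotage by a rootkit.
SAMPLE is a constructed, abbreviated copy of lines from the log above."""
import re
from collections import Counter, defaultdict

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
ERRCODE_RE = re.compile(r"Error code: (0x[0-9a-fA-F]+)")
THREAT_RE = re.compile(r"Name: (\S+) ID: (\d+)")

# Services a bootkit typically has to cripple to stay resident (assumed list)
PROTECTIVE_SERVICES = (
    "Windows Update", "Background Intelligent Transfer Service",
    "Volume Shadow Copy", "Microsoft Software Shadow Copy Provider",
    "Windows Modules Installer",
)

SAMPLE = """\
11/7/2010 8:21:06 AM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. Update Source: Microsoft Update Server Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
11/5/2010 6:18:44 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. Update Source: Microsoft Update Server Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
11/4/2010 2:14:44 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. Update Source: Microsoft Update Server Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
11/3/2010 12:56:17 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MpFilter spldr Wanarpv6
11/3/2010 1:16:52 PM, Error: Microsoft Antimalware [1008] - Microsoft Antimalware has encountered an error when taking action on spyware or other potentially unwanted software. Name: Trojan:Win32/FakeSysdef ID: 2147639286 Severity: Severe Action: Remove Error Code: 0x80508023
11/2/2010 4:10:18 PM, Error: Service Control Manager [7034] - The Volume Shadow Copy service terminated unexpectedly. It has done this 1 time(s).
11/2/2010 1:01:47 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Update service, but this action failed with the following error: An instance of the service is already running.
11/7/2010 3:24:44 PM, Error: atikmdag [45062] - CRT invalid display type
"""


def parse_events(text):
    """Parse 'date time, Level: Source [ID] - message' lines into dicts."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["eid"] = int(d["eid"])
            events.append(d)
    return events


def triage(events):
    """Bucket events into indicators; returns indicator -> list of details."""
    findings = defaultdict(list)
    for e in events:
        src, eid, msg = e["source"], e["eid"], e["msg"]
        if src == "Microsoft Antimalware" and eid == 2001:
            code = ERRCODE_RE.search(msg)
            findings["av_update_failure"].append(code.group(1) if code else "unknown")
        elif src == "Microsoft Antimalware" and eid == 1008:
            t = THREAT_RE.search(msg)
            findings["av_remediation_failed"].append(t.group(1) if t else "unknown")
        elif src == "Service Control Manager" and eid == 7026 and "MpFilter" in msg:
            findings["av_driver_not_loaded"].append(msg)
        elif src == "Service Control Manager" and eid in (7031, 7032, 7034):
            for svc in PROTECTIVE_SERVICES:
                if svc in msg:
                    findings["protective_service_crash"].append(svc)
    return findings


def verdict(findings, min_update_failures=3):
    """Weighted score (assumed weights) plus human-readable reasons."""
    score, reasons = 0, []
    uf = findings.get("av_update_failure", [])
    if len(uf) >= min_update_failures:
        score += 2
        top = Counter(uf).most_common(1)[0][0]
        reasons.append(f"{len(uf)} AV signature update failures (mostly {top})")
    if findings.get("av_driver_not_loaded"):
        score += 2
        reasons.append("AV minifilter MpFilter failed to load at boot")
    if findings.get("protective_service_crash"):
        score += 1
        svcs = ", ".join(sorted(set(findings["protective_service_crash"])))
        reasons.append(f"update/shadow-copy services terminated: {svcs}")
    if findings.get("av_remediation_failed"):
        score += 1
        names = ", ".join(sorted(set(findings["av_remediation_failed"])))
        reasons.append(f"AV detected but could not remove: {names}")
    return score, reasons


if __name__ == "__main__":
    s, why = verdict(triage(parse_events(SAMPLE)))
    print(f"score {s}")
    for r in why:
        print(" -", r)
```

A single 2001 event is noise (transient network trouble produces them too); it is the combination of a sustained update failure, the AV filter driver not loading, and the update/shadow-copy services being killed that separates sabotage from flakiness, which is why the score only climbs when several indicators coincide.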
Bugbatter
3 Apprentice
20.5K Posts
0
November 7th, 2010 15:00
Spybot is in your running processes. Please either disable it or uninstall Spybot. It is outdated and not doing you any good, anyway.
It appears that we are dealing with a rootkit.
Next: Please read carefully and follow these steps.
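The `user != kernel MBR` lines in the mbr.exe output earlier in the thread are the evidence behind the rootkit conclusion: the MBR the tool reads through the normal disk path (where `\Driver\atapi DriverStartIo` is hooked) differs from the copy it reads underneath the hook, and the mismatching sector range it reports lies at the far end of the 80 GB ST380013AS, which is where TDL4 keeps its hidden file system. The script below is an added example, not code from the thread or from mbr.exe or TDSSKiller: it parses a 512-byte MBR, diffs two captures of it the way the tool's user-versus-kernel check does, and measures the unpartitioned tail beyond the last partition. The two sectors it works on are constructed (a plain one-partition MBR and a copy with patched bootstrap code), and the 156,250,000-sector disk size is an assumed round figure, not the real drive's geometry.

```python
"""Added example (not from the thread, mbr.exe or TDSSKiller): parse an MBR,
diff a user-mode capture against a kernel-level capture, and measure the
unpartitioned tail of the disk. All sample data below is constructed."""
import struct
from dataclasses import dataclass

SECTOR = 512
PART_TABLE = 446                 # offset of the four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"           # 0xAA55 little-endian at offset 510
DISK_SECTORS = 156_250_000       # assumed round size for the sample disk, not the real drive


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1


def parse_mbr(sector: bytes):
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0xAA55 boot signature")
    parts = []
    for i in range(4):
        # entry: status, CHS start(3), type, CHS end(3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE + 16 * i)
        if ptype:
            parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def diff_views(user_view: bytes, kernel_view: bytes):
    """Byte ranges (offset, length) where the two captures disagree: the
    'user != kernel' check, done on two buffers instead of two disk reads."""
    ranges, start = [], None
    for i in range(SECTOR):
        differs = user_view[i] != kernel_view[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, SECTOR - start))
    return ranges


def regions_touched(ranges):
    """Map differing ranges onto the MBR layout so the finding is readable."""
    layout = [(0, 440, "bootstrap code"), (440, 446, "disk signature"),
              (446, 510, "partition table"), (510, 512, "boot signature")]
    hit = []
    for off, ln in ranges:
        for lo, hi, name in layout:
            if off < hi and off + ln > lo and name not in hit:
                hit.append(name)
    return hit


def tail_sectors(parts, disk_sectors: int) -> int:
    """Sectors after the last partition: slack a bootkit can use for a hidden file system."""
    if not parts:
        return disk_sectors
    return disk_sectors - (max(p.lba_end for p in parts) + 1)


def analyze(user_view: bytes, kernel_view: bytes, disk_sectors: int = DISK_SECTORS):
    parts = parse_mbr(user_view)
    ranges = diff_views(user_view, kernel_view)
    return {
        "partitions": len(parts),
        "mbr_differs": bool(ranges),
        "ranges": ranges,
        "regions": regions_touched(ranges),
        "tail_sectors": tail_sectors(parts, disk_sectors),
    }


def build_sample_mbr(patched: bool) -> bytes:
    """Constructed one-partition MBR; with patched=True the first bytes of the
    bootstrap code are replaced, which is how a bootkit redirects the boot."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433      # 440 bytes
    disk_sig = b"\x12\x34\x56\x78\x00\x00"                           # 6 bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,    # bootable NTFS
                        b"\xfe\xff\xff", 2048, 156_247_000)
    mbr = boot_code + disk_sig + entry + b"\x00" * 48 + BOOT_SIG
    if patched:
        mbr = mbr[:16] + b"\xe9\x00\x00" + b"\x00" * 13 + mbr[32:]   # jmp into a hidden loader
    return mbr


if __name__ == "__main__":
    clean, hooked = build_sample_mbr(False), build_sample_mbr(True)
    print(analyze(clean, clean))
    print(analyze(clean, hooked))
```

On a live Windows box the user view is what reading `\\.\PhysicalDrive0` returns (administrator required), and a bootkit that hooks the ATAPI driver's DriverStartIo, as this log shows, serves the clean copy there; the kernel view has to be read past that hook, which is what the scanner does itself and what this script takes as a second input instead. A disk with more than a few MB of unallocated tail is not proof of anything on its own, but a patched bootstrap region plus a tail that a raw dump shows is not zero is the TDL4 picture.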
RGibran
15 Posts
0
November 7th, 2010 20:00
Spybot uninstalled
2010/11/07 22:23:47.0493 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43
2010/11/07 22:23:47.0493 ================================================================================
2010/11/07 22:23:47.0493 SystemInfo:
2010/11/07 22:23:47.0493
2010/11/07 22:23:47.0493 OS Version: 6.0.6002 ServicePack: 2.0
2010/11/07 22:23:47.0493 Product type: Workstation
2010/11/07 22:23:47.0493 ComputerName: D2LP6871
2010/11/07 22:23:47.0493 UserName: Robert
2010/11/07 22:23:47.0493 Windows directory: C:\Windows
2010/11/07 22:23:47.0493 System windows directory: C:\Windows
2010/11/07 22:23:47.0493 Processor architecture: Intel x86
2010/11/07 22:23:47.0493 Number of processors: 2
2010/11/07 22:23:47.0493 Page size: 0x1000
2010/11/07 22:23:47.0493 Boot type: Normal boot
2010/11/07 22:23:47.0493 ================================================================================
2010/11/07 22:23:48.0570 Initialize success
2010/11/07 22:23:55.0683 ================================================================================
2010/11/07 22:23:55.0683 Scan started
2010/11/07 22:23:55.0683 Mode: Manual;
2010/11/07 22:23:55.0683 ================================================================================
2010/11/07 22:23:56.0027 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\Windows\system32\DRIVERS\ABP480N5.SYS
2010/11/07 22:23:56.0089 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/11/07 22:23:56.0183 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2010/11/07 22:23:56.0229 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2010/11/07 22:23:56.0276 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2010/11/07 22:23:56.0339 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2010/11/07 22:23:56.0463 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/11/07 22:23:56.0573 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2010/11/07 22:23:56.0619 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\Windows\system32\DRIVERS\aha154x.sys
2010/11/07 22:23:56.0651 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\Windows\system32\DRIVERS\aic78u2.sys
2010/11/07 22:23:56.0744 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/11/07 22:23:56.0791 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2010/11/07 22:23:56.0838 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2010/11/07 22:23:56.0900 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2010/11/07 22:23:56.0931 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2010/11/07 22:23:56.0994 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
2010/11/07 22:23:57.0087 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\Windows\system32\DRIVERS\amsint.sys
2010/11/07 22:23:57.0165 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2010/11/07 22:23:57.0212 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2010/11/07 22:23:57.0275 asc (62d318e9a0c8fc9b780008e724283707) C:\Windows\system32\DRIVERS\asc.sys
2010/11/07 22:23:57.0306 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\Windows\system32\DRIVERS\asc3350p.sys
2010/11/07 22:23:57.0337 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\Windows\system32\DRIVERS\asc3550.sys
2010/11/07 22:23:57.0384 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\Windows\system32\drivers\ASCTRM.sys
2010/11/07 22:23:57.0477 Aspi32 (ed8cee58c1e4c5893f5b2fd686a272bf) C:\Windows\system32\drivers\Aspi32.sys
2010/11/07 22:23:57.0555 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/11/07 22:23:57.0602 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2010/11/07 22:23:57.0821 atikmdag (a23efb72057fed7128eb558866055fdf) C:\Windows\system32\DRIVERS\atikmdag.sys
2010/11/07 22:23:58.0148 b57nd60x (502f1c30bd50b32d00ce4dcaecc3d3c7) C:\Windows\system32\DRIVERS\b57nd60x.sys
2010/11/07 22:23:58.0289 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/11/07 22:23:58.0413 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2010/11/07 22:23:58.0507 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/11/07 22:23:58.0725 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/11/07 22:23:58.0835 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/11/07 22:23:58.0928 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/11/07 22:23:59.0006 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/11/07 22:23:59.0069 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/11/07 22:23:59.0115 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/11/07 22:23:59.0178 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/11/07 22:23:59.0365 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\Windows\system32\DRIVERS\cd20xrnt.sys
2010/11/07 22:23:59.0412 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/11/07 22:23:59.0537 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/11/07 22:23:59.0677 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2010/11/07 22:23:59.0755 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/11/07 22:23:59.0864 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2010/11/07 22:23:59.0911 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
2010/11/07 22:23:59.0989 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\Windows\system32\DRIVERS\cpqarray.sys
2010/11/07 22:24:00.0020 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2010/11/07 22:24:00.0067 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2010/11/07 22:24:00.0176 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\Windows\system32\DRIVERS\dac2w2k.sys
2010/11/07 22:24:00.0207 dac960nt (683789caa3864eb46125ae86ff677d34) C:\Windows\system32\DRIVERS\dac960nt.sys
2010/11/07 22:24:00.0317 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/11/07 22:24:00.0473 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/11/07 22:24:00.0582 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
2010/11/07 22:24:00.0644 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
2010/11/07 22:24:00.0769 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
2010/11/07 22:24:00.0894 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\Windows\system32\DRIVERS\dpti2o.sys
2010/11/07 22:24:00.0972 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/11/07 22:24:01.0081 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2010/11/07 22:24:01.0175 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/11/07 22:24:01.0299 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/11/07 22:24:01.0424 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2010/11/07 22:24:01.0565 Envy24HFS (7c75bbb16d9e7ad95b494c9df8b3d257) C:\Windows\system32\drivers\Envy24HF.sys
2010/11/07 22:24:01.0674 Eplpdx02 (f9472131367d39435d750f5fa3d23582) C:\WINDOWS\system32\Drivers\EPLPDX02.SYS
2010/11/07 22:24:01.0783 epmntdrv (539ca34fbc74ec366a0d751028c32a08) C:\Windows\system32\epmntdrv.sys
2010/11/07 22:24:01.0861 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2010/11/07 22:24:01.0986 EuGdiDrv (1f2f4ab15ce03ecc257feb2f6dc5a013) C:\Windows\system32\EuGdiDrv.sys
2010/11/07 22:24:02.0126 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/11/07 22:24:02.0189 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/11/07 22:24:02.0298 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2010/11/07 22:24:02.0454 FGUARD32 (e5f7b0344f598c065f98d9fcb3612352) C:\Program Files\Folder Guard 32-bit\FGUARD32.SYS
2010/11/07 22:24:02.0579 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/11/07 22:24:02.0625 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/11/07 22:24:02.0688 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/11/07 22:24:02.0750 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/11/07 22:24:02.0828 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/11/07 22:24:02.0891 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2010/11/07 22:24:03.0000 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\drivers\hdaudbus.sys
2010/11/07 22:24:03.0047 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/11/07 22:24:03.0140 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/11/07 22:24:03.0249 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/11/07 22:24:03.0327 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2010/11/07 22:24:03.0390 hpn (b028377dea0546a5fcfba928a8aefae0) C:\Windows\system32\DRIVERS\hpn.sys
2010/11/07 22:24:03.0499 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2010/11/07 22:24:03.0608 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2010/11/07 22:24:03.0671 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/11/07 22:24:03.0780 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2010/11/07 22:24:03.0842 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/11/07 22:24:03.0936 ini910u (4a40e045faee58631fd8d91afc620719) C:\Windows\system32\DRIVERS\ini910u.sys
2010/11/07 22:24:03.0983 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2010/11/07 22:24:04.0029 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2010/11/07 22:24:04.0107 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/11/07 22:24:04.0232 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2010/11/07 22:24:04.0310 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/11/07 22:24:04.0419 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/11/07 22:24:04.0466 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2010/11/07 22:24:04.0544 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/11/07 22:24:04.0575 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/11/07 22:24:04.0638 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/11/07 22:24:04.0685 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/11/07 22:24:04.0763 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/11/07 22:24:04.0872 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/11/07 22:24:04.0997 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/11/07 22:24:05.0090 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2010/11/07 22:24:05.0137 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2010/11/07 22:24:05.0199 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2010/11/07 22:24:05.0246 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/11/07 22:24:05.0340 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2010/11/07 22:24:05.0418 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2010/11/07 22:24:05.0480 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/11/07 22:24:05.0543 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/11/07 22:24:05.0589 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2010/11/07 22:24:05.0636 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2010/11/07 22:24:05.0699 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2010/11/07 22:24:05.0777 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\Windows\system32\DRIVERS\MpFilter.sys
2010/11/07 22:24:05.0839 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2010/11/07 22:24:05.0886 MpNWMon (aeb186afff5d9cfed823c15d846aac3b) C:\Windows\system32\DRIVERS\MpNWMon.sys
2010/11/07 22:24:05.0948 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2010/11/07 22:24:06.0042 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/11/07 22:24:06.0104 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2010/11/07 22:24:06.0198 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/11/07 22:24:06.0260 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/11/07 22:24:06.0354 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/11/07 22:24:06.0463 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
2010/11/07 22:24:06.0525 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2010/11/07 22:24:06.0603 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2010/11/07 22:24:06.0728 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2010/11/07 22:24:06.0791 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2010/11/07 22:24:06.0884 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/11/07 22:24:06.0947 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2010/11/07 22:24:07.0025 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2010/11/07 22:24:07.0103 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/11/07 22:24:07.0149 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2010/11/07 22:24:07.0243 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2010/11/07 22:24:07.0321 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2010/11/07 22:24:07.0461 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2010/11/07 22:24:07.0539 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/11/07 22:24:07.0602 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/11/07 22:24:07.0664 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/11/07 22:24:07.0742 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2010/11/07 22:24:07.0820 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2010/11/07 22:24:07.0898 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2010/11/07 22:24:08.0070 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/11/07 22:24:08.0148 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2010/11/07 22:24:08.0210 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2010/11/07 22:24:08.0351 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2010/11/07 22:24:08.0460 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/11/07 22:24:08.0538 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2010/11/07 22:24:08.0600 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2010/11/07 22:24:08.0678 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2010/11/07 22:24:08.0756 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2010/11/07 22:24:08.0928 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2010/11/07 22:24:09.0084 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
2010/11/07 22:24:09.0162 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2010/11/07 22:24:09.0224 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
2010/11/07 22:24:09.0302 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2010/11/07 22:24:09.0365 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
2010/11/07 22:24:09.0521 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2010/11/07 22:24:09.0614 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/11/07 22:24:09.0739 pfc (2748103d03cb1dc0b07635c25d508208) C:\WINDOWS\system32\drivers\pfc.sys
2010/11/07 22:24:09.0911 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2010/11/07 22:24:09.0973 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2010/11/07 22:24:10.0098 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2010/11/07 22:24:10.0176 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\Windows\system32\Drivers\PxHelp20.sys
2010/11/07 22:24:10.0223 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\Windows\system32\DRIVERS\ql1080.sys
2010/11/07 22:24:10.0269 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\Windows\system32\DRIVERS\ql10wnt.sys
2010/11/07 22:24:10.0316 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\Windows\system32\DRIVERS\ql12160.sys
2010/11/07 22:24:10.0347 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\Windows\system32\DRIVERS\ql1240.sys
2010/11/07 22:24:10.0410 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\Windows\system32\DRIVERS\ql1280.sys
2010/11/07 22:24:10.0503 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2010/11/07 22:24:10.0613 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/11/07 22:24:10.0722 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2010/11/07 22:24:10.0815 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2010/11/07 22:24:10.0971 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/11/07 22:24:11.0081 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/11/07 22:24:11.0159 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2010/11/07 22:24:11.0252 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2010/11/07 22:24:11.0439 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/11/07 22:24:11.0502 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2010/11/07 22:24:11.0627 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2010/11/07 22:24:11.0736 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2010/11/07 22:24:11.0861 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2010/11/07 22:24:11.0939 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/11/07 22:24:12.0048 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/11/07 22:24:12.0141 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
2010/11/07 22:24:12.0204 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
2010/11/07 22:24:12.0438 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2010/11/07 22:24:12.0531 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2010/11/07 22:24:12.0594 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2010/11/07 22:24:12.0656 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2010/11/07 22:24:12.0719 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/11/07 22:24:12.0797 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2010/11/07 22:24:12.0843 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2010/11/07 22:24:12.0890 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2010/11/07 22:24:12.0968 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2010/11/07 22:24:13.0124 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\Windows\system32\DRIVERS\sparrow.sys
2010/11/07 22:24:13.0187 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2010/11/07 22:24:13.0280 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
2010/11/07 22:24:13.0374 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
2010/11/07 22:24:13.0436 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
2010/11/07 22:24:13.0561 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
2010/11/07 22:24:13.0639 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2010/11/07 22:24:13.0717 symc810 (1ff3217614018630d0a6758630fc698c) C:\Windows\system32\DRIVERS\symc810.sys
2010/11/07 22:24:13.0764 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2010/11/07 22:24:13.0826 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys
2010/11/07 22:24:13.0873 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2010/11/07 22:24:13.0920 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2010/11/07 22:24:14.0076 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2010/11/07 22:24:14.0201 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2010/11/07 22:24:14.0325 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2010/11/07 22:24:14.0403 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2010/11/07 22:24:14.0481 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2010/11/07 22:24:14.0559 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2010/11/07 22:24:14.0637 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2010/11/07 22:24:14.0825 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/11/07 22:24:14.0887 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2010/11/07 22:24:14.0981 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2010/11/07 22:24:15.0043 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2010/11/07 22:24:15.0105 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2010/11/07 22:24:15.0215 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2010/11/07 22:24:15.0261 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2010/11/07 22:24:15.0308 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2010/11/07 22:24:15.0371 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2010/11/07 22:24:15.0433 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\Windows\system32\DRIVERS\ultra.sys
2010/11/07 22:24:15.0480 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2010/11/07 22:24:15.0573 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/11/07 22:24:15.0651 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2010/11/07 22:24:15.0761 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2010/11/07 22:24:15.0839 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2010/11/07 22:24:15.0917 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2010/11/07 22:24:15.0995 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2010/11/07 22:24:16.0057 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2010/11/07 22:24:16.0151 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/11/07 22:24:16.0213 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/11/07 22:24:16.0307 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/11/07 22:24:16.0369 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2010/11/07 22:24:16.0431 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2010/11/07 22:24:16.0478 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2010/11/07 22:24:16.0541 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
2010/11/07 22:24:16.0587 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2010/11/07 22:24:16.0665 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2010/11/07 22:24:16.0743 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2010/11/07 22:24:16.0821 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2010/11/07 22:24:16.0915 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2010/11/07 22:24:16.0977 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/11/07 22:24:17.0055 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/11/07 22:24:17.0133 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2010/11/07 22:24:17.0196 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2010/11/07 22:24:17.0477 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
2010/11/07 22:24:17.0617 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2010/11/07 22:24:17.0711 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/11/07 22:24:17.0835 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/11/07 22:24:17.0991 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/07 22:24:17.0991 ================================================================================
2010/11/07 22:24:17.0991 Scan finished
2010/11/07 22:24:17.0991 ================================================================================
2010/11/07 22:24:18.0038 Detected object count: 1
2010/11/07 22:24:43.0170 \HardDisk1 - will be cured after reboot
2010/11/07 22:24:43.0170 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2010/11/07 22:24:52.0171 Deinitialize success
Robert
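The TDSSKiller log above ends with `\HardDisk1 - detected Rootkit.Win32.TDSS.tdl4` rather than naming any of the driver files it hashed: TDL4 is a bootkit that replaces the master boot record, so the infection lives in the first sector of the physical disk, not in a `.sys` file. The Python below is an added example, not part of the original thread and not TDSSKiller's own logic. It parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), extracts the partition table, and compares the boot-code region against a baseline hash. The clean and "infected" sectors, the partition layout and the baseline are all constructed for the demo; the boot-code bytes are stand-ins, not real Windows or TDL4 code.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot loader code (what an MBR bootkit replaces)
PART_TABLE_OFF = 446     # four 16-byte partition entries at 446..509
SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int       # e.g. 0x07 for NTFS
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes):
    """Return (boot_code, [Partition, ...]); raise ValueError if this is not an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:                      # empty slot
            continue
        partitions.append(Partition(status == 0x80, ptype, lba, count))
    return sector[:BOOT_CODE_LEN], partitions


def boot_code_hash(sector: bytes) -> str:
    """MD5 of the boot-code region only; the partition table is excluded on purpose."""
    return hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str, baseline_partitions=None) -> list:
    """Compare a sector with a known-good baseline and return a list of findings."""
    _code, partitions = parse_mbr(sector)
    findings = []
    code_changed = boot_code_hash(sector) != baseline_hash
    table_known = baseline_partitions is not None
    table_changed = table_known and partitions != baseline_partitions
    if code_changed:
        # Replaced loader code with the partition table left alone is the bootkit signature:
        # the OS still boots normally, it just boots through the attacker's code first.
        findings.append("boot code replaced, partition table intact: MBR bootkit pattern"
                        if table_known and not table_changed
                        else "boot code differs from baseline")
    if table_changed:
        findings.append("partition table differs from baseline")
    if not any(p.bootable for p in partitions):
        findings.append("no partition is flagged active")
    return findings


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR; used here only to construct the demo sectors."""
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if p.bootable else 0x00, b"\0\0\0",
                    p.type_id, b"\0\0\0", p.lba_start, p.sector_count)
        for p in partitions)
    return (boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\0")
            + table.ljust(4 * 16, b"\0") + SIGNATURE)


# Constructed stand-ins: NOT real Windows boot code and NOT real TDL4 bytes.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8")
INFECTED_BOOT_CODE = bytes.fromhex("eb3e90")
LAYOUT = [Partition(bootable=True, type_id=0x07, lba_start=2048, sector_count=204800)]


if __name__ == "__main__":
    clean = build_mbr(CLEAN_BOOT_CODE, LAYOUT)
    baseline = boot_code_hash(clean)      # in practice: taken from a known-good image
    print("clean:   ", check_mbr(clean, baseline, LAYOUT) or "no findings")
    infected = build_mbr(INFECTED_BOOT_CODE, LAYOUT)
    print("infected:", check_mbr(infected, baseline, LAYOUT))
```

On a live Windows box the sector would be read from `\\.\PhysicalDrive0` as Administrator, but an active bootkit typically filters disk reads so that user-mode tools get back the original, clean sector. That is why TDSSKiller works at the device level and reports "will be cured after reboot", and why a clean-looking MBR read from inside the infected OS proves little; compare against a sector read from boot media, or a baseline captured before the infection.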
Bugbatter
3 Apprentice
20.5K Posts
November 8th, 2010 04:00
Good job.
Please visit this webpage for download links and instructions for running ComboFix (if you have a prior copy of ComboFix, delete it now!):
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please login as Administrator. If using Vista or Windows 7, do not attempt to simply run ComboFix with Admin Approval Mode.
Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Double-click on ComboFix.exe and follow the prompts.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes to continue scanning for malware.
When finished, it will produce a log for you.
Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log for further review.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
* Additional information on A/V control HERE. * ComboFix is not intended for use with servers.
* The presence of windows error codes may indicate hardware problems and could limit the success of infection removal.
RGibran
15 Posts
November 8th, 2010 10:00
Disabled Microsoft Security Essentials
Ran ComboFix
Which detected BitDefender running and asked I disable it before proceeding by pressing the OK button
Bitdefender program deleted over a year ago. Googled problem, found BitDefender Uninstall program, completed successfully.
Proceeded with Combofix by pressing OK button
Got window with following:
Please wait
ComboFix is preparing to run
Out of memory
- (flashing cursor)
Left window in this state for 5 minutes with no change... closed window.
Please advise
Thanks
Robert
Bugbatter
3 Apprentice
20.5K Posts
November 8th, 2010 12:00
That error usually happens if ComboFix sees active anti-virus files. You may have thought you removed it, but apparently it did not get uninstalled completely. Reboot into Safe Mode.
Try ComboFix in Safe Mode with Networking, or try the Recovery Console.
RGibran
15 Posts
November 8th, 2010 18:00
Rebooted into Safe Mode.
Ran ComboFix which gave same window with same message as follows:
Please Wait
ComboFix preparing to run
Out of memory
An additional window appeared on top of that, titled: SWREG.cfxxe - application error
Message:
The instruction at 0x00403cba referenced memory at 0x0163c4a0.
The memory could not be read.
Click on OK to terminate program.
When I did that, two progress bars appeared, ran, and disappeared too quickly for me to catch the titles.
The original window now had the following message, either added or now visible, as it may have been blocked from view by the overlay window. It read:
Runtime error 216 at 00403cba
If you desire me to use the Recovery Console, please be more specific as to how to access and use it.
Thanks,
Robert
Bugbatter
3 Apprentice
20.5K Posts
November 8th, 2010 19:00
It sounds as if the infection is trying to suppress ComboFix. Did ComboFix finish in spite of the Runtime Error? Is your Desktop back?
If not, try recovery. Vista "recovery" consists of five separate Vista tools.
If you have a Windows Vista installation disc, you need to restart (boot) your computer using the installation disc.
If you do not restart your computer from the disc, the option to repair your computer will not appear.
If you have a Windows installation disc:
1. Insert the installation disc.
2. Restart your computer.
3. Click the Start button, click the arrow next to the Lock button, and then click Restart.
4. If prompted, press any key to start Windows from the installation disc.
Once you have your Desktop back, skip ComboFix and please perform an online scan here:
http://www.eset.eu/online-scanner
This scan works best with IE. Alternate browsers require downloading and installing the ESET Smart Installer.
• Accept the Terms of Use.
• Approve the install of the required ActiveX Control, then follow the on-screen instructions.
• Disable the protection of your resident anti-virus program after installing the ActiveX control that ESET has installed, and again when you actually start scanning.
• Make sure the Remove found threats option is enabled (checked), and run the scan.
• After the scan completes, the Details tab in the Results window will display what was found and removed. A record of these results will be found here: C:\program files\esetonlinescanner\log.txt. Please include a copy of that log in your next reply along with a fresh HijackThis log.
This online scan may take quite a bit of time to complete so please be patient. If necessary, allow the scan to run overnight. Please do not use the machine to do anything else (e.g. browse; check email; chat) until the scan completes.
** ESET Online Scanner works in Windows Vista, provided you first start Internet Explorer as an Administrator. To do so, right-click on the Internet Explorer icon in the Start Menu and select "Run as administrator" from the popup context menu.
RGibran
15 Posts
November 8th, 2010 19:00
Yes, desktop is OK. Never went away.
Don't think ComboFix completed. If it did, it did so in under 15 seconds.
It seemed to be hung, or had quit in the dos window.
I will run the ESET scan overnight and report back tomorrow.
Thanks.
Robert
RGibran
15 Posts
November 9th, 2010 05:00
FYI... the ESET scan detected other anti-virus programs (Windows Defender) and stated they could affect the quality of the scan. I was under the impression Windows Defender was disabled upon installing Microsoft Security Essentials, which is the only anti-virus program I know of that I run.
In addition, if we are going to be doing things that may require the Recovery Console, I need to get some things in order first. My upgraded version of Vista was downloaded and installed from Microsoft. I have what I believe is the installation file on an external drive, but I do not have a physical disk. If I recall, the file size is larger than CD capacity, so I guess I would need to burn it to a DVD. Not sure exactly what I'm doing there, but I will try to research; tips appreciated.
Per your request:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=4942d25b7c2e324d834a8b89495b3022
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-09 05:55:14
# local_time=2010-11-08 11:55:14 (-0600, Central Standard Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 35883923 125886643 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=144217
# found=1
# cleaned=1
# scan_time=2999
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:04:36 AM, on 11/9/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
C:\Program Files\Folder Guard 32-bit\FGKey.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\ctfmon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Squeezebox\SqueezeTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\SQUEEZ~2\server\SQUEEZ~3.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Downloads\Software\HiJackThis.exe.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 172.16.1.36 HP0015604AFAB6
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard 32-bit\FGKey.exe /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [108233] C:\Users\Robert\AppData\Local\Temp\108233.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Squeezebox Server Tray Tool.lnk = C:\Program Files\Squeezebox\SqueezeTray.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: FGLITE - WinAbility® Corporation - C:\Program Files\WinAbility\Folder Guard Lite\FGLite.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: SqueezeMySQL - Unknown owner - C:\PROGRA~1\SQUEEZ~2\server\Bin\MSWIN3~1\mysqld.exe
--
End of file - 7604 bytes
Thanks,
Robert
Bugbatter
3 Apprentice
20.5K Posts
November 9th, 2010 06:00
Apparently you had some remnants of an old version of Windows Defender on there, just as you did with BitDefender. If you had Norton on there in the past, that would create an issue as well. You may not need recovery if all goes well from now on.
Please launch HijackThis and place a checkmark next to the following:
O4 - HKCU\..\Run: [108233] C:\Users\Robert\AppData\Local\Temp\108233.exe
Close all other windows and click "Fix checked". Close HijackThis.
Please run your CCleaner. ** Because CCleaner removes everything in temp folders, if you have anything saved in a temp folder, back it up or move it to a permanent folder prior to running CCleaner.
** We will be cleaning cookies as well. Make a note of any passwords, etc. that you want to save. If you do not want to delete cookies, simply uncheck that option.
1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up. In the Windows Tab:
3. Click the "Analyze" button. When the list of files comes up, click the "Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done. REBOOT.
Download Security Check by screen317 and save it to your Desktop: here or here
If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
We still need to clean up a few things, including your Java, but first tell me if you are getting any signs of malware. Are the errors gone?
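The entry Bugbatter picked out of the HijackThis log, `O4 - HKCU\..\Run: [108233] C:\Users\Robert\AppData\Local\Temp\108233.exe`, is the classic rogue-AV tell: a numerically named executable launched from the user's Temp folder at every logon, written to the HKCU Run key because that key needs no admin rights. The Python below is an added example, not part of the thread and not HijackThis's own analysis. It parses O4 autostart lines (Run keys and Startup folder entries), pulls the program path out of the command, and attaches reasons an entry deserves a closer look: Temp directory, user-profile location, numeric-only name, script-type extension. The sample lines are copied from the HijackThis log above, plus one O2 line to show non-O4 lines are skipped; the heuristics and their wording are the example's own.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# HijackThis O4 line shapes: registry Run keys and Startup folder entries.
O4_RUN = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(
    r'^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# First program path in the command, quoted or not (unquoted paths may contain spaces).
EXE_RE = re.compile(
    r'^"?(?P<path>[^"]*?\.(?:exe|com|scr|pif|bat|cmd|vbs|js))(?:"|\s|$)', re.I)
SCRIPT_EXT = {".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PROFILE_DIRS = {"users", "documents and settings", "appdata", "%appdata%", "%userprofile%"}


@dataclass
class AutostartEntry:
    hive: str
    name: str
    command: str
    path: str
    reasons: list = field(default_factory=list)


def parse_o4(line: str):
    """Return an AutostartEntry for an O4 line, or None for any other log line."""
    m = O4_RUN.match(line) or O4_STARTUP.match(line)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    e = EXE_RE.match(cmd)
    path = e.group("path") if e else cmd
    return AutostartEntry(m.group("hive"), m.group("name"), cmd, path)


def suspicious_reasons(entry: AutostartEntry) -> list:
    """Heuristics only: each hit is a reason to look closer, not proof of malware."""
    p = PureWindowsPath(entry.path)
    parts = {part.lower() for part in p.parts}
    reasons = []
    if parts & {"temp", "tmp"}:
        reasons.append("runs from a temp directory")
    if parts & PROFILE_DIRS:
        reasons.append("runs from a user profile, not Program Files or Windows")
    if p.stem.isdigit() or entry.name.isdigit():
        reasons.append("numeric-only name")
    if p.suffix.lower() in SCRIPT_EXT:
        reasons.append(f"unusual autostart type {p.suffix.lower()}")
    return reasons


def triage_log(lines):
    """Parse every O4 line and attach the reasons it looks suspicious (if any)."""
    entries = [e for e in map(parse_o4, lines) if e is not None]
    for e in entries:
        e.reasons = suspicious_reasons(e)
    return entries


# Lines copied from the HijackThis log in this thread; the O2 line is there to be skipped.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [108233] C:\Users\Robert\AppData\Local\Temp\108233.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
""".strip().splitlines()


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        flag = "SUSPICIOUS" if e.reasons else "ok"
        print(f"{flag:10} {e.hive:<14} [{e.name}] {e.path}")
        for r in e.reasons:
            print(f"{'':10} - {r}")
```

These heuristics are a triage aid, not a verdict: a legitimately signed updater sometimes stages itself under AppData, so confirm with a hash lookup or an Authenticode signature check before fixing the entry. Note also that the HKCU key is writable by the logged-on user without elevation, which is exactly why a dropper that never got admin rights can still come back at every logon.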
RGibran
15 Posts
November 9th, 2010 10:00
FYI...
Researched and prepared a Vista Recovery Console Boot Disc. Tested and working.
Computer appears to be functioning normally.
Results of screen317's Security Check version 0.99.6
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
ESET Online Scanner v3
Norton AntiVirus SYMLT MSI
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
Microsoft Security Essentials successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner (remove only)
Java(TM) 6 Update 22
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player
Adobe Reader 8.1.3
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
````````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
``````````End of Log````````````
Thanks,
Robert