TechSpot

Both browsers redirecting, blue screens at various intervals - do I have a virus?

By khartley
Apr 28, 2011
  1. My system seems to be in a downward spiral. (Windows 7 Ultimate 32 bit) I'm getting increasingly frequent BSODs - the other day they were talking about a memory error, but since I followed some instructions regarding hibernation sometimes causing this I turned that off, and now the BSODs have changed to "IRQL_Not_Less_or_Equal." Along with this my IE and Firefox destinations are being redirected - sometimes when following search result links, and sometimes when I just type in a URL. (Good old Firefox at least does it on a separate tab)

    I've run MBRCheck - here are the results below. What should I do next?

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7
    Windows Information: (build 7600), 32-bit
    Base Board Manufacturer: ASUSTeK Computer INC.
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: System manufacturer
    System Product Name: System Product Name
    Logical Drives Mask: 0x0000001d

    Kernel Drivers (total 158):
    0x82A0A000 \SystemRoot\system32\ntkrnlpa.exe
    0x82E1A000 \SystemRoot\system32\halmacpi.dll
    0x86872000 \SystemRoot\system32\kdcom.dll
    0x83001000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x83079000 \SystemRoot\system32\PSHED.dll
    0x8308A000 \SystemRoot\system32\BOOTVID.dll
    0x83092000 \SystemRoot\system32\CLFS.SYS
    0x830D4000 \SystemRoot\system32\CI.dll
    0x8317F000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x831F0000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x83212000 \SystemRoot\system32\DRIVERS\ACPI.sys
    0x8325A000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
    0x83263000 \SystemRoot\system32\DRIVERS\msisadrv.sys
    0x8326B000 \SystemRoot\system32\DRIVERS\pci.sys
    0x83295000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
    0x832A0000 \SystemRoot\System32\drivers\partmgr.sys
    0x832B1000 \SystemRoot\system32\DRIVERS\volmgr.sys
    0x832C1000 \SystemRoot\System32\drivers\volmgrx.sys
    0x8330C000 \SystemRoot\system32\DRIVERS\pciide.sys
    0x83313000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x83321000 \SystemRoot\System32\drivers\mountmgr.sys
    0x83337000 \SystemRoot\system32\DRIVERS\atapi.sys
    0x83340000 \SystemRoot\system32\DRIVERS\ataport.SYS
    0x83363000 \SystemRoot\system32\DRIVERS\amdxata.sys
    0x8336C000 \SystemRoot\system32\drivers\fltmgr.sys
    0x833A0000 \SystemRoot\system32\drivers\fileinfo.sys
    0x8B808000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8B937000 \SystemRoot\System32\Drivers\msrpc.sys
    0x8B962000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8B975000 \SystemRoot\System32\Drivers\cng.sys
    0x8B9D2000 \SystemRoot\System32\drivers\pcw.sys
    0x8B9E0000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x8BA1E000 \SystemRoot\system32\drivers\ndis.sys
    0x8BAD5000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8BB13000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x8BC01000 \SystemRoot\System32\drivers\tcpip.sys
    0x8BD4A000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8BD7B000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
    0x8BD84000 \SystemRoot\system32\DRIVERS\volsnap.sys
    0x8BDC3000 \SystemRoot\System32\Drivers\spldr.sys
    0x8BDCB000 \SystemRoot\System32\drivers\rdyboost.sys
    0x8BB38000 \SystemRoot\System32\Drivers\mup.sys
    0x8BDF8000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x8BB48000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x8BB7A000 \SystemRoot\system32\DRIVERS\disk.sys
    0x8BB8B000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x833B1000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8BBE2000 \SystemRoot\System32\Drivers\Null.SYS
    0x8BBE9000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8BBF0000 \SystemRoot\System32\drivers\vga.sys
    0x833D0000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8BA00000 \SystemRoot\System32\drivers\watchdog.sys
    0x8BA0D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8BA15000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8B9E9000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x8B9F1000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x833F1000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x90620000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x90637000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x90642000 \SystemRoot\system32\drivers\afd.sys
    0x9069C000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x906CE000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x906D5000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x906F4000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x90702000 \SystemRoot\system32\DRIVERS\serial.sys
    0x9071C000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x9072F000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x9073F000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x90780000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x9078A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x90794000 \SystemRoot\System32\drivers\discache.sys
    0x9141F000 \SystemRoot\system32\drivers\csc.sys
    0x91483000 \SystemRoot\System32\Drivers\dfsc.sys
    0x9149B000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x914A9000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x914CA000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x99C0D000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    0x9A68B000 \SystemRoot\system32\DRIVERS\nvBridge.kmd
    0x9A68D000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x9A744000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x9A77D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x9A788000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x9A7D3000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x914DC000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x9A7E2000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x9A7E8000 \SystemRoot\system32\DRIVERS\L1E62x86.sys
    0x914FB000 \SystemRoot\system32\DRIVERS\1394ohci.sys
    0x99C00000 \SystemRoot\system32\DRIVERS\fdc.sys
    0x99C0B000 \SystemRoot\system32\DRIVERS\ASACPI.sys
    0x91527000 \SystemRoot\system32\DRIVERS\serenum.sys
    0x91531000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
    0x9153E000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x91550000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x91568000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x91573000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x91595000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x915AD000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x915C4000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x915DB000 \SystemRoot\system32\DRIVERS\rdpbus.sys
    0x915E5000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x915F2000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x9A7F7000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x907A0000 \SystemRoot\system32\DRIVERS\ks.sys
    0x91400000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x91E19000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x91E5D000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0x91E67000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x91E78000 \SystemRoot\system32\drivers\HdAudio.sys
    0x91EC8000 \SystemRoot\system32\drivers\portcls.sys
    0x91EF7000 \SystemRoot\system32\drivers\drmk.sys
    0x91F10000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x91F1D000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x91F28000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0x91F31000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x9B3B0000 \SystemRoot\System32\win32k.sys
    0x91F42000 \SystemRoot\System32\drivers\Dxapi.sys
    0x91F4C000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x91F63000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8D2D4000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x8D2DF000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x8D2EA000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x8D2FD000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x8D304000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0x8D310000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x9B210000 \SystemRoot\System32\TSDDD.dll
    0x9B220000 \SystemRoot\System32\ATMFD.DLL
    0x8D31B000 \SystemRoot\system32\drivers\luafv.sys
    0x9B290000 \SystemRoot\System32\cdd.dll
    0x8D336000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x8D346000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x8D359000 \SystemRoot\system32\drivers\HTTP.sys
    0x8D3DE000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x8CC00000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x8CC12000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x91F65000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x91FA0000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0xA0A2D000 \SystemRoot\system32\drivers\peauth.sys
    0xA0AC4000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xA0ACE000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xA0AEF000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xA0AFC000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xA0B4B000 \SystemRoot\System32\DRIVERS\srv.sys
    0xA0BA1000 \SystemRoot\System32\drivers\rdpdr.sys
    0xA0BC6000 \SystemRoot\system32\drivers\tdtcp.sys
    0xA0BD0000 \SystemRoot\System32\DRIVERS\tssecsrv.sys
    0x91FBB000 \SystemRoot\System32\Drivers\RDPWD.SYS
    0xBCE75000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0xBCE7E000 \SystemRoot\system32\drivers\usbaudio.sys
    0x8CC35000 \SystemRoot\system32\DRIVERS\lvuvc.sys
    0x76E70000 \Windows\System32\ntdll.dll
    0x47F70000 \Windows\System32\smss.exe
    0x770B0000 \Windows\System32\apisetschema.dll
    0x00450000 \Windows\System32\autochk.exe
    0x77010000 \Windows\System32\oleaut32.dll
    0x76FE0000 \Windows\System32\imagehlp.dll
    0x76E20000 \Windows\System32\gdi32.dll
    0x76D40000 \Windows\System32\kernel32.dll
    0x76D00000 \Windows\System32\ws2_32.dll

    Processes (total 69):
    0 System Idle Process
    4 System
    260 C:\Windows\System32\smss.exe
    348 csrss.exe
    404 C:\Windows\System32\wininit.exe
    416 csrss.exe
    456 C:\Windows\System32\services.exe
    480 C:\Windows\System32\lsass.exe
    488 C:\Windows\System32\lsm.exe
    604 C:\Windows\System32\svchost.exe
    668 C:\Windows\System32\nvvsvc.exe
    724 C:\Windows\System32\svchost.exe
    748 C:\Windows\System32\winlogon.exe
    836 C:\Windows\System32\svchost.exe
    896 C:\Windows\System32\svchost.exe
    988 C:\Windows\System32\svchost.exe
    1100 C:\Windows\System32\svchost.exe
    1220 C:\Windows\System32\svchost.exe
    1340 C:\Windows\System32\svchost.exe
    1456 C:\Windows\System32\spoolsv.exe
    1484 C:\Windows\System32\svchost.exe
    1600 C:\Windows\System32\svchost.exe
    1660 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1700 C:\Windows\System32\atashost.exe
    1724 C:\Program Files\Bonjour\mDNSResponder.exe
    1760 C:\Windows\System32\svchost.exe
    1892 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    1976 C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
    2024 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    332 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
    2244 C:\Windows\System32\svchost.exe
    2432 C:\Users\karen.MASTERBEAT\AppData\Roaming\SonicWALL\VirtualAssist\VASAC.exe
    2492 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
    3036 C:\Windows\System32\nvvsvc.exe
    3068 C:\Windows\System32\svchost.exe
    3544 C:\Windows\System32\dwm.exe
    3572 C:\Windows\explorer.exe
    3600 C:\Windows\System32\taskhost.exe
    2532 C:\Program Files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe
    2660 C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
    2736 C:\Program Files\iTunes\iTunesHelper.exe
    2752 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2924 C:\Program Files\E.W.E.-Software\Befree4iPhone\befree4iphone.exe
    2936 C:\Users\karen.MASTERBEAT\AppData\Local\Google\Update\GoogleUpdate.exe
    2900 C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    3020 C:\Windows\System32\spool\drivers\w32x86\3\E_FATIGMA.EXE
    2984 C:\Users\karen.MASTERBEAT\AppData\Local\Citrix\GoToAssist Express Expert\274\g2ax_start.exe
    3044 C:\Program Files\McAfee Security Scan\3.0.199\SSScheduler.exe
    3092 C:\Program Files\Intuit\IDN\Common\TinyWeb\TINY.EXE
    276 C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    2628 C:\Program Files\Intuit\QuickBooks 2011\QBW32.EXE
    3148 C:\Program Files\Trillian\trillian.exe
    2388 C:\Program Files\iPod\bin\iPodService.exe
    536 C:\Users\karen.MASTERBEAT\AppData\Local\Citrix\GoToAssist Express Expert\274\g2ax_comm_expert.exe
    3844 C:\Users\karen.MASTERBEAT\AppData\Local\Citrix\GoToAssist Express Expert\274\g2ax_user_expert.exe
    4784 C:\Windows\System32\msiexec.exe
    4504 WmiPrvSE.exe
    4736 C:\Program Files\Intuit\QuickBooks 2011\QBHelp.exe
    5844 C:\Windows\System32\SearchIndexer.exe
    1616 C:\Windows\System32\audiodg.exe
    3864 C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
    4824 C:\Program Files\Mozilla Firefox\firefox.exe
    5052 C:\Program Files\Mozilla Firefox\plugin-container.exe
    5048 C:\Windows\System32\SearchProtocolHost.exe
    5676 C:\Windows\System32\SearchFilterHost.exe
    4440 WmiPrvSE.exe
    6016 C:\Users\karen.MASTERBEAT\Desktop\MBRCheck.exe
    2824 C:\Windows\System32\conhost.exe
    5924 C:\Windows\System32\dllhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`007e0000 (NTFS)

    PhysicalDrive0 Model Number: WDCWD5000AADS-00S9B0, Rev: 01.00A01
    PhysicalDrive1 Model Number: ST3500418AS, Rev: CC34

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
    465 GB \\.\PhysicalDrive1 Unknown MBR code
    SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
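The MBRCheck output above reports the second drive as "Unknown MBR code" against a SHA1 of its boot sector. The following is an added example, not part of the post and not MBRCheck's own code, showing what such a check does under the hood: it takes one 512-byte sector, verifies the 0x55AA boot signature, hashes the boot-code bytes, decodes the four partition entries (the "at offset" values MBRCheck prints are just LBA start multiplied by 512) and compares the hash against a caller-supplied known-good table. The sample sectors, the partition layout (modelled loosely on the C: offset in the log) and the known-good table are all constructed here; whether MBRCheck hashes the code bytes or the full sector is an assumption the log does not confirm.

```python
"""Inspect a 512-byte MBR sector: signature check, boot-code hash, partition table.

Added example. The sample sectors below are constructed for illustration and are
NOT real Windows boot code or data taken from the forum post.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code occupies bytes 0-439; 440-443 is the disk signature
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Decode one MBR sector into signature status, boot-code hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, lba_count = struct.unpack("<II", entry[8:16])
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "lba_count": lba_count,
            # same figure MBRCheck prints as "at offset" for a volume on this disk
            "byte_offset": lba_start * SECTOR_SIZE,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        # assumption: hash the code bytes only, so a changed partition table alone
        # does not change the verdict
        "code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def classify_mbr(sector: bytes, known_good: dict) -> str:
    """Map the boot-code hash to a name via a caller-maintained whitelist.

    `known_good` (hash -> label) is an assumption: seed it from clean installs.
    Anything not listed is reported as unknown, which is all a hash check can say.
    """
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid MBR (missing 55AA signature)"
    return known_good.get(info["code_sha1"], "Unknown MBR code")


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR; entries are (bootable, type, lba_start, lba_count)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    sector = bytearray(code + struct.pack("<I", 0x12345678) + b"\x00\x00")  # 446 bytes
    for bootable, ptype, start, count in entries:
        sector += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00,
                              b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, count)
    sector += b"\x00" * 16 * (4 - len(entries))  # unused slots
    sector += BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for boot code: a few plausible bytes then NOP padding.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
# Constructed layout: 100 MiB system partition at LBA 2048, NTFS volume at LBA 206848
# (206848 * 512 = 0x06500000, the C: offset shown in the MBRCheck log).
LAYOUT = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 976_566_320)]
CLEAN_MBR = build_sample_mbr(CLEAN_CODE, LAYOUT)
# Same partition table, one byte of boot code replaced with a jump: the shape of a
# bootkit-style patch that leaves the volumes mounting normally.
PATCHED_MBR = build_sample_mbr(CLEAN_CODE[:20] + b"\xe9" + CLEAN_CODE[21:], LAYOUT)
# Whitelist seeded from the "clean" sample (assumption; a real one comes from known installs).
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["code_sha1"]: "Windows 7 MBR code detected"}


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR)):
        info = parse_mbr(sector)
        print(f"{name}: {classify_mbr(sector, KNOWN_GOOD)}  SHA1: {info['code_sha1']}")
        for p in info["partitions"]:
            print(f"  slot {p['index']} type=0x{p['type']:02x} bootable={p['bootable']} "
                  f"offset=0x{p['byte_offset']:08x} sectors={p['lba_count']}")
```

On the real machine the input would be the first 512 bytes of `\\.\PhysicalDrive1`, opened read-only with administrator rights, rather than a constructed sector. Two caveats a reviewer of such a log keeps in mind: an active MBR rootkit can filter disk reads and hand a clean sector back to user-mode tools, so a hash taken from boot media is worth more than one taken on the live system; and a non-boot data drive can legitimately carry different or older boot-sector code, so an unknown hash on the second disk is a reason to look further, not proof of infection on its own.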
  2. Bobbye


    Welcome to TechSpot! I'll help you sort out the malware.

    But tell me, why did you think you needed to run the MBR check on your own? You end up with a log you don't know how to handle! I'm going to hold off taking any action based on that scan until I have more information.

    Let's back up and see if we can find the cause of the redirects:

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Important
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    There is no way to tell if the BSODs are related to malware at this point.
  3. khartley


    Sorry, I kind of jumped the gun on that in a panic yesterday. I took a step back and read through the warnings on the site about following the steps, etc. - since this was the first thing that I ran (I now know better!), and I see that you often ask for the log in your discussions, I thought I'd display the results. Here are the results from the eight steps...

    Malwarebytes' log:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6465

    Windows 6.1.7600
    Internet Explorer 9.0.8112.16421

    4/28/2011 10:55:49 AM
    mbam-log-2011-04-28 (10-55-49).txt

    Scan type: Quick scan
    Objects scanned: 176529
    Time elapsed: 4 minute(s), 11 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ----------------------------
    The GMER log was completely empty.
    ----------------------------
    DDS.txt:
    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by karen at 13:03:21.41 on Thu 04/28/2011
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
    Microsoft Windows 7 Ultimate N 6.1.7600.0.1252.1.1033.18.3327.1959 [GMT -7:00]
    .
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\svchost.exe -k Akamai
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Windows\system32\atashost.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\nvvsvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
    C:\Program Files\Pitney Bowes\PC Meter Connect\mailstationAssistant.exe
    C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\E.W.E.-Software\Befree4iPhone\befree4iphone.exe
    C:\Users\karen.MASTERBEAT\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Users\karen.MASTERBEAT\AppData\Local\Citrix\GoToAssist Express Expert\274\g2ax_start.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\McAfee Security Scan\3.0.199\SSScheduler.exe
    C:\Users\karen.MASTERBEAT\AppData\Local\Citrix\GoToAssist Express Expert\274\g2ax_comm_expert.exe
    C:\Program Files\Intuit\IDN\Common\TinyWeb\TINY.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Users\karen.MASTERBEAT\AppData\Local\Citrix\GoToAssist Express Expert\274\g2ax_user_expert.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\Intuit\QuickBooks 2011\QBW32.EXE
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\conhost.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Intuit\QuickBooks 2011\QBHelp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Users\karen.MASTERBEAT\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = https://www.masterbeat.com/
    uDefault_Page_URL = hxxp://companyweb
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
    BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll
    BHO: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Trillian Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
    TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0401.0\npwinext.dll
    uRun: [BeFree4iPhone] "c:\program files\e.w.e.-software\befree4iphone\befree4iphone.exe" /min
    uRun: [Google Update] "c:\users\karen.masterbeat\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [EPSONB8161D (WorkForce 840)] c:\windows\system32\spool\drivers\w32x86\3\e_fatigma.exe /fu "c:\windows\temp\E_S6EA6.tmp" /EF "HKCU"
    uRun: [EPSON WorkForce 840 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatigma.exe /fu "c:\windows\temp\E_S3EFF.tmp" /EF "HKCU"
    uRun: [GoToAssist Express Expert] "c:\users\karen.masterbeat\appdata\local\citrix\gotoassist express expert\274\g2ax_start.exe" "/Trigger RunAtLogon"
    mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [PC Meter Connect] c:\program files\pitney bowes\pc meter connect\mailstationAssistant.exe minimize
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [MSN Toolbar] "c:\program files\msn toolbar\platform\4.0.0401.0\mswinext.exe"
    mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
    mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\users\karen~1.mas\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\ereg\eReg.exe
    StartupFolder: c:\users\karen~1.mas\appdata\roaming\micros~1\windows\startm~1\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.199\SSScheduler.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\osr_ti~1.lnk - c:\program files\intuit\idn\common\tinyweb\TINY.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~2.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\intuit\quickbooks 2011\QBW32.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1\exchan~1.lnk - c:\program files\common files\intuit\quickbooks\qbwebconnector\QBWebConnector.exe
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: RunStartupScriptSync = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
    IE: Edit with Altova X&MLSpy - c:\program files\altova\xmlspy2011\spy.htm
    IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
    IE: {2222EF56-F49E-4d07-A14E-8D2B08766958} - c:\program files\altova\xmlspy2011\spy.htm
    IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - c:\program files\amazon\add to wish list ie extension\run.htm
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    Trusted Zone: sonicwall.com\assist.va
    DPF: {5554DCB0-700B-498D-9B58-4E40E5814405} - hxxp://192.168.4.29/Reports/Reserved.ReportViewerWebControl.axd?ReportSession=jgvsxjz1wfuik445foplgjmh&Culture=1033&CultureOverrides=False&UICulture=9&UICultureOverrides=False&ReportStack=1&ControlID=80a7fe8ea3464330bb2af776356e4931&OpType=PrintCab&Arch=X86
    DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://ipswitch.webex.com/client/T27LC/support/ieatgpc1.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
    TCP: {C0D322A8-43B7-4D25-A624-E1B403197FFD} = 192.168.1.20,8.8.8.8
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - c:\program files\intuit\quickbooks 2011\HelpAsyncPluggableProtocol.dll
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\karen~1.mas\appdata\roaming\mozilla\firefox\profiles\c3qmbyz8.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.masterbeat.com/#home/
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
    FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
    FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\users\karen.masterbeat\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    FF - Ext: Charles Autoconfiguration: {3e9a3920-1b27-11da-8cd6-0800200c9a66} - %profile%\extensions\{3e9a3920-1b27-11da-8cd6-0800200c9a66}
    FF - Ext: Trillian Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
    FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-4-28 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-4-28 269480]
    R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2011-2-24 119608]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-4-28 61960]
    R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2010-12-2 1251840]
    R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-3-31 428640]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 sw_va_service;Virtual Assist;c:\users\karen.masterbeat\appdata\roaming\sonicwall\virtualassist\VASAC.exe [2011-3-31 1611648]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [2010-7-30 20600]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.199\McCHSvc.exe [2011-2-23 237008]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-23 1343400]
    S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
    S3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\drivers\WSDScan.sys [2009-7-13 20480]
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]
    .
    =============== Created Last 30 ================
    .
    2011-04-28 17:51:11 -------- d-----w- c:\users\karen~1.mas\appdata\roaming\Malwarebytes
    2011-04-28 17:51:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-28 17:51:05 -------- d-----w- c:\progra~2\Malwarebytes
    2011-04-28 17:51:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-28 17:51:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-04-28 17:33:31 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-04-28 17:33:31 -------- d-----w- c:\program files\Avira
    2011-04-28 17:33:31 -------- d-----w- c:\progra~2\Avira
    2011-04-28 00:51:55 -------- d-----w- c:\program files\GetMore
    2011-04-28 00:51:52 -------- d-----w- c:\program files\Help
    2011-04-28 00:16:40 801792 ----a-w- c:\windows\system32\FntCache.dll
    2011-04-28 00:16:40 739840 ----a-w- c:\windows\system32\d2d1.dll
    2011-04-28 00:16:40 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-04-28 00:16:40 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-04-28 00:16:40 283648 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-04-28 00:16:40 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
    2011-04-28 00:16:40 218624 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-04-28 00:16:40 161792 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-04-28 00:16:40 1495040 ----a-w- c:\windows\system32\ExplorerFrame.dll
    2011-04-28 00:16:40 135168 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-04-28 00:16:40 1170944 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-04-28 00:16:40 107520 ----a-w- c:\windows\system32\cdd.dll
    2011-04-28 00:16:40 1074176 ----a-w- c:\windows\system32\DWrite.dll
    2011-04-27 23:46:28 -------- d-----w- c:\progra~2\McAfee Security Scan
    2011-04-27 23:46:14 -------- d-----w- c:\program files\McAfee Security Scan
    2011-04-27 16:23:21 -------- d-----w- C:\Log
    2011-04-22 22:28:24 -------- d-----w- c:\users\karen~1.mas\appdata\roaming\dBpoweramp
    2011-04-21 23:12:24 -------- d-----w- c:\users\karen~1.mas\appdata\roaming\Mael
    2011-04-21 22:35:49 -------- d-----w- c:\program files\HxD
    2011-04-20 23:23:02 -------- d-----w- c:\users\karen~1.mas\appdata\roaming\AccurateRip
    2011-04-20 23:13:16 3835624 ----a-w- c:\windows\system32\SpoonUninstall.exe
    2011-04-14 10:39:02 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2011-04-14 10:39:02 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
    2011-04-06 17:58:16 -------- d-----w- c:\users\karen~1.mas\appdata\roaming\webex
    2011-04-04 19:34:59 110968 ----a-w- c:\users\karen.masterbeat\g2ax_expert_downloadhelper_win32_x86.exe
    2011-04-04 19:34:59 -------- d-----w- c:\users\karen~1.mas\appdata\local\Citrix
    2011-04-01 05:11:10 4333280 ----a-w- c:\windows\system32\drivers\lvuvc.sys
    2011-04-01 05:10:46 539232 ----a-w- c:\windows\system32\LVUI2RC.dll
    2011-04-01 05:10:24 543328 ----a-w- c:\windows\system32\LVUI2.dll
    2011-04-01 05:09:48 291424 ----a-w- c:\windows\system32\drivers\lvrs.sys
    2011-04-01 05:08:56 195168 ----a-w- c:\windows\system32\lvci13251014.dll
    2011-04-01 05:08:36 301664 ----a-w- c:\windows\system32\lvcodec2.dll
    2011-04-01 05:07:02 10877272 ----a-w- c:\windows\system32\LogiDPP.dll
    2011-04-01 05:07:02 102744 ----a-w- c:\windows\system32\LogiDPPApp.exe
    2011-04-01 05:06:56 331608 ----a-w- c:\windows\system32\DevManagerCore.dll
    2011-04-01 04:56:20 39318 ----a-w- c:\windows\system32\Repository.reg
    2011-03-31 17:18:22 -------- d-----w- c:\users\karen~1.mas\appdata\roaming\SonicWALL
    .
    ==================== Find3M ====================
    .
    2011-03-04 09:09:48 621568 ----a-r- c:\windows\system32\XmlSpyLib.dll
    2011-02-24 21:46:19 201528 ----a-w- c:\windows\system32\atsckernel.exe
    2011-02-24 21:46:19 119608 ----a-w- c:\windows\system32\atashost.exe
    2011-02-18 23:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    2011-02-03 04:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
    .
    ============= FINISH: 13:04:04.89 ===============
     
  4. khartley

    khartley TS Rookie Topic Starter

    And here is Attach.txt:
    ---------------
    h..
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows 7 Ultimate N
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/23/2010 2:38:29 PM
    System Uptime: 4/28/2011 12:53:20 PM (1 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P5QC
    Processor: Intel(R) Core(TM)2 CPU X6800 @ 2.93GHz | LGA 775 | 2936/266mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 466 GiB total, 342.901 GiB free.
    D: is FIXED (NTFS) - 466 GiB total, 165.623 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: iPhone
    Device ID: USB\VID_05AC&PID_1297&MI_00\0
    Manufacturer:
    Name: iPhone
    PNP Device ID: USB\VID_05AC&PID_1297&MI_00\0
    Service:
    .
    ==== System Restore Points ===================
    .
    RP54: 4/13/2011 7:29:23 PM - Scheduled Checkpoint
    RP56: 4/27/2011 12:00:05 AM - Scheduled Checkpoint
    RP57: 4/27/2011 9:42:54 AM - Installed Java(TM) 6 Update 24
    RP58: 4/27/2011 5:15:46 PM - Windows Modules Installer
    RP59: 4/27/2011 5:23:22 PM - Installed TortoiseSVN 1.6.15.21042 (32 bit)
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Community Help
    Adobe Creative Suite 5 Web Premium
    Adobe Flash Builder 4
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Media Player
    Adobe Photoshop CS5
    Adobe Reader 9.4.4
    Akamai NetSession Interface
    Altova MissionKit® 2011 rel. 2 sp1 for Enterprise Software Architects
    Amazon Add to Wish List IE Extension 1.0
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    Avira AntiVir Personal - Free Antivirus
    Befree4iPhone
    Bonjour
    CameraHelperMsi
    Charles
    Crystal Reports 2008 SP2
    Crystal Reports Basic for Visual Studio 2008
    dBpoweramp DSP Effects
    dBpoweramp FLAC Codec
    dBpoweramp Music Converter
    Definition update for Microsoft Office 2010 (KB982726)
    EPSON WorkForce 840 Series Printer Uninstall
    erLT
    FileZilla Client 3.4.0
    foobar2000 v1.1.1
    FreeRIP v3.5
    Google Chrome
    GoToAssist Expert 1.5.0.274
    GoToMeeting 4.5.0.457
    Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB971091)
    Hotfix for Microsoft Visual Studio 2008 Professional Edition - ENU (KB973674)
    HxD Hex Editor version 1.7.7.0
    ImageMagick 6.6.1-5 Q16 (2010-05-01)
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 24
    Logitech Webcam Software
    LWS Facebook
    LWS Gallery
    LWS Help_main
    LWS Launcher
    LWS Motion Detection
    LWS Pictures And Video
    LWS Twitter
    LWS Video Mask Maker
    LWS VideoEffects
    LWS Webcam Software
    LWS WLM Plugin
    LWS YouTube Plugin
    Malwarebytes' Anti-Malware
    Masterbeat Downloader
    McAfee Security Scan Plus
    Microsoft .NET Compact Framework 2.0 SP2
    Microsoft .NET Compact Framework 3.5
    Microsoft .NET Framework 4 Client Profile
    Microsoft Default Manager
    Microsoft Device Emulator version 3.0 - ENU
    Microsoft Document Explorer 2008
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
    Microsoft Office Visual Web Developer 2007
    Microsoft Office Visual Web Developer MUI (English) 2007
    Microsoft Office Word MUI (English) 2010
    Microsoft Search Enhancement Pack
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Backward compatibility
    Microsoft SQL Server 2005 Books Online (English)
    Microsoft SQL Server 2005 Tools
    Microsoft SQL Server Compact 3.5 Design Tools ENU
    Microsoft SQL Server Compact 3.5 ENU
    Microsoft SQL Server Compact 3.5 for Devices ENU
    Microsoft SQL Server Database Publishing Wizard 1.2
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft UI Engine
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual Studio 2005 Premier Partner Edition - ENU
    Microsoft Visual Studio 2005 Premier Partner Edition - ENU Service Pack 1 (KB926601)
    Microsoft Visual Studio 2005 Tools for Office Runtime
    Microsoft Visual Studio 2008 Professional Edition - ENU
    Microsoft Visual Studio Web Authoring Component
    Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
    Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
    Microsoft Windows SDK for Visual Studio 2008 Tools
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    MobileMe Control Panel
    Mozilla Firefox (3.6.16)
    MSN Toolbar
    MSN Toolbar Platform
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    NVIDIA Display Control Panel
    NVIDIA Drivers
    PC Meter Connect
    PDF Settings CS5
    Pixel Ruler
    PVSonyDll
    QB Connection Diagnostic Tool
    QBWebConnector
    QuickBooks
    QuickBooks Pro 2011
    QuickBooks SDK 10.0
    QuickTime
    Search Toolbar
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Service Pack 3 for SQL Server Tools and Workstation Components 2005 ENU (KB955706)
    Sonos Desktop Controller
    SQLXML4
    TextPad 5
    TicketBench Enterprise 6.20
    TortoiseSVN 1.6.15.21042 (32 bit)
    Trillian
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2010 (KB2202188)
    Update for Microsoft Outlook Social Connector (KB983403)
    Update for Microsoft Visual Studio 2005 Premier Partner Edition - ENU (KB932232)
    Update for Microsoft Visual Studio 2008 Professional Edition - ENU (KB972221)
    VC Runtimes MSI
    Visual Studio 2005 Tools for Office Second Edition Runtime
    Visual Studio Tools for the Office system 3.0 Runtime
    WebEx
    Windows Driver Package - Boca Systems Inc. Printer (10/01/2010 2.0.2.0)
    Windows Driver Package - Pitney Bowes (DM150Drv) USB (07/04/2010 2.0.1.5)
    Windows Live ID Sign-in Assistant
    Windows Live Sync
    Windows Mobile 5.0 SDK R2 for Pocket PC
    Windows Mobile 5.0 SDK R2 for Smartphone
    Windows Small Business Server 2008 ClientAgent
    WinRAR archiver
    XML Notepad 2007
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/28/2011 9:38:58 AM, Error: Microsoft-Windows-DistributedCOM [10009] - DCOM was unable to communicate with the computer SQL using any of the configured protocols.
    4/28/2011 9:33:18 AM, Error: NETLOGON [5719] - This computer was not able to set up a secure session with a domain controller in domain MASTERBEAT due to the following: There are currently no logon servers available to service the logon request. This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
    4/28/2011 9:15:20 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Winmgmt service.
    4/28/2011 9:15:20 AM, Error: Microsoft-Windows-GroupPolicy [1065] - The processing of Group Policy failed. Windows could not evaluate the Windows Management Instrumentation (WMI) filter for the Group Policy object CN={26F9055B-DE95-47B1-A258-8AF8E9AEA3F2},CN=POLICIES,CN=SYSTEM,DC=MASTERBEAT,DC=LOCAL. This could be caused by RSOP being disabled or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service is started and the startup type is set to automatic. New Group Policy objects or settings will not process until this event has been resolved.
    4/28/2011 7:59:39 AM, Error: Microsoft-Windows-GroupPolicy [1065] - The processing of Group Policy failed. Windows could not evaluate the Windows Management Instrumentation (WMI) filter for the Group Policy object CN={9145BF83-F7E0-4438-9BA7-F228776F59E5},CN=POLICIES,CN=SYSTEM,DC=MASTERBEAT,DC=LOCAL. This could be caused by RSOP being disabled or Windows Management Instrumentation (WMI) service being disabled, stopped, or other WMI errors. Make sure the WMI service is started and the startup type is set to automatic. New Group Policy objects or settings will not process until this event has been resolved.
    4/28/2011 12:54:07 PM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
    4/28/2011 12:54:04 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000016, 0x00000002, 0x00000000, 0x82a4ba5b). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042811-42869-01.
    4/28/2011 11:31:34 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000001, 0x00000002, 0x00000000, 0x82a72f95). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042811-42354-01.
    4/28/2011 11:25:27 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000001, 0x00000002, 0x00000000, 0x82a87f95). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042811-41387-01.
    4/28/2011 11:16:31 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000001, 0x00000002, 0x00000000, 0x82aa0f95). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042811-44850-01.
    4/28/2011 10:42:56 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a0 (0x00000001, 0x00000006, 0x86356430, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042811-50965-01.
    4/28/2011 10:37:14 AM, Error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    4/27/2011 9:38:12 AM, Error: Service Control Manager [7034] - The QBIDPService service terminated unexpectedly. It has done this 1 time(s).
    4/27/2011 9:30:52 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a0 (0x00000001, 0x00000006, 0x863563d8, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042711-43649-01.
    4/27/2011 9:26:32 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the iPod Service service to connect.
    4/27/2011 9:26:32 AM, Error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/27/2011 9:26:32 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    4/27/2011 9:24:54 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007e (0xc0000005, 0x82ad42f1, 0x9362bb50, 0x9362b730). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042711-27892-01.
    4/27/2011 9:17:59 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SessionEnv service.
    4/27/2011 9:17:29 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Schedule service.
    4/27/2011 9:16:59 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the MMCSS service.
    4/27/2011 9:16:29 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the CertPropSvc service.
    4/27/2011 9:15:59 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the BITS service.
    4/27/2011 6:43:46 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    4/27/2011 6:43:46 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Computer Browser service, but this action failed with the following error: An instance of the service is already running.
    4/27/2011 6:42:46 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Server service, but this action failed with the following error: An instance of the service is already running.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7034] - The Application Information service terminated unexpectedly. It has done this 1 time(s).
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The Windows Update service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The Remote Desktop Configuration service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The Certificate Propagation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    4/27/2011 6:41:46 PM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/27/2011 6:39:16 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AeLookupSvc service.
    4/27/2011 6:39:16 PM, Error: Service Control Manager [7000] - The Application Experience service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/27/2011 5:44:42 PM, Error: Service Control Manager [7022] - The Windows Font Cache Service service hung on starting.
    4/27/2011 5:39:24 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x0417001c, 0x00000002, 0x00000000, 0x82a3ca5b). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042711-39873-01.
    4/27/2011 5:32:01 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x040d001c, 0x00000002, 0x00000000, 0x82a89a5b). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042711-41933-01.
    4/27/2011 5:27:03 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a0 (0x00000001, 0x00000006, 0x86356250, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042711-36161-01.
    4/27/2011 4:36:34 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Multimedia Class Scheduler service, but this action failed with the following error: An instance of the service is already running.
    4/27/2011 4:34:34 PM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    4/27/2011 4:28:40 PM, Error: Microsoft-Windows-DistributedCOM [10009] - DCOM was unable to communicate with the computer SERVER-TESTING using any of the configured protocols.
    4/27/2011 2:18:50 PM, Error: Microsoft-Windows-DistributedCOM [10009] - DCOM was unable to communicate with the computer SERVER-SQL using any of the configured protocols.
    4/27/2011 10:02:22 AM, Error: Schannel [36887] - The following fatal alert was received: 40.
    4/26/2011 9:38:51 AM, Error: Service Control Manager [7000] - The Multimedia Class Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/26/2011 9:38:21 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanServer service.
    4/26/2011 4:30:17 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    4/26/2011 4:21:55 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    4/26/2011 4:14:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {D3DCB472-7261-43CE-924B-0704BD730D5F}
    4/26/2011 4:14:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    4/26/2011 4:14:21 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    4/26/2011 4:14:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/26/2011 4:14:11 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    4/26/2011 4:13:59 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
    4/26/2011 4:13:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    4/26/2011 4:04:58 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a0 (0x00000001, 0x00000006, 0x85337020, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042611-44007-01.
    4/26/2011 3:58:43 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    4/26/2011 3:57:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    4/26/2011 3:57:06 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    4/26/2011 3:56:42 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx Wanarpv6 WfpLwf
    4/26/2011 3:56:41 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0xb7000a6c, 0x00000002, 0x00000001, 0x82a85f9c). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042611-28376-01.
    4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The Netlogon service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.
    4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    4/26/2011 3:48:41 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a0 (0x00000001, 0x00000006, 0x8533b020, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042611-47408-01.
    4/26/2011 2:56:10 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    4/26/2011 2:54:50 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a0 (0x00000001, 0x00000006, 0x8533a3b0, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042611-32183-01.
    4/26/2011 10:16:12 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007e (0xc0000005, 0x82abb2f1, 0xae80fb50, 0xae80f730). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042611-46831-01.
    4/26/2011 10:11:52 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x040d0077, 0x00000002, 0x00000001, 0x82ac4784). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042611-32463-01.
    4/25/2011 8:27:17 AM, Error: Microsoft-Windows-TerminalServices-Printers [1111] - Driver HP Photosmart C7200 series fax required for printer HP Photosmart C7200 series fax is unknown. Contact the administrator to install the driver before you log in again.
    4/25/2011 5:35:30 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007e (0xc0000005, 0x82b042f1, 0x97e3fb50, 0x97e3f730). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042511-30420-01.
    4/25/2011 5:26:16 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a0 (0x00000001, 0x00000006, 0x85f5a450, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042511-44444-01.
    .
    ==== End Of File ===========================
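The event-log excerpt above is more useful read as two patterns than as fifteen separate errors. The WER 1001 events give the stop codes: 0xA (IRQL_NOT_LESS_OR_EQUAL), 0x7E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) and 0xA0 (INTERNAL_POWER_ERROR). The SCM 7001 events are dependency chains, and the only entries with a real error are the terminal ones: "A device attached to the system is not functioning" is Win32 error 31 (ERROR_GEN_FAILURE), reported for the Redirected Buffering Sub Sysytem (rdbss.sys), NSI proxy service driver (nsiproxy.sys), NetIO Legacy TDI Support Driver (tdx.sys) and Ancillary Function Driver for Winsock (afd.sys), all kernel-mode network drivers failing in the same second. Everything else on that list (SMB redirectors, NLA, IP Helper, DNS Client, DHCP Client) only reports "The dependency service or group failed to start". That points at a driver-load problem below the service layer rather than five separate misconfigured services, which is the kind of signal a triage script should surface. The script below is an added example, not part of the thread or of the DDS tool that produced the excerpt; the sample lines are copied from the post and embedded so it runs offline, and the stop-code table covers only the codes that appear here.

```python
"""Triage the Windows event-log excerpt pasted above.

Added example; not part of the thread, nor of the DDS tool that produced the
excerpt. SAMPLE_LOG is a subset of the posted lines, embedded so the script
runs offline (on a live machine the same text comes from Event Viewer or
Get-WinEvent). Stop-code names are the documented Windows bugcheck names.
"""
import re

BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0xA0: "INTERNAL_POWER_ERROR",
}

# WER 1001: "... The bugcheck was: 0x000000a0 (0x00000001, 0x00000006, 0x8533b020, 0x00000000). ..."
BUGCHECK_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M), .*\[1001\].*bugcheck was: "
    r"0x(?P<code>[0-9a-fA-F]{8}) \((?P<params>[^)]*)\)")
# SCM 7001: "... The X service depends on the Y service which failed to start because of the following error: Z."
DEPENDENCY_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M), .*\[7001\] - The (?P<svc>.+?) service depends on the "
    r"(?P<dep>.+?) service which failed to start because of the following error: "
    r"(?P<err>.+?)\.?$")

SAMPLE_LOG = [  # lines copied from the excerpt in the post above
    "4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.",
    "4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.",
    "4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.",
    "4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.",
    "4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.",
    "4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The Netlogon service depends on the Workstation service which failed to start because of the following error: The dependency service or group failed to start.",
    "4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.",
    "4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.",
    "4/26/2011 3:56:39 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.",
    "4/26/2011 3:48:41 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a0 (0x00000001, 0x00000006, 0x8533b020, 0x00000000). A dump was saved in: C:\\Windows\\MEMORY.DMP. Report Id: 042611-47408-01.",
    "4/26/2011 2:54:50 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a0 (0x00000001, 0x00000006, 0x8533a3b0, 0x00000000). A dump was saved in: C:\\Windows\\MEMORY.DMP. Report Id: 042611-32183-01.",
    "4/26/2011 10:16:12 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007e (0xc0000005, 0x82abb2f1, 0xae80fb50, 0xae80f730). A dump was saved in: C:\\Windows\\MEMORY.DMP. Report Id: 042611-46831-01.",
    "4/26/2011 10:11:52 AM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x040d0077, 0x00000002, 0x00000001, 0x82ac4784). A dump was saved in: C:\\Windows\\MEMORY.DMP. Report Id: 042611-32463-01.",
    "4/25/2011 5:35:30 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000007e (0xc0000005, 0x82b042f1, 0x97e3fb50, 0x97e3f730). A dump was saved in: C:\\Windows\\MEMORY.DMP. Report Id: 042511-30420-01.",
    "4/25/2011 5:26:16 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x000000a0 (0x00000001, 0x00000006, 0x85f5a450, 0x00000000). A dump was saved in: C:\\Windows\\MEMORY.DMP. Report Id: 042511-44444-01.",
]


def parse_bugchecks(lines):
    """One record per WER 1001 event: timestamp, stop code, its name, the four parameters."""
    out = []
    for line in lines:
        m = BUGCHECK_RE.match(line.strip())
        if not m:
            continue
        code = int(m["code"], 16)
        params = [int(p.strip(), 16) for p in m["params"].split(",")]
        out.append({"ts": m["ts"], "code": code,
                    "name": BUGCHECK_NAMES.get(code, "UNKNOWN"), "params": params})
    return out


def parse_dependency_failures(lines):
    """One record per SCM 7001 event: dependent service, the dependency, the error text."""
    return [m.groupdict() for m in (DEPENDENCY_RE.match(l.strip()) for l in lines) if m]


def root_causes(failures):
    """Follow each svc -> dep chain to its end and group the dependents under that terminal."""
    edge = {f["svc"]: (f["dep"], f["err"]) for f in failures}
    summary = {}
    for f in failures:
        cur, err, seen = f["svc"], f["err"], set()
        while cur in edge and cur not in seen:   # walk until the dependency is not itself a 7001 entry
            seen.add(cur)
            cur, err = edge[cur]
        summary.setdefault(cur, {"error": err, "affected": set()})["affected"].add(f["svc"])
    return summary


def triage(lines):
    """Crashes in log order plus dependency chains collapsed to their terminal failure."""
    return {"bugchecks": parse_bugchecks(lines),
            "root_causes": root_causes(parse_dependency_failures(lines))}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for b in report["bugchecks"]:
        print(f'{b["ts"]}  0x{b["code"]:08X} {b["name"]}  params={[hex(p) for p in b["params"]]}')
    for root, info in report["root_causes"].items():
        print(f'{root!r} failed ({info["error"]}); took down: {sorted(info["affected"])}')
```

Run as-is it prints six crashes and five terminal failures; four of the five carry the ERROR_GEN_FAILURE text and the fifth (Workstation) only says its own dependency failed, because the entry that explains it is not in the excerpt. Feeding the whole exported log instead of SAMPLE_LOG would fill that gap.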
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Just between the two of us, I will be suggesting that you take everything shown here off of the Startup menu:
    StartupFolder: c:\programs\startup\logite~1.lnk - c:\program files\logitech\ereg\eReg.exe
    StartupFolder: c:\programs\startup\trillian.lnk - c:\program files\trillian\trillian.exe
    StartupFolder: c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
    StartupFolder: c:\program files\mcafee security scan\3.0.199\SSScheduler.exe
    StartupFolder: c:\program files\intuit\idn\common\tinyweb\TINY.EXE
    StartupFolder: c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    StartupFolder: c:\program files\intuit\quickbooks 2011\QBW32.EXE
    StartupFolder: c:\program files\common files\intuit\quickbooks\qbwebconnector

    None of these programs need to start on boot and run in the background, using system resources!
    ==============================
    You also have 2 antivirus programs running. Please uninstall one of them:
    Avast: Avast Removal
    McAfee:McAfee Removal
    Please reboot when through.
    ==================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl+V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =========================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan:
    Uninstall ComboFix
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      (screenshot of the ComboFix prompt)
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open in a text window. Please paste C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  6. khartley

    khartley TS Rookie Topic Starter

    Thanks, Bobbye -

    I've removed the items you mentioned from startup, as well as one of my antivirus programs. When I ran Eset NOD32, it found one threat - I can't paste in the exact wording, because the next step caused my computer to blue screen again before I'd completed my post, and the file that you mention that should contain the Eset log does not exist - that being said, the threat that it found was "win32/toolbar.zugo."

    When I tried to run Combofix, it caused the system to blue screen. I can't seem to run it - every time, same result.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You never did tell me why you ran the MBR scan, but there are some other entries that need to be removed as well as trying to fix a drive. So we'll try that and see if the system will become more stable:

    Bootkit Remover:
    Download bootkitremover.rar and save to your desktop.
    1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
    2. Double-click on the remover.exe file to run the program.
      NOTE: The tool should be run from a command line with Administrator privileges.
    3. Scanning should be completed quickly
    4. Paste the output in your next reply.
    =====================================
    When you finish the scan above, go ahead with the following:
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:
    Code:
    
    @ECHO OFF
    START 
    remover.exe fix  \\.\PhysicalDrive1  
    EXIT
    
    
    • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    • Then in the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click fix.bat to run it.
      You may see a black box appear; this is normal.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    When done, run remover.exe again and post its output.

    Do NOT reboot computer!
     
  8. khartley

    khartley TS Rookie Topic Starter

    I did mention that I ran the MBR scan when I first started reading threads in this forum that I came across in my search for people encountering a similar problem - I was seeing that it had been suggested for people to run - and I hadn't realized that there were instructions at the top of the forum for how best to approach the situation. I just stumbled into it, in my panic. There was no real rhyme or reason to my running it.

    Here's the output from Bootkitremover:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 (build 7600), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
    --------------------------------
    And here's the output from fix.bat:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 (build 7600), 32-bit

    System volume is \\.\C:
    main(): CreateFile() ERROR 5
    ERROR: Can't open volume device \\.\C:

    Done;
    Press any key to quit...
    --------------------------------
    And the output from running Bootkitremover again:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 (build 7600), 32-bit

    System volume is \\.\C:
    main(): CreateFile() ERROR 5
    ERROR: Can't open volume device \\.\C:

    Done;
    Press any key to quit...
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please use the Bootkit remover again with the following input:
    • Open Notepad
    • Copy and paste the text in the codebox into Notepad:
    Code:
    
    @ECHO OFF
    START 
    remover.exe fix   \\.\PhysicalDrive0  
    EXIT
    
    
    • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    • Then in the FILE NAME box type fix.bat.
    • Save fix.bat to your Desktop.
    • Double click fix.bat to run it.
      You may see a black box appear; this is normal.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    When done, run remover.exe again and post its output.

    Do NOT reboot computer!
     
  10. khartley

    khartley TS Rookie Topic Starter

    output of fix.bat:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 (build 7600), 32-bit

    System volume is \\.\C:
    main(): CreateFile() ERROR 5
    ERROR: Can't open volume device \\.\C:

    Done;
    Press any key to quit...
    --------------------------
    output of remover.bat:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows 7 (build 7600), 32-bit

    System volume is \\.\C:
    main(): CreateFile() ERROR 5
    ERROR: Can't open volume device \\.\C:

    Done;
    Press any key to quit...
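The remover output above suggests the manual route ("dump the master boot sector ... inspect the boot code manually"), and the repeated `CreateFile() ERROR 5` is worth reading correctly: 5 is the Win32 code ERROR_ACCESS_DENIED. The usual cause is that the batch file never got an administrator token (the tool's own note asks for an elevated command line, and a double-clicked .bat does not get one; open cmd.exe with "Run as administrator", cd to the Desktop and run `remover.exe fix \\.\PhysicalDrive0` there), but a kernel-mode rootkit that filters disk access can return the same error, and one that hooks the disk stack can also hand a clean-looking sector 0 back to anything reading it from inside the infected OS. The script below is an added example, not part of the thread or of the Bootkit Remover tool: it parses a raw 512-byte MBR of the kind `remover.exe dump` would write, and checks the boot signature, partition table and a hash of the boot code against a baseline. The sector bytes, the placeholder boot-code fragment, the disk size and the baseline hash are all constructed here so it runs offline; in practice the baseline would be a hash taken from the same machine before infection or from an identical clean install, and the dump to check should come from boot media rather than the running system when the tool reports the disk as controlled by a rootkit.

```python
"""Parse and sanity-check a raw 512-byte master boot record.

Added example, not part of the thread or of the Bootkit Remover tool. The
sector bytes are constructed inline so the script runs offline; on a real
case they would come from `remover.exe dump \\.\PhysicalDrive0 mbr.bin`
(the command the tool's own output suggests) or a raw read from boot media.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
DISK_SECTORS = 976_773_168   # ~465 GB disk like the one in the thread (assumed geometry)

# Short boot-sector-style fragment used as a stand-in for real boot code (constructed).
SAMPLE_BOOT_CODE = bytes.fromhex(
    "33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfbb90400")


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a 512-byte MBR with one active NTFS partition (constructed data)."""
    code = boot_code.ljust(440, b"\x00")
    disk_signature = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    # entry: status, CHS start, type (0x07 = NTFS), CHS end, LBA start, sector count
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff",
                       2048, 975_000_000)
    table = ntfs + b"\x00" * 48          # three empty entries
    return code + disk_signature + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split the sector into boot code hash, disk signature, partition entries, signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue                      # unused slot
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str, disk_sectors: int) -> dict:
    """Parse the sector and attach a list of findings worth a human look."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature: sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from the baseline hash: "
                        "possible bootkit or non-standard boot loader")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                   for p in info["partitions"])
    for start, end in spans:
        if end > disk_sectors:
            findings.append(f"partition starting at LBA {start} extends past end of disk")
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partition overlap at LBA {s2}")
    # Sectors after the last partition: bootkits that keep hidden storage
    # outside any partition put it here, so report the range for inspection.
    info["unpartitioned_tail_sectors"] = disk_sectors - max((e for _, e in spans), default=0)
    info["findings"] = findings
    return info


GOOD_MBR = build_sample_mbr(SAMPLE_BOOT_CODE)
# Baseline = hash of the boot code you trust (assumed known; here derived from GOOD_MBR).
BASELINE_SHA256 = hashlib.sha256(GOOD_MBR[:440]).hexdigest()
# Bootkit-style overwrite: different code in the boot area, partition table untouched.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 30)

if __name__ == "__main__":
    for label, mbr in (("clean", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        report = check_mbr(mbr, BASELINE_SHA256, DISK_SECTORS)
        print(label, report["boot_code_sha256"][:16], report["findings"],
              "tail sectors:", report["unpartitioned_tail_sectors"])
```

A boot-code hash mismatch on its own is not proof of a bootkit (OEM boot managers and disk encryption products also replace sector 0), which is why the script reports findings rather than a verdict; the unpartitioned tail is listed because that is the region a reviewer would dump next.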
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, we're going to back up and pretend you didn't run the MBR check nor the Bootkit Remover. Your result and my result were not the same. The only information I need about that is for you to tell me what Drive D is.
    ==============================
    It's very difficult to try and run scans on an unstable computer. We are going to have to get past this:
    Questions:
    1. What did you do before this downward spiral began?
    Did you install a new program?
    Did you update anything? What?
    2. Disable Hibernation if you're using it. It has almost always been known to cause problems frequently. If you're using a laptop, let it Sleep when you close it. This will save your work to the memory and hard drive, then lets it snooze. When you reopen the laptop, everything is right there like you left it.
    • Click Start> choose Control Panel> Choose System & Security.
    • Choose Power Options> Select 'Choose what closing the lid' does in the Left Pane
    • There are 3 choices:
      [o]Do Nothing>> If you're plugged in, choose this
      [o]Hibernate>>
      [o]Shut down>> If you're running on batteries, choose this. If you're shutting down for the night, you should follow the logoff/shut down path.
    • Click on 'Save Changes' .

    I have never used Hibernate on my computers, desktop or laptop, Win 3.0>>>>>Win 7. That has served me well.
     
  12. khartley

    khartley TS Rookie Topic Starter

    Thanks for your help, Bobbye! This is a desktop machine, not a laptop, and turning hibernate off was the first thing that I did when this started to happen. I'm not sure what kicked the whole problem off, since I install a lot of things both large and small on a pretty frequent basis in the course of development work. However, installing the full-blown version of Norton Internet Security seems to have solved (or at least is successfully avoiding) the problem, so things are now acting normal.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do you still require help?
     
  14. khartley

    khartley TS Rookie Topic Starter

    I think I'm OK for now - thanks!
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay. Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Click on Start> right click on Computer> Properties
    • Select System Protection
    • Click on the Create button (near bottom)
    • Type a name for the Restore Point
    • Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
    • Click Start> Computer> right click the C Drive and choose Properties> enter.
    • Click Disk Cleanup from there.
    • Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
    • Click the More Options tab
    • Click the Clean up under System Restore and Shadow Copies.
    • Click OK.
    • You will get a confirmation screen> Just click Delete.
    • Click OK on the Disk Cleanup Screen.
    • Click Delete Files on the Confirmation screen.
    It will run the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    Images courtesy lytebyte.

    Empty the Recycle Bin
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Reopening thread as problem has either continued or resurfaced.

    It seems you have been busy since that thread: you said you had a 32bit OS, now it is 64bit! How did you do that?
     
  17. khartley

    khartley TS Rookie Topic Starter

    Sorry, I should have clarified. 64 bit machine, but running 32 bit OS.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay- that helps. Please tell me what's going on now. You made a reference to Norton> what's with that?
     
  19. khartley

    khartley TS Rookie Topic Starter

    Ah, well, I installed Norton Internet Security the other day - and that looks like it now finally has helped me to pinpoint and resolve the situation. I finally tracked down the problem to Rootkit.Win32.TDSS.tdl4, and successfully used TDSSKiller to remove it. Now I can restart the system without blue screens, and the browsers aren't redirecting, all scans show clear, so I think it's finally been nailed. Sorry for the false alarm - it now looks like both threads can again be closed.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Here's some information you may benefit from reading: I haven't rechecked the links in a while, but most should still be good.

    Rootkits
    Definitions:

    A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network.

    Wikipedia: Rootkit
    http://en.wikipedia.org/wiki/Rootkit

    What are user-mode vs. kernel-mode rootkits?
    http://searchwindowssecurity.techtarget....69,00.html

    Rootkits in the Wild: rootkit technology is sometimes found with spyware and/or trojans, backdoors and RATs (remote access tools).

    Rootkits have been found on machines with Rbot and SDbot and keyloggers.
    http://www.dslreports.com/forum/remark,14493487
    http://www.dslreports.com/forum/remark,13680927

    Presumably the rootkit is used to hide the trojans which can be used by the attacker to take total control of a machine while the keyloggers transmit information back to the attackers including passwords and data from the infected machine. An ugly situation at best. In cases like this I think the safest thing for a user to do is format and reinstall because there is no way to tell how severely the machine has been compromised and what dangers may lurk inside, even if the trojans and rootkit files are removed, if they can even be removed.

    Here's an example where format and reinstall was advised on a severely compromised network computer:
    http://spywarewarrior.com/viewtopic.php?t=16273
     
Topic Status:
Not open for further replies.
