TechSpot

Can only boot into safe mode

By johnpb
Aug 11, 2010
  1. Hello everyone and thanks in advance for your help

    I have a Dell Inspiron 1501 running Windows Vista Home SP2
    32 bit operating system

    My problem started yesterday when I started the computer. It will show the Dell Inspiron screen, go to windows password logon screen. Once you enter the password windows will boot and go to the desktop. Once the desktop comes up, the screen goes blue with scattered small white boxes for a few seconds then reboots.

    My first thought was a virus, so I attempted to load Avira to do the first 6 steps. I downloaded the Avira free version and attempted to install it; it extracted all files, then when attempting to install I received the following message

    "Installation of the microsoft runtime redistributable kit has failed"

    I then attempted to install vcredis_x86 and received the following error message

    "windows installer could not be accessed"

    So I attempted to install Windows Installer and received the following error

    "not enough storage is available to process this command"

    I then attempted to install Avast and did so successfully, but when I try to open it I get the following error

    "The application has failed to start because it's side by side configuration is incorrect"

    At this point I ran TFC, Malwarebytes, gmer and dds, all logs to follow

    Any and all help is greatly appreciated. If you do not feel this is a virus problem please direct me to the proper forum.

    Thanks in advance
    John
     
  2. johnpb

    johnpb TS Rookie Topic Starter

    Malwarebytes log part 1

    Here is the correct log, sorry about that.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4417

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.18928

    8/11/2010 5:57:05 AM
    mbam-log-2010-08-11 (05-57-05).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 283107
    Time elapsed: 1 hour(s), 9 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWebSearchService (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  3. johnpb

    johnpb TS Rookie Topic Starter

    malwarebytes log part 2

    The correct log fit in the first post.
     
  4. johnpb

    johnpb TS Rookie Topic Starter

    GMER log

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-11 08:01:11
    Windows 6.0.6002 Service Pack 2
    Running: lg3kox9b.exe; Driver: C:\Users\kameron\AppData\Local\Temp\uxddafow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    Device \FileSystem\fastfat \Fat 8299AA7A

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
     
  5. johnpb

    johnpb TS Rookie Topic Starter

    DDS log

    DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL
    Run by kameron at 8:01:23.91 on Wed 08/11/2010
    Internet Explorer: 8.0.6001.18928
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1324 [GMT -6:00]


    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\Explorer.EXE
    C:\Users\kameron\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uSearch Page =
    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.msn.com
    mDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=2071031
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: PlaySushi: {21608b66-026f-4dcb-9244-0daca328dced} - c:\program files\playsushi\PSText.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
    uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
    uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; GTB6.3; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)" -"http://www.miniclip.com/games/basketball-slam/en/"
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [SigmatelSysTrayApp] sttray.exe
    mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    StartupFolder: c:\users\kameron\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop(585).ini
    StartupFolder: c:\programdata\microsoft\windows\start menu\programs\startup\desktop(504).ini
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &Search
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
    Trusted Zone: microsoft.com\*.windowsupdate
    Trusted Zone: microsoft.com\update
    Trusted Zone: windowsupdate.com
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
    DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.39.5/ttinst.cab
    DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

    ============= SERVICES / DRIVERS ===============

    S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-11 162768]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-11 19024]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-8-11 51792]
    S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-11 40384]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
    S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-7-11 632792]
    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-11 40384]
    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-11 40384]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-1-28 21504]
    S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-10-31 30192]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-7 38224]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2010-08-11 13:15:24 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-08-11 13:15:15 0 d-----w- c:\programdata\Alwil Software
    2010-08-11 12:50:58 65536 --sha-w- c:\users\kameron\ntuser.dat{eed2f275-a546-11df-9cda-a164f8e91013}.TM.blf
    2010-08-11 12:50:58 524288 --sha-w- c:\users\kameron\ntuser.dat{eed2f275-a546-11df-9cda-a164f8e91013}.TMContainer00000000000000000002.regtrans-ms
    2010-08-11 12:50:58 524288 --sha-w- c:\users\kameron\ntuser.dat{eed2f275-a546-11df-9cda-a164f8e91013}.TMContainer00000000000000000001.regtrans-ms
    2010-08-11 12:48:25 0 --sha-w- c:\users\kameron\ntuser.dat{9f9b1014-a546-11df-bddb-001c23b33ad9}.TMContainer00000000000000000002.regtrans-ms
    2010-08-11 12:48:25 0 --sha-w- c:\users\kameron\ntuser.dat{9f9b1014-a546-11df-bddb-001c23b33ad9}.TMContainer00000000000000000001.regtrans-ms
    2010-08-11 12:48:25 0 --sha-w- c:\users\kameron\ntuser.dat{9f9b1014-a546-11df-bddb-001c23b33ad9}.TM.blf
    2010-08-07 14:46:46 139624 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-07-19 19:59:33 0 d-----w- c:\windows\CheckSur
    2010-07-16 02:49:12 65536 --sha-w- c:\users\kameron\ntuser.dat{953f4095-9084-11df-a0c1-001c23b33ad9}.TM.blf
    2010-07-16 02:49:12 524288 --sha-w- c:\users\kameron\ntuser.dat{953f4095-9084-11df-a0c1-001c23b33ad9}.TMContainer00000000000000000002.regtrans-ms
    2010-07-16 02:49:12 524288 --sha-w- c:\users\kameron\ntuser.dat{953f4095-9084-11df-a0c1-001c23b33ad9}.TMContainer00000000000000000001.regtrans-ms

    ==================== Find3M ====================

    2010-08-11 03:30:09 1366 ----a-w- c:\users\kameron\appdata\roaming\wklnhst.dat
    2010-07-12 01:26:38 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-07-12 01:26:38 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-07-12 01:26:37 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-07-12 01:26:36 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-07-12 01:26:05 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2010-07-12 01:25:38 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2010-07-12 00:17:55 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2010-07-11 06:40:57 766656 ----a-w- c:\windows\fonts\arial.ttf
    2010-05-26 17:06:41 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-26 14:47:41 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-21 20:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
    2009-01-28 17:49:58 174 --sha-w- c:\program files\desktop.ini
    2007-12-25 13:52:53 51200 ----a-w- c:\windows\inf\infpub(751).dat
    2007-12-25 13:52:36 665600 ----a-w- c:\windows\inf\drvindex(749).dat
    2007-12-25 13:52:35 86016 ----a-w- c:\windows\inf\infstrng(753).dat
    2007-12-25 13:52:35 86016 ----a-w- c:\windows\inf\infstor(752).dat
    2006-11-02 12:50:50 174 --sha-w- c:\program files\desktop(277).ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2009-03-07 20:38:36 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
    2009-03-07 20:38:36 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
    2009-03-07 20:58:07 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat
    2009-12-15 04:40:57 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-12-15 04:38:53 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2007-10-31 13:21:36 8192 --sha-w- c:\windows\users\default\NTUSER(896).DAT
    2007-10-31 13:21:36 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 8:02:00.36 ===============
     
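    The DDS report above is what a malware helper reads by eye: toolbar entries that resolve to "No File", a service whose executable DDS could not find on disk (the `--> ... [?]` form, which matches the "My Web Search Service ... cannot find the path specified" event further down), and `EnableLUA = 0`. As an added example, not part of the thread, of DDS, or of any tool it mentions, the small Python triage script below applies those three checks, plus a note on any `AppInit_DLLs` entry, to a handful of lines copied from the log posted above. The `Finding` type and the category names are this example's own.

```python
"""Triage helper for DDS-style 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines.

Hypothetical example written for this thread; it is not part of DDS or TechSpot.
The sample lines below are copied from the DDS log in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines taken from the DDS log posted in the thread.
SAMPLE_LOG = r"""
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-7-11 632792]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-7 38224]
"""


@dataclass(frozen=True)
class Finding:
    category: str   # short label for the kind of issue (names chosen for this example)
    detail: str     # what a helper would look at next
    line: str       # the log line that triggered the finding


# DDS service/driver line: "S2 Name;Display Name;path [yyyy-m-d size]"
_SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# DDS policy line: "mPolicies-system: EnableLUA = 0 (0x0)"
_POLICY_RE = re.compile(r"^[mu]Policies-\w+:\s*(?P<key>\w+)\s*=\s*(?P<value>\S+)")


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one DDS line, or None if the line needs no attention."""
    line = line.strip()
    if not line:
        return None
    # Toolbar/BHO entries whose CLSID no longer resolves to a file on disk.
    if line.startswith(("TB:", "BHO:")) and line.endswith("- No File"):
        return Finding("orphaned-entry", "registry entry points to no file; the key is a leftover", line)
    m = _SERVICE_RE.match(line)
    if m:
        rest = m.group("rest")
        # DDS writes "path --> path [?]" when it cannot find the service binary.
        if " --> " in rest and rest.endswith("[?]"):
            return Finding("service-missing-binary",
                           f"service {m.group('name')} is registered but its executable is not on disk", line)
        return None
    m = _POLICY_RE.match(line)
    if m and m.group("key") == "EnableLUA" and m.group("value") == "0":
        return Finding("uac-disabled", "EnableLUA=0: User Account Control is turned off", line)
    # AppInit_DLLs are loaded into every process that loads user32.dll; verify the file.
    if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
        return Finding("appinit-dll", "DLL injected into every user32-based process; confirm it is expected", line)
    return None


def triage(text: str) -> List[Finding]:
    """Run triage_line over every line of a DDS report, keeping only the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def summary(text: str) -> Dict[str, int]:
    """Count findings per category, handy for a quick first look at a long report."""
    counts: Dict[str, int] = {}
    for f in triage(text):
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.detail}\n    {f.line}")
    print(summary(SAMPLE_LOG))
```

    On the sample lines the script reports one orphaned toolbar entry, the disabled UAC policy, the AppInit_DLLs entry and the MyWebSearchService service with a missing binary; the two services whose binaries DDS did find produce nothing. The checks are deliberately narrow: a missing-binary service is a stale registration to clean up, not by itself proof of infection, and the other findings are prompts for a helper to verify, not verdicts.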
  6. johnpb

    johnpb TS Rookie Topic Starter

    DDS attach log

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 10/30/2007 11:29:29 PM
    System Uptime: 8/11/2010 7:20:53 AM (1 hours ago)

    Motherboard: Dell Inc. | | 0UW744
    Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-55 | Socket M2/S1G1 | 1800/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 64 GiB total, 22.522 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 6.089 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP525: 7/20/2010 11:20:33 AM - Windows Update
    RP526: 8/3/2010 10:01:17 AM - Windows Update
    RP527: 8/5/2010 7:32:00 PM - Windows Update
    RP528: 8/5/2010 7:40:14 PM - Windows Update
    RP529: 8/7/2010 11:35:34 PM - Scheduled Checkpoint
    RP530: 8/9/2010 8:31:48 AM - Windows Update

    ==== Installed Programs ======================

    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.0
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    ATI Catalyst Control Center Ex
    ATI PCI Express (3GIO) Filter Driver
    avast! Free Antivirus
    Bonjour
    Browser Address Error Redirector
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities Digital Photo Professional 3.3
    Canon Utilities EOS Utility
    Canon Utilities MyCamera
    Canon Utilities Original Data Security Tools
    Canon Utilities PhotoStitch
    Canon Utilities Picture Style Editor
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities WFT-E1/E2/E3 Utility
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    Conexant HDA D110 MDC V.92 Modem
    Conquer 2.0
    DeductionPro 2008
    Dell Support Center (Support Software)
    Dell System Customization Wizard
    Dell Wireless WLAN Card
    DellSupport
    Digital Line Detect
    Disney Pirates of the Caribbean Online
    Disney Toontown Online
    EOS USB WIA Driver
    FamilyFeudOnlineParty (remove only)
    Free Realms
    Free Realms Installer
    Games, Music, & Photos Launcher
    Google Desktop
    Google Toolbar for Internet Explorer
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Internet Service Offers Launcher
    iTunes
    Java(TM) SE Runtime Environment 6
    LimeWire 4.14.12
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    MobileMe Control Panel
    Modem Diagnostic Tool
    MSN Toolbar
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetWaiting
    Pdf995 (installed by TaxCut)
    PdfEdit995 (installed by TaxCut)
    PL-2303 USB-to-Serial
    PL-2303 Vista Driver Installer
    Playsushi
    Product Documentation Launcher
    QuickSet
    QuickTime
    RCA Detective™ 2.0.0.99
    RCA easyRip 2.1.6.0
    RCA SMV Video Converter
    Registry Mechanic 9.0
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio MyDVD DE
    Roxio Update Manager
    RTC Client API v1.2
    Safari
    Shareaza 2.4.0.0
    SigmaTel Audio
    Sonic Activation Module
    Synaptics Pointing Device Driver
    TaxCut Premium + Efile 2008
    Unity Web Player
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    User's Guides
    Viewpoint Media Player
    W Photo Studio
    WeatherBug
    Windows Live OneCare safety scanner
    WinRAR archiver
    Wise Disk Cleaner 4.83
    Wise Registry Cleaner 4 Free 4.92
    Wizard101

    ==== Event Viewer Messages From Past Week ========

    8/9/2010 6:46:51 PM, Error: EventLog [6008] - The previous system shutdown at 6:45:00 PM on 8/9/2010 was unexpected.
    8/9/2010 6:42:05 PM, Error: EventLog [6008] - The previous system shutdown at 6:30:28 PM on 8/9/2010 was unexpected.
    8/9/2010 3:40:35 PM, Error: EventLog [6008] - The previous system shutdown at 9:03:13 AM on 8/9/2010 was unexpected.
    8/8/2010 8:06:10 AM, Error: EventLog [6008] - The previous system shutdown at 8:04:40 AM on 8/8/2010 was unexpected.
    8/8/2010 7:42:42 PM, Error: EventLog [6008] - The previous system shutdown at 4:59:46 PM on 8/8/2010 was unexpected.
    8/8/2010 4:01:55 PM, Error: EventLog [6008] - The previous system shutdown at 3:59:45 PM on 8/8/2010 was unexpected.
    8/8/2010 2:37:42 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    8/7/2010 4:54:11 PM, Error: EventLog [6008] - The previous system shutdown at 1:52:23 PM on 8/7/2010 was unexpected.
    8/7/2010 12:10:31 PM, Error: EventLog [6008] - The previous system shutdown at 11:20:58 AM on 8/7/2010 was unexpected.
    8/11/2010 7:23:28 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2010 7:23:26 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    8/11/2010 7:23:25 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD aswRdr aswSP aswTdi DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    8/11/2010 7:22:56 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    8/11/2010 7:22:48 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    8/11/2010 7:22:48 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    8/11/2010 7:22:48 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    8/11/2010 7:22:44 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    8/11/2010 7:22:36 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    8/11/2010 7:15:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    8/11/2010 7:10:31 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: spldr Wanarpv6
    8/11/2010 7:06:46 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
    8/11/2010 7:03:18 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    8/11/2010 6:58:15 AM, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.87.1293.0 Loading engine version: 1.1.6004.0
    8/11/2010 6:53:19 AM, Error: Microsoft-Windows-Windows Defender [2004] - Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures. Signatures Attempted: Current Error Code: 0x8050a001 Error description: The program can't find definition files that help detect unwanted software. Check for updates to the definition files, and then try again. For information on installing updates, see Help and Support. Signatures loading: Backup Loading signature version: 1.87.1293.0 Loading engine version: 1.1.6004.0
    8/11/2010 6:50:34 AM, Error: EventLog [6008] - The previous system shutdown at 6:48:51 AM on 8/11/2010 was unexpected.
    8/10/2010 9:52:03 PM, Error: Service Control Manager [7000] - The My Web Search Service service failed to start due to the following error: The system cannot find the path specified.
    8/10/2010 7:52:49 PM, Error: R300 [43015] - I2c return failed
    8/10/2010 10:01:06 PM, Error: EventLog [6008] - The previous system shutdown at 9:56:50 PM on 8/10/2010 was unexpected.

    ==== End Of File ===========================
     
  7. johnpb

    johnpb TS Rookie Topic Starter

    Anything missing?

    Please let me know if you need any further information or logs/programs ran.

    Thanks again
     
  8. crunchie

    crunchie Malware Helper Posts: 728

    Hi and welcome to TechSpot forums :)

    ==

    First thing I would like you to do is update MBA-M. Yours is woefully out of date, and if that version found all that stuff on there, I would wager my next fortnight's pay that when it is up to date, it will find a lot more.
     
  9. johnpb

    johnpb TS Rookie Topic Starter

    Correct Malwarebytes log

    Sorry, just realized that I posted the wrong log. I replaced the log posted at top of thread. I knew it was up to date, glad you caught that. Thanks and I will await further instructions.
     
  10. crunchie

    crunchie Malware Helper Posts: 728

    Please download and save SecurityCheck.exe to your Desktop from one of the links below.

    Link 1
    Link 2

    Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    A Notepad document should open automatically called checkup.txt
    Please post the contents of that document in your next reply.

    =============

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  11. johnpb

    johnpb TS Rookie Topic Starter

    security log

    Results of screen317's Security Check version 0.99.5
    Windows Vista Service Pack 2 (UAC is disabled!)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Security Center service is not running! This report may not be accurate!
    Windows Firewall Enabled!
    avast! Free Antivirus
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Wise Disk Cleaner 4.83
    Wise Registry Cleaner 4 Free 4.92
    Java(TM) SE Runtime Environment 6
    Adobe Flash Player 10.0.12.36
    Adobe Reader 8.1.0
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````
     
  12. johnpb

    johnpb TS Rookie Topic Starter

    combofix log

    Hope these help. Awaiting further instructions. Thank you for your help, it is greatly appreciated.
    John

    ComboFix 10-08-11.05 - kameron 08/12/2010 6:57.2.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1917.1421 [GMT -6:00]
    Running from: c:\users\kameron\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_MyWebSearchService


    ((((((((((((((((((((((((( Files Created from 2010-07-12 to 2010-08-12 )))))))))))))))))))))))))))))))
    .

    2010-08-12 13:05 . 2010-08-12 13:05 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-08-12 12:56 . 2010-08-12 12:56 -------- d-----w- C:\32788R22FWJFW
    2010-08-12 12:46 . 2010-08-12 13:05 -------- d-----w- c:\users\kameron\AppData\Local\temp
    2010-08-11 13:15 . 2010-04-14 16:31 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-08-11 13:15 . 2010-04-14 16:35 162768 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-08-11 13:15 . 2010-04-14 16:31 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-08-11 13:15 . 2010-04-14 16:35 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-08-11 13:15 . 2010-04-14 16:31 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-08-11 13:15 . 2010-04-14 16:47 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-08-11 13:15 . 2010-04-14 16:47 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-08-11 13:15 . 2010-08-11 13:15 -------- d-----w- c:\programdata\Alwil Software
    2010-08-11 13:15 . 2010-08-11 13:15 -------- d-----w- c:\program files\Alwil Software
    2010-08-07 14:46 . 2010-08-07 14:46 139624 ---ha-w- c:\windows\system32\mlfcache.dat
    2010-07-19 19:59 . 2010-07-19 19:59 -------- d-----w- c:\windows\CheckSur

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-12 12:46 . 2009-10-02 23:36 -------- d-----w- c:\program files\PlaySushi
    2010-08-12 02:12 . 2010-01-06 23:05 680 ----a-w- c:\users\kameron\AppData\Local\d3d9caps.dat
    2010-08-11 14:06 . 2009-03-07 23:40 -------- d-----w- c:\programdata\pdf995
    2010-08-11 03:38 . 2008-03-01 18:53 -------- d-----w- c:\program files\iWin
    2010-08-11 03:30 . 2008-01-08 03:47 1366 ----a-w- c:\users\kameron\AppData\Roaming\wklnhst.dat
    2010-07-16 15:15 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-07-12 15:35 . 2008-03-14 22:26 -------- d-----w- c:\program files\Microsoft Silverlight
    2010-07-12 02:54 . 2010-07-12 02:54 -------- d-----w- c:\program files\Common Files\PC Tools
    2010-07-12 02:23 . 2007-10-31 06:04 -------- d-----w- c:\program files\Microsoft Works
    2010-07-12 02:07 . 2010-07-12 02:07 -------- d-----w- c:\program files\Microsoft.NET
    2010-07-12 01:26 . 2010-07-12 01:26 -------- d-----w- c:\program files\Windows Portable Devices
    2010-07-12 01:26 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-07-12 01:26 . 2010-07-12 01:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
    2010-07-12 01:25 . 2010-07-12 01:25 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2010-07-12 00:55 . 2009-12-19 15:39 -------- d-----w- c:\program files\Conquer 2.0
    2010-07-12 00:28 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
    2010-07-12 00:28 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
    2010-07-12 00:28 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
    2010-07-12 00:28 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
    2010-07-12 00:28 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
    2010-07-12 00:28 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
    2010-07-11 06:04 . 2009-03-07 08:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-26 17:06 . 2010-07-11 06:37 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-26 14:47 . 2010-07-11 06:37 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-21 20:14 . 2009-10-02 20:43 221568 ------w- c:\windows\system32\MpSigStub.exe
    2006-11-02 12:50 . 2006-11-02 12:50 174 --sha-w- c:\program files\desktop(277).ini
    2007-10-31 13:21 . 2007-10-31 13:11 8192 --sha-w- c:\windows\Users\Default\NTUSER(896).DAT
    2007-10-31 13:21 . 2007-10-31 13:11 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-10-30 03:55 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-30 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
    "RegistryMechanic"="c:\program files\Registry Mechanic\RMTray.exe" [2010-04-08 292824]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe" [2009-07-21 468408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-20 815104]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 90112]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1540096]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-09 30192]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "SigmatelSysTrayApp"="sttray.exe" [2007-02-08 303104]
    "SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-04-08 104408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]

    c:\users\kameron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    desktop(585).ini [2007-12-3 174]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    desktop(504).ini [2006-11-2 174]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-30 50688]
    QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-10-30 45056]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):6d,25,e0,17,5a,21,cb,01

    R1 aswSP;aswSP; [x]
    R2 aswFsBlk;aswFsBlk; [x]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-04-14 51792]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-04-08 632792]
    R3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-12-09 30192]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - PXHELP20

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-11 06:13]

    2009-12-16 c:\windows\Tasks\Wise Disk Cleaner 4.job
    - c:\program files\Wise Disk Cleaner\WiseDiskCleaner.exe [2009-12-14 21:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    Trusted Zone: microsoft.com\*.windowsupdate
    Trusted Zone: microsoft.com\update
    Trusted Zone: windowsupdate.com
    DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://kingsisle.hs.llnwd.net/e1/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKLM-RunOnce-<NO NAME> - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-12 07:06
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-08-12 07:09:09
    ComboFix-quarantined-files.txt 2010-08-12 13:08

    Pre-Run: 23,591,489,536 bytes free
    Post-Run: 23,367,536,640 bytes free

    - - End Of File - - 599FBC04D9A98B03E9B12A914C0355B9
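Added example, not code from the thread, from ComboFix or from crunchie: a small Python triage of the "Reg Loading Points" section in the format shown above, flagging the settings the helper later points at (UAC disabled, Security Center monitoring disabled) plus the AppInit_DLLs entry. The excerpt in SAMPLE_LOG is constructed from entries in the log above, and the function names are my own.

```python
import re

# Constructed excerpt (assumed, in ComboFix's own listing format) built from
# entries quoted in the thread's ComboFix log; not the full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SSDMonitor"="c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2010-04-08 104408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(.+)\]$')                    # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')  # "Name"=value
QUOTED_PATH_RE = re.compile(r'^"([^"]*)"')            # leading quoted image path

def parse_reg_points(text):
    """Return {lower-cased registry key: {value name: raw value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys

def autostart_entries(keys):
    """(name, image path) for every value under a Run key, in log order."""
    entries = []
    for key, values in keys.items():
        if key.endswith(r'\run'):
            for name, raw in values.items():
                m = QUOTED_PATH_RE.match(raw)
                entries.append((name, m.group(1) if m else raw))
    return entries

def triage(keys):
    """Flag settings a helper would want re-hardened before trusting the box."""
    findings = []
    for key, values in keys.items():
        if key.endswith(r'\policies\system') and values.get('EnableLUA', '').startswith('0'):
            findings.append('UAC disabled (EnableLUA=0): re-enable it')
        if r'\security center\monitoring' in key and values.get('DisableMonitoring') == 'dword:00000001':
            findings.append('Security Center monitoring disabled under ' + key)
        if key.endswith(r'\windows nt\currentversion\windows') and values.get('AppInit_DLLs'):
            findings.append('AppInit_DLLs loaded into every process using user32: ' + values['AppInit_DLLs'])
    return findings
```

Run `triage(parse_reg_points(SAMPLE_LOG))` to get the three findings for this excerpt; on a real log, paste the whole "Reg Loading Points" section in place of the sample.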
     
  13. johnpb

    johnpb TS Rookie Topic Starter

    Additional Information

    Tried to reboot and got the blue screen with scattered white blocks. Once I rebooted into safe mode I received an error box stating Windows recovered from an unexpected shutdown. Under additional information it lists:

    Problem signature:
    Problem Event Name: BlueScreen
    OS Version: 6.0.6002.2.2.0.768.3
    Locale ID: 1033

    Additional information about the problem:
    BCCode: 1000008e
    BCP1: c0000005
    BCP2: 8B025FF0
    BCP3: 95F11684
    BCP4: 00000000
    OS Version: 6_0_6002
    Service Pack: 2_0
    Product: 768_1


    I am attaching the dump file it shows, as I am unable to open it to copy and paste.
     
  14. crunchie

    crunchie Malware Helper Posts: 728

    You should probably re-enable UAC (even though it can be a pain :)) and also update Adobe Reader.

    Other than My Web Search, I don't see much there.

    Are the vents clear of dust for the internals cooling?

    Does it feel like it is getting hot?

    Try and run disk check as well to see if there are any problem there.

    Right click on the C drive and click properties, then under Tools > Error Checking, select Check Now.

    It will check the disk and attempt repair if there is anything wrong.

    Let me know how it goes.

    Also, when did you first run Combofix? Log says it has been run twice and I wouldn't mind seeing the first run. Log should be in C:\qoobox.
     
  15. johnpb

    johnpb TS Rookie Topic Starter

    Hello,

    As for the cooling vents, they are clear of dust and it doesn't appear to be getting hot.

    I will run the disk check and let you know how it goes.

    Also, I ran ComboFix this morning, but the first run failed and rebooted and no log was created. I am not sure at what point it failed; when I returned to the computer it was on the login screen. I did check for a log before re-running it. I also just posted a little info while you were replying, let me know what you think.

    Thanks again
     
  16. johnpb

    johnpb TS Rookie Topic Starter

    disk check

    I ran the disk check and everything checked out OK, no repairs were made. Let me know if you have any other advice.

    Thanks
     
  17. crunchie

    crunchie Malware Helper Posts: 728

    I am not convinced (looking at the logs) that this is actually malware related. Maybe you should post those error codes above to the Windows OS forum.
    If it is not solved there, you are welcome to come back and we will have another look :).
     
Topic Status:
Not open for further replies.
