TechSpot

IE and Firefox crashes/Google redirect?

By Silver78
Jun 7, 2011
  1. Having a problem with Internet Explorer 7 and 8 as well as Firefox 4 - they automatically shut down when typing in search engines.

    Ran a couple of programs to scan and clean (most of which are now uninstalled). Now also having other issues, such as the general display properties switching from the usual XP appearance to the older 'classic' looking start bars/buttons and windows, etc. The Firewall is also being disabled, and when restarting the Firewall/Internet Connection Sharing (ICS) service it's only temporary. More recently it is also unable to connect to the wireless router (although other devices are able to).

    Any help much appreciated.

    Here are the logs:

    _______________________________________________

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6697

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    07/06/2011 19:19:45
    mbam-log-2011-06-07 (19-19-45).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 237860
    Time elapsed: 38 minute(s), 15 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ___________________________________________

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-07 19:25:18
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST96812AS rev.8.04
    Running: 16fl30y9.exe; Driver: C:\DOCUME~1\Manager\LOCALS~1\Temp\kwdyakow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86D3853B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 86D3853B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86D3853B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86D3853B

    ---- EOF - GMER 1.0.15 ----
    _______________________________________

    .
    DDS (Ver_2011-06-03.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Manager at 21:44:15 on 2011-06-07
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.464 [GMT 1:00]
    .
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Virgin Media\Service Manager\ServicepointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Bar = hxxp://www.google.com/ie
    uStart Page = hxxp://www.google.co.uk/
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
    BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
    BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: {E3215F20-3212-11D6-9F8B-00D0B743919D} - No File
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
    mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
    mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [ServiceManager.exe] "c:\program files\virgin media\service manager\ServiceManager.exe" /AUTORUN
    mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\manager\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\manager\application data\leadertech\powerregister\Seagate 2GE2924M Product Registration.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1175004690421
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{7BCF4583-D434-42A5-A6ED-DF941F0B1EB5} : DhcpNameServer = 192.168.0.1
    Notify: igfxcui - igfxdev.dll
    Notify: TPSvc - TPSvc.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\manager\application data\mozilla\firefox\profiles\mdvh54bh.default\
    FF - plugin: c:\program files\adobe\reader 8.0\reader\browser\nppdf32(2).dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\virgin media\service manager\nprpspa.dll
    FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-6-5 11608]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-5 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-5 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-5 61960]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
    R2 ServicepointService;ServicepointService;c:\program files\virgin media\service manager\ServicepointService.exe [2011-5-14 689464]
    .
    =============== Created Last 30 ================
    .
    2011-06-05 21:40:54 -------- d-----w- c:\documents and settings\manager\application data\Avira
    2011-06-05 21:30:54 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-06-05 21:30:53 -------- d-----w- c:\program files\Avira
    2011-06-05 21:30:53 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2011-06-05 19:35:22 -------- d-----w- c:\windows\SxsCaPendDel
    2011-06-05 19:32:00 -------- d-----w- c:\windows\system32\appmgmt
    2011-06-05 18:26:50 -------- d-sh--w- c:\documents and settings\manager\IECompatCache
    2011-06-05 18:23:39 -------- d-sh--w- c:\documents and settings\manager\PrivacIE
    2011-06-05 18:22:09 -------- d-sh--w- c:\documents and settings\manager\IETldCache
    2011-06-05 18:17:06 -------- dc-h--w- c:\windows\ie8
    2011-05-29 22:14:33 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-05-29 22:14:33 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2011-05-26 11:03:12 -------- d-----w- c:\windows\system32\NtmsData
    2011-05-21 14:56:06 -------- d-sh--w- C:\found.000
    2011-05-21 14:32:24 -------- d-----w- c:\documents and settings\all users\application data\STOPzilla!
    2011-05-21 03:59:21 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-05-21 03:59:21 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-21 02:35:04 -------- d-----w- c:\documents and settings\manager\application data\Malwarebytes
    2011-05-21 02:34:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-21 02:34:54 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-05-21 02:34:50 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-21 02:34:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-21 02:11:06 -------- d-----w- c:\documents and settings\manager\application data\6A0213806059A36A68CD3E05CD71C89F
    2011-05-14 18:55:16 -------- d-----w- c:\program files\Virgin Media
    .
    ==================== Find3M ====================
    .
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST96812AS rev.8.04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D386F0]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86d3ea10]; MOV EAX, [0x86d3ea8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86DA7528]
    3 CLASSPNP[0xF767DFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000077[0x86DCDF18]
    5 ACPI[0xF7514620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86CF9940]
    \Driver\atapi[0x86D0C270] -> IRP_MJ_CREATE -> 0x86D386F0
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86D3853B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 21:45:36.60 ===============

    ___________________________________________________



    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-03.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 27/03/2007 14:59:24
    System Uptime: 07/06/2011 14:47:26 (7 hours ago)
    .
    Motherboard: Dell Inc. | | 0NF743
    Processor: Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz | Microprocessor | 1830/166mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 56 GiB total, 28.874 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 21/05/2011 04:31:36 - System Checkpoint
    RP2: 21/05/2011 04:58:10 - Restore Operation
    RP3: 21/05/2011 15:32:16 - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
    RP4: 22/05/2011 18:27:09 - System Checkpoint
    RP5: 23/05/2011 18:56:52 - System Checkpoint
    RP6: 05/06/2011 19:18:36 - Installed Windows Internet Explorer 8.
    .
    ==== Installed Programs ======================
    .
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.2.4
    ALPS Touch Pad Driver
    Avira AntiVir Personal - Free Antivirus
    Broadcom Management Programs
    Compatibility Pack for the 2007 Office system
    Conexant HDA D110 MDC V.92 Modem
    D-i-v-X AVI Codec Pack Pro 2.4.0
    Dell Support 3.2.1
    Digital Line Detect
    High Definition Audio Driver Package - KB835221
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Huawei Modems
    ImgBurn
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless Software
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 21
    K-Lite Codec Pack 4.0.0 (Full)
    Malwarebytes' Anti-Malware
    mCore
    mDrWiFi
    mHlpDell
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft Application Error Reporting
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    mIWA
    mLogView
    mMHouse
    Modem Helper
    Mozilla Firefox 4.0.1 (x86 en-GB)
    mPfMgr
    mPfWiz
    mProSafe
    MSN
    mSSO
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    mWlsSafe
    mWMI
    mXML
    mZConfig
    NetWaiting
    PowerDVD 5.7
    QuickSet
    Reason 4.0
    Roxio DLA
    Roxio Express Labeler
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    Seagate Manager Installer
    SearchAssist
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB2416400)
    Security Update for Windows Internet Explorer 7 (KB2482017)
    Security Update for Windows Internet Explorer 7 (KB2497640)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sonic Update Manager
    Spelling Dictionaries Support For Adobe Reader 8
    Spybot - Search & Destroy
    Unlocker 1.8.8
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    URL Assistant
    Virgin Media Service Manager 3.7.47
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows XP Service Pack 3
    Winmail Opener 1.4
    WinRAR archiver
    ZipCentral 4.01
    .
    ==== Event Viewer Messages From Past Week ========
    .
    05/06/2011 13:48:37, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Access is denied.
    05/06/2011 13:12:35, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    01/06/2011 05:48:34, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
    01/06/2011 05:46:04, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    .
    ==== End Of File ===========================

    ____________________________________________________________
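    Added triage script, not part of the thread or of the tools it mentions: it runs over a constructed excerpt modelled on the GMER, DDS and Event Viewer lines posted above and flags the MBR-rootkit, driver-hook and service-tampering indicators that the diagnosis below rests on. Rule names, severities and the verdict wording are my own assumptions.

```python
"""Triage GMER / DDS / XP event-log excerpts for MBR-rootkit and tampering indicators."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt: the indicator lines from the posted logs, one per line.
SAMPLE_LOG = r"""
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86D3853B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 86D3853B
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D386F0]<<
\Driver\atapi DriverStartIo -> 0x86D3853B
Warning: possible TDL3 rootkit infection !
05/06/2011 13:48:37, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: Access is denied.
05/06/2011 13:12:35, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical", "high" or "medium" (assumed scale)
    rule: str
    line: str


# (rule name, severity, regex): patterns mirror the wording GMER, DDS and the XP
# Service Control Manager actually emit in the posted logs.
RULES = [
    ("gmer_mbr_rootkit_code", "critical", r"@MBR code has been found"),
    ("gmer_sector_rootkit_behavior", "high", r"sector \d+: rootkit-like behavior"),
    ("gmer_unknown_module_in_disk_trace", "high", r">>UNKNOWN \[0x[0-9A-Fa-f]+\]<<"),
    ("dds_detected_hook", "high", r"^\\Driver\\\S+ \w+ -> 0x[0-9A-Fa-f]+$"),
    ("dds_mbr_rootkit_warning", "critical", r"Warning: possible TDL\d rootkit infection"),
    ("av_disabled_or_outdated", "medium", r"^AV: .*\*Disabled(/Outdated)?\*"),
    ("firewall_service_access_denied", "medium",
     r"Windows Firewall/Internet Connection Sharing \(ICS\) service terminated .*Access is denied"),
    ("wmi_service_unexpected_termination", "medium",
     r"unexpected termination of the Windows Management Instrumentation service"),
]
COMPILED = [(name, sev, re.compile(pat, re.IGNORECASE)) for name, sev, pat in RULES]

# GMER "Devices" section, e.g. "Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86D3853B"
HOOK_RE = re.compile(r"^Device (\\Driver\\\S+) -> (\w+) (\S+) ([0-9A-Fa-f]{8})$")


def triage(text: str) -> list[Finding]:
    """Return one Finding per matched rule, plus one per distinct driver-routine hook."""
    findings: list[Finding] = []
    hooks: dict[tuple[str, str, str], list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for name, sev, rx in COMPILED:
            if rx.search(line):
                findings.append(Finding(sev, name, line))
        m = HOOK_RE.match(line)
        if m:
            driver, routine, device, addr = m.groups()
            hooks.setdefault((driver, routine, addr.upper()), []).append(device)
    # The same foreign address installed as one driver's routine across several
    # device objects is exactly how the posted GMER log shows the atapi hook.
    for (driver, routine, addr), devices in hooks.items():
        findings.append(Finding(
            "high" if len(devices) > 1 else "medium",
            "driver_routine_hook",
            f"{driver} {routine} -> 0x{addr} on {len(devices)} device(s): {', '.join(devices)}",
        ))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Collapse findings into a one-line triage decision (assumed wording)."""
    severities = {f.severity for f in findings}
    if "critical" in severities:
        return "MBR rootkit code reported: boot-sector disinfection needed before any further in-OS cleanup"
    if "high" in severities:
        return "kernel hooking indicators: escalate to boot-time or offline inspection"
    if findings:
        return "tampering indicators only: verify AV and firewall state, then rescan"
    return "no indicators in excerpt"


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: f.severity):
        print(f"[{f.severity:8}] {f.rule}: {f.line[:70]}")
    print(verdict(results))
```

Note that the Malwarebytes full scan above reported nothing while GMER and the DDS MBR check did; the script weights the boot-sector and hook rules accordingly.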
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help with the malware, but you may have system problems also.

    You do have a rootkit so let's work on that first:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe. to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ==========================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow it
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ==========================================
    Please be sure and note this:
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    You're running quite a few unnecessary processes in the background, including some Dell preloads. We'll work on that after the system is clean.
     
  3. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    Thanks for the response, here is the log from Combofix...
    _____________________________________________

    ComboFix 11-06-07.03 - Manager 09/06/2011 2:30.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.647 [GMT 1:00]
    Running from: c:\documents and settings\Manager\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Manager\Application Data\Adobe\plugs
    c:\documents and settings\Manager\Application Data\Adobe\shed
    c:\documents and settings\Manager\Application Data\alot
    c:\documents and settings\Manager\Application Data\alot\TimerManager\TimerManager.xml
    c:\windows\system32\1302026650.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-09 01:08 . 2011-06-09 01:08 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-06-05 21:40 . 2011-06-05 21:40 -------- d-----w- c:\documents and settings\Manager\Application Data\Avira
    2011-06-05 21:30 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-06-05 21:30 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-06-05 21:30 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-06-05 21:30 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-06-05 21:30 . 2011-06-05 21:30 -------- d-----w- c:\program files\Avira
    2011-06-05 21:30 . 2011-06-05 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-06-05 19:35 . 2011-06-05 19:35 -------- d-----w- c:\windows\SxsCaPendDel
    2011-06-05 18:26 . 2011-06-05 18:26 -------- d-sh--w- c:\documents and settings\Manager\IECompatCache
    2011-06-05 18:23 . 2011-06-05 18:23 -------- d-sh--w- c:\documents and settings\Manager\PrivacIE
    2011-06-05 18:23 . 2011-06-05 18:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-06-05 18:22 . 2011-06-05 18:22 -------- d-sh--w- c:\documents and settings\Manager\IETldCache
    2011-06-05 18:17 . 2011-06-05 18:19 -------- dc-h--w- c:\windows\ie8
    2011-06-05 18:12 . 2011-06-09 01:00 -------- d-----w- c:\documents and settings\Manager\Application Data\U3
    2011-05-30 00:56 . 2011-05-30 00:56 -------- d-----w- c:\documents and settings\Manager\Local Settings\Application Data\Mozilla
    2011-05-29 22:14 . 2011-05-30 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-05-29 22:14 . 2011-05-29 23:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-05-26 11:03 . 2011-06-05 22:36 -------- d-----w- c:\windows\system32\NtmsData
    2011-05-21 14:56 . 2011-05-21 14:56 -------- d-----w- C:\found.000
    2011-05-21 14:32 . 2011-06-05 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2011-05-21 04:47 . 2011-05-21 04:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-05-21 03:59 . 2011-05-21 03:59 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-21 02:35 . 2011-05-21 02:35 -------- d-----w- c:\documents and settings\Manager\Application Data\Malwarebytes
    2011-05-21 02:34 . 2011-05-21 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-21 02:34 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-21 02:34 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-21 02:34 . 2011-05-21 02:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-21 02:11 . 2011-05-21 03:13 -------- d-----w- c:\documents and settings\Manager\Application Data\6A0213806059A36A68CD3E05CD71C89F
    2011-05-14 18:55 . 2011-05-14 18:55 -------- d-----w- c:\program files\Virgin Media
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-14 16:41 . 2011-05-30 00:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-06 176128]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Manager\Start Menu\Programs\Startup\
    Seagate 2GE2924M Product Registration.lnk - c:\documents and settings\Manager\Application Data\Leadertech\PowerRegister\Seagate 2GE2924M Product Registration.exe [2009-8-21 1731736]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-3-12 24576]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Virgin Media\\Service Manager\\ServicepointService.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [05/06/2011 22:30 136360]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [16/01/2009 16:31 161064]
    R2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [14/05/2011 19:55 689464]
    .
    .
    ------- Supplementary Scan -------
    .
     
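The log above is raw ComboFix output, and a helper reads it section by section rather than top to bottom. The Python below is an added example, not part of ComboFix and not code posted by anyone in this thread. It parses the three sections shown (Other Deletions, Files Created, Reg Loading Points) from a constructed excerpt lifted from this log and applies the cheap heuristics a reviewer applies by eye: a 32-hex-digit directory under Application Data (the `6A0213806059A36A68CD3E05CD71C89F` folder), a numeric `.dat` in system32 (`1302026650.dat`), executables launched from a user profile, and Run entries given as a bare file name, which Windows resolves through the PATH search order at logon (`stsystra.exe`). The regexes and heuristics are my own; a hit is a prompt to look, not a verdict, and the `stsystra.exe` entry is, as its value name says, the Sigmatel audio tray applet.

```python
"""Triage helper for ComboFix logs: an added example, not a ComboFix feature."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines lifted from the ComboFix log posted
# above (cut down to a few entries per section) so the parser runs offline.
SAMPLE_LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Manager\Application Data\alot
c:\windows\system32\1302026650.dat
.
((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))
.
2011-06-09 01:08 . 2011-06-09 01:08 -------- d-----w- C:\TDSSKiller_Quarantine
2011-06-05 21:30 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-21 02:11 . 2011-05-21 03:13 -------- d-----w- c:\documents and settings\Manager\Application Data\6A0213806059A36A68CD3E05CD71C89F
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")           # (((( Name ))))
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\S+)\s+(\S+)\s+(.+)$")
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
NUMERIC_DAT_RE = re.compile(r"^\d{6,}\.dat$", re.IGNORECASE)


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the '(((( Name ))))' banner above them."""
    sections: Dict[str, List[str]] = {}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":          # ComboFix pads sections with '.'
            sections.setdefault(current, []).append(line)
    return sections


def parse_run_entries(lines: List[str]) -> List[dict]:
    """Turn the REGEDIT4-style Run key dump into {key, name, path, date, size}."""
    entries, key = [], None
    for line in lines:
        km = RUN_KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = RUN_VALUE_RE.match(line)
        if vm and key:
            name, path, date, size = vm.groups()
            entries.append({"key": key, "name": name, "path": path,
                            "date": date, "size": int(size)})
    return entries


def parse_created(lines: List[str]) -> List[dict]:
    """Parse 'created . modified size attrs path' rows; size is '--------' for dirs."""
    items = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            items.append({"created": created, "modified": modified,
                          "size": None if size.startswith("-") else int(size),
                          "is_dir": attrs.startswith("d"), "path": path})
    return items


def path_flags(path: str) -> List[str]:
    """Cheap heuristics for names that deserve a second look; not a verdict."""
    flags = []
    low = path.lower()
    leaf = low.rsplit("\\", 1)[-1]
    if HEX32_RE.match(leaf):
        flags.append("32-hex-digit name (random-looking work directory)")
    if NUMERIC_DAT_RE.match(leaf) and "\\system32\\" in low:
        flags.append("numeric .dat dropped in system32")
    if "\\" not in path:
        flags.append("unqualified filename, resolved by PATH search at logon")
    elif low.startswith("c:\\documents and settings\\") and leaf.endswith((".exe", ".dll")):
        flags.append("executable launched from a user profile directory")
    return flags


def triage(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return (item, reason) pairs per section that a helper would look at first."""
    sections = split_sections(text)
    out: Dict[str, List[Tuple[str, str]]] = {"deletions": [], "created": [], "run": []}
    for path in sections.get("Other Deletions", []):
        out["deletions"].append((path, "; ".join(path_flags(path)) or "removed by ComboFix"))
    created = next((v for k, v in sections.items() if k.startswith("Files Created")), [])
    for item in parse_created(created):
        flags = path_flags(item["path"])
        if flags:
            out["created"].append((item["path"], "; ".join(flags)))
    for entry in parse_run_entries(sections.get("Reg Loading Points", [])):
        flags = path_flags(entry["path"])
        if flags:
            out["run"].append((entry["key"] + "\\" + entry["name"], "; ".join(flags)))
    return out


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LOG).items():
        for item, reason in hits:
            print(f"{section:9} {item}\n          -> {reason}")
```

Run it on a saved ComboFix.txt by passing the file contents to `triage`; the Files Created window is the most useful section to diff against the date the symptoms began, which is why the parser keeps both timestamps.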
  4. Bobbye

    It is important that you do the scans in the order I give them:

    Number 1:
    It appears that you ran this: C:\TDSSKiller_Quarantine but you did not leave the log.

    Number 2: The Combofix log is not complete. Please run the TDSSKiller first, then update and rescan with Combofix. This log does not end here: ------- Supplementary Scan -------

    Please be sure to include both full logs.
     
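Why the TDSSKiller pass comes first: its log (see the next reply) reports the disk's MBR as `MBR (0x1B8) (<md5>)`, a hash of the sector's boot code rather than of the partition layout. A bootkit of the TDSS/TDL class replaces that boot code and keeps the partition table usable, so the machine still boots and a partition-table check passes. The Python below is an added example, not code from TechSpot, TDSSKiller or anyone in this thread. It assumes (an assumption, not documented on this page) that the 0x1B8 figure means the MD5 of the first 0x1B8 bytes, that is the bootstrap code ahead of the 4-byte disk signature, 2 reserved bytes and the 64-byte partition table, and it builds two constructed 512-byte sectors in memory to show how a baseline hash of that region flags a replaced loader while the partition table compares identical. `read_live_mbr` is the only part that touches a real disk and needs an elevated prompt on Windows.

```python
"""MBR boot-code baseline check: an added example, not TDSSKiller's own code."""
import hashlib
import struct
from typing import Dict, List

BOOT_CODE_LEN = 0x1B8            # bootstrap code occupies bytes 0x000-0x1B7
DISK_SIG_OFF = 0x1B8             # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE           # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"      # bytes 0x1FE-0x1FF


def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the first 0x1B8 bytes; assumed to match TDSSKiller's 'MBR (0x1B8)' line."""
    if len(mbr) != 512:
        raise ValueError("an MBR sector is exactly 512 bytes")
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the non-empty entries of the classic 4-slot partition table."""
    parts = []
    for i in range(4):
        # status, 3 CHS bytes skipped, type, 3 CHS bytes skipped, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr: bytes, baseline_md5: str) -> List[str]:
    """Compare a sector against a boot-code hash recorded while the disk was clean."""
    findings = []
    if mbr[0x1FE:0x200] != MBR_SIGNATURE:
        findings.append("0x55AA boot signature missing")
    actual = boot_code_md5(mbr)
    if actual != baseline_md5:
        findings.append(f"boot code md5 {actual} differs from baseline {baseline_md5}")
    bootable = [p for p in parse_partitions(mbr) if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    return findings


def make_mbr(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Constructed test sector: the given boot stub plus one bootable NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                        63, 0x01000000)
    table = entry + b"\x00" * 48                      # three empty slots
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + table + MBR_SIGNATURE


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk on Windows; requires an elevated prompt."""
    with open(device, "rb") as disk:
        return disk.read(512)


# Constructed stand-ins, not real boot code or malware: a stub that begins the
# way a stock MBR does (cli; xor ax,ax; mov ss,ax; mov sp,7C00h) versus a
# replaced loader that jumps over a pad. Both share the same partition table.
CLEAN = make_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")
BASELINE = boot_code_md5(CLEAN)
HIJACKED = make_mbr(b"\xEB\x20" + b"\x90" * 30 + b"\xFA\x33\xC0")

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN, BASELINE) or "no findings")
    print("hijacked:", check_mbr(HIJACKED, BASELINE))
    print("partition tables identical:", parse_partitions(CLEAN) == parse_partitions(HIJACKED))
```

The baseline has to be captured before infection (or taken from a known-clean install of the same Windows build), and on a real disk the comparison should be run from boot media, because a kernel-mode rootkit can hand a clean copy of the sector back to any reader on the infected system.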
  5. Silver78

    Sorry, here are the two logs in full....

    Please also note (not sure if it's relevant) that while I was running the scans, and ever since, I regularly get a window popping up stating: 'Generic Host Process for Win32 Services encountered a problem and needed to close.'

    TDSSKiller log (the first and only one I ran - have not run another one since).

    2011/06/09 02:05:25.0343 2996 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48
    2011/06/09 02:05:25.0359 2996 ================================================================================
    2011/06/09 02:05:25.0359 2996 SystemInfo:
    2011/06/09 02:05:25.0359 2996
    2011/06/09 02:05:25.0359 2996 OS Version: 5.1.2600 ServicePack: 3.0
    2011/06/09 02:05:25.0359 2996 Product type: Workstation
    2011/06/09 02:05:25.0359 2996 ComputerName: EYL0012LAP005
    2011/06/09 02:05:25.0359 2996 UserName: Manager
    2011/06/09 02:05:25.0359 2996 Windows directory: C:\WINDOWS
    2011/06/09 02:05:25.0359 2996 System windows directory: C:\WINDOWS
    2011/06/09 02:05:25.0359 2996 Processor architecture: Intel x86
    2011/06/09 02:05:25.0359 2996 Number of processors: 2
    2011/06/09 02:05:25.0359 2996 Page size: 0x1000
    2011/06/09 02:05:25.0359 2996 Boot type: Normal boot
    2011/06/09 02:05:25.0359 2996 ================================================================================
    2011/06/09 02:05:25.0781 2996 Initialize success
    2011/06/09 02:05:45.0625 3760 ================================================================================
    2011/06/09 02:05:45.0625 3760 Scan started
    2011/06/09 02:05:45.0625 3760 Mode: Manual;
    2011/06/09 02:05:45.0625 3760 ================================================================================
    2011/06/09 02:05:46.0671 3760 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
    2011/06/09 02:05:46.0765 3760 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/06/09 02:05:46.0812 3760 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/06/09 02:05:46.0890 3760 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    2011/06/09 02:05:46.0921 3760 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/06/09 02:05:47.0000 3760 AegisP (375eb0b97e3950adef3633c27a82438b) C:\WINDOWS\system32\DRIVERS\AegisP.sys
    2011/06/09 02:05:47.0062 3760 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
    2011/06/09 02:05:47.0140 3760 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2011/06/09 02:05:47.0156 3760 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
    2011/06/09 02:05:47.0187 3760 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
    2011/06/09 02:05:47.0203 3760 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    2011/06/09 02:05:47.0234 3760 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    2011/06/09 02:05:47.0265 3760 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    2011/06/09 02:05:47.0296 3760 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    2011/06/09 02:05:47.0312 3760 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
    2011/06/09 02:05:47.0343 3760 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
    2011/06/09 02:05:47.0390 3760 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
    2011/06/09 02:05:47.0453 3760 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
    2011/06/09 02:05:47.0500 3760 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/06/09 02:05:47.0531 3760 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
    2011/06/09 02:05:47.0546 3760 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
    2011/06/09 02:05:47.0578 3760 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
    2011/06/09 02:05:47.0625 3760 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/06/09 02:05:47.0671 3760 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/06/09 02:05:47.0734 3760 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/06/09 02:05:47.0796 3760 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/06/09 02:05:47.0984 3760 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2011/06/09 02:05:48.0125 3760 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    2011/06/09 02:05:48.0203 3760 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\WINDOWS\system32\DRIVERS\avipbb.sys
    2011/06/09 02:05:48.0312 3760 bcm4sbxp (6489310d11971f6ba6c7f49be0baf6e0) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
    2011/06/09 02:05:48.0375 3760 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/06/09 02:05:48.0421 3760 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
    2011/06/09 02:05:48.0437 3760 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/06/09 02:05:48.0500 3760 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
    2011/06/09 02:05:48.0531 3760 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/06/09 02:05:48.0593 3760 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/06/09 02:05:48.0656 3760 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/06/09 02:05:48.0734 3760 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/06/09 02:05:48.0781 3760 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
    2011/06/09 02:05:48.0812 3760 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/06/09 02:05:48.0843 3760 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
    2011/06/09 02:05:48.0906 3760 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
    2011/06/09 02:05:48.0921 3760 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
    2011/06/09 02:05:49.0000 3760 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/06/09 02:05:49.0062 3760 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
    2011/06/09 02:05:49.0078 3760 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
    2011/06/09 02:05:49.0109 3760 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
    2011/06/09 02:05:49.0140 3760 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
    2011/06/09 02:05:49.0156 3760 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
    2011/06/09 02:05:49.0171 3760 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
    2011/06/09 02:05:49.0203 3760 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
    2011/06/09 02:05:49.0218 3760 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
    2011/06/09 02:05:49.0234 3760 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
    2011/06/09 02:05:49.0312 3760 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/06/09 02:05:49.0375 3760 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/06/09 02:05:49.0406 3760 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/06/09 02:05:49.0421 3760 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/06/09 02:05:49.0453 3760 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    2011/06/09 02:05:49.0484 3760 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/06/09 02:05:49.0546 3760 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
    2011/06/09 02:05:49.0562 3760 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
    2011/06/09 02:05:49.0750 3760 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys
    2011/06/09 02:05:49.0906 3760 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2011/06/09 02:05:50.0062 3760 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/06/09 02:05:50.0156 3760 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/06/09 02:05:50.0203 3760 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/06/09 02:05:50.0250 3760 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/06/09 02:05:50.0312 3760 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/06/09 02:05:50.0343 3760 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/06/09 02:05:50.0375 3760 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/06/09 02:05:50.0406 3760 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/06/09 02:05:50.0437 3760 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/06/09 02:05:50.0500 3760 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/06/09 02:05:50.0531 3760 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
    2011/06/09 02:05:50.0671 3760 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
    2011/06/09 02:05:50.0781 3760 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
    2011/06/09 02:05:50.0843 3760 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/06/09 02:05:50.0906 3760 hwdatacard (4a77f036f7234ed24351ac486d2a29b9) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
    2011/06/09 02:05:50.0953 3760 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
    2011/06/09 02:05:50.0984 3760 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
    2011/06/09 02:05:51.0031 3760 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/06/09 02:05:51.0109 3760 ialm (cc449157474d5e43daea7e20f52c635a) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2011/06/09 02:05:51.0203 3760 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/06/09 02:05:51.0250 3760 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
    2011/06/09 02:05:51.0281 3760 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/06/09 02:05:51.0328 3760 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/06/09 02:05:51.0375 3760 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/06/09 02:05:51.0421 3760 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/06/09 02:05:51.0453 3760 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/06/09 02:05:51.0500 3760 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/06/09 02:05:51.0531 3760 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/06/09 02:05:51.0562 3760 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/06/09 02:05:51.0640 3760 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/06/09 02:05:51.0687 3760 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/06/09 02:05:51.0718 3760 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/06/09 02:05:51.0781 3760 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/06/09 02:05:51.0890 3760 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2011/06/09 02:05:51.0921 3760 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/06/09 02:05:51.0984 3760 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/06/09 02:05:52.0031 3760 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/06/09 02:05:52.0078 3760 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/06/09 02:05:52.0125 3760 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/06/09 02:05:52.0171 3760 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    2011/06/09 02:05:52.0187 3760 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/06/09 02:05:52.0265 3760 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/06/09 02:05:52.0312 3760 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/06/09 02:05:52.0375 3760 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/06/09 02:05:52.0390 3760 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/06/09 02:05:52.0421 3760 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/06/09 02:05:52.0453 3760 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/06/09 02:05:52.0484 3760 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/06/09 02:05:52.0531 3760 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/06/09 02:05:52.0562 3760 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/06/09 02:05:52.0593 3760 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/06/09 02:05:52.0625 3760 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/06/09 02:05:52.0687 3760 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/06/09 02:05:52.0703 3760 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/06/09 02:05:52.0750 3760 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/06/09 02:05:52.0875 3760 NETw3x32 (71371ed9086a3d65f43967c89634e9a9) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
    2011/06/09 02:05:53.0015 3760 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/06/09 02:05:53.0062 3760 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/06/09 02:05:53.0109 3760 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/06/09 02:05:53.0187 3760 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/06/09 02:05:53.0281 3760 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/06/09 02:05:53.0375 3760 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/06/09 02:05:53.0406 3760 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/06/09 02:05:53.0453 3760 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/06/09 02:05:53.0500 3760 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/06/09 02:05:53.0531 3760 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/06/09 02:05:53.0562 3760 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/06/09 02:05:53.0578 3760 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/06/09 02:05:53.0734 3760 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/06/09 02:05:53.0750 3760 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2011/06/09 02:05:53.0875 3760 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    2011/06/09 02:05:53.0906 3760 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    2011/06/09 02:05:53.0968 3760 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/06/09 02:05:54.0000 3760 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/06/09 02:05:54.0031 3760 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/06/09 02:05:54.0078 3760 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/06/09 02:05:54.0125 3760 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
    2011/06/09 02:05:54.0140 3760 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
    2011/06/09 02:05:54.0156 3760 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
    2011/06/09 02:05:54.0187 3760 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
    2011/06/09 02:05:54.0218 3760 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
    2011/06/09 02:05:54.0250 3760 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/06/09 02:05:54.0296 3760 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/06/09 02:05:54.0328 3760 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/06/09 02:05:54.0343 3760 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/06/09 02:05:54.0375 3760 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/06/09 02:05:54.0390 3760 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/06/09 02:05:54.0421 3760 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/06/09 02:05:54.0468 3760 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/06/09 02:05:54.0515 3760 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/06/09 02:05:54.0640 3760 s24trans (daef68fc328342d219de928c8ee610b2) C:\WINDOWS\system32\DRIVERS\s24trans.sys
    2011/06/09 02:05:54.0718 3760 SDDMI2 (8edd7b9e4a4b4c16e2dab9188caa861b) C:\WINDOWS\system32\DDMI2.sys
    2011/06/09 02:05:54.0750 3760 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/06/09 02:05:54.0812 3760 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/06/09 02:05:54.0828 3760 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/06/09 02:05:54.0890 3760 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/06/09 02:05:54.0984 3760 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
    2011/06/09 02:05:55.0031 3760 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
    2011/06/09 02:05:55.0078 3760 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/06/09 02:05:55.0125 3760 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/06/09 02:05:55.0171 3760 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/06/09 02:05:55.0218 3760 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2011/06/09 02:05:55.0328 3760 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
    2011/06/09 02:05:55.0437 3760 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/06/09 02:05:55.0468 3760 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/06/09 02:05:55.0531 3760 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    2011/06/09 02:05:55.0546 3760 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    2011/06/09 02:05:55.0609 3760 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    2011/06/09 02:05:55.0640 3760 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    2011/06/09 02:05:55.0687 3760 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/06/09 02:05:55.0765 3760 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/06/09 02:05:55.0812 3760 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/06/09 02:05:55.0859 3760 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/06/09 02:05:55.0890 3760 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/06/09 02:05:55.0968 3760 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
    2011/06/09 02:05:56.0015 3760 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/06/09 02:05:56.0062 3760 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
    2011/06/09 02:05:56.0171 3760 UnlockerDriver5 (f365fa561c3ab455d8685770d208691a) C:\Program Files\Unlocker\UnlockerDriver5.sys
    2011/06/09 02:05:56.0265 3760 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/06/09 02:05:56.0343 3760 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/06/09 02:05:56.0390 3760 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/06/09 02:05:56.0421 3760 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/06/09 02:05:56.0453 3760 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/06/09 02:05:56.0484 3760 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/06/09 02:05:56.0531 3760 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/06/09 02:05:56.0562 3760 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/06/09 02:05:56.0656 3760 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/06/09 02:05:56.0718 3760 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
    2011/06/09 02:05:56.0750 3760 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/06/09 02:05:56.0781 3760 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/06/09 02:05:56.0843 3760 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/06/09 02:05:56.0890 3760 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/06/09 02:05:56.0984 3760 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
    2011/06/09 02:05:57.0046 3760 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/06/09 02:05:57.0125 3760 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
    2011/06/09 02:05:57.0125 3760 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/06/09 02:05:57.0125 3760 ================================================================================
    2011/06/09 02:05:57.0125 3760 Scan finished
    2011/06/09 02:05:57.0125 3760 ================================================================================
    2011/06/09 02:05:57.0140 3420 Detected object count: 1
    2011/06/09 02:05:57.0140 3420 Actual detected object count: 1
    2011/06/09 02:08:02.0500 3420 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
    2011/06/09 02:08:02.0500 3420 \Device\Harddisk0\DR0 - copied to quarantine
    2011/06/09 02:08:02.0500 3420 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
    2011/06/09 02:08:02.0546 3420 \Device\Harddisk0\DR0\TDLFS\cfg.ini - copied to quarantine
    2011/06/09 02:08:02.0578 3420 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
    2011/06/09 02:08:02.0578 3420 \Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
    2011/06/09 02:08:02.0593 3420 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
    2011/06/09 02:08:02.0593 3420 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
    2011/06/09 02:08:02.0593 3420 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
    2011/06/09 02:08:02.0609 3420 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
    2011/06/09 02:08:02.0609 3420 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
    2011/06/09 02:08:02.0625 3420 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
    2011/06/09 02:08:02.0640 3420 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
    2011/06/09 02:08:02.0671 3420 \Device\Harddisk0\DR0\TDLFS\socks.dll - copied to quarantine
    2011/06/09 02:08:02.0671 3420 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Quarantine
    2011/06/09 02:12:19.0578 1640 Deinitialize success
     
  6. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    Combofix log:



    ComboFix 11-06-07.03 - Manager 09/06/2011 2:30.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.647 [GMT 1:00]
    Running from: c:\documents and settings\Manager\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Manager\Application Data\Adobe\plugs
    c:\documents and settings\Manager\Application Data\Adobe\shed
    c:\documents and settings\Manager\Application Data\alot
    c:\documents and settings\Manager\Application Data\alot\TimerManager\TimerManager.xml
    c:\windows\system32\1302026650.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-09 to 2011-06-09 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-09 01:08 . 2011-06-09 01:08 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-06-05 21:40 . 2011-06-05 21:40 -------- d-----w- c:\documents and settings\Manager\Application Data\Avira
    2011-06-05 21:30 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-06-05 21:30 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-06-05 21:30 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-06-05 21:30 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-06-05 21:30 . 2011-06-05 21:30 -------- d-----w- c:\program files\Avira
    2011-06-05 21:30 . 2011-06-05 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-06-05 19:35 . 2011-06-05 19:35 -------- d-----w- c:\windows\SxsCaPendDel
    2011-06-05 18:26 . 2011-06-05 18:26 -------- d-sh--w- c:\documents and settings\Manager\IECompatCache
    2011-06-05 18:23 . 2011-06-05 18:23 -------- d-sh--w- c:\documents and settings\Manager\PrivacIE
    2011-06-05 18:23 . 2011-06-05 18:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-06-05 18:22 . 2011-06-05 18:22 -------- d-sh--w- c:\documents and settings\Manager\IETldCache
    2011-06-05 18:17 . 2011-06-05 18:19 -------- dc-h--w- c:\windows\ie8
    2011-06-05 18:12 . 2011-06-09 01:00 -------- d-----w- c:\documents and settings\Manager\Application Data\U3
    2011-05-30 00:56 . 2011-05-30 00:56 -------- d-----w- c:\documents and settings\Manager\Local Settings\Application Data\Mozilla
    2011-05-29 22:14 . 2011-05-30 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-05-29 22:14 . 2011-05-29 23:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-05-26 11:03 . 2011-06-05 22:36 -------- d-----w- c:\windows\system32\NtmsData
    2011-05-21 14:56 . 2011-05-21 14:56 -------- d-----w- C:\found.000
    2011-05-21 14:32 . 2011-06-05 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2011-05-21 04:47 . 2011-05-21 04:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-05-21 03:59 . 2011-05-21 03:59 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-21 02:35 . 2011-05-21 02:35 -------- d-----w- c:\documents and settings\Manager\Application Data\Malwarebytes
    2011-05-21 02:34 . 2011-05-21 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-21 02:34 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-21 02:34 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-21 02:34 . 2011-05-21 02:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-21 02:11 . 2011-05-21 03:13 -------- d-----w- c:\documents and settings\Manager\Application Data\6A0213806059A36A68CD3E05CD71C89F
    2011-05-14 18:55 . 2011-05-14 18:55 -------- d-----w- c:\program files\Virgin Media
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-14 16:41 . 2011-05-30 00:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-06 176128]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\Manager\Start Menu\Programs\Startup\
    Seagate 2GE2924M Product Registration.lnk - c:\documents and settings\Manager\Application Data\Leadertech\PowerRegister\Seagate 2GE2924M Product Registration.exe [2009-8-21 1731736]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-3-12 24576]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Virgin Media\\Service Manager\\ServicepointService.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [05/06/2011 22:30 136360]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [16/01/2009 16:31 161064]
    R2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [14/05/2011 19:55 689464]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\Manager\Application Data\Mozilla\Firefox\Profiles\mdvh54bh.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Notify-mekomdo - (no file)
    Notify-TPSvc - TPSvc.dll
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-09 02:42
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST96812AS rev.8.04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86D2E53B
    user & kernel MBR OK
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-604322290-1607540692-1261844187-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2011-06-09 02:46:46
    ComboFix-quarantined-files.txt 2011-06-09 01:46
    .
    Pre-Run: 31,405,879,296 bytes free
    Post-Run: 31,617,503,232 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 06D58962F8573EFD25F3CE5ED608B333
     
  7. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    Also, Sound/audio has stopped working, saying that there is no audio device, as well as being unable to play video and requiring an adobe update.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

You are questioning a redirect. A browser crash is not a redirect. A redirect is when you choose a site from a search and get a different site instead, usually 'search', adware or spyware related.

    These 'generic host services' are part of the operating system. For an unknown reason, one or more of them isn't working at all or is having some problem.

    This always makes my hair stand up straight:
    No telling what you ran, what was found, what was removed or even if what was done was correct!

    1. Browser crashes
    2. Display properties changing
    3. Firewall disabled
    4. Problem connecting to wireless router
5. Sound/Audio not working.
    You did have a rootkit infection. It is possible that some of the files were corrupted. A basic Error Check may fix this or indicate further action.

    Right click on the Taskbar> Explore> My Computer> Right click on the Local Drive(C)> Properties> Tools> Error Check> Check both boxes on the screen that comes up> Click on Apply> OK the message that comes up> Reboot the Computer.

    The Error Checking will begin in a few seconds. Note: If this is not part of your usual maintenance, it is going to take a while. It's important that you let it finish. The system will reboot when done.

    It's important that you do not run any other scanning or cleaning programs while I'm helping you.

    See if that makes any difference in how the system works. If there are any new messages or anything different happens, please let me know what it is.
     
  9. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    Had previously tried Stopzilla (uninstalled), Spybot search & destroy (still installed, and have reports), Malwarebytes Anti-malware, Avira Antivirus, but reinstalled the last two from the links in the guide. Stopzilla kept picking up a 'Downloader.C' file which it couldn't remove and the other programs weren't even picking up. Number of other viruses removed and some items/registry keys quarantined.

Sorry, wish I had found the guide earlier, but I do appreciate the help.
    Tried the error checking. Ran ok. No new messages or noticing anything different. Still experiencing the same symptoms as listed before:

    1. Browser crashes
    2. Display properties changing
    3. Firewall disabled
    4. Problem connecting to wireless router*
5. Sound/Audio not working.

    *Connection to wireless router works when restarting the laptop, but once it goes into standby/power saving mode, it no longer works/connects regardless of what I try.

    Any idea what I may be able to try next?
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Check these Service settings:

    Click on Start> Run> type in services.msc> enter> find each of the following and double click to open> set Startup Type as given:
    Computer Browser> Set startup type to Manual
    Server> Set Startup type to Automatic>>> Note: If Server is already set to Automatic, change it to Manual.

    Reboot the computer. See if this solved the 'access denied'.
    ====================================
    Please also go ahead and run the following:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  [o] Click on the download link to get the ESET Smart Installer. Save it to your desktop.
  [o] Double click on the ESET Smart Installer icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
• Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ===========================
    I'll be going over the Combofix log.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    When finished with previous instructions:

    You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that
      a logfile has been produced. Click OK.
• A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
Download and install the most current version and update of Java Runtime Environment (JRE) HERE.
    ===========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\documents and settings\Manager\Application Data\Leadertech\PowerRegister\Seagate 2GE2924M Product Registration.exe 
    Folder::
    C:\found.000
    DirLook::
    c:\documents and settings\Manager\Application Data\6A0213806059A36A68CD3E05CD71C89F
    c:\documents and settings\Manager\Application Data\U3
    DDS::
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - No File
    BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
    BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: {E3215F20-3212-11D6-9F8B-00D0B743919D} - No File
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    StartupFolder: c:\docume~1\manager\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\manager\application data\leadertech\powerregister\Seagate 2GE2924M Product Registration.exe
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
[image: dragging CFScript.txt onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
     
     
  12. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

Completed 'services.msc' step. Audio appeared to be functioning ok after I did this.

    Ran ESETScan, here is the log:
    ______________________________


    C:\Documents and Settings\Manager\Application Data\6A0213806059A36A68CD3E05CD71C89F\local.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\TDSSKiller_Quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0003.dta Win32/Olmarik.ADZ trojan
    C:\TDSSKiller_Quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan
    C:\TDSSKiller_Quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.R trojan
    C:\TDSSKiller_Quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.R trojan
    C:\TDSSKiller_Quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0008.dta Win64/Olmarik.A trojan
    C:\TDSSKiller_Quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0009.dta Win32/Olmarik.ACQ trojan


    _________________________________________


    Then completed java step (removing old and installing new), and Combofix step...

    Here is the combofix log:


    _____________________________________

    ComboFix 11-06-16.01 - Manager 16/06/2011 22:37:16.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.654 [GMT 1:00]
    Running from: c:\documents and settings\Manager\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Manager\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    FILE ::
    "c:\documents and settings\Manager\Application Data\Leadertech\PowerRegister\Seagate 2GE2924M Product Registration.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\docume~1\manager\startm~1\programs\startup\seagat~1.lnk
    c:\documents and settings\manager\application data\leadertech\powerregister\Seagate 2GE2924M Product Registration.exe
    C:\found.000
    c:\found.000\file0000.chk
    c:\program files\bae\BAE.dll
    c:\windows\system32\dla\DLASHX_W.DLL
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-16 15:47 . 2011-06-16 15:47 -------- d-----w- c:\program files\ESET
    2011-06-13 19:15 . 2011-06-13 19:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-09 01:08 . 2011-06-09 01:08 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-06-05 21:40 . 2011-06-05 21:40 -------- d-----w- c:\documents and settings\Manager\Application Data\Avira
    2011-06-05 21:30 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-06-05 21:30 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-06-05 21:30 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-06-05 21:30 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-06-05 21:30 . 2011-06-05 21:30 -------- d-----w- c:\program files\Avira
    2011-06-05 21:30 . 2011-06-05 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-06-05 19:35 . 2011-06-05 19:35 -------- d-----w- c:\windows\SxsCaPendDel
    2011-06-05 18:26 . 2011-06-05 18:26 -------- d-sh--w- c:\documents and settings\Manager\IECompatCache
    2011-06-05 18:23 . 2011-06-05 18:23 -------- d-sh--w- c:\documents and settings\Manager\PrivacIE
    2011-06-05 18:23 . 2011-06-05 18:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-06-05 18:22 . 2011-06-05 18:22 -------- d-sh--w- c:\documents and settings\Manager\IETldCache
    2011-06-05 18:17 . 2011-06-05 18:19 -------- dc-h--w- c:\windows\ie8
    2011-06-05 18:12 . 2011-06-09 01:00 -------- d-----w- c:\documents and settings\Manager\Application Data\U3
    2011-05-30 00:56 . 2011-05-30 00:56 -------- d-----w- c:\documents and settings\Manager\Local Settings\Application Data\Mozilla
    2011-05-29 22:14 . 2011-05-30 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-05-29 22:14 . 2011-05-29 23:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-05-26 11:03 . 2011-06-05 22:36 -------- d-----w- c:\windows\system32\NtmsData
    2011-05-21 14:32 . 2011-06-05 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2011-05-21 04:47 . 2011-05-21 04:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-05-21 03:59 . 2011-05-21 03:59 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-21 02:35 . 2011-05-21 02:35 -------- d-----w- c:\documents and settings\Manager\Application Data\Malwarebytes
    2011-05-21 02:34 . 2011-05-21 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-21 02:34 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-21 02:34 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-21 02:34 . 2011-05-21 02:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-21 02:11 . 2011-05-21 03:13 -------- d-----w- c:\documents and settings\Manager\Application Data\6A0213806059A36A68CD3E05CD71C89F
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-16 21:13 . 2010-08-23 02:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-16 21:13 . 2010-08-23 02:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-04-14 16:41 . 2011-05-30 00:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\documents and settings\Manager\Application Data\6A0213806059A36A68CD3E05CD71C89F ----
    .
    2011-05-21 02:11 . 2011-05-21 02:11 26602 ----a-w- c:\documents and settings\Manager\Application Data\6A0213806059A36A68CD3E05CD71C89F\local.ini
    .
    ---- Directory of c:\documents and settings\Manager\Application Data\U3 ----
    .
    2011-06-07 20:42 . 2005-06-06 09:29 110592 ----a-w- c:\documents and settings\Manager\Application Data\U3\temp\cleanup.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-06-09_01.43.07 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2011-06-09 01:28 . 2011-06-09 01:28 16384 c:\windows\Temp\Perflib_Perfdata_110.dat
    + 2011-06-16 21:33 . 2011-06-16 21:33 16384 c:\windows\Temp\Perflib_Perfdata_110.dat
    + 2011-06-13 19:15 . 2011-06-13 19:15 238040 c:\windows\system32\Macromed\Flash\FlashUtil10s_Plugin.exe
    + 2011-06-16 21:13 . 2011-06-16 21:13 157472 c:\windows\system32\javaws.exe
    + 2011-06-16 21:13 . 2011-06-16 21:13 145184 c:\windows\system32\javaw.exe
    - 2010-08-23 02:14 . 2010-08-23 02:14 145184 c:\windows\system32\javaw.exe
    + 2011-06-16 21:13 . 2011-06-16 21:13 145184 c:\windows\system32\java.exe
    - 2010-08-23 02:14 . 2010-08-23 02:14 145184 c:\windows\system32\java.exe
    + 2011-06-16 21:13 . 2011-06-16 21:13 203776 c:\windows\Installer\1d49ab.msi
    + 2011-06-16 21:13 . 2011-06-16 21:13 675840 c:\windows\Installer\1d499d.msi
    + 2011-06-13 19:15 . 2011-06-13 19:15 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-06 176128]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
    "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-3-12 24576]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mekomdo]
    [BU]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
    [BU]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Virgin Media\\Service Manager\\ServicepointService.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [05/06/2011 22:30 136360]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [16/01/2009 16:31 161064]
    R2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [14/05/2011 19:55 689464]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\documents and settings\Manager\Application Data\Mozilla\Firefox\Profiles\mdvh54bh.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-16 22:49
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\docume~1\Manager\LOCALS~1\Temp\RGI1.tmp 7075 bytes
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST96812AS rev.8.04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86CB853B
    user & kernel MBR OK
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-604322290-1607540692-1261844187-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2011-06-16 22:52:52
    ComboFix-quarantined-files.txt 2011-06-16 21:52
    .
    Pre-Run: 31,352,930,304 bytes free
    Post-Run: 31,369,125,888 bytes free
    .
    - - End Of File - - DC0D72E7F9015871E11C16CF5DDD357D

    _______________________________________________________________


    Appreciating the help on the matter....
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      
      :Files 
      C:\Documents and Settings\Manager\Application Data\6A0213806059A36A68CD3E05CD71C89F\local.ini 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\documents and settings\Manager\Application Data\U3\temp\cleanup.exe
    c:\docume~1\Manager\LOCALS~1\Temp\RGI1.tmp
    c:\windows\Temp\Perflib_Perfdata_110.dat
    c:\windows\Temp\Perflib_Perfdata_110.dat
    
    Folder::
    C:\TDSSKiller_Quarantine
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dell QuickSet"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mekomdo]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Please give me an update on the problems. Have they been resolved?
     
  14. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    OTM log:
    ____________________________

    All processes killed
    ========== FILES ==========
    C:\Documents and Settings\Manager\Application Data\6A0213806059A36A68CD3E05CD71C89F\local.ini moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 16384 bytes
    ->Temporary Internet Files folder emptied: 32768 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 49286 bytes

    User: Manager
    ->Temp folder emptied: 4737321 bytes
    ->Temporary Internet Files folder emptied: 35872105 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 83592641 bytes
    ->Flash cache emptied: 172444 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 112094 bytes
    ->Java cache emptied: 15 bytes
    ->Flash cache emptied: 6893 bytes

    User: PAYP
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes

    User: RRansley
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 483 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 119.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 06192011_002106

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    _______________________________________
     
  15. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    New combofix log:

    _________________________________

    ComboFix 11-06-17.04 - Manager 19/06/2011 0:54.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.648 [GMT 1:00]
    Running from: c:\documents and settings\Manager\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Manager\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    * Created a new restore point
    .
    FILE ::
    "c:\docume~1\Manager\LOCALS~1\Temp\RGI1.tmp"
    "c:\documents and settings\Manager\Application Data\U3\temp\cleanup.exe"
    "c:\windows\Temp\Perflib_Perfdata_110.dat"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Manager\Application Data\U3\temp\cleanup.exe
    C:\TDSSKiller_Quarantine
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\mbr0000\object.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\mbr0000\tsk0000.dta
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\mbr0000\tsk0000.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\object.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\object.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0000.dta
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0000.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0001.dta
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0001.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0002.dta
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0002.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0003.dta
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0003.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0004.dta
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0004.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0005.dta
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0005.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0006.dta
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0006.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0007.dta
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0007.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0008.dta
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0008.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0009.dta
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0009.ini
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0010.dta
    c:\tdsskiller_quarantine\09.06.2011_02.05.25\boot0000\tdlfs0000\tsk0010.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-19 to 2011-06-19 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-18 23:21 . 2011-06-18 23:21 -------- d-----w- C:\_OTM
    2011-06-16 15:47 . 2011-06-16 15:47 -------- d-----w- c:\program files\ESET
    2011-06-13 19:15 . 2011-06-13 19:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-05 21:40 . 2011-06-05 21:40 -------- d-----w- c:\documents and settings\Manager\Application Data\Avira
    2011-06-05 21:30 . 2011-04-01 16:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-06-05 21:30 . 2011-04-01 16:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-06-05 21:30 . 2010-06-17 14:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-06-05 21:30 . 2010-06-17 14:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-06-05 21:30 . 2011-06-05 21:30 -------- d-----w- c:\program files\Avira
    2011-06-05 21:30 . 2011-06-05 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-06-05 19:35 . 2011-06-05 19:35 -------- d-----w- c:\windows\SxsCaPendDel
    2011-06-05 18:26 . 2011-06-05 18:26 -------- d-sh--w- c:\documents and settings\Manager\IECompatCache
    2011-06-05 18:23 . 2011-06-05 18:23 -------- d-sh--w- c:\documents and settings\Manager\PrivacIE
    2011-06-05 18:23 . 2011-06-05 18:23 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-06-05 18:22 . 2011-06-05 18:22 -------- d-sh--w- c:\documents and settings\Manager\IETldCache
    2011-06-05 18:17 . 2011-06-05 18:19 -------- dc-h--w- c:\windows\ie8
    2011-06-05 18:12 . 2011-06-09 01:00 -------- d-----w- c:\documents and settings\Manager\Application Data\U3
    2011-05-30 00:56 . 2011-05-30 00:56 -------- d-----w- c:\documents and settings\Manager\Local Settings\Application Data\Mozilla
    2011-05-29 22:14 . 2011-05-30 00:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-05-29 22:14 . 2011-05-29 23:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-05-26 11:03 . 2011-06-18 12:30 -------- d-----w- c:\windows\system32\NtmsData
    2011-05-21 14:32 . 2011-06-05 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2011-05-21 04:47 . 2011-05-21 04:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-05-21 03:59 . 2011-05-21 03:59 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-05-21 02:35 . 2011-05-21 02:35 -------- d-----w- c:\documents and settings\Manager\Application Data\Malwarebytes
    2011-05-21 02:34 . 2011-05-21 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-05-21 02:34 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-21 02:34 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-21 02:34 . 2011-05-21 02:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-05-21 02:11 . 2011-06-18 23:21 -------- d-----w- c:\documents and settings\Manager\Application Data\6A0213806059A36A68CD3E05CD71C89F
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-16 21:13 . 2010-08-23 02:14 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-16 21:13 . 2010-08-23 02:14 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-04-14 16:41 . 2011-05-30 00:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-06-09_01.43.07 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-06-18 23:51 . 2011-06-18 23:51 16384 c:\windows\Temp\Perflib_Perfdata_fc.dat
    + 2011-06-13 19:15 . 2011-06-13 19:15 238040 c:\windows\system32\Macromed\Flash\FlashUtil10s_Plugin.exe
    + 2011-06-16 21:13 . 2011-06-16 21:13 157472 c:\windows\system32\javaws.exe
    + 2011-06-16 21:13 . 2011-06-16 21:13 145184 c:\windows\system32\javaw.exe
    - 2010-08-23 02:14 . 2010-08-23 02:14 145184 c:\windows\system32\javaw.exe
    + 2011-06-16 21:13 . 2011-06-16 21:13 145184 c:\windows\system32\java.exe
    - 2010-08-23 02:14 . 2010-08-23 02:14 145184 c:\windows\system32\java.exe
    + 2011-06-16 21:13 . 2011-06-16 21:13 203776 c:\windows\Installer\1d49ab.msi
    + 2011-06-16 21:13 . 2011-06-16 21:13 675840 c:\windows\Installer\1d499d.msi
    + 2011-06-13 19:15 . 2011-06-13 19:15 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-06 176128]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 49152]
    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-01-16 181544]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-3-12 24576]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mekomdo]
    [BU]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
    [BU]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Virgin Media\\Service Manager\\ServicepointService.exe"=
    .
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [05/06/2011 22:30 136360]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [16/01/2009 16:31 161064]
    R2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [14/05/2011 19:55 689464]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    TCP: DhcpNameServer = 192.168.0.1
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - ProfilePath - c:\documents and settings\Manager\Application Data\Mozilla\Firefox\Profiles\mdvh54bh.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-19 01:06
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST96812AS rev.8.04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86CB653B
    user & kernel MBR OK
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-604322290-1607540692-1261844187-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    Completion time: 2011-06-19 01:10:11
    ComboFix-quarantined-files.txt 2011-06-19 00:10
    .
    Pre-Run: 31,255,449,600 bytes free
    Post-Run: 31,249,297,408 bytes free
    .
    - - End Of File - - 717577FDD7BE3A5DFA6BEF20D74D015F


    _______________________________________________________


    Update on what has been fixed/not:

    1. Browser crashes - this is still happening.

    2. Display properties changing - seems OK so far, although this did happen again after the last combofix step, but have not noticed it again yet after the last restart I performed.

    3. Firewall disabled - now fixed and up and running.

    4. Problem connecting to wireless router - seems to be connecting fine at the moment.

    5. Sound/Audio not working - seems to be working ok at the moment.

    Also still getting the 'Generic Host Process for Win32 Services' encountering a problem and needing to close.


    Will let you know if anything changes as to what has been reported above.
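The CFScript in post 13 asked ComboFix to remove two Run values ("DellSupport" and "Dell QuickSet") and listed the two winlogon\notify keys (mekomdo and TPSvc) under Registry::; the post-run log above still shows both notify keys with [BU] under them, while neither Run value appears. The script's Registry:: section and the log's "Reg Loading Points" section both use REGEDIT4-style lines ([HKEY_...] headers followed by "name"=data lines), so one small parser can read both and report which requested items survived the run. This is an added example for this thread, not ComboFix's own tooling; the two excerpts inside it are constructed from the script and log posted here, trimmed to the keys the script mentions.

```python
"""Check a ComboFix CFScript's Registry:: requests against the post-run log.

Added example for this thread, not ComboFix's own tooling. The script's
Registry:: section and the log's "Reg Loading Points" section both use
REGEDIT4-style lines: a [HKEY_...] key header followed by "name"=data lines,
so one small parser reads both. Registry paths are case-insensitive, so
keys and value names are compared lower-cased.
"""
import re

# Constructed excerpts of the CFScript and the post-run log posted in this
# thread, trimmed to the keys the script mentions.
CFSCRIPT_REGISTRY = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mekomdo]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
"""

POST_RUN_REG_POINTS = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-06 176128]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mekomdo]
[BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TPSvc]
[BU]
.
"""

# Standard .reg syntax: [KEY] asserts a key, [-KEY] deletes it, "name"=- deletes a value.
KEY_RE = re.compile(r"^\[(?P<minus>-?)(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_regedit_section(text):
    """Return {key: {"delete": bool, "values": {name: data}}}, keys/names lower-cased.

    Lines that are neither a key header nor a "name"=data pair (ComboFix's
    "." separators and [BU] markers, @="" default values) are skipped.
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km["key"].lower()
            entry = tree.setdefault(current, {"delete": False, "values": {}})
            entry["delete"] = entry["delete"] or bool(km["minus"])
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            tree[current]["values"][vm["name"].lower()] = vm["data"]
    return tree


def requested_items(cfscript_text):
    """(key, value_name_or_None, explicit) for each thing the script touches.

    explicit is True for [-KEY] and "name"=-; a bare [KEY] with nothing under
    it is returned with explicit=False, because in .reg syntax that line only
    ensures the key exists and expresses no deletion.
    """
    items = []
    for key, entry in parse_regedit_section(cfscript_text).items():
        if entry["delete"]:
            items.append((key, None, True))
        elif not entry["values"]:
            items.append((key, None, False))
        for name, data in entry["values"].items():
            if data == "-":
                items.append((key, name, True))
    return items


def still_present(cfscript_text, post_log_text):
    """Requested items that the post-run log still lists."""
    post = parse_regedit_section(post_log_text)
    left = []
    for key, name, explicit in requested_items(cfscript_text):
        if name is None and key in post:
            left.append((key, None, explicit))
        elif name is not None and name in post.get(key, {}).get("values", {}):
            left.append((key, name, explicit))
    return left


if __name__ == "__main__":
    for key, name, explicit in still_present(CFSCRIPT_REGISTRY, POST_RUN_REG_POINTS):
        what = f'value "{name}"' if name else "key"
        how = "explicit delete" if explicit else "bare header, no delete expressed"
        print(f"still present: {what} under [{key}]  ({how})")
```

Run against the excerpts it reports the two notify keys as still present and flags both as bare headers: in ordinary .reg syntax a line like [HKEY_...\notify\mekomdo] on its own asserts the key rather than removing it, and a whole-key deletion is written [-HKEY_...], which the parser also recognises. Whether ComboFix's Registry:: section treats a bare header differently is a question for its documentation; the check above only reports what is still listed after the run, which is the thing worth verifying before concluding a fix took.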
     
  16. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    Still encountering the same problems with 1, 2, 4 and 5.

    Appearance changes, internet browser crashes when going to certain sites or carrying out searches, and after stepping away from the machine for a short while, the internet connection is in use by another program and I cannot connect to my wireless router. This only gets resolved when I restart the machine. Also having the same problem with sound device/audio again.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Run this please:
    Please download VEW and save it to your Desktop:

    Setting up the program

    Double-click VEW.exe to run.

    • Select log to query, select
    • Application
    • System

      Under Select type to list, select:
    • Critical (Vista only)
    • Error

      Click the radio button for Number of events
    • Type 20 in the 1 to 20 box
    • Then click the Run button.
    • Notepad will open with the output log.

      Load the log
    • In Notepad, click Edit> Select all
    • Then press Edit > Copy
    • Press Ctrl+V on your keyboard to paste the log to your next reply.
    Run this in Normal Mode.
    (Courtesy rev-Olie)
    =========================================
    The same sites? When the browser crashes, what actually happens?

    Do you know what this device is?
    =========================================
    I'd also like you to check the Device Manager.
    Using Safe Mode and Device Manager to troubleshoot.

    1) Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    2) Access the Device Manager: Control Panel> System> Hardware tab> Device Manager
    • Double-click a device (or highlight it> Properties). This will show Device Status and Device Usage
    • Disable the drivers for the following devices (if present) using the Device Usage for each
      [o] Display Adapters
      [o] Floppy Disk Controllers
      [o] Hard Disk Controllers
      [o] Keyboard
      [o] Mouse
      [o] Network Adapters
      [o] PCMCIA Socket
      [o] Ports
      [o] SCSI Controllers
      [o] Sound, Video, and Game Controllers

      A yellow exclamation mark appears on devices that aren't responding or whose drivers aren't installed properly.
      A red X appears on devices that have been disabled.

    3) Reboot the computer into normal mode.
    • If the computer successfully boots into normal mode, reenable half of the device drivers that were disabled and reboot.
    • Continue rebooting and reenabling successively more devices until Windows no longer boots normally.
    • One of the device drivers in the most recently reenabled group of drivers is causing the problem.
     
  18. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    Hi Bobbye,

    In answer to your questions,

    1. Internet browser closes whenever I type into a search engine (typically google, but have also tried others) and press enter/submit. Occasionally when I am on another site and I search something, it will also close. When I restart the browser or even laptop, and try to resume the previous page I was on, it will also close. A couple of times (but not always) when I have clicked on a recent link in the address bar (such as techspot mainpage) it will make my browser just exit/disappear. This has also happened when I tried to go back to the techspot forum page (and this thread). This did appear with one or two sites prior to starting this thread, but cannot recall exactly which websites they were (sorry). I now tend to just type the webpage into the address bar or navigate by clicking on links.

    2. No idea what 'Read A device' is that was meant to be attached to the system, nor why it is not functioning. Did not have anything in the drives, did not have my external hard drive plugged in. Don't think I would have left a USB stick in there either, but if you want I can always carry out the scan again to see if it comes up again.

    I ran VEW (and have pasted the log below). Am about to carry out the Device Manager instructions. But just had a quick question. If I am meant to be disabling/reenabling device drivers until the laptop can no longer successfully boot up, how am I meant to work with it/get past that?


    First time I ran VEW, I got the following error message/warning pop up:

    VEWv01c

    Run-time error '429':

    ActiveX component can't create object

    [OK]

    then restarted and ran again (this time disabling Firewall/Antivirus just in case it was interfering). This time it ran successfully.
     
  19. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    VEW log created:


    Vino's Event Viewer v01c run on Windows XP in English
    Report run at 20/06/2011 22:13:17

    Note: All dates below are in the format dd/mm/yyyy

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'Application' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'Application' Date/Time: 19/06/2011 13:43:03
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 19/06/2011 01:29:46
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 19/06/2011 01:01:46
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 19/06/2011 00:34:10
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 18/06/2011 20:00:34
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 18/06/2011 11:58:44
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 16/06/2011 21:51:32
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.
     
  20. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    Log: 'Application' Date/Time: 17/06/2011 14:37:35
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 17/06/2011 08:27:58
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 16/06/2011 23:12:32
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 16/06/2011 22:43:56
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.
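What the VEW output in posts 19 and 20 shows is one and the same crash, svchost.exe (the "Generic Host Process for Win32 Services" mentioned in post 15) dying at fault address 0x001a6f95 with the faulting module reported as "unknown", meaning Windows could not attribute that address to any loaded module, repeated several times a day over several days. With twenty records per log it is easy to miss that they are all the same signature. The following is an added example for this thread, not part of VEW or of the original posts: it parses VEW's text format (a "Log:" header with the dd/mm/yyyy timestamp, a "Type:" line, an "Event:"/"Source:" line, then the message) and groups records by crash signature so a recurring fault stands out with a count and first/last time. The sample input is a constructed excerpt in VEW's format using records from this thread; the crypt32 URL is written as "<address removed>" because the poster redacted it. On a live machine the same records come straight from the Event Log, for instance with PowerShell's Get-EventLog -LogName Application -EntryType Error -Newest 20.

```python
"""Group Vino's Event Viewer (VEW) records by crash signature.

Added example for this thread, not part of VEW or of the original posts.
VEW prints one record per blank-line-separated block: a "Log:" header with
the timestamp, a "Type:" line, an "Event:"/"Source:" line and the message.
Timestamps are dd/mm/yyyy, as VEW's own note says.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt in VEW's format (a subset of the records posted in this
# thread; the crypt32 URL is written as <address removed> because the poster
# redacted it).
SAMPLE_VEW = """\
Log: 'Application' Date/Time: 19/06/2011 13:43:03
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

Log: 'Application' Date/Time: 18/06/2011 20:00:34
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

Log: 'Application' Date/Time: 16/06/2011 16:47:23
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <address removed> with error: This network connection does not exist.

Log: 'System' Date/Time: 20/06/2011 21:42:15
Type: error Category: 0
Event: 10010 Source: DCOM
The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

Log: 'System' Date/Time: 20/06/2011 21:30:15
Type: error Category: 0
Event: 10010 Source: DCOM
The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.
"""

HEADER_RE = re.compile(
    r"^Log: '(?P<log>[^']+)' Date/Time: "
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})$")
EVENT_RE = re.compile(r"^Event: (?P<event>\d+) Source: (?P<source>.+)$")
# The Event 1000 (Application Error) message fields worth keying on.
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), .*faulting module (?P<module>\S+), "
    r".*fault address (?P<addr>0x[0-9a-fA-F]+)")


def parse_vew(text):
    """Return a list of dicts: log, time, event, source, message."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 4:
            continue                      # not a complete record
        head = HEADER_RE.match(lines[0])
        evt = EVENT_RE.match(lines[2])
        if not head or not evt:
            continue                      # banner or separator text
        records.append({
            "log": head["log"],
            "time": datetime.strptime(head["ts"], "%d/%m/%Y %H:%M:%S"),
            "event": int(evt["event"]),
            "source": evt["source"],
            "message": " ".join(lines[3:]),
        })
    return records


def signature(rec):
    """Key that stays the same across repeats of the same fault.

    For Event 1000 that is application + faulting module + fault address;
    for everything else the message text itself.
    """
    m = FAULT_RE.search(rec["message"])
    if rec["event"] == 1000 and m:
        detail = f"{m['app']} module={m['module']} addr={m['addr']}"
    else:
        detail = rec["message"]
    return (rec["log"], rec["source"], rec["event"], detail)


def summarize(records):
    """One row per signature with count and first/last time, most frequent first."""
    groups = defaultdict(list)
    for rec in records:
        groups[signature(rec)].append(rec["time"])
    rows = [{"log": k[0], "source": k[1], "event": k[2], "signature": k[3],
             "count": len(t), "first": min(t), "last": max(t)}
            for k, t in groups.items()]
    rows.sort(key=lambda r: (-r["count"], r["first"]))
    return rows


def unknown_module_faults(records):
    """Event 1000 crashes Windows could not attribute to any loaded module."""
    hits = []
    for rec in records:
        m = FAULT_RE.search(rec["message"])
        if rec["event"] == 1000 and m and m["module"].lower() == "unknown":
            hits.append((rec["time"], m["app"], m["addr"]))
    return hits


if __name__ == "__main__":
    recs = parse_vew(SAMPLE_VEW)
    for row in summarize(recs):
        print(f"{row['count']:>3}x  {row['log']:<11} {row['source']:<18} "
              f"event {row['event']:<5} {row['first']:%d/%m %H:%M} .. "
              f"{row['last']:%d/%m %H:%M}  {row['signature']}")
    for when, app, addr in unknown_module_faults(recs):
        print(f"unknown-module fault: {app} at {addr} on {when:%d/%m/%Y %H:%M:%S}")
```

The grouping key deliberately drops the version strings and keeps application, module and fault address, so that the same crash logged on different days collapses to one row; the separate unknown-module list exists because a fault address that belongs to no loaded module is the detail a responder would want to chase next (for example by capturing a crash dump of that svchost instance), rather than just counting.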
     
  21. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    Am trying to post the rest of the log - initially thought it would not post as it made the post too long (hence why I have split it). But there is something in the next part of the log that will not allow me to submit the post. Have managed to get it posted but have removed the address as listed in the log. Have replaced it with the section in bold:

    Log: 'Application' Date/Time: 16/06/2011 16:47:23
    Type: error Category: 0
    Event: 8 Source: crypt32
    Failed auto update retrieval of third-party root list sequence number from: <then there is an address> with error: This network connection does not exist.

    Log: 'Application' Date/Time: 16/06/2011 16:47:23
    Type: error Category: 0
    Event: 8 Source: crypt32
    Failed auto update retrieval of third-party root list sequence number from: <then there is an address> with error: The connection with the server was terminated abnormally

    Log: 'Application' Date/Time: 16/06/2011 16:11:01
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 16/06/2011 15:53:56
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 16/06/2011 14:21:45
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 15/06/2011 23:09:26
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 15/06/2011 22:10:22
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 15/06/2011 21:47:49
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.

    Log: 'Application' Date/Time: 14/06/2011 16:36:45
    Type: error Category: 100
    Event: 1000 Source: Application Error
    Faulting application svchost.exe, version 5.1.2600.5512, faulting module unknown, version 0.0.0.0, fault address 0x001a6f95.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    'System' Log - error Type
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Log: 'System' Date/Time: 20/06/2011 21:42:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 21:30:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 21:20:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 21:10:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 21:08:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:58:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:48:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:46:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:42:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:38:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:36:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:32:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:28:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:26:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:20:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:18:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:12:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:06:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 20:04:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.

    Log: 'System' Date/Time: 20/06/2011 19:58:15
    Type: error Category: 0
    Event: 10010 Source: DCOM
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.
     
  22. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    The missing address is:


    <http://www.download.something.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
     
  23. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    The something is made up of two separate words (no spaces between them):

    windows

    and

    update



    Took a while to figure out that those two words cannot be submitted in a reply, as it keeps coming up with an error message. Why is that?
     
  24. Silver78

    Silver78 TS Rookie Topic Starter Posts: 17

    Carried out Device Manager instructions. After reenabling the first set of devices (although did not reenable any network adapters), I restarted in normal mode and in Device Manager it shows an extra network adapter that has just appeared and is not disabled like the rest. It was labelled '1394 Net Adapter'.

    The only change noticed was that the issue with appearance (from XP theme to classic appearance) was still present. Was unable to test internet browser crashes as had disabled those ones. Also still getting Win32 error message.

    Disabled the newly appeared Network Adapter, reenabled a number of other devices and then restarted again. All items on screen flashed a couple of times and appearance changed to classic theme (this is how it usually switches when I have previously encountered this problem). But it then returned to XP theme a couple of minutes later. Sound problem is also present despite reenabling the sound, video and game controllers on this most recent restart.

    Reenabled more devices (mainly network adapters). When doing so, a number of them were disappearing from the list of network adapters. (Was originally 8 network adapters - then went to 9 after rebooting, and now reduced to only 3 after reenabling them).

    After another reboot, still having problems connecting to wireless router.

    Lastly disabled secondary IDE channel (did not have the option to disable any others from IDE ATA/ATAPI controllers; serial ATA storage controller or the primary IDE channel). Audio was working ok, connected to wireless router fine, haven't yet noticed a change in appearance. However, internet browser still crashing/exiting. Upon restart, tried to click on the link for Techspot website in recent addresses and browser instantly shut down.

    Lastly I reenabled the secondary IDE channel. And restarted into normal mode. Seems to be connecting OK to wireless router, audio is working, not noticed changes in appearance (yet). Still having problem with internet browser exiting/crashing. Happened again just now when trying to navigate to this thread. When I clicked on the link for this thread, the browser just shut down. After reopening internet browser a couple of times I have managed to get back to this thread.

    Also still getting Win32 error message.
     
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I am not a hardware person. But I have assembled some information for you, based on log entries and error events:

    The DCOM errors that are timing out are due to server performance:
    Most of the components which are failing or performing slowly are the basic system components only. For instance, these multiple errors:
    The server {8BC3F05E-D86B-11D0-A075-00C04FB68820} did not register with DCOM within the required timeout.
    The GUID {8BC3F05E-D86B-11D0-A075-00C04FB68820} is the CLSID for WMI (Windows Management Instrumentation).
    The GUID {BA126AD1-2166-11D1-B1D0-00805FC1270E} is the CLSID (class id) for Network Connection Manager.

    Both have DCOM in common:

    Check the permissions on the HKCR\CLSID registry key. By default this is how the permissions on that key should look:
    http://blogs.msdn.com/blogfiles/distributedservices/WindowsLiveWriter/DCOMError10010intheEventlogsandSLUGGISHs_91E1/image_thumb.png
    If it does not, you will see that the USERS group is not listed in the ACL for this registry key. You might see an account with the name RESTRICTED listed there. To fix the problem, you can configure the ACLs on the HKCR\CLSID key in the default way. For Windows 2003, this is how the default permissions on HKCR\CLSID should look:

        1. Administrators – FULL CONTROL
        2. Power Users – READ
        3. SYSTEM – FULL CONTROL
        4. Users – READ

    After making the registry change, you have to reboot the machine so that the programs can access the registry during the startup and hence function properly.
    Credit to msdn.com

    If this does not resolve the errors, see this section: Please Note. (http://blogs.msdn.com/b/distributedservices/archive/2009/01/21/dcom-error-10010-in-the-event-logs-and-sluggish-server-performance.aspx)
    ========================================
    I will leave you this also, although you may be ahead of me on it:
    IDE/ATA Channels and Resource Usage (http://www.pcguide.com/ref/hdd/if/ide/confChannels-c.html)
     
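As an added example that is not Bobbye's or MSDN's code: a read-only PowerShell audit of the HKCR\CLSID ACL against the four default entries quoted in the post above. It assumes PowerShell 2.0 or later on Windows, an elevated prompt, and that the groups resolve to the BUILTIN\ and NT AUTHORITY\ account names used in the script; it only reports differences, and the registry change itself stays the manual step the post describes.

```powershell
# Added example (not from the thread): read-only audit of the HKCR\CLSID ACL
# against the default entries quoted in the post. Reports only, changes nothing.
# Assumes PowerShell 2.0+ with the Registry provider, run from an elevated prompt.

# Default Allow entries from the post (Windows 2003 defaults); NTAccount names assumed.
$expected = @{
    'BUILTIN\Administrators' = 'FullControl'
    'BUILTIN\Power Users'    = 'ReadKey'      # "READ" in the post
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Users'          = 'ReadKey'
}

$acl   = Get-Acl -Path 'Registry::HKEY_CLASSES_ROOT\CLSID'
$rules = @($acl.Access)

"Current ACL on HKCR\CLSID:"
foreach ($r in $rules) {
    "{0,-6} {1,-28} {2}" -f $r.AccessControlType, $r.IdentityReference, $r.RegistryRights
}

$problems = @()
foreach ($id in $expected.Keys) {
    # Satisfied if some Allow rule for this identity grants at least the expected rights.
    $want = [System.Security.AccessControl.RegistryRights]$expected[$id]
    $ok = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $id -and
        (($_.RegistryRights -band $want) -eq $want)
    }
    if (-not $ok) { $problems += "No Allow entry granting $($expected[$id]) to $id" }
}

# Signs of a damaged ACL: a RESTRICTED account listed (named in the post), or
# Deny rules (an added check, since they also block normal access to the key).
foreach ($r in $rules) {
    if ($r.IdentityReference.Value -match 'RESTRICTED') {
        $problems += "Unexpected entry for $($r.IdentityReference)"
    }
    if ($r.AccessControlType -eq 'Deny') {
        $problems += "Deny rule present for $($r.IdentityReference)"
    }
}

if ($problems.Count -eq 0) {
    "HKCR\CLSID ACL contains the expected default entries."
} else {
    "Differences from the expected defaults (compare with the post before changing anything):"
    $problems | ForEach-Object { "  - $_" }
}
```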
Topic Status:
Not open for further replies.

