
Windows has encountered a critical problem and will restart automatic

Discussion in 'Virus and Malware Removal' started by frankiesweeney, Jan 10, 2013.

  1. frankiesweeney Newcomer, in training Posts: 20

    Malwarebytes Anti-Rootkit BETA 1.01.0.1011
    (c) Malwarebytes Corporation 2011-2012
    OS version: 6.0.6001 Windows Vista Service Pack 1 x86
    Account is Administrative
    Internet Explorer version: 8.0.6001.19088
    Java version: 1.6.0_38
    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED
    CPU speed: 2.128000 GHz
    Memory total: 1062924288, free: 144977920
    ------------ Kernel report ------------
    01/11/2013 03:51:12
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntkrnlpa.exe
    \SystemRoot\system32\hal.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\BOOTVID.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\System32\Drivers\sptd.sys
    \SystemRoot\system32\drivers\acpi.sys
    \SystemRoot\system32\drivers\WMILIB.SYS
    \SystemRoot\system32\drivers\msisadrv.sys
    \SystemRoot\system32\drivers\pci.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\drivers\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\system32\drivers\intelide.sys
    \SystemRoot\system32\drivers\PCIIDEX.SYS
    \SystemRoot\system32\DRIVERS\pcmcia.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\drivers\atapi.sys
    \SystemRoot\system32\drivers\ataport.SYS
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\system32\DRIVERS\MpFilter.sys
    \SystemRoot\System32\Drivers\PxHelp20.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\msrpc.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\system32\drivers\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\ecache.sys
    \SystemRoot\system32\drivers\disk.sys
    \SystemRoot\system32\drivers\CLASSPNP.SYS
    \SystemRoot\system32\drivers\crcdisk.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\tunmp.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\igdkmd32.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\b57nd60x.sys
    \SystemRoot\system32\DRIVERS\bcmwl6.sys
    \SystemRoot\system32\DRIVERS\ohci1394.sys
    \SystemRoot\system32\DRIVERS\1394BUS.SYS
    \SystemRoot\system32\drivers\tifm21.sys
    \SystemRoot\system32\DRIVERS\sdbus.sys
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\DKbFltr.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\nscirda.sys
    \SystemRoot\system32\drivers\irenum.sys
    \SystemRoot\System32\DRIVERS\dvd43llh.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\NTIDrvr.sys
    \SystemRoot\System32\Drivers\apbvftea.SYS
    \SystemRoot\System32\Drivers\SCSIPORT.SYS
    \SystemRoot\system32\DRIVERS\VMNetSrv.sys
    \SystemRoot\system32\DRIVERS\msiscsi.sys
    \SystemRoot\system32\DRIVERS\storport.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\RTKVHDA.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
    \SystemRoot\system32\DRIVERS\HSX_DPV.sys
    \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    \SystemRoot\system32\drivers\modem.sys
    \SystemRoot\System32\Drivers\Fs_Rec.SYS
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\System32\DRIVERS\rasacd.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\DRIVERS\smb.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \??\C:\Windows\system32\Drivers\vmm.sys
    \SystemRoot\System32\Drivers\SCDEmu.SYS
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\System32\Drivers\fastfat.SYS
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\NuidFltr.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\system32\DRIVERS\point32k.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_dumpata.sys
    \SystemRoot\System32\Drivers\dump_atapi.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\cdd.dll
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\drivers\luafv.sys
    \SystemRoot\system32\DRIVERS\irda.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\spsys.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\cdfs.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \??\C:\Windows\system32\drivers\int15.sys
    \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    \SystemRoot\system32\DRIVERS\NisDrvWFP.sys
    \SystemRoot\system32\drivers\peauth.sys
    \??\C:\Windows\system32\drivers\SECDRV.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\system32\DRIVERS\xaudio.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E81B4A53-4456-465F-A647-823416C65A77}\MpKsle86443cb.sys
    \??\C:\Windows\system32\drivers\TrueSight.sys
    \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\mbamswissarmy.sys
    \Windows\System32\ntdll.dll
    \Program Files\DAEMON Tools Lite\Engine.dll
    ----------- End -----------
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR2
    Upper Device Object: 0xffffffff84892ac8
    Upper Device Driver Name: \Driver\disk\
    Lower Device Name: \Device\0000009b\
    Lower Device Object: 0xffffffff847f3440
    Lower Device Driver Name: \Driver\USBSTOR\
    Driver name found: USBSTOR
    DriverEntry returned 0x0
    Function returned 0x0
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff85037718
    Upper Device Driver Name: \Driver\disk\
    Lower Device Name: \Device\Ide\IdeDeviceP2T0L0-3\
    Lower Device Object: 0xffffffff84f0d2b8
    Lower Device Driver Name: \Driver\atapi\
    Driver name found: atapi
    DriverEntry returned 0x0
    Function returned 0x0
    Host not found
    Downloaded database version: v2013.01.11.03
    Downloaded database version: v2013.01.04.01
    Initializing...
    Done!
    <<<2>>>
    Device number: 0, partition: 2
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff85037718, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff85037408, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff85037718, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
    DevicePointer: 0xffffffff8456e900, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xffffffff84f0d2b8, DeviceName: \Device\Ide\IdeDeviceP2T0L0-3\, DriverName: \Driver\atapi\
    ------------ End ----------
    Upper DeviceData: 0xffffffffae266f88, 0xffffffff85037718, 0xffffffff847877d8
    Lower DeviceData: 0xffffffffacc40a78, 0xffffffff84f0d2b8, 0xffffffff841388c0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: CC6623CC
    Partition information:
    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 2048 Numsec = 20480000
    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 20482048 Numsec = 67911680
    Partition file system is NTFS
    Partition is bootable
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 88393728 Numsec = 67905536
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 80026361856 bytes
    Sector size: 512 bytes
    Scanning physical sectors of unpartitioned space on drive 0 (1-2047-156281488-156301488)...
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xffffffff84892ac8, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff8696eac0, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff84892ac8, DeviceName: \Device\Harddisk1\DR2\, DriverName: \Driver\disk\
    DevicePointer: 0xffffffff847f3440, DeviceName: \Device\0000009b\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Upper DeviceData: 0xffffffffae2a56a0, 0xffffffff84892ac8, 0xffffffff847d77d8
    Lower DeviceData: 0xffffffffa99472b8, 0xffffffff847f3440, 0xffffffffa4273040
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 35A72B
    Partition information:
    Partition 0 type is Other (0xb)
    Partition is ACTIVE.
    Partition starts at LBA: 32 Numsec = 946144
    Partition file system is FAT32
    Partition is not bootable
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0
    Disk Size: 484442112 bytes
    Sector size: 512 bytes
    Done!
    Performing system, memory and registry scan...
    Done!
    Scan finished
    =======================================
  2. frankiesweeney Newcomer, in training Posts: 20

    As I said, the system seems more stable, but restarts can still fail to boot, though not as badly as before. I'm thinking this rootkit has been on the machine for a long time.
  3. frankiesweeney Newcomer, in training Posts: 20

    I meant to say I could not access FRST on the USB — sorry for the confusion.
  4. Broni Malware Annihilator Posts: 39,331   +175

    Create a new restore point before proceeding with the next step.
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ========================

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, restart your computer to restore your connection.
      If the connection is still not there, use the restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled, as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill, post BOTH logs, rKill.txt and Combofix.txt.
  5. frankiesweeney Newcomer, in training Posts: 20

    Having some problems... ComboFix ran perfectly, but Windows shut down while I was saving the text file. I will run it again.
  6. frankiesweeney Newcomer, in training Posts: 20

    ComboFix 13-01-11.02 - frank 12/01/2013 13:55:26.3.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.353.1033.18.1014.234 [GMT 0:00]
    Running from: c:\users\frank\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
    SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\wininit.ini
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-12-12 to 2013-01-12 )))))))))))))))))))))))))))))))
    .
    .
    2013-01-12 14:17 . 2013-01-12 14:17--------d-----w-c:\users\frank\AppData\Local\temp
    2013-01-12 14:17 . 2013-01-12 14:17--------d-----w-c:\users\fs2\AppData\Local\temp
    2013-01-12 14:17 . 2013-01-12 14:17--------d-----w-c:\users\Default\AppData\Local\temp
    2013-01-11 18:38 . 2013-01-11 18:3860872----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E84AD31C-CAA5-4F82-A62B-EEEA7650FE8A}\offreg.dll
    2013-01-11 14:53 . 2012-11-08 18:006812136----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E84AD31C-CAA5-4F82-A62B-EEEA7650FE8A}\mpengine.dll
    2013-01-10 14:20 . 2012-11-08 18:006812136----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2013-01-04 18:32 . 2013-01-04 18:32--------d-----w-c:\program files\Common Files\Java
    2013-01-04 18:26 . 2013-01-04 18:26477168----a-w-c:\windows\system32\npdeployJava1.dll
    2013-01-04 18:24 . 2013-01-04 18:24--------d-----w-c:\programdata\McAfee
    2013-01-02 00:40 . 2013-01-02 01:1021840----atw-c:\windows\system32\SIntfNT.dll
    2013-01-02 00:40 . 2013-01-02 01:1017212----atw-c:\windows\system32\SIntf32.dll
    2013-01-02 00:40 . 2013-01-02 01:1012067----atw-c:\windows\system32\SIntf16.dll
    2013-01-01 05:19 . 2013-01-01 05:191409----a-w-c:\windows\QTFont.for
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-01-10 08:35 . 2008-06-27 13:09132511717----a-w-c:\windows\DUMP74e0.tmp
    2013-01-04 18:26 . 2010-04-22 22:39473072----a-w-c:\windows\system32\deployJava1.dll
    2013-01-01 23:05 . 2008-01-21 02:33171008----a-w-c:\windows\system32\apphelp.dll
    2013-01-01 11:07 . 2006-11-02 06:3711973----a-w-c:\windows\system32\drivers\secdrv.sys
    2012-11-29 17:51 . 2012-11-29 17:55740840------w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5D0E97DF-B4A4-4C32-8EEB-49D10FC560FD}\gapaengine.dll
    2012-11-14 04:16 . 2009-07-10 19:13466008----a-w-c:\windows\system32\drivers\sptd.sys
    2006-05-03 12:06163328--sha-r-c:\windows\System32\flvDX.dll
    2007-02-21 13:4731232--sha-r-c:\windows\System32\msfDX.dll
    2008-03-16 15:30216064--sha-r-c:\windows\System32\nbDX.dll
    2010-01-07 00:00107520--sha-r-c:\windows\System32\TAKDSDecoder.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DCC39ACE-709B-44EA-B062-5F6BE2774644}]
    2012-08-23 19:03214448----a-w-c:\users\frank\AppData\Roaming\MyEmoticons\myemoticons-1.3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
    2012-11-08 16:58556056----a-w-c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
    2012-11-08 16:58556056----a-w-c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
    2012-11-08 16:58556056----a-w-c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
    2012-11-08 16:58556056----a-w-c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
    "DAEMON Tools Lite"="d:\program files\DAEMON Tools Lite\DTLite.exe" [2012-11-06 3673728]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-01-08 4853760]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-26 150552]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-12 947176]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-26 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-26 173592]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "midi5"=sxgb.dll
    "wave4"=sxgb.dll
    "mixer4"=sxgb.dll
    "aux3"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AudioEndpointBuilder]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Audiosrv]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HdAudAddService]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HDAudBus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MMCSS]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318}]
    @="[6cFgE][S?û?d, ?ìdeô ??d gª?è ¢o?tr?l?è?š !!! !!! !]"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{640167b4-59b0-47a6-b335-a6b3c0695aea}]
    @="Portable Media Devices"
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Desktop Manager.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Manager.lnk
    backup=c:\windows\pss\Desktop Manager.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
    backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
    backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Post-it® Software Notes Lite.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Post-it® Software Notes Lite.lnk
    backup=c:\windows\pss\Post-it® Software Notes Lite.lnk.CommonStartup
    backupExtension=.CommonStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2007-03-08 11:3840048----a-w-c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
    2011-07-28 23:081259376----a-w-c:\program files\DivX\DivX Update\DivXUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
    2008-11-17 17:50827904----a-w-c:\program files\dvd43\DVD43_Tray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2011-09-13 17:38136176----atw-c:\users\frank\AppData\Local\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleDriveSync]
    2012-11-08 16:5816070136----a-w-c:\program files\Google\Drive\googledrivesync.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
    2007-10-11 19:0662760----a-w-c:\program files\CyberLink\PowerDVD\Language\Language.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
    2008-01-07 23:51858632----a-w-c:\progra~1\LAUNCH~1\LManager.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
    2012-07-03 12:46973488----a-w-c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-02-18 12:3977824----a-w-c:\program files\QuickTime\qttask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    2008-01-22 21:2381920------w-c:\program files\CyberLink\PowerDVD\PDVDServ.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Speech Recognition]
    2008-01-21 02:3449664----a-w-c:\windows\Speech\Common\sapisvr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 16:072260480--sha-r-c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2012-05-17 02:15296056----a-w-d:\program files\real\realplayer\Update\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
    2011-03-23 21:41399736----a-w-c:\program files\uTorrent\uTorrent.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WarReg_PopUp]
    2008-01-29 16:03303104----a-w-c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    2007-12-20 15:1637376----a-w-c:\program files\Winamp\winampa.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    2008-01-21 02:331008184----a-w-c:\program files\Windows Defender\MSASCui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-21 02:35202240----a-w-c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetworkREG_MULTI_SZ PLA DPS BFE mpssvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 16:50]
    .
    2013-01-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-28 16:50]
    .
    2013-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1322574-3596047299-79548003-1003Core.job
    - c:\users\frank\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-11 17:38]
    .
    2013-01-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1322574-3596047299-79548003-1003UA.job
    - c:\users\frank\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-11 17:38]
    .
    2012-10-10 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1322574-3596047299-79548003-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 17:21]
    .
    2013-01-11 c:\windows\Tasks\ReclaimerUpdateFiles_frank.job
    - c:\users\frank\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-14 16:06]
    .
    2013-01-11 c:\windows\Tasks\ReclaimerUpdateXML_frank.job
    - c:\users\frank\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-14 16:06]
    .
    2013-01-12 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_frank.job
    - c:\users\frank\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-14 16:06]
    .
    2013-01-12 c:\windows\Tasks\User_Feed_Synchronization-{769BB95A-F5F4-48A1-A0E4-139FF95664FB}.job
    - c:\windows\system32\msfeedssync.exe [2011-10-02 04:32]
    .
    2012-05-30 c:\windows\Tasks\{0D7D0023-D227-44DF-B2FA-BBFF441C858B}.job
    - c:\users\frank\appdata\local\google\chrome\application\chrome.exe [2011-10-11 00:06]
    .
    2012-10-01 c:\windows\Tasks\{29FF558E-8E14-4CEC-8B51-8EB1F850DC87}.job
    - c:\users\frank\appdata\local\google\chrome\application\chrome.exe [2011-10-11 00:06]
    .
    2012-05-30 c:\windows\Tasks\{4B4D1DDD-F3D8-4EFB-8AAC-590CEB692A8A}.job
    - c:\users\frank\appdata\local\google\chrome\application\chrome.exe [2011-10-11 00:06]
    .
    2012-06-02 c:\windows\Tasks\{7E4C7D4F-C4E3-4F3B-8C47-B3BBB8DAE6A4}.job
    - c:\users\frank\appdata\local\google\chrome\application\chrome.exe [2011-10-11 00:06]
    .
    2012-06-02 c:\windows\Tasks\{CF1BBED9-A311-4C26-9F3B-FA3ED12529E6}.job
    - c:\users\frank\appdata\local\google\chrome\application\chrome.exe [2011-10-11 00:06]
    .
    2012-04-23 c:\windows\Tasks\{D796EF20-F94A-4EC1-8E0F-7E1875FFD9CF}.job
    - c:\users\frank\appdata\local\google\chrome\application\chrome.exe [2011-10-11 00:06]
    .
    2012-09-30 c:\windows\Tasks\{FA7315CD-74C4-4A70-BE0D-B09E54D83B1D}.job
    - c:\users\frank\appdata\local\google\chrome\application\chrome.exe [2011-10-11 00:06]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.babylon.com/?affID=112060&tt=4812_3&babsrc=HP_ss&mntrId=5a003357000000000000001fe2a7249a
    mStart Page = hxxp://en.ie.acer.yahoo.com
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.sharewareisland.com/quicksearch.aspx
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Free YouTube Download - c:\users\frank\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.1.254
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-01-12 14:17
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1322574-3596047299-79548003-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:97,fb,88,10,ef,53,24,f6,94,cf,7f,51,b0,43,4a,ee,b0,bf,e1,88,c0,7a,25,
    be,e4,50,15,46,e5,dc,3a,75,96,03,2c,7a,a6,ea,a5,cd,c7,89,24,ea,b5,de,b2,79,\
    "??"=hex:e8,c1,83,c9,08,05,0c,71,8a,56,db,ff,2c,c5,cc,b0
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2013-01-12 14:22:43
    ComboFix-quarantined-files.txt 2013-01-12 14:22
    ComboFix2.txt 2013-01-12 06:13
    .
    Pre-Run: 7,126,511,616 bytes free
    Post-Run: 7,085,608,960 bytes free
    .
    - - End Of File - - 516DF28761D288A48FA8F6B4CD8DE4DF
     
  7. Broni Malware Annihilator Posts: 39,331   +175

    I don't see anything malicious on your computer.


    In this forum, we make sure your computer is free of malware and clean :)
    Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.
  8. frankiesweeney Newcomer, in training Posts: 20

    Thanks Broni, it must be the hard drive then..... even though the scans etc. seemed to have helped .... say hello to sunny California for me.... thanks again
  9. Broni Malware Annihilator Posts: 39,331   +175