Jump to content

Can't install anti-rootkit driver

Recommended Posts

Occasionally, I get a popup from malwarebytes saying that it was unable to load the anti-rootkit driver and that it needs to reboot to do so. When I do, an error message pops up right before it reboots (I don't catch what it says), it reboots, updates, does a scan, and everything seems fine until it pops up again later. I tried a clean reinstall from the 1st part of the list you guys post a lot, and it didn't fix the problem. I'm attaching some logs here, thanks for your time!





Link to post
Share on other sites

Hello Izoold and welcome to Malwarebytes forum.


This system appears to have a rogue or rootkit infecttion.

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.



Restart your system, Windows, so that it is a fresh start.

Please download Malwarebytes Anti-Rootkit (MBAR)  and save it to your desktop,
from here   

•Be sure to print out ( if possible) and follow the instructions provided on that same page.

•Doubleclick on the MBAR file you downloaded and approve the UAC prompt in Vista and newer operating systems.
•Click **OK** on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.
•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
•After reading the Introduction, click '**Next**' if you agree.
•On the Update Database screen, click on the '**Update**' button.
•Once you see 'Success: Database was successfully updated' click on 'Next'.
•Click the '**Scan**' button.

With some infections, you may see two messages boxes.
  1.'Could not load protection driver'. Click 'OK'.
  2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, do **NOT** press the Cleanup button when the scan completes. Click EXIT.
Then, please send the following logs as attachments to your reply. These logs are located in the mbar folder on your desktop where the tool extracted itself to.

**mbar-log-2014-xx-xx(xx-xx-xx).txt** (where xx-xx(xx-xx-xx) is the date and time of the scan)
+ also

I need to have both of those files attached in your next reply.  Thanks.

Link to post
Share on other sites


You may want to print out or copy these instructions to Notepad for offline reference!

These steps are for member izoold only. If you are a casual viewer, do NOT try this on your system!

If you are not izoold and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.


Close any of your open programs while you run these tools.

On most all of the following programs and tools, you will need to do a right-click on the program link or shortcut or desktop icon (as appropriate) and then select "Run as Administrator". Please remember that as you go along and use these tools, each in turn.


OK. Lets do this at this point.

Part A

Please download Rkill by Grinler and save it to your desktop. You only need for 1 of these to work.


If the first does not work, go to the 2nd or a next.

http://download.bleepingcomputer.com/grinler/rkill.scr  {link 2}

http://download.bleepingcomputer.com/grinler/rkill.pif   {link 3}

http://download.bleepingcomputer.com/grinler/rkill.exe    {link 4}

Double-click on the Rkill desktop icon to run the tool.

If using Vista or Windows 7 or 8, right-click on it and select Run As Administrator.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

If not, delete the file, then download and use the one provided in Link 2.

If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.

If the tool does not run from any of the links provided, please let me know.

If your antivirus program gives a prompt message, respond positive to allow RKILL to run.

If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL

IF you still have a problem running RKILL, you can download http://download.bleepingcomputer.com/grinler/iExplore.exe  or http://download.bleepingcomputer.com/grinler/eXplorer.exe , which are renamed copies of rkill.com, and try them instead.

When all done, rkill.txt log file will be on your desktop. Attach contents of Rkill.txt into your next reply.




Part B

If you have a prior copy of Combofix, delete it now

Download Combofix from any of the links below, and SAVE it to your Desktop.

Link 1

Link 2

**Note: It is important that it is saved directly to your Desktop and not run straight away from download **

Turn OFF your antivirus, otherwise it will interfere.  How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Have infinite patience during the run & scan by Combofix. It has many phases:  some 50+ stages

It will display it's "stage" within the Command prompt window. Do NOT panic if it seems slow to change ! It has lots of work.

You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.

Combofix my take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on speed of your system and how much there is to scan & how much it needs to clean.

If this is on a notebook system, make sure first the notebook is connected to wall-power  (AC power)or a UPS system

Important:  Have no other programs running.  Your Task Bar should be clear of any program entries including your Browser.

Right- click on Combo-Fix.exe on your Desktop cf-icon.jpg and select "Run as Administrator".

  • A window may open with a warning or prompts.  Accept the EULA and follow the prompts during the start phase of Combofix.

    When the scan completes Notepad will open with with your results log open. Do a File, Exit and answer 'Yes' to save changes.

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.  


A file will be created at => C:\Combofix.txt.  


[1] IF after Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer, this should resolve the problem. You may have reboot the pc a second time if needed.

[2] Do not mouseclick combofix's window nor run any program while Combofix is running.

That may cause it to stall.

[3]When all done, IF Combofix did not do a Restart...then ... I need for you to Restart the system fresh :excl:

Reply & Copy & Paste contents of the C:\Combofix.txt log

and tell me, How is the system now icon_question.gif

Re-enable your antivirus program.

Link to post
Share on other sites

I haven't gotten the popup since yesterday, so everything seems fine?

Here are the logs: 



ComboFix 14-06-04.01 - Plengsri 06/06/2014  10:05:45.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8150.6095 [GMT -4:00]
Running from: c:\users\Plengsri\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
(((((((((((((((((((((((((   Files Created from 2014-05-06 to 2014-06-06  )))))))))))))))))))))))))))))))
2014-06-06 14:15 . 2014-06-06 14:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-06-06 14:07 . 2014-06-06 14:07 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2EF9AE16-4DF8-4CC3-875D-2089B9E2A287}\offreg.dll
2014-06-06 11:48 . 2014-05-20 05:18 10702536 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2EF9AE16-4DF8-4CC3-875D-2089B9E2A287}\mpengine.dll
2014-06-05 03:06 . 2014-06-05 03:07 -------- d-----w- C:\FRST
2014-06-04 00:20 . 2014-06-04 00:20 91352 ----a-w- c:\windows\system32\drivers\28E20C35.sys
2014-05-30 07:22 . 2014-05-30 07:22 -------- d-----w- c:\users\Plengsri\AppData\Roaming\roi
2014-05-30 07:22 . 2014-05-30 07:22 -------- d-----w- c:\program files (x86)\AGEIA Technologies
2014-05-16 00:16 . 2014-05-16 00:16 29208 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-05-16 00:16 . 2014-05-16 00:16 43152 ----a-w- c:\windows\avastSS.scr
2014-05-14 07:04 . 2014-05-06 04:40 23544320 ----a-w- c:\windows\system32\mshtml.dll
2014-05-14 07:04 . 2014-05-06 03:00 84992 ----a-w- c:\windows\system32\mshtmled.dll
2014-05-14 07:04 . 2014-05-06 04:17 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-14 07:04 . 2014-05-06 03:07 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-05-14 07:04 . 2014-05-14 07:04 -------- d-----w- c:\program files\Common Files\DESIGNER
2014-05-14 03:55 . 2014-03-04 11:32 599840 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2014-05-12 01:57 . 2014-06-06 12:03 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-12 01:57 . 2014-06-01 15:29 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-05-12 01:57 . 2014-05-12 11:26 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
2014-06-05 16:43 . 2014-02-06 10:27 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-16 00:17 . 2014-01-13 17:14 85328 ----a-w- c:\windows\system32\drivers\aswstm.sys
2014-05-16 00:17 . 2013-08-31 00:01 423240 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-05-16 00:17 . 2013-08-31 00:01 1039096 ----a-w- c:\windows\system32\drivers\aswsnx.sys
2014-05-16 00:16 . 2013-08-31 00:01 208416 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-05-16 00:16 . 2013-08-31 00:01 65776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-05-16 00:16 . 2013-08-31 00:01 79184 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-05-16 00:16 . 2013-01-08 02:34 334648 ----a-w- c:\windows\system32\aswBoot.exe
2014-05-16 00:16 . 2013-08-31 00:01 93568 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-05-14 07:02 . 2012-12-19 21:58 93223848 ----a-w- c:\windows\system32\MRT.exe
2014-05-14 00:50 . 2012-12-20 15:42 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-14 00:50 . 2012-12-20 15:42 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-05-12 11:25 . 2012-12-19 00:30 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-23 07:54 . 2013-12-26 23:43 185344 ----a-w- C:\translator.dll
2014-04-21 21:20 . 2014-04-21 21:20 1218641 ----a-w- c:\windows\unins000.exe
2014-04-15 00:13 . 2014-04-28 06:43 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-03-31 13:35 . 2010-11-21 03:27 270496 ------w- c:\windows\system32\MpSigStub.exe
2014-03-10 08:39 . 2012-12-18 23:51 25640 ----a-w- c:\windows\gdrv.sys
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown 
"Akamai NetSession Interface"="c:\users\Plengsri\AppData\Local\Akamai\netsession_win.exe" [2014-04-18 4672920]
"DAEMON Tools Ultra Agent"="c:\program files (x86)\DAEMON Tools Ultra\DTAgent.exe" [2013-05-23 3123744]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2014-01-17 759496]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2012-05-23 5120144]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-05-20 291648]
"PlusService"="c:\program files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [2014-02-23 811520]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"LWS"="c:\program files (x86)\Logitech\LWS\Webcam Software\LWS.exe" [2012-09-13 204136]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2013-08-29 1861968]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-06-01 3888648]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"BlueStacks Agent"="c:\program files (x86)\BlueStacks\HD-Agent.exe" [2014-03-13 819984]
"GamingMouse"="c:\program files (x86)\Gaming Mouse\hid.exe" [2013-05-22 263168]
c:\users\Plengsri\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Core Temp.lnk - c:\program files\Core Temp\Core Temp.exe [2012-12-18 854480]
Rainmeter - Shortcut.lnk - c:\program files (x86)\Rainmeter\Rainmeter.exe [2012-12-19 40112]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2013-10-29 36536]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R2 BstHdAndroidSvc;BlueStacks Android Service;c:\program files (x86)\BlueStacks\HD-Service.exe BstHdAndroidSvc Android;c:\program files (x86)\BlueStacks\HD-Service.exe BstHdAndroidSvc Android [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys;c:\windows\SYSNATIVE\Drivers\ssadadb.sys [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe;c:\windows\SYSNATIVE\AppleChargerSrv.exe [x]
R3 Beat;Beat;c:\game\SoftnyxGame\LoveRitmoPS\avital\lbeat64.sys;c:\game\SoftnyxGame\LoveRitmoPS\avital\lbeat64.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys;c:\windows\SYSNATIVE\drivers\EagleX64.sys [x]
R3 etdrv;etdrv;c:\windows\etdrv.sys;c:\windows\etdrv.sys [x]
R3 GVTDrv64;GVTDrv64;c:\windows\GVTDrv64.sys;c:\windows\GVTDrv64.sys [x]
R3 ICCS;Intel® Integrated Clock Controller Service - Intel® ICCS;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe;c:\program files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 LVRS64;Logitech RightSound Filter Driver;c:\windows\system32\DRIVERS\lvrs64.sys;c:\windows\SYSNATIVE\DRIVERS\lvrs64.sys [x]
R3 LVUVC64;Logitech HD Webcam C310(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys;c:\windows\SYSNATIVE\drivers\mbamchameleon.sys [x]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des;c:\windows\SYSNATIVE\GameMon.des [x]
R3 ose64;Office 64 Source Engine;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE;c:\program files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [x]
R3 PlantronicsGC;PLTGC Interface;c:\windows\system32\drivers\PLTGC.sys;c:\windows\SYSNATIVE\drivers\PLTGC.sys [x]
R3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys;c:\windows\SYSNATIVE\DRIVERS\pneteth.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RivaTuner64;RivaTuner64;c:\program files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys;c:\program files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner64.sys [x]
R3 rzendpt;rzendpt;c:\windows\system32\DRIVERS\rzendpt.sys;c:\windows\SYSNATIVE\DRIVERS\rzendpt.sys [x]
R3 rzudd;Razer Mouse Driver;c:\windows\system32\DRIVERS\rzudd.sys;c:\windows\SYSNATIVE\DRIVERS\rzudd.sys [x]
R3 SaiK0CD7;SaiK0CD7;c:\windows\system32\DRIVERS\SaiK0CD7.sys;c:\windows\SYSNATIVE\DRIVERS\SaiK0CD7.sys [x]
R3 SaiK0CFA;SaiK0CFA;c:\windows\system32\DRIVERS\SaiK0CFA.sys;c:\windows\SYSNATIVE\DRIVERS\SaiK0CFA.sys [x]
R3 SaiU0CD7;SaiU0CD7;c:\windows\system32\DRIVERS\SaiU0CD7.sys;c:\windows\SYSNATIVE\DRIVERS\SaiU0CD7.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys;c:\windows\SYSNATIVE\DRIVERS\ssadserd.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
R3 X6va015;X6va015;c:\windows\SysWOW64\Drivers\X6va015;c:\windows\SysWOW64\Drivers\X6va015 [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AppleCharger.sys [x]
S1 aswKbd;aswKbd; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\Malwarebytes Anti-Exploit\MBAE.sys;c:\program files\Malwarebytes Anti-Exploit\MBAE.sys [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 BstHdDrv;BlueStacks Hypervisor;c:\program files (x86)\BlueStacks\HD-Hypervisor-amd64.sys;c:\program files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [x]
S2 BstHdLogRotatorSvc;BlueStacks Log Rotator Service;c:\program files (x86)\BlueStacks\HD-LogRotatorService.exe;c:\program files (x86)\BlueStacks\HD-LogRotatorService.exe [x]
S2 BstHdUpdaterSvc;BlueStacks Updater Service;c:\program files (x86)\BlueStacks\HD-UpdaterService.exe;c:\program files (x86)\BlueStacks\HD-UpdaterService.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 MessengerPlus;MessengerPlus Ptc;c:\program files\Yuna Software\Messenger Plus!\Messenger Plus! Ptc\MsgGuard.exe;c:\program files\Yuna Software\Messenger Plus!\Messenger Plus! Ptc\MsgGuard.exe [x]
S2 NvNetworkService;NVIDIA Network Service;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe;c:\windows\SYSNATIVE\viakaraokesrv.exe [x]
S3 ALSysIO;ALSysIO;c:\users\Plengsri\AppData\Local\Temp\ALSysIO64.sys;c:\users\Plengsri\AppData\Local\Temp\ALSysIO64.sys [x]
S3 Disc Soft Bus Service;Disc Soft Bus Service;c:\program files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe;c:\program files (x86)\DAEMON Tools Ultra\DiscSoftBusService.exe [x]
S3 dtscsibus;DAEMON Tools Virtual SCSI Bus;c:\windows\system32\DRIVERS\dtscsibus.sys;c:\windows\SYSNATIVE\DRIVERS\dtscsibus.sys [x]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys;c:\windows\SYSNATIVE\Drivers\EtronHub3.sys [x]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys;c:\windows\SYSNATIVE\Drivers\EtronXHCI.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR81xx PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys;c:\windows\SYSNATIVE\drivers\viahduaa.sys [x]
S3 WinRing0_1_2_0;WinRing0_1_2_0;c:\users\Plengsri\AppData\Local\Temp\tmpEE44.tmp;c:\users\Plengsri\AppData\Local\Temp\tmpEE44.tmp [x]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - dump_wmimmc
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-05-22 23:48 1091912 ----a-w- c:\program files (x86)\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe
Contents of the 'Scheduled Tasks' folder
2014-06-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-12-20 00:50]
2014-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-18 23:42]
2014-06-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-12-18 23:42]
2014-06-06 c:\windows\Tasks\Malwarebytes Anti-Exploit.job
- c:\program files\Malwarebytes Anti-Exploit\mbae-loader.exe [2014-02-06 18:40]
--------- X64 Entries -----------
2014-05-16 00:16 290888 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
"GamecomSound"="c:\program files\Plantronics\GameCom780\GameCom780.exe" [2012-06-28 775560]
"ProfilerU"="c:\program files\SmartTechnology\Software\ProfilerU.exe" [2012-10-15 454144]
"SaiMfd"="c:\program files\SmartTechnology\Software\SaiMfd.exe" [2012-10-15 158208]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2014-02-05 2234144]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2014-02-05 1179576]
------- Supplementary Scan -------
uLocal Page = c:\windows\system32\blank.htm
uDefault_Search_URL = hxxp://www.google.com/ie
uStart Page = hxxp://www.plusnetwork.com/?publisher=MessengerPlus&dpid=pb2&co=TJ&userid=agent60778776-e165-4fd6-a67a-2084fcaae14b&sp=hp&searchtype=hp&t=c0127&uid=60778776-e165-4fd6-a67a-2084fcaae14b
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = localhost;; <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer =
- - - - ORPHANS REMOVED - - - -
Wow6432Node-HKCU-Run-AIM for Windows - c:\users\Plengsri\AppData\Local\AOL\AIM\aim.exe
c:\users\Plengsri\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GameStop Now.lnk - c:\program files (x86)\GameStop App\Now\GameStopNow.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Hawkes Update Notifier.lnk - c:\program files (x86)\Hawkes Learning Systems\Hawkes Update Service Manager\HawkesUpdater.exe /NOTIFY SILENT=FALSE
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-Developmental Math (Fall 2012 Student) - c:\programdata\{E0035BBD-458C-4A2D-B603-95E2F829468B}\dev-student-setup.exe
AddRemove-RivaTuner - c:\program files (x86)\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\uninstall.exe
AddRemove-{75D84EF7-0D8C-4e70-B3FA-7B42A5D4E0EB} - c:\program files (x86)\Common Files\BioWare\Uninstall Mass Effect 2.exe
AddRemove-{7CD6B202-CDCC-48CF-9B96-268A94BD97FB} - c:\programdata\{4546B217-0A64-4FF8-979A-F647CA110B15}\Hawkes Update Service Manager.exe
"ImagePath"="c:\windows\system32\GameMon.des -service"
--------------------- LOCKED REGISTRY KEYS ---------------------
@Denied: (A 2) (Everyone)
@Denied: (A 2) (Everyone)
@Denied: (A 2) (Everyone)
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
@Denied: (A 2) (Everyone)
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
@Denied: (Full) (Everyone)
Completion time: 2014-06-06  10:22:37
ComboFix-quarantined-files.txt  2014-06-06 14:22
Pre-Run: 275,681,148,928 bytes free
Post-Run: 279,648,268,288 bytes free
- - End Of File - - FB2C30510AA64447FF400CDF084D3F80
Link to post
Share on other sites

The combofix run & the rkill run were worthwhile to do.  And if the original issue has not re-occurred ( as you report) then we can close this.
Delete the mbar.exe
and the \mbar folder


  • Highlight the line in this CODEBOX.
    Select & Copy the entire line within this codebox (so that it is in Windows clipboard memory)
    c:\users\Plengsri\Desktop\ComboFix.exe /uninstall
  • Start >> type in cmd >> press the Ctrl+Shift+Enter keyboard combination and cmd.exe will be launched as if you selected Run as Administrator. You will then see a User Account Control prompt asking if you would like to allow the Command Prompt to be able to make changes on your computer. Click on the Yes button and you will now be at the Elevated Command Prompt.

    Do a Right click within the command prompt window and select Paste.  This must show the line from Codebox above.
    Then tap Enter

IF in the case Combofix un-install has an issue, skip that step.


  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Then some suggestions for the scheduled tasks in the Anti-Malware:
Take a look inside the program. Start the Anti-Malware. Click on the Settings icon at the top bar up at top.
Then click the Advanced Settings button at the left.
Be sure all top 3 lines on that window are check-marked ( selected ).

Now a couple of changes for each of the Update task & the Threat scan task in the Scheduler.
Click on Automated Scheduling button.

Locate and click once on Check for Updates line and press Edit. Then press the Advanced button at bottom left.
Slide the window up so you can see all of it. {press the mouse on the very top bar and slide UP }

Look at the "starting time" of the task and use some good time when you know that your computer will be on & powered & that Windows would be on at that time.
Look at the line in Schedule Options. UN-check "Show notification after successful update".

In the Frequency and Settings. Select Hourly and I suggest using the Recurrence at 4 hours.
In the Recovery Options put a check-mark on "Recover missed tasks" and select 1 hour
When done, press the OK button.

Locate and click once on the Threat Scan line and press Edit.Then press the Advanced button at bottom left.
Slide the window up so you can see all of it. {press the mouse on the very top bar and slide UP }

In the Schedule Options, put a check-mark on the line Terminate program when no threats are found
{when no malwares are detected you want the scheduled task to close}.

In the Frequency and Settings block.
You should have Daily and the recurrence set to 1 day.
now UN-check the line Check for updates before scanning {{that line should be always off otherwise the task may not run at the time set. It maybe run +/- 15 minutes of that period.}

In the Recovery Options put a check-mark on "Recover missed tasks" and select 1 hour
When done, press the OK button.

When completely done, close the window.

A fresh Windows start would be good to do at this point. Use Logoff and Restart Windows.

Monitor your system over the next day or two and let me know how it goes.

Link to post
Share on other sites

  • 2 weeks later...

This tool will collect some information on the installation of Malwarebytes and create a report I need to review:
Download mbam-check.exe and save it to your desktop    from  http://downloads.malwarebytes.org/file/mbam_check
On Vista/Windows 7, 8, Right-click on mbam-check.exe & select Run as Administrator & allow to Run.
On XP,Double-click on mbam-check.exe to run it.
It should then open a log file CheckResults.txt
You should attach the CheckResults.txt file located on your desktop so that I can review.

Link to post
Share on other sites

Start the Anti-Malware. Click the Settings icon on the top bar.

Click Advanced Settings button.


Locate and look at the line Delay Protection at startup

put a checkmark there and select 30 seconds


Apply this change.  Let me know whether or not you have marked Enable self protection module.

Link to post
Share on other sites

Download   Farbar's Service Scanner utility
and Save to your Desktop.

If using Windows 7/8 or Vista, Right-Click on fss.exe and select Run As Admisnitrator.
If using XP, double-click to start.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Attach FSS.txt into your reply.

Link to post
Share on other sites

Save the attached W7SERV.zip file to the Desktop.


Now, close your open windows apps. Navigate ( position to ) the desktop so you can see the saved file.

Next then, un-zip ( extract all ) of W7SERV.zip to the desktop.


Right-click on W7SERV.bat and select Run as Administrator and allow to run.


This should run very quickly in a command-prompt-window then it should restart Windows.
This script is just to get some Windows services set to normal standard default settings.



I would like for you to start the program.  Please look at the Dashboard screen.  Does it have the green-color bar with the check-mark "Your system is fully protected" ?

Click the **Settings** icon >> then **Detection and Protection**
are the 2 protections on for Malware protection + Malicious website protection ?   

Please let me know if you have any questions or need further assistance.


Link to post
Share on other sites

Zowie.  Kudos.

You may delete these items to cleanup after the tools I had you use:






I am glad that your Anti-Malware is now all good.


Suggestions that you should follow:
Get and put in place our  Anti-Exploit

Safer practices & malware prevention
Have a hardware router between the incoming internet-modem and your computer.

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

 Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

Check in at Windows Update and install any Important Updates offered.


Make certain that Automatic Updates is enabled.
How to configure and use Automatic Updates in Windows

Pay close attention when installing 3rd-party programs.

It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.

Furthermore, If the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you cancel the install and not use the free software.


Check on other update issues as well, by getting, installing and using Secunia Personal Software Inspector (PSI) on a monthly basis.
See How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector
Download, install, and keep updated Spyware Blaster (free): http://www.brightfort.com/spywareblaster.html
(all Protections should be enabled at all times)
Tutorial for Spywareblaster: Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware

I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
See the FAQ page http://mvps.org/winhelp2002/hostsfaq.htm
That would help to keep your browser away from known spyware/malware sites.
Get notified when the MVPS HOSTS file is updated

 Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
Having a total image backup of your system stored on DVD/CD is highly important.
Get and make use of imaging-backup utilities and save them to offline media. That way you have something to fall back to if a disaster hits.
Consider using Web of Trust    WOT add-on for your browser(s)

Take extreme care if you share USB-flash/thumb drives from other people {even from friends, roommates, relatives}
Don't plug in an unknown flash/thumb drive into your PC.
IF you must do so, hold down the SHIFT-key when you insert the drive.
Scan any file with your Antivirus prior to opening or using.

Link to post
Share on other sites

Tell me ( or remind me) why you are trying now to run the MBAR ?


When you  see two messages boxes.
  1.'Could not load protection driver'. Click 'OK'.
  2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.


If all that does not work, tell me, again, just why the need to run MBAR ?

Our Anti-Malware program version 2 contains antirootkit scanning capabilty.




Start the Anti-Malware program.

Click the Settings icon ( on the top bar) > then click **Detection and Protection** subtab, Detection Options, tick the box 'Scan for rootkits'.
Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
A Threat Scan will begin.

With _some infections_, you may see this message box.
'Could not load DDA driver'
Click 'Yes' to this message, to allow the driver to load after a restart.

Allow the computer to restart. Continue with the rest of these instructions.
When the scan is complete, click Apply Actions.
Wait for the prompt to restart the computer to appear, then click on Yes.

After the scan has completed, Click on the **History tab** > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click **'Copy to Clipboard'**
Paste the contents of the clipboard into your reply.


Link to post
Share on other sites

I ran MBAR before I even made the thread to see if that would fix it, I ran it again in my last reply to see if it was doing the same thing (which it was).

When I ran a scan, "Could not load DDA driver" popped up, when I hit yes to let it restart, something along the lines of "SDK failed to create code, error 20023" popped up and then it restarted. After the restart, mbam was able to run a normal scan and didn't catch anything.


Malwarebytes Anti-Malware
Scan Date: 6/22/2014
Scan Time: 9:41:02 PM
Administrator: Yes
Malware Database: v2014.06.23.01
Rootkit Database: v2014.06.20.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Plengsri
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 291535
Time Elapsed: 9 min, 11 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
In that log, it says malware, malicious website, and self-protection are disabled, but when I look in settings after the scan, malware and malicious website protection are enabled. 
Link to post
Share on other sites

Delete the mbar.exe  and also the \mbar folder.

You do not need to run that tool.


Your last scan shows no malwares detected.   Your system is good to go.


Have you restarted Windows today?


I would like for you to start the program.  Please look at the Dashboard screen.  Does it have the green-color bar with the check-mark "Your system is fully protected" ?

Does the top bar on the window show version **** ?    { you can also check Settings >> About button }

now, click on the **My Account** icon at the very top bar.   Does that show license state as "Licensed" ?  ( assuming you have a paid License)
let me know about all those

Click the **Settings** icon >> then **Detection and Protection**
are the 2 protections on for Malware protection + Malicious website protection ?    ( assuming you have a paid License and that it is activated)

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.