
unable to load the anti-root DDA Driver



When I was using mbam's last beta version I got this error message - the date in the hi-jack forum was Sept. 15th.

I was asked by Advanced Setup and another staff member to let you know if it comes up again.

At approx. 2pm AZ time this afternoon I started the notebook and this message was the first item on the desktop.

I did not hit yes or no....... just figured I should post logs as the staff member asked. (Sorry, I forgot the name of the other staff member.)

Running Windows 7 - 64 bit. Logs are below. Thanks for your time.


FRST.txt

Addition.txt

mbam hyper scan.txt


  • Root Admin

I'm wondering if it might be due to your installation of the Diskeeper HyperBoot application. We'll run the other steps listed below for general cleanup but if the issue continues you might want to try disabling this Diskeeper application at least for testing purposes.

 

What HyperBoot does is physically remap Windows boot data on the disk drive, bringing it closer together to minimize spindle access delays. The application also continues to optimize Windows as new applications are installed, offering an overall PC performance boost including faster shutdown times.

Already partnered with ASUS, the company has announced that it will provide its new HyperBoot™ "instant-on" boot time technology as a pre-installed feature, partnering with worldwide OEM brands. The latest version of HyperBoot works with Windows XP and Windows 7, supporting hard-disk drives and solid-state (SSD) drives.



STEP 01

Please go to your Control Panel, Add/Remove and look for and uninstall the AVG Secure Search toolbar.
Insecure AVG search tool
Vulnerability Note VU#960193 - AVG Safeguard and Secure Search ActiveX controls provides insecure methods


STEP 02
Next, please visit the AVG support site and download their manual removal tool.
It looks like you removed AVG antivirus already but may have some left over elements of that program and their manual removal tool should remove those items.

http://www.avg.com/us-en/utilities

STEP 03
You have some old Java on the system. Let's remove all of your Java. If at all possible I would highly recommend trying to use your computer without Java.
If, and only if, you really have to have it, make sure you always have the latest version from www.java.com; using older versions makes it easy to infect your computer.

Please go into Control Panel, Add/Remove and uninstall ALL versions of Java and then run the following.
 
Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

 

STEP 04
 
Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

STEP 05
The Event Logs show the following error (or a similar one) on your computer from WMI (Windows Management Instrumentation), which controls data management on the system.



Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


Please run the following Microsoft Fixit routine to try to automatically correct that error.
Event ID 10 is logged in the Application log after you install Service Pack 1 for Windows 7 or Windows Server 2008 R2



STEP 06
The Windows Media Player Network Sharing service is having an issue starting; it is used to share your media library over a local area network or the internet. If you're not using it you don't need that service and it can be disabled or removed.

 

Here is an article about disabling it. Disable Windows Media Player Network Sharing and Configuration application



STEP 07
Please run this fix script, which will reset your default scope and home page for Internet Explorer and also remove entries for Java from IE and Firefox, as well as a couple of other issues.


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

 

 

fixlist.txt

Link to post
Share on other sites

The Diskeeper paid version I have is from 2010 (lifetime Licence Key before condusiv.com took the company over) Build: (14.0.915.0)
I'm not near their current version of Diskeeper 12+. I needed it to defrag the page file & MFT, which the MS defragger would stop
at 33% after I put more ram in an XP pc. It's on the mbam forum - early posts. Diskeeper's tech. staff said my version will run with Win 7 !!
Advise if you want it removed please?
_____________________________________
Your Step 01 --- read both websites, I cannot find an AVG Secure Search Toolbar?

Step 02 -- I used the 64 bit and 32 bit removal tool from AVG. (The 64 bit ran more than once.) (I have a txt. log if you want it posted)

Step 03 -- All Java removed as instructed and by the zip file remover. Log attached as requested.

Step 04 -- TFC by Old Timer ran as said !

Step 05 -- Ran the MS Fix-It tool to correct the error.

Step 06 -- Windows Media Player is disabled from Network Sharing.
Opened "regedit" and went to: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences\HME
The DWORD values called DisableBrowse and DisableDiscovery were modified and set to 1 and 2 respectively.

Step 07 -- Where is the hotlink, or link to FRST or FRST64? I ran the link fixlist.txt attached at the bottom of your post
and attached it here. Let me know if it's what you want please?
______________________________________________________________
On a Bad Note: I may have picked up a trojan, as that passed along the screen too fast for me to see. Maybe an F/P?
It's in MBAM in Quarantine - it also took out or removed my SAS scanner - almost all of the icons are gone?

I'll wait for your reply before I do anything...... will not even re-install SAS until I hear from you!
Thank you very much for your time ..........

 

fixlist.txt

JavaRa.log

Temp File Cleaner.txt

avgremover.log



  • Root Admin

In STEP 1 I don't think you have to uninstall. There should be an option to disable HyperBoot, maybe in an advanced area.

There was a false positive on SAS. You can restore it from Quarantine and just check for updates in MBAM and it should no longer be detected.

You need to have the FIXLIST.TXT file in the same location as the FRST program and then click the Fix button.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply as well.

In Automatic Defragmentation mode, Diskeeper works automatically in the background, with no negative performance impact on other applications that are running, improving the performance of your computer without slowing down other operations while doing so. For this reason, Automatic Defragmentation is the recommended method for keeping your computer running at its peak potential. By default, Automatic Defragmentation is enabled on all your volumes when Diskeeper is installed.

 

I un-checked 15+ boxes in the above. HyperFast is un-checked. No HyperBoot in this version, unless I re-start from boot into Defrag. It's pretty much shut off now.

________________________________________________________________________________

Done - FIXLIST.TXT file in the same location as the FRST program and then clicked Fix (I hope I did this right? When I downloaded the Farbar scan I hit Fix)

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-10-2014

Ran by Edward (administrator) on EMERALD-PC on 25-10-2014 02:27:45

Running from C:\Users\Edward\Desktop

Loaded Profile: Edward (Available profiles: Edward)

Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)

Internet Explorer Version 11

Boot Mode: Normal


 

==================== Processes (Whitelisted) =================

 

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe

(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe

(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe

(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe

(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(Diskeeper Corporation) C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

 

 

==================== Registry (Whitelisted) ==================

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

 

HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3890208 2014-08-08] (AVAST Software)

HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)

HKLM-x32\...\Run: [] => [X]

HKU\S-1-5-21-365542771-2037688270-357355618-1003\...\Run: [sUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7767832 2014-10-01] (SUPERAntiSpyware)

Startup: C:\Users\Edward\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk

ShortcutTarget: ERUNT AutoBackup.lnk -> C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)

 

==================== Internet (Whitelisted) ====================

 

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/

SearchScopes: HKLM-x32 - DefaultScope value is missing.

BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.2.25

 

FireFox:

========

FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_14_0_0_179.dll No File

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)

FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_14_0_0_179.dll No File

FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1211151.dll (Adobe Systems, Inc.)

FF Plugin-x32: @java.com/DTPlugin,version=10.65.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll No File

FF Plugin-x32: @java.com/JavaPlugin,version=10.65.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll No File

FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)

FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

 

Chrome: 

=======

CHR HomePage: Default -> https://www.google.com/

CHR StartupUrls: Default -> "https://www.google.com/"

CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}

CHR Profile: C:\Users\Edward\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (Google Docs) - C:\Users\Edward\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-06-24]

CHR Extension: (Google Drive) - C:\Users\Edward\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-06-24]

CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Edward\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-24]

CHR Extension: (YouTube) - C:\Users\Edward\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-06-24]

CHR Extension: (Google Search) - C:\Users\Edward\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-06-24]

CHR Extension: (Avast Online Security) - C:\Users\Edward\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-06-24]

CHR Extension: (Google Maps) - C:\Users\Edward\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2014-06-24]

CHR Extension: (Google Wallet) - C:\Users\Edward\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-06-24]

CHR Extension: (Gmail) - C:\Users\Edward\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-06-24]

CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-07-18]

 

==================== Services (Whitelisted) =================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-06-24] (AVAST Software)

R2 Diskeeper; C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe [2435960 2012-07-28] (Diskeeper Corporation)

R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)

R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)

 

==================== Drivers (Whitelisted) ====================

 

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

 

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-18] ()

R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-07-18] (AVAST Software)

R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-07-18] (AVAST Software)

R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-07-18] ()

R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1041168 2014-07-18] (AVAST Software)

R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [427360 2014-07-18] (AVAST Software)

R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [92008 2014-07-18] (AVAST Software)

R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [224896 2014-07-18] ()

S3 DKRtWrt; C:\Windows\System32\DRIVERS\DKRtWrt.sys [52144 2010-03-10] (Diskeeper Corporation)

R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [93400 2014-10-01] (Malwarebytes Corporation)

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-10-01] (Malwarebytes Corporation)

R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-10-25] (Malwarebytes Corporation)

R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-10-01] (Malwarebytes Corporation)

R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)

R3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()

S3 VGPU; System32\drivers\rdvgkmd.sys [X]

 

==================== NetSvcs (Whitelisted) ===================

 

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

 

 

==================== One Month Created Files and Folders ========

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-10-25 02:27 - 2014-10-25 02:28 - 00009579 _____ () C:\Users\Edward\Desktop\FRST.txt

2014-10-25 02:25 - 2014-10-25 02:25 - 02112000 _____ (Farbar) C:\Users\Edward\Desktop\FRST64.exe

2014-10-24 21:52 - 2014-10-24 21:52 - 00001768 _____ () C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk

2014-10-23 15:13 - 2014-10-25 02:10 - 00002042 _____ () C:\Windows\PFRO.log

2014-10-21 10:54 - 2014-10-25 02:10 - 00000952 _____ () C:\Windows\setupact.log

2014-10-21 10:54 - 2014-10-21 10:54 - 00000000 _____ () C:\Windows\setuperr.log

2014-10-20 21:22 - 2014-10-20 21:24 - 00000195 _____ () C:\Windows\SysWOW64\debug.log

2014-10-20 21:19 - 2014-10-20 21:19 - 00000000 ____H () C:\Users\Edward\Documents\Default.rdp

2014-10-20 14:20 - 2014-10-25 02:27 - 00000000 ____D () C:\FRST

2014-10-14 00:39 - 2014-10-25 02:14 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-10-14 00:38 - 2014-10-14 00:38 - 00001102 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2014-10-14 00:38 - 2014-10-14 00:38 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-10-14 00:38 - 2014-10-14 00:38 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-10-14 00:38 - 2014-10-14 00:38 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware

2014-10-14 00:38 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2014-10-14 00:38 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2014-10-14 00:38 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

2014-09-30 17:13 - 2014-09-24 19:08 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll

2014-09-30 17:13 - 2014-09-24 18:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll

 

==================== One Month Modified Files and Folders =======

 

(If an entry is included in the fixlist, the file\folder will be moved.)

 

2014-10-25 02:25 - 2014-05-28 15:06 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2014-10-25 02:18 - 2009-07-13 21:45 - 00026352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-10-25 02:18 - 2009-07-13 21:45 - 00026352 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2014-10-25 02:17 - 2014-05-28 14:34 - 01347779 _____ () C:\Windows\WindowsUpdate.log

2014-10-25 02:12 - 2014-05-28 15:06 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2014-10-25 02:11 - 2014-07-18 23:35 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware

2014-10-25 02:10 - 2009-07-13 22:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-10-24 21:52 - 2014-06-13 21:58 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware

2014-10-21 12:47 - 2014-09-24 16:34 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2014-10-21 10:31 - 2014-07-18 18:16 - 00000000 ____D () C:\Program Files\Java

2014-10-21 10:31 - 2014-05-28 15:12 - 00000000 ____D () C:\Program Files (x86)\Java

2014-10-21 10:12 - 2014-06-14 23:37 - 00000000 ____D () C:\Windows\system32\appmgmt

2014-10-21 09:27 - 2014-05-28 15:07 - 00002255 _____ () C:\Users\Public\Desktop\Google Chrome.lnk

2014-10-21 08:25 - 2014-08-11 16:15 - 00000000 ____D () C:\Users\Edward\AppData\Roaming\HpUpdate

2014-10-20 22:26 - 2014-06-24 11:33 - 00000000 ____D () C:\Users\Edward

2014-10-20 22:25 - 2014-06-24 11:33 - 01048576 _____ () C:\Users\Edward\NTUSER.bak

2014-10-20 22:25 - 2009-07-13 19:34 - 54263808 _____ () C:\Windows\system32\config\SOFTWARE.bak

2014-10-20 22:25 - 2009-07-13 19:34 - 12845056 _____ () C:\Windows\system32\config\SYSTEM.bak

2014-10-20 22:25 - 2009-07-13 19:34 - 00262144 _____ () C:\Windows\system32\config\DEFAULT.bak

2014-10-20 22:25 - 2009-07-13 19:34 - 00061440 _____ () C:\Windows\system32\config\SAM.bak

2014-10-20 22:25 - 2009-07-13 19:34 - 00028672 _____ () C:\Windows\system32\config\SECURITY.bak

2014-10-20 21:22 - 2014-06-24 11:33 - 00000000 ____D () C:\Users\Edward\AppData\Roaming\Adobe

2014-10-20 14:19 - 2014-05-28 15:06 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA

2014-10-20 14:18 - 2014-05-28 15:06 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

2014-10-18 20:21 - 2014-06-24 17:42 - 00000000 ____D () C:\Program Files\CCleaner

2014-10-15 20:12 - 2014-05-28 15:20 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk

2014-10-13 23:53 - 2014-06-24 16:32 - 00000000 ____D () C:\Users\Edward\Desktop\other icons

2014-10-12 17:27 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\rescache

2014-10-12 14:58 - 2009-07-13 22:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI

2014-10-12 12:51 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\system32\NDF

2014-10-10 09:39 - 2014-06-24 16:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Diskeeper Corporation

2014-10-10 09:39 - 2009-07-13 20:20 - 00000000 ____D () C:\Windows\Help

2014-10-03 10:02 - 2014-05-28 16:28 - 103265616 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

2014-10-02 15:53 - 2010-11-20 20:27 - 00278152 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

2014-10-02 15:47 - 2014-06-24 15:21 - 00002208 _____ () C:\Users\Public\Desktop\avast! Free Antivirus.lnk

 

==================== Bamital & volsnap Check =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\System32\winlogon.exe => File is digitally signed

C:\Windows\System32\wininit.exe => File is digitally signed

C:\Windows\SysWOW64\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\System32\services.exe => File is digitally signed

C:\Windows\System32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\System32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2014-10-12 17:19

 

==================== End Of Log ============================

Addition.txt

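As an added example (my own code, not part of this thread or of Farbar's tool), here is a small Python triage helper for the driver and service lines of an FRST log in the format shown above: it parses each entry into fields and flags the two cases a reviewer reads first, a registered file that is missing ([X]) and a file that carries no company information (()). The sample lines are copied from the log above; the ServiceEntry field names and the triage wording are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One FRST service/driver line, as in the Drivers (Whitelisted) section above:
#   R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-18] ()
#   S3 VGPU; System32\drivers\rdvgkmd.sys [X]
# R/S = running/stopped, digit = Windows start type, "()" = file carries no
# company/version info, "[X]" = the registered file is not on disk.
LINE_RE = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"(?:\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<vendor>[^)]*)\)"
    r"|(?P<missing>\[X\]))\s*$"
)

@dataclass
class ServiceEntry:
    state: str
    start: int
    name: str
    path: str
    size: Optional[int]   # None when the file is missing
    date: Optional[str]   # None when the file is missing
    vendor: str           # '' when FRST printed "()"
    missing: bool         # True when FRST printed "[X]"

def parse_entry(line: str) -> Optional[ServiceEntry]:
    """Parse one service/driver line; None for banners, blanks and FRST's own notes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    missing = m.group("missing") is not None
    return ServiceEntry(
        state=m.group("state"), start=int(m.group("start")),
        name=m.group("name").strip(), path=m.group("path"),
        size=None if missing else int(m.group("size")),
        date=None if missing else m.group("date"),
        vendor="" if missing else m.group("vendor").strip(),
        missing=missing,
    )

def section_lines(log: str, title: str) -> List[str]:
    """Non-blank lines of the section whose '====' banner contains title."""
    inside, body = False, []
    for line in log.splitlines():
        if line.startswith("===="):
            if inside:
                break                 # the next banner closes the section
            inside = title in line
            continue
        if inside and line.strip():
            body.append(line)
    return body

def parse_section(log: str, title: str) -> List[ServiceEntry]:
    parsed = (parse_entry(ln) for ln in section_lines(log, title))
    return [e for e in parsed if e is not None]

def triage(entries: List[ServiceEntry]) -> List[Tuple[str, str]]:
    """The two things a reviewer reads first. Neither is a verdict: the log above
    shows avast's own aswHwid.sys with "()" and the VGPU entry with [X]; these are
    the lines to look up and verify, not lines to delete."""
    findings = []
    for e in entries:
        if e.missing:
            findings.append((e.name, "registered, but file not on disk ([X]); stale entry"))
        elif e.vendor == "":
            findings.append((e.name, "file has no company/version info; check its signature"))
    return findings

# Sample input: a subset of the driver lines copied from the FRST log above.
SAMPLE_LOG = r"""
==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-07-18] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-07-18] (AVAST Software)
S3 DKRtWrt; C:\Windows\System32\DRIVERS\DKRtWrt.sys [52144 2010-03-10] (Diskeeper Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-10-25] (Malwarebytes Corporation)
R3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================
"""

if __name__ == "__main__":
    drivers = parse_section(SAMPLE_LOG, "Drivers")
    print(f"{len(drivers)} driver entries parsed")
    for name, why in triage(drivers):
        print(f"  {name}: {why}")
```

The same regex covers the Services (Whitelisted) section, so a full FRST.txt can be read from disk and passed to parse_section with "Services" as the title.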

Only the "unable to load the anti-root DDA Driver" message (never got a BSOD yet)! See post #1 - I started to remove AVG leftovers from my duo core tower, since back on Sept. 15th I reported the same DDA Driver message. Will keep an eye on both machines, and start a new topic here if the same issue comes up. The notebook runs faster. MBAM runs well.

Thank you very much Ron for all your time on this matter...... you're the best !!!!!!!! :) regards, Ed


No issues Ron! This was the notebook in the above posts. My tower gave me the same DDA Driver issue as post #1. I cleaned out AVG - which was also in the tower - with the tool in step 2 & got rid of the old Java & old temp files. I don't think we will see this issue again. Nice work Ron !! & thanks again.... :)

I guess you can close this thread.   best regards....... Ed


  • Root Admin

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.
They are often updated daily, so if you went to use them again in the future they would be outdated anyway.

The following procedures will implement some cleanup procedures to remove these tools.
 
Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot

Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
i.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc.... AdwCleaner > just run the program and click uninstall.

Note:
If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.
 
 
If there are any other left over Folders, Files, Logs then you can delete them on your own.
 
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis, I advise not using Java if possible, or at least disabling Java in your web browsers.
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.


If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.
 


"At this time there are no more signs of an infection on your system"

 

Ran ESET online scanner & Dr.Web CureIt - results clean.

"Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)
i.e.: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc.... AdwCleaner > just run the program and click uninstall."

Done - no problems

DelFix ver.10.8 done. - no issues

"If you used FRST and can't delete the quarantine folder:"

Done - no problems

Java - disabled, no issues [I have good backups on external drives]

I have 4 License copies of mbam since 2006.+ Thanks again for all your help & time.

best regards...


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
