Jump to content

Infected by XPGuard unable to run MBAM please help


Recommended Posts

My computer is Infected by XPGuard unable to run MBAM.

Attached is the requested zip file. Here is my DDS log please help and thanks in advance for all of your hard work:

DDS (Ver_10-11-10.01) - NTFSx86

Run by gwagner at 17:22:30.53 on Wed 11/17/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1437 [GMT -8:00]

============== Running Processes ===============


C:\WINDOWS\system32\svchost -k DcomLaunch


C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs



C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe



C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc



C:\Documents and Settings\gwagner\Local Settings\Application Data\pw.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\iTunes\iTunesHelper.exe



C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe

C:\Program Files\Panasonic\PHOTOfunSTUDIO -viewer-\PhAutoRun.exe

C:\Program Files\MOTU\Audio\MFWAKeys.exe

C:\Documents and Settings\gwagner\Application Data\Dropbox\bin\Dropbox.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Opera\opera.exe

C:\Documents and Settings\gwagner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>;*.local

uInternet Settings,ProxyServer = http=

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common


BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common

files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\adobe

acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program


BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program


TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat


EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat


EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [Logitech Utility] Logi_MwX.Exe

mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart

mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\gwagner\startm~1\programs\startup\dropbox.lnk - c:\documents and

settings\gwagner\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\acroba~1.lnk - c:\program

files\adobe\adobe acrobat 6.0\distillr\acrotray.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common

files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\asuswi~1.lnk - c:\program files\asus

wifi-ap solo\RtWLan.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\motupe~1.lnk - c:\program


StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\photof~1.lnk - c:\program

files\panasonic\photofunstudio -viewer-\PhAutoRun.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} -


Trusted Zone: trionworld.com\vpn.sdg

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} -


DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://vpn.sdg.trionworld.com/CACHE/stc/1/binaries/vpnweb.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -


DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -


DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab





DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} -


Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} -


================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gwagner\applic~1\mozilla\firefox\profiles\m1ks85hd.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} -

c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla


FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla


FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla



c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); //


c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); //


c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); //


c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); //


============= SERVICES / DRIVERS ===============

R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe

[2008-3-28 370360]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\motubus.sys [2009-7-3 23600]

R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network

Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-1-19 269824]

R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-1-19 13532]

S3 mfwamidi;MOTU Audio MIDI;c:\windows\system32\drivers\mfwamidi.sys [2010-3-8 26160]

S3 mfwawave;MOTU Audio Wave;c:\windows\system32\drivers\mfwawave.sys [2010-3-8 69680]

S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\motufwa.sys [2010-3-8 466992]

S3 Srvrogortm;Srvrogortm; [x]

S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2008-1-22 18432]

=============== File Associations ===============


=============== Created Last 30 ================

2010-11-18 00:12:06 185856 --sha-w- c:\docume~1\gwagner\locals~1\applic~1\pw.exe

2010-11-16 17:41:30 6146896 ----a-w- c:\docume~1\alluse~1.win\applic~1\microsoft\windows

defender\definition updates\{d84b39e5-df17-4bd7-8d0d-a0eaea88396f}\mpengine.dll

2010-11-03 16:56:32 -------- d-----w- c:\program files\Bonjour

2010-11-01 00:33:51 -------- d-----w- c:\program files\common files\VST3

2010-10-31 19:20:39 -------- d-----w- c:\docume~1\gwagner\applic~1\Drumagog 5

2010-10-31 19:19:54 -------- d-----w- c:\program files\Drumagog 5

2010-10-30 17:59:51 -------- d-----w- c:\docume~1\gwagner\applic~1\LolClient

2010-10-30 17:51:23 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin

2010-10-30 17:51:22 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin

2010-10-30 17:51:22 1 ----a-w- c:\windows\system32\nvdrssel.bin

2010-10-30 17:51:04 888424 ----a-w- c:\windows\system32\nvdispco32.dll

2010-10-30 17:51:04 813672 ----a-w- c:\windows\system32\nvgenco32.dll

2010-10-29 15:33:20 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Blizzard


2010-10-28 23:10:21 -------- d-----w- C:\Riot Games

2010-10-28 22:26:53 -------- d-----w- c:\docume~1\gwagner\locals~1\applic~1\PMB Files

2010-10-28 22:26:48 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\PMB Files

2010-10-28 22:26:23 -------- d-----w- c:\program files\Pando Networks

==================== Find3M ====================

2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-10-16 19:04:22 81920 ----a-w- c:\windows\system32\nvwddi.dll

2010-10-16 19:04:16 277608 ----a-w- c:\windows\system32\nvmccs.dll

2010-10-16 19:04:16 13851752 ----a-w- c:\windows\system32\nvcpl.dll

2010-10-16 19:04:16 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-10-16 19:04:14 156776 ----a-w- c:\windows\system32\nvsvc32.exe

2010-10-16 19:04:14 145000 ----a-w- c:\windows\system32\nvcolor.exe

2010-10-16 18:55:00 6359552 ----a-w- c:\windows\system32\nv4_disp.dll

2010-10-16 18:55:00 61440 ----a-w- c:\windows\system32\OpenCL.dll

2010-10-16 18:55:00 4882432 ----a-w- c:\windows\system32\nvcuda.dll

2010-10-16 18:55:00 2932840 ----a-w- c:\windows\system32\nvcuvid.dll

2010-10-16 18:55:00 2666600 ----a-w- c:\windows\system32\nvcuvenc.dll

2010-10-16 18:55:00 2293194 ----a-w- c:\windows\system32\nvdata.bin

2010-10-16 18:55:00 1462272 ----a-w- c:\windows\system32\nvapi.dll

2010-10-16 18:55:00 14532608 ----a-w- c:\windows\system32\nvoglnt.dll

2010-10-16 18:55:00 13012992 ----a-w- c:\windows\system32\nvcompiler.dll

2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 11:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-15 09:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-08 18:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx

2010-09-08 18:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

============= FINISH: 17:23:31.15 ===============


Link to post
Share on other sites

Hello ,

And :) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.


Please Download Rootkit Unhooker Save it to your desktop.

  • extract RKUnhooker to your desktop
    • Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
      you can get a free one from here -

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!

It is recommended to remove parasite, okay?"

"just click on Cancel, then Accept".


In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

  • RKU log

Thanks and again sorry for the delay.

Link to post
Share on other sites

Elise, thanks so much for helping me with this issue here is the log output you requested:

RkU Version: 3.8.388.590, Type LE (SR2)


OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2




0xB5D56000 C:\WINDOWS\System32\DRIVERS\nv4_mini.sys 9625600 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 260.99 )

0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6361088 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 260.99 )

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2150400 bytes

0x804D7000 RAW 2150400 bytes

0x804D7000 WMIxWDM 2150400 bytes

0xBF800000 Win32k 1855488 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xB5BCC000 C:\WINDOWS\System32\DRIVERS\NVNRM.SYS 1077248 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)

0xB7DED000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xA62FD000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xB5AC3000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xA63E2000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xA5651000 C:\WINDOWS\System32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)

0xB5B79000 C:\WINDOWS\System32\DRIVERS\NVSNPU.SYS 339968 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xA62BB000 C:\WINDOWS\System32\DRIVERS\RTL8187.sys 270336 bytes (Realtek Semiconductor Corporation , Realtek RTL8187 NDIS Driver)

0xA528D000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xAF8ED000 C:\WINDOWS\system32\drivers\ADIHdAud.sys 249856 bytes (Analog Devices, Inc., High Definition Audio Function Driver)

0xB5B21000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)

0xB7F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xA5721000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xB7DC0000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xA4C6D000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xA636D000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xB5CD3000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xA63BA000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xB7F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)

0xAF8C9000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xB5D1E000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xAF88F000 C:\WINDOWS\system32\drivers\adidts.sys 143360 bytes (Analog Devices, Inc., Analog Devices DTS Driver)

0xB5CFB000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xA6398000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x806E4000 ACPI_HAL 134400 bytes

0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xB7EA3000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xB7F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xB7DA6000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xA6291000 C:\WINDOWS\System32\Drivers\dump_nvata.sys 102400 bytes

0xB7EF2000 nvata.sys 102400 bytes (NVIDIA Corporation, NVIDIA

Link to post
Share on other sites

Hello again, it actually a good thing when a rootkit scanner doesn't detect malicious objects. :)



Going over your logs I noticed that you have uTorrent installed.

[*] Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.

[*]They are a security risk which can make your computer susceptible to a sm

Link to post
Share on other sites

Hi again, that is looking good. We need to fix a proxy first.



We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

uInternet Settings,ProxyServer = http=

Save this as CFScript.txt, in the same location as ComboFix.exe


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



I don't see an Anti Virus Program running on your machine

Download and install an antivirus program, and make sure that you keep it updated

New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

Three good antivirus programs free for non-commercial home use are Avast!, Antivir and Microsoft Security Essentials

Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

Finally, please launch MBAM, update it and run a full scan. Post me the resulting log.

Link to post
Share on other sites

Hello again, that looks good. :) Do you have any problems left? Lets run one last scan to check for leftovers.



I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

Link to post
Share on other sites

Hi Elise. I am currently traveling and am away from my computer. I did install Vira AV and did a full scan with it and MBAM , so far so good. I will do a final full scan when I get back after the holiday and post the log. Some quick questions for you. Is it ok to have MBAM real time and Vira running at the same time without conflicts? Also, can you recommend a second anti-malware free program that I can use to double check MBAM does not miss anything when I scan?

Thanks again for all of your help, you guys are doing such a great job.

Link to post
Share on other sites

Yes, MBAM and Avira go together fine. Here are some final steps you can do when you get back. In case the topic gets closed before you are able to reply, you can always send me a PM.



Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS and Rootkit Unhooker

Please read these advices, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file

[*]Keep Windows (and your other Microsoft software) up to date!

I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

[*]Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.

[*]Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

Link to post
Share on other sites

  • 2 weeks later...
This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.