
Hello, experts:

My turn to ask for help: I need to be sure an undetected rootkit is not to blame for a new, intermittent inability to boot.

System has been fully stable, running MBAM PRO and KIS2011 and SAS Free with no indication of infection on Win7/64 factory image from 8/2010, fully patched.

Routine daily quick scans with both MBAM and KIS have always been clean.

WED 16th:

Normal shut down to go to work. Returned several hours later. Powered on from the tower and got a couple of odd KIS pop-ups about Windows files being moved to trusted as the desktop loaded. The network adapter wouldn't connect (yellow exclamation) and the network troubleshooter said to check the router/modem (which were fine, but I power cycled them anyway). Attempted to restart the system, and Windows would not boot. Could not get into F8 or even F12, but somehow eventually booted into Startup Repair, which ran for ~30 min and said it could not fix the system.

Placed call to live, US, TS at Dell w/remote assist. Eventually, we were able to boot into safe mode with networking, run hardware diagnostics/mem test, and perform a system restore to 6 days earlier. After roll-back (which of course required a "repair" of KIS to update databases), all seemed to work OK, although rebooting was VERY slow the first few times. No abnormal behavior. Both a warm and cold start went fine.

THUR 17th:

Normal shut down to go to work. Returned several hours later. Powered on from tower. No problems. Booted fine.

FRI 18th:

Normal shut down to go to work. Returned several hours later. Powered on from tower. This time, no alerts from KIS, but system only loaded wallpaper & shortcuts, clock (no other icons in system tray), and quick launch icons in task bar. Clicked start orb -> start menu opened and then froze. Had mouse, but could not shut down from start menu.

Placed another live call to Dell. Booted into safe mode with networking. Disabled all non-MS services and all start-up programs and was able to boot back into normal mode. Selectively re-enabled some services and start-ups OK. For a reason I can't remember now (I was pretty stressed out at the time), we decided to uninstall and reinstall KIS (and MBAM and SAS). All of this went fine. Quick scans with MBAM, SAS, KIS and even the ESET online scanner were fine. Warm restarts several times were fine. System working fine, except for the loss of some icons from the notification area, so I used a tutorial from sevenforums.com to rebuild the icon cache db. Computer working fine. Planned to run an overnight chkdsk prior to the outbound call back from Dell.

SAT 19th:

CHKDSK /f /r returned "no problems found", and the necessary restarts were fine, as were 2 others needed to add a couple of previously deleted services from msconfig (1 for my Adobe license verification, the other for MBAM service to allow activation of the protection module). Further investigation in Windows Reliability Monitor Console (which I had forgotten even exists!) revealed 2 identical errors time-stamped to the date/time of the original bootup error on Wed 16th:

Driver Management concluded the process to install driver NULL Driver for Device Instance ID ROOT\MULTIFUNCTION\0000 with the following status: 0xe0000203.

Computer has been working completely fine, including 2 warm restarts while on remote assist with Dell yesterday for followup call.

TODAY:

I have not attempted a cold start again during this time.

The WRM log shows no further driver errors despite all the restarts (but these seem to have occurred only with attempted cold boots).

Computer is behaving normally with nothing suggestive of infection.

A deep scan with KIS is clean.

All flash and Quick scans with MBAM are clean, as was a SAS quick scan.

MBAM and DDS logs will follow below.

I was unable to run GMER (it crashed both times, despite "run as administrator" and pausing KIS).

I am pretty sure this is a driver corruption issue in Windows, which may require a factory image or even a reformat (I cannot run a repair install from the DVD because it was SP0 and the system is now SP1).

But I am paranoid this could be a rootkit affecting system OS bootup that may have somehow escaped detection. And I am too nervous to try another cold boot until I know.

Please advise as to the next step (perhaps TDSSRootkiller?).

As I expect the pasted log files will make my post too large, I am going to reply to my own thread in a moment with the MBAM & DDS logs.

Thanks VERY much in advance,

daledoc1

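The Reliability Monitor entry quoted in the post is a Microsoft-Windows-UserPnp event from the System log, and the status it carries is a SetupAPI application-error code: in setupapi.h, 0xE0000203 is ERROR_NO_DRIVER_SELECTED, which fits both the "NULL Driver" wording and the two ROOT\MULTIFUNCTION entries that DDS lists further down with no driver service. The following PowerShell is an added example for pulling and decoding those events yourself; it is not code from the thread, from Malwarebytes or from Dell. It assumes Windows 7 x64 or later with Windows PowerShell 2.0 or newer in an elevated console; the function and property names, the small status table and the sample message are this example's own.

```powershell
# Added example (not from the thread). Pulls the UserPnp driver-install events
# that Reliability Monitor shows as "Driver Management concluded the process to
# install driver ...", decodes the SetupAPI status, and looks the device up in WMI.
# Assumptions: Windows 7 x64 or later, Windows PowerShell 2.0+, elevated console.
# Function and property names are this example's own.

# Regex over the event message text; the wording is the one quoted in the post.
$script:DriverEventPattern = 'install driver (?<driver>.+?) for Device Instance ID (?<devinst>\S+) with the following status: (?<status>0x[0-9A-Fa-f]+)'

# SetupAPI application-error codes from setupapi.h (0xE0000200 block), keyed by
# normalised hex string. Extend as needed.
$script:SetupApiStatus = @{
    '0x00000000' = 'SUCCESS'
    '0xE0000200' = 'ERROR_NO_ASSOCIATED_CLASS'
    '0xE0000201' = 'ERROR_CLASS_MISMATCH'
    '0xE0000202' = 'ERROR_DUPLICATE_FOUND'
    '0xE0000203' = 'ERROR_NO_DRIVER_SELECTED'
    '0xE000020A' = 'ERROR_NO_INF'
    '0xE000020B' = 'ERROR_NO_SUCH_DEVINST'
}

function ConvertFrom-DriverEventMessage {
    param([Parameter(Mandatory = $true)][string]$Message)
    $m = [regex]::Match($Message, $script:DriverEventPattern)
    if (-not $m.Success) { return $null }
    # Normalise "0xe0000203" / "0x0" to a fixed-width upper-case key.
    $code = [Convert]::ToUInt32($m.Groups['status'].Value.Substring(2), 16)
    $key  = '0x{0:X8}' -f $code
    $name = $script:SetupApiStatus[$key]
    if (-not $name) { $name = 'UNKNOWN' }
    New-Object PSObject -Property @{
        Driver           = $m.Groups['driver'].Value
        DeviceInstanceId = $m.Groups['devinst'].Value
        Status           = $key
        StatusName       = $name
        Succeeded        = ($code -eq 0)
    }
}

function Get-DriverInstallEvent {
    # Reliability Monitor surfaces these from the System log, provider
    # Microsoft-Windows-UserPnp. The regex keeps only the "install driver" form.
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-UserPnp'
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $parsed = ConvertFrom-DriverEventMessage -Message $_.Message
        if ($parsed) {
            $parsed | Add-Member -MemberType NoteProperty -Name TimeCreated -Value $_.TimeCreated -PassThru
        }
    }
}

function Get-PnpEntityByInstanceId {
    # ConfigManagerErrorCode 22 is "This device is disabled"; Status and the
    # absence of a Service line up with what DDS printed for the device.
    param([Parameter(Mandatory = $true)][string]$InstanceId)
    $wql = $InstanceId -replace '\\', '\\'   # WQL string literals need doubled backslashes
    Get-WmiObject -Class Win32_PnPEntity -Filter "DeviceID = '$wql'" |
        Select-Object Name, DeviceID, Status, ConfigManagerErrorCode, Service
}

# Constructed sample: the exact message quoted in the post, run through the parser.
$script:SampleMessage = 'Driver Management concluded the process to install driver NULL Driver for Device Instance ID ROOT\MULTIFUNCTION\0000 with the following status: 0xe0000203.'
ConvertFrom-DriverEventMessage -Message $script:SampleMessage | Format-List

# Live queries (need the System log and WMI):
# Get-DriverInstallEvent -Days 30 | Where-Object { -not $_.Succeeded } | Sort-Object TimeCreated
# Get-PnpEntityByInstanceId -InstanceId 'ROOT\MULTIFUNCTION\0000'
```

Running the sample through the parser yields StatusName ERROR_NO_DRIVER_SELECTED and Succeeded False. The live query is the useful part: it answers whether the failed install recurs on every cold boot or only on the one recorded in Reliability Monitor, which is the distinction the post is circling. A failed install for a root-enumerated printer device is a plug-and-play housekeeping error, not a rootkit indicator; a driver-install event for a device instance or a driver name you do not recognise would be the thing to chase.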

I could not get GMER to run.

Here are the others.

I await your expert advice.

Thanks!

MBAM:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6110

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

3/20/2011 7:11:42 AM

mbam-log-2011-03-20 (07-11-42).txt

Scan type: Quick scan

Objects scanned: 176902

Time elapsed: 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS.txt:

DDS (Ver_11-03-05.01) - NTFS_AMD64

Run by MOXIE at 7:01:08.90 on Sun 03/20/2011

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8151.5928 [GMT -5:00]

.

AV: Kaspersky Internet Security *Disabled/Outdated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Kaspersky Internet Security *Disabled/Outdated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}

FW: Kaspersky Internet Security *Disabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\system32\atiesrxx.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\atieclxx.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\APC\APC PowerChute Personal Edition\mainserv.exe

C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\svchost.exe -k HPService

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\WUDFHost.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files (x86)\MSGTAG Status\MSGTAGStatus.exe

C:\Program Files\Windows Sidebar\sidebar.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files (x86)\stickies\stickies.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe

C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

C:\Program Files (x86)\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Program Files (x86)\Firetrust\MailWasher\MailWasherPro.exe

C:\Program Files (x86)\Firetrust\MailWasher\MailWasherProApp.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Users\MOXIE\Desktop\dds.scr

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.huffingtonpost.com/

mWinlogon: Userinit=userinit.exe

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitBHO.dll

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\ievkbd.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - C:\Program Files (x86)\TechSmith\Snagit 10\SnagitIEAddin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll

uRun: [MSGTAG] "C:\Program Files (x86)\MSGTAG Status\MSGTAGStatus.exe" /startup

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

mRun: [<NO NAME>]

mRun: [shwiconXP9106] C:\Program Files (x86)\Multimedia Card Reader(9106)\ShwiconXP9106.exe

mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun: [Display] C:\Program Files (x86)\APC\APC PowerChute Personal Edition\DataCollectionLauncher.exe

mRun: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe

mRun: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe"

mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\Users\MOXIE\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Stickies.lnk - C:\Program Files (x86)\stickies\stickies.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\APCUPS~1.LNK - C:\Program Files (x86)\APC\APC PowerChute Personal Edition\Display.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm

IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll

IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL

IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\klwtbbho.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll

BHO-X64: SnagIt Toolbar Loader: {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitBHO64.dll

BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\x64\ievkbd.dll

BHO-X64: IEVkbdBHO - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

BHO-X64: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\x64\klwtbbho.dll

BHO-X64: link filter bho - No File

TB-X64: Snagit: {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 10\DLLx64\SnagitIEAddin64.dll

TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

TB-X64: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

TB-X64: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File

mRun-x64: [RunDLLEntry_THXCfg] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64

mRun-x64: [RunDLLEntry_EptMon] C:\Windows\system32\RunDLL32.exe C:\Windows\system32\EptMon64.dll,RunDLLEntry EptMon64

mRun-x64: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s

AppInit_DLLs-X64: C:\PROGRA~2\KASPER~1\KASPER~1\x64\sbhook64.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\MOXIE\AppData\Roaming\Mozilla\Firefox\Profiles\0k81yqkg.Crash\

FF - prefs.js: browser.startup.homepage - hxxp://www.huffingtonpost.com/

FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru\components\abhelperxpcom.dll

FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

FF - Ext: Anti-Banner: KavAntiBanner@Kaspersky.ru - C:\Program Files (x86)\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru

FF - Ext: Kaspersky URL Advisor: linkfilter@kaspersky.ru - C:\Program Files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}

FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}

FF - Ext: NoSquint: nosquint@urandom.ca - %profile%\extensions\nosquint@urandom.ca

FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}

FF - Ext: Google Shortcuts: {5C46D283-ABDE-4dce-B83C-08881401921C} - %profile%\extensions\{5C46D283-ABDE-4dce-B83C-08881401921C}

FF - Ext: CheckPlaces: checkplaces@andyhalford.com - %profile%\extensions\checkplaces@andyhalford.com

FF - Ext: Element Hiding Helper for Adblock Plus: elemhidehelper@adblockplus.org - %profile%\extensions\elemhidehelper@adblockplus.org

FF - Ext: ColorfulTabs: {0545b830-f0aa-4d7e-8820-50a4629a56fe} - %profile%\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}

FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}

FF - Ext: ShowIP: {3e9bb2a7-62ca-4efa-a4e6-f6f6168a652d} - %profile%\extensions\{3e9bb2a7-62ca-4efa-a4e6-f6f6168a652d}

.

============= SERVICES / DRIVERS ===============

.

R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-2-13 55280]

R1 kl2;kl2;C:\Windows\System32\drivers\kl2.sys [2010-6-9 11864]

R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\System32\drivers\klim6.sys [2010-4-22 27736]

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]

R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]

R2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2010/02/13 19:33:18];C:\Program Files (x86)\CyberLink\PowerDVD DX\000.fcl [2010-2-13 146928]

R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-2-13 202752]

R2 AVP;Kaspersky Anti-Virus Service;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe [2010-11-2 365336]

R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-2-13 13336]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-3-18 363344]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-2-13 56344]

R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2010-2-13 233984]

R3 k57nd60a;Broadcom NetLink Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2010-2-13 320040]

R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\System32\drivers\klmouflt.sys [2009-11-2 22544]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-3-18 24152]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]

S3 Adobe Version Cue CS4;Adobe Version Cue CS4;C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-8-15 288112]

S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-8-17 1038088]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2011-2-23 20992]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-2-23 59392]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-15 1255736]

S4 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]

S4 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]

S4 RoxMediaDB10;RoxMediaDB10;C:\Program Files (x86)\Common Files\Roxio Shared\10.0\SharedCom\RoxMediaDB10.exe [2009-6-26 1124848]

.

=============== Created Last 30 ================

.

2011-03-19 00:56:42 -------- d-----w- C:\Users\MOXIE\AppData\Roaming\SUPERAntiSpyware.com

2011-03-19 00:56:37 -------- d-----w- C:\PROGRA~3\!SASCORE

2011-03-19 00:56:36 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2011-03-19 00:44:33 -------- d-----w- C:\Users\MOXIE\AppData\Roaming\Malwarebytes

2011-03-19 00:44:15 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-03-19 00:44:15 -------- d-----w- C:\PROGRA~3\Malwarebytes

2011-03-19 00:44:12 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-03-19 00:44:12 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-03-18 21:06:23 109240 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\KavAntiBanner@Kaspersky.ru\components\abhelperxpcom.dll

2011-03-18 21:06:22 150200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll

2011-03-18 21:05:18 -------- d-----w- C:\Program Files (x86)\Kaspersky Lab

2011-03-18 21:05:18 -------- d-----w- C:\PROGRA~3\Kaspersky Lab

2011-03-18 21:04:01 -------- d-----w- C:\PROGRA~3\Kaspersky Lab Setup Files

2011-03-18 20:05:44 -------- d-----w- C:\Windows\pss

2011-03-05 04:38:46 25048 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\browserdirprovider.dll

2011-03-05 04:38:46 140248 ----a-w- C:\Program Files (x86)\Mozilla Firefox\components\brwsrcmp.dll

2011-02-23 17:58:36 -------- d-----w- C:\Windows\System32\SPReview

2011-02-23 17:57:43 -------- d-----w- C:\Windows\System32\EventProviders

2011-02-23 17:55:59 689152 ----a-w- C:\Windows\System32\FXSSVC.exe

2011-02-23 17:54:59 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys

2011-02-23 15:45:27 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll

2011-02-23 15:45:27 475648 ----a-w- C:\Windows\System32\XpsGdiConverter.dll

2011-02-23 15:45:27 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll

2011-02-23 15:45:27 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll

.

==================== Find3M ====================

.

2011-02-23 18:01:33 175616 ----a-w- C:\Windows\System32\msclmd.dll

2011-02-23 18:01:33 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll

2011-02-19 12:05:15 1139200 ----a-w- C:\Windows\System32\FntCache.dll

2011-02-19 12:04:37 1544192 ----a-w- C:\Windows\System32\DWrite.dll

2011-02-19 12:04:17 902656 ----a-w- C:\Windows\System32\d2d1.dll

2011-02-19 06:30:51 1076736 ----a-w- C:\Windows\SysWow64\DWrite.dll

2011-02-19 06:30:50 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll

2011-02-03 03:40:23 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2011-01-07 12:14:11 46080 ----a-w- C:\Windows\System32\atmlib.dll

2011-01-07 09:51:01 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2011-01-07 09:20:44 366592 ----a-w- C:\Windows\System32\atmfd.dll

2011-01-07 07:45:57 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2011-01-07 06:01:22 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-01-07 05:43:36 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll

2011-01-05 10:34:00 612864 ----a-w- C:\Windows\System32\vbscript.dll

2011-01-05 06:56:24 3129344 ----a-w- C:\Windows\System32\win32k.sys

2011-01-05 05:55:55 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll

2010-12-23 10:42:53 1118720 ----a-w- C:\Windows\System32\sbe.dll

2010-12-23 10:42:51 961024 ----a-w- C:\Windows\System32\CPFilters.dll

2010-12-23 10:42:51 723968 ----a-w- C:\Windows\System32\EncDec.dll

2010-12-23 10:36:02 259072 ----a-w- C:\Windows\System32\mpg2splt.ax

2010-12-23 05:54:18 850944 ----a-w- C:\Windows\SysWow64\sbe.dll

2010-12-23 05:54:17 642048 ----a-w- C:\Windows\SysWow64\CPFilters.dll

2010-12-23 05:54:17 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll

2010-12-23 05:50:23 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax

.

============= FINISH: 7:01:57.52 ===============

DDS.attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume2

Install Date: 8/15/2010 3:28:54 PM

System Uptime: 3/19/2011 2:33:42 PM (17 hours ago)

.

Motherboard: Dell Inc. | | 0T568R

Processor: Intel® Core i7 CPU 860 @ 2.80GHz | CPU 1 | 2801/133mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 1383 GiB total, 1302.552 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

J: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID:

Description: Officejet 7400 series

Device ID: ROOT\MULTIFUNCTION\0000

Manufacturer:

Name: Officejet 7400 series

PNP Device ID: ROOT\MULTIFUNCTION\0000

Service:

.

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}

Description: Officejet 7400 series

Device ID: ROOT\MULTIFUNCTION\0001

Manufacturer: HP

Name: Officejet 7400 series

PNP Device ID: ROOT\MULTIFUNCTION\0001

Service:

.

==== System Restore Points ===================

.

RP150: 3/15/2011 8:05:17 PM - Windows Backup

RP151: 3/16/2011 6:39:32 PM - After rollback - works OK but boots slow

RP152: 3/18/2011 4:04:39 PM - Installed Kaspersky Internet Security 2011.

RP153: 3/19/2011 7:04:31 AM - Windows Backup

RP154: 3/19/2011 2:38:55 PM - Removed Dell Support Center (Support Software).

.

==== Installed Programs ======================

.

7300_Help

7400

Acrobat.com

Adobe Acrobat 9 Pro - English, Fran

[attached screenshot: post-29793-0-65528500-1300626068.png]

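Reading a DDS SERVICES / DRIVERS section by eye is error-prone, so here is an added PowerShell example (not code from the thread, from DDS or from Malwarebytes) that parses those lines into objects and flags the two things a reviewer looks at twice: a service whose binary DDS could not find, and a binary that lives under a user profile. The line format it assumes is this example's own reading of the log, not a documented spec: "<R|S><n> name;display;path [date size]", with R for running, S for stopped, n the Windows start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled), and "--> path [?]" when the file was not found. The sample input is taken from the log above; the flags are triage prompts only. An orphaned entry left behind by an uninstalled program looks exactly the same as the SessionLauncher line, and the staff reply that follows judged these logs clean.

```powershell
# Added example (not from the thread). Parses the SERVICES / DRIVERS section of
# a DDS log into objects and flags entries worth a second look.
# Assumed DDS line format (this example's reading of it, not a documented spec):
#   "<R|S><n> name;display;path [date size]"   R = running, S = stopped,
#   n = start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled),
#   "--> path [?]" = DDS could not find the binary.

$script:DdsServicePattern = '^(?<state>[RS])(?<start>\d)\s+(?<name>[^;]+);(?<display>[^;]*);(?<rest>.+)$'
$script:StartTypeName = @{ '0' = 'Boot'; '1' = 'System'; '2' = 'Auto'; '3' = 'Demand'; '4' = 'Disabled' }

function ConvertFrom-DdsServiceLine {
    param([string]$Line)
    $m = [regex]::Match($Line, $script:DdsServicePattern)
    if (-not $m.Success) { return $null }
    $rest    = $m.Groups['rest'].Value
    $missing = $rest.EndsWith('[?]')
    # When the file is missing DDS repeats the path after "-->"; take that copy.
    if ($rest -match '-->\s*(?<p>.+?)\s*\[') { $path = $Matches['p'] }
    elseif ($rest -match '^(?<p>.+?)\s*\[')  { $path = $Matches['p'] }
    else { $path = $rest.Trim() }

    $flags = @()
    if ($missing) { $flags += 'BinaryNotFound' }
    if ($path -match '^[A-Za-z]:\\Users\\') { $flags += 'RunsFromUserProfile' }

    $state = 'Stopped'
    if ($m.Groups['state'].Value -eq 'R') { $state = 'Running' }
    $startType = $script:StartTypeName[$m.Groups['start'].Value]
    if (-not $startType) { $startType = 'Unknown' }

    New-Object PSObject -Property @{
        Name      = $m.Groups['name'].Value
        Display   = $m.Groups['display'].Value
        State     = $state
        StartType = $startType
        Path      = $path
        Flags     = ($flags -join ',')
    }
}

function Get-DdsServiceFinding {
    # Returns only the entries that picked up at least one flag.
    param([Parameter(Mandatory = $true)][string]$LogText)
    $LogText -split "`r?`n" |
        Where-Object { $_.Trim() } |
        ForEach-Object { ConvertFrom-DdsServiceLine -Line $_ } |
        Where-Object { $_ -and $_.Flags }
}

# Constructed sample: lines copied from the DDS log posted in this thread.
$script:SampleDds = @'
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-2-13 55280]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-3-18 363344]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-3-18 24152]
S2 SessionLauncher;SessionLauncher;c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe --> c:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-15 1255736]
S4 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2010-6-29 128752]
'@

Get-DdsServiceFinding -LogText $script:SampleDds |
    Format-Table Name, State, StartType, Flags, Path -AutoSize
# To run it over a real log: Get-DdsServiceFinding -LogText (Get-Content .\DDS.txt -Raw)
```

On the sample, only SessionLauncher comes back, flagged BinaryNotFound,RunsFromUserProfile (Auto start, currently Stopped). The next step for such an entry is the same whether it is leftover or not: confirm the registry service key's ImagePath with `sc qc SessionLauncher`, and if the file really is gone and nothing on the box claims the service, the entry is a dead auto-start that can be removed. Note that `Get-Content -Raw` needs PowerShell 3.0 or later; on Windows 7's PowerShell 2.0 use `(Get-Content .\DDS.txt) -join "`n"` instead.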

  • Staff

Hi daledoc1,

Looks like you're overreacting a little bit to everything that's been going on. I am confident that you don't have a rootkit installed; your logs don't indicate it, and you would be experiencing symptoms of infection if you were infected.

kuler is an Adobe product and is legitimate.


  • 1 month later...
  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
