
Author Topic: I'm really, really lost....  (Read 37426 times)


trekkie

    Topic Starter


    Rookie

    • Computer: Specs
    • Experience: Beginner
    • OS: Unknown
    Re: I'm really, really lost....
    « Reply #30 on: May 02, 2011, 12:28:24 PM »
    Arrgh! It won't let me turn on System Restore in Safe Mode, and I can't guarantee that I can get it to turn on in Normal Mode. WHY DID YOU TELL ME TO TURN IT OFF?!? ??? :o >:( :||x

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: I'm really, really lost....
    « Reply #31 on: May 02, 2011, 12:31:59 PM »
    Just hold off on that. I'm going to do a consult on this problem with my colleagues.
    Windows 8 and Windows 10 dual boot with two SSD's

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: I'm really, really lost....
    « Reply #32 on: May 02, 2011, 04:22:44 PM »
    Please see if you can run this in Normal Mode.

    Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
    Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
    Click on View > Select Columns.
    In addition to the already pre-selected options, make sure the Command Line is selected, and press OK.
    Go to File > Save As, and save the report as Procexp.txt.
    Attach the file to your next reply.
    Windows 8 and Windows 10 dual boot with two SSD's

    trekkie

      Topic Starter


      Rookie

      • Computer: Specs
      • Experience: Beginner
      • OS: Unknown
      Re: I'm really, really lost....
      « Reply #33 on: May 06, 2011, 10:53:15 AM »
      Sorry I took so long to get back to you - since Easter is over, I'm back to work, so my free time will be limited. By the way, are you the only Malware Removal Specialist left? Just, nobody else is posting here with that qualification. Almost nobody else from ComputerHope is posting here, for that matter. It just seems to be you, people like me looking for help and Allan sometimes pops in to do admin things like moving off-topic posts. .....

      Anyways, Process Explorer log:

      Process            PID   CPU   Private Bytes   Working Set   Company Name               Virtual Size   Command Line

      explorer.exe         916      12,152 K   16,972 K   Microsoft Corporation            89,520 K   C:\WINDOWS\Explorer.EXE

      op_mon.exe         1232      11,584 K   16,704 K   Agnitum Ltd.               55,384 K   "C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" /tray /noservice

      procexp.exe         1064   1.93   11,188 K   15,144 K   Sysinternals - www.sysinternals.com      112,332 K   "C:\ProcessExplorer\procexp.exe"

      iTunesHelper.exe      1224      9,236 K      14,068 K   Apple Inc.               87,344 K   "C:\Program Files\iTunes\iTunesHelper.exe"

      WG111v3.exe         1412   12.56   4,748 K      8,672 K                        51,700 K   "C:\Program Files\NETGEAR\WG111v3\WG111v3.exe"

      AppleMobileDeviceService.exe   352      4,964 K      8,068 K      Apple Inc.               52,448 K   "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"

      jqs.exe            460      3,636 K      6,892 K      Sun Microsystems, Inc.            69,484 K   "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"

      svchost.exe         1988   27.54   6,392 K      6,788 K      Microsoft Corporation            47,580 K   C:\WINDOWS\System32\svchost.exe -k netsvcs

      taskmgr.exe         1040      4,092 K      6,716 K      Microsoft Corporation            56,012 K   taskmgr.exe

      svchost.exe         332      2,996 K      6,372 K      Microsoft Corporation            45,252 K   C:\WINDOWS\System32\svchost.exe -k Akamai

      acs.exe            312   13.77   2,344 K      4,468 K      Agnitum Ltd.               32,420 K   C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe

      hpqtra08.exe         1368      1,072 K      4,124 K      Hewlett-Packard Development Company, L.P.   33,188 K   "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"

      nvsvc32.exe         484      2,608 K      4,120 K      NVIDIA Corporation            36,112 K   C:\WINDOWS\system32\nvsvc32.exe

      svchost.exe         1884   10.39   1,368 K      3,512 K      Microsoft Corporation            32,984 K   C:\WINDOWS\system32\svchost.exe -k rpcss

      services.exe         1660      1,692 K      3,396 K      Microsoft Corporation            20,800 K   C:\WINDOWS\system32\services.exe

      winlogon.exe         1616      6,964 K      3,376 K      Microsoft Corporation            57,460 K   winlogon.exe

      ctfmon.exe         1304      924 K      3,312 K      Microsoft Corporation            31,780 K   "C:\WINDOWS\system32\ctfmon.exe"

      mDNSResponder.exe      444   14.49   1,044 K      3,240 K      Apple Inc.               26,704 K   "C:\Program Files\Bonjour\mDNSResponder.exe"

      csrss.exe         1592      1,440 K      3,236 K      Microsoft Corporation            21,440 K   C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

      svchost.exe         1840      1,232 K      3,040 K      Microsoft Corporation            31,464 K   C:\WINDOWS\system32\svchost.exe -k DcomLaunch

      svchost.exe         176   17.39   1,264 K      3,020 K      Microsoft Corporation            28,984 K   C:\WINDOWS\system32\svchost.exe -k NetworkService

      HPZipm12.exe         516      556 K      1,844 K      HP                  15,224 K   C:\WINDOWS\system32\HPZipm12.exe

      realplay.exe         1444      976 K      1,692 K      RealNetworks, Inc.            33,804 K   

      lsass.exe         1672      2,088 K      1,252 K      Microsoft Corporation            37,584 K   C:\WINDOWS\system32\lsass.exe

      realsched.exe         1280      1,088 K      644 K      RealNetworks, Inc.            35,240 K   

      smss.exe         1016      172 K      432 K      Microsoft Corporation            3,808 K      \SystemRoot\System32\smss.exe

      System            4      0 K      244 K                        860 K   

      realplay.exe         1500      380 K      88 K                        2,708 K   

      System Idle Process      0      0 K      28 K                        0 K   

      Interrupts         n/a   1.21   0 K      0 K                        0 K   

      DPCs            n/a   0.72   0 K      0 K                        0 K   


      P.S. Text Wrap sucks. >:( >:( >:( >:( >:( >:( >:( >:( >:( >:(
      « Last Edit: May 06, 2011, 11:04:36 AM by trekkie »
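For anyone working through a Process Explorer dump like the one above, the following is an added example (not part of this thread and not Sysinternals code) of how an analyst might load the File > Save As text report and pull out the rows worth a second look: processes with no company name, processes whose command line could not be read, and Microsoft-branded images running from outside the Windows directory. It assumes the saved report is tab-separated with the header shown above (the forum rendering collapsed the tabs into runs of spaces). The sample rows are copied from the log above and re-joined with tabs, plus one fabricated row (PID 9999) so that the path check has something to fire on; nothing about that row describes the poster's machine.

```python
"""Triage a Process Explorer 'File > Save As' text dump.

Added example for the thread; not part of the thread and not Sysinternals code.
Assumes the report is tab-separated with the header row shown in the log.
"""
import re

HEADER = ["Process", "PID", "CPU", "Private Bytes", "Working Set",
          "Company Name", "Virtual Size", "Command Line"]

# Constructed sample: rows copied from the log above, re-joined with tabs,
# plus one fabricated row (PID 9999) that shows what a flagged entry looks like.
ROWS = [
    ["explorer.exe", "916", "", "12,152 K", "16,972 K", "Microsoft Corporation", "89,520 K", r"C:\WINDOWS\Explorer.EXE"],
    ["WG111v3.exe", "1412", "12.56", "4,748 K", "8,672 K", "", "51,700 K", r'"C:\Program Files\NETGEAR\WG111v3\WG111v3.exe"'],
    ["svchost.exe", "332", "", "2,996 K", "6,372 K", "Microsoft Corporation", "45,252 K", r"C:\WINDOWS\System32\svchost.exe -k Akamai"],
    ["realplay.exe", "1444", "", "976 K", "1,692 K", "RealNetworks, Inc.", "33,804 K", ""],
    ["winlogon.exe", "1616", "", "6,964 K", "3,376 K", "Microsoft Corporation", "57,460 K", "winlogon.exe"],
    ["System Idle Process", "0", "", "0 K", "28 K", "", "0 K", ""],
    # fabricated row, not from the poster's log: a system-process name in a profile directory
    ["svchost.exe", "9999", "", "1,000 K", "2,000 K", "Microsoft Corporation", "10,000 K", r"C:\Documents and Settings\user\svchost.exe"],
]
SAMPLE = "\n".join("\t".join(r) for r in [HEADER] + ROWS) + "\n"

# Kernel pseudo-processes that never carry a company name or command line.
PSEUDO_PROCESSES = {"System", "System Idle Process", "Interrupts", "DPCs"}
WINDOWS_DIR = "c:\\windows\\"   # expected home of Microsoft system binaries on this XP box


def parse_procexp(text):
    """Return one dict per process row, keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        fields = line.split("\t")
        fields += [""] * (len(cols) - len(fields))   # pad rows with trailing empty columns
        records.append(dict(zip(cols, fields)))
    return records


def parse_kb(value):
    """'12,152 K' -> 12152; anything unparsable -> 0."""
    m = re.match(r"\s*([\d,]+)\s*K", value)
    return int(m.group(1).replace(",", "")) if m else 0


def image_path(cmdline):
    """Extract the executable path from a command line, honouring a quoted first token."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(records):
    """Return {(name, pid): [reasons]} for rows an analyst should look at."""
    flagged = {}
    for r in records:
        name, pid = r["Process"], r["PID"]
        if name in PSEUDO_PROCESSES:
            continue
        reasons = []
        if not r["Company Name"].strip():
            reasons.append("no company name: unsigned or unknown publisher")
        if not r["Command Line"].strip():
            reasons.append("command line not shown: access denied or the process had already exited")
        path = image_path(r["Command Line"]).lower()
        # Only absolute paths (containing a drive colon) can be checked against the Windows dir.
        if "microsoft" in r["Company Name"].lower() and ":" in path \
                and not path.startswith(WINDOWS_DIR):
            reasons.append(f"Microsoft-branded binary outside the Windows directory: {path}")
        if reasons:
            flagged[(name, pid)] = reasons
    return flagged


if __name__ == "__main__":
    for (name, pid), reasons in triage(parse_procexp(SAMPLE)).items():
        print(f"{name} (PID {pid})")
        for why in reasons:
            print("   -", why)
```

Run against the sample it reports WG111v3.exe (no publisher in the column, which only means the image carries no version-info company string, not that it is hostile), realplay.exe (no command line captured) and the fabricated svchost.exe row; the legitimate svchost.exe and explorer.exe rows pass. The working-set and private-bytes columns are parsed by `parse_kb` so the same records can be sorted by memory if that is the question being asked.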

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: I'm really, really lost....
      « Reply #34 on: May 06, 2011, 12:34:53 PM »
      Quote
      By the way, are you the only Malware Removal Specialist left? Just, nobody else is posting here with that qualification. Almost nobody else from ComputerHope is posting here, for that matter. It just seems to be you, people like me looking for help and Allan sometimes pops in to do admin things like moving off-topic posts. .....
      I have a few more helpers that I can go to if I get snowed under but so far it's not that busy. We must be winning the war.
      It will take some time to analyse this log.
      Windows 8 and Windows 10 dual boot with two SSD's

      trekkie

        Topic Starter


        Rookie

        • Computer: Specs
        • Experience: Beginner
        • OS: Unknown
        Re: I'm really, really lost....
        « Reply #35 on: May 08, 2011, 07:18:45 AM »
        Is it because it's confusing to look at? If so, I can start posting the log one item at a time or something. Just tell me.

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: I'm really, really lost....
        « Reply #36 on: May 08, 2011, 01:03:12 PM »
        Quote
        Is it because it's confusing to look at? If so, I can start posting the log one item at a time or something. Just tell me.
        No. I just have to analyze all the processes. I should have it done in about a day or so.
        Windows 8 and Windows 10 dual boot with two SSD's

        trekkie

          Topic Starter


          Rookie

          • Computer: Specs
          • Experience: Beginner
          • OS: Unknown
          Re: I'm really, really lost....
          « Reply #37 on: May 09, 2011, 01:31:44 PM »
          OK, just keep me posted.

          SuperDave

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: I'm really, really lost....
          « Reply #38 on: May 12, 2011, 07:57:49 PM »
          Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.
          • Double-click mbr.exe to start the program.
          • When done scanning, it will save a log on the Desktop called mbr.log.
          • Please post the contents of that log in your next reply.
          Windows 8 and Windows 10 dual boot with two SSD's

          trekkie

            Topic Starter


            Rookie

            • Computer: Specs
            • Experience: Beginner
            • OS: Unknown
            Re: I'm really, really lost....
            « Reply #39 on: May 14, 2011, 03:50:38 AM »
            MBR only ran for a split second, and the log is very short. Is this normal?

            Anyways, MBR log:

            Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
            Windows 5.1.2600 Disk: ST340014AS rev.8.12 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

            device: opened successfully
            user: MBR read successfully
            kernel: MBR read successfully
            user & kernel MBR OK

            Also, just as a matter of interest: http://www.computerhope.com/forum/index.php/topic,69848.msg456085.html#msg456085
            When I post to my thread, it always appears at the top (just under the stickies). But he says it should go to the bottom of the pile. So... ???

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: I'm really, really lost....
            « Reply #40 on: May 14, 2011, 12:35:21 PM »
            • Download TDSSKiller and save it to your Desktop.
            • Extract its contents to your desktop.
            • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
            • If an infected file is detected, the default action will be Cure, click on Continue.
            • If a suspicious file is detected, the default action will be Skip, click on Continue.
            • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
            • Click the Report button and copy/paste the contents of it into your next reply.
            Note: It will also create a log in the C:\ directory.
            Windows 8 and Windows 10 dual boot with two SSD's

            trekkie

              Topic Starter


              Rookie

              • Computer: Specs
              • Experience: Beginner
              • OS: Unknown
              Re: I'm really, really lost....
              « Reply #41 on: May 15, 2011, 12:08:52 PM »
              TDSSKiller Log:

              2011/05/15 19:03:12.0984 1408   TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
              2011/05/15 19:03:14.0890 1408   ================================================================================
              2011/05/15 19:03:14.0890 1408   SystemInfo:
              2011/05/15 19:03:14.0890 1408   
              2011/05/15 19:03:14.0890 1408   OS Version: 5.1.2600 ServicePack: 3.0
              2011/05/15 19:03:14.0890 1408   Product type: Workstation
              2011/05/15 19:03:14.0890 1408   ComputerName: DIMENSION-E520E
              2011/05/15 19:03:14.0890 1408   UserName: Anna McManus
              2011/05/15 19:03:14.0890 1408   Windows directory: C:\WINDOWS
              2011/05/15 19:03:14.0890 1408   System windows directory: C:\WINDOWS
              2011/05/15 19:03:14.0890 1408   Processor architecture: Intel x86
              2011/05/15 19:03:14.0890 1408   Number of processors: 2
              2011/05/15 19:03:14.0890 1408   Page size: 0x1000
              2011/05/15 19:03:14.0890 1408   Boot type: Safe boot with network
              2011/05/15 19:03:14.0890 1408   ================================================================================
              2011/05/15 19:03:16.0046 1408   Initialize success
              2011/05/15 19:04:10.0203 0660   ================================================================================
              2011/05/15 19:04:10.0203 0660   Scan started
              2011/05/15 19:04:10.0203 0660   Mode: Manual;
              2011/05/15 19:04:10.0203 0660   ================================================================================
              2011/05/15 19:04:16.0218 0660   ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
              2011/05/15 19:04:16.0562 0660   ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
              2011/05/15 19:04:17.0156 0660   aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
              2011/05/15 19:04:17.0484 0660   AegisP          (30bb1bde595ca65fd5549462080d94e5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
              2011/05/15 19:04:17.0812 0660   AFD             (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
              2011/05/15 19:04:18.0156 0660   afw             (14ba5ca5d11771ce8e8b6cc6830a2436) C:\WINDOWS\system32\DRIVERS\afw.sys
              2011/05/15 19:04:18.0500 0660   afwcore         (1f3d61965a9bd278a205d3062176e45c) C:\WINDOWS\system32\drivers\afwcore.sys
              2011/05/15 19:04:20.0875 0660   ASWFilt         (1f9827d87260dad71555a34c7a8624c3) C:\WINDOWS\system32\Filt\ASWFilt.dll
              2011/05/15 19:04:21.0171 0660   AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
              2011/05/15 19:04:21.0484 0660   atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
              2011/05/15 19:04:22.0000 0660   Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
              2011/05/15 19:04:22.0312 0660   audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
              2011/05/15 19:04:22.0593 0660   Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
              2011/05/15 19:04:22.0953 0660   Bridge          (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
              2011/05/15 19:04:23.0078 0660   BridgeMP        (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
              2011/05/15 19:04:23.0390 0660   BVRPMPR5        (51b327292408b5f3a42e295bce055859) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
              2011/05/15 19:04:23.0656 0660   cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
              2011/05/15 19:04:24.0171 0660   Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
              2011/05/15 19:04:24.0468 0660   Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
              2011/05/15 19:04:24.0765 0660   cdrbsdrv        (351735695e9ead93de6af85d8beb1ca8) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
              2011/05/15 19:04:25.0046 0660   Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
              2011/05/15 19:04:26.0546 0660   Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
              2011/05/15 19:04:27.0093 0660   dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
              2011/05/15 19:04:27.0656 0660   dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
              2011/05/15 19:04:28.0000 0660   dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
              2011/05/15 19:04:28.0359 0660   DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
              2011/05/15 19:04:28.0968 0660   drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
              2011/05/15 19:04:29.0312 0660   e1express       (6f7ccd3c02b26d530900f06d98171a69) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
              2011/05/15 19:04:29.0703 0660   ElbyCDIO        (28cb0b64134ad62c2acf77db8501a619) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
              2011/05/15 19:04:30.0078 0660   Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
              2011/05/15 19:04:30.0406 0660   Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
              2011/05/15 19:04:30.0703 0660   Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
              2011/05/15 19:04:31.0000 0660   Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
              2011/05/15 19:04:31.0312 0660   FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
              2011/05/15 19:04:31.0625 0660   Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
              2011/05/15 19:04:31.0953 0660   Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
              2011/05/15 19:04:32.0281 0660   GEARAspiWDM     (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
              2011/05/15 19:04:32.0703 0660   Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
              2011/05/15 19:04:33.0062 0660   HDAudBus        (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
              2011/05/15 19:04:33.0359 0660   hidusb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
              2011/05/15 19:04:33.0968 0660   HPZid412        (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
              2011/05/15 19:04:34.0265 0660   HPZipr12        (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
              2011/05/15 19:04:34.0531 0660   HPZius12        (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
              2011/05/15 19:04:34.0906 0660   HSFHWBS2        (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
              2011/05/15 19:04:35.0625 0660   HSF_DP          (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
              2011/05/15 19:04:36.0265 0660   HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
              2011/05/15 19:04:37.0156 0660   i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
              2011/05/15 19:04:37.0468 0660   Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
              2011/05/15 19:04:38.0281 0660   intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
              2011/05/15 19:04:38.0578 0660   Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
              2011/05/15 19:04:38.0859 0660   IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
              2011/05/15 19:04:39.0171 0660   IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
              2011/05/15 19:04:39.0484 0660   IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
              2011/05/15 19:04:39.0859 0660   IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
              2011/05/15 19:04:40.0140 0660   IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
              2011/05/15 19:04:40.0468 0660   isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
              2011/05/15 19:04:40.0796 0660   Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
              2011/05/15 19:04:41.0062 0660   kbdhid          (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
              2011/05/15 19:04:41.0375 0660   kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
              2011/05/15 19:04:42.0343 0660   KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
              2011/05/15 19:04:42.0953 0660   mdmxsdk         (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
              2011/05/15 19:04:43.0250 0660   mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
              2011/05/15 19:04:43.0515 0660   Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
              2011/05/15 19:04:43.0812 0660   MODEMCSA        (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
              2011/05/15 19:04:44.0093 0660   Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
              2011/05/15 19:04:44.0359 0660   mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
              2011/05/15 19:04:44.0640 0660   MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
              2011/05/15 19:04:45.0187 0660   MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
              2011/05/15 19:04:45.0609 0660   MRxSmb          (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
              2011/05/15 19:04:46.0046 0660   Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
              2011/05/15 19:04:46.0359 0660   MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
              2011/05/15 19:04:46.0625 0660   MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
              2011/05/15 19:04:46.0890 0660   MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
              2011/05/15 19:04:47.0218 0660   mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
              2011/05/15 19:04:47.0750 0660   Mup             (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
              2011/05/15 19:04:48.0125 0660   NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
              2011/05/15 19:04:48.0437 0660   NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
              2011/05/15 19:04:48.0703 0660   Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
              2011/05/15 19:04:49.0015 0660   NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
              2011/05/15 19:04:49.0328 0660   NDProxy         (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
              2011/05/15 19:04:49.0625 0660   NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
              2011/05/15 19:04:49.0953 0660   NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
              2011/05/15 19:04:50.0671 0660   Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
              2011/05/15 19:04:51.0093 0660   Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
              2011/05/15 19:04:51.0562 0660   Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
              2011/05/15 19:04:53.0796 0660   nv              (5950e6cc9fb3fabb61604d395dbc8550) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
              2011/05/15 19:04:56.0046 0660   NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
              2011/05/15 19:04:56.0312 0660   NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
              2011/05/15 19:04:56.0640 0660   Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
              2011/05/15 19:04:56.0968 0660   PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
              2011/05/15 19:04:57.0296 0660   ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
              2011/05/15 19:04:57.0578 0660   PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
              2011/05/15 19:04:58.0156 0660   PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
              2011/05/15 19:04:58.0421 0660   Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
              2011/05/15 19:05:00.0218 0660   PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
              2011/05/15 19:05:00.0515 0660   prodrv06        (f2e3c8f1eb6ba0733e0a1f6373df7957) C:\WINDOWS\System32\drivers\prodrv06.sys
              2011/05/15 19:05:00.0843 0660   prohlp02        (150307b52807d0c493c605ab913038ad) C:\WINDOWS\system32\drivers\prohlp02.sys
              2011/05/15 19:05:01.0187 0660   PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
              2011/05/15 19:05:01.0484 0660   Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
              2011/05/15 19:05:02.0984 0660   RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
              2011/05/15 19:05:03.0312 0660   Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
              2011/05/15 19:05:03.0625 0660   RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
              2011/05/15 19:05:03.0906 0660   Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
              2011/05/15 19:05:04.0250 0660   Rdbss           (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
              2011/05/15 19:05:04.0562 0660   RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
              2011/05/15 19:05:04.0890 0660   rdpdr           (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
              2011/05/15 19:05:05.0250 0660   RDPWD           (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
              2011/05/15 19:05:05.0578 0660   redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
              2011/05/15 19:05:06.0015 0660   RTL8187B        (de4635e8b7975d2b5d961299469a7462) C:\WINDOWS\system32\DRIVERS\wg111v3.sys
              2011/05/15 19:05:06.0625 0660   SandBox         (a981b8e884f25701e58c55b3c44d869e) C:\WINDOWS\system32\drivers\SandBox.sys
              2011/05/15 19:05:06.0984 0660   SASDIFSV        (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
              2011/05/15 19:05:07.0171 0660   SASKUTIL        (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
              2011/05/15 19:05:07.0500 0660   Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
              2011/05/15 19:05:07.0843 0660   Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
              2011/05/15 19:05:08.0156 0660   sfhlp01         (462aee0ea0481ea8bd45cac876a4ccc4) C:\WINDOWS\system32\drivers\sfhlp01.sys
              2011/05/15 19:05:08.0390 0660   Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
              2011/05/15 19:05:09.0171 0660   splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
              2011/05/15 19:05:09.0562 0660   sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
              2011/05/15 19:05:09.0984 0660   Srv             (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
              2011/05/15 19:05:11.0390 0660   STHDA           (797fcc1d859b203958e915bb82528da9) C:\WINDOWS\system32\drivers\sthda.sys
              2011/05/15 19:05:12.0031 0660   swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
              2011/05/15 19:05:12.0562 0660   swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
              2011/05/15 19:05:13.0734 0660   sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
              2011/05/15 19:05:14.0171 0660   Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
              2011/05/15 19:05:14.0609 0660   Tcpip6          (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
              2011/05/15 19:05:14.0968 0660   TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
              2011/05/15 19:05:15.0234 0660   TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
              2011/05/15 19:05:15.0531 0660   TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
              2011/05/15 19:05:16.0140 0660   tunmp           (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
              2011/05/15 19:05:16.0421 0660   Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
              2011/05/15 19:05:17.0218 0660   Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
              2011/05/15 19:05:17.0671 0660   USBAAPL         (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
              2011/05/15 19:05:17.0953 0660   usbccgp         (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
              2011/05/15 19:05:18.0250 0660   usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
              2011/05/15 19:05:18.0531 0660   usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
              2011/05/15 19:05:18.0843 0660   usbprint        (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
              2011/05/15 19:05:19.0109 0660   usbscan         (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
              2011/05/15 19:05:19.0390 0660   usbstor         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
              2011/05/15 19:05:19.0656 0660   usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
              2011/05/15 19:05:20.0015 0660   VBEngNT         (8dfcd62c767741576bb9cd8da9854517) C:\WINDOWS\system32\drivers\VBEngNT.sys
              2011/05/15 19:05:20.0421 0660   VBFilt          (442e677f49d0e310a7b0841cb880e821) C:\WINDOWS\system32\Filt\VBFilt.dll
              2011/05/15 19:05:20.0765 0660   VClone          (9bf2ea54e5ed5acdf96f1dec84c117c4) C:\WINDOWS\system32\DRIVERS\VClone.sys
              2011/05/15 19:05:21.0031 0660   VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
              2011/05/15 19:05:21.0546 0660   VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
              2011/05/15 19:05:21.0890 0660   Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
              2011/05/15 19:05:22.0453 0660   wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
              2011/05/15 19:05:22.0984 0660   winachsf        (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
              2011/05/15 19:05:23.0640 0660   WudfPf          (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
              2011/05/15 19:05:23.0953 0660   WudfRd          (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
              2011/05/15 19:05:24.0296 0660   ================================================================================
              2011/05/15 19:05:24.0296 0660   Scan finished
              2011/05/15 19:05:24.0296 0660   ================================================================================

              SuperDave

              Re: I'm really, really lost....
              « Reply #42 on: May 15, 2011, 04:25:03 PM »
              Download and run SVCHOST Diag by DragonMaster Jay.

              Post the log from it when it launches.

              trekkie

                Re: I'm really, really lost....
                « Reply #43 on: May 16, 2011, 10:40:32 AM »
                I had a hunch the program could only find the problem in Normal Mode, but I also had a hunch that, paradoxically, the problem would hinder the program if I ran it in Normal Mode. So, I ran it in both Normal and Safe Mode and got 2 different logs (well, I haven't looked at them, so their contents could be the same). So...

                Normal Mode log:

                SVCHOST Diag
                 
                 
                 
                ~~~~~Services loaded under SVCHOST~~~~~
                 
                 
                 
                ~~~~~Modules loaded under SVCHOST~~~~~
                 
                 
                 
                ~~~~~SVCHOST service~~~~~
                 
                Windows Registry Editor Version 5.00

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
                "HTTPFilter"=hex(7):48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,\
                  00,00,00,00,00
                "LocalService"=hex(7):41,00,6c,00,65,00,72,00,74,00,65,00,72,00,00,00,57,00,65,\
                  00,62,00,43,00,6c,00,69,00,65,00,6e,00,74,00,00,00,4c,00,6d,00,48,00,6f,00,\
                  73,00,74,00,73,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,67,\
                  00,69,00,73,00,74,00,72,00,79,00,00,00,75,00,70,00,6e,00,70,00,68,00,6f,00,\
                  73,00,74,00,00,00,53,00,53,00,44,00,50,00,53,00,52,00,56,00,00,00,00,00
                "NetworkService"=hex(7):44,00,6e,00,73,00,43,00,61,00,63,00,68,00,65,00,00,00,\
                  00,00
                "netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
                  6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,42,\
                  00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,43,00,72,00,79,00,70,00,74,00,\
                  53,00,76,00,63,00,00,00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,\
                  00,44,00,48,00,43,00,50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,\
                  76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,\
                  00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
                  69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
                  00,69,00,74,00,79,00,00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,\
                  49,00,61,00,73,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,\
                  00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,\
                  76,00,65,00,72,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,\
                  00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,\
                  73,00,65,00,6e,00,67,00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,\
                  00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,\
                  00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,\
                  00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,\
                  74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,\
                  00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,\
                  63,00,65,00,73,00,73,00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,\
                  00,00,00,53,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,\
                  4e,00,53,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,\
                  00,73,00,73,00,00,00,53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
                  00,00,54,00,61,00,70,00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,\
                  00,65,00,73,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,\
                  32,00,54,00,69,00,6d,00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,\
                  00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,\
                  00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,77,00,73,00,63,00,73,\
                  00,76,00,63,00,00,00,78,00,6d,00,6c,00,70,00,72,00,6f,00,76,00,00,00,6e,00,\
                  61,00,70,00,61,00,67,00,65,00,6e,00,74,00,00,00,68,00,6b,00,6d,00,73,00,76,\
                  00,63,00,00,00,42,00,49,00,54,00,53,00,00,00,77,00,75,00,61,00,75,00,73,00,\
                  65,00,72,00,76,00,00,00,53,00,68,00,65,00,6c,00,6c,00,48,00,57,00,44,00,65,\
                  00,74,00,65,00,63,00,74,00,69,00,6f,00,6e,00,00,00,68,00,65,00,6c,00,70,00,\
                  73,00,76,00,63,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,4e,00,00,\
                  00,00,00
                "DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
                  00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
                  00,00,00,00
                "rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
                "eapsvcs"=hex(7):65,00,61,00,70,00,68,00,6f,00,73,00,74,00,00,00,00,00
                "dot3svc"=hex(7):64,00,6f,00,74,00,33,00,73,00,76,00,63,00,00,00,00,00
                "imgsvc"=hex(7):53,00,74,00,69,00,53,00,76,00,63,00,00,00,00,00
                "termsvcs"=hex(7):54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,\
                  65,00,00,00,00,00
                "WudfServiceGroup"=hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,\
                  00
                "Akamai"=hex(7):41,00,6b,00,61,00,6d,00,61,00,69,00,00,00

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\DComLaunch]
                "CoInitializeSecurityParam"=dword:00000001
                "DefaultRpcStackSize"=dword:00000008

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\dot3svc]
                "AuthenticationCapabilities"=dword:00003020
                "CoInitializeSecurityParam"=dword:00000001

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\eapsvcs]
                "AuthenticationCapabilities"=dword:00003020
                "CoInitializeSecurityParam"=dword:00000001

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\HTTPFilter]
                "CoInitializeSecurityParam"=dword:00000001

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService]
                "CoInitializeSecurityParam"=dword:00000001
                "AuthenticationCapabilities"=dword:00002000

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]
                "CoInitializeSecurityParam"=dword:00000001
                "AuthenticationCapabilities"=dword:00003020

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\PCHealth]
                "CoInitializeSecurityParam"=dword:00000002
                "AuthenticationCapabilities"=dword:00000040

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsvcs]
                "CoInitializeSecurityParam"=dword:00000001
                "DefaultRpcStackSize"=dword:00000008

                 
                 
                ~~~~~SVCHOST MD5~~~~~
                 
                27C6D03BCDB8CFEB96B716F3D8BE3E18  C:\WINDOWS\system32\svchost.exe
                 
                 
                ~~~~~END OF FILE!~~~~~

                Safe Mode log:

                SVCHOST Diag
                 
                 
                 
                ~~~~~Services loaded under SVCHOST~~~~~
                 

                Image Name:   svchost.exe
                PID:          1680
                Services:     DcomLaunch
                              TermService

                Image Name:   svchost.exe
                PID:          1740
                Services:     RpcSs

                Image Name:   svchost.exe
                PID:          1924
                Services:     Browser
                              CryptSvc
                              Dhcp
                              dmserver
                              helpsvc
                              LanmanServer
                              lanmanworkstation
                              Netman
                              SharedAccess
                              winmgmt
                              WZCSVC

                Image Name:   svchost.exe
                PID:          1940
                Services:     Dnscache
                 
                 
                ~~~~~Modules loaded under SVCHOST~~~~~
                 

                Image Name:   svchost.exe
                PID:          1680
                Modules:      ntdll.dll
                              kernel32.dll
                              ADVAPI32.dll
                              RPCRT4.dll
                              Secur32.dll
                              ShimEng.dll
                              AcGenral.DLL
                              USER32.dll
                              GDI32.dll
                              WINMM.dll
                              ole32.dll
                              msvcrt.dll
                              OLEAUT32.dll
                              MSACM32.dll
                              VERSION.dll
                              SHELL32.dll
                              SHLWAPI.dll
                              USERENV.dll
                              UxTheme.dll
                              IMM32.DLL
                              comctl32.dll
                              comctl32.dll
                              NTMARTA.DLL
                              SAMLIB.dll
                              WLDAP32.dll
                              rpcss.dll
                              WS2_32.dll
                              WS2HELP.dll
                              xpsp2res.dll
                              termsrv.dll
                              ICAAPI.dll
                              SETUPAPI.dll
                              WINTRUST.dll
                              CRYPT32.dll
                              MSASN1.dll
                              IMAGEHLP.dll
                              AUTHZ.dll
                              mstlsapi.dll
                              ACTIVEDS.dll
                              adsldpc.dll
                              NETAPI32.dll
                              ATL.DLL
                              REGAPI.dll
                              rsaenh.dll
                              CLBCATQ.DLL
                              COMRes.dll
                              Apphelp.dll

                Image Name:   svchost.exe
                PID:          1740
                Modules:      ntdll.dll
                              kernel32.dll
                              ADVAPI32.dll
                              RPCRT4.dll
                              Secur32.dll
                              ShimEng.dll
                              AcGenral.DLL
                              USER32.dll
                              GDI32.dll
                              WINMM.dll
                              ole32.dll
                              msvcrt.dll
                              OLEAUT32.dll
                              MSACM32.dll
                              VERSION.dll
                              SHELL32.dll
                              SHLWAPI.dll
                              USERENV.dll
                              UxTheme.dll
                              IMM32.DLL
                              comctl32.dll
                              comctl32.dll
                              rpcss.dll
                              WS2_32.dll
                              WS2HELP.dll
                              xpsp2res.dll
                              rsaenh.dll
                              mswsock.dll
                              hnetcfg.dll
                              wshtcpip.dll
                              wship6.dll
                              DNSAPI.dll
                              iphlpapi.dll
                              winrnr.dll
                              WLDAP32.dll
                              mdnsNSP.dll
                              rasadhlp.dll
                              CLBCATQ.DLL
                              COMRes.dll

                Image Name:   svchost.exe
                PID:          1924
                Modules:      ntdll.dll
                              kernel32.dll
                              ADVAPI32.dll
                              RPCRT4.dll
                              Secur32.dll
                              ShimEng.dll
                              AcGenral.DLL
                              USER32.dll
                              GDI32.dll
                              WINMM.dll
                              ole32.dll
                              msvcrt.dll
                              OLEAUT32.dll
                              MSACM32.dll
                              VERSION.dll
                              SHELL32.dll
                              SHLWAPI.dll
                              USERENV.dll
                              UxTheme.dll
                              IMM32.DLL
                              comctl32.dll
                              comctl32.dll
                              NTMARTA.DLL
                              SAMLIB.dll
                              WLDAP32.dll
                              xpsp2res.dll
                              dhcpcsvc.dll
                              DNSAPI.dll
                              WS2_32.dll
                              WS2HELP.dll
                              iphlpapi.dll
                              wzcsvc.dll
                              rtutils.dll
                              WMI.dll
                              CRYPT32.dll
                              MSASN1.dll
                              EapolQec.dll
                              ATL.DLL
                              QUtil.dll
                              MSVCP60.dll
                              dot3api.dll
                              WTSAPI32.dll
                              WINSTA.dll
                              NETAPI32.dll
                              ESENT.dll
                              CLBCATQ.DLL
                              COMRes.dll
                              rsaenh.dll
                              WZCSAPI.DLL
                              rastls.dll
                              CRYPTUI.dll
                              WININET.dll
                              Normaliz.dll
                              urlmon.dll
                              iertutil.dll
                              WINTRUST.dll
                              IMAGEHLP.dll
                              MPRAPI.dll
                              ACTIVEDS.dll
                              adsldpc.dll
                              SETUPAPI.dll
                              RASAPI32.dll
                              rasman.dll
                              TAPI32.dll
                              SCHANNEL.dll
                              WinSCard.dll
                              PSAPI.DLL
                              wkssvc.dll
                              NTDSAPI.dll
                              raschap.dll
                              cryptsvc.dll
                              certcli.dll
                              msv1_0.dll
                              cryptdll.dll
                              dmserver.dll
                              srvsvc.dll
                              srsvc.dll
                              POWRPROF.dll
                              wmisvc.dll
                              VSSAPI.DLL
                              netman.dll
                              netshell.dll
                              credui.dll
                              dot3dlg.dll
                              OneX.DLL
                              eappcfg.dll
                              eappprxy.dll
                              pchsvc.dll
                              HNETCFG.DLL
                              ipnathlp.dll
                              MSWSOCK.dll
                              AUTHZ.dll
                              wshtcpip.dll
                              wship6.dll
                              browser.dll
                              wbemcomn.dll
                              wbemcore.dll
                              esscli.dll
                              FastProx.dll
                              wmiutils.dll
                              repdrvfs.dll
                              wmiprvsd.dll
                              NCObjAPI.DLL
                              wbemess.dll
                              ncprov.dll
                              upnp.dll
                              WINHTTP.dll
                              SSDPAPI.dll
                              wbemsvc.dll

                Image Name:   svchost.exe
                PID:          1940
                Modules:      ntdll.dll
                              kernel32.dll
                              ADVAPI32.dll
                              RPCRT4.dll
                              Secur32.dll
                              ShimEng.dll
                              AcGenral.DLL
                              USER32.dll
                              GDI32.dll
                              WINMM.dll
                              ole32.dll
                              msvcrt.dll
                              OLEAUT32.dll
                              MSACM32.dll
                              VERSION.dll
                              SHELL32.dll
                              SHLWAPI.dll
                              USERENV.dll
                              UxTheme.dll
                              IMM32.DLL
                              comctl32.dll
                              comctl32.dll
                              dnsrslvr.dll
                              DNSAPI.dll
                              WS2_32.dll
                              WS2HELP.dll
                              iphlpapi.dll
                 
                 
                ~~~~~SVCHOST service~~~~~
                 
                Windows Registry Editor Version 5.00

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
                "HTTPFilter"=hex(7):48,00,54,00,54,00,50,00,46,00,69,00,6c,00,74,00,65,00,72,\
                  00,00,00,00,00
                "LocalService"=hex(7):41,00,6c,00,65,00,72,00,74,00,65,00,72,00,00,00,57,00,65,\
                  00,62,00,43,00,6c,00,69,00,65,00,6e,00,74,00,00,00,4c,00,6d,00,48,00,6f,00,\
                  73,00,74,00,73,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,67,\
                  00,69,00,73,00,74,00,72,00,79,00,00,00,75,00,70,00,6e,00,70,00,68,00,6f,00,\
                  73,00,74,00,00,00,53,00,53,00,44,00,50,00,53,00,52,00,56,00,00,00,00,00
                "NetworkService"=hex(7):44,00,6e,00,73,00,43,00,61,00,63,00,68,00,65,00,00,00,\
                  00,00
                "netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
                  6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,42,\
                  00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,43,00,72,00,79,00,70,00,74,00,\
                  53,00,76,00,63,00,00,00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,\
                  00,44,00,48,00,43,00,50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,\
                  76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,\
                  00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
                  69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
                  00,69,00,74,00,79,00,00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,\
                  49,00,61,00,73,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,\
                  00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,\
                  76,00,65,00,72,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,\
                  00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,\
                  73,00,65,00,6e,00,67,00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,\
                  00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,\
                  00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,\
                  00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,\
                  74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,\
                  00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,\
                  63,00,65,00,73,00,73,00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,\
                  00,00,00,53,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,\
                  4e,00,53,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,\
                  00,73,00,73,00,00,00,53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
                  00,00,54,00,61,00,70,00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,\
                  00,65,00,73,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,\
                  32,00,54,00,69,00,6d,00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,\
                  00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,\
                  00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,77,00,73,00,63,00,73,\
                  00,76,00,63,00,00,00,78,00,6d,00,6c,00,70,00,72,00,6f,00,76,00,00,00,6e,00,\
                  61,00,70,00,61,00,67,00,65,00,6e,00,74,00,00,00,68,00,6b,00,6d,00,73,00,76,\
                  00,63,00,00,00,42,00,49,00,54,00,53,00,00,00,77,00,75,00,61,00,75,00,73,00,\
                  65,00,72,00,76,00,00,00,53,00,68,00,65,00,6c,00,6c,00,48,00,57,00,44,00,65,\
                  00,74,00,65,00,63,00,74,00,69,00,6f,00,6e,00,00,00,68,00,65,00,6c,00,70,00,\
                  73,00,76,00,63,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,4e,00,00,\
                  00,00,00
                "DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
                  00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
                  00,00,00,00
                "rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
                "eapsvcs"=hex(7):65,00,61,00,70,00,68,00,6f,00,73,00,74,00,00,00,00,00
                "dot3svc"=hex(7):64,00,6f,00,74,00,33,00,73,00,76,00,63,00,00,00,00,00
                "imgsvc"=hex(7):53,00,74,00,69,00,53,00,76,00,63,00,00,00,00,00
                "termsvcs"=hex(7):54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,\
                  65,00,00,00,00,00
                "WudfServiceGroup"=hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,\
                  00
                "Akamai"=hex(7):41,00,6b,00,61,00,6d,00,61,00,69,00,00,00

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\DComLaunch]
                "CoInitializeSecurityParam"=dword:00000001
                "DefaultRpcStackSize"=dword:00000008

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\dot3svc]
                "AuthenticationCapabilities"=dword:00003020
                "CoInitializeSecurityParam"=dword:00000001

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\eapsvcs]
                "AuthenticationCapabilities"=dword:00003020
                "CoInitializeSecurityParam"=dword:00000001

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\HTTPFilter]
                "CoInitializeSecurityParam"=dword:00000001

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\LocalService]
                "CoInitializeSecurityParam"=dword:00000001
                "AuthenticationCapabilities"=dword:00002000

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]
                "CoInitializeSecurityParam"=dword:00000001
                "AuthenticationCapabilities"=dword:00003020

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\PCHealth]
                "CoInitializeSecurityParam"=dword:00000002
                "AuthenticationCapabilities"=dword:00000040

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\termsvcs]
                "CoInitializeSecurityParam"=dword:00000001
                "DefaultRpcStackSize"=dword:00000008

                 
                 
                ~~~~~SVCHOST MD5~~~~~
                 
                27C6D03BCDB8CFEB96B716F3D8BE3E18  C:\WINDOWS\system32\svchost.exe
                 
                 
                ~~~~~END OF FILE!~~~~~
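
The registry half of both logs above is the group table svchost.exe reads from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, exported as hex(7) (REG_MULTI_SZ), so the service names are not readable as printed. The Python script below is an added example, not part of the thread and not part of SVCHOST Diag: it decodes those values from a .reg export, lists which services each group hosts, and flags group names outside a baseline. The sample export embedded in it is a trimmed copy of the values shown in the log (constructed for the example); the baseline set, the function names and the case-insensitive reverse lookup are assumptions of the example.

```python
r"""Decode the SvcHost group table from a .reg export and flag unexpected groups.

svchost.exe hosts services in groups named by REG_MULTI_SZ values under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost. A .reg export
shows those as hex(7) byte lists (UTF-16LE strings, each NUL-terminated),
which is what the SVCHOST Diag log prints. This script turns them back into
names. Example code, not the tool's own.
"""
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the export format seen in the log.
# The hex values are the ones the log shows; only a few groups are kept.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"LocalService"=hex(7):41,00,6c,00,65,00,72,00,74,00,65,00,72,00,00,00,57,00,65,\
  00,62,00,43,00,6c,00,69,00,65,00,6e,00,74,00,00,00,4c,00,6d,00,48,00,6f,00,\
  73,00,74,00,73,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,52,00,65,00,67,\
  00,69,00,73,00,74,00,72,00,79,00,00,00,75,00,70,00,6e,00,70,00,68,00,6f,00,\
  73,00,74,00,00,00,53,00,53,00,44,00,50,00,53,00,52,00,56,00,00,00,00,00
"NetworkService"=hex(7):44,00,6e,00,73,00,43,00,61,00,63,00,68,00,65,00,00,00,\
  00,00
"DcomLaunch"=hex(7):44,00,63,00,6f,00,6d,00,4c,00,61,00,75,00,6e,00,63,00,68,\
  00,00,00,54,00,65,00,72,00,6d,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
  00,00,00,00
"rpcss"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"Akamai"=hex(7):41,00,6b,00,61,00,6d,00,61,00,69,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs]
"CoInitializeSecurityParam"=dword:00000001
'''

# Assumption: the stock group names, taken from the Microsoft-defined groups
# present in this log. Not an authoritative XP list; adjust per build.
BASELINE_GROUPS = {
    "HTTPFilter", "LocalService", "NetworkService", "netsvcs", "DcomLaunch",
    "rpcss", "eapsvcs", "dot3svc", "imgsvc", "termsvcs", "WudfServiceGroup",
}

_CONTINUATION = re.compile(r"\\\r?\n[ \t]*")       # ',\' + newline + indent
_HEX7_VALUE = re.compile(r'^"([^"]+)"=hex\(7\):(.*)$')


def decode_multi_sz(hex_list: str) -> List[str]:
    """Turn '52,00,70,00,...' into the list of strings it encodes."""
    raw = bytes(int(tok, 16) for tok in hex_list.split(",") if tok.strip())
    if len(raw) % 2:                     # a UTF-16 buffer must be even-length
        raw = raw[:-1]
    text = raw.decode("utf-16-le", errors="replace")
    # Each string ends in NUL and the list normally ends in an extra NUL; the
    # "Akamai" value in the log lacks that final NUL, so tolerate both.
    return [s for s in text.split("\x00") if s]


def parse_svchost_groups(reg_text: str) -> Dict[str, List[str]]:
    """Map each group name under the SvcHost key to the services it hosts."""
    joined = _CONTINUATION.sub("", reg_text)
    groups: Dict[str, List[str]] = {}
    in_svchost_key = False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Only the SvcHost key itself holds the group table; its subkeys
            # (e.g. SvcHost\netsvcs) hold per-group COM security settings.
            in_svchost_key = line[1:-1].lower().endswith("\\svchost")
            continue
        if not in_svchost_key:
            continue
        m = _HEX7_VALUE.match(line)
        if m:
            groups[m.group(1)] = decode_multi_sz(m.group(2))
    return groups


def unexpected_groups(groups: Dict[str, List[str]],
                      baseline=BASELINE_GROUPS) -> List[str]:
    """Group names not in the baseline, in export order. Unusual is not the
    same as malicious: this is a review list, not a verdict."""
    return [name for name in groups if name not in baseline]


def group_of(service: str, groups: Dict[str, List[str]]) -> str:
    """Reverse lookup: which group hosts a service name as shown by the diag
    log or 'tasklist /svc' (compared case-insensitively), or '' if none."""
    wanted = service.lower()
    for name, members in groups.items():
        if any(m.lower() == wanted for m in members):
            return name
    return ""


if __name__ == "__main__":
    table = parse_svchost_groups(SAMPLE_REG)
    for name, members in table.items():
        print(f"{name:16s} {', '.join(members)}")
    print("review:", unexpected_groups(table))
    print("Dnscache ->", group_of("Dnscache", table))
```

Run on the trimmed sample it prints the decoded groups and lists Akamai as the one name outside the baseline; that only says it is not a stock group, which is a prompt to look at which service the group hosts and where that service's ImagePath points, not a finding on its own. group_of is the reverse lookup for the Safe Mode process listing: Dnscache under PID 1940 resolves to the NetworkService group, and a service name that resolves to no group at all would be worth a closer look.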

                SuperDave

                Re: I'm really, really lost....
                « Reply #44 on: May 17, 2011, 11:16:09 AM »
                We're pulling out the big guns to get this sucker.

                Save these instructions so you can have access to them while in Safe Mode.

                Please click here to download AVP Tool by Kaspersky.
                • Save it to your desktop.
                • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
                • Double click the setup file to run it.
                • Click Next to continue.
                • Accept the License agreement and click on next.
                • It will, by default, install it to your desktop folder. Click Next.
                • It will then open a box. There will be a tab that says Automatic scan.
                • Under Automatic scan make sure these are checked.
                • Hidden Startup Objects
                • System Memory
                • Disk Boot Sectors.
                • My Computer.
                • Also any other drives (Removable that you may have)
                Leave the rest of the settings as they appear as default.
                • Then click on Scan at the top right-hand corner.
                • It will automatically neutralize any objects found.
                • If some objects are left un-neutralized, click the button that says Neutralize all.
                • If it says an object cannot be neutralized, choose the delete option when prompted.
                • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
                • Save it somewhere convenient like your desktop, and post only the detected virus/malware entries from the report (they will be at the very top, under Detected) in your next reply.

                Note: This tool will self uninstall when you close it so please save the log before closing it.