Rootkit.ZeroAccess (PING.exe)


I can.

Keyboard

  • Auto-detect - best driver already installed.
  • I do not have a driver file for the keyboard, so no other options are available to update.

Touchpad

  • Auto-detect - best driver already installed.
  • Point to driver file, it installs the Alps driver. Still, Device now reads Dell Touchpad, with the same Code 39 error. Windows Auto-detect says best-driver installed.

Soundcard

  • Auto-detect - best driver already installed.
  • Point to driver file (Let me pick .... Have disk) - The folder you specified doesn't contain a compatible software driver for your device. (Tried both the Dell supplied Sigmatel Vista driver, and the IDT Win7 driver I had working prior to ZA's dirty deeds.)

Reboot, and everything remains the same.

Link to post
Share on other sites


2012-02-14 19:32:33 . 2012-02-14 19:32:33 924 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-uTorrent.reg.dat
2012-02-14 19:32:08 . 2012-02-14 19:32:08 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-67586644.sys.reg.dat
2012-02-14 19:32:08 . 2012-02-14 19:32:08 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-58699906.sys.reg.dat
2012-02-14 19:32:08 . 2012-02-14 19:32:08 558 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SafeBoot-16715399.sys.reg.dat
2012-02-14 19:27:41 . 2012-02-15 14:45:48 14,622 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-02-12 09:43:38 . 2012-02-12 09:43:38 26 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2524188640\cfg.ini.vir
2012-02-12 09:43:37 . 2012-02-12 09:43:38 2,048 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2524188640\@.vir
2012-02-12 09:43:37 . 2012-02-12 09:43:37 74,752 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2524188640\L\zoosrkng.vir
2012-02-12 09:43:37 . 2012-02-12 10:29:38 4,608 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2524188640\Desktop.ini.vir
2012-02-12 09:43:37 . 2012-02-12 09:43:37 0 -c--a-we C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\1603181558.vir
2012-02-08 04:22:00 . 2012-02-08 04:22:00 0 -c--a-we C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\1613924063.vir
2012-02-07 20:18:20 . 2012-02-15 14:32:25 1,426 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-02-07 01:01:45 . 2012-02-07 06:13:19 272 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2524188640\oemid.vir
2012-02-07 00:43:41 . 2012-02-07 18:29:50 862 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2524188640\version.vir
2012-02-07 00:43:18 . 2012-02-07 00:43:18 0 -c--a-we C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2494558991.vir
2012-02-06 05:52:32 . 2012-02-07 00:43:39 2,048 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2524188640\U\00000001.@.vir
2012-02-05 13:32:04 . 2012-02-07 00:43:39 66,048 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2524188640\U\80000000.@.vir
2012-01-29 00:09:53 . 2012-02-07 00:43:40 73,216 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2524188640\U\80000032.@.vir
2012-01-19 20:39:49 . 2012-01-19 20:39:59 1,754,499 ----a-w- C:\Qoobox\Quarantine\C\Users\edshead\AppData\Local\Microsoft\Windows\Temporary Internet Files\{BBF45F7A-B2B5-4B17-8F0C-8AFF191052BF}.xps.vir
2012-01-11 05:47:37 . 2012-01-11 05:47:51 8,358,653 ----a-w- C:\Qoobox\Quarantine\C\Users\edshead\AppData\Local\Microsoft\Windows\Temporary Internet Files\{60AB8352-887E-45E3-8F58-758DC68C0059}.xps.vir
2012-01-09 06:23:06 . 2012-01-09 06:23:06 146,684 ----a-w- C:\Qoobox\Quarantine\C\Users\edshead\AppData\Local\Microsoft\Windows\Temporary Internet Files\{626A19B9-AD67-43B6-9D00-6523804475BA}.xps.vir
2011-12-26 08:08:18 . 2011-12-26 08:08:18 119,538 ----a-w- C:\Qoobox\Quarantine\C\Users\edshead\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F9856367-8FE8-4F13-8D7F-02AD13377AA0}.xps.vir
2011-12-26 08:08:05 . 2011-12-26 08:08:05 72,308 ----a-w- C:\Qoobox\Quarantine\C\Users\edshead\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8C73AC1C-7981-44F0-92EC-07E78650C4D1}.xps.vir
2011-12-26 08:07:27 . 2011-12-26 08:07:27 66,957 ----a-w- C:\Qoobox\Quarantine\C\Users\edshead\AppData\Local\Microsoft\Windows\Temporary Internet Files\{22A1C55B-BA93-4BB6-A725-A3A9AD505593}.xps.vir
2011-12-26 08:07:22 . 2011-12-26 08:07:22 105,587 ----a-w- C:\Qoobox\Quarantine\C\Users\edshead\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E1B8643D-DEE8-4F03-8EE4-B7C9B580D065}.xps.vir
2011-12-26 08:07:09 . 2011-12-26 08:07:09 229,846 ----a-w- C:\Qoobox\Quarantine\C\Users\edshead\AppData\Local\Microsoft\Windows\Temporary Internet Files\{8833B2C5-3150-4C0F-9AD8-9CB45EB95ECC}.xps.vir
2011-12-26 08:06:57 . 2011-12-26 08:06:57 82,778 ----a-w- C:\Qoobox\Quarantine\C\Users\edshead\AppData\Local\Microsoft\Windows\Temporary Internet Files\{F423D0D1-2C10-4F58-B585-B1F2F85FBCFF}.xps.vir
2011-12-26 08:06:51 . 2011-12-26 08:06:51 122,341 ----a-w- C:\Qoobox\Quarantine\C\Users\edshead\AppData\Local\Microsoft\Windows\Temporary Internet Files\{7529EB3F-E253-4F74-BDF3-9CF4768B0C2B}.xps.vir
2011-12-11 03:55:08 . 2011-12-10 22:59:26 11,362 ----a-w- C:\Qoobox\Quarantine\C\Windows\system32\mingwm10.dll.vir
2011-12-02 12:07:49 . 2012-02-07 00:43:42 224,768 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2524188640\U\00000002.@.vir
2011-11-29 13:10:08 . 2012-02-07 00:43:39 12,800 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2524188640\U\80000004.@.vir
2011-11-02 17:48:14 . 2012-02-07 00:43:39 1,024 -c--a-w- C:\Qoobox\Quarantine\C\Windows\$NtUninstallKB39316$\2524188640\U\00000004.@.vir
2011-05-11 09:30:41 . 2011-03-25 02:57:58 43,008 ----a-w- C:\Qoobox\Quarantine\C\Windows\system32\Drivers\usbehci.sys.vir
2010-11-20 21:29:03 . 2010-11-20 21:29:03 108,544 ----a-w- C:\Qoobox\Quarantine\C\Windows\system32\Drivers\hdaudbus.sys.vir
2010-01-13 09:20:26 . 2010-01-13 09:20:26 0 ----a-w- C:\Qoobox\Quarantine\C\hb_28F.tmp.vir
2009-07-13 23:11:24 . 2009-07-13 23:11:24 80,896 ----a-w- C:\Qoobox\Quarantine\C\Windows\system32\Drivers\i8042prt.sys.vir
2008-08-27 03:52:55 . 2008-08-27 03:51:19 720,896 ----a-w- C:\Qoobox\Quarantine\C\Windows\iun6002.exe.vir
2008-08-02 17:48:35 . 2010-01-08 04:30:59 435 ----a-w- C:\Qoobox\Quarantine\C\Windows\system32\Drivers\etc\hosts.ics.vir
2008-07-02 01:22:50 . 2008-07-02 01:38:48 1,844 ----a-w- C:\Qoobox\Quarantine\C\Users\edshead\AppData\Roaming\Install.dat.vir

Link to post
Share on other sites

Let's do a search for all drivers that were involved here as all seem related to the problems you have.

OTL

-----

We need to run an OTL Custom Scan

  1. Please reopen OTL on your desktop.
  2. Click the NONE button.
  3. Copy and Paste the following code into the Custom Scans/Fixes textbox.
    /md5start
    usbehci.sys
    hdaudbus.sys
    i8042prt.sys
    /md5stop


  4. Push the Run Scan button.
  5. A report will open. Copy and Paste that report in your next reply.

Link to post
Share on other sites


OTL logfile created on: 2/17/2012 12:31:49 AM - Run 9
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\edshead\Desktop\fixes
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.50 Gb Total Physical Memory | 1.90 Gb Available Physical Memory | 54.45% Memory free
6.99 Gb Paging File | 5.16 Gb Available in Paging File | 73.83% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 410.15 Gb Total Space | 149.73 Gb Free Space | 36.50% Space Free | Partition Type: NTFS
Drive F: | 970.13 Mb Total Space | 886.09 Mb Free Space | 91.34% Space Free | Partition Type: FAT

Computer Name: DERENOPHOCIM | User Name: edshead | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

[color=#E56717]========== Custom Scans ==========[/color]



[color=#A23BEC]< MD5 for: HDAUDBUS.SYS >[/color]
[2009/04/10 20:42:44 | 000,561,152 | ---- | M] (Microsoft Corporation) MD5=062452B7FFD68C8C042A6261FE8DFF4A -- C:\Temp\sandbox\x86_hdaudbus.inf_31bf3856ad364e35_6.0.6002.18005_none_790d0bed83a8ec35\hdaudbus.sys
[2009/04/10 20:42:44 | 000,561,152 | ---- | M] (Microsoft Corporation) MD5=062452B7FFD68C8C042A6261FE8DFF4A -- C:\Temp\x86_hdaudbus.inf_31bf3856ad364e35_6.0.6002.18005_none_790d0bed83a8ec35\hdaudbus.sys
[2010/11/20 13:29:03 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=9036377B8A6C15DC2EEC53E489D159B5 -- C:\Windows\System32\drivers\HDAudBus.sys
[2010/11/20 13:29:03 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=9036377B8A6C15DC2EEC53E489D159B5 -- C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_x86_neutral_77479a4820fb8643\hdaudbus.sys
[2010/11/20 13:29:03 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=9036377B8A6C15DC2EEC53E489D159B5 -- C:\Windows\winsxs\x86_hdaudbus.inf_31bf3856ad364e35_6.1.7601.17514_none_7928fccce4c939f4\hdaudbus.sys

[color=#A23BEC]< MD5 for: I8042PRT.SYS >[/color]
[2008/01/18 21:49:20 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=22D56C8184586B7A1F6FA60BE5F5A2BD -- C:\Temp\sandbox\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\i8042prt.sys
[2008/01/18 21:49:20 | 000,054,784 | ---- | M] (Microsoft Corporation) MD5=22D56C8184586B7A1F6FA60BE5F5A2BD -- C:\Temp\x86_keyboard.inf_31bf3856ad364e35_6.0.6002.18005_none_9939e6e4d61ab7ca\i8042prt.sys
[2009/07/13 15:11:24 | 000,080,896 | ---- | M] (Microsoft Corporation) MD5=F151F0BDC47F4A28B1B20A0818EA36D6 -- C:\Windows\System32\drivers\i8042prt.sys
[2009/07/13 15:11:24 | 000,080,896 | ---- | M] (Microsoft Corporation) MD5=F151F0BDC47F4A28B1B20A0818EA36D6 -- C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_x86_neutral_50ad659974198591\i8042prt.sys
[2009/07/13 15:11:24 | 000,080,896 | ---- | M] (Microsoft Corporation) MD5=F151F0BDC47F4A28B1B20A0818EA36D6 -- C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_x86_neutral_7a9084e0177406eb\i8042prt.sys
[2009/07/13 15:11:24 | 000,080,896 | ---- | M] (Microsoft Corporation) MD5=F151F0BDC47F4A28B1B20A0818EA36D6 -- C:\Windows\winsxs\x86_keyboard.inf_31bf3856ad364e35_6.1.7601.17514_none_9955d7c4373b0589\i8042prt.sys
[2009/07/13 15:11:24 | 000,080,896 | ---- | M] (Microsoft Corporation) MD5=F151F0BDC47F4A28B1B20A0818EA36D6 -- C:\Windows\winsxs\x86_msmouse.inf_31bf3856ad364e35_6.1.7600.16385_none_4e0a61a033aec8c3\i8042prt.sys

[color=#A23BEC]< MD5 for: USBEHCI.SYS >[/color]
[2009/04/10 20:42:54 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=79E96C23A97CE7B8F14D310DA2DB0C9B -- C:\Temp\sandbox\x86_usbport.inf_31bf3856ad364e35_6.0.6002.18005_none_bfadd87f00af6ca2\usbehci.sys
[2009/04/10 20:42:54 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=79E96C23A97CE7B8F14D310DA2DB0C9B -- C:\Temp\x86_usbport.inf_31bf3856ad364e35_6.0.6002.18005_none_bfadd87f00af6ca2\usbehci.sys
[2011/03/24 18:54:29 | 000,043,008 | ---- | M] (Microsoft Corporation) MD5=B1E46B8058AF716729D874B4DF7C68E0 -- C:\Windows\winsxs\x86_usbport.inf_31bf3856ad364e35_6.1.7601.21692_none_bffae6357b300705\usbehci.sys
[2010/11/20 13:29:03 | 000,042,496 | ---- | M] (Microsoft Corporation) MD5=CFBCE999C057D78979A181C9C60F208E -- C:\Windows\System32\DriverStore\FileRepository\usbport.inf_x86_neutral_f9abf85fd00186bd\usbehci.sys
[2010/11/20 13:29:03 | 000,042,496 | ---- | M] (Microsoft Corporation) MD5=CFBCE999C057D78979A181C9C60F208E -- C:\Windows\winsxs\x86_usbport.inf_31bf3856ad364e35_6.1.7601.17514_none_bfc9c95e61cfba61\usbehci.sys
[2011/03/24 18:57:58 | 000,043,008 | ---- | M] (Microsoft Corporation) MD5=F92DE757E4B7CE9C07C5E65423F3AE3B -- C:\Windows\System32\drivers\usbehci.sys
[2011/03/24 18:57:58 | 000,043,008 | ---- | M] (Microsoft Corporation) MD5=F92DE757E4B7CE9C07C5E65423F3AE3B -- C:\Windows\System32\DriverStore\FileRepository\usbport.inf_x86_neutral_18e46bb8fd6f032e\usbehci.sys
[2011/03/24 18:57:58 | 000,043,008 | ---- | M] (Microsoft Corporation) MD5=F92DE757E4B7CE9C07C5E65423F3AE3B -- C:\Windows\winsxs\x86_usbport.inf_31bf3856ad364e35_6.1.7601.17586_none_bf801a7e6206b0a6\usbehci.sys
< End of report >

Link to post
Share on other sites
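
The comparison that the OTL /md5start report above supports, as an added example that is not part of the original thread: it parses report lines in the format shown and checks whether the copy in System32\drivers has the same MD5 as a DriverStore or winsxs copy of the same file. The sample lines, driver names and hashes are constructed placeholders, and the verdict labels are this example's own.

```python
import re
from collections import defaultdict
from ntpath import basename  # handles Windows paths on any OS

# OTL line: [date time | size | attrs | M] (Company) MD5=<32 hex> -- <path>
LINE = re.compile(
    r"^\[(?P<mtime>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)

def location(path):
    """Classify where a copy lives; DriverStore is tested before drivers."""
    p = path.lower()
    if "\\driverstore\\filerepository\\" in p:
        return "driverstore"
    if "\\winsxs\\" in p:
        return "winsxs"
    if "\\system32\\drivers\\" in p:
        return "active"
    return "other"  # e.g. copies extracted to a temp folder

def parse_otl_md5(text):
    """Return one record per MD5 line; headers and BBCode lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            path = m.group("path")
            records.append({"name": basename(path).lower(),
                            "md5": m.group("md5").upper(),
                            "size": int(m.group("size").replace(",", "")),
                            "company": m.group("company"),
                            "where": location(path), "path": path})
    return records

def audit(records):
    """Compare each in-use driver with the reference copies on the same disk."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["name"]].append(rec)
    report = {}
    for name, recs in by_name.items():
        active = [r for r in recs if r["where"] == "active"]
        refs = [r for r in recs if r["where"] in ("driverstore", "winsxs")]
        md5 = active[0]["md5"] if active else None
        if not active:
            verdict = "no-active-copy"
        elif not refs:
            verdict = "no-reference-copy"
        elif any(r["md5"] == md5 for r in refs):
            verdict = "match"
        else:
            verdict = "mismatch"  # in-use file differs from every local reference
        report[name] = {"active_md5": md5, "verdict": verdict,
                        "matching_refs": [r["path"] for r in refs if r["md5"] == md5]}
    return report

# Constructed sample in the report's format; @A@..@D@ become placeholder hashes.
SAMPLE_LOG = r"""
[color=#A23BEC]< MD5 for: EXAMPLEA.SYS >[/color]
[2010/11/20 13:29:03 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=@A@ -- C:\Windows\System32\drivers\ExampleA.sys
[2010/11/20 13:29:03 | 000,108,544 | ---- | M] (Microsoft Corporation) MD5=@A@ -- C:\Windows\System32\DriverStore\FileRepository\examplea.inf_x86_neutral_0000000000000000\examplea.sys
[2009/04/10 20:42:44 | 000,561,152 | ---- | M] (Microsoft Corporation) MD5=@B@ -- C:\Temp\examplea.sys
[color=#A23BEC]< MD5 for: EXAMPLEB.SYS >[/color]
[2011/03/24 18:57:58 | 000,043,008 | ---- | M] () MD5=@C@ -- C:\Windows\System32\drivers\exampleb.sys
[2011/03/24 18:54:29 | 000,043,008 | ---- | M] (Microsoft Corporation) MD5=@D@ -- C:\Windows\winsxs\x86_exampleb.inf_0000000000000000_none_0000000000000000\exampleb.sys
"""
for _k in "ABCD":
    SAMPLE_LOG = SAMPLE_LOG.replace(f"@{_k}@", _k * 32)

if __name__ == "__main__":
    for name, row in sorted(audit(parse_otl_md5(SAMPLE_LOG)).items()):
        print(name, row["verdict"], row["active_md5"])
```

A "match" only shows that the in-use file is identical to another copy on the same disk, so a clean result still depends on those reference copies being untouched.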

Let's start with the Audio. Can you replace the following file using Ubuntu?

C:\Windows\System32\drivers\HDAudBus.sys: rename this file to hdaudbus.bak, then copy the following file and paste it into the Drivers folder: C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_x86_neutral_77479a4820fb8643\hdaudbus.sys

When done, restart the computer and see if there is any change (does the same error show up for your audio device?)

Link to post
Share on other sites

Can you please run the following scan and post me the log. Be careful NOT to remove any detected threats!

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on this link to open ESET OnlineScan in a new window.
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the ESET Smart Installer icon on your desktop.

    3. Check "YES, I accept the Terms of Use."
    4. Click the Start button.
    5. Accept any security warnings from your browser.
    6. Under scan settings, do not check "Scan Archives" and "Remove found threats"
    7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    8. When the scan completes, click List Threats
    9. Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    10. Click the Back button.
    11. Click the Finish button.

Link to post
Share on other sites

So Microsoft must've designed the progress bar for ESET. Got to 99% in 45 minutes. Scan took 3 hours.

Unfortunately (b/c I'm guessing they're not causing the problem), just an adware toolbar probably for a browser I don't really use.

ESET did not repair these, per instructions.

Link to post
Share on other sites

What often happens with this type of infection is that an overzealous security program removes additional registry services.

Can you see what AVG removed and post me an overview?

Alternatively, can you look if there is a restore point present from before the infection? (Do not use it, just let me know.)

Link to post
Share on other sites

Infection was 2/6 or 2/7 I believe, and the most recent restore point I have is 1/30. Also have two before that, one for each of the two prior weeks in January.

I'm having a lot of trouble (hour plus) deciphering my AVG logs since I uninstalled AVG per post 65, point 3, so I don't have the AVG log viewer. Lines look like the following. I can only assume that hash either is decrypted to a log entry, or matches a specific message string.

[AVG.SCAN] ERROR 2012-02-15 14:31:04,327 DERENOPHOCIM PID:3540 THID:5028 ID:LMK:3410.1773.d945c8f.0 MSG:aA8raDbvt6OqeJRq77TW/O8HsKdadlPIw

(Through narrowing down the timestamp by inference from several files, I've isolated all the lines like the one above that pertain to the suspect scans. Unfortunately, that's why I've given up. All lines that do have appropriate timestamps look like the one above, or are so generic - e.g. 5 threats found - that they're unhelpful. Sorry! - At least I got a refreshing in my advanced regex searching.)

If you'd like (almost 100% positive you wouldn't), I can turn over the whole log folder to you. Only 258 files totaling 200 MB that I've wrapped into a wonderful 19 MB zip package.

Based on the forum we're at, I'm assuming you trust that MBAM has only an appropriate amount of zealousness, and thus should not have removed my keyboard's functionality. That is still installed so I see no problem getting logs there if you'd like.

Also, I had been using Comodo's free personal firewall for firewall protection. It was actually the first to detect the infection. Although I thought that the Defense+ auxiliary component only did heuristic detection based on both system usage and program behavior, it popped up pointing out the rootkit infection and "helpfully" suggested I upgrade to Comodo's virus protection. Even though I chose not to upgrade (by closing the window), looking independently on Comodo's site, the alert appeared to be legitimate. (Way to make one's self look like malware though, right?)

Long story not so short, I'm wondering if there might be something helpful in Comodo's logs. Given that I didn't even know it had a full virus scanner, and the fact that Comodo along with AVG has been uninstalled, I'd greatly appreciate advice on exactly how to provide Comodo log files if you'd like them.

Thank you again for your continued efforts.

Link to post
Share on other sites

Here I was thinking I hadn't made that many changes since bringing the system back up b/c I was still using Ubuntu mainly. Wrong. The information I gave you was 4 days old. Just tried to restore and was greeted with the following screen. I remember thinking... maybe I should backup/save/cling to for dear life that 1/30 restore. Oops. Well, at least the world hasn't ended yet. Mayans were really just talking about my computer.

[Attached screenshot: post-108052-0-21681700-1329601200.jpg]

Link to post
Share on other sites

Time for a manual check then...

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :reg
    HKEY_local_machine\system\currentcontrolset\services\i8042prt /s
    HKEY_local_machine\system\currentcontrolset\services\HDAUDBUS /s
    HKEY_local_machine\system\currentcontrolset\services\usbehci /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_i8042prt /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_hdaudbus /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_usbehci /s


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Link to post
Share on other sites

Here ya go!


SystemLook 30.07.11 by jpshortstuff
Log created at 08:14 on 19/02/2012 by edshead
Administrator - Elevation successful
========== reg ==========
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\i8042prt]
"Start"= 0x0000000003 (3)
"Type"= 0x0000000001 (1)
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="system32\DRIVERS\i8042prt.sys"
"DisplayName"="i8042 Keyboard and PS/2 Mouse Port Driver"
"Group"="Keyboard Port"
"DriverPackageId"="keyboard.inf_x86_neutral_0c4a1880f2aa5a72"
"Tag"= 0x0000000006 (6)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\i8042prt\Parameters]
"PollingIterations"= 0x0000002ee0 (12000)
"PollingIterationsMaximum"= 0x0000002ee0 (12000)
"ResendIterations"= 0x0000000003 (3)
"LayerDriver JPN"="kbd101.dll"
"LayerDriver KOR"="kbd101a.dll"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\i8042prt\Enum]
"Count"= 0x0000000002 (2)
"NextInstance"= 0x0000000002 (2)
"INITSTARTFAILED"= 0x0000000001 (1)
"0"="ACPI\PNP0F13\4&2d25c4a5&0"
"1"="ACPI\PNP0303\4&2d25c4a5&0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\HDAUDBUS]
"Start"= 0x0000000003 (3)
"Type"= 0x0000000001 (1)
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="system32\DRIVERS\HDAudBus.sys"
"DisplayName"="Microsoft UAA Bus Driver for High Definition Audio"
"Group"="Extended Base"
"DriverPackageId"="hdaudbus.inf_x86_neutral_349139f09f579763"
"Tag"= 0x000000000f (15)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\HDAUDBUS\Enum]
"Count"= 0x0000000001 (1)
"NextInstance"= 0x0000000001 (1)
"INITSTARTFAILED"= 0x0000000001 (1)
"0"="PCI\VEN_8086&DEV_284B&SUBSYS_022E1028&REV_02\3&2b8e0b4b&0&D8"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\usbehci]
"Start"= 0x0000000003 (3)
"Type"= 0x0000000001 (1)
"ErrorControl"= 0x0000000001 (1)
"ImagePath"="\SystemRoot\system32\drivers\usbehci.sys"
"DisplayName"="Microsoft USB 2.0 Enhanced Host Controller Miniport Driver"
"Group"="Base"
"DriverPackageId"="usbport.inf_x86_neutral_ba59fa32fc6a596d"
"BootFlags"= 0x0000000004 (4)
"Tag"= 0x0000000012 (18)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\usbehci\Enum]
"0"="PCI\VEN_8086&DEV_283A&SUBSYS_022E1028&REV_02\3&2b8e0b4b&0&D7"
"Count"= 0x0000000002 (2)
"NextInstance"= 0x0000000002 (2)
"1"="PCI\VEN_8086&DEV_2836&SUBSYS_022E1028&REV_02\3&2b8e0b4b&0&EF"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_i8042prt]
(Unable to open key - key not found)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_hdaudbus]
(Unable to open key - key not found)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_usbehci]
(Unable to open key - key not found)
-= EOF =-

Link to post
Share on other sites

Please do the following:

Press Windows key + R, type devmgmt.msc and press enter.

Click View > Show hidden devices.

Now expand Non Plug and Play devices.

Scroll down to i8042prt, hdaudbus and usbehci, right click on each of them, select Properties and let me know what is listed on the first tab.

Link to post
Share on other sites

Couldn't find those on the tree. Here's screenshots of the tree, plus hopefully detailed enough screenshots of the three 'devices' error'd out in the tree. (Screenshots for each device showing General tab, Driver tab + error when clicking Start service msgbox, and Driver Details.)

Link to post
Share on other sites

This topic is now closed to further replies.