Infected With System Tool Computer Only Boots In Safe Mode



#1 jengirl


Posted 03 March 2011 - 01:52 AM

My computer started displaying the System Tool pop up and the dreadful blue screen that said there was an error within the computer and the program was closing to save it (paraphrased of course, the screen came and went so fast). It then said if recent hardware had been installed, try uninstalling it, then it restarted. It went from that to now only being able to boot in safe mode. Now the wireless network is disabled... it says connection status unknown: the dependency service or group failed to start.


DDS (Ver_10-12-12.02) - NTFSx86 MINIMAL
Run by msladydebbie at 23:09:48.71 on Wed 03/02/2011
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2813.2347 [GMT -6:00]

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Users\msladydebbie\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:55677
mURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AROReminder] c:\program files\aro 2011\ARO.exe -rem
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Skytel] Skytel.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [GrpConv] grpconv -o
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [<NO NAME>]
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\photag~1.lnk - c:\program files\photags express\Photags AutoDetect.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\users\mslady~1\appdata\roaming\mozilla\firefox\profiles\gyg0nix8.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55677
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programdata\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\users\msladydebbie\appdata\roaming\mozilla\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-12-24 24576]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-2-6 238952]
S2 gupdate1c9caa1cfdca0d0;Google Update Service (gupdate1c9caa1cfdca0d0);c:\program files\google\update\GoogleUpdate.exe [2009-5-1 133104]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-25 45056]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-25 131072]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-2-6 36608]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-4 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-5-25 38496]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-03-03 01:15:26 -------- d-----w- C:\$RECYCLE.BIN
2011-03-03 00:50:49 -------- d-----w- c:\users\mslady~1\appdata\local\temp
2011-03-03 00:36:50 98816 ----a-w- c:\windows\sed.exe
2011-03-03 00:36:50 89088 ----a-w- c:\windows\MBR.exe
2011-03-03 00:36:50 256512 ----a-w- c:\windows\PEV.exe
2011-03-03 00:36:50 161792 ----a-w- c:\windows\SWREG.exe
2011-03-01 05:55:19 -------- d-----w- c:\windows\pss
2011-03-01 01:21:22 -------- d-----w- C:\!KillBox
2011-02-27 07:45:38 -------- d-----w- C:\$AVG
2011-02-27 07:39:55 -------- d-----w- c:\users\mslady~1\appdata\roaming\AVG10
2011-02-27 07:39:08 -------- d--h--w- c:\progra~2\Common Files
2011-02-27 07:37:59 -------- d-----w- c:\progra~2\AVG10
2011-02-27 07:29:25 -------- d-----w- c:\program files\AVG
2011-02-23 00:56:48 -------- d-----w- c:\users\mslady~1\appdata\roaming\Sammsoft
2011-02-23 00:56:30 -------- d-----w- c:\program files\ARO 2011
2011-02-22 06:22:47 143 ----a-w- c:\users\mslady~1\appdata\roaming\microsoft\gb_1976641.bat
2011-02-22 05:41:28 143 ----a-w- c:\users\mslady~1\appdata\roaming\microsoft\gb_2027014.bat
2011-02-07 19:34:41 197120 ----a-w- c:\program files\windows nt\dwm.exe
2011-02-07 19:33:27 180224 ----a-w- c:\program files\internet explorer\conhost.exe

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_ rev.1.10 -> Harddisk0\DR0 ->

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85D87555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85d8d7b0]; MOV EAX, [0x85d8d82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82053962] -> \Device\Harddisk0\DR0[0x85CE0770]
3 CLASSPNP[0x829A98B3] -> ntkrnlpa!IofCallDriver[0x82053962] -> [0x8572F5F8]
5 acpi[0x8060E6BC] -> ntkrnlpa!IofCallDriver[0x82053962] -> [0x858E9A10]
\Driver\ahcix86s[0x85D6B3E0] -> IRP_MJ_CREATE -> 0x85D87555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\0000005a -> \??\SCSI#Disk&Ven_Hitachi&Prod_HTS543216L9A3#4&1daa7e31&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
error: Read Insufficient system resources exist to complete the requested service.
Warning: possible TDL3 rootkit infection !

============= FINISH: 23:11:47.93 ===============

Attached Files




#2 rigacci


Posted 10 March 2011 - 10:32 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 jengirl


Posted 11 March 2011 - 12:20 PM

My computer is still doing the same thing as I haven't tried anything else since my initial post. Here is the DDS log and attached is the gmer file.

DDS (Ver_10-12-12.02) - NTFSx86 MINIMAL
Run by msladydebbie at 9:36:50.78 on Fri 03/11/2011
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2813.2342 [GMT -6:00]

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32Info.exe
C:\Users\msladydebbie\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:55677
mURLSearchHooks: AOL Toolbar Search Class: {f0e98552-8e47-4c6c-9b3a-11ab0549f94d} - c:\program files\aol toolbar\aoltb.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AOL Toolbar: {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - c:\program files\aol toolbar\aoltb.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AROReminder] c:\program files\aro 2011\ARO.exe -rem
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Skytel] Skytel.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [GrpConv] grpconv -o
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRunOnce: [<NO NAME>]
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\photag~1.lnk - c:\program files\photags express\Photags AutoDetect.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: lbxfile - {56831180-F115-11d2-B6AA-00104B2B9943} - c:\program files\libronix dls\system\FileProt.dll
Handler: lbxres - {24508F1B-9E94-40EE-9759-9AF5795ADF52} - c:\program files\libronix dls\system\ResProt.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\users\mslady~1\appdata\roaming\mozilla\firefox\profiles\gyg0nix8.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55677
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\programdata\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\users\msladydebbie\appdata\roaming\mozilla\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

S2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ETService;Empowering Technology Service;c:\program files\acer\empowering technology\service\ETService.exe [2008-12-24 24576]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-2-6 238952]
S2 gupdate1c9caa1cfdca0d0;Google Update Service (gupdate1c9caa1cfdca0d0);c:\program files\google\update\GoogleUpdate.exe [2009-5-1 133104]
S2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-25 45056]
S2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-25 131072]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-2-6 36608]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-4 30192]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-03-03 01:15:26 -------- d-----w- C:\$RECYCLE.BIN
2011-03-03 00:50:49 -------- d-----w- c:\users\mslady~1\appdata\local\temp
2011-03-03 00:36:50 98816 ----a-w- c:\windows\sed.exe
2011-03-03 00:36:50 89088 ----a-w- c:\windows\MBR.exe
2011-03-03 00:36:50 256512 ----a-w- c:\windows\PEV.exe
2011-03-03 00:36:50 161792 ----a-w- c:\windows\SWREG.exe
2011-03-01 05:55:19 -------- d-----w- c:\windows\pss
2011-03-01 01:21:22 -------- d-----w- C:\!KillBox
2011-02-27 07:45:38 -------- d-----w- C:\$AVG
2011-02-27 07:39:55 -------- d-----w- c:\users\mslady~1\appdata\roaming\AVG10
2011-02-27 07:39:08 -------- d--h--w- c:\progra~2\Common Files
2011-02-27 07:37:59 -------- d-----w- c:\progra~2\AVG10
2011-02-27 07:29:25 -------- d-----w- c:\program files\AVG
2011-02-23 00:56:48 -------- d-----w- c:\users\mslady~1\appdata\roaming\Sammsoft
2011-02-23 00:56:30 -------- d-----w- c:\program files\ARO 2011
2011-02-22 06:22:47 143 ----a-w- c:\users\mslady~1\appdata\roaming\microsoft\gb_1976641.bat
2011-02-22 05:41:28 143 ----a-w- c:\users\mslady~1\appdata\roaming\microsoft\gb_2027014.bat

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_ rev.1.10 -> Harddisk0\DR0 ->

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85D88555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85d8e7b0]; MOV EAX, [0x85d8e82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82081962] -> \Device\Harddisk0\DR0[0x85CE0758]
3 CLASSPNP[0x8299E8B3] -> ntkrnlpa!IofCallDriver[0x82081962] -> [0x85CDA020]
5 acpi[0x806126BC] -> ntkrnlpa!IofCallDriver[0x82081962] -> [0x858E9998]
\Driver\ahcix86s[0x85D6B498] -> IRP_MJ_CREATE -> 0x85D88555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
\Device\0000005a -> \??\SCSI#Disk&Ven_Hitachi&Prod_HTS543216L9A3#4&1daa7e31&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
error: Read Insufficient system resources exist to complete the requested service.
Warning: possible TDL3 rootkit infection !

============= FINISH: 9:39:17.81 ===============

Attached Files
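As an added triage example (not part of this thread, and not code from DDS, GMER or BleepingComputer): a small Python script that scans DDS log lines for the indicators a malware-removal helper would flag in jengirl's log, namely the IE and Firefox proxy settings pointing at 127.0.0.1:55677, the AppInit_DLLs entry, Windows system-binary names (dwm.exe, conhost.exe) created outside the Windows directory, and batch files dropped under AppData. The sample input is taken from the log posted above; the severity labels and heuristics are my own assumptions, not DDS output.

```python
"""Triage helper for a DDS log: flags indicators in the Pseudo HJT Report and
Created Last 30 sections. Heuristics and severities are the author's own."""
import ntpath
import re

# Core Windows binaries that belong under the Windows directory; a copy elsewhere
# (e.g. c:\program files\windows nt\dwm.exe) is a common masquerading trick.
SYSTEM_BINARIES = {
    "conhost.exe", "csrss.exe", "dwm.exe", "explorer.exe", "lsass.exe",
    "lsm.exe", "services.exe", "smss.exe", "svchost.exe", "wininit.exe",
    "winlogon.exe",
}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}

IE_PROXY_RE = re.compile(r"Internet Settings,ProxyServer\s*=\s*(?P<val>\S+)")
FF_PREF_RE = re.compile(
    r"FF - prefs\.js: network\.proxy\.(?P<key>\w+)\s*-\s*(?P<val>\S+)")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+?)\s*$")
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<val>\S.*)$")

# Sample input: lines copied from the DDS log posted in this thread.
DDS_SAMPLE = r"""
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:55677
mRun: [Skytel] Skytel.exe
mRunOnce: [<NO NAME>]
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55677
FF - prefs.js: network.proxy.type - 1
2011-02-07 19:34:41 197120 ----a-w- c:\program files\windows nt\dwm.exe
2011-02-07 19:33:27 180224 ----a-w- c:\program files\internet explorer\conhost.exe
2011-02-22 06:22:47 143 ----a-w- c:\users\mslady~1\appdata\roaming\microsoft\gb_1976641.bat
"""


def is_loopback(target):
    """True if 'host' or 'host:port' names the local machine."""
    host = target.rsplit(":", 1)[0].lower()
    return host in LOOPBACK_HOSTS


def triage_dds(text):
    """Return a list of (severity, kind, evidence) tuples for one DDS log."""
    findings = []
    ff_proxy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IE_PROXY_RE.search(line)
        if m:
            # Value looks like "http=127.0.0.1:55677": drop the scheme prefix.
            target = m.group("val").split("=", 1)[-1]
            if is_loopback(target):
                findings.append(("high", "ie_loopback_proxy", target))
            continue
        m = FF_PREF_RE.search(line)
        if m:
            ff_proxy[m.group("key")] = m.group("val")
            continue
        m = APPINIT_RE.match(line)
        if m:
            # Any AppInit_DLLs entry loads into every GUI process; review it.
            findings.append(("review", "appinit_dll", m.group("val")))
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group("path")
            name = ntpath.basename(path).lower()
            if name in SYSTEM_BINARIES and not path.lower().startswith("c:\\windows\\"):
                findings.append(("high", "system_binary_outside_windows_dir", path))
            elif name.endswith(".bat") and "\\appdata\\" in path.lower():
                findings.append(("review", "batch_file_in_appdata", path))
    # Firefox: manual proxy (network.proxy.type 1) aimed at the loopback address.
    if ff_proxy.get("type") == "1" and is_loopback(ff_proxy.get("http", "")):
        target = f"{ff_proxy['http']}:{ff_proxy.get('http_port', '?')}"
        findings.append(("high", "firefox_loopback_proxy", target))
    return findings


if __name__ == "__main__":
    for severity, kind, evidence in triage_dds(DDS_SAMPLE):
        print(f"[{severity:6}] {kind}: {evidence}")
```

Both browsers here point at the same local port, which is why restoring the proxy settings is part of cleanup even after the binaries are removed.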



#4 rigacci


Posted 11 March 2011 - 12:39 PM

Thank you.

Give me some time and I will return with some instructions, after I analyze your logs completely.

DR

#5 rigacci


Posted 12 March 2011 - 08:20 AM

Hi jengirl:

Before we start cleaning I need to inform you of what is on your computer and what it could do.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.


OK, so first, please:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your Desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your next post.

I can see that you have already run ComboFix. I would like to see that log with your next post.

You should find that log located at C:/Combofix.txt.

Please do not attach the scan results from ComboFix. Use copy/paste.

So you need to post 2 logs, one from TDSS Killer and the other from the previous run of ComboFix.

Also please describe how your computer behaves at the moment.

Thanks.

DR

#6 jengirl


Posted 12 March 2011 - 11:49 PM

Ok...thanks for your help so far. Here are the requested logs:

TDSSKILLER:

2011/03/12 22:36:29.0288 1560 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/12 22:36:29.0303 1560 ================================================================================
2011/03/12 22:36:29.0303 1560 SystemInfo:
2011/03/12 22:36:29.0303 1560
2011/03/12 22:36:29.0303 1560 OS Version: 6.0.6002 ServicePack: 2.0
2011/03/12 22:36:29.0303 1560 Product type: Workstation
2011/03/12 22:36:29.0303 1560 ComputerName: MSLADYDEBBIE-PC
2011/03/12 22:36:29.0303 1560 UserName: msladydebbie
2011/03/12 22:36:29.0303 1560 Windows directory: C:\Windows
2011/03/12 22:36:29.0303 1560 System windows directory: C:\Windows
2011/03/12 22:36:29.0303 1560 Processor architecture: Intel x86
2011/03/12 22:36:29.0303 1560 Number of processors: 1
2011/03/12 22:36:29.0303 1560 Page size: 0x1000
2011/03/12 22:36:29.0303 1560 Boot type: Safe boot
2011/03/12 22:36:29.0303 1560 ================================================================================
2011/03/12 22:36:29.0646 1560 Initialize success
2011/03/12 22:36:35.0184 1680 ================================================================================
2011/03/12 22:36:35.0184 1680 Scan started
2011/03/12 22:36:35.0184 1680 Mode: Manual;
2011/03/12 22:36:35.0184 1680 ================================================================================
2011/03/12 22:37:10.0316 1680 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/12 22:37:10.0378 1680 ================================================================================
2011/03/12 22:37:10.0378 1680 Scan finished
2011/03/12 22:37:10.0378 1680 ================================================================================
2011/03/12 22:37:10.0425 1672 Detected object count: 1
2011/03/12 22:37:32.0998 1672 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/12 22:37:32.0998 1672 \HardDisk0 - ok
2011/03/12 22:37:32.0998 1672 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/12 22:37:43.0044 1640 Deinitialize success

Combofix:

ComboFix 11-03-02.01 - msladydebbie 03/02/2011 18:41:04.1.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2813.2327 [GMT -6:00]
Running from: c:\users\msladydebbie\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Microsoft
c:\program files\Common Files\Uninstall
c:\program files\Common Files\Uninstall\PersonalAV\Uninstall.lnk
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
c:\program files\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
c:\programdata\AuthFWWizFwk32.dll
c:\programdata\avrt32.dll
c:\programdata\basesrv32.dll
c:\programdata\bcdprov32.dll
c:\programdata\bcmwlcoi32.dll
c:\programdata\bitsprx532.dll
c:\programdata\brcoinst32.dll
c:\programdata\bthserv32.dll
c:\programdata\C_G1803032.dll
c:\programdata\C_ISCII32.dll
c:\programdata\catsrvps32.dll
c:\programdata\chsbrkr32.dll
c:\programdata\ci32.dll
c:\programdata\cic32.dll
c:\programdata\clbcatq32.dll
c:\programdata\clusapi32.dll
c:\programdata\cmdial3232.dll
c:\programdata\cmlua32.dll
c:\programdata\cngaudit3232.dll
c:\programdata\colbact32.dll
c:\programdata\COLORCNV32.dll
c:\programdata\comdlg3232.dll
c:\programdata\COMMDLG32.dll
c:\programdata\CompatUI32.dll
c:\programdata\compobj32.dll
c:\programdata\compstui3232.dll
c:\programdata\comsvcs32.dll
c:\programdata\console32.dll
c:\programdata\crypt323232.dll
c:\programdata\cryptext32.dll
c:\programdata\cryptui32.dll
c:\programdata\d2d132.dll
c:\programdata\d3d10_132.dll
c:\programdata\d3d1032.dll
c:\programdata\d3d10core32.dll
c:\programdata\d3d10warp32.dll
c:\programdata\d3d832.dll
c:\programdata\d3dim32.dll
c:\programdata\d3dim70032.dll
c:\programdata\d3dx9_2932.dll
c:\programdata\dbnmpntw32.dll
c:\programdata\DDEML32.dll
c:\programdata\ddrawex3232.dll
c:\programdata\deskmon32.dll
c:\programdata\devenum32.dll
c:\programdata\DfrgRes32.dll
c:\programdata\dhcpcsvc632.dll
c:\programdata\DIFxAPI32.dll
c:\programdata\dimsjob32.dll
c:\programdata\dinput832.dll
c:\programdata\diskcopy32.dll
c:\programdata\dmime32.dll
c:\programdata\dmocx32.dll
c:\programdata\dmstyle3232.dll
c:\programdata\dnshc32.dll
c:\programdata\dot3dlg3232.dll
c:\programdata\dpnaddr32.dll
c:\programdata\dpx32.dll
c:\programdata\dssec32.dll
c:\programdata\dunzip3232.dll
c:\programdata\Faultrep32.dll
c:\programdata\fdProxy32.dll
c:\programdata\filemgmt32.dll
c:\programdata\FMAPO32.dll
c:\programdata\fontsub32.dll
c:\programdata\FunctionDiscoveryFolder32.dll
c:\programdata\GameUXLegacyGDFs32.dll
c:\programdata\GdiPlus32.dll
c:\programdata\lJfFjDn08509
c:\programdata\lJfFjDn08509\lJfFjDn08509
c:\programdata\lJfFjDn08509\lJfFjDn08509.exe
c:\programdata\Microsoft\Windows\Start Menu\PersonalAV
c:\programdata\Microsoft\Windows\Start Menu\PersonalAV\Uninstall.lnk
c:\programdata\SysWoW32
c:\programdata\SysWoW32\@u1009185004v0
c:\programdata\SysWoW32\@u1009185004v1
c:\programdata\SysWoW32\@u1009185004v2
c:\programdata\SysWoW32\@u1009185004v3
c:\programdata\SysWoW32\@u1009185004v4
c:\programdata\SysWoW32\@u1009185004v5
c:\programdata\SysWoW32\@u1009185004v6
c:\programdata\SysWoW32\@u1009185004v7
c:\programdata\SysWoW32\_u1009185004v0
c:\programdata\SysWoW32\_u1009185004v1
c:\programdata\SysWoW32\_u1009185004v2
c:\programdata\SysWoW32\_u1009185004v3
c:\programdata\SysWoW32\_u1009185004v4
c:\programdata\SysWoW32\_u1009185004v5
c:\programdata\SysWoW32\_u1009185004v6
c:\programdata\SysWoW32\_u1009185004v7
c:\programdata\SysWoW32\mu1009185004v4
c:\programdata\SysWoW32\mu1009185004v4.kwd
c:\programdata\SysWoW32\mu1009185004v5
c:\programdata\SysWoW32\mu1009185004v5.kwd
c:\programdata\SysWoW32\mu1009185004v6
c:\programdata\SysWoW32\mu1009185004v6.kwd
c:\programdata\SysWoW32\mu1009185004v7
c:\programdata\SysWoW32\mu1009185004v7.kwd
c:\programdata\SysWoW32\wu1009185004v0
c:\programdata\SysWoW32\wu1009185004v0.kwd
c:\programdata\SysWoW32\wu1009185004v1
c:\programdata\SysWoW32\wu1009185004v1.kwd
c:\programdata\SysWoW32\wu1009185004v2
c:\programdata\SysWoW32\wu1009185004v2.kwd
c:\programdata\SysWoW32\wu1009185004v3
c:\programdata\SysWoW32\wu1009185004v3.kwd
c:\programdata\unrar.exe
c:\users\msladydebbie\AppData\Roaming\02000000bd719b53891C.manifest
c:\users\msladydebbie\AppData\Roaming\02000000bd719b53891O.manifest
c:\users\msladydebbie\AppData\Roaming\02000000bd719b53891P.manifest
c:\users\msladydebbie\AppData\Roaming\02000000bd719b53891S.manifest
c:\users\msladydebbie\AppData\Roaming\1713.tmp
c:\users\msladydebbie\AppData\Roaming\35B0.tmp
c:\users\msladydebbie\AppData\Roaming\651.tmp
c:\users\msladydebbie\AppData\Roaming\695F.tmp
c:\users\msladydebbie\AppData\Roaming\7375.tmp
c:\users\msladydebbie\AppData\Roaming\7CD0.tmp
c:\users\msladydebbie\AppData\Roaming\8004.tmp
c:\users\msladydebbie\AppData\Roaming\8ACE.tmp
c:\users\msladydebbie\AppData\Roaming\9FA.tmp
c:\users\msladydebbie\AppData\Roaming\AA3C.tmp
c:\users\msladydebbie\AppData\Roaming\ABFA.tmp
c:\users\msladydebbie\AppData\Roaming\C8C8.tmp
c:\users\msladydebbie\AppData\Roaming\D98D.tmp
c:\users\msladydebbie\AppData\Roaming\dwm.exe
c:\users\msladydebbie\AppData\Roaming\Microsoft\conhost.exe
c:\users\msladydebbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AKM Antivirus 2010 Pro
c:\users\msladydebbie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AKM Antivirus 2010 Pro\AKM Antivirus 2010 Pro.lnk
c:\users\msladydebbie\AppData\Roaming\Mozilla\Firefox\Profiles\gyg0nix8.default\extensions\{416a636f-1fac-48ec-a797-5357d446bacb}
c:\users\msladydebbie\AppData\Roaming\Mozilla\Firefox\Profiles\gyg0nix8.default\extensions\{416a636f-1fac-48ec-a797-5357d446bacb}\chrome.manifest
c:\users\msladydebbie\AppData\Roaming\Mozilla\Firefox\Profiles\gyg0nix8.default\extensions\{416a636f-1fac-48ec-a797-5357d446bacb}\chrome\xulcache.jar
c:\users\msladydebbie\AppData\Roaming\Mozilla\Firefox\Profiles\gyg0nix8.default\extensions\{416a636f-1fac-48ec-a797-5357d446bacb}\defaults\preferences\xulcache.js
c:\users\msladydebbie\AppData\Roaming\Mozilla\Firefox\Profiles\gyg0nix8.default\extensions\{416a636f-1fac-48ec-a797-5357d446bacb}\install.rdf
c:\users\msladydebbie\AppData\Roaming\scdata
c:\users\msladydebbie\AppData\Roaming\scdata\dbsinit.exe
c:\users\msladydebbie\AppData\Roaming\scdata\images\i1.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\i2.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\i3.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\j1.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\j2.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\j3.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\jj1.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\jj2.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\jj3.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\l1.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\l2.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\l3.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\pix.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\t1.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\t2.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\Thumbs.db
c:\users\msladydebbie\AppData\Roaming\scdata\images\up1.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\up2.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\w1.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\w11.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\w2.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\w3.jpg
c:\users\msladydebbie\AppData\Roaming\scdata\images\word.doc
c:\users\msladydebbie\AppData\Roaming\scdata\images\wt1.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\wt2.gif
c:\users\msladydebbie\AppData\Roaming\scdata\images\wt3.gif
c:\users\msladydebbie\AppData\Roaming\scdata\wispex.html
c:\users\msladydebbie\AppData\Roaming\skynet.dat
c:\users\msladydebbie\AppData\Roaming\SystemProc
c:\users\msladydebbie\AppData\Roaming\SystemProc\lsass.exe
c:\users\msladydebbie\AppData\Roaming\SystemProc\upd.exe
c:\users\msladydebbie\AppData\Roaming\wp3.dat
c:\users\msladydebbie\AppData\Roaming\wp4.dat
c:\users\Public\RemoveSGP0.exe
c:\users\The Bubba\AppData\Roaming\dwm.exe
c:\users\The Bubba\AppData\Roaming\Microsoft\conhost.exe
c:\windows\GnuHashes.ini
c:\windows\system32\C_IS202232.dll
c:\windows\system32\c_iscii32.dll
c:\windows\system32\clusapi32.dll
c:\windows\system32\cmlua32.dll
c:\windows\system32\cngaudit32.dll
c:\windows\system32\colbact32.dll
c:\windows\system32\comcat32.dll
c:\windows\system32\csrsrv32.dll
c:\windows\system32\d3d932.dll
c:\windows\system32\d3d93232.dll
c:\windows\system32\d3dim70032.dll
c:\windows\system32\d3dx9_2732.dll
c:\windows\system32\dmvdsitf32.dll
c:\windows\system32\dot3cfg32.dll
c:\windows\system32\dot3dlg32.dll
c:\windows\system32\dot3gpui32.dll
c:\windows\system32\drivers\snetcfg.exe
c:\windows\system32\dtsh32.dll
c:\windows\system32\ndisapi.dll

----- File Replicators -----

c:\windows\Installer\{071EA6A1-4189-3D9C-6B3F-0BE15495CE80}\ARPPRODUCTICON.exe
c:\windows\Installer\{08137BF5-9879-EBDA-6462-79D3C6D113B2}\ARPPRODUCTICON.exe
c:\windows\Installer\{09621381-D4B0-2D6A-AB14-E8CE4CD424D9}\ARPPRODUCTICON.exe
c:\windows\Installer\{09D3675D-E1BB-1B3D-3F35-0338F7AAB0FD}\ARPPRODUCTICON.exe
c:\windows\Installer\{1DE63D16-8A5E-74AB-1A5F-6E1834234229}\ARPPRODUCTICON.exe
c:\windows\Installer\{254C0471-5FDF-D591-1219-112ABECED882}\ARPPRODUCTICON.exe
c:\windows\Installer\{285432CE-2033-7317-27FC-DFB027E24F33}\ARPPRODUCTICON.exe
c:\windows\Installer\{29E1DB75-A926-D7A5-6773-E24477526D49}\ARPPRODUCTICON.exe
c:\windows\Installer\{2B82EEF1-A86E-CE6A-E7E6-ED114131E383}\ARPPRODUCTICON.exe
c:\windows\Installer\{2F3FC1A5-37B4-7685-7295-37FD1B3FE806}\ARPPRODUCTICON.exe
c:\windows\Installer\{32EBA2B9-23F8-82A8-E229-0F283EE902B0}\ARPPRODUCTICON.exe
c:\windows\Installer\{3700194C-C5DD-439A-BE06-A66960CA4C70}\ARPPRODUCTICON.exe
c:\windows\Installer\{3A2536D9-53FF-CD79-F46C-9E3902D2EEBA}\ARPPRODUCTICON.exe
c:\windows\Installer\{3A6CE5E6-7416-37A1-1DA2-2BCB0A9CF444}\ARPPRODUCTICON.exe
c:\windows\Installer\{3A7D9B34-E8A9-A352-20C1-0607B1D5F8B6}\ARPPRODUCTICON.exe
c:\windows\Installer\{3F9544A3-63B0-E523-D212-5C010368E492}\ARPPRODUCTICON.exe
c:\windows\Installer\{41802C9A-1BF6-9A4E-D903-C6587560D758}\ARPPRODUCTICON.exe
c:\windows\Installer\{58D9BD9C-C96F-F308-5D72-371A9D3CC939}\ARPPRODUCTICON.exe
c:\windows\Installer\{6165BE73-8AC5-A2B6-8910-963387FE5B9B}\ARPPRODUCTICON.exe
c:\windows\Installer\{6A25BA91-82D1-0841-FC65-57CE27540922}\ARPPRODUCTICON.exe
c:\windows\Installer\{6A41CE62-8379-2A4D-E690-AA5D4DA8A279}\ARPPRODUCTICON.exe
c:\windows\Installer\{6BB99DE2-D79C-B223-8D4F-E3D80A478D0F}\ARPPRODUCTICON.exe
c:\windows\Installer\{6E52D2FB-5FB5-334E-86F9-4316EEDC2926}\ARPPRODUCTICON.exe
c:\windows\Installer\{7184F382-8A6C-4B85-A3AC-B63734B1E241}\ARPPRODUCTICON.exe
c:\windows\Installer\{72BBB36F-D323-0746-4F92-083E4C5EAC52}\ARPPRODUCTICON.exe
c:\windows\Installer\{7DDF474C-2AF9-4A3B-57E0-FBF31ED2C913}\ARPPRODUCTICON.exe
c:\windows\Installer\{7E992D2F-5D9F-0A2A-302E-E4AC8FB79F47}\ARPPRODUCTICON.exe
c:\windows\Installer\{84DB8DAE-531B-FDA4-E683-8C82F0F81F26}\ARPPRODUCTICON.exe
c:\windows\Installer\{865A7423-1322-E68E-4604-BEB0EEBFB624}\ARPPRODUCTICON.exe
c:\windows\Installer\{9FFC6670-6711-387B-3566-7D0DA1808531}\ARPPRODUCTICON.exe
c:\windows\Installer\{A8176277-4272-EA16-CDAE-1E37C62E14B2}\ARPPRODUCTICON.exe
c:\windows\Installer\{A9E38025-D8D8-FB5E-0DDB-12691243EF1F}\ARPPRODUCTICON.exe
c:\windows\Installer\{AFE52E73-FADF-7AEC-9F2E-9C490C77AB61}\ARPPRODUCTICON.exe
c:\windows\Installer\{B16469A5-D2FA-A0C8-D371-2F4C8D5707D4}\ARPPRODUCTICON.exe
c:\windows\Installer\{B463846D-85B8-5B31-59BD-AA68307ECC69}\ARPPRODUCTICON.exe
c:\windows\Installer\{B483D67F-8223-F1C5-1CBD-59B13676019E}\ARPPRODUCTICON.exe
c:\windows\Installer\{B7BA5747-159E-B1E7-B73D-E3B7575D783A}\ARPPRODUCTICON.exe
c:\windows\Installer\{BC4FBC02-B2B7-ACCA-C983-FFF31FC3C1C9}\ARPPRODUCTICON.exe
c:\windows\Installer\{C08B098D-E9A6-649F-120D-9263C0527C2E}\ARPPRODUCTICON.exe
c:\windows\Installer\{C22EDAB3-B9C3-3189-6FE5-8DC4CFADED81}\ARPPRODUCTICON.exe
c:\windows\Installer\{C4FA4F86-63E8-9CD5-8CD3-25E4AC0E8861}\ARPPRODUCTICON.exe
c:\windows\Installer\{C63225DD-4956-D968-E563-30371AA23FD8}\ARPPRODUCTICON.exe
c:\windows\Installer\{C7D5F833-4603-B3A3-4DB7-178022D73CC6}\ARPPRODUCTICON.exe
c:\windows\Installer\{CC4AD2ED-C8C8-6548-BAB0-59058B3FA658}\ARPPRODUCTICON.exe
c:\windows\Installer\{D04DA284-0680-277B-832E-B795D9302F8D}\ARPPRODUCTICON.exe
c:\windows\Installer\{D5B90069-DC5F-E482-D86A-B0CBBBD0E50E}\ARPPRODUCTICON.exe
c:\windows\Installer\{DF7A3C71-08FD-9154-BF1C-81BC491F4C2C}\ARPPRODUCTICON.exe
c:\windows\Installer\{EA78289C-35D1-10D4-CA0D-7C653B2E212A}\ARPPRODUCTICON.exe
c:\windows\Installer\{EAE06CC6-8838-CA77-347C-BD3E9DEC6C93}\ARPPRODUCTICON.exe
c:\windows\Installer\{EB18E9CE-A633-1192-BDF6-4EA15DA97785}\ARPPRODUCTICON.exe
c:\windows\Installer\{ECA47E2A-51B0-2F2F-67D3-A2A0639092B1}\ARPPRODUCTICON.exe
c:\windows\Installer\{ED5085E1-BA8E-1464-2E3D-400086526EDE}\ARPPRODUCTICON.exe
c:\windows\Installer\{FFA58E6D-8053-18D7-C9BB-C76312C1E12C}\ARPPRODUCTICON.exe
.
c:\windows\explorer.exe . . . is infected!!

Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe

.
((((((((((((((((((((((((( Files Created from 2011-02-03 to 2011-03-03 )))))))))))))))))))))))))))))))
.

2011-03-03 00:50 . 2011-03-03 01:16 -------- d-----w- c:\users\msladydebbie\AppData\Local\temp
2011-03-03 00:50 . 2011-03-03 00:50 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-03-03 00:50 . 2011-03-03 00:50 -------- d-----w- c:\users\The Bubba\AppData\Local\temp
2011-03-03 00:50 . 2011-03-03 00:50 -------- d-----w- c:\users\Jendayi\AppData\Local\temp
2011-03-03 00:50 . 2011-03-03 00:50 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-03-03 00:50 . 2011-03-03 00:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-01 23:36 . 2011-03-01 23:36 -------- d-----w- c:\users\Jendayi\AppData\Local\Adobe
2011-03-01 23:32 . 2011-03-01 23:32 -------- d-----w- c:\users\Jendayi\AppData\Roaming\Malwarebytes
2011-03-01 01:21 . 2011-03-02 00:09 -------- d-----w- C:\!KillBox
2011-02-27 07:45 . 2011-02-27 07:45 -------- d-----w- C:\$AVG
2011-02-27 07:39 . 2011-02-27 07:39 -------- d-----w- c:\users\msladydebbie\AppData\Roaming\AVG10
2011-02-27 07:39 . 2011-02-27 07:39 -------- d--h--w- c:\programdata\Common Files
2011-02-27 07:37 . 2011-03-01 00:42 -------- d-----w- c:\programdata\AVG10
2011-02-27 07:29 . 2011-02-27 07:29 -------- d-----w- c:\program files\AVG
2011-02-23 00:56 . 2011-02-23 00:56 -------- d-----w- c:\users\msladydebbie\AppData\Roaming\Sammsoft
2011-02-23 00:56 . 2011-02-23 00:56 -------- d-----w- c:\program files\ARO 2011
2011-02-22 06:22 . 2011-02-22 06:22 143 ----a-w- c:\users\msladydebbie\AppData\Roaming\Microsoft\gb_1976641.bat
2011-02-22 05:41 . 2011-02-22 05:41 143 ----a-w- c:\users\msladydebbie\AppData\Roaming\Microsoft\gb_2027014.bat
2011-02-19 17:15 . 2011-02-19 17:15 143 ----a-w- c:\users\The Bubba\AppData\Roaming\Microsoft\gb_841447771.bat
2011-02-07 19:34 . 2011-02-07 19:36 197120 ----a-w- c:\program files\Windows NT\dwm.exe
2011-02-07 19:33 . 2011-02-07 23:47 180224 ----a-w- c:\program files\Internet Explorer\conhost.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 09:41 . 2011-01-21 07:33 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3BC2E5AD-25C8-4108-88ED-25F137014A18}\mpengine.dll
2010-08-15 16:20 . 2010-08-15 16:20 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[-] 2009-04-11 . B3BD36B68AED3CC354988B9D08711DDD . 2926592 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2009-04-11 . D07D4C3038F3578FFCE1C0237F2A1253 . 2926592 . . [6.0.6002.18005] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[7] 2008-10-30 . 50BA5850147410CDE89C523AD3BC606E . 2927616 . . [6.0.6001.22298] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[7] 2008-10-29 . 4F554999D7D5F05DAAEBBA7B5BA1089D . 2927104 . . [6.0.6001.18164] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[7] 2008-10-29 . 37440D09DEAE0B672A04DCCF7ABF06BE . 2923520 . . [6.0.6000.16771] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[7] 2008-10-28 . E7156B0B74762D9DE0E66BDCDE06E5FB . 2923520 . . [6.0.6000.20947] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[7] 2008-01-21 . FFA764631CB70A30065C12EF8E174F9F . 2927104 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe

[-] 2008-01-21 . 7A28767CEF683FE01195AE83D8655BC8 . 96768 . . [6.0.6000.16386] . . c:\windows\System32\wininit.exe
[7] 2008-01-21 . 101BA3EA053480BB5D957EF37C06B5ED . 96768 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-11-07 116056]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"AROReminder"="c:\program files\ARO 2011\ARO.exe" [2011-01-25 2312048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-23 846344]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-15 30192]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-10 2595792]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-10 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-10 136472]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Skytel"="Skytel.exe" [2008-06-25 1826816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-04-06 1277584]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Photags AutoDetect.lnk - c:\program files\PhoTags Express\Photags AutoDetect.exe [2010-5-7 368640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-11-28 24576]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-11-07 238952]
R2 gupdate1c9caa1cfdca0d0;Google Update Service (gupdate1c9caa1cfdca0d0);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 133104]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-26 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-26 131072]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-11-02 36608]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-15 30192]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-06 38496]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 21:14]

2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 21:14]

2011-02-27 c:\windows\Tasks\User_Feed_Synchronization-{3C40EAF7-8D11-42D8-88F8-7CB2F8A6BBD4}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:55677
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\msladydebbie\AppData\Roaming\Mozilla\Firefox\Profiles\gyg0nix8.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55677
FF - prefs.js: network.proxy.type - 1
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-RTHDBPL - c:\users\msladydebbie\AppData\Roaming\SystemProc\lsass.exe
HKCU-Run-conhost - c:\users\msladydebbie\AppData\Roaming\Microsoft\conhost.exe
HKLM-Run-FBSSA - c:\program files\SGPSA\ie3sh.exe
HKLM-Run-NPSStartup - (no file)
HKLM-Run-conhost - c:\users\msladydebbie\AppData\Roaming\Microsoft\conhost.exe
HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 19:16
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
FBSSA = c:\program files\SGPSA\ie3sh.exe? address requests. You do not need Search Guard Plus to use M?NINST
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
RTHDBPL = c:\users\msladydebbie\AppData\Roaming\SystemProc\lsass.exe??????????????????????????#???????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(592)
c:\windows\system32\relog_ap.dll
.
Completion time: 2011-03-02 19:25:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-03 01:25

Pre-Run: 15,932,727,296 bytes free
Post-Run: 16,319,291,392 bytes free

- - End Of File - - B8526BC7544BD6FCBAFFF68948AF38B4

As for the behaviour of the computer: it still rebooted into safe mode without giving me the option to select normal mode or not, but it is moving a bit faster. I'm guessing the virus deactivated my ability to get online. Under wireless network it says Connection Status: unknown - The dependency service or group failed to start.

Thanks for your help in resolving this.

#7 rigacci

Posted 13 March 2011 - 01:39 PM

Hi jengirl:

First I would like you to delete the ComboFix that is (still?) located on your desktop and download another from one of the following links (or transfer it with a Flash Drive):

Link 1
Link 2

* IMPORTANT !!! Save ComboFix to your Desktop.

If you transfer files with a Flash Drive, in order to protect your clean computer, download Flash_Disinfector onto it before inserting the Flash Drive.

  • Download Flash_Disinfector.exe by sUBs and save it to your desktop (of the Clean Computer).
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.

    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean the drive.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note:
Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.


OK, so now you need to run a ComboFix Script, on the infected computer.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad and copy/paste the text in the quotebox below into it:

FILE::
c:\users\msladydebbie\AppData\Roaming\Microsoft\gb_1976641.bat
c:\users\msladydebbie\AppData\Roaming\Microsoft\gb_2027014.bat
c:\users\The Bubba\AppData\Roaming\Microsoft\gb_841447771.bat
c:\program files\Windows NT\dwm.exe
c:\program files\Internet Explorer\conhost.exe
c:\program files\SGPSA\ie3sh.exe
c:\users\msladydebbie\AppData\Roaming\SystemProc\lsass.exe

REGISTRY::
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"FBSSA"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDBPL"=-

FCOPY::
c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe | c:\windows\explorer.exe
c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe | c:\windows\System32\wininit.exe

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:55677

FIREFOX::
FF - ProfilePath - c:\users\msladydebbie\AppData\Roaming\Mozilla\Firefox\Profiles\gyg0nix8.default\
FF - prefs.js: network.proxy.http
FF - prefs.js: network.proxy.http_port
FF - prefs.js: network.proxy.type

Save this as CFScript.txt, on your Desktop.

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Also please describe how your computer behaves at the moment.

Thanks.

DR

Edited by rigacci, 13 March 2011 - 01:41 PM.
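The log in the previous post and the CFScript in this reply show the same three things from two sides: Windows binary names (dwm.exe, conhost.exe, lsass.exe) dropped under AppData\Roaming and Program Files and wired into Run keys, explorer.exe and wininit.exe failing Sigcheck (the `[-]` lines) while their WinSxS copies pass (`[7]`), and both Internet Explorer and Firefox pointed at a proxy on 127.0.0.1:55677 so every page goes through the malware. The script below is an added example written for this thread; it is not ComboFix's code and not the script rigacci posted. It reads a ComboFix-style log, flags those three indicator classes, and drafts a CFScript in the same FILE::/REGISTRY::/FCOPY::/DDS::/FIREFOX:: layout. The table of "home" directories for system binaries, the rule that the highest-version WinSxS copy is the one to restore, and the embedded SAMPLE_LOG (assembled from lines quoted earlier in the thread, not a complete log) are this example's own assumptions. The draft is a starting point for a human: the gb_*.bat droppers and ie3sh.exe that rigacci listed came from reading the whole log in context, which this parser cannot do.

```python
"""Triage a ComboFix/DDS-style log and draft a CFScript. Added example, not ComboFix's code."""
import re

# Directory Windows installs each binary in (lower-case). The same file name anywhere
# else (AppData\Roaming, Program Files\Windows NT, ...) is a lookalike. Assumed table.
SYSTEM_BINARY_HOME = {
    "lsass.exe": "c:\\windows\\system32", "conhost.exe": "c:\\windows\\system32",
    "dwm.exe": "c:\\windows\\system32", "wininit.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}
LOOPBACK = ("127.0.0.1", "localhost", "::1")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

PATH_RE = re.compile(r'[a-z]:\\[^"\[\]|\r\n]+?\.exe(?![\w.])', re.I)
SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
ORPHAN_RE = re.compile(r"^(HKLM|HKCU)-Run-(\S+) - ([a-z]:\\.+)$", re.I)
SIGCHECK_RE = re.compile(r"^\[(-|7)\] \S+ \. [0-9A-F]{32} \. \d+ \. \. \[([\d.]+)\] \. \. (.+)$", re.I)
IE_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
FF_RE = re.compile(r"^FF - (ProfilePath|prefs\.js: network\.proxy\.\w+) - (.+)$")
basename = lambda p: p.rsplit("\\", 1)[-1].lower()
vtuple = lambda v: tuple(int(x) for x in v.split("."))      # "6.0.6002.18005" -> sortable

def is_masquerading(path):
    """System binary name outside its home directory (WinSxS copies are the known-good originals)."""
    directory, _, name = path.lower().rpartition("\\")
    home = SYSTEM_BINARY_HOME.get(name)
    return home is not None and directory != home and not directory.startswith("c:\\windows\\winsxs\\")

def canon_run_key(key):
    """Fold HKCU / HKEY_CURRENT_USER\\...\\Run(Once) spellings into one form for grouping."""
    hive = key.split("\\", 1)[0].upper()
    tail = "RunOnce" if key.lower().endswith("runonce") else "Run"
    return HIVES.get(hive, hive) + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + tail

def triage(log_text):
    """One pass over the log; returns the indicators grouped by class."""
    f = {"lookalikes": {}, "run_values": set(), "sigcheck_failed": {}, "known_good": {},
         "ie_proxy": None, "ff": {}}
    key = None
    for line in (raw.strip() for raw in log_text.splitlines()):
        f["lookalikes"].update({p.lower(): p for p in PATH_RE.findall(line) if is_masquerading(p)})
        if m := SECTION_RE.match(line):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and key and "\\RUN" in key.upper():
            if is_masquerading(m.group(2)):              # autostart value launching a lookalike
                f["run_values"].add((canon_run_key(key), m.group(1)))
        elif m := ORPHAN_RE.match(line):                 # "HKCU-Run-NAME - path" orphan lines
            if is_masquerading(m.group(3)):
                f["run_values"].add((canon_run_key(m.group(1) + "\\Run"), m.group(2)))
        elif m := SIGCHECK_RE.match(line):
            mark, version, path = m.groups()
            if mark == "-":                              # [-]: no hash/version match, treat as tampered
                f["sigcheck_failed"][path] = version
            elif vtuple(version) > vtuple(f["known_good"].get(basename(path), ("0",))[0]):
                f["known_good"][basename(path)] = (version, path)   # newest WinSxS copy wins
        elif m := IE_PROXY_RE.match(line):
            f["ie_proxy"] = m.group(1)
        elif m := FF_RE.match(line):
            f["ff"][m.group(1)] = m.group(2)
    return f

def render_cfscript(f):
    """Draft a CFScript in the FILE::/REGISTRY::/FCOPY::/DDS::/FIREFOX:: layout used above."""
    out = ["FILE::", *sorted(f["lookalikes"].values(), key=str.lower), "", "REGISTRY::"]
    by_key = {}
    for key, name in f["run_values"]:
        by_key.setdefault(key, []).append(name)
    for key in sorted(by_key):
        out += [f"[{key}]", *(f'"{name}"=-' for name in sorted(by_key[key]))]
    out += ["", "FCOPY::"]
    for dst in sorted(f["sigcheck_failed"]):
        if good := f["known_good"].get(basename(dst)):   # only when a WinSxS copy exists
            out.append(f"{good[1]} | {dst}")
    if f["ie_proxy"] and any(h in f["ie_proxy"] for h in LOOPBACK):
        out += ["", "DDS::", f"uInternet Settings,ProxyServer = {f['ie_proxy']}"]
    prefs = sorted(k for k in f["ff"] if k != "ProfilePath")
    if any(f["ff"][k] in LOOPBACK for k in prefs):
        out += ["", "FIREFOX::", f"FF - ProfilePath - {f['ff'].get('ProfilePath', '')}"]
        out += [f"FF - {k}" for k in prefs]
    return "\n".join(out) + "\n"

# Constructed sample: lines quoted from the logs earlier in this thread, not a full log.
SAMPLE_LOG = r"""
2011-02-07 19:34 . 2011-02-07 19:36 197120 ----a-w- c:\program files\Windows NT\dwm.exe
[-] 2009-04-11 . B3BD36B68AED3CC354988B9D08711DDD . 2926592 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2009-04-11 . D07D4C3038F3578FFCE1C0237F2A1253 . 2926592 . . [6.0.6002.18005] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[7] 2008-01-21 . FFA764631CB70A30065C12EF8E174F9F . 2927104 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[-] 2008-01-21 . 7A28767CEF683FE01195AE83D8655BC8 . 96768 . . [6.0.6000.16386] . . c:\windows\System32\wininit.exe
[7] 2008-01-21 . 101BA3EA053480BB5D957EF37C06B5ED . 96768 . . [6.0.6001.18000] . . c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
uInternet Settings,ProxyServer = http=127.0.0.1:55677
FF - ProfilePath - c:\users\msladydebbie\AppData\Roaming\Mozilla\Firefox\Profiles\gyg0nix8.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.type - 1
HKCU-Run-RTHDBPL - c:\users\msladydebbie\AppData\Roaming\SystemProc\lsass.exe
HKLM-Run-conhost - c:\users\msladydebbie\AppData\Roaming\Microsoft\conhost.exe
"""
if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_LOG)))
```

The lookalike check is deliberately a path check and nothing more: on a live machine the next step is to confirm the flagged file has no valid Microsoft signature and the restored copy does, which the log cannot tell you. The loopback-proxy check is what turns "the browser is slow" into "the malware sees every request"; clearing the IE ProxyServer value and the three Firefox prefs, as rigacci's DDS:: and FIREFOX:: sections do, is what restores direct connectivity once the process behind port 55677 is gone.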


#8 jengirl (Topic Starter)

Posted 14 March 2011 - 01:02 AM

I did what you asked in the last post. The message I received said ComboFix will reboot your computer, don't try to do it yourself. My computer has been logging out for about 40 minutes; is that normal? Once it restarts I'll post the log you requested.

#9 rigacci

Posted 14 March 2011 - 06:49 AM

I wouldn't call it "normal" but it does happen. :angry:

If it continues, you will need to force a reboot. Let me know how it goes and I will see what we can do here.

D :mellow:

#10 jengirl (Topic Starter)

Posted 14 March 2011 - 09:46 AM

OK, I did have to force reboot. When I did, the prompt window came up that said ComboFix is creating a log, do not run any program until finished. Here is the log:

ComboFix 11-03-12.01 - msladydebbie 03/13/2011 23:51:37.1.1 - x86 MINIMAL
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2813.2293 [GMT -5:00]
Running from: c:\users\msladydebbie\Desktop\ComboFix.exe
Command switches used :: c:\users\msladydebbie\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\program files\Internet Explorer\conhost.exe"
"c:\program files\SGPSA\ie3sh.exe"
"c:\program files\Windows NT\dwm.exe"
"c:\users\msladydebbie\AppData\Roaming\Microsoft\gb_1976641.bat"
"c:\users\msladydebbie\AppData\Roaming\Microsoft\gb_2027014.bat"
"c:\users\msladydebbie\AppData\Roaming\SystemProc\lsass.exe"
"c:\users\The Bubba\AppData\Roaming\Microsoft\gb_841447771.bat"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Internet Explorer\conhost.exe
c:\program files\Windows NT\dwm.exe
c:\users\msladydebbie\AppData\Roaming\Microsoft\gb_1976641.bat
c:\users\msladydebbie\AppData\Roaming\Microsoft\gb_2027014.bat
c:\users\The Bubba\AppData\Roaming\Microsoft\gb_841447771.bat
.
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
.
Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
.
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
Infected copy of c:\windows\System32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe --> c:\windows\explorer.exe
c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe --> c:\windows\System32\wininit.exe
.
((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
.
.
2011-03-14 04:58 . 2011-03-14 14:37 -------- d-----w- c:\users\msladydebbie\AppData\Local\temp
2011-03-14 04:58 . 2011-03-14 04:58 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-03-14 04:58 . 2011-03-14 04:58 -------- d-----w- c:\users\The Bubba\AppData\Local\temp
2011-03-14 04:58 . 2011-03-14 04:58 -------- d-----w- c:\users\Jendayi\AppData\Local\temp
2011-03-14 04:58 . 2011-03-14 04:58 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-03-14 04:58 . 2011-03-14 04:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-05 18:41 . 2011-03-05 18:41 -------- d-----w- c:\users\The Bubba\AppData\Roaming\Malwarebytes
2011-03-01 23:36 . 2011-03-01 23:36 -------- d-----w- c:\users\Jendayi\AppData\Local\Adobe
2011-03-01 23:32 . 2011-03-01 23:32 -------- d-----w- c:\users\Jendayi\AppData\Roaming\Malwarebytes
2011-03-01 01:21 . 2011-03-02 00:09 -------- d-----w- C:\!KillBox
2011-02-27 07:45 . 2011-02-27 07:45 -------- d-----w- C:\$AVG
2011-02-27 07:39 . 2011-02-27 07:39 -------- d-----w- c:\users\msladydebbie\AppData\Roaming\AVG10
2011-02-27 07:39 . 2011-02-27 07:39 -------- d--h--w- c:\programdata\Common Files
2011-02-27 07:37 . 2011-03-01 00:42 -------- d-----w- c:\programdata\AVG10
2011-02-27 07:29 . 2011-02-27 07:29 -------- d-----w- c:\program files\AVG
2011-02-23 00:56 . 2011-02-23 00:56 -------- d-----w- c:\users\msladydebbie\AppData\Roaming\Sammsoft
2011-02-23 00:56 . 2011-02-23 00:56 -------- d-----w- c:\program files\ARO 2011
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 09:41 . 2011-01-21 07:33 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3BC2E5AD-25C8-4108-88ED-25F137014A18}\mpengine.dll
2010-08-15 16:20 . 2010-08-15 16:20 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-11-07 116056]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"AROReminder"="c:\program files\ARO 2011\ARO.exe" [2011-01-25 2312048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-02-22 1037608]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-07-23 846344]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-15 30192]
"BkupTray"="c:\program files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe" [2008-04-26 28672]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-10 2595792]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2008-04-10 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-10 136472]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Skytel"="Skytel.exe" [2008-06-25 1826816]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-04-06 1277584]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Photags AutoDetect.lnk - c:\program files\PhoTags Express\Photags AutoDetect.exe [2010-5-7 368640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\progra~1\Google\GOOGLE~1\GOEC62~1.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe [2008-03-03 16384]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-11-28 24576]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-11-07 238952]
R2 gupdate1c9caa1cfdca0d0;Google Update Service (gupdate1c9caa1cfdca0d0);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 133104]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe [2008-04-26 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe [2008-04-26 131072]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-11-02 36608]
R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-15 30192]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 21:14]
.
2011-02-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 21:14]
.
2011-02-27 c:\windows\Tasks\User_Feed_Synchronization-{3C40EAF7-8D11-42D8-88F8-7CB2F8A6BBD4}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\msladydebbie\AppData\Roaming\Mozilla\Firefox\Profiles\gyg0nix8.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 55677
FF - prefs.js: network.proxy.type - 1
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(596)
c:\windows\system32\relog_ap.dll
.
Completion time: 2011-03-14 09:44:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-14 14:43
.
Pre-Run: 16,334,454,784 bytes free
Post-Run: 16,284,766,208 bytes free
.
- - End Of File - - 643BB2221CB5E5D655574780088A6F72

#11 rigacci (Fiorentino, Members, 2,604 posts)

Posted 14 March 2011 - 02:41 PM

Thanks.

Are you still unable to boot into Normal Mode?

DR

#12 jengirl (Topic Starter, Members, 13 posts)

Posted 14 March 2011 - 08:41 PM

No, still not able to boot into normal mode

#13 rigacci (Fiorentino, Members, 2,604 posts)

Posted 15 March 2011 - 10:51 AM

I would like you to get the Error Code when you attempt to boot into Normal Mode.

First, you need to boot up under Safe Mode, to disable automatic restart when you have a system error.

  • Click Start, then click the right mouse button on My Computer. Select Properties.
  • Click Advanced System Settings, then click the Advanced tab.
  • Under Startup and Recovery, click Settings.
  • Under System failure, click the checkbox next to automatically restart to remove the checkmark.
  • Click OK to close the Startup and Recovery window, then click OK to close the System Properties window, then close the Properties window.
Then, "allow" it to BSOD and note down the error code, any parameters as well as any references to problem file(s) or driver(s).

As an example:
[image: example blue-screen error showing the STOP code, parameters and referenced driver]


Please post that information here.

Thanks.

DR
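The steps above make the same change through the System Properties dialog. As an added example that is not part of the original post, here is that change done from an elevated PowerShell prompt, with a read-back check so the result is confirmed before attempting the normal-mode boot. It assumes PowerShell is installed on the affected Vista machine and that the prompt is elevated; the registry path and the WMI class are the standard ones Windows uses for this setting.

```powershell
# Added example (not from the original post): turn off "Automatically restart"
# on system failure so the STOP code stays on screen, then read it back.
# Assumption: run from an elevated PowerShell prompt on the affected machine.

$crashCtl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Get-AutoRebootSetting {
    # AutoReboot: 1 = restart automatically after a STOP error (the default),
    #             0 = stay on the blue screen so the code can be written down
    (Get-ItemProperty -Path $crashCtl -Name AutoReboot).AutoReboot
}

function Disable-AutoReboot {
    # This is the same value the "Automatically restart" checkbox writes
    Set-ItemProperty -Path $crashCtl -Name AutoReboot -Value 0 -Type DWord

    # Read it back: a non-elevated prompt fails silently on some builds,
    # so confirm the value before rebooting into Normal Mode
    if ((Get-AutoRebootSetting) -ne 0) {
        throw 'AutoReboot is still enabled; re-run from an elevated prompt'
    }
}

"Before: AutoReboot = $(Get-AutoRebootSetting)"
Disable-AutoReboot
"After:  AutoReboot = $(Get-AutoRebootSetting)"

# The same setting as WMI reports it, plus where a crash dump would be written
Get-WmiObject Win32_OSRecoveryConfiguration |
    Select-Object AutoReboot, DebugInfoType, MiniDumpDirectory
```

Once the machine stays on the blue screen, the STOP code, its four parameters and any named driver are exactly the details asked for above. If DebugInfoType is non-zero, the same crash information is also written to the directory shown by MiniDumpDirectory (normally %SystemRoot%\Minidump), which is worth checking after a failed boot even if the screen was missed.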

#14 jengirl (Topic Starter, Members, 13 posts)

Posted 15 March 2011 - 05:10 PM

My computer won't even give me the option to boot in normal mode. It goes right into safe mode upon boot. I didn't get the BSOD.

#15 rigacci (Fiorentino, Members, 2,604 posts)

Posted 15 March 2011 - 08:23 PM

And what about doing an F8 at the beginning of Boot-up? Tap the F8 right after the Logo and get the Advanced Boot Options menu. Or not! :whistle:

A silly question, but are you sure you are in Safe Mode? It should have the "Safe" logo in the four corners of the screen and notify you that it is in Safe Mode. <_<

Let me get back to you. We may need some more info before deciding what is next.

DR
