Infected with Zero Access and Katusha


  • This topic is locked
111 replies to this topic

#1 Tiger-Heli

Tiger-Heli

  • Members
  • 171 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 29 August 2011 - 06:00 AM

Probably infected with Zero Access and Katusha.

I was trying to install a program and AVG Free said the IPSEC was infected - but said the file was white-listed and took no action.

After that, AVG started generating a lot of threat detections (which I ignored b/c they were in generally known good locations), and MBAM would not allow me to open it.

AVG identified a problem with WinPump.F in one of the files, which it moved to the virus vault.
It then found a problem BackDoor.Generic.14.UFQ in ipsec.sys - which it said was white-listed, so as far as I can tell, it didn't do anything.
It then found Katusha.a in wuaclt.exe, and my APC backup files, and AVG's own files.
It also found a desktop.ini file, which is consistent with Zero Access.
I am attaching the AVG .csv log file. I had so much AVG activity that I ended up disabling the systray app at startup so I can at least use the computer in a limited sense. (Actually, I don't seem to have disabled AVG - I kept the tray icon from showing up, but I noticed the AVG services are still running, sometimes.) I'm attaching the AVG history .csv file as well.

I googled IPSEC on another computer and found a thread recommending TDSSKiller, and I ran it and it found Zaccess.c, but could not cure it.

TDSSKiller would report ipsec.sys as infected, and I would let it cure and re-boot and rescan, and it would report redbook.sys as infected, and I would cure and re-boot and it would report afd.sys as infected, etc.

Symptoms are somewhat similar to this post.

I tried the WebRoot AntiZeroAccess file as reported in the other thread, and one file on the scan showed red (infected), but at the end of the scan, it said the system was not infected (not that the system had been cleaned, but that it didn't find anything to report). TDSSKiller and AVG still say I am infected.

Symptoms are mainly a lot of my systray programs don't work. I can't start MBAM or GMER or Speedfan or Tclock. APC systray works intermittently. AVG shows no active components, but the AVG services seem to be working - maybe. I suspect I will have to use SET ACL once we figure out how to kill the viruses and rootkits. (After running the preparation steps, I double-clicked SETACL.ocx and it registered, but I don't know how to do anything useful with it.)

I ran through the preparation thread - results attached. (The rootkit ate GMER - when I clicked SCAN, GMER vanished and then Windows said I didn't have permission to access GMER.exe when I clicked on it again.)

All help appreciated.

DDS Scan:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by <user named edited> at 22:14:55 on 2011-08-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1093 [GMT -4:00]
.
.
============== Running Processes ===============
.
G:\PROGRA~1\AVG\AVG10\avgchsvx.exe
G:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\3795484241:2927740189.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
G:\program files\PS Tray Factory\PSTrayFactory.exe
G:\program files\AutoShutdown\AutoShutdown.exe
G:\program files\Wallpaper Master\Wallpaper.exe
G:\program files\Logitech\SetPoint\SetPoint.exe
G:\program files\PhenomMsrTweaker\PhenomMsrTweaker.exe
C:\MultiRes\MultiRes.exe
G:\program files\WKeyKill\WKeyKill.exe
G:\program files\taskbar_shuffle\taskbarshuffle.exe
G:\program files\Mozilla Sunbird\sunbird.exe
G:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
G:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - g:\program files\avg\avg10\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [WallpaperChanger] g:\program files\wallpaper master\Wallpaper.exe
uRun: [PPWebCap] g:\progra~1\scansoft\paperp~1\PPWebCap.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AutoShutdown Pro] g:\program files\autoshutdown\AutoShutdown.exe
mRun: [TrayFactory] g:\program files\ps tray factory\PSTrayFactory.exe /start
mRunOnce: [PSTF] g:\program files\ps tray factory\PSTrayFactory.exe /start
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - g:\program files\batchrun\startup.brs
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 01000000
uPolicies-explorer: NoStrCmpLogical = 01000000
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272050581828
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - g:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - g:\program files\avg\avg10\avgpp.dll
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - g:\program files\common files\microsoft shared\information retrieval\itss51.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - g:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2009-9-2 189968]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-11-25 10384]
R2 StarWindService;StarWind iSCSI Service;g:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 WinRing0_1_2_0;WinRing0_1_2_0;g:\program files\phenommsrtweaker\WinRing0.sys [2008-7-26 14416]
S2 AutoShutdown;AutoShutdown Service;g:\progra~1\autosh~1\AS_Service.exe [2009-9-6 150016]
S2 AVGIDSAgent;AVGIDSAgent;g:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
S2 avgwd;AVG WatchDog;g:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S2 PhenomMsrTweaker;PhenomMsrTweaker service;g:\program files\phenommsrtweaker\PhenomMsrTweakerService.exe [2009-3-19 21504]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\brooks~1\locals~1\temp\alsysio.sys --> c:\docume~1\brooks~1\locals~1\temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-5 1684736]
S3 AODDriver;AODDriver;c:\program files\gigabyte\et6\i386\AODDriver.sys [2009-2-23 7168]
S3 CTUPnPSv;Creative Centrale Media Server;g:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2009-9-5 17488]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-4-23 580096]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;g:\program files\sisoftware\sisoftware sandra lite 2009.sp4\RpcAgentSrv.exe [2009-9-14 99176]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2009-9-20 223128]
S4 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-9-5 68136]
.
=============== Created Last 30 ================
.
2011-08-24 22:51:06 43408 --sha-w- c:\windows\system32\c_69692.nl_
2011-08-24 02:32:31 -------- d-----w- g:\program files\Siber Systems
.
==================== Find3M ====================
.
2011-08-26 16:50:24 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-25 22:07:02 455296 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-25 01:18:42 248656 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-08-25 00:31:48 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-25 00:25:22 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-25 00:21:47 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-25 00:09:17 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
.
============= FINISH: 22:15:05.96 ===============
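
As an added example (not part of this thread, and not code from DDS or any tool named here), a small Python triage script that pulls out of a DDS log the three kinds of entries a responder would want to verify first on a machine like this one: a process path that names an NTFS alternate data stream (a second colon after the drive letter, which a normal path never has), kernel drivers under system32\drivers modified within a week of the scan, and services whose image sits in a temp location, is a .tmp file, or could not be read by DDS. The sample lines are copied from the log above and the 2011-08-28 scan date comes from its header; the output is a shortlist for manual checking, not a verdict.

```python
"""Triage helpers for a DDS log (added example; not part of the thread or of DDS)."""
import re
from datetime import date, timedelta

# Constructed sample: lines copied from the DDS log posted in #1, trimmed to the
# three sections the helpers below read.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\3795484241:2927740189.exe
C:\WINDOWS\Explorer.EXE
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2009-9-2 189968]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\brooks~1\locals~1\temp\alsysio.sys --> c:\docume~1\brooks~1\locals~1\temp\ALSysIO.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-4-23 580096]
.
==================== Find3M ====================
.
2011-08-26 16:50:24 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-25 00:31:48 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-25 00:25:22 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-25 00:21:47 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
.
============= FINISH: 22:15:05.96 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<date> <time> <size> <attrs> <path>" as DDS prints Find3M entries
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")
# "<state> <name>;<description>;<image path> [<date size>]" as DDS prints services
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?)(?: \[(.*)\])?$")


def parse_sections(text):
    """Split a DDS log into {section name: [lines]}; the '.' spacer lines are dropped."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_ads_processes(process_lines):
    """Return process paths that name an alternate data stream: a Win32 path has one
    colon, right after the drive letter, so any further colon is a stream name."""
    flagged = []
    for line in process_lines:
        path = line.split(" -k ")[0].strip()  # drop svchost group arguments
        if len(path) > 2 and path[1] == ":" and ":" in path[2:]:
            flagged.append(path)
    return flagged


def find_recent_driver_changes(find3m_lines, scan_day, window_days=7):
    """Return (iso date, path) for .sys files under \\drivers\\ modified within
    window_days before the scan date (inclusive)."""
    cutoff = scan_day - timedelta(days=window_days)
    hits = []
    for line in find3m_lines:
        m = FIND3M_RE.match(line)
        if not m:
            continue
        when, path = date.fromisoformat(m.group(1)), m.group(5)
        low = path.lower()
        if "\\drivers\\" in low and low.endswith(".sys") and cutoff <= when <= scan_day:
            hits.append((when.isoformat(), path))
    return hits


def find_unverifiable_drivers(service_lines):
    """Return (state, name, path) for entries whose image is in a temp directory,
    is a .tmp file, or could not be stat'ed by DDS (shown as '[?]')."""
    hits = []
    for line in service_lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, _desc, path, meta = m.groups()
        low = path.lower()
        if "\\temp\\" in low or low.endswith(".tmp") or meta == "?":
            hits.append((state, name, path.split(" --> ")[-1]))
    return hits


def triage(dds_text, scan_date):
    """Run all three checks; scan_date is the log's run date as 'YYYY-MM-DD'."""
    s = parse_sections(dds_text)
    return {
        "ads_processes": find_ads_processes(s.get("Running Processes", [])),
        "recent_drivers": find_recent_driver_changes(
            s.get("Find3M", []), date.fromisoformat(scan_date)),
        "unverifiable_drivers": find_unverifiable_drivers(s.get("SERVICES / DRIVERS", [])),
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_DDS, "2011-08-28").items():
        print(f"{key}:")
        for hit in hits:
            print("   ", hit)
```

Legitimate software also ends up on this list (the AVG driver in the full log was modified in the same window, and Sophos Anti-Rootkit leaves a .tmp driver entry behind), which is why the output is a list to confirm against the vendor's files rather than a detection.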


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:42 PM

Posted 02 September 2011 - 07:02 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait until the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** You may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

information and logs:

  • In your next post I need the following:
    • logs from DDS
    • log from RKUnHooker
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Tiger-Heli

Tiger-Heli
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 03 September 2011 - 10:45 AM

Hi Gringo,

Thanks for helping me. I will have limited Internet Access until Tuesday, so I might not want to run anything that will lock up the computer before then - I also will limit usage of it.

Here is the new DDS Scan:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by <User Name Edited> at 11:21:51 on 2011-09-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1090 [GMT -4:00]
.
.
============== Running Processes ===============
.
G:\PROGRA~1\AVG\AVG10\avgchsvx.exe
G:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
G:\program files\PS Tray Factory\PSTrayFactory.exe
G:\program files\AutoShutdown\AutoShutdown.exe
G:\Program Files\AVG\AVG10\avgtray.exe
G:\program files\Wallpaper Master\Wallpaper.exe
G:\program files\Logitech\SetPoint\SetPoint.exe
G:\program files\PhenomMsrTweaker\PhenomMsrTweaker.exe
G:\program files\TClockEx\Win32\Clock.exe
C:\MultiRes\MultiRes.exe
G:\program files\WKeyKill\WKeyKill.exe
G:\program files\taskbar_shuffle\taskbarshuffle.exe
G:\program files\Mozilla Sunbird\sunbird.exe
G:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
G:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
G:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
============== Pseudo HJT Report ===============
.
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - g:\program files\avg\avg10\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [WallpaperChanger] g:\program files\wallpaper master\Wallpaper.exe
uRun: [PPWebCap] g:\progra~1\scansoft\paperp~1\PPWebCap.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AutoShutdown Pro] g:\program files\autoshutdown\AutoShutdown.exe
mRun: [TrayFactory] g:\program files\ps tray factory\PSTrayFactory.exe /start
mRun: [AVG_TRAY] g:\program files\avg\avg10\avgtray.exe
mRunOnce: [PSTF] g:\program files\ps tray factory\PSTrayFactory.exe /start
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - g:\program files\batchrun\startup.brs
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 01000000
uPolicies-explorer: NoStrCmpLogical = 01000000
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
LSP: mswsock.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1272050581828
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - g:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - g:\program files\avg\avg10\avgpp.dll
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - g:\program files\common files\microsoft shared\information retrieval\itss51.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - g:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2009-9-2 189968]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-11-25 10384]
R2 StarWindService;StarWind iSCSI Service;g:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 WinRing0_1_2_0;WinRing0_1_2_0;g:\program files\phenommsrtweaker\WinRing0.sys [2008-7-26 14416]
S2 AutoShutdown;AutoShutdown Service;g:\progra~1\autosh~1\AS_Service.exe [2009-9-6 150016]
S2 AVGIDSAgent;AVGIDSAgent;g:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
S2 avgwd;AVG WatchDog;g:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
S2 PhenomMsrTweaker;PhenomMsrTweaker service;g:\program files\phenommsrtweaker\PhenomMsrTweakerService.exe [2009-3-19 21504]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\brooks~1\locals~1\temp\alsysio.sys --> c:\docume~1\brooks~1\locals~1\temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-9-5 1684736]
S3 AODDriver;AODDriver;c:\program files\gigabyte\et6\i386\AODDriver.sys [2009-2-23 7168]
S3 CTUPnPSv;Creative Centrale Media Server;g:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 etdrv;etdrv;c:\windows\etdrv.sys [2009-9-5 17488]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2010-4-23 580096]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;g:\program files\sisoftware\sisoftware sandra lite 2009.sp4\RpcAgentSrv.exe [2009-9-14 99176]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2009-9-20 223128]
S4 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-9-5 68136]
.
=============== Created Last 30 ================
.
2011-08-24 22:51:06 43408 --sha-w- c:\windows\system32\c_69692.nl_
2011-08-24 02:32:31 -------- d-----w- g:\program files\Siber Systems
.
==================== Find3M ====================
.
2011-08-26 16:50:24 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-25 22:07:02 455296 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-25 01:18:42 248656 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-08-25 00:31:48 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-25 00:25:22 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-25 00:21:47 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-25 00:09:17 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
.
============= FINISH: 11:22:01.89 ===============

Here is the attach scan:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/5/2009 8:27:55 PM
System Uptime: 9/3/2011 7:29:24 AM (4 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | GA-MA785GMT-UD2H
Processor: AMD Athlon™ II X2 240 Processor | Socket M2 | 2812/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 29 GiB total, 19.563 GiB free.
D: is CDROM ()
F: is Removable
G: is FIXED (NTFS) - 436 GiB total, 41.279 GiB free.
H: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP203: 7/10/2011 4:54:23 PM - System Checkpoint
RP204: 7/10/2011 5:51:37 PM - System Checkpoint
RP205: 7/11/2011 7:36:49 PM - System Checkpoint
RP206: 7/12/2011 8:32:45 PM - System Checkpoint
RP207: 7/14/2011 7:50:57 PM - System Checkpoint
RP208: 7/17/2011 9:52:57 AM - System Checkpoint
RP209: 7/18/2011 6:44:07 PM - System Checkpoint
RP210: 7/19/2011 7:18:25 PM - System Checkpoint
RP211: 7/20/2011 7:23:09 PM - System Checkpoint
RP212: 7/21/2011 8:35:21 PM - System Checkpoint
RP213: 7/22/2011 8:41:43 PM - System Checkpoint
RP214: 7/23/2011 8:44:17 PM - System Checkpoint
RP215: 7/25/2011 7:14:16 PM - System Checkpoint
RP216: 7/26/2011 8:06:53 PM - System Checkpoint
RP217: 7/28/2011 9:38:14 PM - System Checkpoint
RP218: 7/30/2011 8:36:49 AM - System Checkpoint
RP219: 7/31/2011 7:26:45 PM - System Checkpoint
RP220: 8/1/2011 8:02:54 PM - System Checkpoint
RP221: 8/2/2011 9:43:30 PM - System Checkpoint
RP222: 8/3/2011 10:13:29 PM - System Checkpoint
RP223: 8/4/2011 11:14:30 PM - System Checkpoint
RP224: 8/6/2011 12:02:44 PM - System Checkpoint
RP225: 8/7/2011 12:45:29 PM - System Checkpoint
RP226: 8/8/2011 7:13:55 PM - System Checkpoint
RP227: 8/10/2011 7:09:07 PM - System Checkpoint
RP228: 8/11/2011 7:23:29 PM - System Checkpoint
RP229: 8/12/2011 7:36:04 PM - System Checkpoint
RP230: 8/13/2011 10:40:28 PM - System Checkpoint
RP231: 8/16/2011 6:44:57 PM - System Checkpoint
RP232: 8/18/2011 7:04:12 PM - System Checkpoint
RP233: 8/19/2011 7:21:20 PM - System Checkpoint
RP234: 8/21/2011 10:31:01 AM - System Checkpoint
RP235: 8/22/2011 6:59:55 PM - System Checkpoint
RP236: 8/24/2011 8:06:06 PM - System Checkpoint
RP237: 8/24/2011 8:09:56 PM - Restore Operation
RP238: 8/24/2011 8:12:09 PM - Restore Operation
RP239: 8/24/2011 8:14:07 PM - Restore Operation
RP240: 8/30/2011 8:51:16 PM - Installed AVG 2011
RP241: 9/1/2011 6:46:26 PM - System Checkpoint
RP242: 9/3/2011 8:32:10 AM - System Checkpoint
.
==== Installed Programs ======================
.
12noon Display Changer
1st Clock 3.0 RC1 (30-day trial)
3D Fish School 2 Screen Saver
7-Zip 4.43 beta
A-Ray Scanner 2.0.2.3
Abound Screensaver 1.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Aftermath 2.0 (inc addon packs A-D)
AGEIA PhysX v7.07.09
Algebra 2 7.0
AMD Processor Driver
Angel Writer 3.1
AnyDVD
AnyFolder shell extension
APC PowerChute Personal Edition
ATI Catalyst Install Manager
ATI Parental Control & Encoder
Audacity 1.3.7 (Unicode)
AutoHotkey 1.0.37.01
AutoShutdown Pro v4.3
AVG 2011
Batchrun 4.1
Battlecraft Vietnam
Battlefield 1861
Battlefield 1942
Battlefield 2™
Battlefield Mod Development Toolkit 2.5
Battlefield Vietnam™
Battlefield Vietnam: WW2 Mod
Battlegroup42 Vietnam 0.1 Pacific
BEAT THE MARKET
Before You Know It 3.6
Belarc Advisor 8.1
Beyond Compare Version 2.2.7
Bf1918 3.0
BlindBossKey 1.1.3 Lite
BlindWrite suite
BlindWrite5
Burnout™ Paradise The Ultimate Box
Call of Duty
Call of Duty - United Offensive
Call of Duty® 2
Call of Duty® 2 Patch 1.3
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.7 Patch
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner (remove only)
CDCheck
CDDRV_Installer
Chemistry 3.5
CloneCD
CloneDVD2
College Exam Prep 2004
ConBuilder
Copy-Discovery 2000 2.06
CPUID CPU-Z 1.52.2
Creative Centrale
Creative Removable Disk Manager
Creative Software Update
Creative ZEN Mozaic User's Guide
CryEngine®2 Sandbox™2
Crysis® SP Demo
DaemonScript
DC Realism 1.0
DCFX
DCXtended .9
Delta Force Black Hawk Down Demo
DesertCombat 0.7
DH Driver Cleaner Professional Edition
Diskeeper Lite
Dup Detector
DVD Identifier
Easy Tune 6 B09.0515.1
EasySaver B9.0610.1
erLT
ERUNT 1.1h
Eve of Destruction 0.15
Eve of Destruction 2.0 Levels
Eve of Destruction v2.0
EVEREST Home Edition v2.20
Exact Audio Copy 0.95b4
Filzip 2.01
foobar2000 v0.9.4.3
Forgotten Honor
Forgotten Hope 0.70
Foxit Reader
Fraps (remove only)
Galactic Conquest Release 5.3
Geometry 7.0
GTK+ 2.8.18-1 runtime environment
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB954550-v5)
Human 3D LR1n
IconArt
ID3-TagIT 3
ID3 renamer 2.15.15
IrfanView (remove only)
Java Auto Updater
Java™ 6 Update 20
K-Lite Mega Codec Pack 5.1.6
Karen's Directory Printer
KhalInstallWrapper
Logitech SetPoint
Magic 2000 ScreenSaver
Malwarebytes' Anti-Malware version 1.51.0.1200
MaXimus DVD Version 1.2
Medal of Honor Airborne
Medal of Honor Allied Assault
Medal of Honor Allied Assault™ Breakthrough
Medal of Honor Allied Assault™ Breakthrough Patch v2.40
Medal of Honor Allied Assault™ Spearhead
Medal of Honor Allied Assault™ Spearhead Patch 2.15
Medal of Honor Pacific Assault™
Medal of Honor Pacific Assault™ Patch2
MediaMonkey 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Encarta Encyclopedia 2000
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Train Simulator
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Word 2000 SR-1
Mp3 Tag Tools v1.2
Mp3tag v2.48
MSTS Patch 1.8.0521 EN
Nero Media Player
Nero OEM
Norton PartitionMagic
Norton PartitionMagic 8.0
Norwegian Resistance Hotfix 0.86
Norwegian Resistance v0.85
Norwegian Resistance v0.86b Hotfixhotfix
Nvu 1.0
OneTouch Version 3.0
OpenOffice.org 3.1
Opera 10.10
Paint Shop Pro 7 Try And Buy
Paint.NET v3.36
PanaVue ImageAssembler
PANZERS DEMO #2
PaperPort 7.02
PDF Password Remover v2.1
PDFCreator
pdfsam
PE Builder 3.1.10a
PhenomMsrTweaker
Physics I 3.5
PoE v1.0.0.0
PS Tray Factory 3.2
PS/2 Rate Adjuster PLUS
PunkBuster for Battlefield Vietnam
QuickTime 3.0
RAR Password Recovery Magic v6.1.1.232
Realtek High Definition Audio Driver
RegSupreme 1.3
RegWorks 1.3.4
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973507)
SereneScreen Marine Aquarium 2.6
SiSoftware Sandra Lite 2009.SP4
Skins
Sophos Anti-Rootkit 1.5.4
SpeedFan (remove only)
Star Trek Armada II DEMO
Star Trek Legacy
Star Trek Legacy Patch v1.1
Star Trek Legacy Patch v1.2
Star Trek Voyager Elite Force Demo
Star Trek: Armada Demo
Star Wars Battlefront
Stargate Single Player
The GIMP 2.2.13
The Legendary Generations Mod
Train Store V3.2
Trigonometry 7.0
TuneXP 1.5
Tweak UI
uberOptions 4.60.4
Unlocker 1.8.1
Update for Windows XP (KB898461)
Update for Windows XP (KB955839)
Update for Windows XP (KB973815)
US Government 1.5
VirtualCloneDrive
Visual Install Pack
VLC media player 1.0.2
VP-Man
W311U
Washington, DC #1
Washington, DC #2
WebFldrs XP
WinDirStat 1.1.2
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
WinZip 14.5
Works Suite OS Pack
Works Synchronization
Writing Master 1.5
XAce Plus v2.6
XBCD 1.07
XnView 1.92
XP16
.
==== Event Viewer Messages From Past Week ========
.
9/2/2011 1:35:38 PM, error: Service Control Manager [7001] - The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
9/2/2011 1:35:38 PM, error: DCOM [10005] - DCOM got error "%1068" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
8/28/2011 8:49:20 PM, error: Service Control Manager [7000] - The PhenomMsrTweaker service service failed to start due to the following error: Access is denied.
8/28/2011 8:49:20 PM, error: Service Control Manager [7000] - The CT Device Query service service failed to start due to the following error: Access is denied.
8/28/2011 8:49:20 PM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: Access is denied.
8/28/2011 8:49:20 PM, error: Service Control Manager [7000] - The AVG WatchDog service failed to start due to the following error: Access is denied.
8/28/2011 8:49:20 PM, error: Service Control Manager [7000] - The AutoShutdown Service service failed to start due to the following error: Access is denied.
8/28/2011 8:49:20 PM, error: Service Control Manager [7000] - The APC UPS Service service failed to start due to the following error: Access is denied.
.
==== End Of File ===========================

Here is the RK Unhooker Scan (I selected Stealth Code, not Stealth - I'm pretty sure that was correct).

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xA6B07000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 6074368 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xB47AF000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 5165056 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xA7539000 C:\WINDOWS\system32\drivers\RtKHDMI.sys 3735552 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF20B000 C:\WINDOWS\System32\ati3duag.dll 3702784 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF593000 C:\WINDOWS\System32\ativvaxx.dll 2256896 bytes (Advanced Micro Devices, Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF060000 C:\WINDOWS\System32\ati2cqag.dll 692224 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF109000 C:\WINDOWS\System32\atikvmag.dll 643072 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xB9DC6000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA06BE000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xA05D9000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xBF1A6000 C:\WINDOWS\System32\atiok3x2.dll 413696 bytes (Advanced Micro Devices, Inc., Ring 0 x2 component)
0xB464E000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA09F4000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9D5D2000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 319488 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xA0739000 C:\WINDOWS\system32\DRIVERS\avgtdix.sys 290816 bytes
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB9EAF000 ahcix86.sys 278528 bytes (Advanced Micro Devices, Inc, AMD AHCI Compatible Controller Driver for Windows family)
0x9BD57000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xA059D000 C:\WINDOWS\system32\DRIVERS\avgldx86.sys 245760 bytes (AVG Technologies CZ, s.r.o., AVG AVI Loader Driver)
0xB46AC000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB9D99000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9B461000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA0649000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB4773000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA0696000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA0780000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0x9CCED000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA7515000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB474F000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB472C000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA0674000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x9D3AB000 C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys 131072 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Driver.)
0xB9E8F000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9D7F000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9EF3000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB9F0B000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB9E66000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB4715000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9D595000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB479B000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA0A4D000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB9E53000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9E7D000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB46DC000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA10F1000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA138000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA2B8000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA148000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA5B42000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA128000 C:\WINDOWS\system32\DRIVERS\AmdPPM.sys 53248 bytes (Advanced Micro Devices, AMD Processor Driver)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA168000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA178000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA248000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xA651B000 C:\WINDOWS\system32\DRIVERS\avgmfx86.sys 49152 bytes (AVG Technologies CZ, s.r.o., AVG Resident Shield Minifilter Driver)
0xB4D1C000 C:\WINDOWS\System32\Drivers\Pcouffin.sys 49152 bytes (VSO Software, Patin-Couffin low level access layer for CD devices)
0xBA198000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xBA268000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA158000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA188000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA288000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB4D0C000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
!!!!!!!!!!!Hidden driver: 0xB4CDC000 3125604648 36864 bytes
0x9BF8F000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA1121000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xB4D2C000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xBA2A8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA1181000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xA570E000 C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys 32768 bytes (Logitech, Inc., Logitech HID Filter Driver.)
0xBA3D0000 C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys 32768 bytes (Logitech, Inc., Logitech Mouse Filter Driver.)
0xA710A000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xA5C7E000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA408000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA340000 avgrkx86.sys 28672 bytes (AVG Technologies CZ, s.r.o., AVG Anti-Rootkit Driver)
0xBA418000 C:\WINDOWS\System32\Drivers\ElbyCDFL.sys 28672 bytes (SlySoft, Inc., ElbyCDIO Filter Driver)
0xA5C86000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA390000 C:\DOCUME~1\BROOKS~1\LOCALS~1\Temp\mbr.sys 28672 bytes
0xBA420000 C:\WINDOWS\System32\DRIVERS\Pcatip.sys 28672 bytes (VSO Software, Patin-Couffin Autoplay™ support driver)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA428000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA448000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA338000 VClone.sys 24576 bytes (Elaborate Bytes AG, VirtualCloneCD Driver)
0xA7112000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xA70FA000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xBA410000 C:\WINDOWS\System32\Drivers\AnyDVD.sys 20480 bytes (SlySoft, Inc., AnyDVD Filter Driver)
0xA07DE000 C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys 20480 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Filter Driver.)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys 20480 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Loader Driver.)
0xA74AA000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA438000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA440000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA430000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA400000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xA5C96000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4C4000 AVGIDSEH.Sys 16384 bytes (AVG Technologies CZ, s.r.o. , IDS Application Activity Monitor Helper Driver.)
0xBA4C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xB5D33000 C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys 16384 bytes (Logitech, Inc., Logitech PS2 Keyboard Filter Driver.)
0xB5D13000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0x9D750000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA4BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xA66FB000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xA5A3C000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA16B0000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB5D2F000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA2751000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB9D3F000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xA4B47000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5B2000 C:\WINDOWS\System32\Drivers\ElbyCDIO.sys 8192 bytes (Elaborate Bytes AG, ElbyCD Windows NT/2000/XP I/O driver)
0xBA5D6000 C:\WINDOWS\System32\Drivers\ElbyDelay.sys 8192 bytes (Elaborate Bytes AG, Elby Delay Lower Filter Driver)
0xA4B49000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xA4B45000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xA4B43000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5AE000 speedfan.sys 8192 bytes
0xBA5D8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5EA000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA646000 G:\program files\PhenomMsrTweaker\WinRing0.sys 8192 bytes (OpenLibSys.org, WinRing0)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA6E8000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA78B000 C:\WINDOWS\System32\Drivers\BANTExt.sys 4096 bytes
0xBA751000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA671000 giveio.sys 4096 bytes
0xA5D87000 C:\WINDOWS\System32\Drivers\LBeepKE.sys 4096 bytes (Logitech, Inc., Logitech Consumer Control Filter Driver.)
0xA4710000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xBA784000 C:\WINDOWS\System32\Drivers\PQNTDrv.SYS 4096 bytes (PowerQuest Corporation, PowerQuest Boot Mode Driver.)
!!!!!!!!!!!Hidden driver: 0xA7B459D0 00001338 1584 bytes
0xA7B459D0 unknown_irp_handler 1584 bytes
==============================================
>Stealth
==============================================
0xA7B45693 Unknown page with executable code, 2413 bytes
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\avgtdix.sys]
0xB4CE0E80 Unknown thread object [ ETHREAD 0x891E7160 ] TID: 444, 600 bytes
0xB4CE0E80 Unknown thread object [ ETHREAD 0x894E38E0 ] TID: 448, 600 bytes
0xA7B47105 Unknown thread object [ ETHREAD 0x8919C120 ] TID: 452, 600 bytes
0xA7B47105 Unknown thread object [ ETHREAD 0x88E26978 ] TID: 456, 600 bytes

Also - here is the defogger log - I ran it before my first DDS scan, but not sure it worked right as it says some files couldn't be read.

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 18:02 on 25/08/2011 (User Name)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read sptd.sys
Unable to read vaxscsi.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-

Since my initial post, I tried to re-install AVG Free. The 5 MB internet-install file errored out with a Windows Installer error, but I was able to download the 180 MB file from MajorGeeks and it installed and updated. However, it ran a full scan in 5 seconds and came back clean, and after several reboots it shows no components in the user interface, so it is still broken.

Also, Google searches don't go to the correct page, but I can copy the address bar and paste-and-go to get to the search results.

Thanks again for helping me!!!
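
The RKU driver list and the Event Viewer excerpt above are where a responder's eye goes first: the two "Hidden driver" entries, the unknown_irp_handler sitting at the same address as the second one, a driver loaded from the user's Temp folder, a driver RKU could not attach a vendor string to, and a burst of unrelated services (the AVG services among them) all refused with "Access is denied" in the same second. The script below is added here as an example; it is not part of this thread and is not code from RkUnhooker, DDS or ComboFix. It parses both log formats and pulls those items out. The sample lines are constructed from the excerpts above, plus one made-up event line (an "Example" service with a different error) to show the non-matching case.

```python
# Added example, not code from the thread or from RkUnhooker/DDS/ComboFix:
# triage the two log formats posted above. Sample lines are constructed from
# the excerpts in this post; the "Example" service line is invented.
import re
from collections import defaultdict

# RKU prints one module per line: address, path (may contain spaces), size and
# an optional "(vendor, description)". Hidden modules carry a run of '!'.
RKU_LINE = re.compile(
    r"^(?P<addr>0x[0-9A-Fa-f]+) (?P<path>.+?) (?P<size>\d+) bytes"
    r"(?: \((?P<vendor>.*)\))?\s*$")
RKU_HIDDEN = re.compile(
    r"^!+Hidden driver: (?P<addr>0x[0-9A-Fa-f]+) (?P<tag>\S+) (?P<size>\d+) bytes")
# Service Control Manager event 7000 as DDS prints it.
SCM_7000 = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M), error: Service Control Manager \[7000\] - The "
    r"(?P<svc>.+?) service failed to start due to the following error: "
    r"(?P<err>.+?)\.?$")
# Path fragments meaning "loaded from a location a normal user can write to".
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\docume~1\\", "\\documents and settings\\")

RKU_SAMPLE = r"""
0xA0739000 C:\WINDOWS\system32\DRIVERS\avgtdix.sys 290816 bytes
0xA0A4D000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
!!!!!!!!!!!Hidden driver: 0xB4CDC000 3125604648 36864 bytes
0xBA390000 C:\DOCUME~1\USER~1\LOCALS~1\Temp\mbr.sys 28672 bytes
0xBA646000 G:\program files\PhenomMsrTweaker\WinRing0.sys 8192 bytes (OpenLibSys.org, WinRing0)
!!!!!!!!!!!Hidden driver: 0xA7B459D0 00001338 1584 bytes
0xA7B459D0 unknown_irp_handler 1584 bytes
"""

EVENT_SAMPLE = """\
9/2/2011 1:35:38 PM, error: Service Control Manager [7001] - The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
8/28/2011 8:49:20 PM, error: Service Control Manager [7000] - The PhenomMsrTweaker service service failed to start due to the following error: Access is denied.
8/28/2011 8:49:20 PM, error: Service Control Manager [7000] - The AVGIDSAgent service failed to start due to the following error: Access is denied.
8/28/2011 8:49:20 PM, error: Service Control Manager [7000] - The AVG WatchDog service failed to start due to the following error: Access is denied.
8/28/2011 8:49:20 PM, error: Service Control Manager [7000] - The APC UPS Service service failed to start due to the following error: Access is denied.
8/27/2011 9:00:00 AM, error: Service Control Manager [7000] - The Example service failed to start due to the following error: The system cannot find the file specified.
"""


def parse_rku_drivers(text):
    """Return (modules, hidden) parsed from the '>Drivers' section of an RKU report."""
    modules, hidden = [], []
    for line in text.splitlines():
        m = RKU_HIDDEN.match(line)
        if m:
            hidden.append({"addr": m["addr"], "tag": m["tag"], "size": int(m["size"])})
            continue
        m = RKU_LINE.match(line)
        if m:
            modules.append({"addr": m["addr"], "path": m["path"],
                            "size": int(m["size"]), "vendor": m["vendor"]})
    return modules, hidden


def triage_rku(text):
    """Flag what a responder looks at first: hidden drivers (correlated with any
    module RKU lists at the same address), unknown IRP handlers, drivers loaded
    from user-writable paths, and .sys files with no vendor/version string."""
    modules, hidden = parse_rku_drivers(text)
    listed = {mod["addr"]: mod for mod in modules}
    findings = []
    for h in hidden:
        twin = listed.get(h["addr"])
        what = twin["path"] if twin else "no module listed at this address"
        findings.append(("hidden_driver", h["addr"], what))
    for mod in modules:
        p = mod["path"].lower()
        if mod["path"] == "unknown_irp_handler":
            findings.append(("unknown_irp_handler", mod["addr"], mod["path"]))
        elif any(frag in p for frag in USER_WRITABLE):
            findings.append(("user_writable_path", mod["addr"], mod["path"]))
        elif p.endswith(".sys") and not mod["vendor"]:
            findings.append(("no_version_info", mod["addr"], mod["path"]))
    return findings


def access_denied_bursts(text, min_services=3):
    """Group SCM 7000 'Access is denied' start failures by timestamp.

    Several unrelated services all denied in the same second points at
    something tampering with service permissions, not at one broken service."""
    by_ts = defaultdict(list)
    for line in text.splitlines():
        m = SCM_7000.match(line)
        if m and m["err"].lower().startswith("access is denied"):
            by_ts[m["ts"]].append(m["svc"])
    return {ts: svcs for ts, svcs in by_ts.items() if len(svcs) >= min_services}


if __name__ == "__main__":
    for kind, addr, what in triage_rku(RKU_SAMPLE):
        print(f"{kind:22} {addr} {what}")
    for ts, svcs in access_denied_bursts(EVENT_SAMPLE).items():
        print(f"{ts}: {len(svcs)} services denied start: {', '.join(svcs)}")
```

None of these flags is proof of infection on its own (speedfan.sys and giveio.sys in the full list also lack a vendor string, and WinRing0.sys is a known tweaking driver); the point is to reduce a 150-line driver list to the handful of entries worth pulling for a second look.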

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 03 September 2011 - 12:47 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

In your next post I need the following:

  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Tiger-Heli

  • Topic Starter
  • Members
  • 171 posts

Posted 04 September 2011 - 11:06 AM

Combofix log:

ComboFix 11-09-03.01 - user name 09/03/2011 23:51:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1280 [GMT -4:00]
Running from: g:\data\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\xml1.tmp
c:\documents and settings\All Users\Application Data\xml10.tmp
c:\documents and settings\All Users\Application Data\xml11.tmp
c:\documents and settings\All Users\Application Data\xml12.tmp
c:\documents and settings\All Users\Application Data\xml13.tmp
c:\documents and settings\All Users\Application Data\xml14.tmp
c:\documents and settings\All Users\Application Data\xml15.tmp
c:\documents and settings\All Users\Application Data\xml16.tmp
c:\documents and settings\All Users\Application Data\xml17.tmp
c:\documents and settings\All Users\Application Data\xml18.tmp
c:\documents and settings\All Users\Application Data\xml2.tmp
c:\documents and settings\All Users\Application Data\xml3.tmp
c:\documents and settings\All Users\Application Data\xml4.tmp
c:\documents and settings\All Users\Application Data\xml5.tmp
c:\documents and settings\All Users\Application Data\xml6.tmp
c:\documents and settings\All Users\Application Data\xml7.tmp
c:\documents and settings\All Users\Application Data\xml8.tmp
c:\documents and settings\All Users\Application Data\xml9.tmp
c:\documents and settings\All Users\Application Data\xmlA.tmp
c:\documents and settings\All Users\Application Data\xmlB.tmp
c:\documents and settings\All Users\Application Data\xmlC.tmp
c:\documents and settings\All Users\Application Data\xmlD.tmp
c:\documents and settings\All Users\Application Data\xmlE.tmp
c:\documents and settings\All Users\Application Data\xmlF.tmp
c:\documents and settings\user name\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\user name\Local Settings\Application Data\ApplicationHistory\Copy-Discovery 2000.exe.b2ff8a8a.ini
c:\documents and settings\user name\Local Settings\Application Data\ApplicationHistory\ID3-TagIT.exe.7529a631.ini
c:\documents and settings\user name\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\user name\Local Settings\Application Data\ApplicationHistory\Project1.exe.fb24368d.ini
c:\documents and settings\user name\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.11f1da13.ini
c:\documents and settings\user name\WINDOWS
c:\windows\$NtUninstallKB37987$\1367227106\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB37987$\1367227106\click.tlb
c:\windows\$NtUninstallKB37987$\1367227106\L\gpvnmaks
c:\windows\$NtUninstallKB37987$\1367227106\loader.tlb
c:\windows\$NtUninstallKB37987$\1367227106\U\@00000001
c:\windows\$NtUninstallKB37987$\1367227106\U\@000000c0
c:\windows\$NtUninstallKB37987$\1367227106\U\@000000cb
c:\windows\$NtUninstallKB37987$\1367227106\U\@000000cf
c:\windows\$NtUninstallKB37987$\1367227106\U\@80000000
c:\windows\$NtUninstallKB37987$\1367227106\U\@800000c0
c:\windows\$NtUninstallKB37987$\1367227106\U\@800000cb
c:\windows\$NtUninstallKB37987$\1367227106\U\@800000cf
c:\windows\$NtUninstallKB37987$\2540889112
c:\windows\3795484241
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\iun6002.exe
c:\windows\system32\drivers\avgtdix.sys
c:\windows\system32\mfc100deu.dll
c:\windows\system32\spool\prtprocs\w32x86\Ppbiproc.dll
g:\data\My Documents\1960.doc
c:\windows\$NtUninstallKB37987$ . . . . Failed to delete
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_517e3ae2
-------\Legacy_Avgtdix
-------\Service_Avgtdix
.
.
((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))
.
.
2011-08-24 22:51 . 2011-09-04 03:57 43408 --sha-w- c:\windows\system32\c_69692.nl_
2011-08-24 02:34 . 2011-08-24 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2011-08-24 02:32 . 2011-08-24 02:32 -------- d-----w- g:\program files\Siber Systems
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-26 16:50 . 2008-04-14 04:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-25 22:07 . 2008-04-14 04:47 455296 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-25 01:18 . 2010-09-07 07:48 248656 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-08-25 00:31 . 2008-04-14 04:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-25 00:25 . 2009-09-05 20:18 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-25 00:21 . 2008-04-14 04:49 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-25 00:09 . 2008-04-14 04:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2003-03-19 01:20 . 2010-06-25 01:14 1060864 ----a-w- g:\program files\mozilla firefox\plugins\mfc71.dll
2003-02-21 08:42 . 2010-06-25 01:14 348160 ----a-w- g:\program files\mozilla firefox\plugins\msvcr71.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-08-06 . 62BB79160F86CD962F312C68C6239BFD . 53472 . . [7.4.7600.226] . . c:\windows\system32\dllcache\wuauclt.exe
.
[-] 2009-09-03 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
c:\windows\System32\wuauclt.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WallpaperChanger"="g:\program files\Wallpaper Master\Wallpaper.exe" [2005-08-30 321536]
"PPWebCap"="g:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2001-08-10 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"AutoShutdown Pro"="g:\program files\AutoShutdown\AutoShutdown.exe" [2003-10-06 631808]
"TrayFactory"="g:\program files\PS Tray Factory\PSTrayFactory.exe" [2010-05-25 1304576]
"AVG_TRAY"="g:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PSTF"="g:\program files\PS Tray Factory\PSTrayFactory.exe" [2010-05-25 1304576]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Shortcut to startup.brs.lnk - g:\program files\Batchrun\startup.brs [2010-12-4 907]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoNetworkConnections"= 01000000
"NoStrCmpLogical"= 01000000
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- g:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0\0\0g:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0g:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"g:\\program files\\Electronic Arts\\Burnout™ Paradise The Ultimate Box\\BurnoutLauncher.exe"=
"g:\\program files\\Electronic Arts\\Burnout™ Paradise The Ultimate Box\\BurnoutConfigTool.exe"=
"g:\\program files\\Electronic Arts\\Burnout™ Paradise The Ultimate Box\\BurnoutParadise.exe"=
"g:\\program files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"g:\\program files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"g:\\program files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"g:\\program files\\Opera\\opera.exe"=
"g:\\program files\\JDownloader_PortableApps\\CommonFiles\\Java\\bin\\javaw.exe"=
"g:\\program files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"g:\\program files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"=
"g:\\program files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"g:\\program files\\Java\\jre6\\bin\\javaw.exe"=
"g:\\program files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"g:\\program files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"g:\\program files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=
"g:\\program files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"g:\\program files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe"=
"g:\\program files\\operator\\Opera\\opera.exe"=
"g:\\program files\\Firefox\\App\\Firefox\\firefox.exe"=
"g:\\program files\\Mozilla Sunbird\\sunbird.exe"=
"g:\\program files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP4\\RpcAgentSrv.exe"=
"g:\\program files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP4\\WNt500x86\\RpcSandraSrv.exe"=
"g:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"g:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"g:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
"g:\\program files\\windows media player\\wmplayer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/2/2009 9:39 PM 189968]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 248656]
R2 AutoShutdown;AutoShutdown Service;g:\progra~1\AUTOSH~1\AS_Service.exe [9/6/2009 9:51 PM 150016]
R2 avgwd;AVG WatchDog;g:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [11/25/2009 7:10 AM 10384]
R2 PhenomMsrTweaker;PhenomMsrTweaker service;g:\program files\PhenomMsrTweaker\PhenomMsrTweakerService.exe [3/19/2009 3:15 AM 21504]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 27216]
R3 WinRing0_1_2_0;WinRing0_1_2_0;g:\program files\PhenomMsrTweaker\WinRing0.sys [7/26/2008 10:30 PM 14416]
S2 AVGIDSAgent;AVGIDSAgent;g:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\BROOKS~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\BROOKS~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/5/2009 8:49 PM 1684736]
S3 AODDriver;AODDriver;c:\program files\Gigabyte\ET6\i386\AODDriver.sys [2/23/2009 12:16 AM 7168]
S3 CTUPnPSv;Creative Centrale Media Server;g:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 7:42 AM 64000]
S3 etdrv;etdrv;c:\windows\etdrv.sys [9/5/2009 11:13 PM 17488]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;g:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP4\RpcAgentSrv.exe [9/14/2009 8:51 PM 99176]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [9/20/2009 6:21 PM 223128]
S4 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [9/5/2009 8:43 PM 68136]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/16/2009 7:14 PM 685816]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - g:\program files\Common Files\microsoft shared\Information Retrieval\itss51.dll
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-08464316.sys
SafeBoot-22126168.sys
SafeBoot-42641701.sys
SafeBoot-42759898.sys
SafeBoot-45439035.sys
SafeBoot-54785830.sys
SafeBoot-55217796.sys
SafeBoot-56545048.sys
SafeBoot-58379217.sys
SafeBoot-76349632.sys
SafeBoot-94212430.sys
SafeBoot-94468454.sys
SafeBoot-97940298.sys
AddRemove-Battlecraft Vietnam1.2 - c:\windows\iun6002.exe
AddRemove-DesertCombat - c:\windows\iun6002.exe
AddRemove-MDT - c:\windows\iun6002.exe
AddRemove-TuneXP_1.5 - c:\windows\iun6002.exe
AddRemove-The Legendary Generations Mod - g:\program files\Bethesda Softworks\Star Trek Legacy LG\Uninstal.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-03 23:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\3795484241:2927740189.exe 816 bytes executable
c:\windows\$NtUninstallKB37987$:SummaryInformation 0 bytes hidden from API
.
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-823518204-746137067-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
g:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\3795484241:2927740189.exe
g:\program files\Creative\Shared Files\CTDevSrv.exe
c:\windows\system32\locator.exe
g:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wscntfy.exe
g:\program files\AVG\AVG10\avgemcx.exe
g:\program files\AVG\AVG10\avgchsvx.exe
g:\program files\Logitech\SetPoint\SetPoint.exe
g:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
g:\program files\PhenomMsrTweaker\PhenomMsrTweaker.exe
c:\multires\MultiRes.exe
g:\program files\WKeyKill\WKeyKill.exe
g:\program files\taskbar_shuffle\taskbarshuffle.exe
g:\program files\Mozilla Sunbird\sunbird.exe
g:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
g:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2011-09-04 00:00:52 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-04 04:00
.
Pre-Run: 20,918,095,872 bytes free
Post-Run: 20,863,787,008 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 80C53F979A3354C2E5D21CB105204716

ComboFix ran fine. Microsoft Recovery Console seemed to work. I don't get Google re-directs anymore.

I do have some remaining errors - AVG shows all components (showed all components - does not anymore, but says Resident Shield is disabled, but if I click to turn it on, the checkbox to enable it is already clicked). I haven't tried a re-install - probably will next. MBAM won't start and says I don't have permission to access it. My APC power supply tray app shows a yellow exclamation point, and SpeedFan, which used to run in the systray to monitor system temps, is not loading (and gives an error - Permission denied on manual load).

But we're making progress!!!

Thanks again!!!

Edited by Tiger-Heli, 04 September 2011 - 11:08 AM.


#6 Tiger-Heli (Topic Starter)

Posted 04 September 2011 - 11:25 AM

Did a repair install of AVG and database update. AVG seems to be working okay. It did find a "Trojan Horse: Backdoor Generic14.SCQ" in g:\program files\Sophos\Sophos Anti-Rootkit/helper.exe and I had it move that to the virus vault.

Just FYI, I guess ...

#7 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 04 September 2011 - 01:38 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\c_69692.nl_
c:\windows\3795484241:2927740189.exe
c:\windows\3795484241
c:\windows\$NtUninstallKB37987$

Folder::
c:\windows\$NtUninstallKB37987$


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt onto ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

Edited by gringo_pr, 04 September 2011 - 01:39 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 Tiger-Heli (Topic Starter)

Posted 04 September 2011 - 02:52 PM

Combofix log:

ComboFix 11-09-03.01 - user name 09/04/2011 15:30:53.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1244 [GMT -4:00]
Running from: g:\data\Desktop\ComboFix.exe
Command switches used :: g:\data\Desktop\cfscript.txt
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
FILE ::
"c:\windows\$NtUninstallKB37987$"
"c:\windows\3795484241"
"c:\windows\3795484241:2927740189.exe"
"c:\windows\system32\c_69692.nl_"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB37987$\1042155221
c:\windows\system32\c_69692.nl_
c:\windows\$NtUninstallKB37987$ . . . . Failed to delete
.
c:\windows\system32\drivers\cdrom.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))
.
.
2011-08-24 02:34 . 2011-08-24 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2011-08-24 02:32 . 2011-08-24 02:32 -------- d-----w- g:\program files\Siber Systems
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-26 16:50 . 2008-04-14 04:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-25 22:07 . 2008-04-14 04:47 455296 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-25 00:31 . 2008-04-14 04:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-25 00:25 . 2009-09-05 20:18 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-25 00:21 . 2008-04-14 04:49 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-25 00:09 . 2008-04-14 04:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2003-03-19 01:20 . 2010-06-25 01:14 1060864 ----a-w- g:\program files\mozilla firefox\plugins\mfc71.dll
2003-02-21 08:42 . 2010-06-25 01:14 348160 ----a-w- g:\program files\mozilla firefox\plugins\msvcr71.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-09-03 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-09-04_03.57.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-05 04:59 . 2011-04-05 04:59 297168 c:\windows\system32\drivers\avgtdix.sys
+ 2010-09-07 07:48 . 2011-01-07 10:41 248656 c:\windows\system32\drivers\avgldx86.sys
- 2010-09-07 07:48 . 2011-08-25 01:18 248656 c:\windows\system32\drivers\avgldx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WallpaperChanger"="g:\program files\Wallpaper Master\Wallpaper.exe" [2005-08-30 321536]
"PPWebCap"="g:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2001-08-10 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"AutoShutdown Pro"="g:\program files\AutoShutdown\AutoShutdown.exe" [2003-10-06 631808]
"TrayFactory"="g:\program files\PS Tray Factory\PSTrayFactory.exe" [2010-05-25 1304576]
"AVG_TRAY"="g:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PSTF"="g:\program files\PS Tray Factory\PSTrayFactory.exe" [2010-05-25 1304576]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Shortcut to startup.brs.lnk - g:\program files\Batchrun\startup.brs [2010-12-4 907]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoNetworkConnections"= 01000000
"NoStrCmpLogical"= 01000000
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- g:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0\0\0g:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0g:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"g:\\program files\\Electronic Arts\\Burnout™ Paradise The Ultimate Box\\BurnoutLauncher.exe"=
"g:\\program files\\Electronic Arts\\Burnout™ Paradise The Ultimate Box\\BurnoutConfigTool.exe"=
"g:\\program files\\Electronic Arts\\Burnout™ Paradise The Ultimate Box\\BurnoutParadise.exe"=
"g:\\program files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"g:\\program files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"g:\\program files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"g:\\program files\\Opera\\opera.exe"=
"g:\\program files\\JDownloader_PortableApps\\CommonFiles\\Java\\bin\\javaw.exe"=
"g:\\program files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"g:\\program files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"=
"g:\\program files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"g:\\program files\\Java\\jre6\\bin\\javaw.exe"=
"g:\\program files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"g:\\program files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"g:\\program files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=
"g:\\program files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"g:\\program files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe"=
"g:\\program files\\operator\\Opera\\opera.exe"=
"g:\\program files\\Firefox\\App\\Firefox\\firefox.exe"=
"g:\\program files\\Mozilla Sunbird\\sunbird.exe"=
"g:\\program files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP4\\RpcAgentSrv.exe"=
"g:\\program files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP4\\WNt500x86\\RpcSandraSrv.exe"=
"g:\\program files\\windows media player\\wmplayer.exe"=
"g:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"g:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"g:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/2/2009 9:39 PM 189968]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 12:59 AM 297168]
R2 AVGIDSAgent;AVGIDSAgent;g:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]
R2 avgwd;AVG WatchDog;g:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [11/25/2009 7:10 AM 10384]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 27216]
R3 WinRing0_1_2_0;WinRing0_1_2_0;g:\program files\PhenomMsrTweaker\WinRing0.sys [7/26/2008 10:30 PM 14416]
S2 AutoShutdown;AutoShutdown Service;g:\progra~1\AUTOSH~1\AS_Service.exe --> g:\progra~1\AUTOSH~1\AS_Service.exe [?]
S2 PhenomMsrTweaker;PhenomMsrTweaker service;"g:\program files\PhenomMsrTweaker\PhenomMsrTweakerService.exe" --> g:\program files\PhenomMsrTweaker\PhenomMsrTweakerService.exe [?]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\BROOKS~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\BROOKS~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/5/2009 8:49 PM 1684736]
S3 AODDriver;AODDriver;c:\program files\Gigabyte\ET6\i386\AODDriver.sys [2/23/2009 12:16 AM 7168]
S3 CTUPnPSv;Creative Centrale Media Server;g:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 7:42 AM 64000]
S3 etdrv;etdrv;c:\windows\etdrv.sys [9/5/2009 11:13 PM 17488]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;g:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP4\RpcAgentSrv.exe [9/14/2009 8:51 PM 99176]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [9/20/2009 6:21 PM 223128]
S4 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [9/5/2009 8:43 PM 68136]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/16/2009 7:14 PM 685816]
.
.
------- Supplementary Scan -------
.
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - g:\program files\Common Files\microsoft shared\Information Retrieval\itss51.dll
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Sophos-AntiRootkit - g:\program files\Sophos\Sophos Anti-Rootkit\helper.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-04 15:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-823518204-746137067-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
g:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
g:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(2992)
c:\windows\system32\WININET.dll
g:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
g:\program files\PS Tray Factory\HKDll.dll
g:\program files\WKeyKill\WKeyKill.dll
g:\program files\AutoShutdown\asidle.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
g:\program files\taskbar_shuffle\tbhookin.dll
.
------------------------ Other Running Processes ------------------------
.
g:\progra~1\AVG\AVG10\avgchsvx.exe
g:\progra~1\AVG\AVG10\avgrsx.exe
c:\windows\system32\locator.exe
g:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
g:\program files\AVG\AVG10\avgnsx.exe
g:\program files\AVG\AVG10\avgemcx.exe
g:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
g:\program files\Logitech\SetPoint\SetPoint.exe
g:\program files\PhenomMsrTweaker\PhenomMsrTweaker.exe
c:\multires\MultiRes.exe
g:\program files\WKeyKill\WKeyKill.exe
g:\program files\taskbar_shuffle\taskbarshuffle.exe
g:\program files\Mozilla Sunbird\sunbird.exe
g:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
g:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-09-04 15:39:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-04 19:39
ComboFix2.txt 2011-09-04 04:00
.
Pre-Run: 20,794,994,688 bytes free
Post-Run: 20,802,813,952 bytes free
.
- - End Of File - - 82139FED18A339D7AA43578E22F867B7

Before I checked back, AVG found a lot of errors and I had it send what it could to the vault. I know you don't like attachments, but I'm attaching the AVG history.csv file. Odd to me, the AutoShutdown service and APC systray were infected, but still seem to work.

The script worked okay. ComboFix said I was still infected with ZeroAccess. ComboFix had to do an intensive search for some file, but it didn't error out.

Other than AVG seeming to work again, I don't see a huge improvement from before the script was run, but hopefully you can tell more from the log files!!!

Thanks again!

#9 Tiger-Heli (Topic Starter)

Posted 04 September 2011 - 02:57 PM

AVG log attachment below:


#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 04 September 2011 - 04:12 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
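The two posts above (the CFScript that targets the stream-hosted executable and the $NtUninstall folder, and the TDSSKiller run) both work from indicators that are sitting in the pasted logs. The script below pulls those indicators out of ComboFix, catchme and TDSSKiller output automatically and points out which file more than one tool agreed on. It is an added example, not part of this thread and not code from ComboFix, catchme, TDSSKiller or AVG; the regular expressions are written against the line formats visible in this thread (catchme's "bytes executable" and "hidden from API" lines, ComboFix's "is infected!!" and "Failed to delete" lines, the R/S service list, the Find3M timestamp lines and TDSSKiller's "- detected" lines), the sample input is a constructed excerpt of lines copied from the logs posted here, and the rule names, the Finding class and the corroborated() helper are my own.

```python
"""Flag ZeroAccess-style indicators in pasted ComboFix / catchme / TDSSKiller output."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str   # rule name
    path: str   # normalised object the rule fired on (lower-case, no \??\ prefix)
    note: str   # what a responder should do with it


# Constructed sample: lines copied from the ComboFix, catchme and TDSSKiller
# output posted in this thread, trimmed to the ones the rules care about.
SAMPLE_LOG = r"""
c:\windows\3795484241:2927740189.exe 816 bytes executable
c:\windows\$NtUninstallKB37987$:SummaryInformation 0 bytes hidden from API
c:\windows\$NtUninstallKB37987$ . . . . Failed to delete
c:\windows\system32\drivers\cdrom.sys . . . is infected!! . . . Failed to find a valid replacement.
2011-08-25 00:21 . 2008-04-14 04:49 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/2/2009 9:39 PM 189968]
2011/09/04 21:07:14.0015 2864 Cdrom (ce12b7a74531bde26b7533ac43bd16fa) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/04 21:07:14.0031 2864 Cdrom - detected Rootkit.Win32.ZAccess.c (0)
2011/09/04 21:07:13.0500 2864 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
"""

# catchme: a second ':' after the drive letter means the .exe lives in an NTFS
# alternate data stream, which Explorer and `dir` do not list.
ADS_EXE = re.compile(r"^([a-z]:\\\S*?:\S+\.exe)\s", re.I)
HIDDEN = re.compile(r"^(\S+)\s+\d+ bytes hidden from API", re.I)
# ComboFix "Other Deletions": an $NtUninstall*$ folder that survived deletion.
NTUNINSTALL_FAIL = re.compile(r"^(\S*\$NtUninstall[^$]*\$)\s.*Failed to delete", re.I)
INFECTED = re.compile(r"^(\S+)\s.*is infected!!", re.I)
# Find3M: "<last write> . <created> <size> <attrs> <path>"
FIND3M = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+\d+\s+\S+\s+(.+)$")
# Service list: "R0 name;display;image [date size]" or "... image --> image [?]"
SERVICE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)(?:\s-->\s|\s\[)", re.I)
# TDSSKiller: "<date> <time> <pid> <svc> (<md5>) <path>" then "<svc> - detected <verdict>"
TDSS_DRIVER = re.compile(r"^\S+ \S+ \d+ (\S+) \([0-9a-f]{32}\) (.+)$", re.I)
TDSS_DETECT = re.compile(r"^\S+ \S+ \d+ (\S+) - detected (\S+)", re.I)


def norm(path: str) -> str:
    """Lower-case and strip the NT object-manager prefix so the same file
    reported by different tools compares equal."""
    path = path.strip().lower()
    return path[4:] if path.startswith("\\??\\") else path


def scan_log(text: str) -> list[Finding]:
    findings: list[Finding] = []
    tdss_paths: dict[str, str] = {}  # TDSSKiller service name -> driver path
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if m := ADS_EXE.match(line):
            findings.append(Finding("ads_executable", norm(m[1]),
                "executable hidden in an NTFS alternate data stream; dump it with a stream-aware tool"))
        elif m := HIDDEN.match(line):
            findings.append(Finding("hidden_from_api", norm(m[1]),
                "seen on disk but not through the Win32 API: something is filtering directory listings"))
        elif m := NTUNINSTALL_FAIL.match(line):
            findings.append(Finding("locked_uninstall_dir", norm(m[1]),
                "undeletable $NtUninstall*$ folder; check its ACL and streams from offline media"))
        elif m := INFECTED.match(line):
            findings.append(Finding("patched_driver", norm(m[1]),
                "system driver reported infected and not replaced; restore a signed copy offline"))
        elif m := FIND3M.match(line):
            written, created, path = m[1], m[2], norm(m[3])
            if "\\drivers\\" in path and written[:4] > created[:4]:
                findings.append(Finding("recent_driver_write", path,
                    f"driver rewritten {written[:10]} but created {created[:10]}; compare with update history"))
        elif m := SERVICE.match(line):
            name, path = m[1], norm(m[2])
            if path.endswith(".tmp") or "\\temp\\" in path:
                findings.append(Finding("service_from_temp", path,
                    f"service {name} loads from a temp location; a scanner's own driver also looks like this"))
        elif m := TDSS_DRIVER.match(line):
            tdss_paths[m[1].lower()] = norm(m[2])
        elif m := TDSS_DETECT.match(line):
            findings.append(Finding("tdsskiller_detection",
                tdss_paths.get(m[1].lower(), m[1].lower()), f"TDSSKiller verdict {m[2]}"))
    return findings


def corroborated(findings: list[Finding]) -> list[str]:
    """Paths that more than one rule (in practice, more than one tool) flagged."""
    kinds_by_path: dict[str, set[str]] = {}
    for f in findings:
        kinds_by_path.setdefault(f.path, set()).add(f.kind)
    return sorted(p for p, kinds in kinds_by_path.items() if len(kinds) > 1)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.path}\n    {f.note}")
    print("corroborated by more than one rule:", corroborated(found))
```

On the thread's own lines, corroborated() returns only cdrom.sys, which ComboFix reported as infected and TDSSKiller named Rootkit.Win32.ZAccess.c; that is the file to deal with first. The single-rule hits are leads, not verdicts: a service whose image is a .tmp in system32 (MEMSWEEP2 here) is also what Sophos Anti-Rootkit's helper driver looks like, and the same log shows that tool was installed; a kernel driver with an August 2011 write time and a 2008 creation time is also what a Windows Update leaves behind, so check it against the update history and a known-good copy before treating it as patched.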

#11 Tiger-Heli (Topic Starter)

Posted 04 September 2011 - 08:23 PM

I had run TDSSKiller before posting to the forum, and it always found an infection, and on reboot it would be in a different file. This time it said cdrom.sys was infected with ZeroAccess, but on reboot I rescanned and it said the system was clean - I might have gotten that once or twice before, though. I still can't start or access MBAM and other programs.

Thanks again!!!

Logs to follow!!!

#12 Tiger-Heli (Topic Starter)

Posted 04 September 2011 - 08:24 PM

Here's the initial log with the cdrom.sys error:

2011/09/04 21:06:40.0406 2528 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/09/04 21:06:40.0406 2528 ================================================================================
2011/09/04 21:06:40.0406 2528 SystemInfo:
2011/09/04 21:06:40.0406 2528
2011/09/04 21:06:40.0406 2528 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/04 21:06:40.0406 2528 Product type: Workstation
2011/09/04 21:06:40.0406 2528 ComputerName: deleted
2011/09/04 21:06:40.0421 2528 UserName: deleted
2011/09/04 21:06:40.0421 2528 Windows directory: C:\WINDOWS
2011/09/04 21:06:40.0421 2528 System windows directory: C:\WINDOWS
2011/09/04 21:06:40.0421 2528 Processor architecture: Intel x86
2011/09/04 21:06:40.0421 2528 Number of processors: 2
2011/09/04 21:06:40.0421 2528 Page size: 0x1000
2011/09/04 21:06:40.0421 2528 Boot type: Normal boot
2011/09/04 21:06:40.0421 2528 ================================================================================
2011/09/04 21:06:41.0546 2528 Initialize success
2011/09/04 21:07:12.0156 2864 ================================================================================
2011/09/04 21:07:12.0156 2864 Scan started
2011/09/04 21:07:12.0156 2864 Mode: Manual;
2011/09/04 21:07:12.0156 2864 ================================================================================
2011/09/04 21:07:12.0984 2864 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/04 21:07:13.0015 2864 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/04 21:07:13.0046 2864 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/04 21:07:13.0062 2864 AegisP (15e655baa989444f56787ef558823643) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/09/04 21:07:13.0093 2864 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/09/04 21:07:13.0125 2864 ahcix86 (3936a49ecb74cf23bbb6979cd683dd56) C:\WINDOWS\system32\DRIVERS\ahcix86.sys
2011/09/04 21:07:13.0281 2864 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/09/04 21:07:13.0328 2864 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2011/09/04 21:07:13.0359 2864 AnyDVD (d1fc4ac47a26d5b666654258126540d9) C:\WINDOWS\system32\Drivers\AnyDVD.sys
2011/09/04 21:07:13.0390 2864 AODDriver (21ca6a013a75fcf6f930d4b08803973a) C:\Program Files\GIGABYTE\ET6\i386\AODDriver.sys
2011/09/04 21:07:13.0453 2864 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/04 21:07:13.0500 2864 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/04 21:07:13.0609 2864 ati2mtag (caadf7aa3abc6afcb3d02b129de9863a) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/09/04 21:07:13.0687 2864 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/04 21:07:13.0718 2864 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/04 21:07:13.0750 2864 AVGIDSDriver (c403e7f715bb0a851a9dfae16ec4ae42) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2011/09/04 21:07:13.0765 2864 AVGIDSEH (1af676db3f3d4cc709cfab2571cf5fc3) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2011/09/04 21:07:13.0796 2864 AVGIDSFilter (4c51e233c87f9ec7598551de554bc99d) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2011/09/04 21:07:13.0796 2864 AVGIDSShim (c3fc426e54f55c1cc3219e415b88e10c) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2011/09/04 21:07:13.0828 2864 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2011/09/04 21:07:13.0843 2864 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2011/09/04 21:07:13.0875 2864 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2011/09/04 21:07:13.0890 2864 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2011/09/04 21:07:13.0921 2864 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2011/09/04 21:07:13.0953 2864 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/04 21:07:13.0968 2864 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/04 21:07:14.0000 2864 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/04 21:07:14.0015 2864 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/04 21:07:14.0015 2864 Cdrom (ce12b7a74531bde26b7533ac43bd16fa) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/04 21:07:14.0031 2864 Cdrom - detected Rootkit.Win32.ZAccess.c (0)
2011/09/04 21:07:14.0062 2864 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/09/04 21:07:14.0109 2864 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/04 21:07:14.0156 2864 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/04 21:07:14.0171 2864 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/04 21:07:14.0187 2864 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/04 21:07:14.0218 2864 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/04 21:07:14.0250 2864 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/04 21:07:14.0265 2864 ElbyCDFL (c61c83501268b0110b5c5db7e63dee0c) C:\WINDOWS\system32\Drivers\ElbyCDFL.sys
2011/09/04 21:07:14.0296 2864 ElbyCDIO (fa13264eea448b2e1b3a844ae4f75c7a) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
2011/09/04 21:07:14.0296 2864 ElbyDelay (df9957db3bfe5136aad3c2c101806c98) C:\WINDOWS\system32\Drivers\ElbyDelay.sys
2011/09/04 21:07:14.0328 2864 etdrv (3af0ae042afe486b22644cd3fbebf2e2) C:\WINDOWS\etdrv.sys
2011/09/04 21:07:14.0343 2864 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/04 21:07:14.0359 2864 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/09/04 21:07:14.0375 2864 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/04 21:07:14.0390 2864 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/04 21:07:14.0406 2864 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/09/04 21:07:14.0421 2864 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/04 21:07:14.0437 2864 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/04 21:07:14.0453 2864 gdrv (d556cb79967e92b5cc69686d16c1d846) C:\WINDOWS\gdrv.sys
2011/09/04 21:07:14.0453 2864 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
2011/09/04 21:07:14.0500 2864 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/04 21:07:14.0515 2864 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/04 21:07:14.0531 2864 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
2011/09/04 21:07:14.0562 2864 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/04 21:07:14.0593 2864 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/04 21:07:14.0656 2864 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/04 21:07:14.0671 2864 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/04 21:07:14.0796 2864 IntcAzAudAddService (e8656858d8b2da7c9cf59fb4e5ce32ed) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/09/04 21:07:14.0906 2864 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/09/04 21:07:14.0921 2864 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/04 21:07:14.0937 2864 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/04 21:07:14.0953 2864 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/04 21:07:14.0968 2864 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/04 21:07:15.0000 2864 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/04 21:07:15.0015 2864 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/04 21:07:15.0046 2864 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/04 21:07:15.0062 2864 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/04 21:07:15.0093 2864 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/04 21:07:15.0109 2864 L8042Kbd (0c6e346cde730cf1356dd69ad6e9bc42) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
2011/09/04 21:07:15.0109 2864 L8042mou (d6fc755ff505d99e6cc73e83492310df) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
2011/09/04 21:07:15.0140 2864 LBeepKE (9ffd1cf2a782f2560e78eec4b8b8689e) C:\WINDOWS\system32\Drivers\LBeepKE.sys
2011/09/04 21:07:15.0171 2864 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2011/09/04 21:07:15.0187 2864 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2011/09/04 21:07:15.0203 2864 LMouKE (c149bdad13194df16ea33f9f601ed7bf) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
2011/09/04 21:07:15.0234 2864 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/04 21:07:15.0250 2864 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/04 21:07:15.0296 2864 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/09/04 21:07:15.0328 2864 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/04 21:07:15.0343 2864 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/04 21:07:15.0343 2864 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/04 21:07:15.0375 2864 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/04 21:07:15.0406 2864 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/04 21:07:15.0421 2864 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/04 21:07:15.0437 2864 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/04 21:07:15.0453 2864 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/04 21:07:15.0468 2864 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/04 21:07:15.0484 2864 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/04 21:07:15.0500 2864 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/04 21:07:15.0515 2864 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/04 21:07:15.0546 2864 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/04 21:07:15.0562 2864 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/04 21:07:15.0562 2864 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/04 21:07:15.0578 2864 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/04 21:07:15.0593 2864 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/04 21:07:15.0609 2864 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/04 21:07:15.0640 2864 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/04 21:07:15.0656 2864 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/04 21:07:15.0687 2864 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/04 21:07:15.0703 2864 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/04 21:07:15.0703 2864 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/04 21:07:15.0734 2864 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/09/04 21:07:15.0734 2864 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/04 21:07:15.0765 2864 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/04 21:07:15.0781 2864 Pcatip (7f60a1b1754f6f056318453a2001dfe6) C:\WINDOWS\system32\DRIVERS\Pcatip.sys
2011/09/04 21:07:15.0796 2864 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/04 21:07:15.0812 2864 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/04 21:07:15.0828 2864 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/04 21:07:15.0843 2864 Pcouffin (cd2425fd848e5fa09c9a213da56817a9) C:\WINDOWS\system32\Drivers\Pcouffin.sys
2011/09/04 21:07:15.0937 2864 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/04 21:07:15.0953 2864 PQNTDrv (04f3971b70a7855f04d351aa4bee7799) C:\WINDOWS\system32\drivers\PQNTDrv.sys
2011/09/04 21:07:15.0968 2864 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/09/04 21:07:15.0968 2864 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/04 21:07:15.0984 2864 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/04 21:07:16.0046 2864 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/04 21:07:16.0062 2864 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/04 21:07:16.0078 2864 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/04 21:07:16.0078 2864 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/04 21:07:16.0093 2864 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/04 21:07:16.0109 2864 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/04 21:07:16.0125 2864 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/04 21:07:16.0140 2864 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/04 21:07:16.0171 2864 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/04 21:07:16.0203 2864 rt2870 (4f73e0a397a85392a4f7410f8b808311) C:\WINDOWS\system32\DRIVERS\rt2870.sys
2011/09/04 21:07:16.0281 2864 RTHDMIAzAudService (3cf6631543c743c29a369287ea67ffe6) C:\WINDOWS\system32\drivers\RtKHDMI.sys
2011/09/04 21:07:16.0406 2864 SANDRA (230fd3749904ca045ea5ec0aa14006e9) G:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP4\WNt500x86\Sandra.sys
2011/09/04 21:07:16.0437 2864 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/04 21:07:16.0453 2864 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/09/04 21:07:16.0484 2864 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/04 21:07:16.0531 2864 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
2011/09/04 21:07:16.0562 2864 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/04 21:07:16.0593 2864 sptd (d390675b8ce45e5fb359338e5e649329) C:\WINDOWS\System32\Drivers\sptd.sys
2011/09/04 21:07:16.0625 2864 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/04 21:07:16.0656 2864 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/04 21:07:16.0671 2864 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/04 21:07:16.0687 2864 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/04 21:07:16.0750 2864 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/04 21:07:16.0781 2864 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/04 21:07:16.0796 2864 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/04 21:07:16.0828 2864 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/04 21:07:16.0843 2864 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/04 21:07:16.0875 2864 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/04 21:07:16.0906 2864 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/04 21:07:16.0937 2864 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/04 21:07:16.0953 2864 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/04 21:07:16.0968 2864 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/04 21:07:16.0984 2864 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/09/04 21:07:17.0000 2864 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/04 21:07:17.0031 2864 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/04 21:07:17.0031 2864 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/04 21:07:17.0062 2864 vaxscsi (92cebc2bc7be2c8d49391b365569f306) C:\WINDOWS\System32\Drivers\vaxscsi.sys
2011/09/04 21:07:17.0093 2864 VClone (1a131c2ca1b99542f9b0dd0c901f6587) C:\WINDOWS\system32\DRIVERS\VClone.sys
2011/09/04 21:07:17.0109 2864 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/04 21:07:17.0125 2864 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/04 21:07:17.0140 2864 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/04 21:07:17.0171 2864 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/09/04 21:07:17.0218 2864 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/04 21:07:17.0265 2864 WinRing0_1_2_0 (845af1ba23c8d5e64def61bcc441604c) G:\program files\PhenomMsrTweaker\WinRing0.sys
2011/09/04 21:07:17.0312 2864 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/09/04 21:07:17.0343 2864 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/09/04 21:07:17.0359 2864 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/04 21:07:17.0390 2864 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/04 21:07:17.0406 2864 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/04 21:07:17.0531 2864 Boot (0x1200) (aab2d76107772047afa4676f545031e5) \Device\Harddisk0\DR0\Partition0
2011/09/04 21:07:17.0562 2864 Boot (0x1200) (06abc21c0df8d3e9c243545cd126ca86) \Device\Harddisk0\DR0\Partition1
2011/09/04 21:07:17.0562 2864 ================================================================================
2011/09/04 21:07:17.0562 2864 Scan finished
2011/09/04 21:07:17.0562 2864 ================================================================================
2011/09/04 21:07:17.0578 2700 Detected object count: 1
2011/09/04 21:07:17.0578 2700 Actual detected object count: 1
2011/09/04 21:07:32.0218 2700 Cdrom (ce12b7a74531bde26b7533ac43bd16fa) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/04 21:07:32.0218 2700 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\cdrom.sys) error 1813
2011/09/04 21:07:33.0078 2700 Backup copy found, using it..
2011/09/04 21:07:33.0078 2700 C:\WINDOWS\system32\DRIVERS\cdrom.sys - will be cured after reboot
2011/09/04 21:07:33.0078 2700 Rootkit.Win32.ZAccess.c(Cdrom) - User select action: Cure
2011/09/04 21:07:38.0640 4008 Deinitialize success

#13 Tiger-Heli

Tiger-Heli
  • Topic Starter

  • Members
  • 171 posts
  • OFFLINE
  • Local time:02:42 PM

Posted 04 September 2011 - 08:26 PM

Here's the "clean" log:

2011/09/04 21:09:25.0343 3044 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/09/04 21:09:25.0921 3044 ================================================================================
2011/09/04 21:09:25.0921 3044 SystemInfo:
2011/09/04 21:09:25.0921 3044
2011/09/04 21:09:25.0921 3044 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/04 21:09:25.0921 3044 Product type: Workstation
2011/09/04 21:09:25.0937 3044 ComputerName: Deleted
2011/09/04 21:09:25.0937 3044 UserName: Deleted
2011/09/04 21:09:25.0937 3044 Windows directory: C:\WINDOWS
2011/09/04 21:09:25.0937 3044 System windows directory: C:\WINDOWS
2011/09/04 21:09:25.0937 3044 Processor architecture: Intel x86
2011/09/04 21:09:25.0937 3044 Number of processors: 2
2011/09/04 21:09:25.0937 3044 Page size: 0x1000
2011/09/04 21:09:25.0937 3044 Boot type: Normal boot
2011/09/04 21:09:25.0937 3044 ================================================================================
2011/09/04 21:09:30.0718 3044 Initialize success
2011/09/04 21:09:37.0562 3636 ================================================================================
2011/09/04 21:09:37.0562 3636 Scan started
2011/09/04 21:09:37.0562 3636 Mode: Manual;
2011/09/04 21:09:37.0562 3636 ================================================================================
2011/09/04 21:09:40.0531 3636 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/04 21:09:40.0750 3636 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/04 21:09:40.0875 3636 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/04 21:09:40.0921 3636 AegisP (15e655baa989444f56787ef558823643) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/09/04 21:09:41.0156 3636 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/09/04 21:09:41.0328 3636 ahcix86 (3936a49ecb74cf23bbb6979cd683dd56) C:\WINDOWS\system32\DRIVERS\ahcix86.sys
2011/09/04 21:09:42.0250 3636 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/09/04 21:09:42.0750 3636 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
2011/09/04 21:09:43.0343 3636 AnyDVD (d1fc4ac47a26d5b666654258126540d9) C:\WINDOWS\system32\Drivers\AnyDVD.sys
2011/09/04 21:09:43.0562 3636 AODDriver (21ca6a013a75fcf6f930d4b08803973a) C:\Program Files\GIGABYTE\ET6\i386\AODDriver.sys
2011/09/04 21:09:43.0859 3636 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/04 21:09:44.0031 3636 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/04 21:09:45.0078 3636 ati2mtag (caadf7aa3abc6afcb3d02b129de9863a) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/09/04 21:09:45.0296 3636 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/04 21:09:45.0312 3636 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/04 21:09:45.0343 3636 AVGIDSDriver (c403e7f715bb0a851a9dfae16ec4ae42) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2011/09/04 21:09:45.0375 3636 AVGIDSEH (1af676db3f3d4cc709cfab2571cf5fc3) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2011/09/04 21:09:45.0390 3636 AVGIDSFilter (4c51e233c87f9ec7598551de554bc99d) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2011/09/04 21:09:45.0406 3636 AVGIDSShim (c3fc426e54f55c1cc3219e415b88e10c) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2011/09/04 21:09:45.0421 3636 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2011/09/04 21:09:45.0453 3636 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2011/09/04 21:09:45.0468 3636 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2011/09/04 21:09:45.0484 3636 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2011/09/04 21:09:45.0515 3636 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2011/09/04 21:09:45.0546 3636 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/04 21:09:45.0578 3636 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/04 21:09:45.0609 3636 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/04 21:09:45.0625 3636 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/04 21:09:45.0625 3636 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/04 21:09:45.0687 3636 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/09/04 21:09:45.0750 3636 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/04 21:09:45.0796 3636 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/04 21:09:45.0812 3636 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/04 21:09:45.0828 3636 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/04 21:09:45.0859 3636 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/04 21:09:45.0890 3636 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/04 21:09:45.0921 3636 ElbyCDFL (c61c83501268b0110b5c5db7e63dee0c) C:\WINDOWS\system32\Drivers\ElbyCDFL.sys
2011/09/04 21:09:45.0937 3636 ElbyCDIO (fa13264eea448b2e1b3a844ae4f75c7a) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
2011/09/04 21:09:45.0953 3636 ElbyDelay (df9957db3bfe5136aad3c2c101806c98) C:\WINDOWS\system32\Drivers\ElbyDelay.sys
2011/09/04 21:09:45.0968 3636 etdrv (3af0ae042afe486b22644cd3fbebf2e2) C:\WINDOWS\etdrv.sys
2011/09/04 21:09:45.0984 3636 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/04 21:09:46.0015 3636 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/09/04 21:09:46.0031 3636 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/04 21:09:46.0031 3636 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/04 21:09:46.0062 3636 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/09/04 21:09:46.0078 3636 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/04 21:09:46.0093 3636 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/04 21:09:46.0125 3636 gdrv (d556cb79967e92b5cc69686d16c1d846) C:\WINDOWS\gdrv.sys
2011/09/04 21:09:46.0125 3636 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
2011/09/04 21:09:46.0156 3636 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/04 21:09:46.0187 3636 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/04 21:09:46.0218 3636 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
2011/09/04 21:09:46.0234 3636 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/04 21:09:46.0265 3636 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/04 21:09:46.0328 3636 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/04 21:09:46.0343 3636 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/04 21:09:46.0468 3636 IntcAzAudAddService (e8656858d8b2da7c9cf59fb4e5ce32ed) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/09/04 21:09:46.0578 3636 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/09/04 21:09:46.0593 3636 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/04 21:09:46.0609 3636 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/04 21:09:46.0625 3636 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/04 21:09:46.0640 3636 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/04 21:09:46.0671 3636 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/04 21:09:46.0687 3636 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/04 21:09:46.0703 3636 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/04 21:09:46.0734 3636 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/04 21:09:46.0750 3636 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/04 21:09:46.0765 3636 L8042Kbd (0c6e346cde730cf1356dd69ad6e9bc42) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
2011/09/04 21:09:46.0781 3636 L8042mou (d6fc755ff505d99e6cc73e83492310df) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
2011/09/04 21:09:46.0812 3636 LBeepKE (9ffd1cf2a782f2560e78eec4b8b8689e) C:\WINDOWS\system32\Drivers\LBeepKE.sys
2011/09/04 21:09:46.0828 3636 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2011/09/04 21:09:46.0859 3636 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2011/09/04 21:09:46.0875 3636 LMouKE (c149bdad13194df16ea33f9f601ed7bf) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
2011/09/04 21:09:46.0906 3636 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/04 21:09:46.0921 3636 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/04 21:09:46.0968 3636 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/09/04 21:09:47.0000 3636 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/04 21:09:47.0015 3636 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/04 21:09:47.0031 3636 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/04 21:09:47.0062 3636 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/04 21:09:47.0078 3636 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/04 21:09:47.0093 3636 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/04 21:09:47.0125 3636 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/04 21:09:47.0140 3636 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/04 21:09:47.0156 3636 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/04 21:09:47.0171 3636 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/04 21:09:47.0187 3636 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/04 21:09:47.0203 3636 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/04 21:09:47.0218 3636 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/04 21:09:47.0234 3636 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/04 21:09:47.0234 3636 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/04 21:09:47.0250 3636 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/04 21:09:47.0265 3636 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/04 21:09:47.0265 3636 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/04 21:09:47.0312 3636 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/04 21:09:47.0328 3636 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/04 21:09:47.0359 3636 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/04 21:09:47.0375 3636 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/04 21:09:47.0390 3636 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/04 21:09:47.0421 3636 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/09/04 21:09:47.0421 3636 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/04 21:09:47.0437 3636 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/04 21:09:47.0468 3636 Pcatip (7f60a1b1754f6f056318453a2001dfe6) C:\WINDOWS\system32\DRIVERS\Pcatip.sys
2011/09/04 21:09:47.0484 3636 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/04 21:09:47.0500 3636 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/04 21:09:47.0515 3636 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/04 21:09:47.0531 3636 Pcouffin (cd2425fd848e5fa09c9a213da56817a9) C:\WINDOWS\system32\Drivers\Pcouffin.sys
2011/09/04 21:09:47.0625 3636 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/04 21:09:47.0640 3636 PQNTDrv (04f3971b70a7855f04d351aa4bee7799) C:\WINDOWS\system32\drivers\PQNTDrv.sys
2011/09/04 21:09:47.0656 3636 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/09/04 21:09:47.0671 3636 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/04 21:09:47.0687 3636 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/04 21:09:47.0750 3636 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/04 21:09:47.0781 3636 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/04 21:09:47.0796 3636 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/04 21:09:47.0812 3636 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/04 21:09:47.0828 3636 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/04 21:09:47.0828 3636 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/04 21:09:47.0843 3636 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/04 21:09:47.0875 3636 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/04 21:09:47.0890 3636 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/04 21:09:47.0937 3636 rt2870 (4f73e0a397a85392a4f7410f8b808311) C:\WINDOWS\system32\DRIVERS\rt2870.sys
2011/09/04 21:09:48.0015 3636 RTHDMIAzAudService (3cf6631543c743c29a369287ea67ffe6) C:\WINDOWS\system32\drivers\RtKHDMI.sys
2011/09/04 21:09:48.0140 3636 SANDRA (230fd3749904ca045ea5ec0aa14006e9) G:\Program Files\SiSoftware\SiSoftware Sandra Lite 2009.SP4\WNt500x86\Sandra.sys
2011/09/04 21:09:48.0171 3636 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/04 21:09:48.0203 3636 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/09/04 21:09:48.0218 3636 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/04 21:09:48.0265 3636 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
2011/09/04 21:09:48.0296 3636 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/04 21:09:48.0328 3636 sptd (d390675b8ce45e5fb359338e5e649329) C:\WINDOWS\System32\Drivers\sptd.sys
2011/09/04 21:09:48.0359 3636 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/04 21:09:48.0375 3636 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/04 21:09:48.0406 3636 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/04 21:09:48.0406 3636 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/04 21:09:48.0468 3636 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/04 21:09:48.0500 3636 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/04 21:09:48.0515 3636 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/04 21:09:48.0546 3636 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/04 21:09:48.0562 3636 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/04 21:09:48.0593 3636 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/04 21:09:48.0625 3636 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/04 21:09:48.0656 3636 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/04 21:09:48.0671 3636 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/04 21:09:48.0687 3636 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/04 21:09:48.0703 3636 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/09/04 21:09:48.0718 3636 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/04 21:09:48.0734 3636 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/04 21:09:48.0750 3636 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/04 21:09:48.0765 3636 vaxscsi (92cebc2bc7be2c8d49391b365569f306) C:\WINDOWS\System32\Drivers\vaxscsi.sys
2011/09/04 21:09:48.0796 3636 VClone (1a131c2ca1b99542f9b0dd0c901f6587) C:\WINDOWS\system32\DRIVERS\VClone.sys
2011/09/04 21:09:48.0812 3636 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/04 21:09:48.0843 3636 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/04 21:09:48.0875 3636 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/04 21:09:48.0906 3636 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/09/04 21:09:48.0968 3636 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/04 21:09:49.0015 3636 WinRing0_1_2_0 (845af1ba23c8d5e64def61bcc441604c) G:\program files\PhenomMsrTweaker\WinRing0.sys
2011/09/04 21:09:49.0046 3636 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/09/04 21:09:49.0093 3636 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/09/04 21:09:49.0109 3636 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/04 21:09:49.0125 3636 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/04 21:09:49.0156 3636 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/04 21:09:49.0265 3636 Boot (0x1200) (aab2d76107772047afa4676f545031e5) \Device\Harddisk0\DR0\Partition0
2011/09/04 21:09:49.0281 3636 Boot (0x1200) (06abc21c0df8d3e9c243545cd126ca86) \Device\Harddisk0\DR0\Partition1
2011/09/04 21:09:49.0296 3636 ================================================================================
2011/09/04 21:09:49.0296 3636 Scan finished
2011/09/04 21:09:49.0296 3636 ================================================================================
2011/09/04 21:09:49.0296 3628 Detected object count: 0
2011/09/04 21:09:49.0296 3628 Actual detected object count: 0
2011/09/04 21:11:27.0359 3028 Deinitialize success

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 September 2011 - 08:29 PM

OK, rerun ComboFix now.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 Tiger-Heli

Tiger-Heli
  • Topic Starter

  • Members
  • 171 posts

Posted 05 September 2011 - 09:35 AM

Combofix log:

ComboFix 11-09-03.01 - user name 09/05/2011 10:21:25.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1789.1057 [GMT -4:00]
Running from: g:\data\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-05 to 2011-09-05 )))))))))))))))))))))))))))))))
.
.
2011-08-24 02:34 . 2011-08-24 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\RoboForm
2011-08-24 02:32 . 2011-08-24 02:32 -------- d-----w- g:\program files\Siber Systems
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-05 01:08 . 2008-04-14 04:10 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-26 16:50 . 2008-04-14 04:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-25 22:07 . 2008-04-14 04:47 455296 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-25 00:31 . 2008-04-14 04:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-25 00:25 . 2009-09-05 20:18 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-08-25 00:21 . 2008-04-14 04:49 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-25 00:09 . 2008-04-14 04:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2003-03-19 01:20 . 2010-06-25 01:14 1060864 ----a-w- g:\program files\mozilla firefox\plugins\mfc71.dll
2003-02-21 08:42 . 2010-06-25 01:14 348160 ----a-w- g:\program files\mozilla firefox\plugins\msvcr71.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-09-03 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-09-04_03.57.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-05 04:59 . 2011-04-05 04:59 297168 c:\windows\system32\drivers\avgtdix.sys
+ 2010-09-07 07:48 . 2011-01-07 10:41 248656 c:\windows\system32\drivers\avgldx86.sys
- 2010-09-07 07:48 . 2011-08-25 01:18 248656 c:\windows\system32\drivers\avgldx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WallpaperChanger"="g:\program files\Wallpaper Master\Wallpaper.exe" [2005-08-30 321536]
"PPWebCap"="g:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2001-08-10 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"AutoShutdown Pro"="g:\program files\AutoShutdown\AutoShutdown.exe" [2003-10-06 631808]
"TrayFactory"="g:\program files\PS Tray Factory\PSTrayFactory.exe" [2010-05-25 1304576]
"AVG_TRAY"="g:\program files\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PSTF"="g:\program files\PS Tray Factory\PSTrayFactory.exe" [2010-05-25 1304576]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Shortcut to startup.brs.lnk - g:\program files\Batchrun\startup.brs [2010-12-4 907]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoNetworkConnections"= 01000000
"NoStrCmpLogical"= 01000000
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ----a-w- g:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:F *\0\0\0g:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0g:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"g:\\program files\\Electronic Arts\\Burnout™ Paradise The Ultimate Box\\BurnoutLauncher.exe"=
"g:\\program files\\Electronic Arts\\Burnout™ Paradise The Ultimate Box\\BurnoutConfigTool.exe"=
"g:\\program files\\Electronic Arts\\Burnout™ Paradise The Ultimate Box\\BurnoutParadise.exe"=
"g:\\program files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"g:\\program files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"g:\\program files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"g:\\program files\\Opera\\opera.exe"=
"g:\\program files\\JDownloader_PortableApps\\CommonFiles\\Java\\bin\\javaw.exe"=
"g:\\program files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"g:\\program files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"=
"g:\\program files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"g:\\program files\\Java\\jre6\\bin\\javaw.exe"=
"g:\\program files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"g:\\program files\\EA GAMES\\MOHAA\\moh_spearhead.exe"=
"g:\\program files\\EA GAMES\\MOHAA\\moh_Breakthrough.exe"=
"g:\\program files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"g:\\program files\\EA GAMES\\Medal of Honor Pacific Assault™\\mohpa.exe"=
"g:\\program files\\operator\\Opera\\opera.exe"=
"g:\\program files\\Firefox\\App\\Firefox\\firefox.exe"=
"g:\\program files\\Mozilla Sunbird\\sunbird.exe"=
"g:\\program files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP4\\RpcAgentSrv.exe"=
"g:\\program files\\SiSoftware\\SiSoftware Sandra Lite 2009.SP4\\WNt500x86\\RpcSandraSrv.exe"=
"g:\\program files\\windows media player\\wmplayer.exe"=
"g:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=
"g:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=
"g:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/2/2009 9:39 PM 189968]
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [9/13/2010 4:27 PM 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/7/2010 3:48 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [9/7/2010 3:48 AM 248656]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/5/2011 12:59 AM 297168]
R2 avgwd;AVG WatchDog;g:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 5:33 AM 269520]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [11/25/2009 7:10 AM 10384]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [8/19/2010 9:42 PM 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [8/19/2010 9:42 PM 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [8/19/2010 9:42 PM 27216]
R3 WinRing0_1_2_0;WinRing0_1_2_0;g:\program files\PhenomMsrTweaker\WinRing0.sys [7/26/2008 10:30 PM 14416]
S2 AutoShutdown;AutoShutdown Service;g:\progra~1\AUTOSH~1\AS_Service.exe --> g:\progra~1\AUTOSH~1\AS_Service.exe [?]
S2 AVGIDSAgent;AVGIDSAgent;g:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [4/18/2011 5:39 PM 7398752]
S2 PhenomMsrTweaker;PhenomMsrTweaker service;"g:\program files\PhenomMsrTweaker\PhenomMsrTweakerService.exe" --> g:\program files\PhenomMsrTweaker\PhenomMsrTweakerService.exe [?]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\BROOKS~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\BROOKS~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/5/2009 8:49 PM 1684736]
S3 AODDriver;AODDriver;c:\program files\Gigabyte\ET6\i386\AODDriver.sys [2/23/2009 12:16 AM 7168]
S3 CTUPnPSv;Creative Centrale Media Server;g:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 7:42 AM 64000]
S3 etdrv;etdrv;c:\windows\etdrv.sys [9/5/2009 11:13 PM 17488]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;g:\program files\SiSoftware\SiSoftware Sandra Lite 2009.SP4\RpcAgentSrv.exe [9/14/2009 8:51 PM 99176]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [9/20/2009 6:21 PM 223128]
S4 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [9/5/2009 8:43 PM 68136]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/16/2009 7:14 PM 685816]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WINRING0_1_2_0
.
.
------- Supplementary Scan -------
.
Handler: ms-its51 - {F6F1E82D-DE4D-11D2-875C-0000F8105754} - g:\program files\Common Files\microsoft shared\Information Retrieval\itss51.dll
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-76946266.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-05 10:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-823518204-746137067-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
g:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
g:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(3356)
c:\windows\system32\WININET.dll
g:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
g:\program files\PS Tray Factory\HKDll.dll
g:\program files\WKeyKill\WKeyKill.dll
g:\program files\AutoShutdown\asidle.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
g:\program files\taskbar_shuffle\tbhookin.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-09-05 10:25:55
ComboFix-quarantined-files.txt 2011-09-05 14:25
ComboFix2.txt 2011-09-04 19:39
ComboFix3.txt 2011-09-04 04:00
.
Pre-Run: 20,808,491,008 bytes free
Post-Run: 20,796,633,088 bytes free
.
- - End Of File - - 7C456070B9965586135E21BBD6663546

ComboFix didn't need to reboot this time, which might be a good sign.

Two points: AVG has been detecting some threats, and I have been selecting "Move unhealed to Virus Vault" - I didn't know if this was correct, or if it might interfere with what you are trying to help with.

I've been restarting the computer between forum checks, because I don't get to check it that often - not sure if that matters either ...

Thanks again!!!
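
The services list in the ComboFix log above is the part a helper reads by hand, looking for odd load paths. The script below is added here as an example; it is not code from ComboFix, TDSSKiller, or anyone in this thread. It parses ComboFix R0/S3 service lines and TDSSKiller driver lines (the sample lines are copied from the logs posted above) and prints the entries that warrant a second look, plus the MBR and boot-sector hashes TDSSKiller reported. The heuristics (image not found, loads from a Temp directory, numeric .tmp image name, driver outside system32) are review prompts only: in this very log they also fire on the AutoShutdown service, a hardware-monitoring driver (ALSysIO) and an anti-rootkit artifact (MEMSWEEP2), so every hit needs a signature check and a hash lookup before anyone acts on it. The function and variable names are my own.

```python
"""Triage helper for ComboFix service/driver lines and TDSSKiller driver lines.

Added example for readers of the thread; not code from ComboFix, TDSSKiller
or the forum posters. SAMPLE_LINES are copied verbatim from the logs posted
above. Every flag is a prompt for manual review, not a malware verdict:
legitimate tools (hardware monitors, anti-rootkit scanners, half-uninstalled
apps) trip these heuristics too.
"""
import re
from typing import Dict, List, Optional

# ComboFix service line: "<R|S><group> name;display;image [date size]" or
# "... image --> resolved [?]" when ComboFix could not read the file's date/size.
COMBOFIX_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")

# TDSSKiller entry: "<date> <time> <pid> name [(0xoffset)] (<md5>) <path>"
TDSS_RE = re.compile(
    r"^\S+\s+\S+\s+\d+\s+(\S+)(?:\s+\(0x[0-9A-Fa-f]+\))?\s+\(([0-9a-fA-F]{32})\)\s+(.+?)\s*$"
)


def _normalize_path(raw: str) -> str:
    """Use the resolved target of 'image --> resolved'; drop quotes and the NT object prefix."""
    if "-->" in raw:
        raw = raw.split("-->", 1)[1]
    return raw.strip().strip('"').replace("\\??\\", "").lower()


def parse_combofix_service(line: str) -> Optional[Dict]:
    m = COMBOFIX_RE.match(line)
    if not m:
        return None
    kind, group, name, display, image, tail = m.groups()
    return {
        "source": "combofix",
        "name": name.strip(),
        "display": display.strip(),
        "path": _normalize_path(image),
        "running": kind == "R",      # R = running, S = stopped
        "start_group": int(group),   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        "file_present": tail.strip() != "?",
        "md5": None,
    }


def parse_tdsskiller_entry(line: str) -> Optional[Dict]:
    m = TDSS_RE.match(line)
    if not m:
        return None
    name, md5, path = m.groups()
    return {"source": "tdsskiller", "name": name, "display": name,
            "path": path.strip().lower(), "running": True, "start_group": None,
            "file_present": True, "md5": md5.lower()}


def review_reasons(entry: Dict) -> List[str]:
    """Heuristics an analyst applies when reading a services list by hand."""
    path = entry["path"]
    fname = path.rsplit("\\", 1)[-1]
    reasons = []
    if not entry["file_present"]:
        reasons.append("image file could not be found on disk ([?])")
    if "\\temp\\" in path:
        reasons.append("loads from a Temp directory")
    if re.fullmatch(r"\d+\.tmp", fname):
        reasons.append("numeric .tmp image name")
    if fname.endswith(".sys") and "\\system32\\" not in path:
        reasons.append("driver outside %SystemRoot%\\system32")
    return reasons


def triage(lines: List[str]) -> List[Dict]:
    """Parse every recognised line and return only the entries that have review reasons."""
    flagged = []
    for line in lines:
        entry = parse_combofix_service(line) or parse_tdsskiller_entry(line)
        if entry is None:
            continue
        reasons = review_reasons(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


def boot_sector_hashes(lines: List[str]) -> Dict[str, str]:
    """MD5s TDSSKiller reports for the MBR and partition boot sectors, keyed by device path.
    Record them from a known-clean scan so a later scan can be diffed against them."""
    hashes = {}
    for line in lines:
        entry = parse_tdsskiller_entry(line)
        if entry and entry["path"].startswith("\\device\\"):
            hashes[entry["path"]] = entry["md5"]
    return hashes


# Copied from the ComboFix and TDSSKiller logs posted in this thread.
SAMPLE_LINES = [
    r"R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [9/2/2009 9:39 PM 189968]",
    r"R3 WinRing0_1_2_0;WinRing0_1_2_0;g:\program files\PhenomMsrTweaker\WinRing0.sys [7/26/2008 10:30 PM 14416]",
    r"S2 AutoShutdown;AutoShutdown Service;g:\progra~1\AUTOSH~1\AS_Service.exe --> g:\progra~1\AUTOSH~1\AS_Service.exe [?]",
    r"S3 ALSysIO;ALSysIO;\??\c:\docume~1\BROOKS~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\BROOKS~1\LOCALS~1\Temp\ALSysIO.sys [?]",
    r"S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]",
    r"2011/09/04 21:09:48.0687 3636 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys",
    r"2011/09/04 21:09:49.0156 3636 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0",
    r"2011/09/04 21:09:49.0265 3636 Boot (0x1200) (aab2d76107772047afa4676f545031e5) \Device\Harddisk0\DR0\Partition0",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e['name']:16} {e['path']}")
        for r in e["reasons"]:
            print(f"    - {r}")
    print("boot sectors:", boot_sector_hashes(SAMPLE_LINES))
```

Run it against the full log pasted into a text file (one line per entry) and the flagged names come back with their reasons; the unflagged majority is what you skip. The boot-sector hashes are worth saving from the first clean TDSSKiller run, since a bootkit rescan is only meaningful against a known-good MBR hash for the same disk.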



