System restarts before it reaches Windows login screen


  • This topic is locked
14 replies to this topic

#1 sandem

  • Members
  • 16 posts

Posted 16 September 2011 - 02:19 AM

Hello,

I've been unable to access windows due to the system restarting itself before it reaches the login screen. Here is a rundown of the problem (and where it may have started) from the beginning (I apologize if this message is quite long but I will try to be as detailed as possible so as to avoid wasting anyone's time asking questions that I can provide info for right away):

To begin, I'm running fully updated Windows XP Professional (no other operating systems) along with up to date McAfee anti-virus software. Up to this point I haven't been having any issues/problems or suspicious behavior with my system and haven't had any for a long time. Nor have I at any point agreed to install anything suspicious from the internet (i.e. pop-ups warning me of viruses on my computer and recommending that I install such and such program, etc.).

Last night I shut down my system, opting to let Windows install some system updates and shut down on its own when it was done, as is often the case. I turned on my PC this morning, logged in, and Windows proceeded to load normally.

Less than a minute after the desktop loaded a window proclaiming to be Windows Malicious Software Removal Tool popped up and informed me that it had found several threats on my system (I knew that it was the name of a real Microsoft program and it looked pretty legitimate and I assumed that it was probably something Windows had just recently installed the night before as an update for safety reasons. Plus I had just booted up and couldn't remember anything unusual happening or anything risky being downloaded the day before). It asked if I wanted to perform a more thorough full system scan than what it had done and warned that it may take up to several hours to perform on some slower systems. I unchecked the box opting not to bother until later and clicked "next." I believe I then clicked on some blue highlighted text or something allowing me the option of viewing a list or log of the threats that it found. There was a list of apparently normal files that hadn't been removed and at the top were two directory locations in which it listed viruses that had been found. I know that one was "bamital" (a real virus I later found out) and the other may have been the same, only in a different directory. It was listed as something like "Trojan:" followed by the directory and file name and then status of "Removed" or "Quarantined" or something like that. I think I clicked next and it told me that it had removed the threats and that to complete the removal process it had to restart my computer so I said OK.

After startup is when the problem began. All of a sudden, after showing the Windows XP logo screen with the loading bar, instead of flashing black for a second or two and then showing the login screen, the screen stayed black for 20-30 seconds, much longer than usual, and then the system restarted. Up until now that's as far as I can get. I've tried almost every option on the F8 menu including safe mode, safe mode with networking, debugging mode, load last known settings that worked, and a few others that I can't recall off the top of my head. I also tried don't restart after system failure. The only difference with that is that instead of restarting after a while on the black screen it goes to a blue screen that reads:

Stop: c000021a {fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000034 (0x00000000 0x00000000)
The system has been shut down

I am guessing that the sudden appearance of the malicious software removal tool, whether fake or real, has something to do with this. Maybe an important system file has been deleted or disabled. Either that or it's a huge coincidence and my hardware happened to break down at exactly the same time. Have tried looking up the problem all over the web and so far can't find anyone with the exact same problem. Any instances of a fake removal tool that I've found on the net don't sound like the program I encountered aside from the name and general appearance and didn't result in the same issue. In all cases that I've found it prompts the user to install some kind of anti-virus software to remove the fake viruses that it says it's detected. Finally, I don't have a Windows XP CD since my system didn't come with one so unfortunately I won't be able to perform any recovery or boot options that require it. I don't have a recovery disc either.

Please Help! Thank you.


#2 AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 16 September 2011 - 04:47 AM

Hello and :welcome: to the BC forums.

Please sit tight and be patient.

I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.
AustrAlien
Google is my friend. Make Google your friend too.

#3 sandem

  • Topic Starter

  • Members
  • 16 posts

Posted 16 September 2011 - 05:30 PM

Thanks

Here is an update:

I ran chkdsk from the recovery console and it said "volume appears to be in good condition and was not checked. Use /p if you want to check the volume anyway." I tried chkdsk /r and when it finished it said "found and fixed one or more errors on the volume" but that was it. No log of errors or anything. Rebooted after that but no difference.

Also managed to find an old 2003 Windows XP Home w/SP1a CD but not sure if that will help with Win. XP Pro. issues.

#4 sandem

  • Topic Starter

  • Members
  • 16 posts

Posted 19 September 2011 - 06:16 PM

Wondering whether I should repost, perhaps with a shorter message this time. Has been close to 4 days and bumped to third page. Not sure whether I can expect a reply at this point... Also, maybe this should be posted in a different forum i.e. in one of the security forums? Any advice from anyone?

Edited by sandem, 19 September 2011 - 06:21 PM.


#5 JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,545 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 September 2011 - 12:24 AM

No need to.

Let's give it a try.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

Edited by Orange Blossom, 20 September 2011 - 12:35 AM.
Moved to log forum. ~ OB

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
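The file search that the "bash driver.sh -af" step performs, re-created offline as an added example (this is not the thread's driver.sh or query.sh): it lists every copy of a named file under the mounted Windows volume with its MD5, and then does the comparison a reader of filefind.txt otherwise makes by eye, checking whether the live copy under WINDOWS\system32 is present and identical to the protected copy in dllcache or ServicePackFiles\i386. The directory tree it builds is constructed for the demonstration, and a temporary directory stands in for /mnt/sda2.

```shell
#!/bin/sh
# Added example, not the thread's driver.sh. Re-creates the file search from a
# live CD and adds a verdict per file: is the live copy present, and does it
# match the protected copy Windows keeps in dllcache / ServicePackFiles\i386?

md5_of() {                       # md5sum on Linux, md5 -q on BSD/macOS
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
  else md5 -q "$1"; fi
}

# find_copies MOUNT NAME: every copy of NAME under MOUNT, matched
# case-insensitively like the NTFS namespace, as "md5 path size" lines.
find_copies() {
  find "$1" -type f -iname "$2" 2>/dev/null | sort | while read -r f; do
    printf '%s %s %s\n' "$(md5_of "$f")" "$f" "$(wc -c < "$f" | tr -d ' ')"
  done
}

# reference_copy MOUNT NAME: the protected copy to compare the live file with,
# dllcache first, then the service pack source directory.
reference_copy() {
  for d in "$1/WINDOWS/system32/dllcache" "$1/WINDOWS/ServicePackFiles/i386"; do
    r=$(find "$d" -maxdepth 1 -type f -iname "$2" 2>/dev/null | head -n 1)
    [ -n "$r" ] && { echo "$r"; return 0; }
  done
  return 1
}

# check_live MOUNT RELDIR NAME: prints a verdict and returns
#   0 = live copy present and identical to the reference copy
#   1 = live copy missing (nothing for the loader to start)
#   2 = live copy present but differs from the reference copy
#   3 = live copy present, no reference copy to compare with
check_live() {
  m="$1"; rel="$2"; name="$3"
  live=$(find "$m/$rel" -maxdepth 1 -type f -iname "$name" 2>/dev/null | head -n 1)
  if [ -z "$live" ]; then echo "MISSING  $m/$rel/$name"; return 1; fi
  ref=$(reference_copy "$m" "$name") || { echo "NOREF    $live"; return 3; }
  if [ "$(md5_of "$live")" != "$(md5_of "$ref")" ]; then
    echo "MISMATCH $live != $ref"; return 2
  fi
  echo "OK       $live == $ref"; return 0
}

# make_sample_tree DIR: constructed stand-in for a mounted XP volume.
# winlogon.exe exists only in dllcache and ServicePackFiles (live copy gone),
# userinit.exe is intact, volsnap.sys is deliberately altered for the demo.
make_sample_tree() {
  w="$1/WINDOWS"
  mkdir -p "$w/system32/dllcache" "$w/system32/drivers" "$w/ServicePackFiles/i386"
  printf 'winlogon-sp3' > "$w/system32/dllcache/winlogon.exe"
  printf 'winlogon-sp3' > "$w/ServicePackFiles/i386/winlogon.exe"
  printf 'userinit-sp3' > "$w/system32/userinit.exe"
  printf 'userinit-sp3' > "$w/system32/dllcache/userinit.exe"
  printf 'volsnap-sp3'  > "$w/ServicePackFiles/i386/volsnap.sys"
  printf 'volsnap-XXX'  > "$w/system32/drivers/volsnap.sys"
}

demo() {
  t=$(mktemp -d); make_sample_tree "$t"
  for n in Winlogon.exe Userinit.exe volsnap.sys; do
    echo "Search results for $n"; find_copies "$t" "$n"; echo
  done
  # a non-zero status here is the verdict, not an error, so keep going
  check_live "$t" WINDOWS/system32 winlogon.exe || :
  check_live "$t" WINDOWS/system32 userinit.exe || :
  check_live "$t" WINDOWS/system32/drivers volsnap.sys || :
  rm -rf "$t"
}
demo
```

Against a real mount the same functions are called with the xPUD mount point (for example /mnt/sda2) in place of the temporary directory.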


#6 sandem

  • Topic Starter

  • Members
  • 16 posts

Posted 21 September 2011 - 05:54 PM

Thanks very much for your help. Instructions were very clear and easy to follow.

Here are the three logs below and the .bin file is attached as a .zip
(It wouldn't let me attach as a .7z or a .rar)
I copied and pasted the logs/reports from notepad so hopefully the formatting is ok.
If not, I can post them as attachments.
report.txt is huge but I'll assume that's normal.



****** filefind.txt ******

Search results for Winlogon.exe

01c3346c241652f43aed8e2149881bfe /mnt/sda2/WINDOWS/$NtServicePackUninstall$/winlogon.exe
490.5K Aug 4 2004

2d513a17593e1be98b6a8be474d3943b /mnt/sda2/WINDOWS/system32/dllcache/winlogon.exe
496.0K Jun 27 02:03

ed0ef0a136dec83df69f04118870003e /mnt/sda2/WINDOWS/ServicePackFiles/i386/winlogon.exe
496.0K Apr 14 2008

2b0e480e975ee51f2d5ce5f068fed6e2 /mnt/sda1/MiniNT/system32/winlogon.exe
420.0K Aug 17 2001

2b0e480e975ee51f2d5ce5f068fed6e2 /mnt/sda1/i386/system32/winlogon.exe
420.0K Aug 16 2001


Search results for volsnap.sys

ee4660083deba849ff6c485d944b379b /mnt/sda2/WINDOWS/$NtServicePackUninstall$/volsnap.sys
51.1K Aug 4 2004

4c8fcb5cc53aab716d810740fe59d025 /mnt/sda2/WINDOWS/system32/drivers/volsnap.sys
51.1K Apr 13 2008

4c8fcb5cc53aab716d810740fe59d025 /mnt/sda2/WINDOWS/ServicePackFiles/i386/volsnap.sys
51.1K Apr 13 2008


Search results for explorer.exe

7712df0cdde3a5ac89843e61cd5b3658 /mnt/sda2/WINDOWS/$hf_mig$/KB938828/SP2QFE/explorer.exe
1009.0K Jun 13 2007

500f8a03c47582f65e8440609b60ba9f /mnt/sda2/WINDOWS/explorer.exe
1009.5K Oct 30 2010

97bd6515465659ff8f3b7be375b2ea87 /mnt/sda2/WINDOWS/$NtServicePackUninstall$/explorer.exe
1009.0K Jun 13 2007

500f8a03c47582f65e8440609b60ba9f /mnt/sda2/WINDOWS/system32/dllcache/explorer.exe
1009.5K Oct 30 2010

a0732187050030ae399b241436565e64 /mnt/sda2/WINDOWS/$NtUninstallKB938828$/explorer.exe
1008.0K Aug 4 2004

12896823fb95bfb3dc9b46bcaedc9923 /mnt/sda2/WINDOWS/ServicePackFiles/i386/explorer.exe
1009.5K Apr 14 2008


Search results for Userinit.exe

39b1ffb03c2296323832acbae50d2aff /mnt/sda2/WINDOWS/$NtServicePackUninstall$/userinit.exe
24.0K Aug 4 2004

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda2/WINDOWS/system32/userinit.exe
25.5K Apr 14 2008

a93aee1928a9d7ce3e16d24ec7380f89 /mnt/sda2/WINDOWS/ServicePackFiles/i386/userinit.exe
25.5K Apr 14 2008

585398603f570f9705774d65d292e5d1 /mnt/sda1/MiniNT/system32/userinit.exe
21.0K Aug 17 2001

585398603f570f9705774d65d292e5d1 /mnt/sda1/i386/system32/userinit.exe
21.0K Aug 16 2001


Search results for Exit



****** report.txt : ******

Wed Sep 21 17:54:08 UTC 2011
Driver report for /mnt/sda2/WINDOWS/system32/drivers
Microsoft Corporation

a717c8721046828520c9edf31288fc00 usbprint.sys
Microsoft Corporation

a0b8cf9deb1184fbdd20784a58fa75d4 usbscan.sys
Microsoft Corporation

a32426d9b14a089eaa1d922e0c5801a9 usbstor.sys
Microsoft Corporation

26496f9dee2d787fc3e61ad54821ffe6 usbuhci.sys
Microsoft Corporation

63bbfca7f390f4c49ed4b96bfb1633e0 usbvideo.sys
Microsoft Corporation

9bf2ea54e5ed5acdf96f1dec84c117c4 VClone.sys
H`VS_VERSION_INFO?(aStringFileInfobFCompanyNameElaborateBytesAGTFileDescriptionVirtualCloneCDDrivervFileVersion,,,bInternalNameElbyVCDz+LegalCopyrightCopyright-ElaborateBytesAG@bOriginalFilenameElbyVCD.sys&PrivateBuildNoFProductNameVirtualCloneDrive:vProductVersion,,,LSpecialBuildWindows/XP/VISTADVarFileInfo$Translationt:Pe

55e01061c74a8cefff58dc36114a8d3f vdmindvd.sys
Ravisent Technologies

0d3a8fafceacd8b7625cd549757a7df1 vga.sys
Microsoft Corporation

754292ce5848b3738281b4f3607eaef4 viaagp.sys
Microsoft Corporation

e28726b72c46821a28830e077d39a55b videoprt.sys
Microsoft Corporation

4c8fcb5cc53aab716d810740fe59d025 volsnap.sys
Microsoft Corporation

aced8c149b30f8496c237bcba3727b48 wacompen.sys
Microsoft Corporation

0308aef61941e4af478fa1a0f83812f5 wadv07nt.sys
Intel Corporation

714038a8aa5de08e12062202cd7eaeb5 wadv08nt.sys
Intel Corporation

7bb3aa595e4507a788de1cdc63f4c8c4 wadv09nt.sys
Intel Corporation

36e6c405b6143d09687f4056fd9a0d10 wadv11nt.sys
Intel Corporation

e20b95baedb550f32dd489265c1da1f6 wanarp.sys
Microsoft Corporation

352fa0e98bc461ce1ce5d41f64db558d watv06nt.sys
Intel Corporation

791cc45de6e50445be72e8ad6401ff45 watv10nt.sys
Intel Corporation

6768acf64b18196494413695f0c3a00f wdmaud.sys
Microsoft Corporation

2f31b7f954bed437f2c75026c65caf7b wmilib.sys
Microsoft Corporation

cf4def1bf66f06964dc0d91844239104 wpdusb.sys
Microsoft Corporation

6abe6e225adb5a751622a9cc3bc19ce8 ws2ifsl.sys
Microsoft Corporation

c98b39829c2bbd34e454150633c62c78 wstcodec.sys
Microsoft Corporation

f15feafffbb3644ccc80c5da584e6311 WudfPf.sys
Microsoft Corporation

28b524262bce6de1f7ef9f510ba3985b WudfRd.sys
Microsoft Corporation

Driver report for /mnt/sda1/MiniNT/system32/drivers

Driver report for /mnt/sda1/i386/apps/app31606/src/support/symnet/symnet/system32/drivers


****** RegReport.txt : ******

Remote Registry Report

Hive </mnt/sda2/WINDOWS/system32/config/software>
\Microsoft\Windows NT\CurrentVersion> Value <ProductName> of type REG_SZ, data length 42 [0x2a]
Microsoft Windows XP
\Microsoft\Windows NT\CurrentVersion> Value <CSDVersion> of type REG_SZ, data length 30 [0x1e]
Service Pack 3
\Microsoft\Windows NT\CurrentVersion> Value <SystemRoot> of type REG_SZ, data length 22 [0x16]
C:\WINDOWS
\Microsoft\Windows NT\CurrentVersion\Windows> Value <AppInit_DLLs> of type REG_SZ, data length 2 [0x2]
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 68 [0x44]
C:\WINDOWS\system32\userinit.exe,
(...)\Windows NT\CurrentVersion\Winlogon\Notify> Node has 12 subkeys and 0 values
<crypt32chain>
<cryptnet>
<cscdll>
<dimsntfy>
<igfxcui>
<ScCertProp>
<Schedule>
<sclgntfy>
<SensLogn>
<termsrv>
<WgaLogon>
<wlballoon>
\Microsoft\Windows\CurrentVersion\Run> Node has 1 subkeys and 30 values
<OptionalComponents>
size type value name [value if type DWORD]
26 REG_SZ <AGRSMMSG>
26 REG_SZ <High Definition Audio Property Page Shortcut>
118 REG_SZ <Acrobat Assistant 7.0>
112 REG_SZ <BluetoothAuthenticationAgent>
136 REG_SZ <IMJPMIG8.1>
66 REG_SZ <igfxtray>
60 REG_SZ <igfxhkcmd>
66 REG_SZ <igfxpers>
110 REG_SZ <SBDrvDet>
44 REG_SZ <UpdReg>
106 REG_SZ <NvCplDaemon>
36 REG_SZ <nwiz>
120 REG_SZ <CTDVDDET>
120 REG_SZ <NvMediaCenter>
148 REG_SZ <MaxMenuMgr>
190 REG_SZ <SSBkgdUpdate>
102 REG_SZ <PaperPort PTD>
108 REG_SZ <IndexSearch>
306 REG_SZ <PPort11reminder>
112 REG_SZ <BrMfcWnd>
124 REG_SZ <ControlCenter3>
112 REG_SZ <mcui_exe>
26 REG_SZ <CTXFIREG>
28 REG_SZ <CTHelper>
104 REG_SZ <QuickTime Task>
108 REG_SZ <NeroFilterCheck>
122 REG_SZ <DivXUpdate>
122 REG_SZ <SunJavaUpdateSched>
86 REG_SZ <iTunesHelper>
118 REG_SZ <Adobe ARM>
(...)\Windows\CurrentVersion\policies\system> Node has 0 subkeys and 6 values
4 REG_DWORD <dontdisplaylastusername> 0 [0x0]
4 REG_DWORD <legalnoticecaption> 1 [0x1]
8 REG_SZ <legalnoticetext>
4 REG_DWORD <shutdownwithoutlogon> 1 [0x1]
4 REG_DWORD <undockwithoutlogon> 1 [0x1]
4 REG_DWORD <DisableRegistryTools> 0 [0x0]


Hive </mnt/sda1/MiniNT/system32/config/software>
\Microsoft\Windows NT\CurrentVersion> Value <ProductName> of type REG_SZ, data length 42 [0x2a]
Microsoft Windows XP
\Microsoft\Windows NT\CurrentVersion> cat_vk: No such value <CSDVersion>
\Microsoft\Windows NT\CurrentVersion> cat_vk: No such value <SystemRoot>
\Microsoft\Windows NT\CurrentVersion\Windows> Value <AppInit_DLLs> of type REG_SZ, data length 2 [0x2]
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 18 [0x12]
userinit
(...)\Windows NT\CurrentVersion\Winlogon\Notify> Node has 4 subkeys and 0 values
<cscdll>
<ScCertProp>
<SensLogn>
<wlballoon>
\Microsoft\Windows\CurrentVersion\RunOnce> Node has 0 subkeys and 0 values


Hive </mnt/sda1/i386/system32/config/software>
\Microsoft\Windows NT\CurrentVersion> Value <ProductName> of type REG_SZ, data length 42 [0x2a]
Microsoft Windows XP
\Microsoft\Windows NT\CurrentVersion> cat_vk: No such value <CSDVersion>
\Microsoft\Windows NT\CurrentVersion> cat_vk: No such value <SystemRoot>
\Microsoft\Windows NT\CurrentVersion\Windows> Value <AppInit_DLLs> of type REG_SZ, data length 2 [0x2]
(...)\Windows NT\CurrentVersion\Winlogon> Value <Shell> of type REG_SZ, data length 26 [0x1a]
Explorer.exe
(...)\Windows NT\CurrentVersion\Winlogon> Value <Userinit> of type REG_SZ, data length 18 [0x12]
userinit
(...)\Windows NT\CurrentVersion\Winlogon\Notify> Node has 4 subkeys and 0 values
<cscdll>
<ScCertProp>
<SensLogn>
<wlballoon>
\Microsoft\Windows\CurrentVersion\RunOnce> Node has 0 subkeys and 0 values


Hive </mnt/sda2/Documents and Settings/Ian/NTUSER.DAT>
(...)\Microsoft\Windows\CurrentVersion\RunOnce> Node has 0 subkeys and 0 values
(...)\Windows\CurrentVersion\Policies\Explorer> Node has 1 subkeys and 3 values
<run>
size type value name [value if type DWORD]
4 REG_DWORD <NoDriveTypeAutoRun> 323 [0x143]
4 REG_DWORD <NoDriveAutoRun> 67108863 [0x3ffffff]
4 REG_DWORD <NoDrives> 0 [0x0]
(...)\Windows\CurrentVersion\Policies\System> Node has 0 subkeys and 1 values
4 REG_DWORD <DisableRegistryTools> 0 [0x0]
\Software\Policies\Microsoft\Windows\System> Node has 0 subkeys and 1 values
4 REG_DWORD <DisableCMD> 0 [0x0]



#7 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,545 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:49 AM

Posted 21 September 2011 - 06:48 PM

Boot to xPUD

  • Press File
  • Expand mnt
  • Browse to the sda2/WINDOWS/ServicePackFiles/i386 folder
  • Right click on the winlogon.exe file and select Copy.
  • Then browse to the sda2/WINDOWS/System32 folder.
  • Right click on an empty space and select Paste

That should copy the winlogon.exe file from the i386 folder to the System32 folder.

Restart the computer in Normal Mode. If successful, run Combofix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

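Added example, not code from the thread or from xPUD or ComboFix: a POSIX shell check that does by MD5 what the winlogon.exe step above does by eye, comparing a System32 binary against its ServicePackFiles\i386 cache copy from a Linux live environment with the Windows partition mounted (root such as /mnt/sda2). The function names, the directory layout and the sample files in the demo tree are constructed assumptions.

```shell
# Added example (not code from the thread or from xPUD/ComboFix): compare a
# System32 binary with its Service Pack cache copy by MD5, from a Linux live
# environment with the Windows partition mounted, e.g. root=/mnt/sda2.
# Assumed layout: $root/WINDOWS/system32 and $root/WINDOWS/ServicePackFiles/i386.

# Print the md5 of a file, or the word "missing" if it does not exist.
file_md5() {
    if [ -f "$1" ]; then
        md5sum "$1" | cut -d' ' -f1
    else
        echo missing
    fi
}

# Compare $root/WINDOWS/system32/$name with the Service Pack cache copy.
# Exit status: 0 both copies match; 1 the live copy differs from the cache
# (the state the manual winlogon.exe recopy repairs); 2 no cache copy exists,
# so nothing can be concluded about the live file.
check_system_file() {
    root="$1"; name="$2"
    live="$root/WINDOWS/system32/$name"
    cache="$root/WINDOWS/ServicePackFiles/i386/$name"
    live_md5=$(file_md5 "$live")
    cache_md5=$(file_md5 "$cache")
    if [ "$cache_md5" = missing ]; then
        echo "$name: no cache copy at $cache, cannot verify"
        return 2
    fi
    if [ "$live_md5" = "$cache_md5" ]; then
        echo "$name: OK $live_md5"
        return 0
    fi
    echo "$name: MISMATCH live=$live_md5 cache=$cache_md5"
    return 1
}

# Check every file name read from stdin (one per line).
# Exit status: the number of files whose live copy differs from the cache;
# files without a cache copy are reported but not counted.
check_system_files() {
    root="$1"; bad=0
    while read -r name; do
        [ -n "$name" ] || continue
        check_system_file "$root" "$name"
        [ $? -eq 1 ] && bad=$((bad + 1))
    done
    return "$bad"
}

# Build a constructed demo tree (sample files, not a real Windows install) so
# the check runs offline: winlogon.exe deliberately differs from its cache copy,
# explorer.exe matches, and userinit.exe has no cache copy at all.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/WINDOWS/system32" "$demo/WINDOWS/ServicePackFiles/i386"
    printf 'genuine winlogon' > "$demo/WINDOWS/ServicePackFiles/i386/winlogon.exe"
    printf 'patched winlogon' > "$demo/WINDOWS/system32/winlogon.exe"
    printf 'genuine explorer' > "$demo/WINDOWS/ServicePackFiles/i386/explorer.exe"
    printf 'genuine explorer' > "$demo/WINDOWS/system32/explorer.exe"
    printf 'orphan'           > "$demo/WINDOWS/system32/userinit.exe"
    echo "$demo"
}

# Demonstration run on the constructed tree.
DEMO_ROOT=$(make_demo_tree)
printf '%s\n' winlogon.exe explorer.exe userinit.exe \
    | check_system_files "$DEMO_ROOT" && rc=0 || rc=$?
echo "files differing from cache: $rc"   # prints "files differing from cache: 1"
rm -rf "$DEMO_ROOT"
```

On a real mount, a match only proves the live file equals the cache copy; a tampered cache would pass, so the cache hash itself should be compared against a copy from known-good install media.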

#8 sandem

sandem
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 22 September 2011 - 02:09 AM

Worked like a charm and I can get into Windows again :):):)

Below is the text from the c:\combofix.txt log. One thing to note is that after combofix ran and then rebooted the machine, my McAfee security center started up again when windows started (which I was worried about because the combofix window that automatically opened said not to run any programs while it was operating/producing the log). I didn't want to open McAfee to disable scanning/firewall or open the task manager to shut down its processes at that point b/c I didn't want to stall/freeze or interfere with combofix. Then a McAfee message popped up and said it had blocked a potentially harmful program/process and it was in a combofix directory, so I told it to "allow" and then proceeded to shut down McAfee again in case it tried to block anything else with combofix. Hopefully that didn't affect anything and the log is OK. I'd be very curious to know what the infection was if it's possible to tell exactly from the log.

Should I try running a scan with McAfee or Malwarebytes? Should I leave or delete ComboFix? I'll await further instructions.

****** combofix.txt log ******

ComboFix 11-09-21.04 - Ian 09/22/2011 2:16.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1306 [GMT -4:00]
Running from: c:\documents and settings\Ian\Desktop\ComboFix.exe
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\VCREDI~3.EXE
c:\documents and settings\Ian\Application Data\inst.exe
c:\documents and settings\Ian\Application Data\Microsoft\~DFKb6651c8.tmp
c:\documents and settings\Ian\Application Data\Microsoft\1eaadjc.dll
c:\documents and settings\Ian\Application Data\Microsoft\bass.dll
c:\documents and settings\Ian\Application Data\Microsoft\kfgresk.dll
c:\documents and settings\Ian\Application Data\Microsoft\mjcriu.dll
c:\documents and settings\Ian\Application Data\Microsoft\peaadje.dll
c:\documents and settings\Ian\Application Data\Microsoft\qwadjb.dll
c:\documents and settings\Ian\Application Data\Microsoft\rsaadjd.dll
c:\documents and settings\Ian\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Ian\Local Settings\Application Data\ApplicationHistory\csc.exe.3e4ac0af.ini
c:\documents and settings\Ian\Local Settings\Application Data\ApplicationHistory\MBKInstaller.exe.7de71b57.ini
c:\documents and settings\Ian\Local Settings\Application Data\ApplicationHistory\McAfeeDataBackup.exe.e548c4c.ini.inuse
c:\documents and settings\Ian\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Ian\Local Settings\Application Data\ApplicationHistory\qbw32.exe.e3eefc31.ini
c:\documents and settings\Ian\Local Settings\Application Data\ApplicationHistory\regasm.exe.11f1da13.ini
c:\documents and settings\Ian\Local Settings\Application Data\Windows Server
c:\documents and settings\Ian\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Ian\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Ian\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\Ian\My Documents\~WRD2455.tmp
c:\documents and settings\Ian\My Documents\~WRL0309.tmp
c:\documents and settings\Ian\WINDOWS
c:\program files\messenger\msmsgsin.exe
c:\windows\iun6002.exe
c:\windows\system32\comct332.ocx
c:\windows\system32\d3d9caps.dat
.
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_NPF
-------\Legacy_ovfsthoboulrgalxuiqjikmlkxewqxmqsqnswu
-------\Service_NPF
-------\Service_ovfsthoboulrgalxuiqjikmlkxewqxmqsqnswu
.
.
((((((((((((((((((((((((( Files Created from 2011-08-22 to 2011-09-22 )))))))))))))))))))))))))))))))
.
.
2011-09-22 01:34 . 2008-04-14 00:12 507904 ------w- c:\windows\system32\winlogon.exe
2011-09-10 21:59 . 2011-09-10 22:28 -------- d-----w- c:\documents and settings\Ian\Calibre Library
2011-09-10 21:59 . 2011-09-10 22:10 -------- d-----w- c:\documents and settings\Ian\Application Data\calibre
2011-09-10 21:58 . 2011-09-10 21:58 -------- d-----w- c:\program files\Calibre2
2011-09-03 10:17 . 2011-09-09 09:12 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2002-08-29 07:40 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-19 02:23 . 2011-07-04 21:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2002-08-29 05:59 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-12 15:20 . 2011-07-12 15:20 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20 . 2011-07-12 15:20 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20 . 2011-07-12 15:20 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20 . 2011-07-12 15:20 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-07-08 14:02 . 2001-08-23 16:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2002-01-01 01:02 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-09-07 13:54 . 2011-03-24 15:36 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2010-01-05 22:04 . 2010-04-20 22:15 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"igfxtray"="c:\windows\System32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\System32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\System32\igfxpers.exe" [2005-11-03 118784]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"nwiz"="nwiz.exe" [2008-12-26 1657376]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" [2003-06-18 45056]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-26 86016]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-03-27 181544]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-11-06 741376]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"CTHelper"="CTHELPER.EXE" [2010-03-18 19456]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMidi"="MIDIDEF.EXE" [2010-03-18 28672]
.
c:\documents and settings\Ian\Start Menu\Programs\Startup\
Wallpaper Changer.lnk - c:\program files\WallpaperToy\Wallpapertoy.Exe [2009-3-29 110592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-4-3 25214]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\CTHELPER.EXE"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/20/2010 6:14 PM 82952]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [1/4/2009 11:17 PM 33824]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [10/27/2009 3:15 AM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [10/27/2009 3:15 AM 234888]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [3/27/2009 3:54 PM 165160]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/5/2008 8:37 AM 94880]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/20/2010 6:14 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/20/2010 6:14 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/20/2010 6:15 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/20/2010 6:14 PM 141792]
R2 PfDetNT;PfDetNT;c:\windows\system32\drivers\pfmodnt.sys [3/18/2010 8:50 PM 15960]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/20/2010 6:14 PM 55456]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/20/2010 6:14 PM 312584]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/20/2010 6:14 PM 88480]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [6/10/2009 3:14 PM 47360]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S1 unqtgenv;unqtgenv;\??\c:\windows\system32\drivers\unqtgenv.sys --> c:\windows\system32\drivers\unqtgenv.sys [?]
S1 ynliualt;ynliualt;\??\c:\windows\system32\drivers\ynliualt.sys --> c:\windows\system32\drivers\ynliualt.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [3/18/2010 8:39 PM 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [8/27/2010 1:18 PM 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [3/18/2010 8:39 PM 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [3/18/2010 8:39 PM 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [3/18/2010 8:39 PM 566360]
S3 JakNDisMP;JakNDisMP;c:\windows\system32\DRIVERS\JakNDis.sys --> c:\windows\system32\DRIVERS\JakNDis.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/4/2009 2:05 PM 39984]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/20/2010 6:14 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/20/2010 6:14 PM 83496]
S3 PID_0920;Logitech QuickCam Express(PID_0920);c:\windows\system32\drivers\LV532AV.SYS [6/9/2007 6:00 PM 152576]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 20:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-57989841-725345543-1003Core.job
- c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-27 23:26]
.
2011-09-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1844237615-57989841-725345543-1003UA.job
- c:\documents and settings\Ian\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-27 23:26]
.
2011-09-22 c:\windows\Tasks\User_Feed_Synchronization-{F3CDAD25-BCD7-4F71-A9E6-98E4A1F7EBAE}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2011-05-19 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-04-27 05:46]
.
2011-07-19 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-06-06 22:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Ian\Application Data\Mozilla\Firefox\Profiles\ij048ut4.Mike\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-Mfaviqen - c:\windows\dbmstr.dll
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-CTXFIREG - CTxfiReg.exe
AddRemove-Azureus - c:\program files\Azureus\Uninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-22 02:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1844237615-57989841-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{25A9CCBC-8678-688A-13E5-1C7EBA2AB27A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oalnjjdibdoodhobpgeopfmecfmnhf"=hex:64,61,6c,64,6a,68,6b,6c,00,85
"oahcjmhdlgbdgbofigoiidbjdogfab"=hex:6a,61,6b,64,6b,68,64,6b,62,6c,6e,6b,67,6f,
70,65,6d,6f,70,61,00,02
"nanmphgnhjdcdgbjnimcacoldloh"=hex:6a,61,6c,64,66,6a,6d,63,69,6b,63,67,61,6a,
6e,64,66,63,62,61,00,02
.
[HKEY_USERS\S-1-5-21-1844237615-57989841-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9993DCA7-5BBA-14B2-6A41-069EC0BAA03F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaeijepedkdeaiadnaddlafjjopiea"=hex:64,61,64,6b,6a,6b,61,64,00,85
"oaapdladikmnikfhmmngjjpcnmpopl"=hex:6a,61,64,6b,6b,6b,6f,65,67,6d,61,65,62,6a,
70,64,63,64,64,61,00,0f
"nakoffknmlkhkcneanknkefcfiaa"=hex:69,61,62,6b,6a,65,64,6b,64,67,63,64,6e,6a,
65,67,6d,62,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3676)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-09-22 02:42:34 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-22 06:42
.
Pre-Run: 8,792,379,392 bytes free
Post-Run: 14,330,564,608 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 1B206F4342BFC7E09C0DD05E70DA5DB5

#9 JSntgRvr

Posted 22 September 2011 - 02:31 PM

Let's scan for remnants.

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#10 sandem

Posted 22 September 2011 - 07:37 PM

The reports for MBAM and ESET scans are below. Once the ESET scan was complete there is a box underneath "Uninstall application on close" that you can check to "Delete quarantined files" before clicking on Finish. Should I check it before exiting or leave it blank?

****** MBAM Log ******

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7775

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/22/2011 5:14:38 PM
mbam-log-2011-09-22 (17-14-38).txt

Scan type: Quick scan
Objects scanned: 176268
Time elapsed: 8 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\zz-winlogon.exe.tmp (Trojan.Agent) -> Quarantined and deleted successfully.


****** ESET Log ******

C:\Documents and Settings\Ian\Application Data\Sun\Java\Deployment\cache\6.0\55\5bc0e2f7-76c03985 Java/TrojanDownloader.OpenStream.NCA trojan deleted - quarantined
C:\Progs & Patches\Games\Gish 1.43 with Keygen\Gish trainer.zip probably a variant of Win32/Agent.JFLAXHV trojan deleted - quarantined
C:\System Volume Information\_restore{972C815E-E4E6-411C-A428-4FD8DB94EE7D}\RP296\A0031718.exe a variant of Win32/Keygen.AS application cleaned by deleting - quarantined
C:\System Volume Information\_restore{972C815E-E4E6-411C-A428-4FD8DB94EE7D}\RP296\A0031719.exe Win32/Keygen.AJ application cleaned by deleting - quarantined
C:\System Volume Information\_restore{972C815E-E4E6-411C-A428-4FD8DB94EE7D}\RP332\A0043389.exe Win32/Adware.Toolbar.Dealio application deleted - quarantined
C:\System Volume Information\_restore{972C815E-E4E6-411C-A428-4FD8DB94EE7D}\RP341\A0044060.exe multiple threats deleted - quarantined
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DT trojan cleaned by deleting - quarantined

#11 JSntgRvr

Posted 22 September 2011 - 08:57 PM

How is the computer doing?



#12 sandem

Posted 22 September 2011 - 09:15 PM

Seems to be doing fine now. No problems that I can notice at this point :)

#13 JSntgRvr

Posted 22 September 2011 - 09:18 PM

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.

  • Rename Combofix to Uninstall and click on it. That should remove the application.

Manually remove any tool left.

Create a Restore point:

  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!



#14 sandem

Posted 23 September 2011 - 03:03 AM

Done!

Thanks so much for helping me get rid of the infection. It is great what you guys are doing for ppl on this site. Am just relieved to be able to use my own PC again. Hell of a job, and thank you again for your time and patience! :thumbup2:

- All the best

#15 JSntgRvr

Posted 15 October 2011 - 02:50 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
