Rootkit.ZeroAccess HELP!


  • This topic is locked
11 replies to this topic

#1 mds.82

  • Members
  • 6 posts
  • Gender:Male
  • Location:N.Cambria, PA USA

Posted 21 September 2011 - 06:23 PM

Hello all,

I have solved (I think) most of the issue thus far. Using my own knowledge and that of a friend, we successfully got rid of the #########:#########.exe that was in Task Manager. It was not allowing a lot of applications to run, and was causing serious issues with browsing/using the internet.

I managed to get ComboFix to run successfully and it did state that I was infected with Rootkit.ZeroAccess in the TCP/IP drivers, I believe.

When all was said and done, the logfile stated it deleted a few dozen or so files/folders, save one: a $NTUninstallK folder in C:/windows. I cannot delete the folder myself either; a popup box says access is denied, write protected/in use. I want to make certain that I remove this virus FULLY, as it was a severe pain to remove with my limited anti-virus knowledge. Should I be concerned about this issue? My friend says that if ComboFix was trying to delete it, there was a reason, and I should remove it.

I am still having permission issues with some programs, though I have re-installed Microsoft Security Essentials (which is currently running as I type this), as well as Kaspersky AV. They are both now functioning properly with no more permission issues. Are my worries with this virus over? Or am I dealing with the left-over permission issues created by it?

Since I have already run ComboFix, I have posted the log file (attached: ComboFix.txt), as well as the requested DDS log below (attached: attach.txt) and the GMER log file (attached: ark.txt). (Hope this isn't an issue!) I really appreciate any/all help on this issue, as my family relies on this PC and I don't want to have future problems because I failed to completely remove that SOB of a virus. THANKS!

DDS LOG.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by MDS at 19:48:49 on 2011-09-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1188 [GMT 1:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.tweakguides.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [StartupDelayer] "c:\program files\r2 studios\startup delayer\Startup Launcher GUI.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoLogoff = 01000000
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: com\www.msi
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/RELEASECAB/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15116/CTPID.cab
TCP: DhcpNameServer = 68.87.75.198 68.87.64.150
TCP: Interfaces\{CCC6850B-960C-4A3D-B487-7D0CF5733AC7} : DhcpNameServer = 68.87.75.198 68.87.64.150
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2010-7-12 184848]
R0 FTT3;FTT3;c:\windows\system32\drivers\FTT3.sys [2010-7-8 162824]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl26d1a40e;MpKsl26d1a40e;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{098fe6c2-8f6b-4980-95d1-ab78a8d2e45b}\MpKsl26d1a40e.sys [2011-9-21 28752]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2010-7-9 12672]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-7-9 10448]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2011-8-17 101392]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171096]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324120]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72792]
RUnknown 60216792;60216792; [x]
RUnknown 7482648drv;7482648drv; [x]
S0 FTT3s;FTT3s;c:\windows\system32\drivers\FTT3s.sys [2011-3-13 170504]
S1 MpKsl1e69479d;MpKsl1e69479d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{978578ff-723f-4d8a-94cf-cced19ab0603}\mpksl1e69479d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{978578ff-723f-4d8a-94cf-cced19ab0603}\MpKsl1e69479d.sys [?]
S1 MpKsl340ac0f8;MpKsl340ac0f8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c16dbbd7-0ae5-4d06-84d7-887a12295579}\mpksl340ac0f8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c16dbbd7-0ae5-4d06-84d7-887a12295579}\MpKsl340ac0f8.sys [?]
S1 MpKsld7c0a120;MpKsld7c0a120;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{616039be-fb74-4f38-8ede-ba446997f0ea}\mpksld7c0a120.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{616039be-fb74-4f38-8ede-ba446997f0ea}\MpKsld7c0a120.sys [?]
S2 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;"c:\program files\emsisoft anti-malware\a2service.exe" --> c:\program files\emsisoft anti-malware\a2service.exe [?]
S2 AODService;AODService;c:\program files\amd\overdrive\AODAssist.exe [2011-5-26 136616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 a2acc;a2acc;\??\c:\program files\emsisoft anti-malware\a2accx86.sys --> c:\program files\emsisoft anti-malware\a2accx86.sys [?]
S3 atidgllk;atidgllk;c:\documents and settings\mds\my documents\radeon bios\winflash20114\atidgllk.sys [2011-5-11 12048]
S3 cpuz130;cpuz130;\??\c:\docume~1\mds\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\mds\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-7-9 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2009-6-4 171096]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2009-6-4 1324120]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2009-6-4 72792]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\drivers\LwAdiHid.sys [2010-8-5 20864]
S3 MSI_DVD_010507;MSI_DVD_010507;c:\progra~1\msi\msiwdev\DVDSYS32_100507.sys [2010-5-10 22328]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\progra~1\msi\msiwdev\msibios32_100507.sys [2010-5-10 25912]
S3 MSI_VGASYS_010507;MSI_VGASYS_010507;c:\progra~1\msi\msiwdev\VGASYS32_100507.sys [2010-5-10 16696]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2011-8-2 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2011-8-2 8576]
S3 NTIOLib_1_0_8;NTIOLib_1_0_8;c:\progra~1\msi\msiwdev\NTIOLib.sys [2011-1-27 7680]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
UnknownUnknown vdrv1000;vdrv1000; [x]
.
=============== Created Last 30 ================
.
2011-09-21 17:36:20 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{098fe6c2-8f6b-4980-95d1-ab78a8d2e45b}\MpKsl26d1a40e.sys
2011-09-21 17:36:15 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{098fe6c2-8f6b-4980-95d1-ab78a8d2e45b}\offreg.dll
2011-09-21 17:36:14 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{098fe6c2-8f6b-4980-95d1-ab78a8d2e45b}\mpengine.dll
2011-09-21 17:35:52 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-09-21 17:35:45 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-21 17:02:05 -------- d-----w- C:\1b3508b23294fdc50389dd44
2011-09-21 16:17:00 -------- d-sha-r- C:\cmdcons
2011-09-21 16:15:37 98816 ----a-w- c:\windows\sed.exe
2011-09-21 16:15:37 518144 ----a-w- c:\windows\SWREG.exe
2011-09-21 16:15:37 256000 ----a-w- c:\windows\PEV.exe
2011-09-21 16:15:37 208896 ----a-w- c:\windows\MBR.exe
2011-09-21 16:12:56 4222691 ------r- C:\dado.exe
2011-09-21 12:03:47 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-21 10:19:06 -------- d-----w- c:\program files\MWBANMW
2011-09-21 00:42:14 0 ----a-w- c:\windows\ativpsrm.bin
2011-09-20 23:57:51 388096 ----a-r- c:\documents and settings\mds\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-09-20 23:57:50 -------- d-----w- c:\program files\Trend Micro
2011-09-20 23:25:36 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-09-20 23:25:36 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-20 23:24:57 -------- d-----w- c:\program files\common files\PCSuite
2011-09-20 23:23:10 -------- d-----w- c:\program files\PE Explorer
2011-09-20 22:51:18 -------- d-----w- c:\windows\system32\Adobe
2011-09-20 22:20:46 -------- d-----w- c:\program files\a-squared Free
2011-09-20 17:53:05 -------- d-----w- c:\documents and settings\mds\application data\Malwarebytes
2011-09-20 17:52:50 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-10 09:21:44 -------- d-----w- C:\DriveKey
2011-09-09 12:02:19 -------- d-----w- c:\documents and settings\mds\application data\com.comcast.callerid.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2011-09-09 12:02:11 -------- d-----w- c:\program files\Comcast Universal Caller ID
2011-09-01 11:06:25 -------- d--h--w- c:\windows\PIF
.
==================== Find3M ====================
.
2011-09-09 09:11:14 599552 ----a-w- c:\windows\system32\crypt32.dll
2011-09-03 14:13:46 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2011-09-03 14:13:46 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2011-08-17 12:20:20 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-31 07:35:46 65536 ----a-w- c:\windows\system32\frapsvid.dll
2011-07-28 22:20:10 7084544 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-07-28 22:17:42 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-07-28 22:01:36 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-07-28 22:01:30 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-07-28 21:57:54 5697536 ----a-w- c:\windows\system32\aticaldd.dll
2011-07-28 21:40:22 18440192 ----a-w- c:\windows\system32\atioglxx.dll
2011-07-28 21:34:58 3973696 ----a-w- c:\windows\system32\ati3duag.dll
2011-07-28 21:32:10 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-07-28 21:31:06 303104 ----a-w- c:\windows\system32\ati2dvag.dll
2011-07-28 21:27:30 956160 ----a-w- c:\windows\system32\ativvamv.dll
2011-07-28 21:15:32 3166208 ----a-w- c:\windows\system32\ativvaxx.dll
2011-07-28 21:14:02 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-07-28 21:13:50 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-07-28 21:13:40 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-07-28 21:13:34 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-07-28 21:13:20 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-07-28 21:12:06 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-07-28 21:10:48 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-07-28 21:09:28 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-07-28 21:05:36 704512 ----a-w- c:\windows\system32\atikvmag.dll
2011-07-28 21:01:08 208896 ----a-w- c:\windows\system32\atiadlxx.dll
2011-07-28 21:00:46 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-07-28 20:59:14 507904 ----a-w- c:\windows\system32\atiok3x2.dll
2011-07-28 20:55:02 876544 ----a-w- c:\windows\system32\ati2cqag.dll
2011-07-28 20:53:52 64512 ----a-w- c:\windows\system32\atimpc32.dll
2011-07-28 20:53:52 64512 ----a-w- c:\windows\system32\amdpcom32.dll
2011-07-28 20:53:18 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-29 22:11:19 33280 ----a-w- c:\windows\system32\rundll32.exe
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 19:49:22.60 ===============

Edited by mds.82, 21 September 2011 - 09:51 PM.



#2 mds.82

  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:N.Cambria, PA USA

Posted 21 September 2011 - 07:53 PM

Sorry, GMER is still running, will attach the results as soon as it is complete!

Also, I forgot to add that the folder in the ComboFix log that was NOT deleted is showing 200,000+ folders when moused over. I can't actually open the folder to see what's even inside it though. Seems reeeeeeaaaaally suspicious to my untrained eye...

Edited by mds.82, 21 September 2011 - 08:01 PM.


#3 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 September 2011 - 06:23 PM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::

Rootkit::
c:\windows\$NtUninstallKB49139$

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT



Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
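As an added example for triaging a log like the DDS output posted above (this is not DDS, ComboFix or anything from this thread; the line format and the sample entries are copied from the posted log, while the flagging heuristics are my own assumptions): a small parser that walks the SERVICES / DRIVERS section and lists the entries a responder would look at first.

```python
"""Triage helper for the SERVICES / DRIVERS section of a DDS log (added example).

Parses lines of the form

    R0 name;display name;c:\\path\\file.sys [2010-7-12 184848]
    RUnknown 60216792;60216792; [x]

and flags the entries a responder would examine first. The flags are
heuristics that prompt a manual look, not a verdict of malice.
"""
import re
from typing import Dict, List, Optional

# One DDS service/driver line: start code, name;display;path, then either
# "[date size]" for a file DDS could stat, "[?]" when it could not, or "[x]"
# when DDS found no file at all behind the registry entry.
_LINE_RE = re.compile(
    r"^(?P<state>R|S|Unknown)(?P<start>\d|Unknown)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)

# Constructed sample in DDS format: entries taken from the log posted in this
# thread, chosen so that all three bracket variants appear.
SAMPLE_DDS_SERVICES = r"""
============= SERVICES / DRIVERS ===============
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2010-7-12 184848]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
RUnknown 60216792;60216792; [x]
RUnknown 7482648drv;7482648drv; [x]
S3 cpuz130;cpuz130;\??\c:\docume~1\mds\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\mds\locals~1\temp\cpuz130\cpuz_x32.sys [?]
UnknownUnknown vdrv1000;vdrv1000; [x]
"""


def parse_dds_service_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one service/driver line, or None for any other line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # DDS prints "\??\<registry path> --> <resolved path>"; keep the resolved one.
    if "-->" in entry["path"]:
        entry["path"] = entry["path"].split("-->", 1)[1].strip()
    return entry


def flag_entry(entry: Dict[str, str]) -> List[str]:
    """Heuristic (assumed) reasons a responder would want to examine this entry."""
    reasons = []
    if entry["info"] == "x":
        reasons.append("registry service entry with no image file on disk")
    elif entry["info"] == "?":
        reasons.append("image file could not be verified by DDS")
    if entry["start"] == "Unknown":
        reasons.append("start type could not be read from the registry")
    # Names such as 60216792 or 7482648drv carry no vendor or function hint.
    if re.fullmatch(r"\d{5,}[a-z]{0,4}", entry["name"], re.I):
        reasons.append("machine-generated looking service name")
    # Kernel drivers have no business loading from a user's temp directory.
    if re.search(r"\\temp\\", entry["path"], re.I):
        reasons.append("driver image lives in a temp directory")
    return reasons


def triage_dds_services(log_text: str) -> List[Dict[str, object]]:
    """Return the flagged entries of a SERVICES / DRIVERS section, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_dds_service_line(line)
        if entry is None:
            continue
        reasons = flag_entry(entry)
        if reasons:
            findings.append({"name": entry["name"], "path": entry["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_dds_services(SAMPLE_DDS_SERVICES):
        print(f"{finding['name']}: " + "; ".join(finding["reasons"]))
```

Run against the full SERVICES / DRIVERS section of a DDS log, it leaves the ordinary vendor drivers alone and surfaces the orphaned, unnamed and temp-folder entries for manual review.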


#4 mds.82

  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:N.Cambria, PA USA

Posted 23 September 2011 - 07:33 PM

OK... I just restarted the PC for the first time today since my last post. I restarted the PC and it took quite a bit longer than usual. The folder is now gone... I do have MSE set to run a quick scan every day but it's not showing anything regarding that folder in the logs. And (afaik) nobody else has touched the PC, not anyone that would have attempted to delete the folder.

Should I still be worried, or what do you suggest? My only other concern was that the two lines in the registry that contained the virus' exe were in a folder that is also mentioned/named in the ark.txt file which I included above...

Device >>> >>> \Driver\00000779 \GLOBAL??\a914e918 >>> >>> >>> 890E6830
.......................................................................^ this was the folder name in the registry where there was a reference to the #########:#########.exe.

What do you think?

Edited by mds.82, 23 September 2011 - 07:34 PM.


#5 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 September 2011 - 07:41 PM

Please run the script and the TDSSKiller as described in my last post.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 mds.82

  • Topic Starter
  • Members
  • 6 posts
  • Gender:Male
  • Location:N.Cambria, PA USA

Posted 23 September 2011 - 08:35 PM

COMBOFIX LOG:
ComboFix 11-09-23.03 - MDS 09/23/2011 21:10:37.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1392 [GMT 1:00]
Running from: c:\documents and settings\MDS\Desktop\dado.exe
Command switches used :: c:\documents and settings\MDS\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-23 to 2011-09-23 )))))))))))))))))))))))))))))))
.
.
2011-09-23 20:09 . 2011-09-23 20:09 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\MpKsl0170251e.sys
2011-09-23 20:06 . 2011-09-23 20:06 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\MpKsled0337a3.sys
2011-09-23 20:06 . 2011-09-23 20:06 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\MpKslca32e313.sys
2011-09-23 19:22 . 2011-09-23 19:22 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\MpKslfcde4641.sys
2011-09-23 04:05 . 2011-09-23 20:09 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\offreg.dll
2011-09-23 04:05 . 2011-09-12 15:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\mpengine.dll
2011-09-22 11:05 . 2011-09-12 15:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-09-22 06:24 . 2011-09-22 06:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-22 06:24 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-22 04:11 . 2011-09-12 15:14 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-21 17:35 . 2011-09-22 18:47 -------- d-----w- c:\program files\Microsoft Security Client
2011-09-21 10:19 . 2011-09-21 18:57 -------- d-----w- c:\program files\MWBANMW
2011-09-21 00:42 . 2011-09-21 00:42 0 ----a-w- c:\windows\ativpsrm.bin
2011-09-20 23:57 . 2011-09-20 23:57 388096 ----a-r- c:\documents and settings\MDS\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-20 23:57 . 2011-09-20 23:57 -------- d-----w- c:\program files\Trend Micro
2011-09-20 23:25 . 2011-09-20 23:25 -------- d-----w- c:\windows\system32\wbem\Repository
2011-09-20 23:24 . 2011-09-20 23:24 -------- d-----w- c:\program files\Common Files\PCSuite
2011-09-20 23:23 . 2011-09-20 23:23 -------- d-----w- c:\program files\PE Explorer
2011-09-20 22:51 . 2011-09-20 23:23 -------- d-----w- c:\windows\system32\Adobe
2011-09-20 22:20 . 2011-09-20 23:23 -------- d-----w- c:\program files\a-squared Free
2011-09-20 21:46 . 2011-09-20 23:23 -------- d-s---w- c:\documents and settings\Administrator.790FX-DRAGON
2011-09-20 17:53 . 2011-09-20 17:53 -------- d-----w- c:\documents and settings\MDS\Application Data\Malwarebytes
2011-09-20 17:52 . 2011-09-20 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-20 17:48 . 2011-09-20 17:48 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-09-20 16:44 . 2011-09-21 10:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-09-20 14:41 . 2011-09-20 14:41 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-09-10 09:21 . 2011-09-10 09:21 -------- d-----w- C:\DriveKey
2011-09-09 12:02 . 2011-09-09 12:02 -------- d-----w- c:\documents and settings\MDS\Application Data\com.comcast.callerid.13A1FA90F0FC9DC009FB0956ADD0F13F8608561B.1
2011-09-09 12:02 . 2011-09-09 12:02 -------- d-----w- c:\program files\Comcast Universal Caller ID
2011-09-09 12:02 . 2011-09-09 12:02 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-09-01 11:06 . 2011-09-01 11:06 -------- d--h--w- c:\windows\PIF
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:11 . 2006-02-28 12:00 599552 ----a-w- c:\windows\system32\crypt32.dll
2011-09-03 14:13 . 2010-07-09 20:11 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2011-09-03 14:13 . 2010-07-09 20:11 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2011-08-17 12:20 . 2011-05-16 21:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-31 07:35 . 2011-07-31 07:35 65536 ----a-w- c:\windows\system32\frapsvid.dll
2011-07-28 22:20 . 2010-07-09 19:36 7084544 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2011-07-28 22:17 . 2011-05-10 22:05 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2011-07-28 22:01 . 2011-05-09 18:30 57344 ----a-w- c:\windows\system32\aticalrt.dll
2011-07-28 22:01 . 2011-05-09 18:30 53248 ----a-w- c:\windows\system32\aticalcl.dll
2011-07-28 21:57 . 2011-05-09 18:30 5697536 ----a-w- c:\windows\system32\aticaldd.dll
2011-07-28 21:40 . 2011-05-10 22:05 18440192 ----a-w- c:\windows\system32\atioglxx.dll
2011-07-28 21:34 . 2010-07-09 19:36 3973696 ----a-w- c:\windows\system32\ati3duag.dll
2011-07-28 21:32 . 2011-05-10 22:05 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-07-28 21:31 . 2010-07-09 19:36 303104 ----a-w- c:\windows\system32\ati2dvag.dll
2011-07-28 21:27 . 2011-04-24 12:51 956160 ----a-w- c:\windows\system32\ativvamv.dll
2011-07-28 21:15 . 2010-07-09 19:36 3166208 ----a-w- c:\windows\system32\ativvaxx.dll
2011-07-28 21:14 . 2011-05-09 18:30 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2011-07-28 21:13 . 2011-05-10 22:05 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2011-07-28 21:13 . 2011-05-10 22:05 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2011-07-28 21:13 . 2011-05-09 18:30 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2011-07-28 21:13 . 2010-07-09 19:36 188416 ----a-w- c:\windows\system32\ati2evxx.dll
2011-07-28 21:12 . 2011-05-09 18:30 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2011-07-28 21:10 . 2011-05-10 22:05 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2011-07-28 21:09 . 2011-05-09 18:30 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-07-28 21:05 . 2010-08-31 16:44 704512 ----a-w- c:\windows\system32\atikvmag.dll
2011-07-28 21:01 . 2010-08-31 16:44 208896 ----a-w- c:\windows\system32\atiadlxx.dll
2011-07-28 21:00 . 2011-05-10 22:05 17408 ----a-w- c:\windows\system32\atitvo32.dll
2011-07-28 20:59 . 2010-08-31 16:44 507904 ----a-w- c:\windows\system32\atiok3x2.dll
2011-07-28 20:55 . 2010-07-09 19:36 876544 ----a-w- c:\windows\system32\ati2cqag.dll
2011-07-28 20:53 . 2011-05-09 18:30 64512 ----a-w- c:\windows\system32\atimpc32.dll
2011-07-28 20:53 . 2010-07-09 19:36 64512 ----a-w- c:\windows\system32\amdpcom32.dll
2011-07-28 20:53 . 2011-05-10 22:05 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-02-28 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-29 22:11 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\rundll32.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-21_16.37.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 1601-01-01 00:00 . 1601-01-01 00:00 0 c:\windows\temp\Perflib_Perfdata_2a8.dat
- 2006-02-28 12:00 . 2011-09-21 16:38 72378 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2011-09-23 19:26 72378 c:\windows\system32\perfc009.dat
- 2006-02-28 12:00 . 2011-09-21 16:38 421584 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2011-09-23 19:26 421584 c:\windows\system32\perfh009.dat
+ 2010-03-25 20:30 . 2011-04-18 12:18 165648 c:\windows\system32\drivers\MpFilter.sys
- 2010-10-25 01:25 . 2011-04-18 12:18 165648 c:\windows\system32\drivers\MpFilter.sys
+ 2011-09-22 11:06 . 2011-09-22 11:06 785920 c:\windows\Installer\376893a.msi
+ 2011-09-22 11:05 . 2011-09-22 11:05 483840 c:\windows\Installer\3768911.msi
+ 2011-09-22 11:05 . 2011-09-22 11:05 301056 c:\windows\Installer\3768907.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]
"StartupDelayer"="c:\program files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe" [2008-11-29 147456]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoLogoff"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ServiceLayer"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"g:\\2K Games\\BioShock 2\\SP\\Builds\\Binaries\\Bioshock2.exe"=
"g:\\2K Games\\BioShock 2\\MP\\Builds\\Binaries\\Bioshock2.exe"=
"g:\\Neverwinter Nights 2\\nwn2main.exe"=
"g:\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"g:\\Neverwinter Nights 2\\nwupdate.exe"=
"g:\\Neverwinter Nights 2\\nwn2server.exe"=
"g:\\Borderlands\\Gearbox Software\\Borderlands\\Binaries\\Borderlands.exe"=
"g:\\Steam\\SteamApps\\common\\sniper ghost warrior\\Sniper_x86.exe"=
"g:\\Far Cry 2\\bin\\FarCry2.exe"=
"g:\\Far Cry 2\\bin\\FC2Launcher.exe"=
"g:\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\Steam\\SteamApps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
"g:\\Steam\\steam.exe"=
"g:\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [7/12/2010 8:47 PM 184848]
R0 FTT3;FTT3;c:\windows\system32\drivers\FTT3.sys [7/8/2010 9:01 AM 162824]
R1 MpKsl0170251e;MpKsl0170251e;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\MpKsl0170251e.sys [9/23/2011 9:09 PM 28752]
R1 MpKslca32e313;MpKslca32e313;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\MpKslca32e313.sys [9/23/2011 9:06 PM 28752]
R1 MpKsled0337a3;MpKsled0337a3;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\MpKsled0337a3.sys [9/23/2011 9:06 PM 28752]
R1 MpKslfcde4641;MpKslfcde4641;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\MpKslfcde4641.sys [9/23/2011 8:22 PM 28752]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [7/9/2010 8:47 PM 10448]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [8/17/2011 9:44 PM 101392]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [6/4/2009 7:46 AM 171096]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [6/4/2009 7:46 AM 1324120]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [6/4/2009 7:46 AM 72792]
S0 FTT3s;FTT3s;c:\windows\system32\drivers\FTT3s.sys [3/13/2011 4:15 PM 170504]
S1 MpKsl1e69479d;MpKsl1e69479d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{978578FF-723F-4D8A-94CF-CCED19AB0603}\MpKsl1e69479d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{978578FF-723F-4D8A-94CF-CCED19AB0603}\MpKsl1e69479d.sys [?]
S1 MpKsl340ac0f8;MpKsl340ac0f8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C16DBBD7-0AE5-4D06-84D7-887A12295579}\MpKsl340ac0f8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C16DBBD7-0AE5-4D06-84D7-887A12295579}\MpKsl340ac0f8.sys [?]
S1 MpKsl56cf267c;MpKsl56cf267c;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A565911C-3B2E-40A0-8B47-0AD2B7FB554C}\MpKsl56cf267c.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A565911C-3B2E-40A0-8B47-0AD2B7FB554C}\MpKsl56cf267c.sys [?]
S1 MpKsl68aff244;MpKsl68aff244;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{098FE6C2-8F6B-4980-95D1-AB78A8D2E45B}\MpKsl68aff244.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{098FE6C2-8F6B-4980-95D1-AB78A8D2E45B}\MpKsl68aff244.sys [?]
S1 MpKsl7bea2fb4;MpKsl7bea2fb4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A565911C-3B2E-40A0-8B47-0AD2B7FB554C}\MpKsl7bea2fb4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A565911C-3B2E-40A0-8B47-0AD2B7FB554C}\MpKsl7bea2fb4.sys [?]
S1 MpKsl850a6fed;MpKsl850a6fed;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{098FE6C2-8F6B-4980-95D1-AB78A8D2E45B}\MpKsl850a6fed.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{098FE6C2-8F6B-4980-95D1-AB78A8D2E45B}\MpKsl850a6fed.sys [?]
S1 MpKsld1498f98;MpKsld1498f98;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{098FE6C2-8F6B-4980-95D1-AB78A8D2E45B}\MpKsld1498f98.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{098FE6C2-8F6B-4980-95D1-AB78A8D2E45B}\MpKsld1498f98.sys [?]
S1 MpKsld5670ac1;MpKsld5670ac1;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A565911C-3B2E-40A0-8B47-0AD2B7FB554C}\MpKsld5670ac1.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A565911C-3B2E-40A0-8B47-0AD2B7FB554C}\MpKsld5670ac1.sys [?]
S1 MpKsld7c0a120;MpKsld7c0a120;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{616039BE-FB74-4F38-8EDE-BA446997F0EA}\MpKsld7c0a120.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{616039BE-FB74-4F38-8EDE-BA446997F0EA}\MpKsld7c0a120.sys [?]
S2 AODService;AODService;c:\program files\AMD\OverDrive\AODAssist.exe [5/26/2011 3:54 AM 136616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 7:16 PM 130384]
S3 a2acc;a2acc;\??\c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys --> c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [?]
S3 a2AntiMalware;Emsisoft Anti-Malware 5.1 - Service;"c:\program files\Emsisoft Anti-Malware\a2service.exe" --> c:\program files\Emsisoft Anti-Malware\a2service.exe [?]
S3 atidgllk;atidgllk;c:\documents and settings\MDS\My Documents\Radeon BIOS\WinFlash20114\atidgllk.sys [5/11/2011 6:16 PM 12048]
S3 cpuz130;cpuz130;\??\c:\docume~1\MDS\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\MDS\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [7/9/2010 9:11 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [6/4/2009 7:46 AM 171096]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [6/4/2009 7:46 AM 1324120]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [6/4/2009 7:46 AM 72792]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\drivers\LwAdiHid.sys [8/5/2010 8:24 PM 20864]
S3 MSI_DVD_010507;MSI_DVD_010507;c:\progra~1\MSI\MSIWDev\DVDSYS32_100507.sys [5/10/2010 3:44 PM 22328]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\progra~1\MSI\MSIWDev\msibios32_100507.sys [5/10/2010 3:44 PM 25912]
S3 MSI_VGASYS_010507;MSI_VGASYS_010507;c:\progra~1\MSI\MSIWDev\VGASYS32_100507.sys [5/10/2010 3:44 PM 16696]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [8/2/2011 11:44 PM 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [8/2/2011 11:44 PM 8576]
S3 NTIOLib_1_0_8;NTIOLib_1_0_8;c:\progra~1\MSI\MSIWDev\NTIOLib.sys [1/27/2011 7:43 PM 7680]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 10:06 PM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 7:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-22 c:\windows\Tasks\HP Usg Daily FY04.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2011-04-17 05:09]
.
2011-09-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 14:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tweakguides.com/
Trusted Zone: com\www.msi
Trusted Zone: com.tw\asia.msi
Trusted Zone: com.tw\global.msi
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-23 21:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-606747145-1957994488-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:87,91,94,9d,c9,67,49,98,d6,76,a2,d9,9f,e0,d6,bb,e4,e8,40,a2,36,eb,29,
9a,98,6c,78,94,5a,58,f1,19,92,13,61,0f,61,b6,26,8f,67,25,4a,2f,39,e4,9e,08,\
"??"=hex:67,80,0e,84,ae,be,55,e9,15,0a,2e,6d,9e,6f,43,9f
.
[HKEY_USERS\S-1-5-21-606747145-1957994488-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:97,8f,fc,4b,7c,b4,9f,76,c7,2f,e9,b9,49,9b,bf,98,33,6d,c5,7c,45,
2f,29,95,e8,37,aa,34,51,d5,75,0e,cf,17,a5,8d,6e,37,68,67,4a,80,8e,da,f1,91,\
"rkeysecu"=hex:ca,3d,dd,c3,ae,49,d3,d5,da,da,23,20,8e,40,ac,93
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(3408)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\msiexec.exe
c:\program files\AMD\OverDrive\AMD OverDrive.exe
.
**************************************************************************
.
Completion time: 2011-09-23 21:19:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-23 20:19
ComboFix2.txt 2011-09-21 16:39
.
Pre-Run: 221,701,922,816 bytes free
Post-Run: 221,864,636,416 bytes free
.
- - End Of File - - 58AC8DCE83A12A7C933C0ADC970DBAD4
.
.
.
TDSSKiller LOG----------------------------------------------------------------------------------------------------
21:31:07.0718 3624 TDSS rootkit removing tool 2.6.0.0 Sep 23 2011 07:42:37
21:31:07.0984 3624 ============================================================
21:31:07.0984 3624 Current date / time: 2011/09/23 21:31:07.0984
21:31:07.0984 3624 SystemInfo:
21:31:07.0984 3624
21:31:07.0984 3624 OS Version: 5.1.2600 ServicePack: 3.0
21:31:07.0984 3624 Product type: Workstation
21:31:07.0984 3624 ComputerName: 790FX-DRAGON
21:31:07.0984 3624 UserName: MDS
21:31:07.0984 3624 Windows directory: C:\WINDOWS
21:31:07.0984 3624 System windows directory: C:\WINDOWS
21:31:07.0984 3624 Processor architecture: Intel x86
21:31:07.0984 3624 Number of processors: 4
21:31:07.0984 3624 Page size: 0x1000
21:31:07.0984 3624 Boot type: Normal boot
21:31:07.0984 3624 ============================================================
21:31:09.0140 3624 Initialize success
21:31:12.0187 3816 ============================================================
21:31:12.0187 3816 Scan started
21:31:12.0187 3816 Mode: Manual;
21:31:12.0187 3816 ============================================================
21:31:13.0203 3816 a2acc - ok
21:31:13.0234 3816 Abiosdsk - ok
21:31:13.0234 3816 abp480n5 - ok
21:31:13.0265 3816 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:31:13.0265 3816 ACPI - ok
21:31:13.0296 3816 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
21:31:13.0296 3816 ACPIEC - ok
21:31:13.0312 3816 adpu160m - ok
21:31:13.0328 3816 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:31:13.0328 3816 aec - ok
21:31:13.0375 3816 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
21:31:13.0375 3816 AFD - ok
21:31:13.0375 3816 Aha154x - ok
21:31:13.0390 3816 ahcix86 (1ed718ca8a8b3f5ab77416a873c2bf9d) C:\WINDOWS\system32\DRIVERS\ahcix86.sys
21:31:13.0390 3816 ahcix86 - ok
21:31:13.0406 3816 aic78u2 - ok
21:31:13.0406 3816 aic78xx - ok
21:31:13.0421 3816 AliIde - ok
21:31:13.0437 3816 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
21:31:13.0437 3816 AmdPPM - ok
21:31:13.0437 3816 amsint - ok
21:31:13.0453 3816 asc - ok
21:31:13.0453 3816 asc3350p - ok
21:31:13.0468 3816 asc3550 - ok
21:31:13.0531 3816 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:31:13.0531 3816 AsyncMac - ok
21:31:13.0531 3816 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:31:13.0531 3816 atapi - ok
21:31:13.0531 3816 Atdisk - ok
21:31:13.0656 3816 ati2mtag (913da327ad22c6fa44c41d36fd8cc570) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
21:31:13.0687 3816 ati2mtag - ok
21:31:13.0796 3816 atidgllk (adf7ef046725442ba32c4aef12646fd0) C:\Documents and Settings\MDS\My Documents\Radeon BIOS\WinFlash20114\atidgllk.sys
21:31:13.0796 3816 atidgllk - ok
21:31:13.0828 3816 AtiHDAudioService (0d6b8359677d05142b624f09c28d643a) C:\WINDOWS\system32\drivers\AtihdXP3.sys
21:31:13.0828 3816 AtiHDAudioService - ok
21:31:13.0843 3816 AtiHdmiService - ok
21:31:13.0875 3816 atksgt (3c4b9850a2631c2263507400d029057b) C:\WINDOWS\system32\DRIVERS\atksgt.sys
21:31:13.0875 3816 atksgt - ok
21:31:13.0921 3816 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:31:13.0921 3816 Atmarpc - ok
21:31:13.0953 3816 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:31:13.0953 3816 audstub - ok
21:31:14.0031 3816 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:31:14.0031 3816 Beep - ok
21:31:14.0062 3816 catchme - ok
21:31:14.0171 3816 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:31:14.0171 3816 cbidf2k - ok
21:31:14.0187 3816 cd20xrnt - ok
21:31:14.0281 3816 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:31:14.0281 3816 Cdaudio - ok
21:31:14.0296 3816 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:31:14.0296 3816 Cdfs - ok
21:31:14.0328 3816 Cdr4_xp (a98cf22fda79892b913a83c5b261f6a4) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
21:31:14.0328 3816 Cdr4_xp - ok
21:31:14.0343 3816 Cdralw2k (cfae75879d822a9fc792d05be367d040) C:\WINDOWS\system32\drivers\Cdralw2k.sys
21:31:14.0343 3816 Cdralw2k - ok
21:31:14.0359 3816 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:31:14.0359 3816 Cdrom - ok
21:31:14.0390 3816 cdudf_xp (557bb630d2011f40214ef91b90e7df6d) C:\WINDOWS\system32\drivers\cdudf_xp.sys
21:31:14.0390 3816 cdudf_xp - ok
21:31:14.0406 3816 Changer - ok
21:31:14.0406 3816 CmdIde - ok
21:31:14.0421 3816 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
21:31:14.0421 3816 Compbatt - ok
21:31:14.0421 3816 Cpqarray - ok
21:31:14.0515 3816 cpuz130 - ok
21:31:14.0546 3816 cpuz132 (097a0a4899b759a4f032bd464963b4be) C:\WINDOWS\system32\drivers\cpuz132_x32.sys
21:31:14.0546 3816 cpuz132 - ok
21:31:14.0578 3816 CT20XUT (b9106942eb5dd0e034ab40a9d48d056e) C:\WINDOWS\system32\drivers\CT20XUT.SYS
21:31:14.0578 3816 CT20XUT - ok
21:31:14.0593 3816 CT20XUT.SYS (b9106942eb5dd0e034ab40a9d48d056e) C:\WINDOWS\System32\drivers\CT20XUT.SYS
21:31:14.0593 3816 CT20XUT.SYS - ok
21:31:14.0609 3816 ctac32k (f2b1d0a3d21bd0d9f46457cbcec1a0e9) C:\WINDOWS\system32\drivers\ctac32k.sys
21:31:14.0609 3816 ctac32k - ok
21:31:14.0625 3816 ctaud2k (44f60a5e3c3a8a6bba4c280948ea6095) C:\WINDOWS\system32\drivers\ctaud2k.sys
21:31:14.0625 3816 ctaud2k - ok
21:31:14.0671 3816 ctdvda2k (8cbe82d6bbf206e144f22cb33fab1f2c) C:\WINDOWS\system32\drivers\ctdvda2k.sys
21:31:14.0671 3816 ctdvda2k - ok
21:31:14.0703 3816 CTEXFIFX (4ae083d16ac9fc9bdf98498f93426226) C:\WINDOWS\system32\drivers\CTEXFIFX.SYS
21:31:14.0703 3816 CTEXFIFX - ok
21:31:14.0734 3816 CTEXFIFX.SYS (4ae083d16ac9fc9bdf98498f93426226) C:\WINDOWS\System32\drivers\CTEXFIFX.SYS
21:31:14.0750 3816 CTEXFIFX.SYS - ok
21:31:14.0750 3816 CTHWIUT (b610bfe02f9fc0cb0b1cde3ec4c13ffa) C:\WINDOWS\system32\drivers\CTHWIUT.SYS
21:31:14.0750 3816 CTHWIUT - ok
21:31:14.0765 3816 CTHWIUT.SYS (b610bfe02f9fc0cb0b1cde3ec4c13ffa) C:\WINDOWS\System32\drivers\CTHWIUT.SYS
21:31:14.0765 3816 CTHWIUT.SYS - ok
21:31:14.0781 3816 ctprxy2k (f0f19a13c948e5289601e354b08e0941) C:\WINDOWS\system32\drivers\ctprxy2k.sys
21:31:14.0781 3816 ctprxy2k - ok
21:31:14.0796 3816 ctsfm2k (c7b2c36a6203a5f3d0a378fd78c5ddd6) C:\WINDOWS\system32\drivers\ctsfm2k.sys
21:31:14.0796 3816 ctsfm2k - ok
21:31:14.0796 3816 dac2w2k - ok
21:31:14.0796 3816 dac960nt - ok
21:31:14.0843 3816 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:31:14.0843 3816 Disk - ok
21:31:14.0875 3816 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:31:14.0875 3816 dmboot - ok
21:31:14.0906 3816 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:31:14.0906 3816 dmio - ok
21:31:14.0921 3816 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:31:14.0921 3816 dmload - ok
21:31:14.0953 3816 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:31:14.0953 3816 DMusic - ok
21:31:14.0953 3816 dpti2o - ok
21:31:14.0984 3816 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:31:15.0000 3816 drmkaud - ok
21:31:15.0031 3816 DVDVRRdr_xp (9de20a3c5fc04802e7e155e9389c319d) C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
21:31:15.0031 3816 DVDVRRdr_xp - ok
21:31:15.0062 3816 dvd_2K (543808acfedf574e7714c9091ad9c638) C:\WINDOWS\system32\drivers\dvd_2K.sys
21:31:15.0062 3816 dvd_2K - ok
21:31:15.0093 3816 emupia (fb2d6d4d14ae801f5267b0368fc0cb0c) C:\WINDOWS\system32\drivers\emupia2k.sys
21:31:15.0093 3816 emupia - ok
21:31:15.0125 3816 ENTECH (bdd170fecb0e496a914318009d85b819) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
21:31:15.0125 3816 ENTECH - ok
21:31:15.0140 3816 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:31:15.0140 3816 Fastfat - ok
21:31:15.0156 3816 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
21:31:15.0156 3816 Fdc - ok
21:31:15.0171 3816 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:31:15.0171 3816 Fips - ok
21:31:15.0203 3816 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
21:31:15.0203 3816 Flpydisk - ok
21:31:15.0234 3816 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
21:31:15.0234 3816 FltMgr - ok
21:31:15.0250 3816 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:31:15.0250 3816 Fs_Rec - ok
21:31:15.0250 3816 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:31:15.0250 3816 Ftdisk - ok
21:31:15.0296 3816 FTT3 (9c7b3e04aa6feb563ab30f0b3c646821) C:\WINDOWS\system32\DRIVERS\FTT3.sys
21:31:15.0296 3816 FTT3 - ok
21:31:15.0328 3816 FTT3s (9ae23195ca46217597ef1b5e6e6acc48) C:\WINDOWS\system32\DRIVERS\FTT3s.sys
21:31:15.0328 3816 FTT3s - ok
21:31:15.0359 3816 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
21:31:15.0359 3816 GEARAspiWDM - ok
21:31:15.0390 3816 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
21:31:15.0390 3816 giveio - ok
21:31:15.0390 3816 GMSIPCI - ok
21:31:15.0421 3816 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:31:15.0421 3816 Gpc - ok
21:31:15.0468 3816 ha20x2k (7ff1ced1201c169a783b0e81cc561fba) C:\WINDOWS\system32\drivers\ha20x2k.sys
21:31:15.0468 3816 ha20x2k - ok
21:31:15.0515 3816 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:31:15.0515 3816 HDAudBus - ok
21:31:15.0546 3816 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
21:31:15.0546 3816 HidBatt - ok
21:31:15.0562 3816 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:31:15.0578 3816 hidusb - ok
21:31:15.0578 3816 hpn - ok
21:31:15.0609 3816 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
21:31:15.0609 3816 HPZid412 - ok
21:31:15.0609 3816 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
21:31:15.0609 3816 HPZipr12 - ok
21:31:15.0625 3816 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
21:31:15.0625 3816 HPZius12 - ok
21:31:15.0640 3816 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:31:15.0640 3816 HTTP - ok
21:31:15.0656 3816 i2omgmt - ok
21:31:15.0656 3816 i2omp - ok
21:31:15.0671 3816 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
21:31:15.0671 3816 i8042prt - ok
21:31:15.0671 3816 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:31:15.0671 3816 Imapi - ok
21:31:15.0687 3816 ini910u - ok
21:31:15.0687 3816 IntelIde - ok
21:31:15.0718 3816 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
21:31:15.0718 3816 Ip6Fw - ok
21:31:15.0750 3816 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:31:15.0750 3816 IpFilterDriver - ok
21:31:15.0750 3816 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:31:15.0765 3816 IpInIp - ok
21:31:15.0781 3816 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:31:15.0781 3816 IpNat - ok
21:31:15.0796 3816 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:31:15.0796 3816 IPSec - ok
21:31:15.0812 3816 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:31:15.0812 3816 IRENUM - ok
21:31:15.0828 3816 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:31:15.0828 3816 isapnp - ok
21:31:15.0843 3816 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:31:15.0843 3816 Kbdclass - ok
21:31:15.0859 3816 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:31:15.0859 3816 kbdhid - ok
21:31:15.0875 3816 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:31:15.0875 3816 kmixer - ok
21:31:15.0906 3816 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:31:15.0906 3816 KSecDD - ok
21:31:15.0953 3816 LBeepKE (ca63fe81705ad660e482bef210bf2c73) C:\WINDOWS\system32\Drivers\LBeepKE.sys
21:31:15.0953 3816 LBeepKE - ok
21:31:15.0953 3816 lbrtfdc - ok
21:31:16.0000 3816 LHidFilt (8b30311241f97b35167afe68d79e8530) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
21:31:16.0000 3816 LHidFilt - ok
21:31:16.0031 3816 lirsgt (4127e8b6ddb4090e815c1f8852c277d3) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
21:31:16.0031 3816 lirsgt - ok
21:31:16.0031 3816 LMouFilt (48d7422a6c4eec886b56ac534cfa3acf) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
21:31:16.0031 3816 LMouFilt - ok
21:31:16.0078 3816 LwAdiHid (a8fe41a339ceb3b517321a7ff0ed67c5) C:\WINDOWS\system32\DRIVERS\LwAdiHid.sys
21:31:16.0078 3816 LwAdiHid - ok
21:31:16.0078 3816 mcdbus - ok
21:31:16.0093 3816 mmc_2K (db790a7675d595d96588429cc14028ca) C:\WINDOWS\system32\drivers\mmc_2K.sys
21:31:16.0093 3816 mmc_2K - ok
21:31:16.0109 3816 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:31:16.0109 3816 mnmdd - ok
21:31:16.0125 3816 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:31:16.0125 3816 Modem - ok
21:31:16.0140 3816 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:31:16.0140 3816 Mouclass - ok
21:31:16.0156 3816 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:31:16.0156 3816 mouhid - ok
21:31:16.0187 3816 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:31:16.0187 3816 MountMgr - ok
21:31:16.0218 3816 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
21:31:16.0218 3816 MpFilter - ok
21:31:16.0312 3816 MpKsl0170251e (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\MpKsl0170251e.sys
21:31:16.0312 3816 MpKsl0170251e - ok
21:31:16.0328 3816 MpKsl1e69479d - ok
21:31:16.0328 3816 MpKsl340ac0f8 - ok
21:31:16.0328 3816 MpKsl56cf267c - ok
21:31:16.0343 3816 MpKsl68aff244 - ok
21:31:16.0343 3816 MpKsl7bea2fb4 - ok
21:31:16.0343 3816 MpKsl850a6fed - ok
21:31:16.0359 3816 MpKslca32e313 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\MpKslca32e313.sys
21:31:16.0359 3816 MpKslca32e313 - ok
21:31:16.0359 3816 MpKsld1498f98 - ok
21:31:16.0359 3816 MpKsld5670ac1 - ok
21:31:16.0375 3816 MpKsld7c0a120 - ok
21:31:16.0390 3816 MpKsled0337a3 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\MpKsled0337a3.sys
21:31:16.0390 3816 MpKsled0337a3 - ok
21:31:16.0406 3816 MpKslfcde4641 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3E6732E7-23D9-4C8F-B275-69250EE4FE4D}\MpKslfcde4641.sys
21:31:16.0406 3816 MpKslfcde4641 - ok
21:31:16.0453 3816 mraid35x - ok
21:31:16.0484 3816 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:31:16.0484 3816 MRxDAV - ok
21:31:16.0515 3816 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:31:16.0515 3816 MRxSmb - ok
21:31:16.0531 3816 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:31:16.0531 3816 Msfs - ok
21:31:16.0593 3816 MSI_DVD_010507 (09a00b8c911d32a0cfeb747be9ce5dab) C:\PROGRA~1\MSI\MSIWDev\DVDSYS32_100507.sys
21:31:16.0593 3816 MSI_DVD_010507 - ok
21:31:16.0609 3816 MSI_MSIBIOS_010507 (3846c05a66a3f5cd1d33e1a323c1762c) C:\PROGRA~1\MSI\MSIWDev\msibios32_100507.sys
21:31:16.0609 3816 MSI_MSIBIOS_010507 - ok
21:31:16.0609 3816 MSI_VGASYS_010507 (8d603678c3961bed302163964ad6a38e) C:\PROGRA~1\MSI\MSIWDev\VGASYS32_100507.sys
21:31:16.0609 3816 MSI_VGASYS_010507 - ok
21:31:16.0625 3816 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:31:16.0640 3816 MSKSSRV - ok
21:31:16.0687 3816 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:31:16.0687 3816 MSPCLOCK - ok
21:31:16.0687 3816 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:31:16.0687 3816 MSPQM - ok
21:31:16.0718 3816 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:31:16.0718 3816 mssmbios - ok
21:31:16.0750 3816 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
21:31:16.0765 3816 Mup - ok
21:31:16.0796 3816 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:31:16.0796 3816 NDIS - ok
21:31:16.0812 3816 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:31:16.0812 3816 NdisTapi - ok
21:31:16.0843 3816 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:31:16.0843 3816 Ndisuio - ok
21:31:16.0843 3816 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:31:16.0843 3816 NdisWan - ok
21:31:16.0859 3816 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
21:31:16.0859 3816 NDProxy - ok
21:31:16.0859 3816 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:31:16.0859 3816 NetBIOS - ok
21:31:16.0890 3816 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:31:16.0890 3816 NetBT - ok
21:31:16.0921 3816 nmwcd (cfe3462a9e94a57dcd9676f6b7fe7f67) C:\WINDOWS\system32\drivers\ccdcmb.sys
21:31:16.0921 3816 nmwcd - ok
21:31:16.0937 3816 nmwcdc (8f2a94f991f8c73cec26b4b5620d1edc) C:\WINDOWS\system32\drivers\ccdcmbo.sys
21:31:16.0953 3816 nmwcdc - ok
21:31:16.0968 3816 nmwcdnsu (99145c5d4b6c4d6f5ce83ee6abffe294) C:\WINDOWS\system32\drivers\nmwcdnsu.sys
21:31:16.0968 3816 nmwcdnsu - ok
21:31:16.0984 3816 nmwcdnsuc (faee7b61c6885b091cec1ff06da2e1ab) C:\WINDOWS\system32\drivers\nmwcdnsuc.sys
21:31:16.0984 3816 nmwcdnsuc - ok
21:31:17.0000 3816 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:31:17.0015 3816 Npfs - ok
21:31:17.0015 3816 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:31:17.0015 3816 Ntfs - ok
21:31:17.0093 3816 NTIOLib_1_0_8 (aa70ed3b0d93c1073260a5043805b6db) C:\PROGRA~1\MSI\MSIWDev\NTIOLib.sys
21:31:17.0093 3816 NTIOLib_1_0_8 - ok
21:31:17.0109 3816 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:31:17.0109 3816 Null - ok
21:31:17.0156 3816 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:31:17.0156 3816 NwlnkFlt - ok
21:31:17.0156 3816 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:31:17.0156 3816 NwlnkFwd - ok
21:31:17.0171 3816 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
21:31:17.0171 3816 NwlnkIpx - ok
21:31:17.0187 3816 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
21:31:17.0187 3816 NwlnkNb - ok
21:31:17.0203 3816 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
21:31:17.0203 3816 NwlnkSpx - ok
21:31:17.0250 3816 ossrv (ac5bf1a610effaae9cfc48cb53483f08) C:\WINDOWS\system32\drivers\ctoss2k.sys
21:31:17.0250 3816 ossrv - ok
21:31:17.0265 3816 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
21:31:17.0265 3816 Parport - ok
21:31:17.0281 3816 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:31:17.0281 3816 PartMgr - ok
21:31:17.0296 3816 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:31:17.0296 3816 ParVdm - ok
21:31:17.0312 3816 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
21:31:17.0312 3816 pccsmcfd - ok
21:31:17.0312 3816 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:31:17.0312 3816 PCI - ok
21:31:17.0328 3816 PCIDump - ok
21:31:17.0343 3816 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:31:17.0343 3816 PCIIde - ok
21:31:17.0359 3816 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:31:17.0359 3816 Pcmcia - ok
21:31:17.0359 3816 PDCOMP - ok
21:31:17.0375 3816 PDFRAME - ok
21:31:17.0375 3816 PDRELI - ok
21:31:17.0375 3816 PDRFRAME - ok
21:31:17.0390 3816 perc2 - ok
21:31:17.0390 3816 perc2hib - ok
21:31:17.0437 3816 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:31:17.0437 3816 PptpMiniport - ok
21:31:17.0453 3816 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
21:31:17.0453 3816 Processor - ok
21:31:17.0468 3816 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:31:17.0468 3816 PSched - ok
21:31:17.0484 3816 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:31:17.0484 3816 Ptilink - ok
21:31:17.0515 3816 pwd_2k (a9694824a73dad758f863ae3b3e8c4b6) C:\WINDOWS\system32\drivers\pwd_2k.sys
21:31:17.0515 3816 pwd_2k - ok
21:31:17.0531 3816 ql1080 - ok
21:31:17.0531 3816 Ql10wnt - ok
21:31:17.0531 3816 ql12160 - ok
21:31:17.0546 3816 ql1240 - ok
21:31:17.0546 3816 ql1280 - ok
21:31:17.0562 3816 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:31:17.0562 3816 RasAcd - ok
21:31:17.0562 3816 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:31:17.0562 3816 Rasl2tp - ok
21:31:17.0578 3816 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:31:17.0578 3816 RasPppoe - ok
21:31:17.0578 3816 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:31:17.0578 3816 Raspti - ok
21:31:17.0593 3816 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:31:17.0593 3816 Rdbss - ok
21:31:17.0609 3816 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:31:17.0609 3816 RDPCDD - ok
21:31:17.0625 3816 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:31:17.0625 3816 rdpdr - ok
21:31:17.0656 3816 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
21:31:17.0656 3816 RDPWD - ok
21:31:17.0671 3816 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:31:17.0671 3816 redbook - ok
21:31:17.0734 3816 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTunerv2.24\RivaTuner32.sys
21:31:17.0734 3816 RivaTuner32 - ok
21:31:17.0796 3816 RTLE8023xp (c6d34a1874cd2b212dc3e788091c64b4) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
21:31:17.0796 3816 RTLE8023xp - ok
21:31:17.0796 3816 SANDRA - ok
21:31:17.0812 3816 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:31:17.0812 3816 Secdrv - ok
21:31:17.0843 3816 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
21:31:17.0843 3816 Serial - ok
21:31:17.0875 3816 sfdrv01 (00de597b81b381053cb5b21a7f20e365) C:\WINDOWS\system32\drivers\sfdrv01.sys
21:31:17.0875 3816 sfdrv01 - ok
21:31:17.0890 3816 sfhlp02 (64b9ab76f1b16eb059cb6cdd906c067a) C:\WINDOWS\system32\drivers\sfhlp02.sys
21:31:17.0890 3816 sfhlp02 - ok
21:31:17.0906 3816 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:31:17.0906 3816 Sfloppy - ok
21:31:17.0921 3816 sfsync02 (798d918d8f20380008277ce3ce5319d1) C:\WINDOWS\system32\drivers\sfsync02.sys
21:31:17.0921 3816 sfsync02 - ok
21:31:17.0937 3816 Simbad - ok
21:31:17.0968 3816 snapman (7cdb603a351b65c1a3347840625ad74d) C:\WINDOWS\system32\DRIVERS\snapman.sys
21:31:17.0968 3816 snapman - ok
21:31:17.0968 3816 Sparrow - ok
21:31:17.0984 3816 speedfan (3fa2e254bfbce52b3c6f1bf23aab6911) C:\WINDOWS\system32\speedfan.sys
21:31:18.0000 3816 speedfan - ok
21:31:18.0015 3816 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:31:18.0015 3816 splitter - ok
21:31:18.0015 3816 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:31:18.0031 3816 sr - ok
21:31:18.0062 3816 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
21:31:18.0062 3816 Srv - ok
21:31:18.0078 3816 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:31:18.0078 3816 swenum - ok
21:31:18.0093 3816 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:31:18.0093 3816 swmidi - ok
21:31:18.0093 3816 symc810 - ok
21:31:18.0109 3816 symc8xx - ok
21:31:18.0109 3816 sym_hi - ok
21:31:18.0125 3816 sym_u3 - ok
21:31:18.0140 3816 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:31:18.0140 3816 sysaudio - ok
21:31:18.0171 3816 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:31:18.0171 3816 Tcpip - ok
21:31:18.0203 3816 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:31:18.0203 3816 TDPIPE - ok
21:31:18.0218 3816 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:31:18.0218 3816 TDTCP - ok
21:31:18.0234 3816 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:31:18.0234 3816 TermDD - ok
21:31:18.0234 3816 TosIde - ok
21:31:18.0265 3816 UDFReadr (cd0cbedd42180d60b9fab4b0cf237766) C:\WINDOWS\system32\drivers\UDFReadr.sys
21:31:18.0265 3816 UDFReadr - ok
21:31:18.0281 3816 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:31:18.0281 3816 Udfs - ok
21:31:18.0281 3816 ultra - ok
21:31:18.0328 3816 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:31:18.0328 3816 Update - ok
21:31:18.0359 3816 upperdev (ec01da44b090d2651fc032c8b9257232) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
21:31:18.0359 3816 upperdev - ok
21:31:18.0375 3816 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:31:18.0390 3816 usbccgp - ok
21:31:18.0390 3816 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:31:18.0390 3816 usbehci - ok
21:31:18.0406 3816 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:31:18.0406 3816 usbhub - ok
21:31:18.0406 3816 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
21:31:18.0406 3816 usbohci - ok
21:31:18.0421 3816 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:31:18.0421 3816 usbprint - ok
21:31:18.0437 3816 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:31:18.0453 3816 usbscan - ok
21:31:18.0468 3816 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\drivers\usbser.sys
21:31:18.0468 3816 usbser - ok
21:31:18.0484 3816 UsbserFilt (4abd37cfbd710e64f01f9da8710c73f7) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
21:31:18.0484 3816 UsbserFilt - ok
21:31:18.0515 3816 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:31:18.0515 3816 usbstor - ok
21:31:18.0515 3816 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:31:18.0515 3816 VgaSave - ok
21:31:18.0515 3816 ViaIde - ok
21:31:18.0531 3816 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:31:18.0531 3816 VolSnap - ok
21:31:18.0546 3816 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:31:18.0546 3816 Wanarp - ok
21:31:18.0578 3816 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
21:31:18.0578 3816 WDC_SAM - ok
21:31:18.0593 3816 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
21:31:18.0593 3816 Wdf01000 - ok
21:31:18.0593 3816 WDICA - ok
21:31:18.0625 3816 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:31:18.0625 3816 wdmaud - ok
21:31:18.0656 3816 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
21:31:18.0656 3816 WmiAcpi - ok
21:31:18.0687 3816 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
21:31:18.0687 3816 WpdUsb - ok
21:31:18.0718 3816 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:31:18.0718 3816 WudfPf - ok
21:31:18.0734 3816 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:31:18.0734 3816 WudfRd - ok
21:31:18.0765 3816 xusb21 (f5e5f944e63a9b5f6e76c2ebb2ac462f) C:\WINDOWS\system32\DRIVERS\xusb21.sys
21:31:18.0765 3816 xusb21 - ok
21:31:18.0765 3816 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:31:18.0875 3816 \Device\Harddisk0\DR0 - ok
21:31:18.0875 3816 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
21:31:18.0968 3816 \Device\Harddisk1\DR1 - ok
21:31:18.0984 3816 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR2
21:31:19.0046 3816 \Device\Harddisk2\DR2 - ok
21:31:19.0046 3816 Boot (0x1200) (ffe190dbd50cfe12f54a57b0f6110284) \Device\Harddisk0\DR0\Partition0
21:31:19.0046 3816 \Device\Harddisk0\DR0\Partition0 - ok
21:31:19.0046 3816 Boot (0x1200) (031fdb000b194d121059c03d3b0868ca) \Device\Harddisk1\DR1\Partition0
21:31:19.0046 3816 \Device\Harddisk1\DR1\Partition0 - ok
21:31:19.0046 3816 Boot (0x1200) (f2aa9bd49da6d17f3134411c4a2e3cc8) \Device\Harddisk2\DR2\Partition0
21:31:19.0046 3816 \Device\Harddisk2\DR2\Partition0 - ok
21:31:19.0046 3816 ============================================================
21:31:19.0046 3816 Scan finished
21:31:19.0046 3816 ============================================================
21:31:19.0062 3804 Detected object count: 0
21:31:19.0062 3804 Actual detected object count: 0
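A TDSSKiller log like the one above is normally read by eye, line by line, looking for anything that is not "- ok". As an added example that is not part of this thread and not TDSSKiller's own code, here is a small Python parser for that log layout: it pairs each service's file line (name, MD5, path) with its verdict line, pulls the MBR and boot-sector hashes, reads the two "Detected object count" lines and lists everything that is not "ok". The sample log embedded in it is constructed from a few lines of the log above plus one made-up entry ("example_drv", an all-zero hash and a "suspicious" verdict) so the reporting path has something to show; that verdict word is an assumption, since the page never shows how TDSSKiller words a real detection.

```python
import re
import sys

# Constructed sample in the layout of the TDSSKiller log posted above. The
# "example_drv" entry, its all-zero MD5 and the "suspicious" verdict are made up
# to exercise the reporting path; the wording TDSSKiller really uses for a
# detection is not assumed, only that anything other than "ok" deserves a look.
SAMPLE_LOG = r"""
21:31:18.0171 3816 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:31:18.0171 3816 Tcpip - ok
21:31:17.0328 3816 PCIDump - ok
21:31:18.0765 3816 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:31:18.0875 3816 \Device\Harddisk0\DR0 - ok
21:31:18.0875 3816 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
21:31:18.0968 3816 \Device\Harddisk1\DR1 - ok
21:31:19.0046 3816 Boot (0x1200) (ffe190dbd50cfe12f54a57b0f6110284) \Device\Harddisk0\DR0\Partition0
21:31:19.0046 3816 \Device\Harddisk0\DR0\Partition0 - ok
21:31:19.0100 3816 example_drv (00000000000000000000000000000000) C:\WINDOWS\system32\DRIVERS\example_drv.sys
21:31:19.0100 3816 example_drv - suspicious
21:31:19.0046 3816 Scan finished
21:31:19.0062 3804 Detected object count: 1
21:31:19.0062 3804 Actual detected object count: 1
"""

# Every line starts with "hh:mm:ss.ffff <pid>".
PREFIX = r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+"
# "<service> (<md5>) <path>": a driver/service whose image was found and hashed
FILE_RE = re.compile(PREFIX + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$")
# "MBR (0x1B8) (<md5>) \Device\HarddiskN\DRN" or "Boot (0x1200) (<md5>) ...\Partition0"
SECTOR_RE = re.compile(PREFIX + r"(?P<kind>MBR|Boot)\s+\(0x[0-9A-Fa-f]+\)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<device>\\Device\\\S+)\s*$")
# "<name> - <verdict>": the verdict TDSSKiller prints for a service, an MBR or a boot sector
VERDICT_RE = re.compile(PREFIX + r"(?P<name>\S+)\s+-\s+(?P<verdict>.+?)\s*$")
# the two summary counters at the end of the log
COUNT_RE = re.compile(PREFIX + r"(?P<label>(?:Actual )?[Dd]etected object count):\s*(?P<n>\d+)")


def parse_tdsskiller_log(text):
    """Split a TDSSKiller log into files, verdicts, sector hashes and the summary counts."""
    report = {"files": {}, "verdicts": {}, "sectors": [], "counts": {}}
    for line in text.splitlines():
        m = COUNT_RE.match(line)
        if m:
            report["counts"][m["label"]] = int(m["n"])
            continue
        m = SECTOR_RE.match(line)
        if m:
            report["sectors"].append({"kind": m["kind"], "md5": m["md5"], "device": m["device"]})
            continue
        m = FILE_RE.match(line)
        if m:
            report["files"][m["name"]] = {"md5": m["md5"], "path": m["path"]}
            continue
        m = VERDICT_RE.match(line)
        if m:
            report["verdicts"][m["name"]] = m["verdict"]
    return report


def summarize(report):
    """Headline numbers: how many services, how many had an image on disk, how many were not ok."""
    verdicts, files = report["verdicts"], report["files"]
    services = [n for n in verdicts if not n.startswith("\\Device\\")]
    return {
        "services": len(services),
        "with_file": sum(1 for n in services if n in files),
        # entries such as PCIDump get only a verdict line: no image was hashed for them
        "entry_only": sum(1 for n in services if n not in files),
        "not_ok": sum(1 for v in verdicts.values() if v.lower() != "ok"),
        "sectors": len(report["sectors"]),
    }


def findings(report):
    """Everything worth a second look, as strings; an empty list means a clean log."""
    out = []
    for name, verdict in report["verdicts"].items():
        if verdict.lower() != "ok":
            path = report["files"].get(name, {}).get("path", "no file line")
            out.append(f"{name}: {verdict} [{path}]")
    # Disks partitioned by the same Windows install usually carry identical MBR code,
    # so more than one hash is a prompt to look, not a verdict on its own.
    mbr_hashes = sorted({s["md5"] for s in report["sectors"] if s["kind"] == "MBR"})
    if len(mbr_hashes) > 1:
        out.append("MBR code differs between disks: " + ", ".join(mbr_hashes))
    # The two counters agree in the posted log; report it if they ever do not.
    c = report["counts"]
    detected, actual = c.get("Detected object count"), c.get("Actual detected object count")
    if detected != actual:
        out.append(f"Detected object count {detected} != Actual detected object count {actual}")
    return out


if __name__ == "__main__":
    # usage: python tdss_parse.py TDSSKiller.txt   (no argument runs the constructed sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    rep = parse_tdsskiller_log(text)
    print(summarize(rep))
    for item in findings(rep) or ["nothing flagged"]:
        print(item)
```

Run over the log mds.82 posted, every verdict is "ok", all three disks share one MBR hash and both counters are 0, so `findings()` comes back empty; that is the picture CatByte reads as "looking good" in the next reply. The counts and hashes are only as good as TDSSKiller's own view of the disk, which is why the follow-up scans with MBAM and ESET are still asked for.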

#7 CatByte
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 23 September 2011 - 08:51 PM

Hi,

Looking good, just a couple more scans to make certain there are no more leftovers


Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 mds.82
  • Topic Starter
  • Members
  • 6 posts
  • Location:N.Cambria, PA USA

Posted 24 September 2011 - 05:07 AM

MBAM LOG
.
--------------------------------------------------
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7782

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/24/2011 1:48:50 AM
mbam-log-2011-09-24 (01-48-50).txt

Scan type: Quick scan
Objects scanned: 187452
Time elapsed: 1 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
.


ESET LOG
---------------------------------------------------------------------------
C:\Documents and Settings\MDS\My Documents\Downloads\attsetup-[mar2011].exe Win32/OpenCandy application


That's it... that application is ATI Tray Tools. I've used it previously and I'm pretty certain that file is "safe".

#9 CatByte
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 24 September 2011 - 06:38 AM

Hi,

Yes, ESET is just describing the type of program it is so we can decide what to do with it.

So, just some housekeeping to do now.

Please do the following:


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Your Java is out of date.
Java™ 6 Update 26 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT




You can delete the TDSSKiller, DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

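The Internet Explorer steps in the post above change three values under the Internet zone's registry key, HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3: 1001 (Download signed ActiveX controls), 1004 (Download unsigned ActiveX controls) and 1201 (Initialize and script ActiveX controls not marked as safe), where the DWORD data 0 means Enable, 1 Prompt and 3 Disable. As an added example that is neither from the post nor from Microsoft, here is a Python audit that reads a `reg export` of that key, reports any of the three settings that is weaker than what the post recommends, and builds a `.reg` snippet that sets them. The export embedded in it is constructed, with deliberately weak values, so the audit has something to report; the `fix_reg` and `audit_activex` names are this example's own.

```python
import re

# Internet Explorer keeps the Internet zone under Zones\3 of this key (HKCU for the
# user's own settings). DWORD data: 0 = Enable, 1 = Prompt, 3 = Disable.
ZONE3_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
# value name -> (setting as shown in the Custom level dialog, recommended data)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 1),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
}
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}
STRICTNESS = {0: 0, 1: 1, 3: 2}  # Enable < Prompt < Disable

# Constructed export in the shape "reg export" writes, with deliberately weak data
# (1001 and 1201 set to Enable) so the audit has something to report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000000
"1400"=dword:00000000
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})\s*$')


def parse_zone_dwords(reg_text, key_suffix=ZONE3_KEY_SUFFIX):
    """Return {value name: int} for the DWORDs under the key whose path ends in key_suffix."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_key = m["key"].lower().endswith(key_suffix.lower())
            continue
        if not in_key:
            continue
        m = DWORD_RE.match(line)
        if m:
            values[m["name"]] = int(m["hex"], 16)
    return values


def audit_activex(values):
    """Return (name, description, current, recommended) for each setting weaker than recommended.

    A stricter setting than recommended (Disable where Prompt is suggested) is left alone.
    A value missing from the export is reported with current=None: the effective setting
    then comes from the zone's template, which the export does not show, so check it by hand.
    """
    weak = []
    for name, (desc, want) in RECOMMENDED.items():
        have = values.get(name)
        if have is None or STRICTNESS.get(have, -1) < STRICTNESS[want]:
            weak.append((name, desc, have, want))
    return weak


def fix_reg(weak, hive_key="HKEY_CURRENT_USER" + ZONE3_KEY_SUFFIX):
    """Build .reg text that sets every flagged value to the recommended level."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{hive_key}]"]
    for name, _desc, _have, want in weak:
        lines.append(f'"{name}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    vals = parse_zone_dwords(SAMPLE_REG)
    weak = audit_activex(vals)
    for name, desc, have, want in weak:
        print(f"{name} {desc}: {LEVEL.get(have, have)} -> should be {LEVEL[want]}")
    print(fix_reg(weak))
```

To audit a real machine, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and read the file with `encoding="utf-16"` (registry exports are normally UTF-16 with a byte-order mark; fall back to the default encoding if yours is plain text). Do the "Reset all zones to default level" step from the post first, since it overwrites whatever Custom level values were there, and bear in mind that if zone settings are enforced by policy under HKLM the HKCU export will not show the effective values. The `.reg` that `fix_reg` produces can be applied with `reg import`, which has the same effect as clicking through the Custom level dialog.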


#10 mds.82
  • Topic Starter
  • Members
  • 6 posts
  • Location:N.Cambria, PA USA

Posted 24 September 2011 - 08:01 AM

Posted 24 September 2011 - 08:01 AM

Thank you so much for your help. I really feel confident now that the issue is resolved, and the additional information you suggested will 'hopefully' keep my family's PC running clean in the future.
It's good to know that while people are creating dangerous and malicious viruses, people such as yourself and others on this site are offering good, useful, and complete solutions for those who need it...

Keep up the great work! It is much appreciated!

#11 CatByte
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 24 September 2011 - 08:03 AM

Posted 24 September 2011 - 08:03 AM

you are welcome

stay safe

~CB



#12 CatByte
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 24 September 2011 - 08:03 AM

Posted 24 September 2011 - 08:03 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.


