Another Google redirect infection problem


15 replies to this topic

#1 John Knee

  • Members
  • 96 posts

Posted 05 October 2011 - 11:55 AM

I basically booted up my Windows XP PC today and, within the first 30 seconds or so of Windows opening up (i.e., the bit where programmes like Skype load up etc.), my firewall, BullGuard, informed me that the programme X8BD.exe was requesting permission to use the internet etc. Not recognising it, I naturally refused access, made a note of the programme and tried to google it to make sure it wasn't a virus. Google came up with hits and, from the small descriptions under each link, there were suggestions it was not completely OK....

I clicked on one of the links and it got redirected to eBay.... I hit my "homepage" key (where Google is my default page) and typed in Bleeping Computer in order to visit here. Again eBay popped up. I hit the back key and I got rerouted to another website. I didn't note down which, but it appeared to be another eBay-style buy and sell place. I killed the internet connection....

I then ran BullGuard anti-virus and it came up with 4 infections - one of which was a cookie. I hit the disinfect/remove button and it deleted two of them to leave the following:

A0501797.exe (Gen:Variant.VBKrypt.39) C:\System Volume Information\_restore{7159C566-.........}
A0501798.exe (Trojan.Generic.6675122) C:\System Volume Information\_restore{7159C566-.........}

BullGuard said it couldn't directly delete the viruses and to submit them - BullGuard would then mail me back with further instructions within the hour. In the meantime, both were quarantined.

I then did a quick scan via Malwarebytes in the meantime and it discovered 6 infections - 2 x Registry Keys, 1 x Registry Value and 3 files. I took the option for Malwarebytes to remove them, which it did successfully. It said it needed to reboot to clean up completely, so I rebooted.

Rather than trust everything to be OK, I then ran a Full Scan and it picked up another infection. This was at: C:\system volume information\_restore{7159c566-b27d-45b5-9001-47f14422cf9}\rp729\A050797.exe. Again I selected the disinfection option, and I was asked to reboot again.

This is where my mind gets a little hazy - I went out shopping and left my PC running while doing a further scan to be extra sure - so I can't recall exactly what order I did things in. But...

Having got an apparently clean bill of health, I connected to the internet to test out the rerouting-of-Google issue - I was hoping that the clearance of the above would solve things. Again, though, I was rerouted. On one site I tried to back away, and a pop-up came up asking if I really wanted to back away from the offer on the page, with an "OK to select" or "Cancel to leave" option. Not trusting the site, I hit CONTROL+ALT+DEL and crashed out of Firefox (version 3.6.23) rather than risk being tricked into ticking the wrong box.

I've since run Malwarebytes and BullGuard, disinfected/deleted the necessary (or quarantined if that failed) and, assuming the Malwarebytes full scan I am running as I type comes up clean, then *technically* I am clean for now. The other quarantined items in BullGuard anti-virus are:

emcsronwxa.exe (Gen:Variant.Kazy.38766)
nxamesorwc.tmp (Application.Generic.379177)
osrecxwamn.tmp (Gen:Variant.VBKrypt.39)

All three were found in C:\Documents and Settings\Matt\Local Settings\Temp

setup.exe (Gen:Variant.Graftor.1321), which is found in the locations C:\Windows\Temp\bawanf\ and C:\Windows\Temp\akkhrq

I am unsure if the Malwarebytes scans have since deleted the quarantined items...

Despite all threats apparently being contained and non-dangerous, the cynic in me suggests every reroute is probably sending me to a website where malware is being downloaded.


So, erm, please advise...


#2 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,725 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 05 October 2011 - 12:41 PM

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Check the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

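The MiniToolBox boxes asked for above (IE and Firefox proxy settings, hosts file, IP configuration) cover the three places a browser redirector normally lives: a hosts entry that pins search engines or vendor update hosts, a proxy pointed at loopback so a local process sits in front of every request, or a DNS server the router never handed out. The Python below is an added example for this thread, not MiniToolBox or any BleepingComputer tool; it runs those same checks offline over constructed samples laid out the way prefs.js, the hosts file and XP's ipconfig print them. The sample addresses (203.0.113.7, 198.51.100.53, 127.0.0.1:8118) are made up for the demonstration and are not from this thread.

```python
"""Offline triage of the three places a browser redirector usually hides: the
hosts file, the browser proxy settings and the interface's DNS servers. Added
example for this thread, not MiniToolBox or any BleepingComputer tool; every
sample input below is constructed, not taken from the poster's machine."""
import ipaddress
import re

# Names a clean hosts file has no reason to pin: redirectors point search
# engines at their own server or sinkhole vendor update hosts.
WATCHED_DOMAINS = ("google.", "bing.", "yahoo.", "windowsupdate.", "malwarebytes.")
FF_PREF = re.compile(r'user_pref\("(network\.proxy\.[a-z_.]+)",\s*(.+?)\);')
KV = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*?)\s*$")   # ipconfig "key . . : value"
IPV4 = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")             # bare continuation line

def check_hosts(hosts_text):
    """One finding per watched domain present in the hosts file."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            findings += [f"hosts: {n} -> {ip}" for n in names
                         if any(w in n.lower() for w in WATCHED_DOMAINS)]
    return findings

def _proxy_finding(label, server):
    # A proxy on loopback is how a local interception proxy sits in front of every request.
    host = server.rsplit(":", 1)[0]
    if host in ("localhost", "::1") or host.startswith("127."):
        return f"{label}: proxy on loopback {server} (local interception proxy)"
    return f"{label}: proxy set to {server} (confirm it is expected)"

def check_ie_proxy(proxy_enable, proxy_server):
    """ProxyEnable / ProxyServer from HKCU\\...\\CurrentVersion\\Internet Settings."""
    if not proxy_enable or not proxy_server:
        return []
    return [_proxy_finding("ie", proxy_server)]

def check_ff_prefs(prefs_text):
    """Firefox keeps its proxy in prefs.js: network.proxy.type 0 = direct, 1 = manual, 2 = PAC."""
    prefs = {k: v.strip('"') for k, v in FF_PREF.findall(prefs_text)}
    ptype = prefs.get("network.proxy.type", "0")
    if ptype == "2":
        return [f"ff: PAC script {prefs.get('network.proxy.autoconfig_url', '?')}"]
    if ptype != "1":
        return []
    return [_proxy_finding("ff", f"{prefs.get('network.proxy.http', '?')}:"
                                 f"{prefs.get('network.proxy.http_port', '?')}")]

def check_dns(ipconfig_text):
    """Flag resolvers outside the interface's own subnet. A home router hands out
    itself via DHCP (as the log in this thread shows); anything else needs explaining."""
    ip = mask = None
    dns, last = [], None
    for line in ipconfig_text.splitlines():
        m = KV.match(line)
        if m:
            last = m.group(1).strip()
            val = m.group(2).split()[0] if m.group(2) else ""
            if last == "IP Address":
                ip = val
            elif last == "Subnet Mask":
                mask = val
            elif last == "DNS Servers" and val:
                dns.append(val)
            continue
        m = IPV4.match(line)
        if m and last == "DNS Servers":
            dns.append(m.group(1))
    if not (ip and mask):
        return ["dns: could not read the interface address from ipconfig output"]
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return [f"dns: resolver {d} is outside {net} (verify it is your ISP's)"
            for d in dns if ipaddress.ip_address(d) not in net]

def triage(hosts_text, ie_enable, ie_server, prefs_text, ipconfig_text):
    """Every check in one list."""
    return (check_hosts(hosts_text) + check_ie_proxy(ie_enable, ie_server)
            + check_ff_prefs(prefs_text) + check_dns(ipconfig_text))

# Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
HOSTS_SAMPLE = """\
127.0.0.1       localhost
203.0.113.7     www.google.com
203.0.113.7     www.bing.com
127.0.0.1       update.malwarebytes.org
"""
PREFS_SAMPLE = """\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8118);
"""
IPCONFIG_SAMPLE = """\
        IP Address. . . . . . . . . . . . : 192.168.0.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : 192.168.0.1
                                            198.51.100.53
"""

if __name__ == "__main__":
    for finding in triage(HOSTS_SAMPLE, 1, "127.0.0.1:8118", PREFS_SAMPLE, IPCONFIG_SAMPLE):
        print(finding)
```

A clean machine returns an empty list from every check. A loopback proxy in either browser is the strongest single indicator here because the browser will report "no proxy" on the network level while every request still passes through whatever owns that local port; the DNS check only says "verify", since an ISP resolver can legitimately sit outside the LAN.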


 


#3 John Knee
  • Topic Starter

  • Members
  • 96 posts

Posted 05 October 2011 - 02:00 PM

-deleted after reposting-

Edited by John Knee, 05 October 2011 - 02:19 PM.


#4 John Knee
  • Topic Starter

  • Members
  • 96 posts

Posted 05 October 2011 - 02:04 PM

-deleted after reposting-

Edited by John Knee, 05 October 2011 - 02:18 PM.


#5 John Knee
  • Topic Starter

  • Members
  • 96 posts

Posted 05 October 2011 - 02:06 PM

-deleted after reposting-

Edited by John Knee, 05 October 2011 - 02:15 PM.


#6 John Knee
  • Topic Starter

  • Members
  • 96 posts

Posted 05 October 2011 - 02:14 PM

Please download MiniToolBox and run it.

Check the following boxes:

  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go and post the result.



MiniToolBox by Farbar
Ran by Matt (administrator) on 05-10-2011 at 19:37:58
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

Hosts file not detected in the default directory
========================= IP Configuration: ================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : Skruttis
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8169/8110 Family Gigabit Ethernet NIC
Physical Address. . . . . . . . . : 00-18-F3-CD-0C-8B
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
Lease Obtained. . . . . . . . . . : 05 October 2011 19:30:56
Lease Expires . . . . . . . . . . : 06 October 2011 19:30:56

Server: UnKnown
Address: 192.168.0.1

Name: google.com
Addresses: 209.85.169.99, 209.85.169.104, 209.85.169.103, 209.85.169.105
209.85.169.147, 209.85.169.106

Pinging google.com [209.85.169.103] with 32 bytes of data:

Reply from 209.85.169.103: bytes=32 time=29ms TTL=49
Reply from 209.85.169.103: bytes=32 time=29ms TTL=49

Ping statistics for 209.85.169.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 29ms, Maximum = 29ms, Average = 29ms

Server: UnKnown
Address: 192.168.0.1

Name: yahoo.com
Addresses: 98.139.180.149, 209.191.122.70, 67.195.160.76, 72.30.2.43
98.137.149.56

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=202ms TTL=46
Reply from 72.30.2.43: bytes=32 time=195ms TTL=46

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 195ms, Maximum = 202ms, Average = 198ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 18 f3 cd 0c 8b ...... Realtek RTL8169/8110 Family Gigabit Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.3 192.168.0.3 20
192.168.0.3 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.3 192.168.0.3 20
224.0.0.0 240.0.0.0 192.168.0.3 192.168.0.3 20
255.255.255.255 255.255.255.255 192.168.0.3 192.168.0.3 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (10/05/2011 10:55:23 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/05/2011 10:55:23 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/05/2011 10:55:22 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/04/2011 05:58:27 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: EventType clr20r3, P1 nxamesorwc.tmp, P2 0.0.0.0, P3 4e799e57, P4 mscorlib, P5 2.0.0.0, P6 4d8c190a, P7 344a, P8 21c, P9 clr20r30, P10 clr20r31.

Error: (10/04/2011 05:58:27 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: EventType clr20r3, P1 nxamesorwc.tmp, P2 0.0.0.0, P3 4e799e57, P4 mscorlib, P5 2.0.0.0, P6 4d8c190a, P7 df, P8 b, P9 clr20r30, P10 clr20r31.

Error: (10/04/2011 05:58:27 PM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: EventType clr20r3, P1 nxamesorwc.tmp, P2 0.0.0.0, P3 4e799e57, P4 system, P5 2.0.0.0, P6 4db9c770, P7 3a8d, P8 288, P9 clr20r30, P10 clr20r31.

Error: (10/03/2011 02:43:49 PM) (Source: Application Error) (User: )
Description: Faulting application thunderbird.exe, version 1.8.20100.22820, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00010f1e.
Processing media-specific event for [thunderbird.exe!ws!]

Error: (10/01/2011 10:35:09 PM) (Source: Application Error) (User: )
Description: Faulting application thunderbird.exe, version 1.8.20100.22820, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x00010829.
Processing media-specific event for [thunderbird.exe!ws!]

Error: (10/01/2011 07:13:02 PM) (Source: Application Error) (User: )
Description: Faulting application thunderbird.exe, version 1.8.20100.22820, faulting module msvcrt.dll, version 7.0.2600.5512, fault address 0x00037740.
Processing media-specific event for [thunderbird.exe!ws!]

Error: (10/01/2011 02:23:04 PM) (Source: Application Error) (User: )
Description: Faulting application thunderbird.exe, version 1.8.20100.22820, faulting module xpcom_core.dll, version 1.8.20100.22820, fault address 0x00007111.
Processing media-specific event for [thunderbird.exe!ws!]


System errors:
=============
Error: (10/05/2011 07:34:05 PM) (Source: DCOM) (User: )
Description: The machine wide Default Launch and Activation security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Error: (10/05/2011 07:33:25 PM) (Source: DCOM) (User: )
Description: The machine wide Default Launch and Activation security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Error: (10/05/2011 07:33:25 PM) (Source: DCOM) (User: )
Description: The machine wide Default Launch and Activation security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Error: (10/05/2011 07:32:45 PM) (Source: DCOM) (User: )
Description: The machine wide Default Launch and Activation security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Error: (10/05/2011 07:32:45 PM) (Source: DCOM) (User: )
Description: The machine wide Default Launch and Activation security descriptor is invalid. It contains Access Control Entries with permissions that are invalid. The requested action was therefore not performed. This security permission can be corrected using the Component Services administrative tool.

Error: (10/05/2011 07:32:03 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Lbd

Error: (10/05/2011 07:32:03 PM) (Source: Service Control Manager) (User: )
Description: The CyberLink Task Scheduler (CTS) service hung on starting.

Error: (10/05/2011 07:30:59 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (10/05/2011 07:30:59 PM) (Source: W32Time) (User: )
Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
minutes.
The error was: A socket operation was attempted to an unreachable host. (0x80072751)

Error: (10/05/2011 07:30:28 PM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.


Microsoft Office Sessions:
=========================
Error: (10/05/2011 10:55:23 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/05/2011 10:55:23 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/05/2011 10:55:22 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/04/2011 05:58:27 PM) (Source: .NET Runtime 2.0 Error Reporting)(User: )
Description: clr20r3nxamesorwc.tmp0.0.0.04e799e57mscorlib2.0.0.04d8c190a344a21csystem.io.ioexceptionNIL

Error: (10/04/2011 05:58:27 PM) (Source: .NET Runtime 2.0 Error Reporting)(User: )
Description: clr20r3nxamesorwc.tmp0.0.0.04e799e57mscorlib2.0.0.04d8c190adfbsystem.argumentnullexceptionNIL

Error: (10/04/2011 05:58:27 PM) (Source: .NET Runtime 2.0 Error Reporting)(User: )
Description: clr20r3nxamesorwc.tmp0.0.0.04e799e57system2.0.0.04db9c7703a8d288system.componentmodel.win32NIL

Error: (10/03/2011 02:43:49 PM) (Source: Application Error)(User: )
Description: thunderbird.exe1.8.20100.22820ntdll.dll5.1.2600.605500010f1e

Error: (10/01/2011 10:35:09 PM) (Source: Application Error)(User: )
Description: thunderbird.exe1.8.20100.22820ntdll.dll5.1.2600.605500010829

Error: (10/01/2011 07:13:02 PM) (Source: Application Error)(User: )
Description: thunderbird.exe1.8.20100.22820msvcrt.dll7.0.2600.551200037740

Error: (10/01/2011 02:23:04 PM) (Source: Application Error)(User: )
Description: thunderbird.exe1.8.20100.22820xpcom_core.dll1.8.20100.2282000007111


=========================== Installed Programs ============================

(Version: 6.9.1)
Ad-Aware Email Scanner for Outlook (Version: 1.0.0)
Adobe Acrobat 7.0 Professional - English, Français, Deutsch (Version: 7.1.0)
Adobe Acrobat 7.1.0 Professional - English, Français, Deutsch (Version: 7.1.0)
Adobe Bridge 1.0 (Version: 001.000.004)
Adobe Common File Installer (Version: 1.00.0000)
Adobe Flash Player 10 ActiveX (Version: 10.0.45.2)
Adobe Flash Player 10 Plugin (Version: 10.3.183.10)
Adobe Help Center 1.0 (Version: 001.000.000)
Adobe Photoshop CS2 (Version: 9.0)
Adobe Reader 7.1.0 (Version: 7.1.0)
Adobe Stock Photos 1.0 (Version: 1.0.8)
Aspell English Dictionary-0.50-2
Audacity 1.2.6
AudibleManager (Version: 2089884432.1000.2089884374.2090320032)
Audio Converter
AutoUpdate (Version: 1.1)
BitTorrent 5.0.7
BullGuard 8.5 (Version: 8.5)
Canon iP4600 series Printer Driver
Canon iP4600 series User Registration
Canon MP Navigator EX 2.0
CanoScan LiDE 100 Scanner Driver
CD-LabelPrint
Civilization III Complete Edition (Version: 1.00.0000)
Command & Conquer Generals (Version: 0.50.0000)
Command & Conquer The First Decade (Version: 1.00.0000)
Compatibility Pack for the 2007 Office system (Version: 12.0.6425.1000)
ConvertHelper 2.2
Creative Centrale (Version: 1.16.02)
Creative Removable Disk Manager
Creative Software Update (Version: 1.03.01)
Creative System Information
Creative ZEN V Series (R2) (Version: 1.0)
Creative ZEN X-Fi User's Guide
Creative ZEN X-Fi Video Converter
Creative ZEN X-Fi Video Converter (Version: 1.00.03)
DivX Converter (Version: 7.1.0)
DivX Player (Version: 7.2.0)
DivX Plus DirectShow Filters
DivX Setup (Version: 1.0.1.5)
DivX Version Checker (Version: 7.1.0.9)
DivX Web Player (Version: 1.5.0)
Football Manager 2007
Football Manager 2009 (Version: 9.0.0.0)
GNU Aspell 0.50-3
GTK+ Runtime 2.10.13 rev a (remove only)
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
HAM (Version: 6.1.110.236)
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
HighMAT Extension to Microsoft Windows XP CD Writing Wizard (Version: 1.1.1905.1)
Horse Racing Manager
Intel® Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 5 (Version: 1.5.0.50)
Java Auto Updater (Version: 2.0.2.4)
Java™ 6 Update 21 (Version: 6.0.210)
Java™ 6 Update 5 (Version: 1.6.0.50)
Java™ 6 Update 7 (Version: 1.6.0.70)
JGoodies JDiskReport 1.3.2 (Version: 1.3.2 (2009-12-18 11:57:44))
LADSPA_plugins-win-0.4.15
LAME v3.98.3 for Audacity
Malwarebytes' Anti-Malware version 1.51.2.1300 (Version: 1.51.2.1300)
MediaShow 3.0
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Works (Version: 08.04.0623)
Mozilla Firefox (3.6.23) (Version: 3.6.23 (en-GB))
Mozilla Thunderbird (2.0.0.0) (Version: 2.0.0.0 (en-GB))
MSN
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
Network Print Monitor for Windows 2000/XP/2003
NVIDIA Drivers (Version: 1.3)
PhotoNow! 1.0
Pidgin (Version: 2.2.0)
Portal
Portal 2
Power2Go 4.0
PowerBackup 1.0
PowerCinema 4.0
PowerDirector Express
PowerDVD
PowerDVD Copy 1.0
PowerProducer
PowerStarter
QuickTime
RealPlayer
Realtek High Definition Audio Driver (Version: 5.10.0.5324)
Segoe UI (Version: 14.0.4327.805)
Skype Toolbars (Version: 5.3.7555)
Skype™ 5.3 (Version: 5.3.120)
SmartFTP Client 2.0 (Version: 2.0.1002)
SmartFTP Client 2.0 Setup Files (remove only) (Version: "2.0")
Spiral Knights
Spotify (Version: 0.3.16)
Steam (Version: 1.0.0.0)
Team Fortress 2
Tiscali 10.0
Tiscali Internet Access (Version: 7.0)
UFO Aftermath (Version: 1.4)
UFO Aftershock (Version: 1.0)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.4053 (Version: 1.1.0)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (Version: 9.0.30729.01)
WebFldrs XP (Version: 9.50.7523)
Winamp (remove only)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.7.0018.5)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8117.0416)
Windows Live Communications Platform (Version: 14.0.8117.416)
Windows Live Essentials (Version: 14.0.8117.0416)
Windows Live Essentials (Version: 14.0.8117.416)
Windows Live Messenger (Version: 14.0.8117.0416)
Windows Live Sign-in Assistant (Version: 5.000.818.6)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3 (Version: 20080414.031525)
WinRAR archiver
WM Capture
ZENcast Organizer

========================= Memory info: ===================================

Percentage of memory in use: 34%
Total physical RAM: 2047.17 MB
Available physical RAM: 1350.12 MB
Total Pagefile: 3940.11 MB
Available Pagefile: 3294.36 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.83 MB

========================= Partitions: =====================================

2 Drive c: (Windows) (Fixed) (Total:228.49 GB) (Free:99.72 GB) NTFS

========================= Users: ========================================

User accounts for \\SKRUTTIS

Administrator ASPNET Guest
HelpAssistant IUSR_YOUR-A97EC67E86 IWAM_YOUR-A97EC67E86
Matt SUPPORT_388945a0


**** End of log ****



=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Once the program has loaded, select Perform quick scan, then click Scan.
=============================================================================


I know it says quick scan but a full scan was close to finishing:

>Malwarebytes' Anti-Malware 1.51.2.1300
>www.malwarebytes.org

>Database version: 7874

>Windows 5.1.2600 Service Pack 3
>Internet Explorer 8.0.6001.18702

>05/10/2011 19:00:17
>mbam-log-2011-10-05 (19-00-17).txt

>Scan type: Full scan (C:\|)
>Objects scanned: 294242
>Time elapsed: 1 hour(s), 23 minute(s), 16 second(s)

>Memory Processes Infected: 0
>Memory Modules Infected: 0
>Registry Keys Infected: 0
>Registry Values Infected: 0
>Registry Data Items Infected: 0
>Folders Infected: 0
>Files Infected: 0

>Memory Processes Infected:
>(No malicious items detected)

>Memory Modules Infected:
>(No malicious items detected)

>Registry Keys Infected:
>(No malicious items detected)

>Registry Values Infected:
>(No malicious items detected)

>Registry Data Items Infected:
>(No malicious items detected)

>Folders Infected:
>(No malicious items detected)

>Files Infected:
>(No malicious items detected)


Please download GMER from one of the following locations and save it to your desktop:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-05 19:57:03
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 ST3250820AS rev.3.AAE
Running: o28un0uk.exe; Driver: C:\DOCUME~1\Matt\LOCALS~1\Temp\fwlyypob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB71F1360, 0x3D46A5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1400] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\Explorer.EXE[1400] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F4000A
.text C:\WINDOWS\Explorer.EXE[1400] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C1000C
.text C:\WINDOWS\System32\svchost.exe[1588] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DF000A
.text C:\WINDOWS\System32\svchost.exe[1588] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E0000A
.text C:\WINDOWS\System32\svchost.exe[1588] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DE000C
.text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01FB000A
.text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 01FC000A
.text C:\WINDOWS\System32\svchost.exe[1588] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 0235000A
.text C:\WINDOWS\System32\svchost.exe[1588] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 01FA000A
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2608] USER32.dll!SetScrollInfo 7E419056 5 Bytes JMP 0128E144 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2608] USER32.dll!GetScrollInfo 7E42DFE2 5 Bytes JMP 0128E0C0 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2608] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 0128E1C8 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2608] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 0128E0EC C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2608] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 0128E170 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2608] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 0128E118 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2608] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 0128E19C C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2608] USER32.dll!EnableScrollBar 7E468005 5 Bytes JMP 0128E094 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0162000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3624] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0163000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3624] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0150000C

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B7110928] \??\C:\WINDOWS\system32\Drivers\AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B7110928] \??\C:\WINDOWS\system32\Drivers\AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B7110928] \??\C:\WINDOWS\system32\Drivers\AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B7110928] \??\C:\WINDOWS\system32\Drivers\AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B7110928] \??\C:\WINDOWS\system32\Drivers\AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B7110928] \??\C:\WINDOWS\system32\Drivers\AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B7110928] \??\C:\WINDOWS\system32\Drivers\AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)

Device \Driver\Tcpip \Device\Ip AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\Tcp AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A75A31B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A75A31B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A75A31B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A75A31B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A75A31B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-e 8A75A31B
Device \Driver\Tcpip \Device\Udp AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\RawIp AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\IPMULTICAST AfwCore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \FileSystem\Fastfat \Fat BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000ea134c705 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000ea134c705
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000ea134c705 (not active ControlSet)
Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@c!s!j!\30!\22!s!t!i!\30!t!y!f!\22!\24!\30!i! 71230

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior


---- EOF - GMER 1.0.15 ----
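A log like the one above can be triaged mechanically. The following Python example is added here and is not part of this thread, of GMER, or of BullGuard; it parses a subset of lines copied verbatim from the GMER output above. It separates inline hooks whose JMP target GMER attributed to a named module (the BullGuard scrollbar DLL, that product's own hook) from hooks whose target carries no module path at all, groups the latter by process, and picks up the TDL4 MBR verdict from the "Disk sectors" section. Reading a missing trailing "path (description)" as "GMER could not attribute the jump target to any loaded module" is an assumption about the output format, not something the tool documents on this page.

```python
"""Triage helper for GMER 'User code sections' and 'Disk sectors' output.

Added example for this thread; it is not part of GMER, BullGuard or TDSSKiller.
Assumption: when GMER prints a JMP hook without a trailing "<path> (<description>)",
it could not attribute the jump target to any loaded module, so the hook lands in
anonymous memory (a typical sign of injected code) rather than in a known DLL.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied verbatim from the GMER log above.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1400] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\System32\svchost.exe[1588] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E0000A
.text C:\WINDOWS\System32\svchost.exe[1588] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 01FA000A
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[2608] USER32.dll!SetScrollInfo 7E419056 5 Bytes JMP 0128E144 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3624] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0150000C

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""

# One user-mode inline hook line:
#   .text <image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<path> (<description>)]
# The kernel-section line ("... section is writeable [0x...]") deliberately does not match.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<export>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<path>.+?)\s+\((?P<desc>[^)]*)\))?\s*$"
)

# One disk-sector verdict line:  Disk <device> <finding>
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<finding>.+?)\s*$")


def parse_hooks(log_text):
    """Return one dict per user-mode hook line; 'unbacked' is True when no module path was printed."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hook = m.groupdict()
        hook["pid"] = int(hook["pid"])
        hook["unbacked"] = hook["path"] is None
        hooks.append(hook)
    return hooks


def parse_disk_findings(log_text):
    """Return the 'Disk ...' verdict lines as dicts with device and finding text."""
    findings = []
    for line in log_text.splitlines():
        m = DISK_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def triage(log_text):
    """Group unbacked hooks by process, keep module-backed hooks apart, and flag an MBR rootkit verdict."""
    hooks = parse_hooks(log_text)
    disk = parse_disk_findings(log_text)
    unbacked = defaultdict(list)
    backed = []
    for h in hooks:
        if h["unbacked"]:
            unbacked[(h["image"], h["pid"])].append(f'{h["module"]}!{h["export"]}')
        else:
            backed.append((h["image"], h["export"], h["desc"]))
    return {
        "unbacked_hooks": dict(unbacked),
        "module_backed_hooks": backed,
        "mbr_rootkit": any("ROOTKIT" in f["finding"] for f in disk),
        "disk_findings": [f["finding"] for f in disk],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("MBR rootkit verdict present:", result["mbr_rootkit"])
    for (image, pid), exports in result["unbacked_hooks"].items():
        print(f"{image} [{pid}] hooks into unbacked memory: {', '.join(exports)}")
    for image, export, desc in result["module_backed_hooks"]:
        print(f"{image} hook on {export} attributed to: {desc}")
```

Run against the full log in the post, the same three ntdll exports show up hooked into unattributed memory in Explorer, svchost and Firefox alike, which is the pattern worth escalating; the BullGuard hooks resolve to a named product DLL and are expected for that software.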

#7 John Knee (Topic Starter)

Posted 05 October 2011 - 02:21 PM

Sorry about the multi postings.... The connection on the dodgy PC kept dying... I e-mailed over a .txt file to a clean computer and pasted it in from there....

Oh, and there is svchost.exe running at 50% CPU constantly.... Size about 250,000 in memory usage... I'm sure it started up when I tried to post the above etc.

#8 Broni (BC Advisor)

Posted 05 October 2011 - 02:22 PM

I still need Security Check log.

Then....

Download TDSSKiller and save it to your desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

#9 John Knee (Topic Starter)

Posted 05 October 2011 - 02:58 PM

From SECURITY CHECK log...

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
BullGuard 8.5
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
Java™ 6 Update 21
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.3.183.10
Adobe Reader 7.1.0
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.23)
Mozilla Thunderbird (2.0.0) Thunderbird Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````End of Log````````````

-----------------------------

From TDSSKiller log:

20:41:07.0109 1176 TDSS rootkit removing tool 2.6.4.0 Oct 3 2011 17:37:01
20:41:09.0109 1176 ============================================================
20:41:09.0109 1176 Current date / time: 2011/10/05 20:41:09.0109
20:41:09.0109 1176 SystemInfo:
20:41:09.0109 1176
20:41:09.0109 1176 OS Version: 5.1.2600 ServicePack: 3.0
20:41:09.0109 1176 Product type: Workstation
20:41:09.0109 1176 ComputerName: SKRUTTIS
20:41:09.0109 1176 UserName: Matt
20:41:09.0109 1176 Windows directory: C:\WINDOWS
20:41:09.0109 1176 System windows directory: C:\WINDOWS
20:41:09.0109 1176 Processor architecture: Intel x86
20:41:09.0109 1176 Number of processors: 2
20:41:09.0109 1176 Page size: 0x1000
20:41:09.0109 1176 Boot type: Normal boot
20:41:09.0109 1176 ============================================================
20:41:15.0296 1176 Initialize success
20:41:26.0250 2876 ============================================================
20:41:26.0250 2876 Scan started
20:41:26.0250 2876 Mode: Manual;
20:41:26.0250 2876 ============================================================
20:41:30.0328 2876 Abiosdsk - ok
20:41:30.0437 2876 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
20:41:30.0453 2876 abp480n5 - ok
20:41:31.0125 2876 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:41:31.0125 2876 ACPI - ok
20:41:31.0218 2876 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:41:31.0250 2876 ACPIEC - ok
20:41:31.0703 2876 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
20:41:31.0734 2876 adpu160m - ok
20:41:32.0421 2876 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:41:32.0453 2876 aec - ok
20:41:33.0312 2876 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
20:41:33.0328 2876 AFD - ok
20:41:33.0796 2876 afw (52b095044e73df356d814234c3003b74) C:\WINDOWS\system32\DRIVERS\afw.sys
20:41:33.0812 2876 afw - ok
20:41:33.0921 2876 AfwCore (795f71e771adff833a8cfaa6537fc7c0) C:\WINDOWS\system32\Drivers\AfwCore.sys
20:41:33.0984 2876 AfwCore - ok
20:41:34.0140 2876 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
20:41:34.0156 2876 agp440 - ok
20:41:34.0421 2876 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
20:41:34.0421 2876 agpCPQ - ok
20:41:34.0531 2876 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
20:41:34.0546 2876 Aha154x - ok
20:41:34.0828 2876 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
20:41:34.0843 2876 aic78u2 - ok
20:41:34.0937 2876 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
20:41:34.0953 2876 aic78xx - ok
20:41:35.0109 2876 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
20:41:35.0109 2876 AliIde - ok
20:41:35.0375 2876 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
20:41:35.0390 2876 alim1541 - ok
20:41:35.0453 2876 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
20:41:35.0468 2876 amdagp - ok
20:41:35.0578 2876 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
20:41:35.0593 2876 amsint - ok
20:41:35.0703 2876 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
20:41:35.0718 2876 asc - ok
20:41:35.0906 2876 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
20:41:35.0921 2876 asc3350p - ok
20:41:36.0031 2876 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
20:41:36.0046 2876 asc3550 - ok
20:41:36.0140 2876 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:41:36.0140 2876 AsyncMac - ok
20:41:36.0187 2876 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:41:36.0187 2876 atapi - ok
20:41:36.0218 2876 Atdisk - ok
20:41:36.0281 2876 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:41:36.0281 2876 Atmarpc - ok
20:41:36.0390 2876 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:41:36.0406 2876 audstub - ok
20:41:36.0468 2876 BdFileSpy (8c455a0b7bcd2bec2919a4da525d53bd) C:\WINDOWS\system32\drivers\BdFileSpy.sys
20:41:36.0484 2876 BdFileSpy - ok
20:41:36.0531 2876 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:41:36.0562 2876 Beep - ok
20:41:37.0156 2876 bfastfao - ok
20:41:37.0312 2876 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
20:41:37.0312 2876 BthEnum - ok
20:41:37.0515 2876 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
20:41:37.0531 2876 BTHMODEM - ok
20:41:37.0656 2876 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
20:41:37.0656 2876 BthPan - ok
20:41:37.0796 2876 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
20:41:37.0859 2876 BTHPORT - ok
20:41:38.0203 2876 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
20:41:38.0203 2876 BTHUSB - ok
20:41:38.0453 2876 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
20:41:38.0468 2876 cbidf - ok
20:41:38.0703 2876 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:41:38.0703 2876 cbidf2k - ok
20:41:39.0531 2876 CCDECODE (fdc06e2ada8c468ebb161624e03976cf) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:41:39.0562 2876 CCDECODE - ok
20:41:40.0187 2876 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
20:41:40.0187 2876 cd20xrnt - ok
20:41:40.0390 2876 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:41:40.0421 2876 Cdaudio - ok
20:41:40.0671 2876 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:41:40.0734 2876 Cdfs - ok
20:41:40.0968 2876 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:41:40.0968 2876 Cdrom - ok
20:41:41.0625 2876 Changer - ok
20:41:41.0921 2876 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
20:41:41.0921 2876 CmdIde - ok
20:41:42.0156 2876 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
20:41:42.0156 2876 Cpqarray - ok
20:41:42.0218 2876 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
20:41:42.0234 2876 dac2w2k - ok
20:41:42.0265 2876 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
20:41:42.0265 2876 dac960nt - ok
20:41:42.0312 2876 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:41:42.0312 2876 Disk - ok
20:41:42.0390 2876 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:41:42.0609 2876 dmboot - ok
20:41:42.0703 2876 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:41:42.0703 2876 dmio - ok
20:41:42.0984 2876 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:41:42.0984 2876 dmload - ok
20:41:43.0234 2876 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:41:43.0234 2876 DMusic - ok
20:41:43.0343 2876 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
20:41:43.0343 2876 dpti2o - ok
20:41:43.0687 2876 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:41:43.0703 2876 drmkaud - ok
20:41:44.0203 2876 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:41:44.0312 2876 Fastfat - ok
20:41:45.0000 2876 fasttx2k (3acbc73531dedd69837fe73b1623d49c) C:\WINDOWS\system32\DRIVERS\fasttx2k.sys
20:41:45.0046 2876 fasttx2k - ok
20:41:45.0500 2876 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:41:45.0531 2876 Fdc - ok
20:41:45.0968 2876 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:41:46.0000 2876 Fips - ok
20:41:46.0484 2876 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:41:46.0500 2876 Flpydisk - ok
20:41:46.0609 2876 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:41:46.0671 2876 FltMgr - ok
20:41:46.0765 2876 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:41:46.0796 2876 Fs_Rec - ok
20:41:46.0984 2876 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:41:47.0000 2876 Ftdisk - ok
20:41:47.0359 2876 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:41:47.0390 2876 Gpc - ok
20:41:47.0671 2876 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:41:47.0687 2876 HDAudBus - ok
20:41:47.0937 2876 HidBth (7bd2de4c85eb4241eed57672b16a7d8d) C:\WINDOWS\system32\DRIVERS\hidbth.sys
20:41:47.0953 2876 HidBth - ok
20:41:48.0093 2876 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:41:48.0093 2876 HidUsb - ok
20:41:48.0265 2876 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
20:41:48.0265 2876 hpn - ok
20:41:48.0343 2876 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:41:48.0343 2876 HTTP - ok
20:41:48.0468 2876 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
20:41:48.0484 2876 i2omgmt - ok
20:41:48.0640 2876 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
20:41:48.0640 2876 i2omp - ok
20:41:48.0750 2876 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:41:48.0765 2876 i8042prt - ok
20:41:49.0093 2876 ialm (85d42b7f0dd406adf5e3ec7659a279ec) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
20:41:49.0187 2876 ialm - ok
20:41:49.0281 2876 iaStor (c9f030a5e43aedfabe0a39df0a0dcbeb) C:\WINDOWS\system32\DRIVERS\iaStor.sys
20:41:49.0296 2876 iaStor - ok
20:41:49.0375 2876 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:41:49.0390 2876 Imapi - ok
20:41:49.0484 2876 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
20:41:49.0484 2876 ini910u - ok
20:41:49.0718 2876 IntcAzAudAddService (60d7460b07012d364ced11dd9fd83e1f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
20:41:49.0859 2876 IntcAzAudAddService - ok
20:41:50.0078 2876 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
20:41:50.0078 2876 IntelIde - ok
20:41:50.0187 2876 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:41:50.0203 2876 intelppm - ok
20:41:50.0250 2876 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:41:50.0250 2876 Ip6Fw - ok
20:41:50.0421 2876 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:41:50.0421 2876 IpFilterDriver - ok
20:41:50.0546 2876 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:41:50.0546 2876 IpInIp - ok
20:41:50.0593 2876 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:41:50.0609 2876 IpNat - ok
20:41:50.0843 2876 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:41:50.0859 2876 IPSec - ok
20:41:50.0921 2876 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:41:50.0921 2876 IRENUM - ok
20:41:50.0984 2876 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:41:50.0984 2876 isapnp - ok
20:41:51.0125 2876 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:41:51.0140 2876 Kbdclass - ok
20:41:51.0203 2876 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:41:51.0203 2876 kbdhid - ok
20:41:51.0250 2876 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:41:51.0250 2876 kmixer - ok
20:41:51.0312 2876 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:41:51.0328 2876 KSecDD - ok
20:41:51.0375 2876 Lbd - ok
20:41:51.0421 2876 lbrtfdc - ok
20:41:51.0500 2876 m5287 (fc969e4e53c602884958a5fdffc53526) C:\WINDOWS\system32\DRIVERS\m5287.sys
20:41:51.0500 2876 m5287 - ok
20:41:51.0562 2876 m5289 (2424b13987360840b4bf4e5fb5a66d3f) C:\WINDOWS\system32\DRIVERS\m5289.sys
20:41:51.0562 2876 m5289 - ok
20:41:51.0671 2876 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
20:41:51.0671 2876 MHNDRV - ok
20:41:51.0843 2876 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:41:51.0875 2876 mnmdd - ok
20:41:53.0593 2876 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:41:53.0625 2876 Modem - ok
20:41:55.0375 2876 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:41:55.0390 2876 Mouclass - ok
20:41:56.0015 2876 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:41:56.0093 2876 mouhid - ok
20:41:56.0921 2876 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:41:57.0078 2876 MountMgr - ok
20:41:57.0859 2876 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
20:41:57.0875 2876 mraid35x - ok
20:41:58.0484 2876 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:41:58.0625 2876 MRxDAV - ok
20:41:59.0187 2876 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:41:59.0359 2876 MRxSmb - ok
20:42:00.0203 2876 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:42:00.0265 2876 Msfs - ok
20:42:01.0281 2876 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:42:01.0281 2876 MSKSSRV - ok
20:42:01.0906 2876 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:42:01.0921 2876 MSPCLOCK - ok
20:42:02.0312 2876 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:42:02.0312 2876 MSPQM - ok
20:42:02.0671 2876 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:42:02.0671 2876 mssmbios - ok
20:42:03.0468 2876 MSTEE (d5059366b361f0e1124753447af08aa2) C:\WINDOWS\system32\drivers\MSTEE.sys
20:42:03.0500 2876 MSTEE - ok
20:42:03.0734 2876 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
20:42:03.0750 2876 MTsensor - ok
20:42:04.0171 2876 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:42:04.0390 2876 Mup - ok
20:42:04.0906 2876 NABTSFEC (ac31b352ce5e92704056d409834beb74) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:42:04.0937 2876 NABTSFEC - ok
20:42:05.0359 2876 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:42:05.0843 2876 NDIS - ok
20:42:06.0515 2876 NdisIP (abd7629cf2796250f315c1dd0b6cf7a0) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:42:06.0562 2876 NdisIP - ok
20:42:07.0609 2876 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:42:07.0656 2876 NdisTapi - ok
20:42:08.0156 2876 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:42:08.0171 2876 Ndisuio - ok
20:42:08.0843 2876 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:42:08.0937 2876 NdisWan - ok
20:42:09.0984 2876 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:42:10.0078 2876 NDProxy - ok
20:42:10.0640 2876 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:42:10.0671 2876 NetBIOS - ok
20:42:11.0031 2876 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:42:11.0156 2876 NetBT - ok
20:42:11.0765 2876 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:42:11.0812 2876 Npfs - ok
20:42:12.0859 2876 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:42:13.0468 2876 Ntfs - ok
20:42:13.0875 2876 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:42:13.0921 2876 Null - ok
20:42:16.0453 2876 nv (bf506d232c5e6f2dae80f5c11b45c60e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:42:20.0296 2876 nv - ok
20:42:21.0062 2876 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:42:21.0093 2876 NwlnkFlt - ok
20:42:21.0500 2876 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:42:21.0515 2876 NwlnkFwd - ok
20:42:22.0234 2876 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:42:22.0234 2876 Parport - ok
20:42:22.0734 2876 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:42:22.0750 2876 PartMgr - ok
20:42:23.0218 2876 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:42:23.0296 2876 ParVdm - ok
20:42:23.0906 2876 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:42:23.0937 2876 PCI - ok
20:42:24.0250 2876 PCIDump - ok
20:42:24.0703 2876 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:42:24.0734 2876 PCIIde - ok
20:42:25.0187 2876 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:42:25.0343 2876 Pcmcia - ok
20:42:25.0562 2876 PDCOMP - ok
20:42:25.0750 2876 PDFRAME - ok
20:42:26.0187 2876 PDRELI - ok
20:42:26.0671 2876 PDRFRAME - ok
20:42:27.0375 2876 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
20:42:27.0375 2876 perc2 - ok
20:42:28.0093 2876 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
20:42:28.0093 2876 perc2hib - ok
20:42:29.0671 2876 ppa (411923a60e1fc2b136c77e6d50fc69bd) C:\WINDOWS\system32\DRIVERS\ppa.sys
20:42:29.0796 2876 ppa - ok
20:42:30.0296 2876 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:42:30.0328 2876 PptpMiniport - ok
20:42:30.0890 2876 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
20:42:30.0906 2876 Processor - ok
20:42:31.0187 2876 Profos (de11f5c3e9bda993b65e1518d46bc438) C:\Program Files\BullGuard Ltd\BullGuard\antirootkit\profos.sys
20:42:31.0343 2876 Profos - ok
20:42:32.0093 2876 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:42:32.0109 2876 PSched - ok
20:42:32.0718 2876 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:42:32.0734 2876 Ptilink - ok
20:42:33.0359 2876 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:42:33.0421 2876 PxHelp20 - ok
20:42:34.0500 2876 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
20:42:34.0515 2876 ql1080 - ok
20:42:35.0718 2876 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
20:42:35.0718 2876 Ql10wnt - ok
20:42:36.0968 2876 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
20:42:37.0046 2876 ql12160 - ok
20:42:37.0406 2876 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
20:42:37.0671 2876 ql1240 - ok
20:42:38.0250 2876 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
20:42:38.0312 2876 ql1280 - ok
20:42:39.0062 2876 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:42:39.0062 2876 RasAcd - ok
20:42:40.0218 2876 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:42:40.0218 2876 Rasl2tp - ok
20:42:40.0968 2876 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:42:41.0000 2876 RasPppoe - ok
20:42:41.0750 2876 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:42:41.0796 2876 Raspti - ok
20:42:43.0046 2876 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:42:43.0046 2876 Rdbss - ok
20:42:44.0156 2876 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:42:44.0187 2876 RDPCDD - ok
20:42:45.0156 2876 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:42:45.0187 2876 rdpdr - ok
20:42:45.0890 2876 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
20:42:46.0093 2876 RDPWD - ok
20:42:46.0859 2876 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:42:46.0937 2876 redbook - ok
20:42:47.0796 2876 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
20:42:47.0843 2876 RFCOMM - ok
20:42:48.0703 2876 RTL8023xp (1e11171c0b9989e1bdaa59e96b2e81c4) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
20:42:48.0750 2876 RTL8023xp - ok
20:42:50.0125 2876 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:42:50.0125 2876 Secdrv - ok
20:42:51.0578 2876 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:42:51.0593 2876 Serenum - ok
20:42:51.0875 2876 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
20:42:52.0156 2876 Serial - ok
20:42:52.0546 2876 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:42:52.0578 2876 Sfloppy - ok
20:42:52.0968 2876 Simbad - ok
20:42:53.0296 2876 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
20:42:53.0328 2876 sisagp - ok
20:42:53.0578 2876 SLIP (1ffc44d6787ec1ea9a2b1440a90fa5c1) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:42:53.0593 2876 SLIP - ok
20:42:53.0828 2876 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
20:42:53.0843 2876 Sparrow - ok
20:42:54.0625 2876 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:42:54.0640 2876 splitter - ok
20:42:57.0984 2876 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:42:58.0000 2876 sr - ok
20:42:59.0140 2876 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:42:59.0625 2876 Srv - ok
20:43:00.0375 2876 streamip (a9f9fd0212e572b84edb9eb661f6bc04) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:43:00.0390 2876 streamip - ok
20:43:01.0281 2876 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:43:01.0296 2876 swenum - ok
20:43:01.0781 2876 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:43:01.0812 2876 swmidi - ok
20:43:02.0468 2876 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
20:43:45.0062 2876 MBR (0x1B8) (035ce1c0bf49cb716bd6db7a4cf480b7) \Device\Harddisk0\DR0
20:43:45.0062 2876 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
20:43:45.0062 2876 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
20:43:45.0093 2876 Boot (0x1200) (97484e0ff60b719e0777120dbe9cc6b6) \Device\Harddisk0\DR0\Partition0
20:43:45.0093 2876 \Device\Harddisk0\DR0\Partition0 - ok
20:43:46.0234 2876 ============================================================
20:43:46.0234 2876 Scan finished
20:43:46.0234 2876 ============================================================
20:43:50.0500 3152 Detected object count: 1
20:43:50.0500 3152 Actual detected object count: 1
20:44:13.0765 3152 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
20:44:13.0765 3152 \Device\Harddisk0\DR0 - ok
20:44:13.0765 3152 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
20:45:27.0437 1220 Deinitialize success


When I closed down, it didn't close down completely and, having shut all programmes down, just kept displaying my wallpaper.... I did a soft reset and re-ran TDSSKiller and it didn't detect anything. Do you wish me to post the follow-up clear scan?

#10 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,725 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:12 PM

Posted 05 October 2011 - 04:25 PM

That's fine. How is redirection?

Let's double check...

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

My Website

My help doesn't cost a penny, but if you'd like to consider a donation, click here.


#11 John Knee

  • Topic Starter
  • Members
  • 96 posts
  • OFFLINE
  • Local time:05:12 AM

Posted 05 October 2011 - 04:37 PM

Re-direct seems to be ok now...

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
==============================================
>Stealth
==============================================


Nothing detected :(

#12 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,725 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:12 PM

Posted 05 October 2011 - 04:41 PM

Good :)

Now we have to restore missing "hosts" file.

Open Notepad.
Paste the following text into it:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#  	102.54.94.97 	rhino.acme.com      	# source server
#   	38.25.63.10 	x.acme.com          	# x client host

127.0.0.1   	localhost

Go File>Save As and...

1. Name the file hosts. (no extension; make sure there is just a "dot" at the end <--- VERY IMPORTANT!)
2. Make sure "Save as type:" is set to "All Files (*.*)"
3. Make sure the file is saved to the C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder


Then...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    :dir
    C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


#13 John Knee

  • Topic Starter
  • Members
  • 96 posts
  • OFFLINE
  • Local time:05:12 AM

Posted 05 October 2011 - 04:45 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 22:47 on 05/10/2011 by Matt
Administrator - Elevation successful

========== dir ==========

C:\WINDOWS\SYSTEM32\DRIVERS\ETC - Parameters: "(none)"

---Files---
hosts --a---- 711 bytes [21:46 05/10/2011] [21:46 05/10/2011]
hosts..txt --a---- 711 bytes [21:44 05/10/2011] [21:44 05/10/2011]
hosts.msn --a---- 734 bytes [16:39 23/07/2007] [19:00 10/08/2004]
lmhosts.sam --a---- 3683 bytes [17:56 07/03/2019] [19:00 10/08/2004]
networks --a---- 407 bytes [17:56 07/03/2019] [19:00 10/08/2004]
protocol --a---- 799 bytes [17:56 07/03/2019] [19:00 10/08/2004]
services --a---- 7116 bytes [17:56 07/03/2019] [19:00 10/08/2004]

---Folders---
None found.

-= EOF =-

Edited by John Knee, 05 October 2011 - 04:47 PM.
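Following the hosts-file restoration steps in post #12 and the SystemLook listing above, here is an added example (my own code, not part of this thread or any BleepingComputer tool) that audits a hosts file the way a helper would eyeball it: it parses the text, flags every mapping other than loopback to localhost, and checks the drivers\etc listing for a correctly named hosts file. The sample hosts text (the default Microsoft content plus one constructed redirect line) and the directory listing are constructed.

```python
"""Audit a Windows hosts file and its directory after a redirect cleanup.

Added example for this thread, not a BleepingComputer or Broni tool: redirect
malware such as the TDL4 family can point well-known domains at attacker-chosen
addresses via drivers\\etc\\hosts, and a restored copy saved under the wrong
name (the listing above shows a stray 'hosts..txt') is never read at all.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Only these names may legitimately map to a loopback address in a clean file.
LOOPBACK_NAMES = {"localhost"}

# Constructed sample: the default Microsoft hosts text from post #12 plus one
# injected redirect line (RFC 5737 test address, reserved example domain).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
192.0.2.10      www.example.com     # injected redirect (constructed)
"""

# Constructed directory listing modelled on the SystemLook output above.
SAMPLE_LISTING = ["hosts", "hosts..txt", "hosts.msn", "lmhosts.sam",
                  "networks", "protocol", "services"]


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) per mapping line; '#' comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue  # address with no hostname: inert, nothing to resolve
        entries.append((fields[0], fields[1:]))
    return entries


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Flag every (address, hostname) pair that is not loopback -> localhost.
    A real domain pointed elsewhere is the classic hosts-file hijack."""
    flagged = []
    for addr, names in parse_hosts(text):
        try:
            is_loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            is_loopback = False  # not a valid IP at all; report it too
        for name in names:
            if not (is_loopback and name.lower() in LOOPBACK_NAMES):
                flagged.append((addr, name))
    return flagged


def check_hosts_dir(filenames: List[str]) -> Dict[str, List[str]]:
    """Check a drivers\\etc listing for a file named exactly 'hosts'.
    Saving from Notepad without 'All Files' appends .txt (hosts.txt or
    hosts..txt); the resolver never reads those, so they are reported."""
    names = [f.lower() for f in filenames]
    lookalikes = [f for f in filenames if re.fullmatch(r"hosts\.+txt", f.lower())]
    missing = [] if "hosts" in names else ["hosts"]
    return {"missing": missing, "lookalikes": lookalikes}


if __name__ == "__main__":
    print("suspicious mappings:", suspicious_entries(SAMPLE_HOSTS))
    print("directory check:", check_hosts_dir(SAMPLE_LISTING))
```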


#14 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,725 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:10:12 PM

Posted 05 October 2011 - 04:49 PM

Well done :)

Couple more steps...

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    NOTE. If Eset doesn't find any threats it'll NOT produce any log.


#15 John Knee

  • Topic Starter
  • Members
  • 96 posts
  • OFFLINE
  • Local time:05:12 AM

Posted 05 October 2011 - 06:27 PM

ESET Online Scanner didn't produce a report log so I take it all was clean?



