Many trojans, infected files...


  • This topic is locked
40 replies to this topic

#1 dawnzig

Posted 01 November 2011 - 05:46 PM

Where to start? Got this infected Compaq Presario laptop running XP SP3 from an elderly lady. Originally the browser was hijacked and continually redirecting so you couldn't go anywhere but to a Yahoo blogs search page. She had a Yahoo toolbar and remnants of a Google one that was non-functional. It was getting all kinds of popup error msgs ("Rundll Photo Gallery...installing"--related to her printer, and which I corrected; plus, "RUNDLL Error in InetCpl.cpl Missing entry ClearMyTracks By Process"), none of which it has anymore: see my removal processes below.

Her Norton Security Center (which was years out of date) had been disabled (found Disabled.Security Center# ANTIVIRUS DISABLE) though the services were still running (I disabled all Norton/Symantec svcs after that and had been trying to remove--so I could put on Avast--but am still unable to: "Fatal error during installation").

Her Windows Firewall had been running though I shut it off--had wanted to install Zone Alarm, but that's part of the problem: it wasn't letting me install anything at first (MBAM, SAS, HijackThis, nothing...).

Turned off system restore b/c it only had a few days' worth of logs and she'd been infected for a couple months.
She has zero personal files; and b/c the registry appeared so infected, I didn't put ERUNT on yet...

I had CCleaner on flash drive and got that to run, so cleaned the system first.

Then, got MBAM to run from the flash drive and it found (and 'healed') trojan.dropper/GEN-PHP, trojan.Agent/Gen, trojan.unclassified/Helper-DD.

Then I ran DrWeb CureIt which found 2 infected files: C:WINDOWS\Downloaded Program Files\Adware.MegaSearch (said it was "incurable-deleted") and C:WINDOWS\Downloaded Program Files|/invalid path to file (???--not sure I wrote this down correctly)--which it 'cured'.

Ran Trend Micro Housecall but it didn't find anything.

I was then able to get HijackThis to work and deleted
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: YSPManager - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - C:\Program Files\Yahoo!\Search Protection\ysp.dll (she didn't want the toolbars and it didn't appear in Add/Remove)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - (no file)
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -update activex (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -update activex (User 'Default user')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html (again, nothing in Add/Remove)
O9 - Extra button: (no name) - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O9 - Extra 'Tools' menuitem: Yahoo! Search Protection - {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - C:\Program Files\Yahoo!\Search Protection\ysp.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop

This file: O18 - Filter hijack: text/html - {2158d66c-28cd-4875-be73-a1c23454d955} - C:\WINDOWS\batmeter16.dll did not get removed even after checking it...

I had been able to start it in Safe Mode when I needed to, but it's now freezing on WINDOWS\System32\DRIVERS\mup.sys and just stays on the DOS screen at that file name.

During all these processes, some of the other error msgs that came up (after I'd gotten rid of the initial ones):
"Run a DLL as an App has encountered a problem and needs to close," "The file or directory C:\???? is corrupt and unreadable. Please run Chkdsk utility."--which it did and allegedly fixed. However, when I restart now, I've been getting chkdsk each time.

Ran Panda ActiveScan which said there were 76 infected files, but didn't show which or offer a cure.

Finally could install SAS, ran it and found/removed 3 ad cookies.

Ran MBAM again, it found: "Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5B4C3B43-49B6-42A7-A602-F7ACDCA0D409} (Adware.OneStepSearch)" -> No action taken.

Internet is painfully slow and bogs down unexpectedly but doesn't have any weird processes popping up in task manager every few seconds like it did before. Still can't download some programs, specifically if they need to run via a connection.

Anyway, it's time to put this to the real pros! :) Thanks so much for your help!! :inlove:

DDS:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Grace Lay at 14:11:06.15 on Tue 11/01/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.50 [GMT -4:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Norton Internet Security 2006 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Grace Lay\Desktop\helpers\dds -- shows runnin progs.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://start.verizon.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: text/html - {2158d66c-28cd-4875-be73-a1c23454d955} -
Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2011-10-31 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 EraserUtilDrv10633;EraserUtilDrv10633;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10633.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10633.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-1 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-27 198368]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-17 191848]
S4 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-9-17 202088]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-17 169320]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-6-19 1251720]

=============== Created Last 30 ================

2011-11-01 17:22:26 0 d-----w- c:\program files\SUPERAntiSpyware
2011-11-01 03:54:01 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2011-11-01 03:53:40 0 d-----w- c:\program files\Panda Security
2011-10-28 15:25:15 0 d-----w- c:\program files\WOT
2011-10-28 04:31:08 0 d-----w- c:\program files\trend micro
2011-10-27 21:54:09 0 d-----w- c:\docume~1\gracel~1\applic~1\SUPERAntiSpyware.com
2011-10-27 21:54:09 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-10-27 21:52:42 0 d-----w- c:\docume~1\gracel~1\applic~1\Malwarebytes
2011-10-27 21:52:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-10-27 21:52:28 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-27 21:52:27 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-27 21:17:24 0 d-----w- c:\windows\pss
2011-10-27 19:37:45 0 d-----w- c:\program files\CCleaner
2011-10-12 17:50:33 916 ----a-w- C:\DefragData.xml
2011-10-12 17:47:42 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-10-12 17:47:22 2295 ----a-w- c:\windows\PC2644115740230803.ini
2011-10-10 16:48:12 0 d-----w- C:\49df70fc61769767fe96

==================== Find3M ====================

2011-09-26 15:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:20 220160 ------w- c:\windows\system32\dllcache\oleacc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\dllcache\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-09 09:12:13 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-09-06 13:20:51 1858944 ------w- c:\windows\system32\dllcache\win32k.sys
2011-09-05 13:56:22 667136 ----a-w- c:\windows\system32\wininet.dll
2011-09-05 13:56:22 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2011-09-05 13:56:22 633344 ------w- c:\windows\system32\dllcache\urlmon.dll
2011-09-05 13:56:22 37888 ------w- c:\windows\system32\dllcache\url.dll
2011-09-05 13:56:22 1510400 ------w- c:\windows\system32\dllcache\shdocvw.dll
2011-09-05 13:56:21 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-09-05 13:56:21 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2011-09-05 13:56:21 532480 ----a-w- c:\windows\system32\dllcache\mstime.dll
2011-09-05 13:56:21 449536 ------w- c:\windows\system32\dllcache\mshtmled.dll
2011-09-05 13:56:21 3086336 ------w- c:\windows\system32\dllcache\mshtml.dll
2011-09-05 13:56:21 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
2011-09-05 13:56:21 1025024 ------w- c:\windows\system32\dllcache\browseui.dll
2011-08-17 13:49:54 138496 ------w- c:\windows\system32\dllcache\afd.sys
2011-08-12 17:51:26 26488 ----a-w- c:\windows\system32\spupdsvc.exe

============= FINISH: 14:11:53.53 ===============
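As an added example (not part of the post or of any BleepingComputer tool), a small Python triage script over the HijackThis-style and DDS "Pseudo HJT" lines pasted above: it flags orphaned entries that still point at "No File", MIME filter registrations such as the text/html one on batmeter16.dll, and binaries sitting directly in C:\WINDOWS rather than in system32 or a vendor folder. The sample lines are copied from the post; the three heuristics are the editor's assumptions for a first look, not a verdict.

```python
import re

# Constructed sample in the HijackThis / DDS "Pseudo HJT" line styles shown
# in the post; CLSIDs and paths are copied from the post, not invented.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O18 - Filter hijack: text/html - {2158d66c-28cd-4875-be73-a1c23454d955} - C:\WINDOWS\batmeter16.dll
BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
Filter: text/html - {2158d66c-28cd-4875-be73-a1c23454d955} -
mRun: [ehTray] c:\windows\ehome\ehtray.exe
uStart Page = hxxp://start.verizon.net/
"""

# Recognised prefixes: "O2 - BHO:", "O18 - Filter hijack:", "BHO:", "TB:",
# "mRun:" ...; anything else (e.g. "uStart Page = ...") is skipped.
KIND_RE = re.compile(r"^(O\d+ - [^:]+|[A-Za-z!]+):\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
NO_FILE = {"", "no file", "(no file)"}


def parse_entry(line):
    """Split one log line into kind / CLSID / file path; None if unrecognised."""
    line = line.strip()
    m = KIND_RE.match(line)
    if not m:
        return None
    kind, rest = m.group(1), m.group(2)
    c = CLSID_RE.search(rest)
    if c:
        clsid = c.group(0).lower()
        tail = rest[c.end():]                      # " - c:\path\x.dll" or " -"
    elif "]" in rest:                              # mRun: [name] c:\path\x.exe
        clsid, tail = None, rest.split("]", 1)[1]
    else:
        clsid, tail = None, rest
    path = re.sub(r"^\s*-\s*", "", tail).strip()   # drop the " - " separator
    return {"kind": kind, "clsid": clsid, "path": path, "raw": line}


def triage(line):
    """Return reason codes for an entry worth a closer look ([] = nothing odd)."""
    e = parse_entry(line)
    if e is None:
        return []
    reasons = []
    path = e["path"].lower()
    if path in NO_FILE:
        reasons.append("orphaned")        # registry still references a deleted file
    if "filter" in e["kind"].lower():
        reasons.append("mime-filter")     # text/html filter hijack as in the post
    root = "c:\\windows\\"
    rest = path[len(root):] if path.startswith(root) else None
    if rest is not None and "\\" not in rest:
        reasons.append("windows-root")    # binary dropped straight into C:\WINDOWS
    return reasons


def triage_log(text):
    """Run triage over a whole pasted log; returns [(raw line, reasons), ...]."""
    out = []
    for line in text.splitlines():
        r = triage(line)
        if r:
            out.append((line.strip(), r))
    return out


if __name__ == "__main__":
    for raw, reasons in triage_log(SAMPLE_LOG):
        print(", ".join(reasons).ljust(24), raw)
```

Entries flagged "orphaned" are the leftovers HijackThis is normally used to clear; a "mime-filter" hit on a DLL nobody recognises is the one that deserves a sample submitted to the helper.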


#2 CatByte

  • Malware Response Team

Posted 05 November 2011 - 05:08 PM

Hi,

Please don't do any other scans or removals while we are working together unless I request it, or it may interfere with a fix.

Please try the Norton removal tool, to remove all traces of Norton that remain

  • Download the appropriate Norton Removal Tool from HERE and save it to your desktop.
  • Next Double click on Norton_Removal_Tool.exe to run the tool.
  • Follow the on-screen instructions.
  • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.


NEXT

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 dawnzig

  • Topic Starter

Posted 05 November 2011 - 10:12 PM

Hi CatByte and thanks so much for helping!

I followed your instructions and got rid of Norton (oddly, I'd tried using that tool earlier in the healing/disinfection process and Norton Removal Tool wouldn't download).

Anyway, I then installed Combofix, which then repaired/reinstalled the Windows Recovery Console and went on to its scan, supposedly. However, it's now been almost 90 minutes and all I have is the screen that tells me the scan should last for 10 minutes or twice that for highly infected systems... and I don't see anything happening other than the hard drive light flickering on in one second intervals. Is Combofix stalled?

Edit 10 minutes later: it appears that the computer is locked up--the cursor won't move (Btw, I'm typing this from my own uninfected computer)--should I shut down and try again??

Thank you again SO much for your assistance. :D

Kindly,
Dawn(zig)

Edited by dawnzig, 05 November 2011 - 10:30 PM.


#4 CatByte

  • Malware Response Team

Posted 06 November 2011 - 07:33 AM

Hi,

Yes, ComboFix can take longer than expected sometimes.

If you have closed down your machine, then delete the copy of ComboFix that you have on your desktop, and download a fresh copy but rename it to svchost.exe before saving it, then run it.

If it still won't run, then run TDSSKiller first, then give ComboFix another try:


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 dawnzig

  • Topic Starter

Posted 06 November 2011 - 02:37 PM

Mornin' CatByte (I work nights! ;->),

Well, here are the developments. (And please forgive the weird paragraph breaks here, in using this computer, the auto-word-wrap isn't working....)

Anyway, per your instructions, tried ComboFix again, no good. Even after renaming. Used your link for TDSS and nothing happened whenever I tried to open/run it. So I went to Kaspersky and downloaded the zip file--however, I also had to rename it in order to do so--as the page would just sit otherwise. After unzipping, I renamed the program itself and got it to run.

The scan showed 0 infected files:

14:28:51.0230 4068 TDSS rootkit removing tool 2.6.15.0 Nov 3 2011 17:15:49
14:28:51.0667 4068 ============================================================
14:28:51.0667 4068 Current date / time: 2011/11/06 14:28:51.0667
14:28:51.0667 4068 SystemInfo:
14:28:51.0667 4068
14:28:51.0667 4068 OS Version: 5.1.2600 ServicePack: 3.0
14:28:51.0667 4068 Product type: Workstation
14:28:51.0667 4068 ComputerName: PC264411574023
14:28:51.0667 4068 UserName: Grace Lay
14:28:51.0667 4068 Windows directory: C:\WINDOWS
14:28:51.0667 4068 System windows directory: C:\WINDOWS
14:28:51.0667 4068 Processor architecture: Intel x86
14:28:51.0667 4068 Number of processors: 1
14:28:51.0667 4068 Page size: 0x1000
14:28:51.0667 4068 Boot type: Normal boot
14:28:51.0667 4068 ============================================================
14:28:53.0245 4068 Initialize success
14:29:00.0574 1356 ============================================================
14:29:00.0574 1356 Scan started
14:29:00.0574 1356 Mode: Manual;
14:29:00.0574 1356 ============================================================
14:29:02.0059 1356 Abiosdsk - ok
14:29:02.0137 1356 abp480n5 - ok
14:29:02.0231 1356 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:29:02.0246 1356 ACPI - ok
14:29:02.0481 1356 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
14:29:02.0481 1356 ACPIEC - ok
14:29:02.0637 1356 adpu160m - ok
14:29:02.0778 1356 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:29:02.0778 1356 aec - ok
14:29:02.0965 1356 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
14:29:02.0981 1356 AFD - ok
14:29:03.0090 1356 Aha154x - ok
14:29:03.0231 1356 aic78u2 - ok
14:29:03.0371 1356 aic78xx - ok
14:29:03.0637 1356 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
14:29:03.0637 1356 AliIde - ok
14:29:03.0746 1356 amsint - ok
14:29:03.0934 1356 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
14:29:03.0934 1356 Arp1394 - ok
14:29:04.0137 1356 asc - ok
14:29:04.0293 1356 asc3350p - ok
14:29:04.0387 1356 asc3550 - ok
14:29:04.0653 1356 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:29:04.0653 1356 AsyncMac - ok
14:29:04.0840 1356 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:29:04.0840 1356 atapi - ok
14:29:04.0934 1356 Atdisk - ok
14:29:05.0262 1356 ati2mtag (287b11a781f2b7a28f283fd4b7434daf) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
14:29:05.0325 1356 ati2mtag - ok
14:29:05.0590 1356 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:29:05.0590 1356 Atmarpc - ok
14:29:05.0778 1356 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:29:05.0778 1356 audstub - ok
14:29:05.0950 1356 BCM43XX (30d20fc98bcfd52e1da778cf19b223d4) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
14:29:05.0981 1356 BCM43XX - ok
14:29:06.0262 1356 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:29:06.0262 1356 Beep - ok
14:29:06.0465 1356 BTWUSB (e76dc88f00d50f46072feb2371769978) C:\WINDOWS\system32\Drivers\btwusb.sys
14:29:06.0465 1356 BTWUSB - ok
14:29:06.0622 1356 CAMCAUD (c2ef37f09cfee9665e6cd7c0b0afb84f) C:\WINDOWS\system32\drivers\camc6aud.sys
14:29:06.0622 1356 CAMCAUD - ok
14:29:06.0793 1356 CAMCHALA (512df898de5c0654647acd5c82f0bd99) C:\WINDOWS\system32\drivers\camc6hal.sys
14:29:06.0809 1356 CAMCHALA - ok
14:29:06.0965 1356 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:29:06.0965 1356 cbidf2k - ok
14:29:07.0122 1356 cd20xrnt - ok
14:29:07.0294 1356 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:29:07.0294 1356 Cdaudio - ok
14:29:07.0481 1356 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:29:07.0481 1356 Cdfs - ok
14:29:07.0653 1356 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:29:07.0653 1356 Cdrom - ok
14:29:07.0794 1356 Changer - ok
14:29:07.0872 1356 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
14:29:07.0872 1356 CmBatt - ok
14:29:07.0981 1356 CmdIde - ok
14:29:08.0169 1356 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:29:08.0184 1356 Compbatt - ok
14:29:08.0325 1356 Cpqarray - ok
14:29:08.0544 1356 dac2w2k - ok
14:29:08.0700 1356 dac960nt - ok
14:29:08.0872 1356 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:29:08.0872 1356 Disk - ok
14:29:09.0169 1356 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:29:09.0200 1356 dmboot - ok
14:29:09.0466 1356 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
14:29:09.0466 1356 dmio - ok
14:29:09.0731 1356 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:29:09.0731 1356 dmload - ok
14:29:09.0934 1356 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:29:09.0934 1356 DMusic - ok
14:29:10.0075 1356 dpti2o - ok
14:29:10.0356 1356 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:29:10.0356 1356 drmkaud - ok
14:29:10.0559 1356 eabfiltr (c6aca0190ee7b614673ee0c91863b1eb) C:\WINDOWS\system32\drivers\EABFiltr.sys
14:29:10.0559 1356 eabfiltr - ok
14:29:10.0700 1356 eabusb (da1011db09ad641de40cd5cca70c0c43) C:\WINDOWS\system32\drivers\eabusb.sys
14:29:10.0700 1356 eabusb - ok
14:29:10.0950 1356 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:29:10.0950 1356 Fastfat - ok
14:29:11.0169 1356 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
14:29:11.0169 1356 Fdc - ok
14:29:11.0419 1356 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:29:11.0419 1356 Fips - ok
14:29:11.0685 1356 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
14:29:11.0685 1356 Flpydisk - ok
14:29:11.0935 1356 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:29:11.0950 1356 FltMgr - ok
14:29:12.0200 1356 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:29:12.0200 1356 Fs_Rec - ok
14:29:12.0435 1356 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:29:12.0450 1356 Ftdisk - ok
14:29:12.0700 1356 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:29:12.0700 1356 Gpc - ok
14:29:12.0997 1356 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:29:12.0997 1356 HidUsb - ok
14:29:13.0200 1356 hpn - ok
14:29:13.0466 1356 HSFHWATI (14794f142befc962ab142584607a6631) C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
14:29:13.0482 1356 HSFHWATI - ok
14:29:13.0778 1356 HSF_DP (f99bb4e2b462198b2b0a82d0949f0c41) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
14:29:13.0841 1356 HSF_DP - ok
14:29:14.0122 1356 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:29:14.0138 1356 HTTP - ok
14:29:14.0341 1356 i2omgmt - ok
14:29:14.0560 1356 i2omp - ok
14:29:14.0825 1356 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:29:14.0825 1356 i8042prt - ok
14:29:15.0091 1356 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:29:15.0091 1356 Imapi - ok
14:29:15.0310 1356 ini910u - ok
14:29:15.0576 1356 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
14:29:15.0576 1356 IntelIde - ok
14:29:15.0810 1356 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:29:15.0810 1356 Ip6Fw - ok
14:29:15.0982 1356 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:29:15.0982 1356 IpFilterDriver - ok
14:29:16.0201 1356 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:29:16.0201 1356 IpInIp - ok
14:29:16.0451 1356 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:29:16.0466 1356 IpNat - ok
14:29:16.0701 1356 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:29:16.0716 1356 IPSec - ok
14:29:16.0951 1356 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:29:16.0951 1356 IRENUM - ok
14:29:17.0216 1356 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:29:17.0216 1356 isapnp - ok
14:29:17.0482 1356 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:29:17.0482 1356 Kbdclass - ok
14:29:17.0732 1356 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:29:17.0748 1356 kmixer - ok
14:29:17.0998 1356 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:29:17.0998 1356 KSecDD - ok
14:29:18.0248 1356 lbrtfdc - ok
14:29:18.0498 1356 MBAMSwissArmy - ok
14:29:18.0763 1356 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
14:29:18.0763 1356 mdmxsdk - ok
14:29:19.0029 1356 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
14:29:19.0029 1356 MHNDRV - ok
14:29:19.0279 1356 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:29:19.0279 1356 mnmdd - ok
14:29:19.0545 1356 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:29:19.0545 1356 Modem - ok
14:29:19.0795 1356 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:29:19.0795 1356 Mouclass - ok
14:29:20.0060 1356 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:29:20.0060 1356 mouhid - ok
14:29:20.0295 1356 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:29:20.0295 1356 MountMgr - ok
14:29:20.0513 1356 mraid35x - ok
14:29:20.0654 1356 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
14:29:20.0654 1356 MREMP50 - ok
14:29:20.0842 1356 MREMP50a64 - ok
14:29:21.0045 1356 MREMPR5 - ok
14:29:21.0248 1356 MRENDIS5 - ok
14:29:21.0389 1356 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
14:29:21.0389 1356 MRESP50 - ok
14:29:21.0576 1356 MRESP50a64 - ok
14:29:21.0842 1356 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:29:21.0857 1356 MRxDAV - ok
14:29:22.0123 1356 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:29:22.0139 1356 MRxSmb - ok
14:29:22.0404 1356 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:29:22.0404 1356 Msfs - ok
14:29:22.0670 1356 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:29:22.0670 1356 MSKSSRV - ok
14:29:22.0889 1356 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:29:22.0889 1356 MSPCLOCK - ok
14:29:23.0123 1356 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:29:23.0123 1356 MSPQM - ok
14:29:23.0357 1356 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:29:23.0357 1356 mssmbios - ok
14:29:23.0623 1356 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
14:29:23.0623 1356 Mup - ok
14:29:23.0904 1356 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:29:23.0904 1356 NDIS - ok
14:29:24.0139 1356 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:29:24.0154 1356 NdisTapi - ok
14:29:24.0404 1356 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:29:24.0404 1356 Ndisuio - ok
14:29:24.0654 1356 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:29:24.0670 1356 NdisWan - ok
14:29:24.0936 1356 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
14:29:24.0936 1356 NDProxy - ok
14:29:25.0186 1356 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:29:25.0201 1356 NetBIOS - ok
14:29:25.0451 1356 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:29:25.0467 1356 NetBT - ok
14:29:25.0733 1356 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
14:29:25.0733 1356 NIC1394 - ok
14:29:25.0998 1356 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:29:25.0998 1356 Npfs - ok
14:29:26.0295 1356 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:29:26.0326 1356 Ntfs - ok
14:29:26.0577 1356 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
14:29:26.0577 1356 NuidFltr - ok
14:29:26.0827 1356 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:29:26.0827 1356 Null - ok
14:29:27.0077 1356 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:29:27.0077 1356 NwlnkFlt - ok
14:29:27.0295 1356 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:29:27.0295 1356 NwlnkFwd - ok
14:29:27.0561 1356 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
14:29:27.0561 1356 ohci1394 - ok
14:29:27.0811 1356 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
14:29:27.0811 1356 Parport - ok
14:29:28.0061 1356 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:29:28.0061 1356 PartMgr - ok
14:29:28.0311 1356 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:29:28.0311 1356 ParVdm - ok
14:29:28.0561 1356 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys
14:29:28.0561 1356 pavboot - ok
14:29:28.0827 1356 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:29:28.0827 1356 PCI - ok
14:29:29.0014 1356 PCIDump - ok
14:29:29.0280 1356 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:29:29.0296 1356 PCIIde - ok
14:29:29.0546 1356 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
14:29:29.0546 1356 Pcmcia - ok
14:29:29.0780 1356 PDCOMP - ok
14:29:29.0983 1356 PDFRAME - ok
14:29:30.0186 1356 PDRELI - ok
14:29:30.0374 1356 PDRFRAME - ok
14:29:30.0577 1356 perc2 - ok
14:29:30.0796 1356 perc2hib - ok
14:29:31.0093 1356 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:29:31.0093 1356 PptpMiniport - ok
14:29:31.0343 1356 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
14:29:31.0343 1356 Processor - ok
14:29:31.0608 1356 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:29:31.0608 1356 PSched - ok
14:29:31.0858 1356 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:29:31.0858 1356 Ptilink - ok
14:29:32.0108 1356 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
14:29:32.0108 1356 PxHelp20 - ok
14:29:32.0311 1356 ql1080 - ok
14:29:32.0499 1356 Ql10wnt - ok
14:29:32.0702 1356 ql12160 - ok
14:29:32.0921 1356 ql1240 - ok
14:29:33.0124 1356 ql1280 - ok
14:29:33.0390 1356 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:29:33.0390 1356 RasAcd - ok
14:29:33.0640 1356 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:29:33.0655 1356 Rasl2tp - ok
14:29:33.0905 1356 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:29:33.0905 1356 RasPppoe - ok
14:29:34.0218 1356 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:29:34.0218 1356 Raspti - ok
14:29:34.0468 1356 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:29:34.0468 1356 Rdbss - ok
14:29:34.0733 1356 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:29:34.0733 1356 RDPCDD - ok
14:29:35.0015 1356 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:29:35.0015 1356 rdpdr - ok
14:29:35.0265 1356 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
14:29:35.0265 1356 RDPWD - ok
14:29:35.0515 1356 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:29:35.0515 1356 redbook - ok
14:29:35.0812 1356 RTL8023xp (7889e3981e0a5d347e037abd467d53a5) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
14:29:35.0812 1356 RTL8023xp - ok
14:29:36.0062 1356 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
14:29:36.0062 1356 rtl8139 - ok
14:29:36.0202 1356 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
14:29:36.0202 1356 SASDIFSV - ok
14:29:36.0234 1356 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
14:29:36.0234 1356 SASKUTIL - ok
14:29:36.0515 1356 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
14:29:36.0515 1356 sdbus - ok
14:29:36.0656 1356 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:29:36.0656 1356 Secdrv - ok
14:29:36.0843 1356 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
14:29:36.0843 1356 Serial - ok
14:29:37.0124 1356 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:29:37.0124 1356 Sfloppy - ok
14:29:37.0296 1356 Simbad - ok
14:29:37.0437 1356 Sparrow - ok
14:29:37.0703 1356 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:29:37.0703 1356 splitter - ok
14:29:37.0890 1356 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:29:37.0890 1356 sr - ok
14:29:38.0078 1356 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
14:29:38.0109 1356 Srv - ok
14:29:38.0374 1356 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:29:38.0374 1356 swenum - ok
14:29:38.0531 1356 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:29:38.0531 1356 swmidi - ok
14:29:38.0671 1356 symc810 - ok
14:29:38.0890 1356 symc8xx - ok
14:29:38.0937 1356 sym_hi - ok
14:29:39.0093 1356 sym_u3 - ok
14:29:39.0250 1356 SynTP (f484c77f748729129d5cc9c965d9f701) C:\WINDOWS\system32\DRIVERS\SynTP.sys
14:29:39.0250 1356 SynTP - ok
14:29:39.0500 1356 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:29:39.0500 1356 sysaudio - ok
14:29:39.0812 1356 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:29:39.0828 1356 Tcpip - ok
14:29:40.0062 1356 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:29:40.0062 1356 TDPIPE - ok
14:29:40.0281 1356 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:29:40.0281 1356 TDTCP - ok
14:29:40.0515 1356 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:29:40.0515 1356 TermDD - ok
14:29:40.0781 1356 tifm21 (9179e07503630d6fb2e4162ff0196191) C:\WINDOWS\system32\drivers\tifm21.sys
14:29:40.0781 1356 tifm21 - ok
14:29:41.0015 1356 TosIde - ok
14:29:41.0265 1356 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:29:41.0265 1356 Udfs - ok
14:29:41.0468 1356 ultra - ok
14:29:41.0750 1356 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:29:41.0765 1356 Update - ok
14:29:42.0031 1356 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:29:42.0031 1356 usbehci - ok
14:29:42.0281 1356 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:29:42.0281 1356 usbhub - ok
14:29:42.0531 1356 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
14:29:42.0547 1356 usbohci - ok
14:29:42.0781 1356 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:29:42.0781 1356 usbprint - ok
14:29:42.0969 1356 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:29:42.0969 1356 USBSTOR - ok
14:29:43.0125 1356 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:29:43.0125 1356 VgaSave - ok
14:29:43.0391 1356 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
14:29:43.0391 1356 ViaIde - ok
14:29:43.0578 1356 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:29:43.0578 1356 VolSnap - ok
14:29:43.0734 1356 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:29:43.0734 1356 Wanarp - ok
14:29:44.0000 1356 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
14:29:44.0031 1356 Wdf01000 - ok
14:29:44.0203 1356 WDICA - ok
14:29:44.0453 1356 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:29:44.0469 1356 wdmaud - ok
14:29:44.0750 1356 winachsf (214bc3ad84907ad6ad655ac5465f449a) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
14:29:44.0797 1356 winachsf - ok
14:29:45.0094 1356 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
14:29:45.0094 1356 WmiAcpi - ok
14:29:45.0156 1356 MBR (0x1B8) (5ae5a393505cffd37fe98c4a7922908d) \Device\Harddisk0\DR0
14:29:45.0172 1356 \Device\Harddisk0\DR0 - ok
14:29:45.0188 1356 Boot (0x1200) (b7fef17c2b10c23bdd20673e442f9b3f) \Device\Harddisk0\DR0\Partition0
14:29:45.0188 1356 \Device\Harddisk0\DR0\Partition0 - ok
14:29:45.0234 1356 Boot (0x1200) (beaf6f691601b2b23d16ccb69d03f1e4) \Device\Harddisk0\DR0\Partition1
14:29:45.0234 1356 \Device\Harddisk0\DR0\Partition1 - ok
14:29:45.0234 1356 ============================================================
14:29:45.0234 1356 Scan finished
14:29:45.0234 1356 ============================================================
14:29:45.0266 0564 Detected object count: 0
14:29:45.0266 0564 Actual detected object count: 0

Will be awaiting the next instructions. :)
Thanks,
dawn(zig)

#6 CatByte (bleepin' tiger, Malware Response Team, Canada)

Posted 06 November 2011 - 02:42 PM

Please run the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 dawnzig (Topic Starter, Members, Sunny Florida)

Posted 06 November 2011 - 03:37 PM

Here you go, CatByte:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-06 15:22:46
-----------------------------
15:22:46.591 OS Version: Windows 5.1.2600 Service Pack 3
15:22:46.591 Number of processors: 1 586 0x2C02
15:22:46.591 ComputerName: PC264411574023 UserName: Grace Lay
15:22:46.935 Initialize success
15:24:22.174 AVAST engine defs: 11110601
15:26:21.102 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:26:21.102 Disk 0 Vendor: WDC_WD600UE-22KVT0 01.03K01 Size: 57231MB BusType: 3
15:26:23.133 Disk 0 MBR read successfully
15:26:23.133 Disk 0 MBR scan
15:26:23.321 Disk 0 unknown MBR code
15:26:23.336 Disk 0 scanning sectors +117210240
15:26:23.368 Disk 0 scanning C:\WINDOWS\system32\drivers
15:26:39.665 Service scanning
15:26:41.353 Modules scanning
15:27:00.510 Disk 0 trace - called modules:
15:27:00.542 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:27:00.557 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x833ceab8]
15:27:00.573 3 CLASSPNP.SYS[f757efd7] -> nt!IofCallDriver -> \Device\00000071[0x8338b4a8]
15:27:00.963 5 ACPI.sys[f7415620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8338b5c0]
15:27:01.338 AVAST engine scan C:\WINDOWS
15:27:05.682 AVAST engine scan C:\WINDOWS\system32
15:29:22.158 AVAST engine scan C:\WINDOWS\system32\drivers
15:29:41.472 AVAST engine scan C:\Documents and Settings\Grace Lay
15:30:29.724 AVAST engine scan C:\Documents and Settings\All Users
15:31:10.867 Scan finished successfully
15:34:42.721 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Grace Lay\Desktop\MBR.dat"
15:34:42.768 The log file has been saved successfully to "C:\Documents and Settings\Grace Lay\Desktop\aswMBR.txt"

Attached file: MBR.zip (585 bytes)

#8 CatByte (bleepin' tiger, Malware Response Team, Canada)

Posted 06 November 2011 - 03:58 PM

Hi,

Please run the following:

Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIX button,
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.

#9 dawnzig (Topic Starter, Members, Sunny Florida)

Posted 06 November 2011 - 04:34 PM

Hi,

Yes, ComboFix can take longer than expected sometimes,

If you have closed down your machine, then delete the copy of combofix that you have on your desktop, and download a fresh copy but rename it to svchost.exe before saving it, then run it.

If it still won't run, then run TDSSKiller first, then give ComboFix another try:


Please download TDSSKiller.zip

  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



#10 dawnzig (Topic Starter, Members, Sunny Florida)

Posted 06 November 2011 - 04:36 PM

Hi CatByte,

Ran the scan, fixed MBR, but then forgot to save the log before rebooting... hope that doesn't mess things up!

Anyway, I reran the scan when it restarted:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-06 16:24:51
-----------------------------
16:24:51.296 OS Version: Windows 5.1.2600 Service Pack 3
16:24:51.296 Number of processors: 1 586 0x2C02
16:24:51.296 ComputerName: PC264411574023 UserName: Grace Lay
16:24:51.656 Initialize success
16:26:18.187 AVAST engine defs: 11110601
16:26:23.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:26:23.296 Disk 0 Vendor: WDC_WD600UE-22KVT0 01.03K01 Size: 57231MB BusType: 3
16:26:25.343 Disk 0 MBR read successfully
16:26:25.343 Disk 0 MBR scan
16:26:27.671 Disk 0 Windows XP default MBR code
16:26:27.687 Disk 0 scanning sectors +117210240
16:26:29.546 Disk 0 scanning C:\WINDOWS\system32\drivers
16:27:01.265 Service scanning
16:27:03.109 Modules scanning
16:27:24.296 Disk 0 trace - called modules:
16:27:24.343 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
16:27:24.359 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x833ceab8]
16:27:24.375 3 CLASSPNP.SYS[f757efd7] -> nt!IofCallDriver -> \Device\00000071[0x833d0f18]
16:27:24.750 5 ACPI.sys[f7415620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8338b6d0]
16:27:29.000 AVAST engine scan C:\WINDOWS
16:27:36.906 AVAST engine scan C:\WINDOWS\system32
16:30:07.375 AVAST engine scan C:\WINDOWS\system32\drivers
16:30:27.093 AVAST engine scan C:\Documents and Settings\Grace Lay
16:31:18.453 AVAST engine scan C:\Documents and Settings\All Users
16:31:58.531 Scan finished successfully
16:32:25.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Grace Lay\Desktop\MBR.dat"
16:32:25.562 The log file has been saved successfully to "C:\Documents and Settings\Grace Lay\Desktop\aswMBR.txt"


Also, didn't know if you wanted the MBR zip file or not....

Thanks again! :)
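The two tool logs in this thread (the TDSSKiller driver inventory above, and the aswMBR reports before and after the Fix) are the evidence the whole thread turns on. The script below is an added example, not code from the thread, from Kaspersky's TDSSKiller or from AVAST's aswMBR: it parses both log formats and pulls out what a responder checks first, namely aswMBR's verdict on the boot code ("unknown MBR code" before the fix, "Windows XP default MBR code" after it), the drivers TDSSKiller saw loading from outside the Windows directory, and the detected-object counts. The regexes, the function names and the embedded log excerpts (copied from the logs above or constructed in the same shape) are this example's own assumptions about the formats.

```python
"""Triage helpers for TDSSKiller and aswMBR text logs.

Added example; not code from the thread, from Kaspersky (TDSSKiller) or
from AVAST (aswMBR). The excerpts below are copied from the logs in this
thread or constructed in the same shape for this example."""
import re

# One TDSSKiller driver line: time, thread id, service name, an optional
# size field such as (0x1B8) on MBR/boot-sector entries, the MD5, the path.
TDSS_ENTRY = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+(?P<name>\S+)\s+"
    r"(?:\(0x[0-9A-Fa-f]+\)\s+)?\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$"
)
TDSS_COUNT = re.compile(r"(?P<kind>Actual detected|Detected) object count:\s*(?P<n>\d+)")
# aswMBR's verdict line on the boot code, e.g. "Disk 0 unknown MBR code".
ASW_VERDICT = re.compile(r"Disk (?P<disk>\d+) (?P<verdict>.*MBR code)\s*$")

# Constructed excerpt of the TDSSKiller log posted above.
TDSS_SAMPLE = r"""
14:29:20.0060 1356 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:29:20.0060 1356 mouhid - ok
14:29:20.0654 1356 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
14:29:20.0654 1356 MREMP50 - ok
14:29:36.0202 1356 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
14:29:39.0812 1356 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:29:45.0156 1356 MBR (0x1B8) (5ae5a393505cffd37fe98c4a7922908d) \Device\Harddisk0\DR0
14:29:45.0266 0564 Detected object count: 0
14:29:45.0266 0564 Actual detected object count: 0
"""
# Constructed excerpts of the two aswMBR logs (before and after the Fix).
ASW_BEFORE_FIX = """
15:26:23.133 Disk 0 MBR read successfully
15:26:23.321 Disk 0 unknown MBR code
"""
ASW_AFTER_FIX = """
16:26:25.343 Disk 0 MBR read successfully
16:26:27.671 Disk 0 Windows XP default MBR code
"""


def parse_tdsskiller(text):
    """Return ([(name, md5, path), ...], {kind: count}) from a TDSSKiller log."""
    drivers, counts = [], {}
    for line in text.splitlines():
        m = TDSS_ENTRY.match(line.strip())
        if m:
            drivers.append((m["name"], m["md5"], m["path"]))
            continue
        c = TDSS_COUNT.search(line)
        if c:
            counts[c["kind"]] = int(c["n"])
    return drivers, counts


def drivers_outside_windows_dir(drivers, windows_dir="c:\\windows\\"):
    """Names of file-backed drivers loaded from outside the Windows directory.

    Not proof of anything bad (third-party products such as the Motive and
    SUPERAntiSpyware drivers live there legitimately), but it is the short
    list worth checking first. Raw device entries such as the MBR are skipped."""
    out = []
    for name, _md5, path in drivers:
        p = path.lower()
        if re.match(r"[a-z]:\\", p) and not p.startswith(windows_dir):
            out.append(name)
    return out


def mbr_verdict(text):
    """aswMBR's description of the MBR code, or None if the log has none."""
    for line in text.splitlines():
        m = ASW_VERDICT.search(line)
        if m:
            return m["verdict"]
    return None


def mbr_needs_attention(verdict):
    """True unless aswMBR recognised standard Windows boot code."""
    return verdict is None or "default MBR code" not in verdict


def summarize(tdss_text, asw_before, asw_after):
    """Collect the triage facts from all three logs into one dict."""
    drivers, counts = parse_tdsskiller(tdss_text)
    before, after = mbr_verdict(asw_before), mbr_verdict(asw_after)
    return {
        "drivers_seen": len(drivers),
        "outside_windows_dir": drivers_outside_windows_dir(drivers),
        "detected": counts.get("Detected"),
        "mbr_before": before,
        "mbr_after": after,
        "mbr_fixed": mbr_needs_attention(before) and not mbr_needs_attention(after),
    }


if __name__ == "__main__":
    for key, value in summarize(TDSS_SAMPLE, ASW_BEFORE_FIX, ASW_AFTER_FIX).items():
        print(f"{key}: {value}")
```

Run against the excerpts it reports five file-backed or device entries, MREMP50 and SASDIFSV as the only drivers outside C:\WINDOWS, a detected count of 0, and an MBR verdict that goes from "unknown MBR code" to "Windows XP default MBR code", which is exactly the change the Fix step was meant to produce. On a real log, the drivers list is what you would compare against a known-good hash baseline from an identical, clean install.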

#11 CatByte (bleepin' tiger, Malware Response Team, Canada)

Posted 06 November 2011 - 04:41 PM

Ok,

That looks better

Let's see if we can get ComboFix to run now.

Please delete the copy you have on your desktop

download a fresh copy, but re-name it to Explorer.exe before saving it > now save it directly to your C:\ drive


Now boot into safe mode and then navigate to your C:\ drive and run it

Give it lots of time > longer than you think it should take > allow it to reboot the machine if it needs to > reboot into safe mode so that it can produce a log


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

#12 dawnzig (Topic Starter, Members, Sunny Florida)

Posted 06 November 2011 - 04:57 PM

Hi CatByte,

I'm on it (getting combofix going again) however, I do wanna let you know that I'm getting more 'weirdness'. Computerwise: capslock seems to go on by itself (tho light's not on)--have to hit it a couple times to get it off; also, it wasn't letting me click on single, individual icons on the desktop: it'd highlight three at a time and not let me open the one I wanted... but now I can, inexplicably.

Within IE: I'm having weird probs posting on here: something's changing my ability to post correctly! Like, right now, the wordwrap isn't working again so I have to hard-return, and each of the last couple times I got back on, the chronological order of posts had changed. They'd been 'oldest first', then were newest first, now back to oldest first again....
Of course I'm sure it's all part of what we're working on, but I just wanted you to know. :)
Now, on to Combofix.

#13 dawnzig (Topic Starter, Members, Sunny Florida)

Posted 06 November 2011 - 06:55 PM

Hi again, CatByte~

Here's the lowdown: did what you asked re: renaming combofix and booting into safe mode.
Had some glitches, however.
I hadn't been able to boot into safe mode before; now, it still sort of 'stops' when it gets to (and forgive me, but my own computer's backslash seems to not work correctly on this board, sigh, so I've used forward slashes...) multi(0)disk(0)rdisk(0)partition(1)/WINDOWS/System32/Drivers/mup.sys and gives a black screen for almost a minute, then to black screen with "Safe Mode" in the corners, then onto the blue Windows screen where you click on the Administrator and on to regular Safe Mode. Not at all what happens on my system (the exact same model/versions as the infected one), which boots into it cleanly and quickly.

Anyway, I ran combofix/explorer, waited almost exactly an hour and verified that mouse was still responsive (it was)--but I made a mistake and clicked on the combofix window and everything locked up.... sorry! :(

Soooooo, I rebooted, tossed out and reinstalled combofix, renaming it 'explore.exe' this time (without the 'r' at the end), rebooted into Safe Mode and am rerunning combofix/explore. It's been about 50 minutes and I don't wanna touch anything for fear of locking it up. I'll wait about another 30 minutes before seeing if it's still responsive....

Just wanted you to know what was going on. :)

#14 CatByte (bleepin' tiger, Malware Response Team, Canada)

Posted 06 November 2011 - 07:01 PM

Is it going through any stages in the DOS box?

You should be seeing something like this

[screenshot of the ComboFix stages not reproduced]

#15 dawnzig (Topic Starter, Members, Sunny Florida)

Posted 06 November 2011 - 07:12 PM

No, it's not.
I get the screen saying "Scanning for infected files... This typically doesn't take more than 10 minutes However, scan times for badly infect machines may easily double" with just a blinking cursor under it. This is what it's done every time....
