
Delayed Write Failed and System Restore - PC Frozen


  • This topic is locked
24 replies to this topic

#1 mat58

  • Members
  • 235 posts
  • Gender:Female
  • Location:Mesa, AZ

Posted 08 November 2011 - 12:32 AM

I originally opened up a topic under "Am I infected?". Please see the attached thread for initial information regarding what appears on the screen and other messages:
http://www.bleepingcomputer.com/forums/topic426816.html/page__p__2467105__fromsearch__1#entry2467105
Basically, the PC boots into error messages stating "Delayed Write Failed" and a window showing a "System Restore". Other messages include "Windows OS cannot detect free hard drive space" and "file indexation process failed".
This is an old Dell Inspiron 1501 laptop running Windows XP.

Attempting to boot normally or with last known good configuration came up with screen errors and an appearance of no hard disk to do any work from. I could not even do a START - RUN to get anything going.

I booted the PC into SAFE mode and was able to run DDS with no problem. The logs are attached and embedded as requested:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Administrator at 21:18:55 on 2011-11-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.674 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070517
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SUWVpRINfa.exe] c:\documents and settings\all users\application data\SUWVpRINfa.exe
mRun: [kMoUUJmEvJ.exe] c:\documents and settings\all users\application data\kMoUUJmEvJ.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: NoDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www.freerealms.com/gamedata/FreeRealmsInstaller.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/63.18/uploader2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.33.7/ttinst.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FC11A119-C2F7-46F4-9E32-937ABA26816E} - file://d:\cdviewer\CdViewer.cab
TCP: DhcpNameServer = 192.168.254.254 192.168.254.254
TCP: Interfaces\{EAA0549B-E81D-44CB-A7BD-74604D35610B} : DhcpNameServer = 192.168.254.254 192.168.254.254
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.terry.000\application data\mozilla\firefox\profiles\81pw5xvs.default\
FF - plugin: c:\progra~1\sonyon~1\npsoe.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: XULRunner: {15CF1C31-D4E1-4F1D-93E8-6C6EF962EF08} - c:\documents and settings\terry benewith\local settings\application data\{15CF1C31-D4E1-4F1D-93E8-6C6EF962EF08}
FF - Ext: XULRunner: {AF6851C2-E77C-4B39-838F-7942F124C4A1} - c:\documents and settings\karen benewith\local settings\application data\{AF6851C2-E77C-4B39-838F-7942F124C4A1}
FF - Ext: XULRunner: {640050AA-C2D1-49EB-A15C-E3A851C10DDB} - c:\documents and settings\abbey benewith\local settings\application data\{640050AA-C2D1-49EB-A15C-E3A851C10DDB}
.
============= SERVICES / DRIVERS ===============
.
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 165648]
S1 MpKsl0f95d951;MpKsl0f95d951;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8bf930de-ee3b-486a-b75a-011a8306b1cc}\mpksl0f95d951.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8bf930de-ee3b-486a-b75a-011a8306b1cc}\MpKsl0f95d951.sys [?]
S1 MpKsl2628fbb7;MpKsl2628fbb7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b144cc26-68fe-40f6-8cc8-8463e3a997a6}\mpksl2628fbb7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b144cc26-68fe-40f6-8cc8-8463e3a997a6}\MpKsl2628fbb7.sys [?]
S1 MpKsl77b050fe;MpKsl77b050fe;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{078729cd-31ba-44c8-91e3-e28488459a4a}\mpksl77b050fe.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{078729cd-31ba-44c8-91e3-e28488459a4a}\MpKsl77b050fe.sys [?]
S1 MpKsl9453d97e;MpKsl9453d97e;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7cebbfc5-360d-423f-bc87-454d2ae88bb7}\MpKsl9453d97e.sys [2011-11-2 28752]
S1 MpKsl984733a8;MpKsl984733a8;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{11ab501a-7832-4c76-bd55-26d7819db8f0}\mpksl984733a8.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{11ab501a-7832-4c76-bd55-26d7819db8f0}\MpKsl984733a8.sys [?]
S1 MpKslceb00a98;MpKslceb00a98;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7cebbfc5-360d-423f-bc87-454d2ae88bb7}\MpKslceb00a98.sys [2011-11-7 28752]
S1 MpKslffa421f0;MpKslffa421f0;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9146f355-ff77-4ad8-851c-49d165d27d06}\mpkslffa421f0.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9146f355-ff77-4ad8-851c-49d165d27d06}\MpKslffa421f0.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-27 135664]
S3 ENDETECT;ENDETECT;\??\d:\release\endetect.sys --> d:\release\ENDETECT.SYS [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-27 135664]
S3 L2XPSR;L2XPSR;\??\d:\release\l2xpsr.sys --> d:\release\L2XPSR.SYS [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 NTSTPL1;NTSTPL1;\??\d:\release\ntstpl1.sys --> d:\release\NTSTPL1.SYS [?]
S3 NTSTPL2;NTSTPL2;\??\d:\release\ntstpl2.sys --> d:\release\NTSTPL2.SYS [?]
S3 TAPBIND;TAPBIND;\??\d:\release\tapbind1.sys --> d:\release\TAPBIND1.SYS [?]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\sync\FreeAgentService.exe [2009-12-18 189736]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-5-17 30192]
.
=============== Created Last 30 ================
.
2011-11-08 04:06:30 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7cebbfc5-360d-423f-bc87-454d2ae88bb7}\MpKslceb00a98.sys
2011-11-08 00:29:11 28752 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7cebbfc5-360d-423f-bc87-454d2ae88bb7}\MpKsl7f5d2179.sys
2011-11-03 05:16:38 0 ----a-w- c:\windows\update.exe
2011-11-03 05:13:54 386544 ---ha-w- c:\documents and settings\all users\application data\kMoUUJmEvJ.exe
2011-11-03 03:01:18 28752 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7cebbfc5-360d-423f-bc87-454d2ae88bb7}\MpKsl9453d97e.sys
2011-11-03 01:52:12 321408 ---ha-w- c:\documents and settings\all users\application data\6DSS92c31Apgjk.exe
2011-10-31 21:12:40 404352 ---ha-w- c:\documents and settings\all users\application data\SUWVpRINfa.exe
2011-10-30 21:59:25 56200 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7cebbfc5-360d-423f-bc87-454d2ae88bb7}\offreg.dll
2011-10-28 02:01:27 7269712 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7cebbfc5-360d-423f-bc87-454d2ae88bb7}\mpengine.dll
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS541612J9SA00 rev.SBDOC74P -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x855EF4C0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x855f68a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x855f6730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8575EAB8]
3 CLASSPNP[0xF76D7FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x85738C58]
\Driver\atapi[0x856ABD78] -> IRP_MJ_CREATE -> 0x855EF4C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x855EF2E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:20:06.51 ===============

I'm receiving an error when I try to attach the "attach.txt" file from the DDS scan. I get a message that I have used 511 of 512K global upload quota. I don't want to post it unless it is requested. Please let me know.


Unfortunately, being in SAFE mode the resolution is so bad that I could not get to the option to save the GMER log. Hopefully the DDS logs will enable us to get something started. I'm sorry I'm unable to get all of the requested information in this post.

Thank you in advance for your help.
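As an added example that is not part of the original post or of the DDS tool, the Python script below reads DDS-style lines like the ones quoted above and flags the entries a responder would look at first: Run-key entries and hidden executables launched from the root of the all-users Application Data folder, random-looking mixed-case names like SUWVpRINfa.exe and kMoUUJmEvJ.exe, the DisableTaskMgr/NoDesktop policy keys, and the GMER rootkit warning. The heuristics and the SAMPLE_LOG lines are constructed from this log and are assumptions, not DDS's own analysis.

```python
# Triage helper for DDS-style log lines. Added example, not the DDS tool's own
# code; the heuristics below are assumptions tuned to the log quoted above.
import re
from collections import Counter, namedtuple

# Windows XP all-users profile data folder (ProgramData on later versions).
APPDATA_ROOT = r"c:\documents and settings\all users\application data"

RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s*(?P<key>\w+)\s*=\s*(?P<val>\S+)")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
# Policy keys a rogue typically sets so the user cannot close it.
SUSPICIOUS_POLICIES = {"DisableTaskMgr", "NoDesktop", "DisableRegistryTools"}

Finding = namedtuple("Finding", "kind detail")


def command_path(cmd):
    """Return the executable path from a Run-key command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]   # unquoted path, may hold spaces


def in_appdata_root(path):
    """True when the file sits directly in APPDATA_ROOT, not in a subfolder."""
    p = path.lower()
    if not p.startswith(APPDATA_ROOT + "\\"):
        return False
    return "\\" not in p[len(APPDATA_ROOT) + 1:]


def random_looking(path):
    """Generated-name heuristic (SUWVpRINfa, kMoUUJmEvJ): letters-only stem of 8+
    chars, 3+ case changes and an uppercase run of 2+ letters. CamelCase names
    such as iTunesHelper have no such run and are not flagged."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    changes = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return changes >= 3 and re.search(r"[A-Z]{2,}", stem) is not None


def triage(lines):
    """Scan DDS-style lines and return the list of findings, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := RUN_RE.match(line):
            path = command_path(m.group("cmd"))
            if in_appdata_root(path):
                findings.append(Finding("autorun-from-appdata-root", path))
            if random_looking(path):
                findings.append(Finding("random-name", path))
        elif m := POLICY_RE.match(line):
            if m.group("key") in SUSPICIOUS_POLICIES and m.group("val") != "0":
                findings.append(Finding("restrictive-policy", f"{m.group('key')}={m.group('val')}"))
        elif m := CREATED_RE.match(line):
            attrs, path = m.group("attrs"), m.group("path")
            # 'h' = hidden attribute; a hidden .exe dropped in the folder root
            if "h" in attrs and path.lower().endswith(".exe") and in_appdata_root(path):
                findings.append(Finding("hidden-exe-in-appdata-root", path))
        elif line.lower().startswith("warning") and "rootkit" in line.lower():
            findings.append(Finding("rootkit-warning", line))
    return findings


def summarize(findings):
    """Count findings by kind."""
    return Counter(f.kind for f in findings)


# Constructed sample: lines copied from the DDS log in the post above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SUWVpRINfa.exe] c:\documents and settings\all users\application data\SUWVpRINfa.exe
mRun: [kMoUUJmEvJ.exe] c:\documents and settings\all users\application data\kMoUUJmEvJ.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: NoDesktop = 1 (0x1)
2011-11-03 05:13:54 386544 ---ha-w- c:\documents and settings\all users\application data\kMoUUJmEvJ.exe
2011-11-03 01:52:12 321408 ---ha-w- c:\documents and settings\all users\application data\6DSS92c31Apgjk.exe
2011-10-28 02:01:27 7269712 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7cebbfc5-360d-423f-bc87-454d2ae88bb7}\mpengine.dll
Warning: possible TDL3 rootkit infection !
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.detail}")
    print(dict(summarize(triage(SAMPLE_LOG))))
```

Legitimate entries in the sample (ctfmon, msseces, iTunesHelper, dumprep, the MSE definition DLL) produce no findings, so the output is only the nine entries worth a second look.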



#2 gringo_pr

Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 November 2011 - 02:06 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 mat58

Posted 11 November 2011 - 08:12 AM

Hi Gringo,

I will run ComboFix tonight after work, but I have a quick question: can I run it in SAFE mode, as I cannot boot into a normal system without problems?
Thank you for your help.

#4 gringo_pr

Posted 11 November 2011 - 10:26 AM

Yes, it can be run in safe mode.


gringo

#5 mat58

Posted 11 November 2011 - 07:05 PM

ComboFix has been running for almost an hour. It did state it needed to install the recovery console about 5 minutes into it. I have an active internet connection, but it has been hanging for over 40 minutes at "Connecting to http://download.microsoft.com". I don't want to do anything more without guidance. The hard disk light flickers every few minutes.

#6 gringo_pr

Posted 11 November 2011 - 08:42 PM

Are you in safe mode with networking?


gringo

#7 mat58

Posted 11 November 2011 - 08:43 PM

Yes

#8 gringo_pr

Posted 11 November 2011 - 08:51 PM

Hello

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#9 mat58

Posted 11 November 2011 - 08:59 PM

So I can abort ComboFix? Just reboot before I download TDSSKiller? Just want to make sure I don't cause any more damage to the PC. Sorry if I'm overcautious, but I know how ComboFix can cause a lot of problems if not run correctly.

#10 gringo_pr

Posted 11 November 2011 - 09:03 PM

Hello

If it is not progressing, then abort it and run TDSSKiller; if it is moving along, then leave it.


gringo

#11 mat58

Posted 11 November 2011 - 09:25 PM

Here is the log:

19:03:23.0078 1644 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
19:03:23.0515 1644 ============================================================
19:03:23.0515 1644 Current date / time: 2011/11/11 19:03:23.0515
19:03:23.0515 1644 SystemInfo:
19:03:23.0515 1644
19:03:23.0515 1644 OS Version: 5.1.2600 ServicePack: 3.0
19:03:23.0515 1644 Product type: Workstation
19:03:23.0515 1644 ComputerName: TERRY
19:03:23.0515 1644 UserName: Administrator
19:03:23.0515 1644 Windows directory: C:\WINDOWS
19:03:23.0515 1644 System windows directory: C:\WINDOWS
19:03:23.0515 1644 Processor architecture: Intel x86
19:03:23.0515 1644 Number of processors: 2
19:03:23.0515 1644 Page size: 0x1000
19:03:23.0515 1644 Boot type: Safe boot with network
19:03:23.0515 1644 ============================================================
19:03:25.0562 1644 Initialize success
19:03:40.0796 2712 ============================================================
19:03:40.0796 2712 Scan started
19:03:40.0796 2712 Mode: Manual;
19:03:40.0796 2712 ============================================================
19:03:59.0062 2712 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
19:03:59.0078 2712 HSF_DPV - ok
19:03:59.0156 2712 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
19:03:59.0156 2712 HSXHWAZL - ok
19:03:59.0218 2712 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:03:59.0234 2712 HTTP - ok
19:03:59.0421 2712 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
19:03:59.0421 2712 i2omgmt - ok
19:03:59.0484 2712 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
19:03:59.0484 2712 i2omp - ok
19:03:59.0546 2712 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:03:59.0546 2712 i8042prt - ok
19:03:59.0671 2712 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:03:59.0671 2712 Imapi - ok
19:03:59.0781 2712 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
19:03:59.0781 2712 ini910u - ok
19:03:59.0968 2712 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
19:03:59.0968 2712 IntelIde - ok
19:04:00.0031 2712 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:04:00.0031 2712 intelppm - ok
19:04:00.0093 2712 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:04:00.0093 2712 Ip6Fw - ok
19:04:00.0156 2712 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:04:00.0156 2712 IpFilterDriver - ok
19:04:00.0359 2712 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:04:00.0359 2712 IpInIp - ok
19:04:00.0437 2712 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:04:00.0437 2712 IpNat - ok
19:04:00.0500 2712 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:04:00.0515 2712 IPSec - ok
19:04:00.0578 2712 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:04:00.0578 2712 IRENUM - ok
19:04:00.0671 2712 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:04:00.0671 2712 isapnp - ok
19:04:00.0828 2712 Iviaspi (5dce7eed60bae992bab7f5ff1ce60641) C:\WINDOWS\system32\drivers\iviaspi.sys
19:04:00.0828 2712 Iviaspi - ok
19:04:00.0921 2712 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:04:00.0937 2712 Kbdclass - ok
19:04:01.0000 2712 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:04:01.0000 2712 kmixer - ok
19:04:01.0046 2712 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:04:01.0046 2712 KSecDD - ok
19:04:01.0093 2712 L2XPSR - ok
19:04:01.0281 2712 lbrtfdc - ok
19:04:01.0484 2712 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
19:04:01.0484 2712 mdmxsdk - ok
19:04:01.0578 2712 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:04:01.0578 2712 mnmdd - ok
19:04:01.0671 2712 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:04:01.0687 2712 Modem - ok
19:04:01.0750 2712 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:04:01.0750 2712 Mouclass - ok
19:04:01.0796 2712 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:04:01.0796 2712 mouhid - ok
19:04:02.0015 2712 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:04:02.0015 2712 MountMgr - ok
19:04:02.0093 2712 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
19:04:02.0093 2712 MpFilter - ok
19:04:02.0281 2712 MpKsl0f95d951 - ok
19:04:02.0343 2712 MpKsl2628fbb7 - ok
19:04:02.0406 2712 MpKsl77b050fe - ok
19:04:02.0453 2712 MpKsl7f5d2179 - ok
19:04:02.0515 2712 MpKsl9453d97e - ok
19:04:02.0578 2712 MpKsl984733a8 - ok
19:04:02.0625 2712 MpKslceb00a98 - ok
19:04:02.0687 2712 MpKslffa421f0 - ok
19:04:02.0765 2712 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
19:04:02.0765 2712 mraid35x - ok
19:04:02.0812 2712 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:04:02.0812 2712 MRxDAV - ok
19:04:02.0921 2712 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:04:02.0921 2712 MRxSmb - ok
19:04:03.0171 2712 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:04:03.0187 2712 Msfs - ok
19:04:03.0281 2712 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:04:03.0281 2712 MSKSSRV - ok
19:04:03.0359 2712 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:04:03.0359 2712 MSPCLOCK - ok
19:04:03.0421 2712 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:04:03.0421 2712 MSPQM - ok
19:04:03.0515 2712 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:04:03.0531 2712 mssmbios - ok
19:04:03.0671 2712 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
19:04:03.0671 2712 Mup - ok
19:04:03.0796 2712 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:04:03.0796 2712 NDIS - ok
19:04:03.0875 2712 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:04:03.0875 2712 NdisTapi - ok
19:04:03.0953 2712 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:04:03.0953 2712 Ndisuio - ok
19:04:04.0078 2712 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:04:04.0078 2712 NdisWan - ok
19:04:04.0187 2712 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:04:04.0187 2712 NDProxy - ok
19:04:04.0234 2712 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:04:04.0250 2712 NetBIOS - ok
19:04:04.0328 2712 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:04:04.0328 2712 NetBT - ok
19:04:04.0562 2712 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:04:04.0562 2712 Npfs - ok
19:04:04.0671 2712 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:04:04.0687 2712 Ntfs - ok
19:04:04.0765 2712 NTSTPL1 - ok
19:04:04.0828 2712 NTSTPL2 - ok
19:04:05.0046 2712 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:04:05.0046 2712 Null - ok
19:04:05.0156 2712 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:04:05.0203 2712 nv - ok
19:04:05.0390 2712 NWADI (039e60681bb68fd38d18684fd6b9db84) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
19:04:05.0390 2712 NWADI - ok
19:04:05.0468 2712 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:04:05.0468 2712 NwlnkFlt - ok
19:04:05.0515 2712 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:04:05.0515 2712 NwlnkFwd - ok
19:04:05.0593 2712 NWUSBModem (a12b91c592b3cfaedf85f87a624cfb98) C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys
19:04:05.0593 2712 NWUSBModem - ok
19:04:05.0640 2712 NWUSBPort (a12b91c592b3cfaedf85f87a624cfb98) C:\WINDOWS\system32\DRIVERS\nwusbser.sys
19:04:05.0640 2712 NWUSBPort - ok
19:04:05.0906 2712 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
19:04:05.0906 2712 Parport - ok
19:04:05.0984 2712 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:04:05.0984 2712 PartMgr - ok
19:04:06.0031 2712 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:04:06.0031 2712 ParVdm - ok
19:04:06.0078 2712 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:04:06.0078 2712 PCI - ok
19:04:06.0140 2712 PCIDump - ok
19:04:06.0203 2712 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:04:06.0203 2712 PCIIde - ok
19:04:06.0265 2712 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:04:06.0281 2712 Pcmcia - ok
19:04:06.0437 2712 PDCOMP - ok
19:04:06.0484 2712 PDFRAME - ok
19:04:06.0546 2712 PDRELI - ok
19:04:06.0609 2712 PDRFRAME - ok
19:04:06.0703 2712 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
19:04:06.0703 2712 perc2 - ok
19:04:06.0765 2712 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
19:04:06.0765 2712 perc2hib - ok
19:04:07.0046 2712 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:04:07.0046 2712 PptpMiniport - ok
19:04:07.0171 2712 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
19:04:07.0171 2712 Processor - ok
19:04:07.0265 2712 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:04:07.0281 2712 PSched - ok
19:04:07.0375 2712 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:04:07.0375 2712 Ptilink - ok
19:04:07.0453 2712 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:04:07.0453 2712 PxHelp20 - ok
19:04:07.0531 2712 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
19:04:07.0531 2712 ql1080 - ok
19:04:07.0750 2712 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
19:04:07.0750 2712 Ql10wnt - ok
19:04:07.0796 2712 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
19:04:07.0796 2712 ql12160 - ok
19:04:07.0859 2712 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
19:04:07.0859 2712 ql1240 - ok
19:04:07.0906 2712 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
19:04:07.0906 2712 ql1280 - ok
19:04:08.0109 2712 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:04:08.0109 2712 RasAcd - ok
19:04:08.0218 2712 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:04:08.0218 2712 Rasl2tp - ok
19:04:08.0281 2712 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:04:08.0281 2712 RasPppoe - ok
19:04:08.0328 2712 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:04:08.0328 2712 Raspti - ok
19:04:08.0406 2712 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:04:08.0421 2712 Rdbss - ok
19:04:08.0453 2712 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:04:08.0453 2712 RDPCDD - ok
19:04:08.0562 2712 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:04:08.0562 2712 rdpdr - ok
19:04:08.0656 2712 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
19:04:08.0656 2712 RDPWD - ok
19:04:08.0859 2712 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:04:08.0859 2712 redbook - ok
19:04:08.0984 2712 rimmptsk (24ed7af20651f9fa1f249482e7c1f165) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
19:04:08.0984 2712 rimmptsk - ok
19:04:09.0250 2712 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
19:04:09.0250 2712 sdbus - ok
19:04:09.0296 2712 SDDMI2 (8edd7b9e4a4b4c16e2dab9188caa861b) C:\WINDOWS\system32\DDMI2.sys
19:04:09.0296 2712 SDDMI2 - ok
19:04:09.0359 2712 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:04:09.0359 2712 Secdrv - ok
19:04:09.0578 2712 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
19:04:09.0578 2712 serenum - ok
19:04:09.0640 2712 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
19:04:09.0640 2712 Serial - ok
19:04:09.0781 2712 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
19:04:09.0781 2712 sffdisk - ok
19:04:09.0843 2712 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
19:04:09.0843 2712 sffp_sd - ok
19:04:09.0906 2712 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:04:09.0906 2712 Sfloppy - ok
19:04:10.0078 2712 Simbad - ok
19:04:10.0156 2712 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
19:04:10.0171 2712 sisagp - ok
19:04:10.0296 2712 SMNDIS5 (4ef5ea44583c37383c289d4b8c354698) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS
19:04:10.0296 2712 SMNDIS5 - ok
19:04:10.0421 2712 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
19:04:10.0421 2712 SONYPVU1 - ok
19:04:10.0609 2712 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
19:04:10.0609 2712 Sparrow - ok
19:04:10.0671 2712 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:04:10.0671 2712 splitter - ok
19:04:10.0765 2712 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:04:10.0765 2712 sr - ok
19:04:10.0859 2712 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
19:04:10.0875 2712 Srv - ok
19:04:11.0015 2712 STHDA (8990440e4b2a7ca5a56a1833b03741fd) C:\WINDOWS\system32\drivers\sthda.sys
19:04:11.0046 2712 STHDA - ok
19:04:11.0265 2712 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:04:11.0265 2712 swenum - ok
19:04:11.0328 2712 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:04:11.0343 2712 swmidi - ok
19:04:11.0468 2712 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
19:04:11.0468 2712 symc810 - ok
19:04:11.0515 2712 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
19:04:11.0515 2712 symc8xx - ok
19:04:11.0687 2712 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys
19:04:11.0687 2712 symlcbrd - ok
19:04:11.0750 2712 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
19:04:11.0750 2712 sym_hi - ok
19:04:11.0828 2712 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
19:04:11.0828 2712 sym_u3 - ok
19:04:11.0937 2712 SynTP (fa2daa32bed908023272a0f77d625dae) C:\WINDOWS\system32\DRIVERS\SynTP.sys
19:04:11.0937 2712 SynTP - ok
19:04:12.0109 2712 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:04:12.0109 2712 sysaudio - ok
19:04:12.0187 2712 TAPBIND - ok
19:04:12.0328 2712 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:04:12.0343 2712 Tcpip - ok
19:04:12.0546 2712 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:04:12.0546 2712 TDPIPE - ok
19:04:12.0625 2712 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:04:12.0625 2712 TDTCP - ok
19:04:12.0687 2712 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:04:12.0703 2712 TermDD - ok
19:04:12.0828 2712 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
19:04:12.0828 2712 TosIde - ok
19:04:13.0078 2712 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:04:13.0078 2712 Udfs - ok
19:04:13.0218 2712 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
19:04:13.0218 2712 ultra - ok
19:04:13.0296 2712 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:04:13.0312 2712 Update - ok
19:04:13.0562 2712 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
19:04:13.0562 2712 USBAAPL - ok
19:04:13.0718 2712 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:04:13.0718 2712 usbccgp - ok
19:04:13.0796 2712 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:04:13.0812 2712 usbehci - ok
19:04:13.0843 2712 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:04:13.0859 2712 usbhub - ok
19:04:14.0015 2712 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
19:04:14.0015 2712 usbohci - ok
19:04:14.0078 2712 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:04:14.0078 2712 usbprint - ok
19:04:14.0140 2712 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:04:14.0140 2712 usbscan - ok
19:04:14.0203 2712 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:04:14.0203 2712 USBSTOR - ok
19:04:14.0265 2712 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:04:14.0265 2712 usbuhci - ok
19:04:14.0328 2712 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:04:14.0328 2712 VgaSave - ok
19:04:14.0468 2712 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
19:04:14.0468 2712 viaagp - ok
19:04:14.0531 2712 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
19:04:14.0531 2712 ViaIde - ok
19:04:14.0609 2712 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:04:14.0609 2712 VolSnap - ok
19:04:14.0781 2712 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:04:14.0781 2712 Wanarp - ok
19:04:14.0843 2712 WDICA - ok
19:04:14.0937 2712 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:04:14.0937 2712 wdmaud - ok
19:04:15.0078 2712 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
19:04:15.0093 2712 winachsf - ok
19:04:15.0546 2712 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
19:04:15.0546 2712 WmiAcpi - ok
19:04:15.0843 2712 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:04:15.0843 2712 WudfPf - ok
19:04:15.0906 2712 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:04:15.0906 2712 WudfRd - ok
19:04:16.0093 2712 MBR (0x1B8) (7c813d1ed418f46302a154e14cf3bdc5) \Device\Harddisk0\DR0
19:04:16.0093 2712 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - infected
19:04:16.0093 2712 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
19:04:16.0140 2712 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk1\DR6
19:04:16.0390 2712 \Device\Harddisk1\DR6 - ok
19:04:16.0437 2712 Boot (0x1200) (386fc534bb47164b5c0b6aa85af0e848) \Device\Harddisk0\DR0\Partition0
19:04:16.0453 2712 \Device\Harddisk0\DR0\Partition0 - ok
19:04:16.0484 2712 Boot (0x1200) (9345ce4940c65cd641d5a038beab8e5e) \Device\Harddisk1\DR6\Partition0
19:04:16.0484 2712 \Device\Harddisk1\DR6\Partition0 - ok
19:04:16.0515 2712 ============================================================
19:04:16.0515 2712 Scan finished
19:04:16.0515 2712 ============================================================
19:04:16.0593 0300 Detected object count: 1
19:04:16.0593 0300 Actual detected object count: 1
19:05:21.0546 0300 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - will be cured on reboot
19:05:21.0546 0300 \Device\Harddisk0\DR0 - ok
19:05:21.0546 0300 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - User select action: Cure
19:05:39.0640 0472 Deinitialize success


Even though I am going into SAFE mode with networking, I cannot ping external sites. The router is working fine with other computers.

#12 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 November 2011 - 09:31 PM

Hello


Let's try ComboFix again.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 mat58
  • Topic Starter

  • Members
  • 235 posts
  • Gender:Female
  • Location:Mesa, AZ

Posted 11 November 2011 - 10:48 PM

Successful ComboFix run. Here is the log:

ComboFix 11-11-11.06 - Administrator 11/11/2011 20:06:10.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.545 [GMT -7:00]
Running from: c:\documents and settings\Administrator.TERRY.000\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Abbey Benewith\Local Settings\Application Data\{640050AA-C2D1-49EB-A15C-E3A851C10DDB}
c:\documents and settings\Abbey Benewith\Local Settings\Application Data\{640050AA-C2D1-49EB-A15C-E3A851C10DDB}\chrome.manifest
c:\documents and settings\Abbey Benewith\Local Settings\Application Data\{640050AA-C2D1-49EB-A15C-E3A851C10DDB}\chrome\content\_cfg.js
c:\documents and settings\Abbey Benewith\Local Settings\Application Data\{640050AA-C2D1-49EB-A15C-E3A851C10DDB}\chrome\content\overlay.xul
c:\documents and settings\Abbey Benewith\Local Settings\Application Data\{640050AA-C2D1-49EB-A15C-E3A851C10DDB}\install.rdf
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\HBLiteSA
c:\documents and settings\All Users\Application Data\QuestBrwSearch
c:\documents and settings\All Users\Start Menu\Programs\Hotbar
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\About Hotbar.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Hotbar Customer Support Center.lnk
c:\documents and settings\All Users\Start Menu\Programs\Hotbar\Hotbar Uninstall Instructions.lnk
c:\documents and settings\Sarah Benewith\WINDOWS
c:\documents and settings\Terry Benewith\Desktop\EditorFKWP1.5.exe
c:\documents and settings\Terry Benewith\Desktop\EditorFKWP2.0.exe
c:\documents and settings\Terry Benewith\Desktop\filemanagerclient.exe
c:\documents and settings\Terry Benewith\Desktop\fkwp1.5.exe
c:\documents and settings\Terry Benewith\Desktop\fkwp2.0.exe
c:\documents and settings\Terry Benewith\Desktop\fwebd.exe
c:\documents and settings\Terry Benewith\Desktop\FWebdEditor.exe
c:\documents and settings\Terry Benewith\Desktop\Trojan.Win32.BlackBird.exe
c:\documents and settings\Terry Benewith\Desktop\virii
c:\documents and settings\Terry Benewith\Desktop\virii\Trojan-Downloader.Win32.Agent.bl.exe
c:\documents and settings\Terry Benewith\Desktop\virii\Trojan-Downloader.Win32.Agent.p.exe
c:\documents and settings\Terry Benewith\Desktop\virii\Trojan-Downloader.Win32.Agent.r.exe
c:\documents and settings\Terry Benewith\Desktop\virii\Trojan-Downloader.Win32.Agent.t.exe
c:\documents and settings\Terry Benewith\Desktop\virii\Trojan-Downloader.Win32.Agent.v.exe
c:\program files\Common
c:\program files\HBLite
c:\program files\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}
c:\program files\Mozilla Firefox\extensions\{D9ADB0A8-7BFB-498D-9880-EE78A81CCFA0}\chrome.manifest
c:\program files\QuestBrwSearch
c:\program files\QuestBrwSearch\uninstall.exe
c:\program files\ShoppingReport2
c:\program files\ShoppingReport2\Uninst.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\explorer(2).exe
c:\windows\guboz._sy
c:\windows\system32\147290796.dat
c:\windows\system32\ctfmon(2).exe
c:\windows\system32\linkinfo(2).dll
c:\windows\system32\usp10(2).dll
c:\windows\system32\awtoolb.dll
c:\windows\system32\smp
c:\windows\system32\smp\msrc.exe
c:\windows\update.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-10-12 to 2011-11-12 )))))))))))))))))))))))))))))))
.
.
2011-11-12 03:17 . 2011-11-12 03:17 -------- d-----w- c:\windows\LastGood
2011-11-12 03:15 . 2011-11-12 03:15 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A91DCDF2-627B-44BD-ADE4-D3D31FDC5B6A}\MpKsld3dbdafe.sys
2011-11-12 03:15 . 2011-11-12 03:15 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A91DCDF2-627B-44BD-ADE4-D3D31FDC5B6A}\offreg.dll
2011-11-12 02:08 . 2011-11-12 02:08 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A91DCDF2-627B-44BD-ADE4-D3D31FDC5B6A}\MpKsl3187c60c.sys
2011-11-11 23:16 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A91DCDF2-627B-44BD-ADE4-D3D31FDC5B6A}\mpengine.dll
2011-11-11 23:14 . 2011-11-11 23:17 -------- d-----w- C:\82f2c0489fcb9051013b4e
2011-11-03 14:58 . 2011-11-03 14:58 -------- d-----w- c:\documents and settings\Cary Benewith\Application Data\Apple Computer
2011-11-03 14:57 . 2011-11-03 14:57 -------- d-sh--w- c:\documents and settings\Cary Benewith\IETldCache
2011-11-03 02:43 . 2011-11-03 02:43 -------- d-----w- c:\documents and settings\Administrator.TERRY.000\Application Data\Yahoo!
2011-11-03 02:29 . 2011-11-03 02:29 -------- d-----w- c:\documents and settings\Abbey Benewith\Application Data\Apple Computer
2011-11-03 02:28 . 2011-11-03 02:28 -------- d-sh--w- c:\documents and settings\Abbey Benewith\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-21 16:00 . 2011-03-19 02:11 7269712 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Abbey Benewith\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-7-12 1273856]
.
c:\documents and settings\Sarah Benewith\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Terry Benewith^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
path=c:\documents and settings\Terry Benewith\Start Menu\Programs\Startup\FrostWire On Startup.lnk
backup=c:\windows\pss\FrostWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-05-10 15:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-12-19 20:08 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-08-23 21:14 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-08-29 02:57 395776 ----a-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2008-11-04 08:44 435096 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-07-20 01:06 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-11-22 19:49 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
2002-11-22 19:48 348160 ----a-w- c:\windows\system32\hphmon04.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-11-22 19:50 49152 ----a-w- c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 22:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-12-18 18:24 197928 ----a-w- c:\program files\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ----a-w- c:\program files\NetWaiting\netwaiting.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 15:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-09-22 16:06 282624 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 18:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-25 19:54 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-09-22 16:47 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
2006-08-09 13:27 36864 ----a-w- c:\program files\Ulead Systems\Ulead VideoStudio SE\uvPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"Pml Driver HPH11"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"MsMpSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"GoogleDesktopManager-051210-111108"=3 (0x3)
"FreeAgentGoNext Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"ADVService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
.
R1 MpKsl3187c60c;MpKsl3187c60c;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A91DCDF2-627B-44BD-ADE4-D3D31FDC5B6A}\MpKsl3187c60c.sys [11/11/2011 7:08 PM 28752]
R1 MpKsld3dbdafe;MpKsld3dbdafe;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A91DCDF2-627B-44BD-ADE4-D3D31FDC5B6A}\MpKsld3dbdafe.sys [11/11/2011 8:15 PM 28752]
S1 MpKsl0f95d951;MpKsl0f95d951;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8BF930DE-EE3B-486A-B75A-011A8306B1CC}\MpKsl0f95d951.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8BF930DE-EE3B-486A-B75A-011A8306B1CC}\MpKsl0f95d951.sys [?]
S1 MpKsl2628fbb7;MpKsl2628fbb7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B144CC26-68FE-40F6-8CC8-8463E3A997A6}\MpKsl2628fbb7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B144CC26-68FE-40F6-8CC8-8463E3A997A6}\MpKsl2628fbb7.sys [?]
S1 MpKsl77b050fe;MpKsl77b050fe;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{078729CD-31BA-44C8-91E3-E28488459A4A}\MpKsl77b050fe.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{078729CD-31BA-44C8-91E3-E28488459A4A}\MpKsl77b050fe.sys [?]
S1 MpKsl9453d97e;MpKsl9453d97e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CEBBFC5-360D-423F-BC87-454D2AE88BB7}\MpKsl9453d97e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CEBBFC5-360D-423F-BC87-454D2AE88BB7}\MpKsl9453d97e.sys [?]
S1 MpKsl984733a8;MpKsl984733a8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{11AB501A-7832-4C76-BD55-26D7819DB8F0}\MpKsl984733a8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{11AB501A-7832-4C76-BD55-26D7819DB8F0}\MpKsl984733a8.sys [?]
S1 MpKslceb00a98;MpKslceb00a98;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CEBBFC5-360D-423F-BC87-454D2AE88BB7}\MpKslceb00a98.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CEBBFC5-360D-423F-BC87-454D2AE88BB7}\MpKslceb00a98.sys [?]
S1 MpKslffa421f0;MpKslffa421f0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9146F355-FF77-4AD8-851C-49D165D27D06}\MpKslffa421f0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9146F355-FF77-4AD8-851C-49D165D27D06}\MpKslffa421f0.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2011 3:02 PM 135664]
S3 ENDETECT;ENDETECT;\??\d:\release\ENDETECT.SYS --> d:\release\ENDETECT.SYS [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2011 3:02 PM 135664]
S3 L2XPSR;L2XPSR;\??\d:\release\L2XPSR.SYS --> d:\release\L2XPSR.SYS [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 NTSTPL1;NTSTPL1;\??\d:\release\NTSTPL1.SYS --> d:\release\NTSTPL1.SYS [?]
S3 NTSTPL2;NTSTPL2;\??\d:\release\NTSTPL2.SYS --> d:\release\NTSTPL2.SYS [?]
S3 TAPBIND;TAPBIND;\??\d:\release\TAPBIND1.SYS --> d:\release\TAPBIND1.SYS [?]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/17/2007 9:03 AM 30192]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLD3DBDAFE
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08e67388-3086-11dc-9b02-0019b969c6f4}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50f8f152-ba6b-11dc-9c65-0019b969c6f4}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{57f84757-0a57-11dc-9a88-0019b969c6f4}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59385d12-b6a8-11df-a0ce-0019b969c6f4}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5f1829fa-f54e-11dd-9e43-0019b969c6f4}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{810540d0-dad9-11dd-9e24-0019b969c6f4}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c879947-5dcd-11dd-9db5-0019b969c6f4}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 22:02]
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc7a5ec9c90c14.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 22:02]
.
2011-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 22:02]
.
2011-11-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Terry Benewith\Application Data\Mozilla\Firefox\Profiles\2bcghasj.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: XULRunner: {15CF1C31-D4E1-4F1D-93E8-6C6EF962EF08} - c:\documents and settings\Terry Benewith\Local Settings\Application Data\{15CF1C31-D4E1-4F1D-93E8-6C6EF962EF08}
FF - Ext: XULRunner: {AF6851C2-E77C-4B39-838F-7942F124C4A1} - c:\documents and settings\Karen Benewith\Local Settings\Application Data\{AF6851C2-E77C-4B39-838F-7942F124C4A1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{144A6B24-0EBC-4D89-BF09-A06A718E57B5} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-A0bozCvMHF6X5J - c:\documents and settings\All Users\Application Data\A0bozCvMHF6X5J.exe
MSConfigStartUp-dsfhjkwe - c:\windows\jcbelypq.exe
MSConfigStartUp-DVMedia - d:\\Resource\AutoRerun.exe
MSConfigStartUp-Emohevede - c:\windows\rfowd32.dll
MSConfigStartUp-JWIHjdCounYO - c:\documents and settings\All Users\Application Data\JWIHjdCounYO.exe
MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
MSConfigStartUp-Ntetizi - c:\windows\arohaqevemitedu.dll
AddRemove-QuestBrowse - c:\program files\QuestBrwSearch\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-11 20:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\TEMP\TMP000000694373F00044D60B40 524288 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\MMrusikod*]
"Xhuzo"=hex:42,01,46,03,42,05,45,07,49,09,48,0b,3c,0d,4b,0f,21,11,57,13,27,15,
23,17,2c,19,2c,1b,2a,1d,28,1f,61,21,15,23,61,25,1f,27,6c,29,6c,2b,19,2d,1c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1580)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2011-11-11 20:43:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-12 03:43
.
Pre-Run: 52,509,831,168 bytes free
Post-Run: 52,844,056,576 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 385BDCE22B5CB13114BBF3F235EC3378


I haven't tried to do anything else. When the PC rebooted, it booted normally and I was able to log into the first account. No errors are occurring like before. I have not done anything else.
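The log above carries several of the indicators a responder pulls out of a ComboFix report before writing a script: the Windows Firewall switched off for the standard profile, Security Center told to stop monitoring a product, autorun handlers cached per removable device under mountpoints2 (the `\Shell\AutoRun\command` lines that run `Start.exe` or `setupSNK.exe` from a USB drive), and orphaned startup entries with generated-looking names in odd locations. The script below is an added example, not part of the original thread or of ComboFix: it parses those sections out of a log and returns the findings. The sample lines are copied from the posted log; the `ODD_DIRS` list and the `looks_generated` heuristic are this script's own assumptions and produce candidates for review, not verdicts.

```python
"""Triage a ComboFix log for defence tampering and autorun persistence.

Added example, not ComboFix's own logic. ODD_DIRS and looks_generated() are
heuristics chosen for this demonstration.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{08e67388-3086-11dc-9b02-0019b969c6f4}]
\Shell\Auto\command - Start.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50f8f152-ba6b-11dc-9c65-0019b969c6f4}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-A0bozCvMHF6X5J - c:\documents and settings\All Users\Application Data\A0bozCvMHF6X5J.exe
MSConfigStartUp-dsfhjkwe - c:\windows\jcbelypq.exe
MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
"""


@dataclass(frozen=True)
class Finding:
    category: str  # firewall_off | monitoring_disabled | autorun_handler | orphan_startup
    detail: str


SECTION_RE = re.compile(r"^\[(.+)\]$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')
MONITORING_OFF_RE = re.compile(r'^"DisableMonitoring"=dword:0*1$')
MOUNTPOINT_RE = re.compile(r"mountpoints2\\(\{[0-9a-f-]+\})", re.IGNORECASE)
SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$")
ORPHAN_RE = re.compile(r"^MSConfigStartUp-(\S+) - (.+)$")

# Heuristic (assumption): legitimate startup binaries rarely sit directly here.
ODD_DIRS = {r"c:\windows", r"c:\documents and settings\all users\application data"}


def looks_generated(name: str) -> bool:
    """Heuristic: mixed case plus digits, or many case flips, reads as machine-made."""
    has_digit = any(c.isdigit() for c in name)
    has_upper = any(c.isupper() for c in name)
    has_lower = any(c.islower() for c in name)
    flips = sum(1 for a, b in zip(name, name[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    return (has_digit and has_upper and has_lower) or flips >= 3


def in_odd_location(path: str) -> bool:
    """True when the file sits directly in one of ODD_DIRS, with no subfolder."""
    directory = path.lower().rsplit("\\", 1)[0]
    return directory in ODD_DIRS


def triage(log_text: str) -> list[Finding]:
    """Walk the log, tracking the current [section], and collect findings in order."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
            continue
        lower = section.lower()
        if lower.endswith(r"firewallpolicy\standardprofile") and FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall_off", "Windows Firewall disabled for the standard profile"))
        elif "security center\\monitoring\\" in lower and MONITORING_OFF_RE.match(line):
            product = section.rsplit("\\", 1)[-1]
            findings.append(Finding("monitoring_disabled", f"Security Center no longer monitors {product}"))
        elif (gm := MOUNTPOINT_RE.search(section)) and (cm := SHELL_CMD_RE.match(line)):
            verb, cmd = cm.groups()  # e.g. AutoRun -> RunDLL32 ... ShellExec_RunDLL Start.exe
            findings.append(Finding("autorun_handler", f"{gm.group(1)} {verb}: {cmd}"))
        elif om := ORPHAN_RE.match(line):
            name, path = om.groups()
            if looks_generated(name) or in_odd_location(path):
                findings.append(Finding("orphan_startup", f"{name} -> {path}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category so a reviewer sees the shape at a glance."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:20} {f.detail}")
```

Run it against a full saved ComboFix log by reading the file and passing its text to `triage()`. The mountpoints2 entries are worth special attention: they are cached per device GUID under the user's hive, so they survive removal of the file they point at and re-fire the next time that drive is plugged in, which is why a cleanup script clears them rather than only deleting `Start.exe`.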

#14 gringo_pr
Malware Response Team, 136,772 posts

Posted 12 November 2011 - 11:25 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::
Extra::

Firefox::
FF - ProfilePath - c:\documents and settings\Terry Benewith\Application Data\Mozilla\Firefox\Profiles\2bcghasj.default\
FF - Ext: XULRunner: {15CF1C31-D4E1-4F1D-93E8-6C6EF962EF08} - c:\documents and settings\Terry Benewith\Local Settings\Application Data\{15CF1C31-D4E1-4F1D-93E8-6C6EF962EF08}
FF - Ext: XULRunner: {AF6851C2-E77C-4B39-838F-7942F124C4A1} - c:\documents and settings\Karen Benewith\Local Settings\Application Data\{AF6851C2-E77C-4B39-838F-7942F124C4A1}


RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\MMrusikod*]

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University

#15 mat58 (Topic Starter)
Members, 235 posts

Posted 13 November 2011 - 11:25 AM

Here is the log using the script you provided:

ComboFix 11-11-13.01 - Terry Benewith 11/13/2011 8:55.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.296 [GMT -7:00]
Running from: c:\documents and settings\Terry Benewith\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Terry Benewith\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Karen Benewith\Local Settings\Application Data\{AF6851C2-E77C-4B39-838F-7942F124C4A1}
c:\documents and settings\Karen Benewith\Local Settings\Application Data\{AF6851C2-E77C-4B39-838F-7942F124C4A1}\chrome.manifest
c:\documents and settings\Karen Benewith\Local Settings\Application Data\{AF6851C2-E77C-4B39-838F-7942F124C4A1}\chrome\content\_cfg.js
c:\documents and settings\Karen Benewith\Local Settings\Application Data\{AF6851C2-E77C-4B39-838F-7942F124C4A1}\chrome\content\overlay.xul
c:\documents and settings\Karen Benewith\Local Settings\Application Data\{AF6851C2-E77C-4B39-838F-7942F124C4A1}\install.rdf
c:\documents and settings\Terry Benewith\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\Terry Benewith\Application Data\Adobe\plugs
c:\documents and settings\Terry Benewith\Application Data\ShoppingReport2
c:\windows\bdn.com
c:\windows\iTunesMusic.exe
c:\windows\mssecu.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\bszip.dll
c:\windows\system32akttzn.exe
c:\windows\system32anticipator.dll
c:\windows\system32bdn.com
c:\windows\system32bsva-egihsg52.exe
c:\windows\system32dpcproxy.exe
c:\windows\system32emesx.dll
c:\windows\system32h@tkeysh@@k.dll
c:\windows\system32hoproxy.dll
c:\windows\system32hxiwlgpm.dat
c:\windows\system32hxiwlgpm.exe
c:\windows\system32medup012.dll
c:\windows\system32medup020.dll
c:\windows\system32msnbho.dll
c:\windows\system32mssecu.exe
c:\windows\system32msvchost.exe
c:\windows\system32mwin32.exe
c:\windows\system32netode.exe
c:\windows\system32newsd32.exe
c:\windows\system32ps1.exe
c:\windows\system32psof1.exe
c:\windows\system32psoft1.exe
c:\windows\system32regc64.dll
c:\windows\system32regm64.dll
c:\windows\system32Rundl1.exe
c:\windows\system32sncntr.exe
c:\windows\system32ssurf022.dll
c:\windows\system32ssvchost.com
c:\windows\system32ssvchost.exe
c:\windows\system32sysreq.exe
c:\windows\system32taack.dat
c:\windows\system32taack.exe
c:\windows\system32temp#01.exe
c:\windows\system32thun.dll
c:\windows\system32thun32.dll
c:\windows\system32VBIEWER.OCX
c:\windows\system32vbsys2.dll
c:\windows\system32vcatchpi.dll
c:\windows\system32winlogonpc.exe
c:\windows\system32winsystem.exe
c:\windows\system32WINWGPX.EXE
.
.
((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))
.
.
2011-11-13 16:10 . 2011-11-13 16:10 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E09D4453-B5E3-482A-9832-694660F8AEAE}\MpKslac2922be.sys
2011-11-13 16:09 . 2011-11-13 16:09 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E09D4453-B5E3-482A-9832-694660F8AEAE}\offreg.dll
2011-11-13 15:48 . 2011-11-13 15:48 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E09D4453-B5E3-482A-9832-694660F8AEAE}\MpKsla1fa0832.sys
2011-11-13 15:45 . 2011-10-07 03:48 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E09D4453-B5E3-482A-9832-694660F8AEAE}\mpengine.dll
2011-11-11 23:14 . 2011-11-11 23:17 -------- d-----w- C:\82f2c0489fcb9051013b4e
2011-11-03 14:58 . 2011-11-03 14:58 -------- d-----w- c:\documents and settings\Cary Benewith\Application Data\Apple Computer
2011-11-03 14:57 . 2011-11-03 14:57 -------- d-sh--w- c:\documents and settings\Cary Benewith\IETldCache
2011-11-03 02:43 . 2011-11-03 02:43 -------- d-----w- c:\documents and settings\Administrator.TERRY.000\Application Data\Yahoo!
2011-11-03 02:29 . 2011-11-03 02:29 -------- d-----w- c:\documents and settings\Abbey Benewith\Application Data\Apple Computer
2011-11-03 02:28 . 2011-11-03 02:28 -------- d-sh--w- c:\documents and settings\Abbey Benewith\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-07 03:48 . 2011-03-19 02:11 6668624 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-11-12_03.35.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-13 16:09 . 2011-11-13 16:09 16384 c:\windows\temp\Perflib_Perfdata_4b8.dat
+ 2007-05-23 20:13 . 2011-11-12 03:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-05-23 20:13 . 2011-11-03 11:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-11-13 15:28 . 2011-11-12 03:50 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-10-22 05:04 . 2010-10-22 05:04 51200 c:\windows\SoftwareDistribution\Download\f326fc498c75892f78799689ea398255\wm9l\wmencagt.exe
- 2008-06-26 16:10 . 2008-06-26 16:10 11264 c:\windows\SoftwareDistribution\Download\f326fc498c75892f78799689ea398255\update\custdll.dll
- 2007-07-28 06:11 . 2007-07-28 06:11 16760 c:\windows\SoftwareDistribution\Download\f326fc498c75892f78799689ea398255\spmsg.dll
- 2011-09-25 15:46 . 2010-07-05 13:15 26488 c:\windows\SoftwareDistribution\Download\86e02b9df514f7fcd2b873c29d592eb3\update\spcustom.dll
- 2011-09-25 15:46 . 2010-07-05 13:15 17272 c:\windows\SoftwareDistribution\Download\86e02b9df514f7fcd2b873c29d592eb3\spmsg.dll
- 2010-10-22 05:14 . 2010-10-22 05:14 949760 c:\windows\SoftwareDistribution\Download\f326fc498c75892f78799689ea398255\wm9l\wmex.dll
- 2010-10-22 05:04 . 2010-10-22 05:04 647680 c:\windows\SoftwareDistribution\Download\f326fc498c75892f78799689ea398255\wm9l\wmenc.exe
- 2010-10-22 05:14 . 2010-10-22 05:14 173056 c:\windows\SoftwareDistribution\Download\f326fc498c75892f78799689ea398255\wm9l\wmdevctl.dll
- 2007-07-28 06:11 . 2007-07-28 06:11 382840 c:\windows\SoftwareDistribution\Download\f326fc498c75892f78799689ea398255\update\updspapi.dll
- 2007-07-28 06:11 . 2007-07-28 06:11 755576 c:\windows\SoftwareDistribution\Download\f326fc498c75892f78799689ea398255\update\update.exe
- 2007-07-28 06:11 . 2007-07-28 06:11 231288 c:\windows\SoftwareDistribution\Download\f326fc498c75892f78799689ea398255\spuninst.exe
- 2011-09-25 15:46 . 2010-07-05 13:16 382840 c:\windows\SoftwareDistribution\Download\86e02b9df514f7fcd2b873c29d592eb3\update\updspapi.dll
- 2011-09-25 15:46 . 2010-07-05 13:15 755576 c:\windows\SoftwareDistribution\Download\86e02b9df514f7fcd2b873c29d592eb3\update\update.exe
- 2011-09-25 15:46 . 2010-07-05 13:15 231288 c:\windows\SoftwareDistribution\Download\86e02b9df514f7fcd2b873c29d592eb3\spuninst.exe
- 2010-10-22 05:14 . 2010-10-22 05:14 1560576 c:\windows\SoftwareDistribution\Download\f326fc498c75892f78799689ea398255\wm9l\wmenceng.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Abbey Benewith\Start Menu\Programs\Startup\
VZAccess Manager.lnk - c:\program files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe [2007-7-12 1273856]
.
c:\documents and settings\Sarah Benewith\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Amazon Unbox.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Amazon Unbox.lnk
backup=c:\windows\pss\Amazon Unbox.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Terry Benewith^Start Menu^Programs^Startup^FrostWire On Startup.lnk]
path=c:\documents and settings\Terry Benewith\Start Menu\Programs\Startup\FrostWire On Startup.lnk
backup=c:\windows\pss\FrostWire On Startup.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-05-10 15:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2005-12-19 20:08 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2006-08-23 21:14 1032192 ----a-w- c:\program files\Dell\QuickSet\quickset.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2006-08-29 02:57 395776 ----a-w- c:\program files\Dell Support\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-09-08 10:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 01:29 49152 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2008-11-04 08:44 435096 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-07-20 01:06 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-11-22 19:49 188416 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
2002-11-22 19:48 348160 ----a-w- c:\windows\system32\hphmon04.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-11-22 19:50 49152 ----a-w- c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-03-07 22:33 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-12-18 18:24 197928 ----a-w- c:\program files\FreeAgent Status\stxmenumgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 07:24 20480 ----a-w- c:\program files\NetWaiting\netwaiting.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 15:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-09-22 16:06 282624 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2005-11-10 18:03 36975 ----a-w- c:\program files\Java\jre1.5.0_06\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-25 19:54 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-09-22 16:47 761947 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
2006-08-09 13:27 36864 ----a-w- c:\program files\Ulead Systems\Ulead VideoStudio SE\uvPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"wltrysvc"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"Pml Driver HPH11"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NICCONFIGSVC"=2 (0x2)
"MsMpSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"GoogleDesktopManager-051210-111108"=3 (0x3)
"FreeAgentGoNext Service"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"ADVService"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
.
R1 MpKsla1fa0832;MpKsla1fa0832;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E09D4453-B5E3-482A-9832-694660F8AEAE}\MpKsla1fa0832.sys [11/13/2011 8:48 AM 28752]
R1 MpKslac2922be;MpKslac2922be;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E09D4453-B5E3-482A-9832-694660F8AEAE}\MpKslac2922be.sys [11/13/2011 9:10 AM 28752]
S1 MpKsl0f95d951;MpKsl0f95d951;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8BF930DE-EE3B-486A-B75A-011A8306B1CC}\MpKsl0f95d951.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8BF930DE-EE3B-486A-B75A-011A8306B1CC}\MpKsl0f95d951.sys [?]
S1 MpKsl2628fbb7;MpKsl2628fbb7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B144CC26-68FE-40F6-8CC8-8463E3A997A6}\MpKsl2628fbb7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B144CC26-68FE-40F6-8CC8-8463E3A997A6}\MpKsl2628fbb7.sys [?]
S1 MpKsl77b050fe;MpKsl77b050fe;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{078729CD-31BA-44C8-91E3-E28488459A4A}\MpKsl77b050fe.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{078729CD-31BA-44C8-91E3-E28488459A4A}\MpKsl77b050fe.sys [?]
S1 MpKsl9453d97e;MpKsl9453d97e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CEBBFC5-360D-423F-BC87-454D2AE88BB7}\MpKsl9453d97e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CEBBFC5-360D-423F-BC87-454D2AE88BB7}\MpKsl9453d97e.sys [?]
S1 MpKsl984733a8;MpKsl984733a8;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{11AB501A-7832-4C76-BD55-26D7819DB8F0}\MpKsl984733a8.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{11AB501A-7832-4C76-BD55-26D7819DB8F0}\MpKsl984733a8.sys [?]
S1 MpKslceb00a98;MpKslceb00a98;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CEBBFC5-360D-423F-BC87-454D2AE88BB7}\MpKslceb00a98.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7CEBBFC5-360D-423F-BC87-454D2AE88BB7}\MpKslceb00a98.sys [?]
S1 MpKslffa421f0;MpKslffa421f0;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9146F355-FF77-4AD8-851C-49D165D27D06}\MpKslffa421f0.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{9146F355-FF77-4AD8-851C-49D165D27D06}\MpKslffa421f0.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2011 3:02 PM 135664]
S3 ENDETECT;ENDETECT;\??\d:\release\ENDETECT.SYS --> d:\release\ENDETECT.SYS [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2011 3:02 PM 135664]
S3 L2XPSR;L2XPSR;\??\d:\release\L2XPSR.SYS --> d:\release\L2XPSR.SYS [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 NTSTPL1;NTSTPL1;\??\d:\release\NTSTPL1.SYS --> d:\release\NTSTPL1.SYS [?]
S3 NTSTPL2;NTSTPL2;\??\d:\release\NTSTPL2.SYS --> d:\release\NTSTPL2.SYS [?]
S3 TAPBIND;TAPBIND;\??\d:\release\TAPBIND1.SYS --> d:\release\TAPBIND1.SYS [?]
S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [5/17/2007 9:03 AM 30192]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLAC2922BE
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 22:02]
.
2011-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc7a5ec9c90c14.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 22:02]
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-27 22:02]
.
2011-11-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Terry Benewith\Application Data\Mozilla\Firefox\Profiles\2bcghasj.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: XULRunner: {15CF1C31-D4E1-4F1D-93E8-6C6EF962EF08} - c:\documents and settings\Terry Benewith\Local Settings\Application Data\{15CF1C31-D4E1-4F1D-93E8-6C6EF962EF08}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-13 09:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-11-13 09:18:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-13 16:18
ComboFix2.txt 2011-11-12 03:43
.
Pre-Run: 53,056,053,248 bytes free
Post-Run: 55,643,521,024 bytes free
.
- - End Of File - - E726813804CA38556300DE081AA2E700



PC is looking better. Booting into a normal Windows view. I disabled Microsoft Security Essentials before running, but it still said it had discovered the process running. Also, I was prompted for a newer version of ComboFix, which I accepted. Hope that didn't cause an issue.
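The service/driver section of the ComboFix log above is the part a helper reads most closely: the `S3 ENDETECT`, `L2XPSR`, `NTSTPL1/2` and `TAPBIND` entries all point at `d:\release\*.SYS` and end in `[?]`, which is ComboFix's way of saying the image file could not be found at scan time. The following is an added example, written for this thread and not code from ComboFix or BleepingComputer, that parses those lines and flags the ones worth a second look. The sample input is five lines copied from the log above; the `TRUSTED_ROOTS` list is an assumption about where legitimate images live on this XP laptop, and the flags are triage hints (an orphaned registration or a non-system volume), not a claim that any entry is malicious.

```python
"""Triage the service/driver section of a ComboFix log (added example, not ComboFix's own code).

Each ComboFix service line has the shape
    <R|S><start> <name>;<display name>;<image path> [<date> <size>]
and, when the image file could not be found at scan time,
    <R|S><start> <name>;<display name>;\\??\\<path> --> <path> [?]
R = running, S = stopped; start 0/1 = boot/system-start kernel driver,
2 = auto, 3 = on demand, 4 = disabled.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: five lines copied verbatim from the log posted above.
SAMPLE_LOG = r"""
R1 MpKsla1fa0832;MpKsla1fa0832;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E09D4453-B5E3-482A-9832-694660F8AEAE}\MpKsla1fa0832.sys [11/13/2011 8:48 AM 28752]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/27/2011 3:02 PM 135664]
S3 ENDETECT;ENDETECT;\??\d:\release\ENDETECT.SYS --> d:\release\ENDETECT.SYS [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 TAPBIND;TAPBIND;\??\d:\release\TAPBIND1.SYS --> d:\release\TAPBIND1.SYS [?]
"""

ENTRY_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
MISSING_RE = re.compile(r"^.+?\s+-->\s+(?P<path>.+?)\s+\[\?\]$")   # "... --> <path> [?]"
PRESENT_RE = re.compile(r"^(?P<path>.+?)\s+\[[^\]]+\]$")            # "<path> [<date> <size>]"

# Assumption: locations treated as expected for legitimate images on this XP box.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\documents and settings\\all users\\application data\\microsoft\\",
)


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: int
    image_path: str
    image_present: bool          # False when ComboFix printed "[?]"
    findings: list = field(default_factory=list)


def assess(entry: ServiceEntry) -> list:
    """Return triage hints for one entry; an empty list means nothing stood out."""
    findings = []
    lower = entry.image_path.lower()
    if not entry.image_present:
        findings.append("image file not found at scan time (orphaned service/driver registration)")
    if not lower.startswith("c:\\"):
        findings.append("image on a non-system volume")
    elif not lower.startswith(TRUSTED_ROOTS):
        findings.append("image outside the expected program/system directories")
    if entry.start_type <= 1 and findings:
        findings.append("boot/system-start kernel driver: loads before user-mode AV")
    return findings


def parse_entry(line: str):
    """Parse one ComboFix service line; return None for lines of any other shape."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    missing = MISSING_RE.match(rest)
    if missing:
        path, present = missing.group("path"), False
    else:
        present_m = PRESENT_RE.match(rest)
        if not present_m:
            return None
        path, present = present_m.group("path"), True
    entry = ServiceEntry(
        name=m.group("name"),
        display=m.group("display"),
        running=m.group("state") == "R",
        start_type=int(m.group("start")),
        image_path=path,
        image_present=present,
    )
    entry.findings = assess(entry)
    return entry


def parse_services(log_text: str) -> list:
    """Parse every service/driver line found in a block of ComboFix output."""
    return [e for e in (parse_entry(l) for l in log_text.splitlines()) if e]


def flagged(log_text: str) -> dict:
    """Map service name -> findings, for entries that have at least one finding."""
    return {e.name: e.findings for e in parse_services(log_text) if e.findings}


if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_LOG).items():
        print(f"{name}: " + "; ".join(reasons))
```

Run against the sample, only `ENDETECT` and `TAPBIND` come back flagged (missing image, non-system volume); the MSE definition driver and the Google and McAfee services pass because their images were present and sit under the assumed roots. A `[?]` entry whose path is on a drive that is not even present is usually leftover registration from removed software, but since the same marker would also appear for a driver whose file was deleted out from under a running rootkit, it is the kind of line a helper asks about rather than ignores.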