
Windows XP freezes while starting


13 replies to this topic

#1 rbrav


Posted 17 December 2011 - 10:22 PM

Hello. I am running Windows XP Service Pack 2. A few days ago, "XP Internet Security 2012" snuck through Malwarebytes. I got rid of it after Googling the solution, but ever since, Windows freezes a little after starting up. MBAM and ESET NOD32 (the only things I have checked under msconfig > Startup) load just fine, but as far as I can tell, as soon as it tries to get the wireless going, it won't progress. The Windows wireless icon appears in the taskbar, but not the Linksys one, and I'm in hourglass eternity as soon as I click on anything. I tried uninstalling my Linksys utility, but this didn't fix the problem. (I then reinstalled it.) If I go into Safe Mode and attempt a System Restore, the restore fails, but this action gets Windows to load everything properly. Once I am actually able to use Windows, the wireless and everything else works just fine.

Scans with MBAM, NOD32, GMER, and TDSSKiller recently found a number of various problems on my system, but those all appear to have been cleared successfully. Still, this startup problem persists. Any help would be much appreciated!

#2 Blade


Posted 17 December 2011 - 10:54 PM

Hello.

I'm going to move this topic to Am I Infected so that we can make sure we've gotten rid of all the malware.

Could you please post the logs from MBAM, NOD32, GMER, and TDSSKiller?

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 rbrav


Posted 17 December 2011 - 10:59 PM

Thank you for helping! I will generate those logs and post them as soon as I can.

#4 rbrav


Posted 18 December 2011 - 06:33 PM

OK, here are the logs for GMER, MBAM, NOD32, and TDSSKiller. I included a DDS log just in case.

GMER:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-18 13:17:54
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD5000AAKS-75A7B0 rev.01.03B01
Running: wsgdtuds.exe; Driver: C:\DOCUME~1\Raul\LOCALS~1\Temp\pxtdrpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xB090E610]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xB090EC10]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xB090E730]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xB090E4B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xB090E570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xB090E6D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xB090E790]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xB090E690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xB090E650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xB090E7D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xB090E510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xB090E590]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xB090E4D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xB090E5D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xB090E750]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8F78000, 0x19DA46, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[512] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \FileSystem\Fastfat \Fat AD467C8A

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{1A68D668-6DF3-702D-2A0852A803C1488D}\{D6F2E9CD-48BA-CDDC-BEA31B576464FCAF}\{421B9E29-5D23-2966-C9D7C1E976BC0884}
Reg HKLM\SOFTWARE\Classes\CLSID\{1A68D668-6DF3-702D-2A0852A803C1488D}\{D6F2E9CD-48BA-CDDC-BEA31B576464FCAF}\{421B9E29-5D23-2966-C9D7C1E976BC0884}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{4233ADD3-CD31-D295-804BA870321FDEF4}\{F4A8E5F3-7E68-2DD0-FA9D328203A7D1A7}\{07380252-9142-5EC5-94F639FC4AE64832}
Reg HKLM\SOFTWARE\Classes\CLSID\{4233ADD3-CD31-D295-804BA870321FDEF4}\{F4A8E5F3-7E68-2DD0-FA9D328203A7D1A7}\{07380252-9142-5EC5-94F639FC4AE64832}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{90C9B227-00E9-ED2B-D8335C00663422E2}\{BA143829-6513-6AB3-17B76E63BBBF825B}\{B7811D8F-B091-6828-D848878685722533}
Reg HKLM\SOFTWARE\Classes\CLSID\{90C9B227-00E9-ED2B-D8335C00663422E2}\{BA143829-6513-6AB3-17B76E63BBBF825B}\{B7811D8F-B091-6828-D848878685722533}@1D1OWFM6WKF6TLM3S2BGKKUUDG1 0x01 0x00 0x01 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{9D7D745F-2DA2-E26E-67E2A61C92B5C873}\{869A1319-CB5B-72EF-32E86935B8210920}\{0F637A1B-C125-DB37-203685E7DE12B741}
Reg HKLM\SOFTWARE\Classes\CLSID\{9D7D745F-2DA2-E26E-67E2A61C92B5C873}\{869A1319-CB5B-72EF-32E86935B8210920}\{0F637A1B-C125-DB37-203685E7DE12B741}@{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1 0x01 0x00 0x01 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3F507BD4-1BB6-F30C-4FA0-5FAD97E430ED}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{549A87FB-CC1A-F28E-CAE0-63100BF8FC50}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{549A87FB-CC1A-F28E-CAE0-63100BF8FC50}@iakbfnphkfpijbheno 0x69 0x61 0x65 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{549A87FB-CC1A-F28E-CAE0-63100BF8FC50}@hamnpmchknicckbc 0x69 0x61 0x65 0x67 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB65467$\1435845764 0 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535 0 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\bckfg.tmp 852 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\keywords 165 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\L 0 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\L\odetmngk 454016 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\U 0 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB65467$\2327606535\U\80000032.@ 98304 bytes

---- EOF - GMER 1.0.15 ----


MBAM:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8389

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

12/18/2011 5:53:23 PM
mbam-log-2011-12-18 (17-53-22).txt

Scan type: Full scan (C:\|)
Objects scanned: 389239
Time elapsed: 2 hour(s), 12 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


NOD32:

Scan Log
Version of virus signature database: 6720 (20111217)
Date: 12/18/2011 Time: 12:36:58 AM
Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\
Number of scanned objects: 476274
Number of threats found: 0
Time of completion: 2:05:15 AM Total scanning time: 5297 sec (01:28:17)

Notes:
[4] Object cannot be opened. It may be in use by another application or operating system.


TDSSKiller:

00:29:21.0953 1772 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
00:29:21.0953 1772 RDPWD - ok
00:29:21.0984 1772 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
00:29:22.0000 1772 redbook - ok
00:29:22.0046 1772 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
00:29:22.0062 1772 Secdrv - ok
00:29:22.0062 1772 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
00:29:22.0078 1772 serenum - ok
00:29:22.0093 1772 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
00:29:22.0109 1772 Serial - ok
00:29:22.0140 1772 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
00:29:22.0156 1772 Sfloppy - ok
00:29:22.0156 1772 Simbad - ok
00:29:22.0171 1772 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
00:29:22.0187 1772 sisagp - ok
00:29:22.0187 1772 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
00:29:22.0203 1772 Sparrow - ok
00:29:22.0250 1772 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
00:29:22.0265 1772 splitter - ok
00:29:22.0281 1772 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
00:29:22.0296 1772 sr - ok
00:29:22.0359 1772 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
00:29:22.0375 1772 Srv - ok
00:29:22.0390 1772 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
00:29:22.0406 1772 swenum - ok
00:29:22.0421 1772 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
00:29:22.0437 1772 swmidi - ok
00:29:22.0437 1772 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
00:29:22.0468 1772 symc810 - ok
00:29:22.0468 1772 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
00:29:22.0484 1772 symc8xx - ok
00:29:22.0484 1772 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
00:29:22.0515 1772 sym_hi - ok
00:29:22.0515 1772 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
00:29:22.0531 1772 sym_u3 - ok
00:29:22.0578 1772 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
00:29:22.0578 1772 sysaudio - ok
00:29:22.0609 1772 taphss (0c3b2a9c4bd2dd9a6c2e4084314dd719) C:\WINDOWS\system32\DRIVERS\taphss.sys
00:29:22.0609 1772 taphss - ok
00:29:22.0656 1772 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
00:29:22.0671 1772 Tcpip - ok
00:29:22.0687 1772 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
00:29:22.0703 1772 TDPIPE - ok
00:29:22.0703 1772 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
00:29:22.0718 1772 TDTCP - ok
00:29:22.0734 1772 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
00:29:22.0750 1772 TermDD - ok
00:29:22.0781 1772 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
00:29:22.0796 1772 TosIde - ok
00:29:22.0812 1772 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
00:29:22.0812 1772 Udfs - ok
00:29:22.0828 1772 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
00:29:22.0859 1772 ultra - ok
00:29:22.0890 1772 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
00:29:22.0937 1772 Update - ok
00:29:23.0000 1772 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
00:29:23.0015 1772 usbaudio - ok
00:29:23.0031 1772 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
00:29:23.0046 1772 usbccgp - ok
00:29:23.0078 1772 usbehci (708579b01fed227aadb393cb0c3b4a2c) C:\WINDOWS\system32\DRIVERS\usbehci.sys
00:29:23.0109 1772 usbehci - ok
00:29:23.0109 1772 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
00:29:23.0125 1772 usbhub - ok
00:29:23.0125 1772 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
00:29:23.0156 1772 usbprint - ok
00:29:23.0171 1772 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
00:29:23.0187 1772 usbscan - ok
00:29:23.0218 1772 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
00:29:23.0218 1772 USBSTOR - ok
00:29:23.0234 1772 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
00:29:23.0250 1772 usbuhci - ok
00:29:23.0296 1772 usb_rndisx (ae4df3b7d1db9373b08db4ed224e26b6) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
00:29:23.0312 1772 usb_rndisx - ok
00:29:23.0343 1772 VClone (1cdaa48cb2f7744b8d25650e050766a5) C:\WINDOWS\system32\DRIVERS\VClone.sys
00:29:23.0359 1772 VClone - ok
00:29:23.0359 1772 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
00:29:23.0390 1772 VgaSave - ok
00:29:23.0390 1772 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
00:29:23.0421 1772 viaagp - ok
00:29:23.0437 1772 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
00:29:23.0453 1772 ViaIde - ok
00:29:23.0484 1772 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
00:29:23.0500 1772 VolSnap - ok
00:29:23.0515 1772 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
00:29:23.0546 1772 Wanarp - ok
00:29:23.0546 1772 wanatw - ok
00:29:23.0578 1772 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
00:29:23.0578 1772 Wdf01000 - ok
00:29:23.0593 1772 WDICA - ok
00:29:23.0625 1772 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
00:29:23.0640 1772 wdmaud - ok
00:29:23.0687 1772 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
00:29:23.0687 1772 WinUSB - ok
00:29:23.0703 1772 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\Drivers\wpdusb.sys
00:29:23.0718 1772 WpdUsb - ok
00:29:23.0765 1772 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
00:29:23.0765 1772 WudfPf - ok
00:29:23.0765 1772 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
00:29:23.0765 1772 WudfRd - ok
00:29:23.0828 1772 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
00:29:23.0828 1772 \Device\Harddisk0\DR0 - ok
00:29:23.0843 1772 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR4
00:29:23.0843 1772 \Device\Harddisk1\DR4 - ok
00:29:23.0843 1772 Boot (0x1200) (e4dc4a2896c7b59e4021053e903702d2) \Device\Harddisk0\DR0\Partition0
00:29:23.0859 1772 \Device\Harddisk0\DR0\Partition0 - ok
00:29:23.0859 1772 Boot (0x1200) (aba4abbbba63dedaf4f2a967e1d5a9b0) \Device\Harddisk1\DR4\Partition0
00:29:23.0859 1772 \Device\Harddisk1\DR4\Partition0 - ok
00:29:23.0859 1772 ============================================================
00:29:23.0859 1772 Scan finished
00:29:23.0859 1772 ============================================================
00:29:23.0875 3020 Detected object count: 0
00:29:23.0875 3020 Actual detected object count: 0
00:29:35.0468 2344 Deinitialize success


DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Run by Raul at 13:21:28 on 2011-12-18
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2621 [GMT -5:00]
.
AV: ESET NOD32 Antivirus 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dleacoms.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Linksys\WUSB300N\WLService.exe
C:\Program Files\Linksys\WUSB300N\WUSB300N.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080620
uSearch Bar =
uStart Page = https://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080620
uInternet Settings,ProxyOverride = <local>
BHO: Dell Toolbar: {09b71986-2ac5-482d-b6cb-42ea34f4f85b} - c:\program files\dell toolbar\toolband.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {DE9C389F-3316-41A7-809B-AA305ED9D922} - No File
TB: Dell Toolbar: {09b71986-2ac5-482d-b6cb-42ea34f4f85b} - c:\program files\dell toolbar\toolband.dll
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: E&xport to Microsoft Excel - c:\progra~1\mi699f~1\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi699f~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{77EC9056-9AA8-433C-ABF2-8C977B430C68} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{89ED57A9-785F-491C-9449-4BD39BACB557} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{C2F6A635-0ED2-4B24-AEC2-3C3675A2C563} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{D8375DFA-FA5D-45A6-B261-E88FA73286D0} : DhcpNameServer = 205.152.37.23 205.152.150.23
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
mASetup: EMORY_IS_VDT_User_Config - c:\program files\citrix\support\ehcusriecfg.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\raul\application data\mozilla\firefox\profiles\8qkrb4sr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\raul\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\raul\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\raul\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-7-29 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-8-18 95896]
R2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe -service --> c:\windows\system32\dleacoms.exe -service [?]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2010-8-12 810144]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-31 366152]
R2 WUSB300NSvc;WUSB300NSvc;c:\program files\linksys\wusb300n\WLService.exe [2011-12-15 53307]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-1-31 22216]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dleaserv.exe [2009-7-1 98984]
S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [2009-5-9 31899]
.
=============== Created Last 30 ================
.
2011-12-17 11:43:59 13568 ----a-w- c:\windows\system32\dllcache\wacompen.sys
2011-12-17 11:42:59 26624 ----a-w- c:\windows\system32\dllcache\umaxu22.dll
2011-12-17 11:41:59 138528 ----a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2011-12-17 11:40:58 106584 ----a-w- c:\windows\system32\dllcache\spdports.dll
2011-12-17 11:39:59 104064 ----a-w- c:\windows\system32\dllcache\sisgrp.sys
2011-12-17 11:38:58 61504 ----a-w- c:\windows\system32\dllcache\s3sav3dm.sys
2011-12-17 11:37:59 9728 ----a-w- c:\windows\system32\dllcache\query.exe
2011-12-17 11:36:58 41984 ----a-w- c:\windows\system32\dllcache\ovui2rc.dll
2011-12-17 11:35:59 65278 ----a-w- c:\windows\system32\dllcache\netflx3.sys
2011-12-17 11:34:59 51328 ----a-w- c:\windows\system32\dllcache\msdv.sys
2011-12-17 11:33:57 70656 ----a-w- c:\windows\system32\dllcache\korwbrkr.dll
2011-12-17 11:31:40 372824 ----a-w- c:\windows\system32\dllcache\iconf32.dll
2011-12-17 11:30:58 542879 ----a-w- c:\windows\system32\dllcache\hsf_msft.sys
2011-12-17 11:29:59 454912 ----a-w- c:\windows\system32\dllcache\fxusbase.sys
2011-12-17 11:28:59 7296 ----a-w- c:\windows\system32\dllcache\elmsmc.sys
2011-12-17 11:27:59 27648 ----a-w- c:\windows\system32\dllcache\cyyports.dll
2011-12-17 11:26:59 11776 ----a-w- c:\windows\system32\dllcache\bdasup.sys
2011-12-17 11:25:58 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-12-15 23:51:35 516224 ----a-w- c:\windows\system32\Mrvw243.sys
2011-12-15 23:51:35 516224 ----a-w- c:\windows\system32\drivers\Mrvw243.sys
2011-12-15 23:51:35 499456 ----a-w- c:\windows\system32\Mrvw245.sys
2011-12-15 23:51:35 499456 ----a-w- c:\windows\system32\drivers\MRVW245.sys
2011-12-15 23:51:21 -------- d-----w- c:\program files\Linksys
2011-12-13 04:44:07 -------- d-sh--r- C:\cmdcons
2011-12-13 04:44:04 -------- d-----w- c:\windows\setup.pss
2011-12-13 04:43:54 -------- d-----w- c:\windows\setupupd
.
==================== Find3M ====================
.
2011-12-16 03:50:38 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-21 04:24:14 709968 ----a-w- c:\windows\is-GJ48S.exe
.
============= FINISH: 13:22:27.15 ===============



#5 Blade (Site Admin)

Posted 18 December 2011 - 09:16 PM

Hello.

I went ahead and relocated this topic to our Malware Removal forum so I can get a deeper look at the machine.

Could you please do the following for me?

  • I need to see the MBAM logs that you ran previously (i.e. the ones where something was detected). You can retrieve these from the Logs tab in the MBAM interface.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Check the boxes beside LOP Check and Purity Check.
  • Push the scan button.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and paste them into the body of your next reply.

~Blade


In your next reply, please include the following:
Old MBAM Logs
OTL.txt
Attach.txt

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#6 rbrav (Topic Starter)


Posted 18 December 2011 - 09:36 PM

Unfortunately, I had previously unchecked the MBAM setting "Automatically save log file after scan completes," meaning no log file was saved. They are not within the interface or in the corresponding Windows folder. Sorry.

The OTL results are attached as files because I got the error message "Your post was too long. Please go back and shorten it a little." when I tried to paste them into the text field.




#7 rbrav (Topic Starter)


Posted 18 December 2011 - 09:54 PM

Spoke a little too soon, sorry. The full scan logs were not being generated, but I do have logs from when MBAM noticed an issue and then things went south. Here are the relevant ones:

protection-log-2011-12-08:

10:19:42 Raul DETECTION C:\WINDOWS\TEMP\vltupn\setup.exe Trojan.Email QUARANTINE
10:19:42 Raul DETECTION C:\WINDOWS\TEMP\vltupn\setup.exe Trojan.Email DENY


protection-log-2011-12-09:

12:00:00 Raul DETECTION C:\WINDOWS\TEMP\0.5962823853028411.exe Exploit.Drop.4 QUARANTINE
21:07:25 (null) MESSAGE Protection started successfully
22:43:15 (null) MESSAGE Protection started successfully
22:46:56 (null) MESSAGE Protection started successfully
22:50:53 (null) MESSAGE Protection started successfully
23:09:17 (null) MESSAGE Protection started successfully
23:24:40 Raul MESSAGE Protection started successfully
23:24:44 Raul MESSAGE IP Protection started successfully
23:27:13 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:27:16 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:27:22 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:27:34 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:27:37 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:27:43 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:27:55 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:27:58 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:28:04 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:28:16 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:28:19 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:28:25 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:28:38 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:28:41 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:28:47 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:28:59 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:29:02 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:29:08 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:34:03 Raul IP-BLOCK 146.185.250.211 (Type: outgoing)
23:34:06 Raul IP-BLOCK 146.185.250.211 (Type: outgoing)
23:34:12 Raul IP-BLOCK 146.185.250.211 (Type: outgoing)
23:34:24 Raul IP-BLOCK 146.185.250.213 (Type: outgoing)
23:34:27 Raul IP-BLOCK 146.185.250.213 (Type: outgoing)
23:34:33 Raul IP-BLOCK 146.185.250.213 (Type: outgoing)
23:35:06 Raul IP-BLOCK 63.223.106.17 (Type: outgoing)
23:35:09 Raul IP-BLOCK 63.223.106.17 (Type: outgoing)
23:35:15 Raul IP-BLOCK 63.223.106.17 (Type: outgoing)
23:41:28 Raul IP-BLOCK 91.207.60.22 (Type: outgoing)
23:41:31 Raul IP-BLOCK 91.207.60.22 (Type: outgoing)
23:41:37 Raul IP-BLOCK 91.207.60.22 (Type: outgoing)
23:51:40 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:51:43 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:51:49 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:52:01 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:52:04 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:52:10 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:52:22 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:52:25 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:52:31 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:52:43 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:52:46 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:52:52 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:53:04 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:53:07 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:53:13 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:53:25 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:53:28 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:53:34 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)


The logs for the next few days afterward show a whole lot of "IP-BLOCK" messages until I got the problem under apparent control.
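The protection log above shows the same outbound destinations being blocked again and again a few seconds apart (3 s, then 6 s, then a retry a little later), which is what a process still trying to call home after a partial cleanup looks like. The Python script below is an added example for this thread, not Malwarebytes' own code and not something anyone posted in the topic: it parses lines in the format rbrav pasted (a handful of his 2011-12-09 lines are reused as sample input, with the date taken from the log file name, since the lines themselves carry only a time of day), groups outgoing IP-BLOCK events by destination, and flags destinations that are retried in quick succession. The function names, the "3 hits within 60 s" thresholds and the one-file-per-day assumption are my own choices.

```python
"""Parse MBAM protection-log lines (the format posted in this thread) and
summarise repeated outbound blocks per destination.

Added example; not part of Malwarebytes and not code from the topic.
Function names, thresholds and the one-day-per-file assumption are mine."""
import re
from collections import defaultdict
from datetime import datetime

# Sample input: a subset of the protection-log-2011-12-09 lines from the post.
SAMPLE_LOG = r"""
12:00:00 Raul DETECTION C:\WINDOWS\TEMP\0.5962823853028411.exe Exploit.Drop.4 QUARANTINE
23:24:40 Raul MESSAGE Protection started successfully
23:24:44 Raul MESSAGE IP Protection started successfully
23:27:13 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:27:16 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:27:22 Raul IP-BLOCK 83.133.125.41 (Type: outgoing)
23:27:34 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:27:37 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:27:43 Raul IP-BLOCK 83.133.124.245 (Type: outgoing)
23:34:03 Raul IP-BLOCK 146.185.250.211 (Type: outgoing)
23:34:06 Raul IP-BLOCK 146.185.250.211 (Type: outgoing)
23:34:12 Raul IP-BLOCK 146.185.250.211 (Type: outgoing)
23:35:06 Raul IP-BLOCK 63.223.106.17 (Type: outgoing)
"""

# Three line shapes appear in the post: DETECTION, MESSAGE and IP-BLOCK.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) "
    r"(?P<kind>DETECTION|MESSAGE|IP-BLOCK) (?P<rest>.*)$"
)
IPBLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>\w+)\)$"
)
# A path may contain spaces, so match it lazily and anchor on threat + action.
DETECT_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>\S+) (?P<action>QUARANTINE|DENY|DELETE|IGNORE)$"
)


def parse_protection_log(text, day):
    """Turn log text into event dicts. 'day' (YYYY-MM-DD, from the file name)
    supplies the date the lines lack. Unmatched lines are kept as 'UNPARSED'
    so nothing is silently dropped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            events.append({"kind": "UNPARSED", "raw": line})
            continue
        ev = {
            "time": datetime.strptime(f"{day} {m['time']}", "%Y-%m-%d %H:%M:%S"),
            "user": m["user"],
            "kind": m["kind"],
            "raw": line,
        }
        rest = m["rest"]
        if ev["kind"] == "IP-BLOCK":
            b = IPBLOCK_RE.match(rest)
            if b:
                ev["ip"], ev["direction"] = b["ip"], b["direction"]
        elif ev["kind"] == "DETECTION":
            d = DETECT_RE.match(rest)
            if d:
                ev.update(path=d["path"], threat=d["threat"], action=d["action"])
        else:
            ev["text"] = rest
        events.append(ev)
    return events


def detections(events):
    """(path, threat, action) for every parsed DETECTION line."""
    return [(e["path"], e["threat"], e["action"])
            for e in events if e["kind"] == "DETECTION" and "threat" in e]


def summarize_ip_blocks(events):
    """Per destination: number of outgoing blocks, first/last time, and the
    gaps in seconds between consecutive blocks (assumes one day's file)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "IP-BLOCK" and e.get("direction") == "outgoing":
            by_ip[e["ip"]].append(e["time"])
    summary = {}
    for ip, times in by_ip.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        summary[ip] = {"count": len(times), "first": times[0],
                       "last": times[-1], "gaps": gaps}
    return summary


def flag_persistent_callouts(summary, min_count=3, max_gap=60):
    """Destinations blocked at least min_count times with no consecutive gap
    longer than max_gap seconds: something on the host keeps retrying the
    same address, i.e. remediation is not finished."""
    return sorted(ip for ip, s in summary.items()
                  if s["count"] >= min_count
                  and all(g <= max_gap for g in s["gaps"]))


if __name__ == "__main__":
    evs = parse_protection_log(SAMPLE_LOG, "2011-12-09")
    for path, threat, action in detections(evs):
        print(f"detection: {threat} at {path} -> {action}")
    summ = summarize_ip_blocks(evs)
    for ip in flag_persistent_callouts(summ):
        s = summ[ip]
        print(f"{ip}: {s['count']} outgoing blocks, gaps {s['gaps']}s, "
              f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
```

Run against the full day's file rather than the excerpt, the flagged list is the set of addresses worth checking for a still-running callout process; the detections list gives the paths whose parent process should be looked at first. The gap computation is per file, so a log that straddles midnight would need the next day's file joined in before the gaps mean anything.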

#8 Blade (Site Admin)


Posted 22 December 2011 - 11:37 AM

Hi rbrav, sorry for the delay.

Let's go ahead and get a ComboFix run.

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log



#9 rbrav (Topic Starter)


Posted 22 December 2011 - 06:40 PM

Good call -- it said it found Rootkit.ZeroAccess. Here's the log it generated after restarting my computer:

ComboFix 11-12-22.04 - Raul 12/22/2011 18:13:55.1.4 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3326.2859 [GMT -5:00]
Running from: c:\documents and settings\Raul\Desktop\renamed.exe
AV: ESET NOD32 Antivirus 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Start Menu\Programs\CleanUp
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\Anti-Malware\Malwarebytes' Anti-Malware Help.lnk
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\Anti-Malware\Malwarebytes' Anti-Malware.lnk
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\Anti-Malware\Uninstall Malwarebytes' Anti-Malware.lnk
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\CCleaner\CCleaner Homepage.url
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\CCleaner\CCleaner.lnk
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\CCleaner\Uninstall CCleaner.lnk
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\Free Registry Cleaner\Eusing Free Registry Cleaner on the Web.lnk
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\Free Registry Cleaner\Eusing Free Registry Cleaner.lnk
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\Free Registry Cleaner\Help.lnk
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\Free Registry Cleaner\Uninstall Eusing Free Registry Cleaner.lnk
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\Glary Utilities\Glary Utilities.lnk
c:\documents and settings\All Users\Start Menu\Programs\CleanUp\Glary Utilities\Uninstall Glary Utilities.lnk
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\documents and settings\Raul\Application Data\inst.exe
c:\documents and settings\Raul\WINDOWS
C:\test.txt
c:\windows\$NtUninstallKB65467$
c:\windows\$NtUninstallKB65467$\1435845764
c:\windows\$NtUninstallKB65467$\2327606535\@
c:\windows\$NtUninstallKB65467$\2327606535\bckfg.tmp
c:\windows\$NtUninstallKB65467$\2327606535\cfg.ini
c:\windows\$NtUninstallKB65467$\2327606535\Desktop.ini
c:\windows\$NtUninstallKB65467$\2327606535\keywords
c:\windows\$NtUninstallKB65467$\2327606535\kwrd.dll
c:\windows\$NtUninstallKB65467$\2327606535\L\odetmngk
c:\windows\$NtUninstallKB65467$\2327606535\lsflt7.ver
c:\windows\$NtUninstallKB65467$\2327606535\U\00000001.@
c:\windows\$NtUninstallKB65467$\2327606535\U\00000002.@
c:\windows\$NtUninstallKB65467$\2327606535\U\00000004.@
c:\windows\$NtUninstallKB65467$\2327606535\U\80000000.@
c:\windows\$NtUninstallKB65467$\2327606535\U\80000004.@
c:\windows\$NtUninstallKB65467$\2327606535\U\80000032.@
c:\windows\system32\oobe\isperror
c:\windows\system32\oobe\isperror\ispcnerr.htm
c:\windows\system32\oobe\isperror\ispdtone.htm
c:\windows\system32\oobe\isperror\isphdshk.htm
c:\windows\system32\oobe\isperror\ispins.htm
c:\windows\system32\oobe\isperror\ispnoanw.htm
c:\windows\system32\oobe\isperror\isppberr.htm
c:\windows\system32\oobe\isperror\ispphbsy.htm
c:\windows\system32\oobe\isperror\ispsbusy.htm
F:\autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-11-22 to 2011-12-22 )))))))))))))))))))))))))))))))
.
.
2011-12-19 23:41 . 2011-12-19 23:41 -------- d-----w- c:\program files\Common Files\Solveig Multimedia
2011-12-19 23:41 . 2011-12-19 23:41 -------- d-----w- c:\program files\Solveig Multimedia
2011-12-18 02:53 . 2011-12-18 02:53 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-17 11:40 . 2001-08-18 03:36 7168 ----a-w- c:\windows\system32\dllcache\EXCH_snprfdll.dll
2011-12-17 11:40 . 2001-08-18 03:36 12288 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2011-12-17 11:39 . 2001-08-18 03:36 26112 ----a-w- c:\windows\system32\dllcache\EXCH_seos.dll
2011-12-17 11:39 . 2001-08-18 03:36 57856 ----a-w- c:\windows\system32\dllcache\EXCH_scripto.dll
2011-12-17 11:38 . 2001-08-18 03:36 23040 ----a-w- c:\windows\system32\dllcache\EXCH_regtrace.exe
2011-12-17 11:36 . 2001-08-18 03:36 38912 ----a-w- c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2011-12-17 11:34 . 2001-08-18 03:36 65536 ----a-w- c:\windows\system32\dllcache\EXCH_mailmsg.dll
2011-12-17 11:28 . 2001-08-17 18:53 7296 ----a-w- c:\windows\system32\dllcache\elmsmc.sys
2011-12-17 11:27 . 2001-08-18 03:36 27648 ----a-w- c:\windows\system32\dllcache\cyyports.dll
2011-12-17 11:26 . 2004-08-04 04:10 11776 ----a-w- c:\windows\system32\dllcache\bdasup.sys
2011-12-17 11:25 . 2004-05-13 05:39 598071 ----a-w- c:\windows\system32\dllcache\fpmmc.dll
2011-12-15 23:51 . 2006-12-07 23:28 516224 ----a-w- c:\windows\system32\Mrvw243.sys
2011-12-15 23:51 . 2006-12-07 23:28 516224 ----a-w- c:\windows\system32\drivers\Mrvw243.sys
2011-12-15 23:51 . 2006-12-07 23:27 499456 ----a-w- c:\windows\system32\Mrvw245.sys
2011-12-15 23:51 . 2006-12-07 23:27 499456 ----a-w- c:\windows\system32\drivers\MRVW245.sys
2011-12-15 23:51 . 2011-12-15 23:55 -------- d-----w- c:\program files\Linksys
2011-12-07 00:29 . 2011-12-07 00:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-16 03:50 . 2004-08-10 16:51 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-02-02 16:28 . 2009-02-02 16:28 13112 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-02-02 16:28 . 2009-02-02 16:28 70456 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-02-02 16:28 . 2009-02-02 16:28 91448 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-02-02 16:28 . 2009-02-02 16:28 21824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-02-02 16:28 . 2009-02-02 16:28 251192 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-02-02 16:28 . 2009-02-02 16:28 31032 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-02-02 16:28 . 2009-02-02 16:28 40248 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2007-06-21 22:39 . 2007-06-21 22:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2008-02-07 23:19 . 2008-02-07 23:19 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-02-07 23:19 . 2008-02-07 23:19 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-02-07 23:19 . 2008-02-07 23:19 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2008-11-06 22:40 . 2008-11-06 22:40 648504 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-02-02 16:28 . 2009-02-02 16:28 23864 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2011-11-10 12:17 . 2011-09-08 22:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Raul\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Raul\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Raul\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Raul\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2010-08-12 2215064]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"QuickTime Task"="c:\program files\QT Lite\qttask.exe" [2009-11-11 417792]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-19 22:42 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48 479232 ----a-w- c:\program files\Google\Gmail Notifier\gnotify.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\WS_FTP\\wsftpgui.exe"=
"c:\\WINDOWS\\system32\\dleacoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\Raul\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [7/29/2010 12:31 PM 115008]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [8/18/2008 12:27 PM 95896]
R2 dlea_device;dlea_device;c:\windows\system32\dleacoms.exe -service --> c:\windows\system32\dleacoms.exe -service [?]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [8/12/2010 1:16 PM 810144]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/31/2010 5:52 AM 366152]
R2 WUSB300NSvc;WUSB300NSvc;c:\program files\Linksys\WUSB300N\WLService.exe [12/15/2011 6:51 PM 53307]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/31/2010 5:52 AM 22216]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 dleaCATSCustConnectService;dleaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\dleaserv.exe [7/1/2009 8:13 AM 98984]
S3 hid8101;hid8101;c:\windows\system32\drivers\hid8101.sys [5/9/2009 7:11 PM 31899]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\EMORY_IS_VDT_User_Config]
2009-11-12 17:28 62464 ----a-w- c:\program files\Citrix\Support\ehcusriecfg.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-22 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-01-14 17:09]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2131928017-764012446-449137345-1006Core.job
- c:\documents and settings\Raul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-19 02:44]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2131928017-764012446-449137345-1006UA.job
- c:\documents and settings\Raul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-19 02:44]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1080620
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MI699F~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Raul\Application Data\Mozilla\Firefox\Profiles\8qkrb4sr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-42823945.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-22 18:30
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2131928017-764012446-449137345-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3F507BD4-1BB6-F30C-4FA0-5FAD97E430ED}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-2131928017-764012446-449137345-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{549A87FB-CC1A-F28E-CAE0-63100BF8FC50}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iakbfnphkfpijbheno"=hex:69,61,65,67,6b,68,68,6f,6d,61,61,6b,63,6d,6f,63,61,67,
00,00
"hamnpmchknicckbc"=hex:69,61,65,67,6b,68,68,6f,6d,61,61,6b,63,6d,6f,63,61,67,
00,00
.
[HKEY_USERS\S-1-5-21-2131928017-764012446-449137345-1006\Software\SecuROM\License information*]
"datasecu"=hex:5a,68,88,f1,49,ee,13,b2,94,1e,d3,41,46,63,f3,26,e2,c5,6d,3a,b1,
6e,e6,ef,c8,53,1e,0e,0f,8f,5b,b1,71,65,c7,07,79,10,26,01,a0,f6,92,27,a3,df,\
"rkeysecu"=hex:c4,fe,20,bb,97,e8,78,aa,1e,96,e4,4a,d7,df,ea,d3
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1A68D668-6DF3-702D-2A0852A803C1488D}\{D6F2E9CD-48BA-CDDC-BEA31B576464FCAF}\{421B9E29-5D23-2966-C9D7C1E976BC0884}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,36,b7,bc,
ab,b8,4f,38,30,39,18,d5,90,fa,3b,04,0a,28,df,ef,29,4b,4a,a1,70,95,79,64,6d,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{4233ADD3-CD31-D295-804BA870321FDEF4}\{F4A8E5F3-7E68-2DD0-FA9D328203A7D1A7}\{07380252-9142-5EC5-94F639FC4AE64832}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{90C9B227-00E9-ED2B-D8335C00663422E2}\{BA143829-6513-6AB3-17B76E63BBBF825B}\{B7811D8F-B091-6828-D848878685722533}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9D7D745F-2DA2-E26E-67E2A61C92B5C873}\{869A1319-CB5B-72EF-32E86935B8210920}\{0F637A1B-C125-DB37-203685E7DE12B741}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,36,b7,bc,
ab,b8,4f,38,30,39,18,d5,90,fa,3b,04,0a,28,df,ef,29,4b,4a,a1,70,95,79,64,6d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(1820)
c:\windows\system32\WININET.dll
c:\documents and settings\Raul\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dleacoms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Linksys\WUSB300N\WUSB300N.exe
.
**************************************************************************
.
Completion time: 2011-12-22 18:35:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-22 23:35
.
Pre-Run: 314,272,731,136 bytes free
Post-Run: 315,745,484,800 bytes free
.
- - End Of File - - 9271275373D97CCF5B0093247449EF8B



#10 Blade
    Strong in the Bleepforce
  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:05:58 PM

Posted 24 December 2011 - 03:32 AM

How's the computer running now?


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#11 rbrav
  • Topic Starter
  • Members
  • 8 posts
  • Local time:04:58 PM

Posted 24 December 2011 - 11:07 AM

I didn't want to restart and see how Windows loaded until you suggested I try it. I'm out of town for the holidays, so I will let you know on Tuesday. Thanks!

#12 Blade
    Strong in the Bleepforce
  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:05:58 PM

Posted 24 December 2011 - 04:44 PM

Thanks for letting me know.

Merry Christmas. :)



#13 rbrav
  • Topic Starter
  • Members
  • 8 posts
  • Local time:04:58 PM

Posted 27 December 2011 - 06:07 PM

I restarted twice, and everything loaded fine both times. Thanks for the great Christmas present! :) If any other problems come up, I will let you know.

#14 Blade
    Strong in the Bleepforce
  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US
  • Local time:05:58 PM

Posted 29 December 2011 - 02:02 PM

Now, let's clean up our mess.
  • Click on Start>Run
  • Now type combofix /Uninstall in the runbox and click OK. Notice the space between the "x" and "/".
  • You will then receive a message letting you know that Combofix was uninstalled successfully.
This will remove files/folders associated with combofix and uninstall it.

***************************************************
  • Please double click on the Posted Image icon on your desktop.
  • Click the large button marked Posted Image
***************************************************

Your machine appears to be clean!

If you disabled emulation drivers earlier, you can re-enable them now if you wish:

To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

***************************************************

I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfection.

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, you will find a nice little article about turning on automatic updates here.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programs in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
  • Click "Hosts" in the menu
  • Click "Manage Updates" in the submenu
  • Out of the choices available, select at least one of them (I have MVPS Host as my main one)
  • Click "Add Update." After that you will only need to click on the Update button to retrieve updates.
  • Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

~Blade

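The hosts-file blocklist that HostsMan maintains works by mapping unwanted hostnames to a sinkhole address (0.0.0.0 or 127.0.0.1), so the resolver never contacts the real server. The Python below is an added example, not code from this thread or from HostsMan: it parses a Windows-style hosts file, answers whether a name is sinkholed, and separately lists the entries that point somewhere other than a sinkhole, which are the ones to review after a cleanup because a tampered hosts file that redirects real names is a common infection artifact. The sample hosts content, the .invalid hostnames and the 203.0.113.5 redirect are constructed for the example.

```python
"""Added example: how a hosts-file blocklist (as maintained by HostsMan) works.

Not code from the thread or from HostsMan. A blocklist entry maps a hostname to a
sinkhole address (0.0.0.0 or 127.0.0.1), so name resolution never reaches the
real server. The same parser also surfaces entries that map names to a real
address, which is what to review on a machine that has been infected.
"""
import ipaddress

# Constructed sample in the layout of a Windows hosts file; the .invalid names
# and the 203.0.113.5 (TEST-NET-3) redirect are illustrative, not real entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.10    printer.lan            # legitimate local entry
# --- blocklist section (constructed) ---
0.0.0.0         ads.example.invalid
0.0.0.0         tracker.example.invalid   www.tracker.example.invalid
127.0.0.1       malware-host.example.invalid
# --- a redirect an infection might plant (constructed) ---
203.0.113.5     update.example.invalid
"""

# Addresses that never reach a remote host: the "sinkhole" targets.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOOPBACK_NAMES = {"localhost"}  # legitimately mapped to loopback, not a block


def parse_hosts(text):
    """Return {hostname_lower: ip_string} from hosts-file text.

    Skips comments and blank lines, accepts several hostnames per line, ignores
    malformed lines, and keeps the first entry seen for a hostname (the first
    match is the one the resolver uses).
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address: malformed line, skip it
        for host in fields[1:]:
            table.setdefault(host.lower().rstrip("."), str(ip))
    return table


def is_sinkholed(table, hostname):
    """True if this hosts table sends hostname to a sinkhole address."""
    name = hostname.strip().lower().rstrip(".")
    if name in LOOPBACK_NAMES:
        return False
    return table.get(name) in SINKHOLE_ADDRS


def blocked_hosts(table):
    """Sorted list of every hostname the table sinkholes."""
    return sorted(h for h, ip in table.items()
                  if ip in SINKHOLE_ADDRS and h not in LOOPBACK_NAMES)


def non_sinkhole_entries(table):
    """Entries that map a name to a real address.

    A blocklist only ever adds sinkhole entries, so anything else is either a
    deliberate local mapping or a redirect worth checking after an infection.
    """
    return {h: ip for h, ip in table.items() if ip not in SINKHOLE_ADDRS}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("blocked:", blocked_hosts(hosts))
    print("review:", non_sinkhole_entries(hosts))
    print("ads.example.invalid sinkholed?", is_sinkholed(hosts, "ADS.example.invalid"))
```

On a Windows XP machine the live file is %SystemRoot%\system32\drivers\etc\hosts; running the parser over that file after a cleanup and reading the non-sinkhole entries is the quick check that nothing was left redirecting update or security-vendor names.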
