
Infected XP antivirus 2012 removed now no Internet and more infection.


22 replies to this topic

#1 WhiskeyCop


Posted 24 December 2011 - 11:45 AM

Began as a Windows XP Antivirus 2012 issue.
Followed general guidelines for removal:
FixNCR
RKill
Malwarebytes
Reboot
There were some issues that remained, and after reading a few posts I ran TDSSKiller.

All seemed to be going well, but I continued to get alerts from Avira so I thought it would be in my best interest to switch AV since Avira was obviously not doing a good job. I downloaded AVG Free and installed. On installation I received an alert from my Spyware Guard alerting me to a BHO change and I remembered that I should have shut down SG during the installation. Since I could see that the BHO was from AVG I clicked to allow the BHO and the computer locked up and would not complete the AVG installation. I rebooted only to find some disturbing new nasty.

I now have a program that is starting on boot to Windows. It is a blank program screen about 3x3 square. No words, no title. Only an icon that looks like a square with yellow, red and blue squares in it. Along with this, none of my programs will allow an Internet connection.

Windows firewall settings cannot be displayed because the associated service is not running. Do you want to start the windows firewall Internet connection sharing service. Yes
Windows cannot start the ICS service

Have seen redirects that start with testendonline and findfast before, when I had Internet connection.

I have logs from dds and gmer but have no way of getting them posted from the infected PC at this time, until I can get some sort of Internet connectivity.

I am almost certain some of my IP info has been reset or changed.

Thank you.

*Edit: copied logs to USB and updated post on another computer*

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by (redacted) at 1:59:08 on 2011-12-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1367 [GMT -6:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wyse\PocketCloud Windows Companion\PocketCloudService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Wyse\PocketCloud Windows Companion\WyseBrowser.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Programs\Eraser\eraser.exe
C:\Program Files\AirVideoServer\AirVideoServer.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\(redacted)\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Programs\SpywareGuard\sgmain.exe
C:\Programs\SpywareGuard\sgbhp.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\programs\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\programs\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No File
uRun: [SpybotSD TeaTimer] c:\programs\spybot - search & destroy\TeaTimer.exe
uRun: [Eraser] c:\programs\eraser\eraser.exe -hide
uRun: [AirVideoServer] c:\program files\airvideoserver\AirVideoServer.exe
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PocketCloud Location] c:\program files\wyse\pocketcloud windows companion\WyseBrowser.exe
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\(redacted)\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\itunes.lnk - c:\program files\itunes\iTunes.exe
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\spywar~1.lnk - c:\programs\spywareguard\sgmain.exe
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\programs\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.bmhcc.org/dana-cached/setup/JuniperSetupSP1.cab
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{EE3D8277-8686-4376-81CF-30873D79C1A9} : DhcpNameServer = 10.0.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\programs\spywareguard\spywareguard.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\(redacted)\application data\mozilla\firefox\profiles\kp0tg4ga.default\
FF - plugin: c:\documents and settings\(redacted)\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-8-11 902592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-12-12 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-12-12 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-12-12 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-11 74640]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 WysePocketCloud;Wyse PocketCloud;c:\program files\wyse\pocketcloud windows companion\PocketCloudService.exe [2011-3-24 83968]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-11-13 19056]
S2 AudioSrv32;Windows Audio ;c:\windows\system32\kbdfi32.exe --> c:\windows\system32\kbdfi32.exe [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-15 136176]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-12 12672]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-12-19 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-15 136176]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
.
=============== Created Last 30 ================
.
2011-12-24 04:50:05 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-12-24 04:49:46 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-24 04:49:46 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-12-24 04:49:19 -------- d-----w- c:\program files\AVG
2011-12-24 04:47:27 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-12-20 01:08:51 18560 ----a-w- c:\windows\system32\drivers\FlyUsb.sys
2011-12-19 23:57:56 -------- d-----w- c:\windows\F9D59E62845F49A28B75DDB00661673C.TMP
2011-12-19 23:47:28 -------- d-----w- c:\program files\LeapFrog
2011-12-19 23:47:28 -------- d-----w- c:\documents and settings\all users\application data\Leapfrog
2011-12-18 07:43:42 -------- d-----w- c:\program files\iPod
2011-12-18 07:43:40 -------- d-----w- c:\program files\iTunes
2011-12-13 05:00:03 -------- d-----w- c:\documents and settings\(redacted)\application data\Avira
2011-12-13 04:54:30 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-12-13 04:54:29 -------- d-----w- c:\program files\Avira
2011-12-13 04:54:29 -------- d-----w- c:\documents and settings\all users\application data\Avira
.
==================== Find3M ====================
.
2011-12-21 17:29:20 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-10-24 00:39:24 680624 ----a-w- c:\windows\system32\Toyota Sponsafier 4.scr
2011-10-19 22:56:50 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-19 04:23:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 12:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 12:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-25 16:39:45 398760 ----a-r- c:\windows\system32\cpnprt2.cid
.
============= FINISH: 2:00:11.68 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-24 10:27:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD10 rev.05.0
Running: gmer.exe; Driver: C:\DOCUME~1\(redacted)\LOCALS~1\Temp\fxtdipod.sys


---- System - GMER 1.0.15 ----

SSDT B872574C ZwClose
SSDT B8725706 ZwCreateKey
SSDT B8725756 ZwCreateSection
SSDT B87256FC ZwCreateThread
SSDT B872570B ZwDeleteKey
SSDT B8725715 ZwDeleteValueKey
SSDT B8725747 ZwDuplicateObject
SSDT B872571A ZwLoadKey
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xACED5F3C]
SSDT B87256ED ZwOpenThread
SSDT B872576F ZwQueryValueKey
SSDT B8725724 ZwReplaceKey
SSDT B8725760 ZwRequestWaitReplyPort
SSDT B872571F ZwRestoreKey
SSDT B872575B ZwSetContextThread
SSDT B8725765 ZwSetSecurityObject
SSDT B8725710 ZwSetValueKey
SSDT B872576A ZwSystemDebugControl
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xACED5FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xACED6080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xACED611C]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6281380, 0x3DF545, 0xE8000020]
? C:\DOCUME~1\(redacted)\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\PeerBlock\peerblock.exe[4056] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 004314E0 C:\Program Files\PeerBlock\peerblock.exe (PeerBlock/PeerBlock, LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\atapi \Device\Ide\IdePort0 dvd43llh.sys (dvd43llh.sys/RIF)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 dvd43llh.sys (dvd43llh.sys/RIF)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB29965$\2766590443 0 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\bckfg.tmp 814 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\keywords 131 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\L 0 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\L\eheknimp 138496 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U 0 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U\80000032.@ 97792 bytes
File C:\WINDOWS\$NtUninstallKB29965$\3323087063 0 bytes

---- EOF - GMER 1.0.15 ----

Edited by WhiskeyCop, 24 December 2011 - 05:06 PM.



#2 HelpBot


Posted 30 December 2011 - 11:50 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434323 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 WhiskeyCop

  • Topic Starter

Posted 30 December 2011 - 06:18 PM

Seems to be related to afd.sys because that is what Avira keeps quarantining.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.0.0
Run by (redacted) at 12:54:03 on 2011-12-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1451 [GMT -6:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\AirVideoServer\AirVideoServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wyse\PocketCloud Windows Companion\PocketCloudService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
.
============== Pseudo HJT Report ===============
.
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\programs\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\programs\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: {4A1C6093-14F9-44D7-860E-5D265CFCA9D9} - No File
uRun: [SpybotSD TeaTimer] c:\programs\spybot - search & destroy\TeaTimer.exe
uRun: [Eraser] c:\programs\eraser\eraser.exe -hide
uRun: [AirVideoServer] c:\program files\airvideoserver\AirVideoServer.exe
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PocketCloud Location] c:\program files\wyse\pocketcloud windows companion\WyseBrowser.exe
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\(redacted)\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\itunes.lnk - c:\program files\itunes\iTunes.exe
StartupFolder: c:\docume~1\(redacted)\startm~1\programs\startup\spywar~1.lnk - c:\programs\spywareguard\sgmain.exe
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\programs\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.bmhcc.org/dana-cached/setup/JuniperSetupSP1.cab
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{EE3D8277-8686-4376-81CF-30873D79C1A9} : DhcpNameServer = 10.0.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\programs\spywareguard\spywareguard.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\(redacted)\application data\mozilla\firefox\profiles\kp0tg4ga.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\(redacted)\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [2009-8-11 902592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-12-12 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-12-12 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-12-12 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-11 74640]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 WysePocketCloud;Wyse PocketCloud;c:\program files\wyse\pocketcloud windows companion\PocketCloudService.exe [2011-3-24 83968]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S2 AudioSrv32;Windows Audio ;c:\windows\system32\kbdfi32.exe --> c:\windows\system32\kbdfi32.exe [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-15 136176]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-8-12 12672]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2011-12-19 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-15 136176]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 yeddef;YEDDEF driver;c:\windows\system32\drivers\yeddef.sys --> c:\windows\system32\drivers\yeddef.sys [?]
.
=============== Created Last 30 ================
.
2011-12-26 05:01:11 -------- d-----w- c:\windows\pss
2011-12-24 04:50:05 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-12-24 04:49:46 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-24 04:49:46 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-12-24 04:49:19 -------- d-----w- c:\program files\AVG
2011-12-24 04:47:27 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-12-20 01:08:51 18560 ----a-w- c:\windows\system32\drivers\FlyUsb.sys
2011-12-19 23:57:56 -------- d-----w- c:\windows\F9D59E62845F49A28B75DDB00661673C.TMP
2011-12-19 23:47:28 -------- d-----w- c:\program files\LeapFrog
2011-12-19 23:47:28 -------- d-----w- c:\documents and settings\all users\application data\Leapfrog
2011-12-18 07:43:42 -------- d-----w- c:\program files\iPod
2011-12-18 07:43:40 -------- d-----w- c:\program files\iTunes
2011-12-13 05:00:03 -------- d-----w- c:\documents and settings\(redacted)\application data\Avira
2011-12-13 04:54:30 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-12-13 04:54:29 -------- d-----w- c:\program files\Avira
2011-12-13 04:54:29 -------- d-----w- c:\documents and settings\all users\application data\Avira
.
==================== Find3M ====================
.
2011-12-21 17:29:20 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-10-24 00:39:24 680624 ----a-w- c:\windows\system32\Toyota Sponsafier 4.scr
2011-10-19 22:56:50 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-19 04:23:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 12:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 12:21:42 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
.
============= FINISH: 12:54:52.90 ===============


************************************************************************************************


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-30 16:17:29
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD10 rev.05.0
Running: gmer.exe; Driver: C:\DOCUME~1\Robinson\LOCALS~1\Temp\fxtdipod.sys


---- System - GMER 1.0.15 ----

SSDT B87479F4 ZwClose
SSDT B87479AE ZwCreateKey
SSDT B87479FE ZwCreateSection
SSDT B87479A4 ZwCreateThread
SSDT B87479B3 ZwDeleteKey
SSDT B87479BD ZwDeleteValueKey
SSDT B87479EF ZwDuplicateObject
SSDT B87479C2 ZwLoadKey
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xAC787F3C]
SSDT B8747995 ZwOpenThread
SSDT B8747A17 ZwQueryValueKey
SSDT B87479CC ZwReplaceKey
SSDT B8747A08 ZwRequestWaitReplyPort
SSDT B87479C7 ZwRestoreKey
SSDT B8747A03 ZwSetContextThread
SSDT B8747A0D ZwSetSecurityObject
SSDT B87479B8 ZwSetValueKey
SSDT B8747A12 ZwSystemDebugControl
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xAC787FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xAC788080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xAC78811C]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6281380, 0x3DF545, 0xE8000020]
? C:\DOCUME~1\Robinson\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\atapi \Device\Ide\IdePort0 dvd43llh.sys (dvd43llh.sys/RIF)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 dvd43llh.sys (dvd43llh.sys/RIF)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB29965$\2766590443 0 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\bckfg.tmp 814 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\cfg.ini 208 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\keywords 131 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\L 0 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\L\eheknimp 138496 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U 0 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U\00000001.@ 1536 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB29965$\2766590443\U\80000032.@ 97792 bytes
File C:\WINDOWS\$NtUninstallKB29965$\3323087063 0 bytes

---- EOF - GMER 1.0.15 ----

Attached Files



#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:58 PM

Posted 30 December 2011 - 08:40 PM

Hi

Please run the following:

(Note: this program will run from USB but will not install the recovery console on the first run, since there is no connection; just click "OK" through so it runs.)

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 WhiskeyCop

WhiskeyCop
  • Topic Starter

  • Members
  • 19 posts
  • Local time:08:58 PM

Posted 31 December 2011 - 01:17 PM

Ran ComboFix from the desktop. It alerted that Avira was active, but it was not. It advised "you are infected with rootkit.zeroaccess! it has inserted itself into the tcp/ip stack". ComboFix restarted and went through all of the stages. The "unknown" blank program is still running on startup. Attached an image of the program.

Thank you very much for your help as I have been without internet for over a week.


ComboFix 11-12-29.05 - (redacted) 12/31/2011 0:16.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1545 [GMT -6:00]
Running from: c:\documents and settings\(redacted)\Desktop\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\e35tl7nc8o3u
c:\documents and settings\All Users\Application Data\TEMP
c:\program files\Batch Rename .EXE
c:\program files\Batch Rename .EXE\batchrename.exe
c:\program files\Batch Rename .EXE\batchrename.exe.manifest
c:\program files\Batch Rename .EXE\data\base_script.txt
c:\program files\Batch Rename .EXE\license.txt
c:\program files\Batch Rename .EXE\unins000.dat
c:\program files\Batch Rename .EXE\unins000.exe
c:\program files\Batch Rename .EXE\Web\Batch Rename .EXE Home Page.url
c:\program files\Batch Rename .EXE\Web\Order Batch Rename .EXE.url
c:\program files\Batch Rename .EXE\Web\SoftTech InterCorp.url
c:\windows\$NtUninstallKB29965$
c:\windows\$NtUninstallKB29965$\2766590443\@
c:\windows\$NtUninstallKB29965$\2766590443\bckfg.tmp
c:\windows\$NtUninstallKB29965$\2766590443\cfg.ini
c:\windows\$NtUninstallKB29965$\2766590443\Desktop.ini
c:\windows\$NtUninstallKB29965$\2766590443\keywords
c:\windows\$NtUninstallKB29965$\2766590443\kwrd.dll
c:\windows\$NtUninstallKB29965$\2766590443\L\eheknimp
c:\windows\$NtUninstallKB29965$\2766590443\lsflt7.ver
c:\windows\$NtUninstallKB29965$\2766590443\U\00000001.@
c:\windows\$NtUninstallKB29965$\2766590443\U\00000002.@
c:\windows\$NtUninstallKB29965$\2766590443\U\00000004.@
c:\windows\$NtUninstallKB29965$\2766590443\U\80000000.@
c:\windows\$NtUninstallKB29965$\2766590443\U\80000004.@
c:\windows\$NtUninstallKB29965$\2766590443\U\80000032.@
c:\windows\$NtUninstallKB29965$\3323087063
c:\windows\system32\drivers\etc\hosts.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))
.
.
2011-12-24 04:50 . 2011-12-24 05:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-12-24 04:49 . 2011-12-24 04:49 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-24 04:49 . 2011-12-24 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-12-24 04:49 . 2011-12-24 04:49 -------- d-----w- c:\program files\AVG
2011-12-24 04:47 . 2011-12-24 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-12-20 01:08 . 2011-11-12 17:18 18560 ----a-w- c:\windows\system32\drivers\FlyUsb.sys
2011-12-19 23:57 . 2011-12-20 00:00 -------- d-----w- c:\windows\F9D59E62845F49A28B75DDB00661673C.TMP
2011-12-19 23:53 . 2011-12-19 23:53 -------- d-----w- c:\program files\DIFX
2011-12-19 23:47 . 2011-12-19 23:53 -------- d-----w- c:\program files\LeapFrog
2011-12-19 23:47 . 2011-12-19 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Leapfrog
2011-12-19 15:24 . 2011-12-19 15:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-12-18 07:43 . 2011-12-18 07:43 -------- d-----w- c:\program files\iPod
2011-12-18 07:43 . 2011-12-18 07:44 -------- d-----w- c:\program files\iTunes
2011-12-17 04:39 . 2011-12-17 04:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-13 12:53 . 2011-12-13 12:53 -------- d-----w- c:\documents and settings\Avery\Application Data\Avira
2011-12-13 05:34 . 2011-12-13 05:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
2011-12-13 05:00 . 2011-12-13 05:00 -------- d-----w- c:\documents and settings\(redacted)\Application Data\Avira
2011-12-13 04:54 . 2011-12-14 04:55 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-12-13 04:54 . 2011-10-19 22:56 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-12-13 04:54 . 2011-12-13 04:54 -------- d-----w- c:\program files\Avira
2011-12-13 04:54 . 2011-12-13 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-21 17:29 . 2004-08-10 11:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-10-24 00:39 . 2011-10-24 00:39 680624 ----a-w- c:\windows\system32\Toyota Sponsafier 4.scr
2011-10-19 22:56 . 2009-08-12 04:36 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-19 04:23 . 2011-05-21 23:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2009-08-10 06:54 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 12:23 . 2011-10-07 12:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 12:21 . 2011-10-04 12:21 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-11-12 20:00 . 2011-08-20 05:10 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\programs\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Eraser"="c:\programs\Eraser\eraser.exe" [2009-06-10 334224]
"AirVideoServer"="c:\program files\AirVideoServer\AirVideoServer.exe" [2011-05-09 4944984]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"CTHelper"="CTHELPER.EXE" [2005-11-09 16384]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-06-22 4355464]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-23 960568]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-22 377248]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"PocketCloud Location"="c:\program files\Wyse\PocketCloud Windows Companion\WyseBrowser.exe" [2011-03-25 399872]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
.
c:\documents and settings\Avery\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\(redacted)\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\(redacted)\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
iTunes.lnk - c:\program files\iTunes\iTunes.exe [2011-12-8 9777000]
SpywareGuard.lnk - c:\programs\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoNetworkConnections"= 01000000
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Programs\\Azureus\\Azureus.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\(redacted)\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\RemoteDesktopPlus\\Remote Desktop.exe"=
"c:\\Program Files\\Wyse\\PocketCloud Windows Companion\\WyseBrowser.exe"=
"c:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"=
"c:\\Program Files\\AirPort\\APUtil.exe"=
"c:\\Documents and Settings\\(redacted)\\Desktop\\JailBreak\\tinyumbrella-4.32.01.exe"=
"c:\\Program Files\\AirVideoServer\\AirVideoServer.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [8/11/2009 7:58 PM 902592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/12/2011 10:54 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/12/2011 10:54 PM 86224]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 WysePocketCloud;Wyse PocketCloud;c:\program files\Wyse\PocketCloud Windows Companion\PocketCloudService.exe [3/24/2011 7:49 PM 83968]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [11/13/2010 11:24 PM 19056]
S2 AudioSrv32;Windows Audio ;c:\windows\system32\kbdfi32.exe --> c:\windows\system32\kbdfi32.exe [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2011 11:41 PM 136176]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/19/2011 7:08 PM 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2011 11:41 PM 136176]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PBFILTER
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-30 c:\windows\Tasks\AdobeAAMUpdater-1.0-XPS400-Avery.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-21 09:44]
.
2011-12-30 c:\windows\Tasks\AdobeAAMUpdater-1.0-XPS400-(redacted).job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-21 09:44]
.
2011-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-16 05:40]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-16 05:40]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{EE3D8277-8686-4376-81CF-30873D79C1A9}: DhcpNameServer = 10.0.1.1
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\kp0tg4ga.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-05570014.sys
AddRemove-Batch Rename .EXE_is1 - c:\program files\Batch Rename .EXE\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-31 00:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AirVideoServer = c:\program files\AirVideoServer\AirVideoServer.exe?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3968)
c:\windows\system32\WININET.dll
c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\dlcccoms.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\CTHELPER.EXE
c:\windows\system32\CTXFIHLP.EXE
c:\windows\eHome\ehmsas.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\program files\iPod\bin\iPodService.exe
c:\programs\SpywareGuard\sgbhp.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
.
**************************************************************************
.
Completion time: 2011-12-31 00:54:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-31 06:53
ComboFix2.txt 2011-08-28 03:06
.
Pre-Run: 405,895,102,464 bytes free
Post-Run: 406,589,599,744 bytes free
.
- - End Of File - - 36DEF5E1926D82ABB896ADB8F692F29C

Attached Files



#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:58 PM

Posted 31 December 2011 - 02:17 PM

I have been without internet for over a week.

Has your connection been restored now?

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\windows\F9D59E62845F49A28B75DDB00661673C.TMP

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=-
"NoNetworkConnections"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=00000001
"DisableNotifications"=00000000


ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

[screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 WhiskeyCop
  • Topic Starter
  • Members
  • 19 posts

Posted 31 December 2011 - 05:20 PM

Still no internet, limited or no connectivity. IP addresses are all wrong. Firewall/ICS service not starting.


ComboFix 11-12-29.05 - (redacted) 12/31/2011 13:46:26.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1437 [GMT -6:00]
Running from: c:\documents and settings\(redacted)\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\(redacted)\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\F9D59E62845F49A28B75DDB00661673C.TMP
c:\windows\F9D59E62845F49A28B75DDB00661673C.TMP\WiseCustomCalla.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))
.
.
2011-12-24 04:50 . 2011-12-24 05:06 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-12-24 04:49 . 2011-12-24 04:49 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-24 04:49 . 2011-12-24 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-12-24 04:49 . 2011-12-24 04:49 -------- d-----w- c:\program files\AVG
2011-12-24 04:47 . 2011-12-24 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-12-20 01:08 . 2011-11-12 17:18 18560 ----a-w- c:\windows\system32\drivers\FlyUsb.sys
2011-12-19 23:53 . 2011-12-19 23:53 -------- d-----w- c:\program files\DIFX
2011-12-19 23:47 . 2011-12-19 23:53 -------- d-----w- c:\program files\LeapFrog
2011-12-19 23:47 . 2011-12-19 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Leapfrog
2011-12-19 15:24 . 2011-12-19 15:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-12-18 07:43 . 2011-12-18 07:43 -------- d-----w- c:\program files\iPod
2011-12-18 07:43 . 2011-12-18 07:44 -------- d-----w- c:\program files\iTunes
2011-12-17 04:39 . 2011-12-17 04:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-13 12:53 . 2011-12-13 12:53 -------- d-----w- c:\documents and settings\Avery\Application Data\Avira
2011-12-13 05:34 . 2011-12-13 05:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
2011-12-13 05:00 . 2011-12-13 05:00 -------- d-----w- c:\documents and settings\(redacted)\Application Data\Avira
2011-12-13 04:54 . 2011-12-14 04:55 134856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-12-13 04:54 . 2011-10-19 22:56 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-12-13 04:54 . 2011-12-13 04:54 -------- d-----w- c:\program files\Avira
2011-12-13 04:54 . 2011-12-13 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-21 17:29 . 2004-08-10 11:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2011-10-24 00:39 . 2011-10-24 00:39 680624 ----a-w- c:\windows\system32\Toyota Sponsafier 4.scr
2011-10-19 22:56 . 2009-08-12 04:36 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-10-19 04:23 . 2011-05-21 23:05 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-10 14:22 . 2009-08-10 06:54 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 12:23 . 2011-10-07 12:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2011-10-04 12:21 . 2011-10-04 12:21 16720 ----a-w- c:\windows\system32\drivers\AVGIDSShim.sys
2011-11-12 20:00 . 2011-08-20 05:10 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-31_06.47.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-31 19:43 . 2011-12-31 19:43 16384 c:\windows\Temp\Perflib_Perfdata_b10.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\(redacted)\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\programs\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Eraser"="c:\programs\Eraser\eraser.exe" [2009-06-10 334224]
"AirVideoServer"="c:\program files\AirVideoServer\AirVideoServer.exe" [2011-05-09 4944984]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"CTHelper"="CTHELPER.EXE" [2005-11-09 16384]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 18944]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-06-22 4355464]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-23 960568]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-06-22 377248]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-24 73728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"PocketCloud Location"="c:\program files\Wyse\PocketCloud Windows Companion\WyseBrowser.exe" [2011-03-25 399872]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-19 258512]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2011-11-12 268640]
.
c:\documents and settings\Avery\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
c:\documents and settings\(redacted)\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\(redacted)\Application Data\Dropbox\bin\Dropbox.exe [2011-5-25 24176560]
iTunes.lnk - c:\program files\iTunes\iTunes.exe [2011-12-8 9777000]
SpywareGuard.lnk - c:\programs\SpywareGuard\sgmain.exe [2003-8-29 360448]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\05570014.sys]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Programs\\Azureus\\Azureus.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\(redacted)\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\RemoteDesktopPlus\\Remote Desktop.exe"=
"c:\\Program Files\\Wyse\\PocketCloud Windows Companion\\WyseBrowser.exe"=
"c:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"=
"c:\\Program Files\\AirPort\\APUtil.exe"=
"c:\\Documents and Settings\\(redacted)\\Desktop\\JailBreak\\tinyumbrella-4.32.01.exe"=
"c:\\Program Files\\AirVideoServer\\AirVideoServer.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LeapFrog\\LeapFrog Connect\\LeapFrogConnect.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [8/11/2009 7:58 PM 902592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [12/12/2011 10:54 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/12/2011 10:54 PM 86224]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 WysePocketCloud;Wyse PocketCloud;c:\program files\Wyse\PocketCloud Windows Companion\PocketCloudService.exe [3/24/2011 7:49 PM 83968]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [11/13/2010 11:24 PM 19056]
S2 AudioSrv32;Windows Audio ;c:\windows\system32\kbdfi32.exe --> c:\windows\system32\kbdfi32.exe [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2011 11:41 PM 136176]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/19/2011 7:08 PM 18560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/15/2011 11:41 PM 136176]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S3 yeddef;YEDDEF driver;c:\windows\system32\Drivers\yeddef.sys --> c:\windows\system32\Drivers\yeddef.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-31 c:\windows\Tasks\AdobeAAMUpdater-1.0-XPS400-Avery.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-21 09:44]
.
2011-12-31 c:\windows\Tasks\AdobeAAMUpdater-1.0-XPS400-(redacted).job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-11-21 09:44]
.
2011-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 17:34]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-16 05:40]
.
2011-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-16 05:40]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 10.0.1.1
TCP: Interfaces\{EE3D8277-8686-4376-81CF-30873D79C1A9}: DhcpNameServer = 10.0.1.1
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - ProfilePath - c:\documents and settings\(redacted)\Application Data\Mozilla\Firefox\Profiles\kp0tg4ga.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-31 13:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AirVideoServer = c:\program files\AirVideoServer\AirVideoServer.exe?
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-12-31 13:59:57
ComboFix-quarantined-files.txt 2011-12-31 19:59
ComboFix2.txt 2011-12-31 06:54
ComboFix3.txt 2011-08-28 03:06
.
Pre-Run: 406,605,139,968 bytes free
Post-Run: 406,588,727,296 bytes free
.
- - End Of File - - 6A5339FA00E0FA6A7594B0494B758758

#8 CatByte
  • Malware Response Team (bleepin' tiger)
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 31 December 2011 - 05:31 PM

Hi,

Please run the following:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

#9 WhiskeyCop
  • Topic Starter
  • Members
  • 19 posts

Posted 31 December 2011 - 09:03 PM

Farbar Service Scanner
Ran by (redacted) (administrator) on 31-12-2011 at 19:23:56
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of afd. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of afd. The value does not exist.
Checking LEGACY_afd: Attention! Unable to open LEGACY_afd\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Avgtdix(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.

**** End of log ****
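A triage script for the two log formats in this thread, the ComboFix service list and registry section in post #7 and the Farbar Service Scanner output in post #9. It is an added example, not a script from BleepingComputer, ComboFix or Farbar, and it runs over constructed sample lines modelled on those logs rather than the logs themselves. It flags the indicators that account for the lost connectivity and disabled firewall: a service whose registry configuration is gone (afd), a ComboFix service entry whose binary is missing or which borrows a built-in display name (AudioSrv32 claiming "Windows Audio"), EnableFirewall forced to 0, and the Explorer lockdown policies that the CFScript in post #6 deletes. The BUILTIN_DISPLAY table, the severity labels and the indicator names are my own assumptions, not anything the tools emit.

```python
"""Triage of the ComboFix and Farbar Service Scanner excerpts (added example)."""
import re

# Constructed sample in the shape of the Farbar Service Scanner log (post #9);
# abbreviated, not copied from the thread.
SAMPLE_FSS = """\
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
afd Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to retrieve start type of afd. The value does not exist.
Checking ImagePath: Attention! Unable to retrieve ImagePath of afd. The value does not exist.
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile]
"EnableFirewall"=DWORD:0
"""

# Constructed sample in the shape of the ComboFix service list and registry
# section (post #7); abbreviated, not copied from the thread.
SAMPLE_COMBOFIX = """\
R1 avkmgr;avkmgr;c:\\windows\\system32\\drivers\\avkmgr.sys [12/12/2011 10:54 PM 36000]
S2 AudioSrv32;Windows Audio ;c:\\windows\\system32\\kbdfi32.exe --> c:\\windows\\system32\\kbdfi32.exe [?]
S3 yeddef;YEDDEF driver;c:\\windows\\system32\\Drivers\\yeddef.sys --> c:\\windows\\system32\\Drivers\\yeddef.sys [?]
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\explorer]
"NoNetworkConnections"= 1 (0x1)
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# FSS reports a service whose registry configuration is gone like this:
#   "Unable to retrieve start type of afd. The value does not exist."
FSS_MISSING = re.compile(
    r"Unable to retrieve (?P<what>start type|ImagePath|ServiceDll) of (?P<svc>\w+)\. "
    r"The value does not exist")

# ComboFix marks a service whose binary is not on disk with "--> <path> [?]".
CF_MISSING_BIN = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s+-->\s+.*\[\?\]$")

# A REG_DWORD line in either style: "Name"= 1 (0x1) (ComboFix) or "Name"=DWORD:1 (FSS).
REG_DWORD = re.compile(r'^"(?P<name>\w+)"\s*=\s*(?:DWORD:)?\s*(?P<val>\d+)', re.I)

# Display names of a few built-in XP services and the service name that owns
# each (assumed table; extend as needed). A different service name carrying
# the same display name is impersonation, e.g. AudioSrv32 as "Windows Audio".
BUILTIN_DISPLAY = {
    "windows audio": "audiosrv",
    "dhcp client": "dhcp",
    "windows firewall/internet connection sharing (ics)": "sharedaccess",
}

# Explorer policy values the CFScript in post #6 deletes; non-zero means lockdown.
LOCKDOWN_POLICIES = {"nonetworkconnections", "nosmhelp"}


def triage(text):
    """Scan one log and return a sorted list of (severity, indicator, detail)."""
    findings = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = FSS_MISSING.search(line)
        if m:
            findings.add(("high", "service-config-missing", f"{m['svc']} ({m['what']})"))
            continue
        m = CF_MISSING_BIN.match(line)
        if m:
            name, display = m["name"].strip(), m["display"].strip()
            owner = BUILTIN_DISPLAY.get(display.lower())
            if owner and owner != name.lower():
                findings.add(("high", "service-impersonation",
                              f"{name} claims '{display}' -> {m['path']}"))
            else:
                findings.add(("medium", "service-binary-missing", f"{name} -> {m['path']}"))
            continue
        m = REG_DWORD.match(line)
        if m:
            name, val = m["name"], int(m["val"])
            if name.lower() == "enablefirewall" and val == 0:
                findings.add(("high", "firewall-disabled", name))
            elif name.lower() in LOCKDOWN_POLICIES and val != 0:
                findings.add(("high", "explorer-lockdown-policy", name))
    return sorted(findings)


if __name__ == "__main__":
    for label, sample in (("FSS", SAMPLE_FSS), ("ComboFix", SAMPLE_COMBOFIX)):
        print(f"== {label} ==")
        for severity, indicator, detail in triage(sample):
            print(f"[{severity:6}] {indicator}: {detail}")
```

The point of the impersonation check is the one that a file-hash scan misses: every file in the FSS "File Check" list was legitimate, and the damage was in the registry (the afd configuration deleted, the firewall policy zeroed, a bogus "Windows Audio" service pointing at a binary that no longer exists), which is why the fix in the next post is a registry import rather than a file replacement.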

#10 CatByte
  • Malware Response Team (bleepin' tiger)
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 31 December 2011 - 09:34 PM

Hi,

Please do the following:

Press the Windows key +R to open a run box:
copy/paste the following command into the open run box > OK

swreg.exe ACL "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /E /GE:F


Now run the following registry fix:


Click WinKey + R to open a run box > type notepad into the open run box > OK > this will open Notepad

Click Format and make certain that Word Wrap is NOT checked.

Copy/Paste the text inside of the code box into the open Notepad



This registry fix has been edited as it was created specifically for this user

Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

[screenshot]

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.


Once you have successfully merged the registry fix, then please do the following:

Press the Windows key +R to open a run box:
copy/paste the following command into the open run box > OK

swreg.exe ACL "HKLM\SYSTEM\CurrentControlSet\Enum\Root" /E /RE:F


Reboot and see if you can connect now

Edited by CatByte, 01 January 2012 - 02:04 PM.

#11 WhiskeyCop
  • Topic Starter
  • Members
  • 19 posts

Posted 31 December 2011 - 10:24 PM

Good to go on Internet. Was able to start windows firewall. Updated Avira and Malwarebytes. Currently running scan w/ Malwarebytes. That weird blank program did not restart. Do we know what it was?

#12 CatByte
  • Malware Response Team (bleepin' tiger)
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 31 December 2011 - 11:17 PM

No idea, your machine was heavily infected.

Please run the following programs after you have run Malwarebytes (please post the log as well)


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

#13 WhiskeyCop
  • Topic Starter
  • Members
  • 19 posts

Posted 31 December 2011 - 11:45 PM

OK, here is the MBAM log, as it was finishing up, Avira alerted to two things.
C:/System Volume Information\_restore{...\A0002266.sys
C:/System Volume Information\_restore{...\A0002276.sys
TR.ZAccess.B Trojan, Move to Quarantine? Are these infected system restore points? What to do with them? Would like to know before I proceed with TDSSKiller and ESET as they are still up on the screen. Awaiting reply to proceed.


Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.31.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
(redacted) :: (redacted) [administrator]

12/31/2011 9:14:48 PM
mbam-log-2011-12-31 (21-14-48).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 275686
Time elapsed: 1 hour(s), 12 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#14 CatByte
  • Malware Response Team (bleepin' tiger)
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 01 January 2012 - 12:07 AM

hi

Yes, they are located in old restore points, leave them for now, we'll be cleaning them up at the end, they are fine as long as you don't restore the machine to an earlier time.

#15 WhiskeyCop
  • Topic Starter
  • Members
  • 19 posts

Posted 01 January 2012 - 01:30 PM

TDSS Log
23:36:52.0091 2416 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
23:36:52.0482 2416 ============================================================
23:36:52.0482 2416 Current date / time: 2011/12/31 23:36:52.0482
23:36:52.0482 2416 SystemInfo:
23:36:52.0482 2416
23:36:52.0482 2416 OS Version: 5.1.2600 ServicePack: 3.0
23:36:52.0482 2416 Product type: Workstation
23:36:52.0482 2416 ComputerName: XPS400
23:36:52.0482 2416 UserName: (redacted)
23:36:52.0482 2416 Windows directory: C:\WINDOWS
23:36:52.0482 2416 System windows directory: C:\WINDOWS
23:36:52.0482 2416 Processor architecture: Intel x86
23:36:52.0482 2416 Number of processors: 2
23:36:52.0482 2416 Page size: 0x1000
23:36:52.0482 2416 Boot type: Normal boot
23:36:52.0482 2416 ============================================================
23:36:52.0841 2416 Initialize success
23:37:14.0763 5572 ============================================================
23:37:14.0763 5572 Scan started
23:37:14.0763 5572 Mode: Manual;
23:37:14.0763 5572 ============================================================
23:37:15.0388 5572 Abiosdsk - ok
23:37:15.0404 5572 abp480n5 - ok
23:37:15.0451 5572 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:37:15.0451 5572 ACPI - ok
23:37:15.0498 5572 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
23:37:15.0498 5572 ACPIEC - ok
23:37:15.0498 5572 adpu160m - ok
23:37:15.0591 5572 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
23:37:15.0591 5572 aec - ok
23:37:15.0623 5572 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
23:37:15.0638 5572 AFD - ok
23:37:15.0638 5572 Aha154x - ok
23:37:15.0654 5572 aic78u2 - ok
23:37:15.0654 5572 aic78xx - ok
23:37:15.0669 5572 AliIde - ok
23:37:15.0669 5572 amsint - ok
23:37:15.0716 5572 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
23:37:15.0716 5572 Arp1394 - ok
23:37:15.0716 5572 asc - ok
23:37:15.0732 5572 asc3350p - ok
23:37:15.0732 5572 asc3550 - ok
23:37:15.0763 5572 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\Aspi32.sys
23:37:15.0763 5572 Aspi32 - ok
23:37:15.0794 5572 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:37:15.0794 5572 AsyncMac - ok
23:37:15.0794 5572 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:37:15.0794 5572 atapi - ok
23:37:15.0810 5572 Atdisk - ok
23:37:15.0857 5572 ATIAVPCI (bfa971be38aeeb4b89f4c838079bba02) C:\WINDOWS\system32\DRIVERS\atinavrr.sys
23:37:15.0873 5572 ATIAVPCI - ok
23:37:15.0888 5572 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:37:15.0888 5572 Atmarpc - ok
23:37:15.0919 5572 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:37:15.0919 5572 audstub - ok
23:37:15.0951 5572 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
23:37:15.0951 5572 AVGIDSDriver - ok
23:37:15.0982 5572 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
23:37:15.0982 5572 AVGIDSEH - ok
23:37:15.0998 5572 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
23:37:15.0998 5572 AVGIDSFilter - ok
23:37:16.0013 5572 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
23:37:16.0013 5572 AVGIDSShim - ok
23:37:16.0029 5572 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
23:37:16.0029 5572 Avgldx86 - ok
23:37:16.0044 5572 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
23:37:16.0044 5572 Avgmfx86 - ok
23:37:16.0060 5572 avgntflt (7713e4eb0276702faa08e52a6e23f2a6) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
23:37:16.0060 5572 avgntflt - ok
23:37:16.0076 5572 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
23:37:16.0076 5572 Avgrkx86 - ok
23:37:16.0091 5572 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
23:37:16.0091 5572 Avgtdix - ok
23:37:16.0107 5572 avipbb (475fbb85956534720858ae72010c0a43) C:\WINDOWS\system32\DRIVERS\avipbb.sys
23:37:16.0107 5572 avipbb - ok
23:37:16.0138 5572 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\WINDOWS\system32\DRIVERS\avkmgr.sys
23:37:16.0138 5572 avkmgr - ok
23:37:16.0185 5572 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:37:16.0185 5572 Beep - ok
23:37:16.0326 5572 catchme - ok
23:37:16.0341 5572 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:37:16.0341 5572 cbidf2k - ok
23:37:16.0357 5572 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
23:37:16.0357 5572 CCDECODE - ok
23:37:16.0357 5572 cd20xrnt - ok
23:37:16.0388 5572 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:37:16.0388 5572 Cdaudio - ok
23:37:16.0435 5572 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
23:37:16.0435 5572 Cdfs - ok
23:37:16.0451 5572 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:37:16.0451 5572 Cdrom - ok
23:37:16.0498 5572 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
23:37:16.0498 5572 cercsr6 - ok
23:37:16.0498 5572 Changer - ok
23:37:16.0513 5572 CmdIde - ok
23:37:16.0529 5572 Cpqarray - ok
23:37:16.0576 5572 cpuz132 (097a0a4899b759a4f032bd464963b4be) C:\WINDOWS\system32\drivers\cpuz132_x32.sys
23:37:16.0576 5572 cpuz132 - ok
23:37:16.0623 5572 ctac32k (8a9c65ce4fe6e8cb24ce06ba28d951a0) C:\WINDOWS\system32\drivers\ctac32k.sys
23:37:16.0623 5572 ctac32k - ok
23:37:16.0638 5572 ctaud2k (47236971dfb3e03690b98e41665d0924) C:\WINDOWS\system32\drivers\ctaud2k.sys
23:37:16.0654 5572 ctaud2k - ok
23:37:16.0685 5572 ctdvda2k (5a0eeb00b02fc78605aa9d3590b24978) C:\WINDOWS\system32\drivers\ctdvda2k.sys
23:37:16.0685 5572 ctdvda2k - ok
23:37:16.0701 5572 ctprxy2k (2381cf056c15271f6b8dab50ff82cf3a) C:\WINDOWS\system32\drivers\ctprxy2k.sys
23:37:16.0701 5572 ctprxy2k - ok
23:37:16.0716 5572 ctsfm2k (da1c530de86c85a701138b30fb145af3) C:\WINDOWS\system32\drivers\ctsfm2k.sys
23:37:16.0716 5572 ctsfm2k - ok
23:37:16.0716 5572 dac2w2k - ok
23:37:16.0732 5572 dac960nt - ok
23:37:16.0748 5572 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
23:37:16.0763 5572 Disk - ok
23:37:16.0794 5572 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
23:37:16.0810 5572 dmboot - ok
23:37:16.0810 5572 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
23:37:16.0826 5572 dmio - ok
23:37:16.0826 5572 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:37:16.0826 5572 dmload - ok
23:37:16.0873 5572 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
23:37:16.0873 5572 DMusic - ok
23:37:16.0888 5572 dpti2o - ok
23:37:16.0888 5572 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
23:37:16.0888 5572 drmkaud - ok
23:37:16.0904 5572 dvd43llh (1fc1eed3ea0c3a0ecf8a95b97e1b4831) C:\WINDOWS\system32\DRIVERS\dvd43llh.sys
23:37:16.0904 5572 dvd43llh - ok
23:37:16.0935 5572 e1express (5b75bbf89d8341f424171df7ad9dc465) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
23:37:16.0935 5572 e1express - ok
23:37:16.0966 5572 emupia (661cf27263f3e0b553be050a42d357db) C:\WINDOWS\system32\drivers\emupia2k.sys
23:37:16.0966 5572 emupia - ok
23:37:16.0998 5572 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
23:37:16.0998 5572 Fastfat - ok
23:37:17.0013 5572 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
23:37:17.0013 5572 Fdc - ok
23:37:17.0029 5572 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
23:37:17.0029 5572 Fips - ok
23:37:17.0076 5572 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
23:37:17.0076 5572 Flpydisk - ok
23:37:17.0091 5572 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
23:37:17.0091 5572 FltMgr - ok
23:37:17.0123 5572 FlyUsb (8efa9bfc940d9eb9348d9dafb839fe25) C:\WINDOWS\system32\DRIVERS\FlyUsb.sys
23:37:17.0123 5572 FlyUsb - ok
23:37:17.0154 5572 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:37:17.0154 5572 Fs_Rec - ok
23:37:17.0169 5572 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:37:17.0169 5572 Ftdisk - ok
23:37:17.0216 5572 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
23:37:17.0216 5572 GEARAspiWDM - ok
23:37:17.0232 5572 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:37:17.0232 5572 Gpc - ok
23:37:17.0294 5572 ha20x2k (4b1e6b601c6c8c1cced6c945a9f6e83e) C:\WINDOWS\system32\drivers\ha20x2k.sys
23:37:17.0310 5572 ha20x2k - ok
23:37:17.0326 5572 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:37:17.0326 5572 hidusb - ok
23:37:17.0341 5572 hpn - ok
23:37:17.0388 5572 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
23:37:17.0388 5572 HTTP - ok
23:37:17.0388 5572 i2omgmt - ok
23:37:17.0404 5572 i2omp - ok
23:37:17.0404 5572 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
23:37:17.0419 5572 i8042prt - ok
23:37:17.0435 5572 iastor (294110966cedd127629c5be48367c8cf) C:\WINDOWS\system32\DRIVERS\iaStor.sys
23:37:17.0435 5572 iastor - ok
23:37:17.0451 5572 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
23:37:17.0451 5572 Imapi - ok
23:37:17.0466 5572 ini910u - ok
23:37:17.0466 5572 IntelIde - ok
23:37:17.0482 5572 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:37:17.0482 5572 intelppm - ok
23:37:17.0498 5572 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
23:37:17.0513 5572 Ip6Fw - ok
23:37:17.0529 5572 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:37:17.0529 5572 IpFilterDriver - ok
23:37:17.0560 5572 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:37:17.0560 5572 IpInIp - ok
23:37:17.0560 5572 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:37:17.0576 5572 IpNat - ok
23:37:17.0576 5572 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:37:17.0576 5572 IPSec - ok
23:37:17.0607 5572 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:37:17.0607 5572 IRENUM - ok
23:37:17.0623 5572 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:37:17.0623 5572 isapnp - ok
23:37:17.0638 5572 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:37:17.0638 5572 Kbdclass - ok
23:37:17.0654 5572 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
23:37:17.0654 5572 kbdhid - ok
23:37:17.0701 5572 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
23:37:17.0701 5572 kmixer - ok
23:37:17.0716 5572 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
23:37:17.0732 5572 KSecDD - ok
23:37:17.0732 5572 lbrtfdc - ok
23:37:17.0779 5572 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
23:37:17.0779 5572 MHNDRV - ok
23:37:17.0794 5572 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:37:17.0794 5572 mnmdd - ok
23:37:17.0810 5572 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
23:37:17.0810 5572 Modem - ok
23:37:17.0826 5572 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:37:17.0826 5572 Mouclass - ok
23:37:17.0841 5572 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
23:37:17.0841 5572 mouhid - ok
23:37:17.0857 5572 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
23:37:17.0857 5572 MountMgr - ok
23:37:17.0873 5572 MPE (c0f8e0c2c3c0437cf37c6781896dc3ec) C:\WINDOWS\system32\DRIVERS\MPE.sys
23:37:17.0873 5572 MPE - ok
23:37:17.0888 5572 mraid35x - ok
23:37:17.0904 5572 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:37:17.0904 5572 MRxDAV - ok
23:37:17.0935 5572 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:37:17.0935 5572 MRxSmb - ok
23:37:17.0951 5572 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
23:37:17.0951 5572 Msfs - ok
23:37:17.0982 5572 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:37:17.0982 5572 MSKSSRV - ok
23:37:18.0029 5572 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:37:18.0029 5572 MSPCLOCK - ok
23:37:18.0044 5572 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
23:37:18.0044 5572 MSPQM - ok
23:37:18.0060 5572 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:37:18.0060 5572 mssmbios - ok
23:37:18.0091 5572 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
23:37:18.0091 5572 MSTEE - ok
23:37:18.0107 5572 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
23:37:18.0107 5572 Mup - ok
23:37:18.0154 5572 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
23:37:18.0154 5572 NABTSFEC - ok
23:37:18.0201 5572 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
23:37:18.0216 5572 NDIS - ok
23:37:18.0232 5572 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
23:37:18.0232 5572 NdisIP - ok
23:37:18.0263 5572 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:37:18.0263 5572 NdisTapi - ok
23:37:18.0279 5572 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:37:18.0279 5572 Ndisuio - ok
23:37:18.0294 5572 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:37:18.0294 5572 NdisWan - ok
23:37:18.0326 5572 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
23:37:18.0326 5572 NDProxy - ok
23:37:18.0357 5572 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:37:18.0357 5572 NetBIOS - ok
23:37:18.0388 5572 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:37:18.0388 5572 NetBT - ok
23:37:18.0404 5572 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
23:37:18.0404 5572 NIC1394 - ok
23:37:18.0435 5572 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
23:37:18.0435 5572 Npfs - ok
23:37:18.0435 5572 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
23:37:18.0451 5572 Ntfs - ok
23:37:18.0482 5572 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:37:18.0482 5572 Null - ok
23:37:18.0669 5572 nv (4f15e1e56703f59c0ac00022162e5308) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
23:37:18.0826 5572 nv - ok
23:37:18.0841 5572 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:37:18.0841 5572 NwlnkFlt - ok
23:37:18.0841 5572 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:37:18.0857 5572 NwlnkFwd - ok
23:37:18.0857 5572 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
23:37:18.0857 5572 ohci1394 - ok
23:37:18.0873 5572 ossrv (99f877a7bb6feb5af1184eafe937c208) C:\WINDOWS\system32\drivers\ctoss2k.sys
23:37:18.0873 5572 ossrv - ok
23:37:18.0904 5572 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
23:37:18.0904 5572 Parport - ok
23:37:18.0904 5572 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
23:37:18.0919 5572 PartMgr - ok
23:37:18.0935 5572 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:37:18.0935 5572 ParVdm - ok
23:37:18.0951 5572 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
23:37:18.0951 5572 PCI - ok
23:37:18.0966 5572 PCIDump - ok
23:37:18.0982 5572 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
23:37:18.0982 5572 PCIIde - ok
23:37:18.0998 5572 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
23:37:18.0998 5572 Pcmcia - ok
23:37:19.0013 5572 PDCOMP - ok
23:37:19.0013 5572 PDFRAME - ok
23:37:19.0029 5572 PDRELI - ok
23:37:19.0029 5572 PDRFRAME - ok
23:37:19.0044 5572 perc2 - ok
23:37:19.0044 5572 perc2hib - ok
23:37:19.0076 5572 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:37:19.0076 5572 PptpMiniport - ok
23:37:19.0123 5572 PRISM_A02 (9d8f196d9fbb74f8e3ec5cdfd77c90e6) C:\WINDOWS\system32\DRIVERS\WUSBGXP.sys
23:37:19.0123 5572 PRISM_A02 - ok
23:37:19.0138 5572 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
23:37:19.0138 5572 PSched - ok
23:37:19.0154 5572 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:37:19.0154 5572 Ptilink - ok
23:37:19.0169 5572 PxHelp20 (617accada2e0a0f43ec6030bbac49513) C:\WINDOWS\system32\Drivers\PxHelp20.sys
23:37:19.0169 5572 PxHelp20 - ok
23:37:19.0185 5572 ql1080 - ok
23:37:19.0185 5572 Ql10wnt - ok
23:37:19.0201 5572 ql12160 - ok
23:37:19.0201 5572 ql1240 - ok
23:37:19.0201 5572 ql1280 - ok
23:37:19.0232 5572 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:37:19.0232 5572 RasAcd - ok
23:37:19.0248 5572 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:37:19.0248 5572 Rasl2tp - ok
23:37:19.0248 5572 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:37:19.0263 5572 RasPppoe - ok
23:37:19.0263 5572 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:37:19.0263 5572 Raspti - ok
23:37:19.0279 5572 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:37:19.0279 5572 Rdbss - ok
23:37:19.0294 5572 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:37:19.0294 5572 RDPCDD - ok
23:37:19.0310 5572 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
23:37:19.0310 5572 rdpdr - ok
23:37:19.0341 5572 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
23:37:19.0341 5572 RDPWD - ok
23:37:19.0357 5572 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:37:19.0357 5572 redbook - ok
23:37:19.0388 5572 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:37:19.0388 5572 Secdrv - ok
23:37:19.0404 5572 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
23:37:19.0404 5572 Serial - ok
23:37:19.0451 5572 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:37:19.0451 5572 Sfloppy - ok
23:37:19.0451 5572 Simbad - ok
23:37:19.0482 5572 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
23:37:19.0482 5572 SLIP - ok
23:37:19.0513 5572 snapman (e60646143eb6b746eb3ab58ef7d5cff7) C:\WINDOWS\system32\DRIVERS\snapman.sys
23:37:19.0513 5572 snapman - ok
23:37:19.0529 5572 Sparrow - ok
23:37:19.0560 5572 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
23:37:19.0560 5572 splitter - ok
23:37:19.0576 5572 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
23:37:19.0576 5572 sr - ok
23:37:19.0591 5572 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
23:37:19.0607 5572 Srv - ok
23:37:19.0638 5572 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
23:37:19.0638 5572 ssmdrv - ok
23:37:19.0654 5572 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
23:37:19.0669 5572 streamip - ok
23:37:19.0685 5572 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:37:19.0685 5572 swenum - ok
23:37:19.0685 5572 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
23:37:19.0701 5572 swmidi - ok
23:37:19.0701 5572 symc810 - ok
23:37:19.0716 5572 symc8xx - ok
23:37:19.0716 5572 sym_hi - ok
23:37:19.0732 5572 sym_u3 - ok
23:37:19.0748 5572 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
23:37:19.0763 5572 sysaudio - ok
23:37:19.0779 5572 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:37:19.0794 5572 Tcpip - ok
23:37:19.0794 5572 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:37:19.0794 5572 TDPIPE - ok
23:37:19.0841 5572 tdrpman228 (664469f03c955e851c5de58eea233f5a) C:\WINDOWS\system32\DRIVERS\tdrpm228.sys
23:37:19.0857 5572 tdrpman228 - ok
23:37:19.0888 5572 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
23:37:19.0888 5572 TDTCP - ok
23:37:19.0904 5572 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:37:19.0904 5572 TermDD - ok
23:37:19.0904 5572 tifsfilter (6dcb8ddb481cd3c40fa68593723b4d89) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
23:37:19.0919 5572 tifsfilter - ok
23:37:19.0919 5572 timounter (394fc70b88b7958fa85798bbc76d140a) C:\WINDOWS\system32\DRIVERS\timntr.sys
23:37:19.0935 5572 timounter - ok
23:37:19.0935 5572 TosIde - ok
23:37:19.0966 5572 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
23:37:19.0966 5572 Udfs - ok
23:37:19.0982 5572 ultra - ok
23:37:20.0013 5572 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
23:37:20.0013 5572 Update - ok
23:37:20.0044 5572 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
23:37:20.0044 5572 USBAAPL - ok
23:37:20.0060 5572 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
23:37:20.0060 5572 usbccgp - ok
23:37:20.0107 5572 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
23:37:20.0107 5572 usbehci - ok
23:37:20.0123 5572 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
23:37:20.0123 5572 usbhub - ok
23:37:20.0154 5572 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
23:37:20.0154 5572 usbprint - ok
23:37:20.0154 5572 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
23:37:20.0169 5572 usbscan - ok
23:37:20.0185 5572 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
23:37:20.0185 5572 USBSTOR - ok
23:37:20.0232 5572 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
23:37:20.0232 5572 usbuhci - ok
23:37:20.0248 5572 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
23:37:20.0248 5572 VgaSave - ok
23:37:20.0263 5572 ViaIde - ok
23:37:20.0279 5572 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
23:37:20.0279 5572 VolSnap - ok
23:37:20.0310 5572 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
23:37:20.0310 5572 Wanarp - ok
23:37:20.0326 5572 WDICA - ok
23:37:20.0357 5572 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
23:37:20.0357 5572 wdmaud - ok
23:37:20.0419 5572 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
23:37:20.0419 5572 WSTCODEC - ok
23:37:20.0451 5572 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
23:37:20.0451 5572 WudfPf - ok
23:37:20.0482 5572 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
23:37:20.0482 5572 WudfRd - ok
23:37:20.0498 5572 yeddef - ok
23:37:20.0513 5572 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
23:37:20.0654 5572 \Device\Harddisk0\DR0 - ok
23:37:20.0654 5572 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
23:37:20.0669 5572 \Device\Harddisk1\DR1 - ok
23:37:20.0669 5572 Boot (0x1200) (4a78e1f5538c49209015cce5fc00d1c5) \Device\Harddisk0\DR0\Partition0
23:37:20.0669 5572 \Device\Harddisk0\DR0\Partition0 - ok
23:37:20.0669 5572 Boot (0x1200) (02dd6e972d9c71c9b123520147d83454) \Device\Harddisk1\DR1\Partition0
23:37:20.0669 5572 \Device\Harddisk1\DR1\Partition0 - ok
23:37:20.0669 5572 ============================================================
23:37:20.0669 5572 Scan finished
23:37:20.0669 5572 ============================================================
23:37:20.0685 3520 Detected object count: 0
23:37:20.0685 3520 Actual detected object count: 0
23:37:50.0935 4624 Deinitialize success


I ran the ESET but did the installer version instead of online because of browser incompatibility. Unticked remove threats, etc. It ran for a very long good while and I went to bed. Woke up to a rebooted computer with no log that I can find or even evidence that the ESET was installed. Never mind, just found it in C:\Programs with log


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=1044d6a65347084c90a386906edabb81
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-08-29 03:37:14
# local_time=2011-08-29 10:37:14 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 2133619 2133619 0 0
# compatibility_mode=1797 16775141 100 100 0 88574300 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=135713
# found=0
# cleaned=0
# scan_time=4099
ESETSmartInstaller@High as downloader log:
all ok



