
Trend ChipawayVirus Infection


  • This topic is locked
25 replies to this topic

#1 fraser06

fraser06

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:14 PM

Posted 29 January 2012 - 06:09 PM

Hi. I've just registered with you. I would be grateful for any help. I seem to have caught a serious virus, similar to one you have featured on this site. I have read your forums. But my scenario does not quite match the others. So I wanted to check with you before following your previous advice. I will try to give you as much relevant information as I can. Sorry for the length of this.
My PC = Tower Desktop PC - AMD Athlon XP 1900+ (1.6Ghz) - 100GB IDE (7200 rpm) Hard drive - 768MB DDR (I think) - Windows XP Service Pack 3 - Microsoft Office - Microsoft Internet Explorer.
Yesterday, with Internet Explorer open, possibly several tabs, plus Windows Explorer open, a virus seemed to take over my PC. Several things happened rapidly. I may have missed everything that happened, and I may have got the order of events wrong. Anyway, a dialog box suddenly opened on the screen, saying that it was carrying out a system check/diagnostic check etc. This did not look genuine. I think the dialog box was headed "System Check". The PC then seemed to rapidly start to fail. Whilst it was gradually failing, I observed the following: message: "WINDOWS DELAYED WRITE FAILED - Failed to save all the components of the file \\System32\\000057f6. The file is corrupted or unreadable. This error may be caused by a PC hardware problem". This message kept appearing many times, each time with a different alphanumeric after "System32\\". The fake looking "System Check" dialog box remained. I could not close it. I could not open Task Manager to try to shut it down that way. My PC rapidly slowed down.

I pressed START and All Programs. There was a new Program there called "System Check". I had not knowingly downloaded it. Windows Explorer was still open at this point. But when I tried to open folders to check my data, all Program folders and Documents folders displayed no files in them. Only one documents folder belonging to one of the computer's users still had file names visible in it, but I never got a chance to try to open them. When I again pressed START and All Programs I got the message "EMPTY". I then right clicked on Drive C in Windows Explorer to check its properties. At this point the disc was still showing itself to be 85% full, as it had been before this problem.

Another message: "RAM memory is extremely low. This problem may cause system failure". Another message: "FILE INDEXATION PROCESS FAILED - Indexation process failure may cause: i File may become unreadable, i Files + documents can be lost, i Operation System may slow down dramatically. To prevent possible damage to this PC, follow the recommendations. Recommendations: It's highly recommended to run file integrity checker now and resolve this issue". Unfortunately, I simply did not know if this message, or the other messages, was genuine. Whilst the message seemed perfectly plausible, I was not sure about the fonts and graphics. Also, I did not know how to do what it was recommending anyway. Another message: "Hard drive clusters are partly damaged. Segment load (or lead?) failure". Another message with small prefix yellow triangle symbol with exclamation mark inside it: "Windows OS can't detect a free hard drive space. Hard drive error". Another message, also with yellow triangle: "CRITICAL ERROR - Hard drive critical error. Start a system diagnostics..." I missed the rest of the message, as it got superseded by one of the other messages. By this stage I could not access programs or utilities to do anything about this.

After trying to inspect the state of things, and pondering what to do next, I left the PC for a while. When I returned, the Windows screen had gone. Now there was a black screen, with a large orange or red dialog box. It contained the text that has been reported to you before: "Trend ChipawayVirus has detected a boot virus on your hard disk. The operating system is not supported by ChipawayVirus. Press <Enter> for more information (recommended) <C> to continue booting "Complete Virus Protection for the Enterprise" Trend Micro http://www.antivirus.com". At the bottom a little icon with a smiley face jumps from left to right along a dotted line. When it reaches each end the phrase "TCAV On Guard!" flashes. This is how my PC remains. Because more than one of these messages was in my opinion fake, I did not follow the instructions of any of them, afraid that I might make matters worse. So at present I cannot do anything. When others had this problem, they seemed to still be able to access Windows.

Before I start to follow any recommendations, I would like to know if I should switch off the PC entirely first, or press its Reset button, restart in Safe Mode or other Mode before attempting the recommended fixes, if Windows will even start at all. I have been meticulous over virtually 10 years using this PC to maintain antivirus software. For the last few years I have used Norton Internet Security, and I had never had a virus that wasn't dealt with effectively straight away by the antivirus software. Unfortunately, recent extreme workload caused me for the very first time to let my Norton Virus Updates Subscription lapse and not renew it. Clearly this must have allowed the malicious content in. Needless to say I have a sick feeling in my stomach, and am preparing myself for the worst. I urgently need my PC back in use, but obviously hold on to a faint hope that some documents might be recoverable. My PC was preloaded with Windows software at the factory, but they provided me with some sort of recovery disks to reload Windows etc. Thank you in advance!

#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,944 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 PM

Posted 03 February 2012 - 10:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

What you are describing sure looks like the Remove System Fix infection.

Navigate to this page and if you consider this is the issue please proceed as suggested.
http://www.bleepingcomputer.com/virus-removal/remove-system-fix
Make sure you read the complete page before proceeding.

When done please let me see the following DDS log.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.


If you feel that it's not quite the issue then please just post the DDS log for my review and let me know what issues you are having with this computer.

#3 fraser06

fraser06
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:14 PM

Posted 08 February 2012 - 08:00 AM

nasdaq
Thanks for replying. But I've been checking the forum on my smartphone + someone else's PC several times each day and saw no replies listed. Also there were no notifications in my account and no notification emails received. I've only just seen your reply now! Can you please confirm then that this post is still live and has not been closed. And if it has, what is the quickest way to get it back live? I am now desperate to sort the problem out. I've read loads on your website. But I don't know how to do what you've asked, because I cannot start Windows at all, and it seems that I need Windows running to download the software and run the scans.

This is what I've done. I switched off the PC then restarted; I kept pressing F8 to try to get to Safe Mode. But firstly the screen with those options listed did not appear, just a black screen saying something like Windows XP Home Edition. Then a split second later, the red Trend ChipawayVirus dialog box appeared, preventing Windows from starting and preventing me from accessing anything. So I went on the avg.com website, using another computer, and created their rescue CD, as an actual CD. I then managed to start my infected PC from the CD, but not Windows, then did an internet update of their virus database, then ran a full scan of the hard drive with their CD based virus scan. It identified up to 16 infected files, various, including trojans. I chose the recommended option to RENAME all the files listed. I then ended the process. I then tried to restart the PC. But again the Trend ChipawayVirus message box opened, preventing Windows from opening.

I don't know what to try next. I have read other websites' forums suggesting going into the BIOS at startup to disable the Trend boot virus checker to allow Windows to at least start. I could follow your instruction then. But is this safe? Is there a better way? I have a Product Recovery CD provided by the PC manufacturer when bought in 2001. Could I use that in any way to try to boot Windows without reformatting, or losing my data files? (I would have contacted the manufacturer, but they closed down.) I have read that running original recovery disks in a PC which has since been updated with Service Pack 1, 2 and 3 might cause problems. Any truth in this? I just need to find a way to get Windows started and start the rest of the cleaning process you have recommended. I don't have access to another computer this week. I have found that I can now access the internet on my PC using the AVG CD, which enables text based internet access. But it looks like a DOS screen and is very difficult to use this text based method, and I am not sure yet if it allows downloads. So I am sending this message via smartphone. Grateful for any advice.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,944 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 PM

Posted 08 February 2012 - 11:07 AM

The topic is still open and I will get any message you send to it.

This is the infection we are talking about.

http://www.bleepingcomputer.com/virus-removal/remove-system-fix

I have found that I can now access the internet on my PC using the AVG CD, which enables text based internet access.

Can you view the article?

Can you download some of the suggested programs in Safe Mode?

Is the CD or Flash drive working in safe mode?

#6 fraser06

fraser06
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:14 PM

Posted 08 February 2012 - 12:23 PM

nasdaq,
Hi. No, I cannot start Windows in Safe Mode. But this afternoon I noticed that one of the AVG rescue CD menus had the option 'Start Windows from hard disk'. I don't know why this should be any different from just starting Windows without the CD in, but I tried it anyway, and Windows started in normal mode. There was no option to select Safe Mode. I even managed to then log in to Windows. All my desktop icons had disappeared. Pressing Start and Programs still indicates Empty. But also showing on the Taskbar were 2 new items: an icon I've never seen before and separately the name 'System Check', the thing that installed itself on my PC last week. Also, my taskbar icons for Outlook and Internet Explorer appeared. I next closed down Windows and attempted to restart Windows. As it restarted I kept pressing F8 to get to the options screen for Safe Mode with Networking. But instead of this screen opening, the Trend ChipawayVirus dialog box message opened, preventing me from doing anything further. It seems then that I might be able to open Internet Explorer in Windows normal mode, in order to download the material you've recommended. That seems the only way at present. But is this recommended, or is there another way to open Windows in Safe Mode with Networking instead?

#7 fraser06

fraser06
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:14 PM

Posted 08 February 2012 - 12:39 PM

nasdaq, I meant to mention that, yes, this does seem like the System Fix virus you called it, though it looks identical to the System Check virus your website has featured. Are they one and the same thing? Also I do not understand the Trend ChipawayVirus message. Is it a genuine message reporting a virus or boot virus, is it a completely fake message included by the System Fix virus, or is it a genuine message from the BIOS virus checker, but deliberately falsely triggered by the System Fix virus?

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,944 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 PM

Posted 09 February 2012 - 08:56 AM

Also I do not understand the Trend ChipawayVirus message. Is it a genuine message reporting a virus or boot virus, is it a completely fake message included by the System Fix virus.


It's probably a message from the infection. But it's not the issue now. We need to get that computer running.


The infection you are trying to remove will not allow you to download files on the infected computer.

So using a good computer download these tools to a CD or Flash drive.

RKill Download Link

TDSSKiller.zip

Malwarebytes Anti-Malware

Unhide.exe

Copy the files to the desktop of the infected computer.

===

Now run these files in the following order:

Execute the RKill program.
Vista and Win7 users need to right click and choose Run as Admin
===

DO NOT RESTART THE COMPUTER.

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.
===

Double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

This may take some time; please let it finish.
===

If you can, restart the computer normally and connect to the internet if possible.
You can do the following if you can connect in Safe mode with Internet connectivity.
If you are unable to run this tool skip this for now. Move to the other tool.

  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

If you have an internet access please run this tool.

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.



Please post the DDS, TDSSKiller and the MBAM logs.

Let me know of the remaining problems with this computer.
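
As an added example that is not part of this thread and not code from the TDSSKiller tool itself: a small Python triage script for the TDSSKiller log that the steps above ask you to post. It parses the per-driver lines the tool writes (a detail line with the driver name, MD5 and file path, followed by a verdict line such as `AFD - ok`) and flags any driver whose verdict is not "ok", as well as any driver that was enumerated but never received a verdict, which is what the log looks like when the scan is interrupted. The sample log is constructed: the Abiosdsk, ACPI, AFD and BHDrvx86 lines mirror the log posted later in this thread, while the `FakeDrv` and `Unfinished` entries and the "detected (constructed verdict)" text are placeholders, not real TDSSKiller output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. The first four driver entries mirror the format of
# the log posted in this thread; FakeDrv and Unfinished are hypothetical
# placeholders added only to exercise the triage paths below.
SAMPLE_LOG = r"""
19:43:56.0056 1144 Scan started
19:43:56.0056 1144 Mode: Manual;
19:43:56.0056 1144 ============================================================
19:43:57.0818 1144 Abiosdsk - ok
19:43:58.0599 1144 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:43:58.0669 1144 ACPI - ok
19:44:00.0392 1144 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
19:44:00.0442 1144 AFD - ok
19:44:07.0512 1144 BHDrvx86 (925a191c8c06124426c63ceb2ea93085) C:\Documents and Settings\All Users\Application Data\Norton\BHDrvx86.sys
19:44:07.0823 1144 BHDrvx86 - ok
19:44:30.0000 1144 FakeDrv (00000000000000000000000000000000) C:\WINDOWS\system32\drivers\fakedrv.sys
19:44:30.0100 1144 FakeDrv - detected (constructed verdict)
19:44:31.0000 1144 Unfinished (11111111111111111111111111111111) C:\WINDOWS\system32\drivers\unfinished.sys
"""

# Detail line: "<time> <pid> <name> (<md5>) <path>"
DETAIL_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+)$"
)
# Verdict line: "<time> <pid> <name> - <verdict>"
VERDICT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<name>\S+)\s+-\s+(?P<verdict>.+)$"
)


@dataclass
class DriverEntry:
    name: str
    md5: Optional[str] = None      # set when the tool found a file on disk
    path: Optional[str] = None
    verdict: Optional[str] = None  # "ok" in a clean scan; None if never reported


def parse_tdsskiller_log(text: str) -> Dict[str, DriverEntry]:
    """Collect one DriverEntry per driver name, merging detail and verdict lines."""
    entries: Dict[str, DriverEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETAIL_RE.match(line)
        if m:
            entry = entries.setdefault(m["name"], DriverEntry(m["name"]))
            entry.md5 = m["md5"].lower()
            entry.path = m["path"]
            continue
        m = VERDICT_RE.match(line)
        if m:
            entry = entries.setdefault(m["name"], DriverEntry(m["name"]))
            entry.verdict = m["verdict"].strip()
        # Header/banner lines ("Scan started", "Mode:", "====") match neither pattern.
    return entries


def triage(entries: Dict[str, DriverEntry]) -> List[str]:
    """Driver names an analyst should look at: any verdict other than "ok",
    or a file that was enumerated but never given a verdict (interrupted scan)."""
    flagged = []
    for entry in entries.values():
        if entry.verdict is None and entry.path is not None:
            flagged.append(entry.name)
        elif entry.verdict is not None and entry.verdict != "ok":
            flagged.append(entry.name)
    return sorted(flagged)


def summarize(text: str) -> dict:
    """Parse a whole log and return counts plus the flagged driver names."""
    entries = parse_tdsskiller_log(text)
    return {
        "drivers": len(entries),
        "with_file": sum(1 for e in entries.values() if e.path),
        "flagged": triage(entries),
    }


if __name__ == "__main__":
    # Run against the constructed sample; pass a real log's text in practice.
    print(summarize(SAMPLE_LOG))
```

The MD5 captured for each driver is kept so the flagged entries can be looked up against a known-good hash set offline; the script deliberately does nothing to the files it names, since the removal step in the procedure above belongs to the tool, not to this log reader.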

#9 fraser06

fraser06
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:14 PM

Posted 09 February 2012 - 02:05 PM

nasdaq,
Thanks for the info. Good news. After a few more attempts, I've managed now to start Windows in Safe Mode with Networking. Also, without doing anything yet, my desktop icons have reappeared and my program files and My Documents files have also reappeared. However, in My Programs, System Check is sitting there. When I hover the mouse over it, there are 2 items listed under it, the System Check file to open it, and an Uninstall file. I obviously would like to get rid of it, but I'm not touching it at the moment in case the Uninstall is a fake or trap. When I looked for System Check in Control Panel Remove Programs, it was not listed. Anyway, I am now working through the instructions for removal of System Fix/Check, as I can open Safe Mode with Networking now. I think this is going to take quite a while, so I'll get back to you in the next day or two when I've completed the steps and can send you the logs you need. Are you open at weekends or do you restart on Monday?

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,944 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 PM

Posted 10 February 2012 - 09:19 AM

Good work.

However, in My Programs, System Check is sitting there. When I hover the mouse over it, there are 2 items listed under it, the System Check file to open it, and an Uninstall file.


You can wait until your computer is clean and then right click on the icon/program and delete it.
===

When you can, submit the Malwarebytes and the DDS logs.

After reviewing them I will possibly get you to run other tools.

#11 fraser06

fraser06
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:14 PM

Posted 14 February 2012 - 02:51 PM

nasdaq,
Hi, things seem to be going well. No more Trend ChipawayVirus dialog box at startup. Program and My Documents files seem to be accessible. I have run RKill and TDSSKiller and also Malwarebytes. A number of viruses were found and dealt with, mainly trojans. I have started Unhide just in case certain files are still hidden. But it is taking ages and my PC seems to be running very slowly. I thought about cancelling and restarting this but have decided to leave it running for now. But whilst it is running so slowly I cannot access anything. This message is via my phone. So please bear with me. As soon as I can get back into it, I will start to retrieve the logs to send you.

#12 fraser06

fraser06
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:14 PM

Posted 17 February 2012 - 01:37 PM

Nasdaq,

Hi, latest situation. I have run RKill, TDSSKiller and Malwarebytes, which all seemed to run OK in Safe Mode. I then ran Unhide.exe, but even though I had downloaded it to my desktop in Safe Mode with Networking, when I opened Windows to run it, it could not be found anywhere. So I had to reopen Windows in Normal Mode, then run it from the desktop, where it was visible. I started the scan then went to bed. This morning, I found a blank black screen, as if Windows had closed down. No controls were accessible. So I restarted the PC. Everything seemed fine. So I do not know if Unhide.exe ran properly or not.

I now enclose, pasted below, the logs from TDSSKiller, Malwarebytes and DDS. I would be grateful for your view on things so far. I could not find the initial DDS report to paste it into this post, so I had to run DDS again then copy + paste that in whilst its report was still open.

I am just about to reactivate the built in Firewall in Windows XP. Then I will run Secunia PSI, as recommended. Then I will be buying Norton Internet Security 2012. Buying new versions seems to be cheaper than resubscribing for another year!

There is one thing I can still see, though not directly related to this recent attack. When I use Internet Explorer, I see 'About.com' appearing every time I go to a new website. I also see something like 'Click.com' an awful lot. Aren't these adware or spyware programs? And how can I get rid of them? Norton did not do it, nor did the recent software listed above. And even though I always had pop-ups and banners blocked by Norton, it did not work, so every page I open is full of pop-up ads, including animations, which seriously slow down the loading of pages.

RKill Log Report:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 08/02/2012 at 19:12:55.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 08/02/2012 at 19:14:13.



TDSSKiller Scan Log Report:

19:42:52.0945 1756 TDSS rootkit removing tool 2.7.10.0 Feb 7 2012 15:14:46
19:42:54.0958 1756 ============================================================
19:42:54.0958 1756 Current date / time: 2012/02/08 19:42:54.0958
19:42:54.0958 1756 SystemInfo:
19:42:54.0958 1756
19:42:54.0958 1756 OS Version: 5.1.2600 ServicePack: 3.0
19:42:54.0958 1756 Product type: Workstation
19:42:54.0958 1756 ComputerName: RICHARDMORGANS
19:42:54.0958 1756 UserName: Richard
19:42:54.0958 1756 Windows directory: C:\WINDOWS
19:42:54.0958 1756 System windows directory: C:\WINDOWS
19:42:54.0958 1756 Processor architecture: Intel x86
19:42:54.0958 1756 Number of processors: 1
19:42:54.0958 1756 Page size: 0x1000
19:42:54.0958 1756 Boot type: Safe boot with network
19:42:54.0958 1756 ============================================================
19:42:59.0665 1756 Drive \Device\Harddisk0\DR0 - Size: 0x174A446000 (93.16 Gb), SectorSize: 0x200, Cylinders: 0x2F81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:42:59.0745 1756 \Device\Harddisk0\DR0:
19:42:59.0745 1756 MBR used
19:42:59.0745 1756 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xBA4CF41
19:42:59.0905 1756 Initialize success
19:42:59.0905 1756 ============================================================
19:43:56.0056 1144 ============================================================
19:43:56.0056 1144 Scan started
19:43:56.0056 1144 Mode: Manual;
19:43:56.0056 1144 ============================================================
19:43:57.0818 1144 Abiosdsk - ok
19:43:58.0159 1144 abp480n5 - ok
19:43:58.0599 1144 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:43:58.0669 1144 ACPI - ok
19:43:59.0090 1144 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:43:59.0100 1144 ACPIEC - ok
19:43:59.0430 1144 adpu160m - ok
19:43:59.0881 1144 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:43:59.0941 1144 aec - ok
19:44:00.0392 1144 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
19:44:00.0442 1144 AFD - ok
19:44:00.0863 1144 Aha154x - ok
19:44:01.0193 1144 aic78u2 - ok
19:44:01.0523 1144 aic78xx - ok
19:44:01.0904 1144 AliIde - ok
19:44:02.0275 1144 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
19:44:02.0295 1144 AmdK7 - ok
19:44:02.0615 1144 amsint - ok
19:44:03.0056 1144 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:44:03.0086 1144 Arp1394 - ok
19:44:03.0406 1144 asc - ok
19:44:03.0747 1144 asc3350p - ok
19:44:04.0077 1144 asc3550 - ok
19:44:04.0528 1144 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:44:04.0538 1144 AsyncMac - ok
19:44:04.0918 1144 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:44:04.0918 1144 atapi - ok
19:44:05.0259 1144 Atdisk - ok
19:44:05.0639 1144 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:44:05.0669 1144 Atmarpc - ok
19:44:06.0130 1144 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:44:06.0130 1144 audstub - ok
19:44:06.0561 1144 BCSWAP (b31a2d4728eb124c8ff6d6e190a0171b) C:\WINDOWS\system32\drivers\BCSWAP.sys
19:44:06.0591 1144 BCSWAP - ok
19:44:07.0021 1144 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:44:07.0031 1144 Beep - ok
19:44:07.0512 1144 BHDrvx86 (925a191c8c06124426c63ceb2ea93085) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20110419.001\BHDrvx86.sys
19:44:07.0823 1144 BHDrvx86 - ok
19:44:08.0343 1144 Cardex (04e1c782cf14b7282ebc633b0fd3ed16) C:\WINDOWS\system32\drivers\TBPANEL.SYS
19:44:08.0353 1144 Cardex - ok
19:44:08.0764 1144 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:44:08.0764 1144 cbidf2k - ok
19:44:09.0385 1144 ccHP (1fa1c0e73eca849bed29a47c508f7f17) C:\WINDOWS\system32\drivers\NIS\1109000.00C\ccHPx86.sys
19:44:09.0565 1144 ccHP - ok
19:44:10.0026 1144 cd20xrnt - ok
19:44:10.0426 1144 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:44:10.0436 1144 Cdaudio - ok
19:44:10.0827 1144 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:44:10.0847 1144 Cdfs - ok
19:44:11.0247 1144 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:44:11.0278 1144 Cdrom - ok
19:44:11.0588 1144 Changer - ok
19:44:12.0029 1144 CmdIde - ok
19:44:12.0449 1144 Cpqarray - ok
19:44:13.0100 1144 ctac32k (ed34d4579950eb9eb6b25bba1b80d2c4) C:\WINDOWS\system32\drivers\ctac32k.sys
19:44:13.0330 1144 ctac32k - ok
19:44:13.0811 1144 ctaud2k (c358e39fa61572287d79108d37f3e28b) C:\WINDOWS\system32\drivers\ctaud2k.sys
19:44:13.0941 1144 ctaud2k - ok
19:44:14.0442 1144 ctdvda2k (18779d6877a2f4ff2f23193fee44b095) C:\WINDOWS\system32\drivers\ctdvda2k.sys
19:44:14.0562 1144 ctdvda2k - ok
19:44:15.0003 1144 ctprxy2k (a07820a06bfdbffa1d207c7778205a4d) C:\WINDOWS\system32\drivers\ctprxy2k.sys
19:44:15.0013 1144 ctprxy2k - ok
19:44:15.0444 1144 ctsfm2k (d29b3eeb5155a06b94f8d75c126a9c0c) C:\WINDOWS\system32\drivers\ctsfm2k.sys
19:44:15.0494 1144 ctsfm2k - ok
19:44:15.0874 1144 dac2w2k - ok
19:44:16.0225 1144 dac960nt - ok
19:44:16.0665 1144 dfg (96c25c84d31f3569e579baa434a85174) C:\WINDOWS\system32\DRIVERS\dfg.sys
19:44:16.0675 1144 dfg - ok
19:44:17.0156 1144 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:44:17.0176 1144 Disk - ok
19:44:17.0897 1144 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:44:18.0228 1144 dmboot - ok
19:44:18.0698 1144 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:44:18.0758 1144 dmio - ok
19:44:19.0199 1144 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:44:19.0199 1144 dmload - ok
19:44:19.0630 1144 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:44:19.0650 1144 DMusic - ok
19:44:20.0020 1144 dpti2o - ok
19:44:20.0391 1144 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:44:20.0411 1144 drmkaud - ok
19:44:20.0741 1144 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
19:44:20.0911 1144 eeCtrl - ok
19:44:21.0492 1144 emupia (39fbced3e762b85846b3da494fcd33fe) C:\WINDOWS\system32\drivers\emupia2k.sys
19:44:21.0542 1144 emupia - ok
19:44:21.0833 1144 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
19:44:21.0873 1144 EraserUtilRebootDrv - ok
19:44:22.0484 1144 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:44:22.0534 1144 Fastfat - ok
19:44:22.0924 1144 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
19:44:22.0934 1144 Fdc - ok
19:44:23.0375 1144 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:44:23.0395 1144 Fips - ok
19:44:23.0745 1144 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:44:23.0755 1144 Flpydisk - ok
19:44:24.0196 1144 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:44:24.0246 1144 FltMgr - ok
19:44:24.0667 1144 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:44:24.0677 1144 Fs_Rec - ok
19:44:25.0077 1144 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:44:25.0147 1144 Ftdisk - ok
19:44:25.0488 1144 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
19:44:25.0498 1144 gameenum - ok
19:44:25.0848 1144 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
19:44:25.0848 1144 GEARAspiWDM - ok
19:44:26.0239 1144 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:44:26.0249 1144 Gpc - ok
19:44:27.0060 1144 ha10kx2k (848f9033ad1c2c6f7ee7e65c2daf45f1) C:\WINDOWS\system32\drivers\ha10kx2k.sys
19:44:27.0381 1144 ha10kx2k - ok
19:44:27.0821 1144 hap16v2k (d2fe992041527ef54e438a3fc82d3b23) C:\WINDOWS\system32\drivers\hap16v2k.sys
19:44:27.0871 1144 hap16v2k - ok
19:44:28.0282 1144 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:44:28.0282 1144 HidUsb - ok
19:44:28.0632 1144 hpn - ok
19:44:28.0963 1144 hpt3xx - ok
19:44:29.0414 1144 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:44:29.0504 1144 HTTP - ok
19:44:29.0854 1144 i2omgmt - ok
19:44:30.0195 1144 i2omp - ok
19:44:30.0565 1144 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:44:30.0585 1144 i8042prt - ok
19:44:30.0906 1144 IDSxpx86 (50fa4c70534cf3b5c17ec83debe07afd) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20110420.001\IDSxpx86.sys
19:44:31.0036 1144 IDSxpx86 - ok
19:44:31.0487 1144 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\Imapi.sys
19:44:31.0507 1144 Imapi - ok
19:44:31.0877 1144 ini910u - ok
19:44:32.0238 1144 IntelIde - ok
19:44:32.0618 1144 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:44:32.0628 1144 ip6fw - ok
19:44:32.0989 1144 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:44:33.0009 1144 IpFilterDriver - ok
19:44:33.0359 1144 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:44:33.0369 1144 IpInIp - ok
19:44:33.0790 1144 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:44:33.0860 1144 IpNat - ok
19:44:34.0371 1144 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:44:34.0401 1144 IPSec - ok
19:44:34.0801 1144 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:44:34.0801 1144 IRENUM - ok
19:44:35.0242 1144 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:44:35.0262 1144 isapnp - ok
19:44:35.0603 1144 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:44:35.0633 1144 Kbdclass - ok
19:44:35.0963 1144 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:44:35.0973 1144 kbdhid - ok
19:44:36.0414 1144 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:44:36.0474 1144 kmixer - ok
19:44:36.0914 1144 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:44:36.0954 1144 KSecDD - ok
19:44:37.0115 1144 Lavasoft Kernexplorer - ok
19:44:37.0555 1144 lbrtfdc - ok
19:44:38.0236 1144 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:44:38.0236 1144 mnmdd - ok
19:44:38.0677 1144 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:44:38.0687 1144 Modem - ok
19:44:39.0088 1144 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
19:44:39.0088 1144 MODEMCSA - ok
19:44:39.0478 1144 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:44:39.0488 1144 Mouclass - ok
19:44:39.0909 1144 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:44:39.0919 1144 mouhid - ok
19:44:40.0329 1144 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:44:40.0339 1144 MountMgr - ok
19:44:40.0680 1144 mraid35x - ok
19:44:41.0090 1144 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:44:41.0150 1144 MRxDAV - ok
19:44:41.0751 1144 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:44:41.0922 1144 MRxSmb - ok
19:44:42.0362 1144 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:44:42.0362 1144 Msfs - ok
19:44:42.0793 1144 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:44:42.0793 1144 MSKSSRV - ok
19:44:43.0233 1144 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:44:43.0233 1144 MSPCLOCK - ok
19:44:43.0694 1144 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:44:43.0704 1144 MSPQM - ok
19:44:44.0115 1144 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:44:44.0115 1144 mssmbios - ok
19:44:44.0565 1144 Mtlmnt5 (c53775780148884ac87c455489a0c070) C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys
19:44:44.0615 1144 Mtlmnt5 - ok
19:44:45.0477 1144 Mtlstrm (54886a652bf5685192141df304e923fd) C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys
19:44:45.0937 1144 Mtlstrm - ok
19:44:46.0408 1144 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
19:44:46.0448 1144 Mup - ok
19:44:46.0859 1144 MxlW2k (19dd5c581eef70134ccef87d626f4417) C:\WINDOWS\system32\drivers\MxlW2k.sys
19:44:46.0869 1144 MxlW2k - ok
19:44:47.0249 1144 MXOPSWD (c29f284ff7ab4ed38ce419a9424e52a2) C:\WINDOWS\system32\DRIVERS\mxopswd.sys
19:44:47.0259 1144 MXOPSWD - ok
19:44:47.0480 1144 NAVENG (c34e2a884ccca8b5567d0c2752527073) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20110420.035\NAVENG.SYS
19:44:47.0540 1144 NAVENG - ok
19:44:48.0231 1144 NAVEX15 (b3916eeec738dd4178f4fd6a44a32e36) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20110420.035\NAVEX15.SYS
19:44:48.0781 1144 NAVEX15 - ok
19:44:49.0282 1144 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:44:49.0352 1144 NDIS - ok
19:44:49.0763 1144 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:44:49.0763 1144 NdisTapi - ok
19:44:50.0143 1144 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:44:50.0153 1144 Ndisuio - ok
19:44:50.0534 1144 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:44:50.0574 1144 NdisWan - ok
19:44:50.0955 1144 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:44:50.0975 1144 NDProxy - ok
19:44:51.0335 1144 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:44:51.0365 1144 NetBIOS - ok
19:44:51.0816 1144 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:44:51.0876 1144 NetBT - ok
19:44:52.0367 1144 NETMDUSB (986acdece933131288f1957dc359865f) C:\WINDOWS\system32\Drivers\NETMDUSB.sys
19:44:52.0387 1144 NETMDUSB - ok
19:44:52.0857 1144 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:44:52.0877 1144 NIC1394 - ok
19:44:53.0388 1144 nmwcd (cfe3462a9e94a57dcd9676f6b7fe7f67) C:\WINDOWS\system32\drivers\ccdcmb.sys
19:44:53.0388 1144 nmwcd - ok
19:44:53.0819 1144 nmwcdc (8f2a94f991f8c73cec26b4b5620d1edc) C:\WINDOWS\system32\drivers\ccdcmbo.sys
19:44:53.0839 1144 nmwcdc - ok
19:44:54.0239 1144 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:44:54.0249 1144 Npfs - ok
19:44:54.0830 1144 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:44:55.0050 1144 Ntfs - ok
19:44:55.0581 1144 NtMtlFax (576b34ceae5b7e5d9fd2775e93b3db53) C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys
19:44:55.0651 1144 NtMtlFax - ok
19:44:56.0102 1144 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:44:56.0102 1144 Null - ok
19:44:57.0965 1144 nv (ba1b732c1a70cfea0c1b64f2850bf44f) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:44:59.0617 1144 nv - ok
19:45:00.0108 1144 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:45:00.0118 1144 NwlnkFlt - ok
19:45:00.0498 1144 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:45:00.0518 1144 NwlnkFwd - ok
19:45:00.0939 1144 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:45:00.0959 1144 ohci1394 - ok
19:45:01.0480 1144 ossrv (64631723b13cbcc153294347535844be) C:\WINDOWS\system32\drivers\ctoss2k.sys
19:45:01.0550 1144 ossrv - ok
19:45:01.0990 1144 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
19:45:02.0020 1144 Parport - ok
19:45:02.0381 1144 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:45:02.0391 1144 PartMgr - ok
19:45:02.0762 1144 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:45:02.0772 1144 ParVdm - ok
19:45:03.0172 1144 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
19:45:03.0182 1144 pccsmcfd - ok
19:45:03.0603 1144 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:45:03.0633 1144 PCI - ok
19:45:03.0973 1144 PCIDump - ok
19:45:04.0314 1144 PCIIde - ok
19:45:04.0734 1144 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:45:04.0784 1144 Pcmcia - ok
19:45:05.0205 1144 PDCOMP - ok
19:45:05.0546 1144 PDFRAME - ok
19:45:05.0876 1144 PDRELI - ok
19:45:06.0217 1144 PDRFRAME - ok
19:45:06.0597 1144 PenClass (4a108cc9cc0e0605e68cce7021479879) C:\WINDOWS\system32\Drivers\PenClass.sys
19:45:06.0617 1144 PenClass - ok
19:45:06.0968 1144 perc2 - ok
19:45:07.0328 1144 perc2hib - ok
19:45:07.0799 1144 PfModNT (c8a2d6ff660ac601b7bb9a9b16a5c25e) C:\WINDOWS\system32\drivers\PfModNT.sys
19:45:07.0809 1144 PfModNT - ok
19:45:08.0279 1144 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:45:08.0290 1144 PptpMiniport - ok
19:45:08.0690 1144 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
19:45:08.0710 1144 Processor - ok
19:45:09.0081 1144 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:45:09.0121 1144 PSched - ok
19:45:09.0521 1144 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:45:09.0521 1144 Ptilink - ok
19:45:09.0902 1144 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:45:09.0912 1144 PxHelp20 - ok
19:45:10.0242 1144 ql1080 - ok
19:45:10.0573 1144 Ql10wnt - ok
19:45:10.0913 1144 ql12160 - ok
19:45:11.0244 1144 ql1240 - ok
19:45:11.0594 1144 ql1280 - ok
19:45:11.0965 1144 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:45:11.0965 1144 RasAcd - ok
19:45:12.0385 1144 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:45:12.0405 1144 Rasl2tp - ok
19:45:12.0796 1144 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:45:12.0816 1144 RasPppoe - ok
19:45:13.0227 1144 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:45:13.0237 1144 Raspti - ok
19:45:13.0707 1144 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:45:13.0797 1144 Rdbss - ok
19:45:14.0208 1144 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:45:14.0208 1144 RDPCDD - ok
19:45:14.0669 1144 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
19:45:14.0719 1144 RDPWD - ok
19:45:15.0139 1144 RecAgent (e9aaa0092d74a9d371659c4c38882e12) C:\WINDOWS\system32\DRIVERS\RecAgent.sys
19:45:15.0149 1144 RecAgent - ok
19:45:15.0520 1144 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:45:15.0540 1144 redbook - ok
19:45:16.0071 1144 RTL8023xp (47b8ea4493ebffb3d6a0e06cd03c5aba) C:\WINDOWS\system32\DRIVERS\FA311XP.SYS
19:45:16.0101 1144 RTL8023xp - ok
19:45:16.0581 1144 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
19:45:16.0591 1144 rtl8139 - ok
19:45:17.0092 1144 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:45:17.0102 1144 Secdrv - ok
19:45:17.0553 1144 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
19:45:17.0563 1144 serenum - ok
19:45:17.0973 1144 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
19:45:18.0003 1144 Serial - ok
19:45:18.0514 1144 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:45:18.0514 1144 Sfloppy - ok
19:45:19.0085 1144 Sftfs (44d20201a6c3fe4a634a559f8105f5b4) C:\WINDOWS\system32\DRIVERS\Sftfsxp.sys
19:45:19.0295 1144 Sftfs - ok
19:45:19.0776 1144 Sftplay (0e108d75f8db551669e5eb37cbf5bc02) C:\WINDOWS\system32\DRIVERS\Sftplayxp.sys
19:45:19.0856 1144 Sftplay - ok
19:45:20.0257 1144 Sftredir (65b31b4ba9efeace4dd95ed94051139f) C:\WINDOWS\system32\DRIVERS\Sftredirxp.sys
19:45:20.0267 1144 Sftredir - ok
19:45:20.0637 1144 Sftvol (97604f605310f50dc49a2994c3264a42) C:\WINDOWS\system32\DRIVERS\Sftvolxp.sys
19:45:20.0647 1144 Sftvol - ok
19:45:21.0048 1144 Simbad - ok
19:45:21.0559 1144 Slntamr (2c1779c0feb1f4a6033600305eba623a) C:\WINDOWS\system32\DRIVERS\slntamr.sys
19:45:21.0709 1144 Slntamr - ok
19:45:22.0119 1144 SlNtHal (f9b8e30e82ee95cf3e1d3e495599b99c) C:\WINDOWS\system32\DRIVERS\Slnthal.sys
19:45:22.0149 1144 SlNtHal - ok
19:45:22.0530 1144 SlWdmSup (db56bb2c55723815cf549d7fc50cfceb) C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys
19:45:22.0550 1144 SlWdmSup - ok
19:45:23.0021 1144 Sparrow - ok
19:45:23.0381 1144 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:45:23.0381 1144 splitter - ok
19:45:23.0802 1144 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:45:23.0832 1144 sr - ok
19:45:24.0443 1144 SRTSP (ec5c3c6260f4019b03dfaa03ec8cbf6a) C:\WINDOWS\System32\Drivers\NIS\1109000.00C\SRTSP.SYS
19:45:24.0583 1144 SRTSP - ok
19:45:25.0054 1144 SRTSPX (55d5c37ed41231e3ac2063d16df50840) C:\WINDOWS\system32\drivers\NIS\1109000.00C\SRTSPX.SYS
19:45:25.0074 1144 SRTSPX - ok
19:45:25.0584 1144 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
19:45:25.0715 1144 Srv - ok
19:45:26.0145 1144 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:45:26.0145 1144 swenum - ok
19:45:26.0506 1144 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:45:26.0526 1144 swmidi - ok
19:45:26.0956 1144 symc810 - ok
19:45:27.0287 1144 symc8xx - ok
19:45:27.0647 1144 SYMDNS - ok
19:45:28.0148 1144 SymDS (56890bf9d9204b93042089d4b45ae671) C:\WINDOWS\system32\drivers\NIS\1109000.00C\SYMDS.SYS
19:45:28.0268 1144 SymDS - ok
19:45:28.0759 1144 SymEFA (10ba64273feff4df0a7ccb0ff3b9b26b) C:\WINDOWS\system32\drivers\NIS\1109000.00C\SYMEFA.SYS
19:45:28.0819 1144 SymEFA - ok
19:45:29.0300 1144 SymEvent (961b48b86f94d4cc8ceb483f8aa89374) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
19:45:29.0350 1144 SymEvent - ok
19:45:29.0720 1144 SYMFW - ok
19:45:30.0081 1144 SYMIDS - ok
19:45:30.0511 1144 SymIRON (dc80fbf0a348e54853ef82eed4e11e35) C:\WINDOWS\system32\drivers\NIS\1109000.00C\Ironx86.SYS
19:45:30.0562 1144 SymIRON - ok
19:45:31.0002 1144 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys
19:45:31.0012 1144 symlcbrd - ok
19:45:31.0343 1144 SYMNDIS - ok
19:45:31.0693 1144 SYMREDRV - ok
19:45:32.0214 1144 SYMTDI (be6de8fbf2df9f13a90b8b6e943871b7) C:\WINDOWS\System32\Drivers\NIS\1109000.00C\SYMTDI.SYS
19:45:32.0224 1144 SYMTDI - ok
19:45:32.0594 1144 sym_hi - ok
19:45:32.0935 1144 sym_u3 - ok
19:45:33.0326 1144 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:45:33.0366 1144 sysaudio - ok
19:45:33.0826 1144 TBPanel (04e1c782cf14b7282ebc633b0fd3ed16) C:\WINDOWS\system32\drivers\TBPanel.sys
19:45:33.0826 1144 TBPanel - ok
19:45:34.0307 1144 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:45:34.0437 1144 Tcpip - ok
19:45:34.0878 1144 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys
19:45:34.0958 1144 Tcpip6 - ok
19:45:35.0318 1144 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:45:35.0318 1144 TDPIPE - ok
19:45:35.0719 1144 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:45:35.0729 1144 TDTCP - ok
19:45:36.0099 1144 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:45:36.0120 1144 TermDD - ok
19:45:36.0500 1144 TosIde - ok
19:45:36.0931 1144 TotRec7 (fcfe17ff1452c963e6b2bb9917cb11e5) C:\WINDOWS\system32\drivers\TotRec7.sys
19:45:36.0981 1144 TotRec7 - ok
19:45:37.0421 1144 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:45:37.0441 1144 Udfs - ok
19:45:37.0802 1144 ultra - ok
19:45:38.0303 1144 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:45:38.0463 1144 Update - ok
19:45:38.0894 1144 upperdev (ec01da44b090d2651fc032c8b9257232) C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys
19:45:38.0904 1144 upperdev - ok
19:45:39.0334 1144 USBAAPL (c1ca131f4e3ed63d6bc89a35ffad4cda) C:\WINDOWS\system32\Drivers\usbaapl.sys
19:45:39.0344 1144 USBAAPL - ok
19:45:39.0795 1144 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:45:39.0815 1144 usbccgp - ok
19:45:40.0185 1144 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:45:40.0205 1144 usbhub - ok
19:45:40.0556 1144 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:45:40.0566 1144 usbprint - ok
19:45:40.0987 1144 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:45:40.0997 1144 usbscan - ok
19:45:41.0427 1144 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\drivers\usbser.sys
19:45:41.0437 1144 usbser - ok
19:45:41.0878 1144 UsbserFilt (4abd37cfbd710e64f01f9da8710c73f7) C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys
19:45:41.0888 1144 UsbserFilt - ok
19:45:42.0278 1144 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:45:42.0288 1144 USBSTOR - ok
19:45:42.0649 1144 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:45:42.0669 1144 usbuhci - ok
19:45:43.0019 1144 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:45:43.0029 1144 VgaSave - ok
19:45:43.0390 1144 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
19:45:43.0410 1144 viaagp - ok
19:45:43.0740 1144 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
19:45:43.0761 1144 ViaIde - ok
19:45:44.0091 1144 VIAPFD (d956827780a0b7eae97930116e5649f7) C:\WINDOWS\System32\Drivers\VIAPFD.SYS
19:45:44.0091 1144 VIAPFD - ok
19:45:44.0462 1144 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:45:44.0492 1144 VolSnap - ok
19:45:44.0962 1144 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:45:44.0972 1144 Wanarp - ok
19:45:45.0433 1144 wanusb (d648353f789cfb7abac3e1ac0686e82d) C:\WINDOWS\system32\DRIVERS\gwausb.sys
19:45:45.0533 1144 wanusb - ok
19:45:46.0094 1144 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
19:45:46.0254 1144 Wdf01000 - ok
19:45:46.0645 1144 WDICA - ok
19:45:47.0065 1144 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:45:47.0095 1144 wdmaud - ok
19:45:47.0806 1144 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
19:45:47.0826 1144 WpdUsb - ok
19:45:48.0347 1144 WudfPf (50eb9e21963b4f06fd010d007d54351b) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:45:48.0377 1144 WudfPf - ok
19:45:48.0768 1144 WudfRd (6e209664bdea8a15b5e8e480d6c607c2) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:45:48.0798 1144 WudfRd - ok
19:45:49.0018 1144 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
19:45:49.0058 1144 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
19:45:49.0058 1144 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
19:45:49.0098 1144 Boot (0x1200) (cd4c06c4ccc5f3525f252d85f01f5b15) \Device\Harddisk0\DR0\Partition0
19:45:49.0108 1144 \Device\Harddisk0\DR0\Partition0 - ok
19:45:49.0128 1144 ============================================================
19:45:49.0128 1144 Scan finished
19:45:49.0128 1144 ============================================================
19:45:49.0198 1628 Detected object count: 1
19:45:49.0198 1628 Actual detected object count: 1
19:48:15.0929 1628 \Device\Harddisk0\DR0\# - copied to quarantine
19:48:15.0929 1628 \Device\Harddisk0\DR0 - copied to quarantine
19:48:16.0039 1628 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
19:48:16.0039 1628 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
19:48:16.0049 1628 \Device\Harddisk0\DR0\TDLFS\bid - copied to quarantine
19:48:16.0049 1628 \Device\Harddisk0\DR0\TDLFS\affid - copied to quarantine
19:48:16.0110 1628 \Device\Harddisk0\DR0\TDLFS\boot - copied to quarantine
19:48:16.0130 1628 \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
19:48:16.0200 1628 \Device\Harddisk0\DR0\TDLFS\cmd64 - copied to quarantine
19:48:16.0200 1628 \Device\Harddisk0\DR0\TDLFS\dbg32 - copied to quarantine
19:48:16.0210 1628 \Device\Harddisk0\DR0\TDLFS\dbg64 - copied to quarantine
19:48:16.0230 1628 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
19:48:16.0250 1628 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
19:48:16.0280 1628 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
19:48:16.0280 1628 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
19:48:16.0290 1628 \Device\Harddisk0\DR0\TDLFS\main - copied to quarantine
19:48:16.0290 1628 \Device\Harddisk0\DR0\TDLFS\subid - copied to quarantine
19:48:16.0340 1628 \Device\Harddisk0\DR0\TDLFS\info - copied to quarantine
19:48:16.0400 1628 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
19:48:16.0400 1628 \Device\Harddisk0\DR0 - ok
19:48:16.0400 1628 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
19:50:25.0295 0900 Deinitialize success



Malwarebytes Scan Log Report:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.08.07

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
Richard :: RICHARDMORGANS [administrator]

08/02/2012 21:02:39
mbam-log-2012-02-08 (21-02-39).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 512067
Time elapsed: 3 hour(s), 6 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|KndCLIWLJesl.exe (Rogue.Agent.SA) -> Data: C:\Documents and Settings\All Users\Application Data\KndCLIWLJesl.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 3
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 10
C:\Documents and Settings\Richard\Local Settings\Temp\0.7618069387803351.exe_1328467923.arl (Trojan.Agent.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Richard\Local Settings\Temp\148.tmp_1328467923.arl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\08.02.2012_19.42.54\mbr0000\tdlfs0000\tsk0005.dta (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\08.02.2012_19.42.54\mbr0000\tdlfs0000\tsk0006.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\08.02.2012_19.42.54\mbr0000\tdlfs0000\tsk0007.dta (Rootkit.TDSS.64) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\08.02.2012_19.42.54\mbr0000\tdlfs0000\tsk0008.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\08.02.2012_19.42.54\mbr0000\tdlfs0000\tsk0009.dta (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\08.02.2012_19.42.54\mbr0000\tdlfs0000\tsk0010.dta (Rootkit.TDSS.64) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\08.02.2012_19.42.54\mbr0000\tdlfs0000\tsk0012.dta (Rootkit.TDSS.64) -> Quarantined and deleted successfully.
C:\Documents and Settings\Richard\Desktop\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

(end)



DDS Scan Log Report:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Richard at 18:30:47 on 2012-02-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.468 [GMT 0:00]
.
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.co.uk/webhp?rls=ig
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.9.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.9.0.12\IPSBHO.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.9.0.12\coIEPlg.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UpdReg] c:\windows\Updreg.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [GSICONEXE] gsicon.exe
mRun: [Gainward] c:\program files\xpertvision\TBPanel.exe /A
mRun: [DSLAGENTEXE] dslagent.exe USB
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [lxeamon.exe] "c:\program files\lexmark s300-s400 series\lxeamon.exe"
mRun: [EzPrint] "c:\program files\lexmark s300-s400 series\ezprint.exe"
mRun: [Lexmark S300-S400 Series Fax Server] "c:\program files\lexmark s300-s400 series\fm3032.exe" /s
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\timeleft.lnk - c:\program files\timeleft3\TimeLeft.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\btbroa~1.lnk - c:\program files\bt broadband\help\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
uPolicies-explorer: <NO NAME> =
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {21196042-830F-419f-A594-F9D456A6C29A} - {21196042-830F-419f-A594-F9D456A6C29A} c:\program files\timeleft3\tlintergie.html - c:\program files\timeleft3\tlintergie.html\inprocserver32 does not exist!
Trusted Zone: download.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1305630953245
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_3_1_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553548000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{ADD0D8CF-122A-4369-966E-591CBF7A84A6} : DhcpNameServer = 192.168.1.1 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\richard\application data\mozilla\firefox\profiles\nx4bie68.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\nokia\nokia ovi suite\connectors\bookmarks connector\firefoxextension\components\FirefoxExtension.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: FoxyProxy Standard: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: FoxyProxy Basic: foxyproxy@eric.h.jung - %profile%\extensions\foxyproxy@eric.h.jung
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Firefox Synchronisation Extension: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70} - c:\program files\nokia\nokia ovi suite\connectors\bookmarks connector\FirefoxExtension
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\IPSFFPlgn
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1109000.00c\symds.sys [2011-10-12 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1109000.00c\symefa.sys [2011-10-12 173176]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20110419.001\BHDrvx86.sys [2011-4-19 802936]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1109000.00c\cchpx86.sys [2011-10-12 485512]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1109000.00c\ironx86.sys [2011-10-12 116784]
S2 ccProxy;Symantec Network Proxy;c:\program files\norton internet security\addons\norton addon pack\engine\4.7.0.10\ccproxy.exe [2010-8-10 194424]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
S2 gupdate1c987064a86c0e0;Google Update Service (gupdate1c987064a86c0e0);c:\program files\google\update\GoogleUpdate.exe [2009-2-4 133104]
S2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
S2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [2011-8-27 98984]
S2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.9.0.12\ccsvchst.exe [2011-10-12 126400]
S2 PCPrintLogger;PaperCut Print Logger;c:\program files\papercut print logger\pcpl.exe [2011-6-13 401408]
S2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]
S2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2005-10-16 1246088]
S3 dfg;dfg;c:\windows\system32\drivers\dfg.sys [2011-4-13 23552]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-3-24 102448]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-4 133104]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20110420.001\IDSXpx86.sys [2011-4-21 341944]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20110420.035\NAVENG.SYS [2011-4-21 86136]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\virusdefs\20110420.035\NAVEX15.SYS [2011-4-21 1393144]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [2009-12-2 584680]
S3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [2009-12-2 209512]
S3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-12-2 20584]
S3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [2009-12-2 18280]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
S3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [2009-2-11 128008]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\BCSwap.sys [2002-8-16 83456]
.
=============== Created Last 30 ================
.
2012-02-17 02:54:04 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-02-17 02:54:04 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-14 21:28:34 -------- d-----w- C:\spoolerlogs
2012-02-08 20:56:30 -------- d-----w- c:\documents and settings\richard\application data\Malwarebytes
2012-02-08 20:55:13 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-02-08 20:55:11 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-08 20:55:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-08 19:48:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-29 04:46:33 344832 ----a-w- c:\documents and settings\all users\application data\fjfLuGkxshvH0I.exe_1328467923.arl
2012-01-26 20:26:00 -------- d-----w- C:\Install
.
==================== Find3M ====================
.
2012-01-16 09:29:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 18:31:21.09 ===============

Thanks again.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 PM

Posted 17 February 2012 - 02:38 PM

About.com and Click.com are known for popups and tracking cookies.

Install this MVP hosts file and I'm sure most of them will be eliminated.

Download HostsXpert

Tutorial, go here:
http://i28.photobucket.com/albums/c227/tetonbob/emoticons/HostsXpert4.jpg
  • Unzip HostsXpert to its own folder.
  • Run HostsXpert.exe
  • Click: Make Writable? in the upper left corner.
  • Click: Download
  • Click: MVPs Hosts
  • Click: Replace
  • Click: OK
  • Click: Make ReadOnly
  • Close HostsXpert.
Note: If a custom Hosts file was in place, also edit those entries back in.
*/*
I suggest that you update to the new version of the Hosts file every 6 weeks. I do.

All you need to know about the hosts file.
http://www.mvps.org/winhelp2002/hosts.htm
===

Please let me know what problem persists.

#14 fraser06

fraser06
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:06:14 PM

Posted 22 February 2012 - 06:34 PM

Nasdaq,

OK, I am hoping that my PC might be nearly back to how it was. I installed HostsXpert and followed its instructions, including replacing my HOSTS file etc. I immediately noticed a reduction in the amount of pop ups that have been appearing in almost every web page I have been opening. But it failed to remove About.Blank. As I select certain webpages, there is a short, or longer, pause, with a message in the Task Bar "Waiting for About.Blank" before the page opens. This is a pain. I have read that About.Blank can run processes in the background and consume processor capacity. I don't know if this is correct. But when I start Windows, there is an initial period of up to about 8 minutes during which my processor is running at over 80% capacity, making it very difficult to open or run things. Then after that time, it either suddenly or gradually reduces back down to 2-5%. And often I cannot identify from Task Manager any specific processes which are causing this.

Anyway, I also downloaded and ran Microsoft's Windows Defender overnight. It identified 2 Trojans and an Adware. The first Trojan, "Trojan:Win32/FakeSysdef" was the "System Check" program that seems to have caused all my problems when it infested my PC on 29 January, and has been sitting in my "All Programs" menu (accessed via the START button) ever since. Here is its scan report:

Name Alert Level Action Taken
Trojan:Win32/FakeSysdef Severe Removed

Category:
Trojan

Description:
This program is dangerous and executes commands from an attacker.

Advice:
Remove this software immediately.

Resources:
file:
c:\documents and settings\richard\Start Menu\Programs\system check\Uninstall System Check.lnk

file:
c:\documents and settings\richard\Start Menu\Programs\system check\System Check.lnk

file:
c:\documents and settings\richard\Desktop\system check.lnk

file:
c:\documents and settings\richard\Application Data\microsoft\internet explorer\quick launch\system check.lnk

file:
C:\Documents and Settings\All Users\Application Data\fjfLuGkxshvH0I.exe_1328467923.arl->(UPX)

containerfile:
C:\Documents and Settings\All Users\Application Data\fjfLuGkxshvH0I.exe_1328467923.arl

folder:
c:\documents and settings\richard\Start Menu\Programs\system check\

View more information about this item online


Adware:Win32/OpenCandy Low Removed

Category:
Adware

Description:
This program delivers potentially unwanted advertisements to your computer.

Advice:
Permit this detected item only if you trust the program or the software publisher.

Resources:
file:
C:\Documents and Settings\Alex\My Documents\My Music\MusicnotesSuite.exe->(inno#000108)

containerfile:
C:\Documents and Settings\Alex\My Documents\My Music\MusicnotesSuite.exe

View more information about this item online


Trojan:Win32/Sefnit.AA Severe Removed

Category:
Trojan

Description:
This program is dangerous and executes commands from an attacker.

Advice:
Remove this software immediately.

Resources:
file:
C:\Documents and Settings\Richard\Local Settings\Temp\ms0cfg32.exe_1328467923.arl->(VFS:smiPathMusic.dll)

containerfile:
C:\Documents and Settings\Richard\Local Settings\Temp\ms0cfg32.exe_1328467923.arl

View more information about this item online.



I selected the "Remove" by Windows Defender option for all three items.

To try to get rid of the About.Blank infection, I downloaded a trial version of Emsisoft's Anti-Malware program. Its full scan failed to identify or remove About.Blank. The only thing it did identify was a Patch.exe file from a music software program I have. I suspect that was a false positive, but deleted it anyway.

Can you recommend any other program that would specifically tackle About.Blank?
Thanks.

#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 PM

Posted 23 February 2012 - 10:39 AM

Clean these.

Go Posted Image > run box and type cmd and hit OK
type
ipconfig /flushdns <-- (The space between g and / is needed)

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit Enter
*/*

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

On a Vista or Windows 7 operating system right click on the fixme.reg file and run as Administrator.

Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

===

Let me know if the about:blank persists.
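The fixme.reg in the post above works by deleting each ZoneMap key ([-KEY]) and immediately recreating it empty ([KEY]), which wipes any Trusted or Restricted zone entries a hijacker added (the DDS log earlier shows "Trusted Zone: download.com"). As an added example that is not code from the original post, here is a small Python parser for the .reg format that lists the operations such a file performs and confirms every deleted key is recreated, so a fix can be reviewed before it is merged; the sample text is constructed and mirrors the post's ZoneMap keys.

```python
"""Review a REGEDIT4-style .reg fix before merging: list each operation
and check that every deleted key is recreated. Added example, not from the
original post; FIXME_REG is a constructed sample mirroring the post's fix."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")          # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.+)$')  # "name"=data

FIXME_REG = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
"""

@dataclass
class RegOp:
    action: str                  # delete_key | create_key | set_value | delete_value
    key: str
    name: Optional[str] = None   # value name; "(Default)" stands for "@"
    data: Optional[str] = None   # raw data text, e.g. dword:00000001

def parse_reg(text: str) -> List[RegOp]:
    """Turn .reg text into operations: [-KEY] deletes a key, [KEY] creates
    it, "name"=- deletes a value, any other "name"=data sets one."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing header line")
    ops: List[RegOp] = []
    current: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            current = key
            ops.append(RegOp("delete_key" if minus else "create_key", key))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            name = "(Default)" if name == "@" else name[1:-1]
            if data.strip() == "-":
                ops.append(RegOp("delete_value", current, name))
            else:
                ops.append(RegOp("set_value", current, name, data.strip()))
            continue
        raise ValueError(f"unparsed line: {raw!r}")
    return ops

def review_reset(ops: List[RegOp]) -> Tuple[List[str], List[str]]:
    """Split deleted keys into those recreated later (a clean reset, as in
    the ZoneMap fix) and those never recreated (the key would simply vanish)."""
    reset, dropped = [], []
    for i, op in enumerate(ops):
        if op.action != "delete_key":
            continue
        later = (o for o in ops[i + 1:] if o.action == "create_key")
        if any(o.key.lower() == op.key.lower() for o in later):
            reset.append(op.key)
        else:
            dropped.append(op.key)
    return reset, dropped
```

Running review_reset(parse_reg(FIXME_REG)) returns both ZoneMap keys in the reset list and nothing in the dropped list; a file that only deleted a key without recreating it would show up in the second list.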



