
Infected with Zeroaccess rootkit?


  • This topic is locked
28 replies to this topic

#1 LMoseley

LMoseley

  • Members
  • 86 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 09 February 2012 - 07:35 PM

Posting here on instructions from narenxp, based on his evaluation of my TDSSKiller, GMER and aswMBR logs and his conclusion that I have the zeroaccess rootkit.

Original post & logs: http://www.bleepingcomputer.com/forums/topic441931.html

Thanks for any help...

============

The situation

The computer is an older Dell running WinXP Prof SP3 with all Windows Updates installed. Everything was running fine until she opened an attachment on a spoofed e-mail from her “mom.” The immediate symptoms: VERY slow to boot up and shut down (up to 5 minutes each way). Programs work OK. Browser works. Clicking links, including Google links, randomly went to the intended site OR redirected to abnow.com or mediashifting.com. System Restore appeared to work: the SR program ran, allowed picking a restore date, rebooted, then showed a failure message. Trying different dates didn’t change the outcome. AUTORUNS shows no obvious problems. HOSTS file contents are normal (set by Spybot S&D, lots of 128.0.0.1 entries).

The machine was on my bench today at noon, and Norton AV ran at its scheduled time. It reported deleting Trojan.Maljava, Trojan.Gen and Suspicious.Mystic. After a (SLOW) reboot, Norton’s AutoProtect started showing multiple deletions of Trojan.Gen.2 and Trojan.Zeroaccess, sometimes one at a time and sometimes in batches, one right after another.

Current situation: The computer boots normally to a normal desktop, but is still very slow to boot and shut down. Programs run as expected. Internet Explorer runs, but cannot connect to the internet. The computer cannot see, or be seen by, other computers on the home local network. On bootup, Norton AV complains that TCP/IP is not working. Using “netsh int ip reset” had no effect.


ADDITIONAL INFORMATION:

On bootup, I get this message from Norton (which is set to monitor e-mail). Clicking the link doesn’t work.

[Image of the Norton bootup message not preserved]

On shutdown, I often (but not always) get a message that appears for just a couple of seconds about not being able to shut down _TPAWIA automatically. (A Google search says that this is related to a Kodak camera driver, which she does have installed, so this is probably nothing.)

Even though the network and internet are down on that machine, the USB does work, so I can copy programs and save results via thumb drive.


================================================================================================================


DEFOGGER LOG
defogger _disable by jpshortstuff (23.02.10.1)
Log created at 17:53 on 09/02/2012 (Denise)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-


================================================================================================================


DDS LOG
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Denise at 17:58:41 on 2012-02-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.196 [GMT -5:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FreeBar\FreeBar.exe
svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\tomtom\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\PROGRA~1\BXNEWF~1\bxExpHelper.exe
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: bxNewFolder: {51c8bca8-2524-4523-bf09-738c4eebfc58} - c:\progra~1\bxnewf~1\BXNEWF~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [FreeBar] "c:\program files\freebar\FreeBar.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [pdfFactory Pro Dispatcher v3] "c:\windows\system32\spool\drivers\w32x86\3\fppdis3a.exe" /source=HKLM
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodaks~1.lnk - c:\program files\kodak\kodak software updater\7288971\program\Kodak Software Updater.exe
IE: &GoogleSearch - c:\search\search.htm
IE: &Search - c:\search\search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289710413734
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289774304515
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2009-6-14 339328]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2009-6-14 55168]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2009-8-3 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2009-8-3 169320]
R2 PD91Agent;PD91Agent;c:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-12-31 693512]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2009-9-1 1966008]
R2 TomTomHOMEService;TomTomHOMEService;d:\tomtom\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-8 106104]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120207.005\naveng.sys [2012-2-8 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120207.005\navex15.sys [2012-2-8 1576312]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-11 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-11 136176]
S3 PD91Engine;PD91Engine;c:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-12-31 910600]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2009-9-1 116664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
txtfile="c:\program files\jgsoft\editpadpro6\EditPadPro.exe" "%1"
.
=============== Created Last 30 ================
.
2012-02-08 04:59:25 -------- d-----w- C:\ERDNT
2012-01-26 18:56:12 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-26 18:54:06 -------- d-sh--w- c:\documents and settings\denise\local settings\application data\6f7b94cc
.
==================== Find3M ====================
.
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
.
============= FINISH: 17:59:42.01 ===============


================================================================================================================


GMER LOG


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-09 19:06:39
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-75MSA3 rev.10.01E04
Running: 42ob93uj.exe; Driver: C:\DOCUME~1\Denise\LOCALS~1\Temp\kxddaaod.sys


---- System - GMER 1.0.15 ----

SSDT 863B22F0 ZwAlertResumeThread
SSDT 862E3C00 ZwAlertThread
SSDT 863CFD78 ZwAllocateVirtualMemory
SSDT 8640C5F8 ZwConnectPort
SSDT 86321700 ZwCreateMutant
SSDT 8640BCB0 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA9D8B690]
SSDT 863E6638 ZwFreeVirtualMemory
SSDT 863DADD8 ZwImpersonateAnonymousToken
SSDT 86528F50 ZwImpersonateThread
SSDT 8647D8B0 ZwMapViewOfSection
SSDT 862FCB58 ZwOpenEvent
SSDT 863D0E00 ZwOpenProcessToken
SSDT 863E56B0 ZwOpenThreadToken
SSDT 864B44A8 ZwQueryValueKey
SSDT 86346138 ZwResumeThread
SSDT 863E43E8 ZwSetContextThread
SSDT 863E5AF0 ZwSetInformationProcess
SSDT 863E33F8 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA9D8B8E0]
SSDT 8619FE10 ZwSuspendProcess
SSDT 86422AB0 ZwSuspendThread
SSDT 863D23E8 ZwTerminateProcess
SSDT 862FF408 ZwTerminateThread
SSDT 863E5F40 ZwUnmapViewOfSection
SSDT 863CF938 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F38 805047D4 4 Bytes [E8, 43, 3E, 86]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FE8 80504884 8 Bytes CALL 88D685AC
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xA9E4BA00]
? C:\DOCUME~1\Denise\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB1096$\1870369996 0 bytes
File C:\WINDOWS\$NtUninstallKB1096$\1870369996\L 0 bytes
File C:\WINDOWS\$NtUninstallKB1096$\1870369996\U 0 bytes
File C:\WINDOWS\$NtUninstallKB1096$\3970510170 0 bytes

---- EOF - GMER 1.0.15 ----

Edited by LMoseley, 10 February 2012 - 08:46 AM.
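The logs above show the on-disk shape of this infection: an 8-hex-digit directory with hidden+system attributes under Local Settings\Application Data, a numeric directory inside a $NtUninstallKB…$ folder with L and U children, and 8-hex-digit files whose extension is just @ or $ (the ComboFix output further down the thread lists the same files as deletions). As an added example, not code from the thread, from BleepingComputer, or from the authors of DDS, GMER or ComboFix, here is a small Python triage script that reads pasted log lines and flags those layouts. The rule names, the Finding class and the helper functions are this example's own; the sample lines are copied from the logs posted in this thread with three benign lines from the same logs left in so the rules have something to ignore.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the DDS, GMER and ComboFix output
# posted in this thread. The first two and the last two lines are benign.
SAMPLE_LOG = r"""
2012-02-08 04:59:25 -------- d-----w- C:\ERDNT
2012-01-26 18:56:12 0 --sha-w- c:\windows\system32\dds_log_trash.cmd
2012-01-26 18:54:06 -------- d-sh--w- c:\documents and settings\denise\local settings\application data\6f7b94cc
File C:\WINDOWS\$NtUninstallKB1096$\1870369996 0 bytes
File C:\WINDOWS\$NtUninstallKB1096$\1870369996\L 0 bytes
File C:\WINDOWS\$NtUninstallKB1096$\1870369996\U 0 bytes
c:\documents and settings\Denise\Local Settings\Application Data\6f7b94cc\U\000000c0.@
c:\documents and settings\Denise\Local Settings\Application Data\6f7b94cc\U\800000c0.$
c:\windows\$NtUninstallKB1096$\24845701
c:\windows\system32\{95808DC4-FA4A-4c74-92FE-5B863F82066B}.dll
c:\windows\system32\afd.dll
"""


@dataclass(frozen=True)
class Finding:
    rule: str      # which layout matched (rule names are this example's own)
    path: str      # the path extracted from the log line
    hidden: bool   # True when a DDS attribute column shows a hidden+system dir


_DRIVE_RE = re.compile(r"[A-Za-z]:\\")                 # start of a Windows path
_TRAILING_SIZE_RE = re.compile(r"\s+\d+\s+bytes\s*$")   # GMER "File ... 0 bytes"

# The three layouts visible in the thread's logs (matched on the lowercased path):
#   1. an 8-hex-digit directory under Local Settings\Application Data,
#      optionally its L or U child;
#   2. a purely numeric directory under a $NtUninstallKB<n>$ folder, again with
#      an optional L or U child, which is not how a genuine hotfix uninstall
#      folder is laid out;
#   3. an 8-hex-digit file whose extension is just "@" or "$".
_RULES = [
    ("hex-dir-under-appdata", re.compile(r"\\application data\\[0-9a-f]{8}(\\[lu])?$")),
    ("fake-kb-uninstall-store", re.compile(r"\\\$ntuninstallkb\d+\$\\\d+(\\[lu])?$")),
    ("payload-file-at-or-dollar", re.compile(r"\\[0-9a-f]{8}\.[@$]$")),
]


def extract_path(line: str) -> Optional[str]:
    """Pull the Windows path out of a DDS, GMER or ComboFix log line."""
    m = _DRIVE_RE.search(line)
    if not m:
        return None
    path = line[m.start():].rstrip()
    return _TRAILING_SIZE_RE.sub("", path)


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line matches one of the layouts, else None."""
    path = extract_path(line)
    if path is None:
        return None
    lowered = path.lower()
    # DDS prints an attribute column such as "d-sh--w-" before the path.
    hidden = re.search(r"\sd-sh", line) is not None
    for rule, pattern in _RULES:
        if pattern.search(lowered):
            return Finding(rule, path, hidden)
    return None


def scan_log(text: str) -> list:
    """Classify every line of a pasted log; lines matching no rule are dropped."""
    findings = []
    for line in text.splitlines():
        finding = classify(line)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings) -> dict:
    """Count findings per rule for a quick read of what the log shows."""
    counts = {}
    for finding in findings:
        counts[finding.rule] = counts.get(finding.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        flag = " (hidden+system)" if hit.hidden else ""
        print(f"{hit.rule:28} {hit.path}{flag}")
    print(summarize(hits))
```

Paste any of the three logs into SAMPLE_LOG, or read a saved log file and pass its text to scan_log, and the output lists which layout each suspicious path matches. The hidden flag is only meaningful for DDS lines, since GMER and ComboFix do not print an attribute column, and a match is a triage pointer to hand to the helper, not a verdict: the tools themselves do the actual inspection and removal.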



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:34 AM

Posted 10 February 2012 - 02:37 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 LMoseley

LMoseley
  • Topic Starter

  • Members
  • 86 posts
  • OFFLINE
  • Local time:01:34 AM

Posted 10 February 2012 - 01:35 PM

Thanks, Gringo.

ComboFix ran successfully, rebooted once with a message of rootkit activity. Because the machine does not have internet connectivity, the Restore Console could not be installed.

---------------------------------------------------------------

COMBOFIX LOG

ComboFix 12-02-10.01 - Denise 02/10/2012 12:56:59.1.2 - x86
Running from: f:\trojan tools\ComboFix\ComboFix-2012-02.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Denise\Local Settings\Application Data\6f7b94cc\U
c:\documents and settings\Denise\Local Settings\Application Data\6f7b94cc\U\000000c0.@
c:\documents and settings\Denise\Local Settings\Application Data\6f7b94cc\U\000000cb.@
c:\documents and settings\Denise\Local Settings\Application Data\6f7b94cc\U\000000cf.@
c:\documents and settings\Denise\Local Settings\Application Data\6f7b94cc\U\800000c0.$
c:\documents and settings\Denise\WINDOWS
c:\windows\$NtUninstallKB1096$\24845701
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\system32\{95808DC4-FA4A-4c74-92FE-5B863F82066B}.dll
c:\windows\system32\3c1807pd.dll
c:\windows\system32\3compxe.dll
c:\windows\system32\3dkeybd.dll
c:\windows\system32\a016mdfl.dll
c:\windows\system32\A4S2600.dll
c:\windows\system32\aavmker4.dll
c:\windows\system32\aawservice.dll
c:\windows\system32\abp480n5.dll
c:\windows\system32\acdpowerservice.dll
c:\windows\system32\acedrv05.dll
c:\windows\system32\acrsch2svc.dll
c:\windows\system32\acsvc.dll
c:\windows\system32\addfiltr.dll
c:\windows\system32\admservice.dll
c:\windows\system32\ADSMService.dll
c:\windows\system32\adsservice.dll
c:\windows\system32\AEADIFilters.dll
c:\windows\system32\AeLookupSvc.dll
c:\windows\system32\Afc.dll
c:\windows\system32\afd.dll
c:\windows\system32\AffinegyService.dll
c:\windows\system32\agnfilt.dll
c:\windows\system32\alcaudsl.dll
c:\windows\system32\alcxsens.dll
c:\windows\system32\alcxwdm.dll
c:\windows\system32\alertservice.dll
c:\windows\system32\amdk7.dll
c:\windows\system32\AMDPCI.dll
c:\windows\system32\amusbprt.dll
c:\windows\system32\AN983.dll
c:\windows\system32\anio.dll
c:\windows\system32\arcltsrv.dll
c:\windows\system32\arp1394.dll
c:\windows\system32\as32svc.dll
c:\windows\system32\AsDsm.dll
c:\windows\system32\ASFWHide.dll
c:\windows\system32\AsIO.dll
c:\windows\system32\askernel.dll
c:\windows\system32\AsuhfivrO.dll
c:\windows\system32\asusgsb.dll
c:\windows\system32\asyncmac.dll
c:\windows\system32\ati2mtag.dll
c:\windows\system32\atikmdag.dll
c:\windows\system32\atimpab.dll
c:\windows\system32\atinrvxx.dll
c:\windows\system32\ATKFUSService.dll
c:\windows\system32\ATNT40K.dll
c:\windows\system32\avc.dll
c:\windows\system32\avcgbfl.dll
c:\windows\system32\avg7core.dll
c:\windows\system32\avg7updsvc.dll
c:\windows\system32\avgntflt.dll
c:\windows\system32\awhost32.dll
c:\windows\system32\awlegacy.dll
c:\windows\system32\backupexecnamingservice.dll
c:\windows\system32\bantext.dll
c:\windows\system32\Bcim.dll
c:\windows\system32\BCM42RLY.dll
c:\windows\system32\bcm4sbxp.dll
c:\windows\system32\BCMModem.dll
c:\windows\system32\BCMTPM.dll
c:\windows\system32\bdfsfltr.dll
c:\windows\system32\bdpredir.dll
c:\windows\system32\bdselfpr.dll
c:\windows\system32\bdss.dll
c:\windows\system32\blueletscoaudio.dll
c:\windows\system32\BRCMDECO.dll
c:\windows\system32\brmfbags.dll
c:\windows\system32\BsHelpCS.dll
c:\windows\system32\bt3cusb.dll
c:\windows\system32\btnetfilter.dll
c:\windows\system32\bwcsrv.dll
c:\windows\system32\c-dillasrv.dll
c:\windows\system32\ca-messagequeuing.dll
c:\windows\system32\cachemanxp.dll
c:\windows\system32\camdrl.dll
c:\windows\system32\CAMFLT.dll
c:\windows\system32\ccispwdsvc.dll
c:\windows\system32\CdaC15BA.dll
c:\windows\system32\cdfs.dll
c:\windows\system32\cdmservice.dll
c:\windows\system32\cdr4_xp.dll
c:\windows\system32\cdudf_xp.dll
c:\windows\system32\CE3.dll
c:\windows\system32\cics.region2.dll
c:\windows\system32\cidaemon.dll
c:\windows\system32\cimnotify.dll
c:\windows\system32\client32.dll
c:\windows\system32\cmdmon.dll
c:\windows\system32\cmuda.dll
c:\windows\system32\cmudau.dll
c:\windows\system32\CoachAud.dll
c:\windows\system32\com0com.dll
c:\windows\system32\contentindex.dll
c:\windows\system32\cpqarry2.dll
c:\windows\system32\cpqfcalm.dll
c:\windows\system32\cq_mem.dll
c:\windows\system32\cqmgstor.dll
c:\windows\system32\crystalaps.dll
c:\windows\system32\crystaloutputfileserver.dll
c:\windows\system32\cs429x.dll
c:\windows\system32\csctl50.dll
c:\windows\system32\CTAUDFX.DLL.dll
c:\windows\system32\CTMFLT.dll
c:\windows\system32\ctusfsyn.dll
c:\windows\system32\curtainssyssvc.dll
c:\windows\system32\cvintdrv.dll
c:\windows\system32\CVPNDRVA.dll
c:\windows\system32\cxlpt.dll
c:\windows\system32\CXTUNE.dll
c:\windows\system32\cyberpowerups.dll
c:\windows\system32\dac960nt.dll
c:\windows\system32\datunidr.dll
c:\windows\system32\db2jds.dll
c:\windows\system32\DCamUSBEMPIA.dll
c:\windows\system32\DCamUSBSQTECH.dll
c:\windows\system32\DcCam.dll
c:\windows\system32\dds_log_trash.cmd
c:\windows\system32\Defrag32.dll
c:\windows\system32\defragfs.dll
c:\windows\system32\DgiVecp.dll
c:\windows\system32\DirectUpdate.dll
c:\windows\system32\dkeysync.dll
c:\windows\system32\dktknsrv.dll
c:\windows\system32\dlbx_device.dll
c:\windows\system32\dlpwd.dll
c:\windows\system32\dmboot.dll
c:\windows\system32\DMICall.dll
c:\windows\system32\DNE.dll
c:\windows\system32\dns4meclient.dll
c:\windows\system32\dnscache.dll
c:\windows\system32\dnsexit.dll
c:\windows\system32\dot4usb.dll
c:\windows\system32\DritekPortIO.dll
c:\windows\system32\dsNcAdpt.dll
c:\windows\system32\dsncservice.dll
c:\windows\system32\DumaNT.dll
c:\windows\system32\DVDRC.dll
c:\windows\system32\e1express.dll
c:\windows\system32\eabusb.dll
c:\windows\system32\EACSys.dll
c:\windows\system32\eaphost.dll
c:\windows\system32\eeyeevnt.dll
c:\windows\system32\elagopro.dll
c:\windows\system32\elbydelay.dll
c:\windows\system32\emproxy.dll
c:\windows\system32\EMSCR.dll
c:\windows\system32\enxpsvr.dll
c:\windows\system32\epfw.dll
c:\windows\system32\Epfwndis.dll
c:\windows\system32\epoxusdm.dll
c:\windows\system32\epsonstatusagent2.dll
c:\windows\system32\ET5Drv.dll
c:\windows\system32\evteng.dll
c:\windows\system32\Exportit.dll
c:\windows\system32\F700iat.dll
c:\windows\system32\F700iob.dll
c:\windows\system32\fasttx2k.dll
c:\windows\system32\fastuserswitchingcompatibility.dll
c:\windows\system32\filechecker.dll
c:\windows\system32\fingrd32.dll
c:\windows\system32\FireHook.dll
c:\windows\system32\FireTDI.dll
c:\windows\system32\fsdfwd.dll
c:\windows\system32\fsks.dll
c:\windows\system32\fssfltr.dll
c:\windows\system32\ftpqueue.dll
c:\windows\system32\GBDevice.dll
c:\windows\system32\gdihook5.dll
c:\windows\system32\ggsemc.dll
c:\windows\system32\ghaio.dll
c:\windows\system32\GoBack2K.dll
c:\windows\system32\GTSCSER.dll
c:\windows\system32\hclinetd.dll
c:\windows\system32\hidbatt.dll
c:\windows\system32\Hotkey.dll
c:\windows\system32\houdiniserver.dll
c:\windows\system32\hpgate.dll
c:\windows\system32\hpn.dll
c:\windows\system32\hpqcxs08.dll
c:\windows\system32\hpqddsvc.dll
c:\windows\system32\hpzid412.dll
c:\windows\system32\hsf_dp.dll
c:\windows\system32\HssDrv.dll
c:\windows\system32\HssSrv.dll
c:\windows\system32\HssTrayService.dll
c:\windows\system32\HWSCtrl.dll
c:\windows\system32\i2omp.dll
c:\windows\system32\iaimfp0.dll
c:\windows\system32\iaimfp1.dll
c:\windows\system32\iaimtv2.dll
c:\windows\system32\iam.dll
c:\windows\system32\ibmcicstransactiongateway.dll
c:\windows\system32\ibmpmsvc.dll
c:\windows\system32\ibmsmbus.dll
c:\windows\system32\igfx.dll
c:\windows\system32\inorpc.dll
c:\windows\system32\inort.dll
c:\windows\system32\intcazaudaddservice.dll
c:\windows\system32\IntuitUpdateService.dll
c:\windows\system32\ipssvc.dll
c:\windows\system32\irsir.dll
c:\windows\system32\isdrv120.dll
c:\windows\system32\isdrv122.dll
c:\windows\system32\iSMBIOS.dll
c:\windows\system32\issimon.dll
c:\windows\system32\ivscheduler.dll
c:\windows\system32\ixiaendpoint.dll
c:\windows\system32\JRAID.dll
c:\windows\system32\jukebox3.dll
c:\windows\system32\k750mdfl.dll
c:\windows\system32\k750mdm.dll
c:\windows\system32\kbdhid.dll
c:\windows\system32\kbstuff.dll
c:\windows\system32\keriomailserver.dll
c:\windows\system32\KLOGNT.dll
c:\windows\system32\KMWDFilter.dll
c:\windows\system32\kraidsvc.dll
c:\windows\system32\lgsnd_filter.dll
c:\windows\system32\lhidusb.dll
c:\windows\system32\license.dll
c:\windows\system32\lkclassads.dll
c:\windows\system32\lktimesync.dll
c:\windows\system32\lmimaint.dll
c:\windows\system32\logonsvcid.dll
c:\windows\system32\lsdiorw.dll
c:\windows\system32\LUsbFilt.dll
c:\windows\system32\LVPrcMon.dll
c:\windows\system32\lvusbsta.dll
c:\windows\system32\lwwlicenseservice.dll
c:\windows\system32\lxbx_device.dll
c:\windows\system32\lxcc_device.dll
c:\windows\system32\lxce_device.dll
c:\windows\system32\lxcr_device.dll
c:\windows\system32\lxdj_device.dll
c:\windows\system32\lxrsii1s.dll
c:\windows\system32\M3AD.dll
c:\windows\system32\ma763004.dll
c:\windows\system32\MA8032M.dll
c:\windows\system32\Maplom.dll
c:\windows\system32\MaRdPnp.dll
c:\windows\system32\marvinbus.dll
c:\windows\system32\matlabserver.dll
c:\windows\system32\MaxtorFrontPanel1.dll
c:\windows\system32\mcods.dll
c:\windows\system32\mcproxy.dll
c:\windows\system32\mediamaxxlservice.dll
c:\windows\system32\MegaSR.dll
c:\windows\system32\merakcontrol.dll
c:\windows\system32\mf.dll
c:\windows\system32\mfcom.dll
c:\windows\system32\mfesmfk.dll
c:\windows\system32\mhn.dll
c:\windows\system32\mi-raysat_3dsMax2008_32.dll
c:\windows\system32\MobilityService.dll
c:\windows\system32\mpe.dll
c:\windows\system32\mraid35x.dll
c:\windows\system32\mrobeservice.dll
c:\windows\system32\msftpsvc.dll
c:\windows\system32\msgsrvservice.dll
c:\windows\system32\msiserver.dll
c:\windows\system32\mssql$microsoftbcm.dll
c:\windows\system32\mssql$microsoftsmlbiz.dll
c:\windows\system32\mssql$pinnaclesys.dll
c:\windows\system32\mssqlserveradhelper.dll
c:\windows\system32\msvsmon90.dll
c:\windows\system32\mvdcodec.dll
c:\windows\system32\mwspollserver.dll
c:\windows\system32\mxserver.dll
c:\windows\system32\n558.dll
c:\windows\system32\napagent.dll
c:\windows\system32\nchssvad.dll
c:\windows\system32\netbios.dll
c:\windows\system32\netdde.dll
c:\windows\system32\NETGEAR_MA111.dll
c:\windows\system32\NETw4v32.dll
c:\windows\system32\nimdbgk.dll
c:\windows\system32\nisvcloc.dll
c:\windows\system32\nmap.dll
c:\windows\system32\nmwcdcj.dll
c:\windows\system32\noipducservice.dll
c:\windows\system32\npptnt2.dll
c:\windows\system32\nscirda.dll
c:\windows\system32\ntgrip.dll
c:\windows\system32\ntservice1.dll
c:\windows\system32\nv4.dll
c:\windows\system32\nvata.dll
c:\windows\system32\nvatabus.dll
c:\windows\system32\nvgts.dll
c:\windows\system32\NvNdis.dll
c:\windows\system32\NVNET.dll
c:\windows\system32\nvstor32.dll
c:\windows\system32\nvstor64.dll
c:\windows\system32\NWFILTER.dll
c:\windows\system32\nwlnkflt.dll
c:\windows\system32\nwlnkfwd.dll
c:\windows\system32\NWSNS.dll
c:\windows\system32\NWUSBModem.dll
c:\windows\system32\NWUSBPort.dll
c:\windows\system32\odysseyIM3.dll
c:\windows\system32\OEM02Vfx.dll
c:\windows\system32\olapserver.dll
c:\windows\system32\om518p.dll
c:\windows\system32\openvpnservice.dll
c:\windows\system32\oracle_load_balancer_60_server-forms6ip14.dll
c:\windows\system32\oracleorahome811cmadmin.dll
c:\windows\system32\oracleorahomemanagementserver.dll
c:\windows\system32\orbmediaservice.dll
c:\windows\system32\outpostfirewall.dll
c:\windows\system32\ovepstatusengine.dll
c:\windows\system32\ovt519.dll
c:\windows\system32\p17xfilt.dll
c:\windows\system32\paamsrv.dll
c:\windows\system32\pae_avs.dll
c:\windows\system32\parallel.dll
c:\windows\system32\partmgr.dll
c:\windows\system32\passthru.dll
c:\windows\system32\PBADRV.dll
c:\windows\system32\pca.dll
c:\windows\system32\pcampr5.dll
c:\windows\system32\PCASp50.dll
c:\windows\system32\pclepci.dll
c:\windows\system32\pcnet.dll
c:\windows\system32\PDExchange.dll
c:\windows\system32\pdlndint.dll
c:\windows\system32\pdlnshay.dll
c:\windows\system32\pdscheduler.dll
c:\windows\system32\penrendezvous.dll
c:\windows\system32\personalsecuredriveservice.dll
c:\windows\system32\pilogsrv.dll
c:\windows\system32\pimsgss.dll
c:\windows\system32\pinetmgr.dll
c:\windows\system32\pmj151la.dll
c:\windows\system32\PolarUSB.dll
c:\windows\system32\policyagent.dll
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\prevxdriver.dll
c:\windows\system32\prism_a02.dll
c:\windows\system32\protectedstorage.dll
c:\windows\system32\PSI_SVC_2.dll
c:\windows\system32\ptserial.dll
c:\windows\system32\qcdonner.dll
c:\windows\system32\ql2100.dll
c:\windows\system32\qserver.dll
c:\windows\system32\radiosvr.dll
c:\windows\system32\raysatxsi5_0server.dll
c:\windows\system32\rdpcdd.dll
c:\windows\system32\regspy.dll
c:\windows\system32\relational.dll
c:\windows\system32\remoteregistry.dll
c:\windows\system32\REVO.dll
c:\windows\system32\RimSerPort.dll
c:\windows\system32\rimvserport.dll
c:\windows\system32\RioS30.dll
c:\windows\system32\RivaTuner32.dll
c:\windows\system32\rkhdrv31.dll
c:\windows\system32\RMSvc.dll
c:\windows\system32\rootmodem.dll
c:\windows\system32\roxliveshare.dll
c:\windows\system32\roxmediadb9.dll
c:\windows\system32\roxupnpserver.dll
c:\windows\system32\rp32service.dll
c:\windows\system32\rpcsvr4x.dll
c:\windows\system32\rpsupdaterr.dll
c:\windows\system32\RSAFAL.dll
c:\windows\system32\rt2500.dll
c:\windows\system32\rtl8185.dll
c:\windows\system32\RushTopDevice.dll
c:\windows\system32\s116mdm.dll
c:\windows\system32\s116obex.dll
c:\windows\system32\s116unic.dll
c:\windows\system32\S3GIGP.dll
c:\windows\system32\s716mdfl.dll
c:\windows\system32\s7oppitx.dll
c:\windows\system32\SaiNtHid.dll
c:\windows\system32\sansaservice.dll
c:\windows\system32\ScFBPNT2.dll
c:\windows\system32\screadspool.dll
c:\windows\system32\sdbus.dll
c:\windows\system32\sdcoreservice.dll
c:\windows\system32\sdhelper.dll
c:\windows\system32\SE27obex.dll
c:\windows\system32\SE2Bobex.dll
c:\windows\system32\SE2Dobex.dll
c:\windows\system32\SE2Emdm.dll
c:\windows\system32\se44unic.dll
c:\windows\system32\se45obex.dll
c:\windows\system32\se59mgmt.dll
c:\windows\system32\SeaPort.dll
c:\windows\system32\SecureStorageService.dll
c:\windows\system32\SenFiltService.dll
c:\windows\system32\sentinelprotectionserver.dll
c:\windows\system32\ser2plms.dll
c:\windows\system32\serial.dll
c:\windows\system32\serialkeys.dll
c:\windows\system32\sermouse.dll
c:\windows\system32\service.dll
c:\windows\system32\SetupNT.dll
c:\windows\system32\sfhlp02.dll
c:\windows\system32\sfilter.dll
c:\windows\system32\sfloppy.dll
c:\windows\system32\Si3114r5.dll
c:\windows\system32\sis162u.dll
c:\windows\system32\siswlsvc.dll
c:\windows\system32\sit_prt.dll
c:\windows\system32\slapd-config52.dll
c:\windows\system32\slee_503_service.dll
c:\windows\system32\smartlinkservice.dll
c:\windows\system32\SMCB000.dll
c:\windows\system32\SMPLSCSI.dll
c:\windows\system32\snapman.dll
c:\windows\system32\SNC.dll
c:\windows\system32\SNDO763.dll
c:\windows\system32\snmptrapdservice.dll
c:\windows\system32\SNP2UVC.dll
c:\windows\system32\snpstd.dll
c:\windows\system32\sonypvs1.dll
c:\windows\system32\sprtsvc_smartagent.dll
c:\windows\system32\SQLBrowser.dll
c:\windows\system32\SQTECH9080.dll
c:\windows\system32\SRTSPL.dll
c:\windows\system32\SSHDRV61.dll
c:\windows\system32\ssrtln.dll
c:\windows\system32\ssscsisv.dll
c:\windows\system32\sthda.dll
c:\windows\system32\stirusb.dll
c:\windows\system32\Stltrk2k.dll
c:\windows\system32\StMp3Rec.dll
c:\windows\system32\STV680m.dll
c:\windows\system32\Subsonic.dll
c:\windows\system32\SunkFilt.dll
c:\windows\system32\SunkFilt39.dll
c:\windows\system32\Sus2pl.dll
c:\windows\system32\SymIMMP.dll
c:\windows\system32\symredrv.dll
c:\windows\system32\symtdi.dll
c:\windows\system32\sysaudio.dll
c:\windows\system32\tap0901.dll
c:\windows\system32\tapeware.dll
c:\windows\system32\tb2launch.dll
c:\windows\system32\tbaspi.dll
c:\windows\system32\tcsd_win32.exe.dll
c:\windows\system32\tdcmdpst.dll
c:\windows\system32\tdpipe.dll
c:\windows\system32\tdsmapi.dll
c:\windows\system32\tfsndrct.dll
c:\windows\system32\tfsnpool.dll
c:\windows\system32\tfsnudfa.dll
c:\windows\system32\tgsrvc_smartagent.dll
c:\windows\system32\themes.dll
c:\windows\system32\thkeys.dll
c:\windows\system32\thotkey.dll
c:\windows\system32\tiwlnsvc.dll
c:\windows\system32\tm_cfw.dll
c:\windows\system32\tmcomm.dll
c:\windows\system32\tmesrv3.dll
c:\windows\system32\tosrfhid.dll
c:\windows\system32\tpsrv.dll
c:\windows\system32\TPwSav.dll
c:\windows\system32\transarcafsdaemon.dll
c:\windows\system32\trioservice.dll
c:\windows\system32\tsdhd.dll
c:\windows\system32\tsmapip.dll
c:\windows\system32\TuneUp.Defrag.dll
c:\windows\system32\TUWinStylerThemeSvc.dll
c:\windows\system32\tvichw32.dll
c:\windows\system32\uisp.dll
c:\windows\system32\uleadburninghelper.dll
c:\windows\system32\unlockerdriver5.dll
c:\windows\system32\USB11LDR.dll
c:\windows\system32\USBAAPL.dll
c:\windows\system32\usbaudio.dll
c:\windows\system32\USBDongle.dll
c:\windows\system32\usbio.dll
c:\windows\system32\usbscan.dll
c:\windows\system32\usrbridg.dll
c:\windows\system32\V0070VID.dll
c:\windows\system32\vaiomediaplatform-musicserver-appserver.dll
c:\windows\system32\VAIOMediaPlatform-MusicServer-UPnP.dll
c:\windows\system32\vaiomediaplatform-photoserver-appserver.dll
c:\windows\system32\VAIOMediaPlatform-VideoServer-UPnP.dll
c:\windows\system32\VCAM.dll
c:\windows\system32\vcomm.dll
c:\windows\system32\vetfddnt.dll
c:\windows\system32\vgasave.dll
c:\windows\system32\VHidMinidrv.dll
c:\windows\system32\Video3D.dll
c:\windows\system32\VirtualCam.dll
c:\windows\system32\VMAUDIO.dll
c:\windows\system32\vmkbd.dll
c:\windows\system32\vmnetadapter.dll
c:\windows\system32\vmnetuserif.dll
c:\windows\system32\vmx86.dll
c:\windows\system32\volsnap.dll
c:\windows\system32\vrfwsvc.dll
c:\windows\system32\vrservice.dll
c:\windows\system32\vsbus.dll
c:\windows\system32\vss.dll
c:\windows\system32\vxd.dll
c:\windows\system32\W700mdfl.dll
c:\windows\system32\w800obex.dll
c:\windows\system32\WaveEnrollmentService.dll
c:\windows\system32\Wbutton.dll
c:\windows\system32\wdelmgr20.dll
c:\windows\system32\wdica.dll
c:\windows\system32\webfilter.dll
c:\windows\system32\webrootenterpriseupdateservice.dll
c:\windows\system32\webrootspysweeperservice.dll
c:\windows\system32\wg3n.dll
c:\windows\system32\wg5n.dll
c:\windows\system32\WIBUKEY.dll
c:\windows\system32\winpower.dll
c:\windows\system32\winpowermonitor.dll
c:\windows\system32\winsshd.dll
c:\windows\system32\wintab32.dll
c:\windows\system32\WINUSB.dll
c:\windows\system32\WISTechVIDCAP.dll
c:\windows\system32\WmBEnum.dll
c:\windows\system32\wmiaprpl.dll
c:\windows\system32\wudfpf.dll
c:\windows\system32\wuolservice.dll
c:\windows\system32\wwsecsvc.dll
c:\windows\system32\x10nets.dll
c:\windows\system32\XFX_program.dll
c:\windows\system32\xusb21.dll
c:\windows\system32\ZD1211BU(ZyDAS).dll
c:\windows\system32\ZDCNDIS5.dll
c:\windows\system32\zdeviceservice.dll
c:\windows\system32\zebrmdfl.dll
c:\windows\system32\zebrmdmc.dll
c:\windows\system32\zendcoreapache.dll
c:\windows\system32\zmxpzip.dll
c:\windows\system32\zpjobq.dll
c:\windows\system32\ZSMC211.dll
c:\windows\system32\ZTEusbnmea.dll
.
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\system32\dllcache\afd.sys
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\system32\dllcache\netbt.sys
.
c:\windows\system32\drivers\cdrom.sys . . . is missing!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.afd
-------\Service_.cdrom
-------\Service_.ipsec
-------\Service_.mrxsmb
-------\Service_.netbt
-------\Service_.redbook
-------\Service_.serial
-------\Legacy_WscNetDr
-------\Service_WscNetDr
.
.
((((((((((((((((((((((((( Files Created from 2012-01-10 to 2012-02-10 )))))))))))))))))))))))))))))))
.
.
2012-02-10 18:04 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-02-10 18:04 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-10 18:04 . 2008-04-14 12:00 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-02-10 18:04 . 2008-04-14 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-08 04:59 . 2012-02-08 04:59 -------- d-----w- C:\ERDNT
2012-01-26 18:54 . 2012-02-10 18:04 -------- d-sh--w- c:\documents and settings\Denise\Local Settings\Application Data\6f7b94cc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-14 12:00 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-04-14 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-04-14 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
.
[7] 2008-04-14 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ipsec.sys
.
c:\windows\System32\drivers\ipsec.sys ... is missing !!
c:\windows\System32\drivers\ipsec.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeBar"="c:\program files\FreeBar\FreeBar.exe" [2008-01-28 237568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2009-05-07 606208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-08-03 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-09-01 125368]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-07 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-07 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-07 94208]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-05-30 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2011-08-22 09:39 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"= c:\\WINDOWS\\SYSTEM32\\mmc.exe
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_3_3.EXE"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\dpupdchk.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [12/31/2008 1:12 PM 693512]
R2 TomTomHOMEService;TomTomHOMEService;d:\tomtom\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 4:38 AM 92008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/8/2012 12:50 AM 106104]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 10:54 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 10:54 PM 136176]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [12/31/2008 1:12 PM 910600]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/1/2009 1:15 PM 116664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AFD
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
WscNetDr
tmmbd
hsfhwbs2
sstpsvc
IFP700
acmservice
kl1
ELmou
websensepolicyserver
sbpci
symantecantibotwatcher
sentinel
akshasp
vaiomediaplatform-photoserver-appserver
prodrv06
alcan5wn
slapd-data52
lockmgr
rasirda
gmer
Defrag32
savscan
iaimtv0
pop3d32
HSFHWALI
crystalaps
bwmservice
pinetmgr
nicconfigsvc
wmp54gssvc
w200mdfl
antivirservice
npapimon
SE2Eobex
ixiaendpoint
uleadburninghelper
MMRTKRNL
nmwcd
SMPLSCSI
Xyz777b
btwdndis
Via4in1
lxcj_device
wlancfg
CoachUsb
VAIOMediaPlatform-PhotoServer-UPnP
PhilCam8116
nwlnknb
BCMTPM
elaunidr
bcftdi
websensecamreportserver
tmesrv3
MxlW2k
pdlnebas
nfmservice
nicser_wmp11
S7oppilx
CVirtA
ctprxy2k
datunidr
LXARScan
SE2Dbus
rimvserport
rca
epson_pm_rpcv4_01
automate5
cwcpsvc20
webcompserver
proxyserverservice
allegro
meraksmtp
PXRDDriver
VICESYS
curtainssyssvc
RDID1007
a016obex
NVTCP
arhidfltr
mcafeeframework
ADIDTSFiltService
webrootenterpriseupdateservice
SMCB000
mvdcodec
sfman
vmnetbridge
oracleorahomemanagementserver
elnkupdateservice
U81xmdm
pcandis5
ctac32k
aawservice
AcronisOSSReinstallSvc
AKSIFDH
ppa3
rfcomm
hpqwmiex
vsbus
vmnetuserif
pdlndqll
riomsc
iftpsvc
bdfsdrv
P17xfi
rspndr
nvpvrmon
EAWDMFD
mcdetect.exe
ispwdsvc
zenos1
cics.region2
client32
incdpass
s116bus
mssql$microsoftbcm
smrt
Ndisipo
NWHOST
sqlagent$sony_mediamgr
TryAndDecideService
SE27mdm
smserial
wsearch
odserv
owstimer
filterservice
eskerlicensecontrol
magictuneengine
AFGMp50
rpcapd
Evian
WaveEnrollmentService
sfvfs02
se44bus
pdlndint
CA561
USB11LDR
LPCFilter
pavreport
swupdtmr
s117nd5
megamonitorsrv
mirrorv3
se44mdm
d-link_st3402
oracleformsserver-forms60server-oraform
inotask
teefer
AEADIFilters
LUsbKbd
brmfbags
ehstart
cacheserver
purgeieservice
rpaservice
s125mgmt
symmpi
a8djusb
sbiesvc
tosrfnds
rt2500
genregistrar
tmtdi
pcctlcom
vxsvc
axsaki
SNP2STD
s117mdm
bcm43xx
hpzid412
viagfx
a016bus
caisafe
nimcdldu
JiaoIO
sonicstagemonitoring
nmwcdc
vmnetdhcp
msgsrvservice
dxdebug
EKECioCtl
superproserver
qmofiltr
lwwlicenseservice
CTEDSPSY.DLL
z800mdfl
proxyhostdriver
ibmasrex
snpstd
dot4ufd
LPDSVC
g400
usbvideo
se59mdm
mnsframework
XFX_program
autocomplete
mcdbus
Alpham1
Epiusb
db2ntsecserver
Ld51ocnucsnp
roxupnpserver
tng-dtmg
sonicatheaterinstallerservice
atinrvxx
U3sHlpDr
pdlnslea
omniusb
TuneUp.ProgramStatisticsSvc
Si3132r5
slpmonx
nmservice
ctusfsyn
rpcnet
A88xEnc
tfsnboio
w200bus
buslogic
se44obex
ANC
paamsrv
bthidenum
U81xmgmt
symwsc
mcp
protectionservice
djsnetcn
Atmuni
wps
Wuser32
dnserver32
lvupdtio
lxrsii1s
FiltUSBEMPIA
EMATCORE
wacommousefilter
websenserealtimeanalyzer
wtwservice
emclisrv
MaVctrl
F700iat
omniinet
LRMINIPORT
msk80service
ser2pl
dkeysync
TdmService
SE2Bbus
ISAMSvc
LEX_AS_NIC_SERVICE_YNOS
smcirda
navap
rnadirectory
netwg311
BLKWGU(Belkin)
fcprintservice
nsysaudm
AEAudioService
fa_scheduler
ipsraidn
se58bus
mclserviceatl
pxfhserd
ltxred
ntrtscan
avhook
ISODrive
vusbbus
AtiPcie
CSDriver
rpsupdaterr
oraclesnmppeerencapsulator
haspnt
avp
SRTSP
toddsrv
fssfltr
s117mgmt
sit_mdm
BsHelpCS
trufos
kerbkey
UsbDiag
pivotmou
pcscnsrv
pavagente
MREMP50
pdlnshay
epoxusdm
basic2
snac
COMMONFX.DLL
ALABULK
NVNET
afs2k
NdisFilt
oracleorahomedatagatherer
CTEAPSFX.DLL
nfsds
BRGSp50
wlancig
GTF32BUS
mdc8021x
pdlnsv25
SE26mdfl
VRADFIL
nlsvc
wfxsvc
NIPALK
samfilt
SSHDRV61
NetTcpActivator
askernel
ilicensesvc
dpc_srv_webcast
EntDrv51
STV680
ultra66
pnrouter
netdetect
btwusb
pcx1nd5
cccredmgr
SeratoUsb
bdselfpr
SE2Cmdm
MA-620
s125mdm
acdservice
BVRPMPR5
sf
ppmoucls
se45mgmt
SE26obex
APLMp50
A4S2600
lgsnd_filter
scsiaccess
rimmptsk
tng-dts
BCM43XV
procmon10
mxnic
sentinelprotectionserver
imonitor
pae_1394
MSIRCOMM
arrayssl_vpn_service3,0,1,9
CTAudSvcService
ipahelper.exe
pdlndoem
appnnode
gdihook5
slabbus
se45nd5
cdrbsdrv
s217nd5
cypresslink
hpzius12
PolarUSB
utilman
raidmsvr
lemsgt
smbusp
EPSON_EB_RPCV4_01
psasrv
lvhidsvc
WmVirHid
tga
F700iob
stylexphelper
lhidusb
sprtsvc_smartagent
se58mdm
clnt_clientman
clcapsvc
clmtomcatstartersvc
IntuitUpdateService
palmusbd
ctmmfilt
resourcemanagermail
mpservice
dptrackerd
pptchpad
STV680m
slee_503_service
radclock
ZD1211BU(ZyDAS)
dlcg_device
btwmodem
caboagp
avg7updsvc
WSIMD
lxcd_device
KMW_SYS
prism_a02
pdlnepkt
RIOUNIV
axskbus
QPSched
imagesrv
AMDPCI
NCPro
bb-run
hwpsgt
Memctl
cmigameport
erecoveryservice
RTHDMIAzAudService
zpcollector
Ncrc710
rassstp
U81xbus
videoacceleratorengine
HIDSwvd
firesvc
ScFBPNT3
freebsd
mldserv
tvalz
CXAVXBAR
jsdaemon
snmptrapdservice
ldlcserv
RR2Mjpeg
fsaa
wpsscannersvc
hsvcmod
ezplay
bantext
se2Cnd5
QV2KUX
quickbooksdb
qconsvc
StkScan
MagicTune
maxbackserviceint
NeroMediaHomeService.4
SQLAgent$ABBEYIIOFFLINE
retroexplauncher
prohlp02
iksysflt
sysplant
usbmate
cpsvc
pcdrndisuio
eelogsvc
mvwebserver
clientservice
mqdmmdm
scan
BcmSqlStartupSvc
fuj02b1
cpqarry2
iaimfp4
CnxTrLan
ssrvc
SWNC8U51
ownershipprotocol
lmouflt2
edspport
a016mdfl
qfcoresvc
usb20l
zpsc
sgeclient
viaagp1
sit_flt
mrobeservice
atksgt
E1000
omniserv
w800mdm
om518p
AsIO
timounter
MpFilter
k56
avgfwsrv
tunmp
nocashio
Si3114r5
IJPLMSVC
PD0620VID
S3GIGP
pinger
usbatapi2000
mpfp
agentsrv
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-12 03:53]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-12 03:53]
.
2012-02-10 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &GoogleSearch - c:\search\search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadPro6\EditPadPro.exe" "%1"
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-65247884.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-10 13:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB1096$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(504)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
- - - - - - - > 'explorer.exe'(2752)
c:\windows\system32\WININET.dll
c:\docume~1\Denise\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\brss01a.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Citrix\GoToMyPC\g2svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2012-02-10 13:17:20 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-10 18:17
.
Pre-Run: 14,446,804,992 bytes free
Post-Run: 14,296,326,144 bytes free
.
- - End Of File - - 9487CF7EA20459539CF31ECE3735CF9A

Edited by LMoseley, 10 February 2012 - 01:35 PM.
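The log above, worked through as a triage. What follows is an added example and not ComboFix output or anything posted by the thread's participants: a small Python parser that pulls out of a ComboFix log the indicators this particular log shows, namely drivers reported missing (cdrom.sys, ipsec.sys), drivers restored from dllcache (afd.sys, netbt.sys), the service keys ComboFix removed (afd, netbt, ipsec, mrxsmb and the WscNetDr pair, among others), the `$NtUninstallKB1096$` folder with a stream hidden from the API, and the hidden+system directory with an eight-hex-character name under Local Settings\Application Data. The regexes, the rule that a genuine hotfix folder carries a KB number of at least six digits, the eight-hex-character name heuristic and the list of drivers treated as networking-critical are this example's own assumptions, and the sample log is constructed from a trimmed copy of the lines shown above. afd.sys is the Winsock ancillary driver and netbt, ipsec and mrxsmb sit under it, so a log that shows those service keys removed is the first place to look when, as in the next post, the machine comes back with no internet and a firewall that will not start.

```python
import re

# Line shapes as ComboFix printed them in the thread's log (assumed stable).
MISSING_RE = re.compile(r"^(?P<path>[a-z]:\\.+?\.sys)\s*\.\s*\.\s*\.\s*is missing\s*!!", re.I)
WAS_MISSING_RE = re.compile(r"^(?P<path>[a-z]:\\\S+) was missing$", re.I)
RESTORED_RE = re.compile(r"^Restored copy from - (?P<src>.+)$", re.I)
DELETED_SVC_RE = re.compile(r"^-------\\(?:Service|Legacy)_\.?(?P<name>\S+)$")
FAKE_KB_RE = re.compile(r"\\\$NtUninstallKB(?P<num>\d+)\$", re.I)
HIDDEN_RE = re.compile(r"hidden from API\s*$")
# "d-sh--w-" is ComboFix's attribute column for a hidden+system directory.
HEXDIR_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ -------- d-sh--w- (?P<path>.+\\[0-9a-f]{8})\s*$", re.I)

# Assumption: kernel drivers that XP networking cannot run without.
NETWORK_DRIVERS = {"afd", "netbt", "ipsec", "mrxsmb", "tcpip"}
# Assumption: genuine $NtUninstallKBnnnnnn$ folders carry at least six digits.
REAL_KB_MIN_DIGITS = 6

# Constructed sample: a trimmed copy of the ComboFix lines shown in the thread.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\system32\dllcache\afd.sys
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\system32\dllcache\netbt.sys
.
c:\windows\system32\drivers\cdrom.sys . . . is missing!!
.
-------\Service_.afd
-------\Service_.cdrom
-------\Service_.ipsec
-------\Service_.mrxsmb
-------\Service_.netbt
-------\Legacy_WscNetDr
-------\Service_WscNetDr
.
2012-02-08 04:59 . 2012-02-08 04:59 -------- d-----w- C:\ERDNT
2012-01-26 18:54 . 2012-02-10 18:04 -------- d-sh--w- c:\documents and settings\Denise\Local Settings\Application Data\6f7b94cc
.
c:\windows\System32\drivers\ipsec.sys ... is missing !!
.
c:\windows\$NtUninstallKB1096$
c:\windows\$NtUninstallKB1096$\2972444763
c:\windows\$NtUninstallKB1096$:SummaryInformation 0 bytes hidden from API
"""


def triage(log_text):
    """Collect the indicator categories found in a ComboFix log."""
    found = {
        "missing_drivers": [],
        "restored_drivers": [],   # (driver path, dllcache source)
        "deleted_services": [],
        "fake_uninstall_dirs": set(),
        "hidden_from_api": [],
        "hidden_hex_dirs": [],
    }
    pending = None  # driver path waiting for its "Restored copy from" line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := MISSING_RE.match(line):
            found["missing_drivers"].append(m["path"])
        elif m := WAS_MISSING_RE.match(line):
            pending = m["path"]
        elif m := RESTORED_RE.match(line):
            if pending:
                found["restored_drivers"].append((pending, m["src"]))
                pending = None
        elif m := DELETED_SVC_RE.match(line):
            found["deleted_services"].append(m["name"])
        elif m := HEXDIR_RE.match(line):
            found["hidden_hex_dirs"].append(m["path"])
        if HIDDEN_RE.search(line):
            found["hidden_from_api"].append(line)
        if (m := FAKE_KB_RE.search(line)) and len(m["num"]) < REAL_KB_MIN_DIGITS:
            found["fake_uninstall_dirs"].add(m.group(0).strip("\\"))
    return found


def networking_impact(found):
    """Core networking components the log shows missing or deregistered."""
    names = set()
    for path in found["missing_drivers"]:
        base = path.rsplit("\\", 1)[-1].lower()
        names.add(base[:-4] if base.endswith(".sys") else base)
    names |= {s.lower() for s in found["deleted_services"]}
    return sorted(names & NETWORK_DRIVERS)


def summarize(found):
    """Human-readable triage lines, one per indicator."""
    lines = [f"restored {p} from {s}" for p, s in found["restored_drivers"]]
    lines += [f"STILL MISSING {p}" for p in found["missing_drivers"]]
    lines += [f"service key deleted: {n}" for n in found["deleted_services"]]
    lines += [f"suspicious uninstall folder (KB number too short): {d}"
              for d in sorted(found["fake_uninstall_dirs"])]
    lines += [f"hidden from API: {l}" for l in found["hidden_from_api"]]
    lines += [f"hidden+system dir with 8-hex-char name: {d}" for d in found["hidden_hex_dirs"]]
    net = networking_impact(found)
    if net:
        lines.append("networking components affected: " + ", ".join(net))
    return lines


if __name__ == "__main__":
    for entry in summarize(triage(SAMPLE_LOG)):
        print(entry)
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the "networking components affected" line is the one to compare with the symptoms the machine shows after the reboot.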


#4 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 February 2012 - 03:04 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Proud Graduate Of Malware Removal University

#5 LMoseley

  • Topic Starter

  • Members
  • 86 posts

Posted 10 February 2012 - 06:55 PM

Combofix ran as expected. Could not install Recovery Console.

Partway through the process, this message showed:

(screenshot of the error message, not reproduced here)

After running ComboFix, the internet still doesn't work. I rebooted again, still no joy. I did not run ComboFix a second time.



On bootup, I get a message that the Firewall is turned off. If I go to the Control Panel to turn on the Firewall, I see an error message. I did NOT start the ICS Service, and the firewall remains turned off.

(screenshot of the firewall error message, not reproduced here)



Booting is still very slow, which (she says) started at the same time as the virus hit.



=================================================================================

COMBOFIX LOG

ComboFix 12-02-10.01 - Denise 02/10/2012 18:10:53.2.2 - x86
Running from: c:\documents and settings\Denise\Desktop\ComboFix-2012-02.exe
Command switches used :: c:\documents and settings\Denise\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB1096$
c:\windows\$NtUninstallKB1096$\2972444763
.
c:\windows\system32\drivers\cdrom.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-01-10 to 2012-02-10 )))))))))))))))))))))))))))))))
.
.
2012-02-10 18:04 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-02-10 18:04 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-10 18:04 . 2008-04-14 12:00 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-02-10 18:04 . 2008-04-14 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-08 04:59 . 2012-02-08 04:59 -------- d-----w- C:\ERDNT
2012-01-26 18:54 . 2012-02-10 18:04 -------- d-sh--w- c:\documents and settings\Denise\Local Settings\Application Data\6f7b94cc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-14 12:00 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-04-14 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-04-14 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-10_18.07.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-10 23:22 . 2012-02-10 23:22 16384 c:\windows\Temp\Perflib_Perfdata_840.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeBar"="c:\program files\FreeBar\FreeBar.exe" [2008-01-28 237568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2009-05-07 606208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-08-03 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-09-01 125368]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-07 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-07 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-07 94208]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-05-30 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2011-08-22 09:39 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"= c:\\WINDOWS\\SYSTEM32\\mmc.exe
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_3_3.EXE"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\dpupdchk.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [12/31/2008 1:12 PM 693512]
R2 TomTomHOMEService;TomTomHOMEService;d:\tomtom\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 4:38 AM 92008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/8/2012 12:50 AM 106104]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 10:54 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 10:54 PM 136176]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [12/31/2008 1:12 PM 910600]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/1/2009 1:15 PM 116664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-12 03:53]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-12 03:53]
.
2012-02-10 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &GoogleSearch - c:\search\search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-10 18:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(384)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
- - - - - - - > 'explorer.exe'(1924)
c:\windows\system32\WININET.dll
c:\docume~1\Denise\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\brss01a.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2012-02-10 18:35:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-10 23:35
ComboFix2.txt 2012-02-10 18:17
.
Pre-Run: 14,207,111,168 bytes free
Post-Run: 14,203,858,944 bytes free
.
- - End Of File - - 6CDE3F3FF6F2B7801E3B19643F3BDFA9

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 February 2012 - 08:19 PM

Hello

Let's check your internet connection.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure all the boxes are checked
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 LMoseley
  • Topic Starter

  • Members
  • 86 posts

Posted 10 February 2012 - 09:23 PM

Farbar ran with no problem.

I have another computer running Win XP Pro SP3 that I can copy the C:\WINDOWS\system32\Drivers\ipsec.sys file from if I need to replace it on the sick computer.


FARBAR LOG

Farbar Service Scanner Version: 10-02-2012
Ran by Denise (administrator) on 10-02-2012 at 21:17:07
Running from "F:\Trojan tools\Farbar Service Scanner"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
The start type of IpSec service is OK.
The ImagePath of IpSec service is OK.
Checking LEGACY_IpSec: Attention! Unable to open LEGACY_IpSec\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\ipsec.sys is missing.
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000
IpSec Tag value is correct.

**** End of log ****

Edited by LMoseley, 10 February 2012 - 09:24 PM.


#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 February 2012 - 09:41 PM

Hello


I want you to reset the DMA. You can do this with the script here - Reset DMA

If you have problems when you click on the link, try to right click on the link and select "Save Target As" and then save it to your desktop.
Once it is on your desktop, right click on the file and select "Run".

If you still can't run it, then you can go here "Reset DMA" to see what I want to do.



SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
ipsec.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Gringo

Edited by gringo_pr, 10 February 2012 - 09:41 PM.


#9 LMoseley
  • Topic Starter

  • Members
  • 86 posts

Posted 11 February 2012 - 12:53 AM

ResetDMA: successful

After reboot, the properties (per your referenced post) show both Primary and Secondary IDE Channels are set to "DMA if available"

Note that both the HD and the CDROM are SATA, not PATA, if it makes a difference.

After the reset:
Shutdown time, empty desktop to POST screen at start of reboot, 44 sec.
Bootup time, POST screen to full desktop and HD activity stops, 5 min 40 sec.

===================================================================================================

SYSTEMLOOK LOG

SystemLook 30.07.11 by jpshortstuff
Log created at 00:25 on 11/02/2012 by Denise
Administrator - Elevation successful

========== filefind ==========

Searching for "ipsec.sys"
C:\WINDOWS\system32\dllcache\ipsec.sys --a--c- 75264 bytes [12:00 14/04/2008] [12:00 14/04/2008] 23C74D75E36E7158768DD63D92789A91

-= EOF =-

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 February 2012 - 12:58 AM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

FCopy::
C:\WINDOWS\system32\dllcache\ipsec.sys | C:\WINDOWS\system32\Drivers\ipsec.sys


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

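The two steps in the last two posts (find an intact copy with SystemLook's filefind, then copy it into place with the FCopy:: script) as an added example, not code from this thread or from the Farbar/ComboFix tools: a Python check that compares each network-stack driver Farbar lists under "File Check" with its dllcache copy by MD5, restores a missing one from dllcache, and refuses to restore from a dllcache copy whose hash is not the known one. The directory tree and file bytes are constructed; the only real value is the ipsec.sys MD5 from the SystemLook log above.

```python
"""Added example (not from this thread or from the Farbar/ComboFix tools):
check the XP network-stack drivers that Farbar Service Scanner looks at against
their dllcache copies and restore a missing one, as the FCopy:: script did."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Drivers checked under "File Check" in the Farbar log above.
NETWORK_DRIVERS = ("afd.sys", "netbt.sys", "tcpip.sys", "ipsec.sys")

# Known-good MD5 of the XP SP3 ipsec.sys, taken from the SystemLook log above.
# A dllcache copy whose hash differs is not a safe source for a restore.
KNOWN_MD5 = {"ipsec.sys": "23c74d75e36e7158768dd63d92789a91"}


def md5_of(path):
    """Hex MD5 of a file, read in chunks (Farbar's 'MD5 is legit' check is MD5 based)."""
    digest = hashlib.md5()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_driver(drivers_dir, dllcache_dir, name, restore=False):
    """Compare Drivers/name with dllcache/name and return one status string:
    ok          both present and identical
    mismatch    both present but different; left alone, needs a human look
    unverified  live file present but no dllcache copy to compare against
    no-backup   live file missing and dllcache has no copy either
    bad-backup  live file missing and the dllcache copy fails its known hash
    missing     live file missing, restore not requested
    restored    live file was missing and has been copied back from dllcache
    """
    live = Path(drivers_dir) / name
    backup = Path(dllcache_dir) / name
    if live.exists():
        if not backup.exists():
            return "unverified"
        return "ok" if md5_of(live) == md5_of(backup) else "mismatch"
    if not backup.exists():
        return "no-backup"
    expected = KNOWN_MD5.get(name.lower())
    if expected and md5_of(backup) != expected:
        return "bad-backup"
    if not restore:
        return "missing"
    shutil.copy2(backup, live)  # what FCopy:: did for ipsec.sys in this thread
    return "restored"


def scan_network_stack(drivers_dir, dllcache_dir, restore=False):
    """Status of every driver in NETWORK_DRIVERS, keyed by file name."""
    return {n: check_driver(drivers_dir, dllcache_dir, n, restore) for n in NETWORK_DRIVERS}


def demo():
    """Run the check on a constructed directory tree (sample bytes, not real drivers).
    Returns (statuses before restore, statuses after restore)."""
    root = Path(tempfile.mkdtemp(prefix="drvcheck-"))
    drivers, dllcache = root / "Drivers", root / "dllcache"
    drivers.mkdir()
    dllcache.mkdir()
    # tcpip.sys: intact.  afd.sys: live copy altered.  netbt.sys: live copy gone.
    # ipsec.sys: live copy gone and the dllcache copy is not the known SP3 file.
    (dllcache / "tcpip.sys").write_bytes(b"sample tcpip bytes")
    (drivers / "tcpip.sys").write_bytes(b"sample tcpip bytes")
    (dllcache / "afd.sys").write_bytes(b"sample afd bytes")
    (drivers / "afd.sys").write_bytes(b"sample afd bytes, patched")
    (dllcache / "netbt.sys").write_bytes(b"sample netbt bytes")
    (dllcache / "ipsec.sys").write_bytes(b"not the real ipsec.sys")
    try:
        before = scan_network_stack(drivers, dllcache)
        after = scan_network_stack(drivers, dllcache, restore=True)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```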

#11 LMoseley
  • Topic Starter

  • Members
  • 86 posts

Posted 11 February 2012 - 02:25 AM

Combofix complained about not being able to download the Recovery Console, but otherwise ran OK when CFScript.txt was dropped on its icon.

After rebooting, the internet is working (yay!) but the Local Area Network is still wonky. The sick machine cannot see other machines on the LAN (same workgroup setting).

==========================================================================

COMBOFIX LOG

ComboFix 12-02-10.01 - Denise 02/11/2012 1:39.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.164 [GMT -5:00]
Running from: c:\documents and settings\Denise\Desktop\ComboFix-2012-02.exe
Command switches used :: c:\documents and settings\Denise\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\cdrom.sys was missing
Restored copy from - c:\system volume information\_restore{B9FA5967-A13D-464E-ACB6-C724BE07CAC5}\RP3\A0000818.sys
.
c:\windows\system32\drivers\Serial.sys was missing
Restored copy from - c:\system volume information\_restore{B9FA5967-A13D-464E-ACB6-C724BE07CAC5}\RP3\A0000914.sys
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\ipsec.sys --> c:\windows\system32\Drivers\ipsec.sys
.
((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
.
.
2012-02-11 06:46 . 2008-04-14 12:00 64512 -c--a-w- c:\windows\system32\dllcache\serial.sys
2012-02-11 06:46 . 2008-04-14 12:00 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-02-11 06:46 . 2012-02-08 15:41 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-02-11 06:46 . 2012-02-08 15:41 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-11 06:39 . 2008-04-14 12:00 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-02-11 06:39 . 2008-04-14 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-02-10 18:04 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-02-10 18:04 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-10 18:04 . 2008-04-14 12:00 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-02-10 18:04 . 2008-04-14 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-08 04:59 . 2012-02-08 04:59 -------- d-----w- C:\ERDNT
2012-01-26 18:54 . 2012-02-10 18:04 -------- d-sh--w- c:\documents and settings\Denise\Local Settings\Application Data\6f7b94cc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-14 12:00 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-04-14 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-04-14 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-10_18.07.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-11 06:48 . 2012-02-11 06:48 16384 c:\windows\Temp\Perflib_Perfdata_4ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeBar"="c:\program files\FreeBar\FreeBar.exe" [2008-01-28 237568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2009-05-07 606208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-08-03 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-09-01 125368]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-07 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-07 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-07 94208]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-05-30 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2011-08-22 09:39 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"= c:\\WINDOWS\\SYSTEM32\\mmc.exe
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_3_3.EXE"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\dpupdchk.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 cerc6;cerc6; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-12 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-12 136176]
R3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-12-31 910600]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2009-09-01 116664]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-12-31 693512]
S2 TomTomHOMEService;TomTomHOMEService;d:\tomtom\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-07 106104]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-12 03:53]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-12 03:53]
.
2012-02-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &GoogleSearch - c:\search\search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-11 01:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(504)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
- - - - - - - > 'explorer.exe'(2824)
c:\windows\system32\WININET.dll
c:\docume~1\Denise\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\brsvc01a.exe
c:\windows\system32\brss01a.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Citrix\GoToMyPC\g2svc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
.
**************************************************************************
.
Completion time: 2012-02-11 02:08:36 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-11 07:08
ComboFix2.txt 2012-02-10 23:35
ComboFix3.txt 2012-02-10 18:17
.
Pre-Run: 14,209,470,464 bytes free
Post-Run: 14,196,146,176 bytes free
.
- - End Of File - - 1DA917FDCEACD71A17C2E8AEC33D2F4A

#12 gringo_pr (Malware Response Team)

Posted 11 February 2012 - 03:05 AM

Hello

Now that you have internet, run ComboFix once more and let it install the Recovery Console.

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 LMoseley (Topic Starter)

Posted 11 February 2012 - 11:01 AM

Combofix ran, installed Recovery Console.

Update to previous comment: The sick computer does access the internet, but cannot see the local area network at all. When I select My Network Places\Entire Network\Microsoft Windows Network, I cannot see the WORKGROUP or any of the other local computers. However, other computers on the LAN can see the sick computer and access the shared drive.


COMBOFIX LOG

ComboFix 12-02-10.01 - Denise 02/11/2012 10:05:20.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.286 [GMT -5:00]
Running from: c:\documents and settings\Denise\Desktop\ComboFix-2012-02.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Denise\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Denise\Local Settings\Temp\IadHide5.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
.
.
2012-02-11 06:46 . 2008-04-14 12:00 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-02-11 06:46 . 2012-02-08 15:41 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-02-11 06:46 . 2012-02-08 15:41 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-11 06:39 . 2008-04-14 12:00 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-02-11 06:39 . 2008-04-14 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-02-10 18:04 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-02-10 18:04 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-10 18:04 . 2008-04-14 12:00 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-02-10 18:04 . 2008-04-14 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-02-08 04:59 . 2012-02-08 04:59 -------- d-----w- C:\ERDNT
2012-01-26 18:54 . 2012-02-10 18:04 -------- d-sh--w- c:\documents and settings\Denise\Local Settings\Application Data\6f7b94cc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-14 12:00 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-04-14 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-04-14 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-10_18.07.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-11 15:14 . 2012-02-11 15:14 16384 c:\windows\Temp\Perflib_Perfdata_5c0.dat
+ 2012-02-11 06:46 . 2008-04-14 12:00 64512 c:\windows\system32\dllcache\serial.sys
+ 2011-01-14 12:10 . 2011-01-14 12:10 155520 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKWORD6.DLL
+ 2011-01-14 12:10 . 2011-01-14 12:10 140160 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKEXCEL2.DLL
+ 2011-07-21 17:34 . 2011-07-21 17:34 3456000 c:\windows\Installer\5acdb.msp
+ 2011-01-14 12:10 . 2011-01-14 12:10 2395008 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKWORD.DLL
+ 2011-01-14 12:10 . 2011-01-14 12:10 2180992 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKPOWERPOINT.DLL
+ 2011-01-14 12:10 . 2011-01-14 12:10 3443072 c:\windows\Installer\$PatchCache$\Managed\00004109500200000000000000F01FEC\14.0.5130\GKEXCEL.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeBar"="c:\program files\FreeBar\FreeBar.exe" [2008-01-28 237568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"pdfFactory Pro Dispatcher v3"="c:\windows\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" [2009-05-07 606208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-08-03 53096]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2009-09-01 125368]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-07 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-07 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-07 94208]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-05-30 155648]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-6-2 180224]
KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-2-13 16423]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2011-08-22 09:39 15216 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"= c:\\WINDOWS\\SYSTEM32\\mmc.exe
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_3_3.EXE"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jucheck.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"c:\\WINDOWS\\system32\\WgaTray.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 PD91Agent;PD91Agent;c:\program files\Raxco\PerfectDisk2008\PD91Agent.exe [12/31/2008 1:12 PM 693512]
R2 TomTomHOMEService;TomTomHOMEService;d:\tomtom\TomTom HOME 2\TomTomHOMEService.exe [8/24/2010 4:38 AM 92008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/8/2012 12:50 AM 106104]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 10:54 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2011 10:54 PM 136176]
S3 PD91Engine;PD91Engine;c:\program files\Raxco\PerfectDisk2008\PD91Engine.exe [12/31/2008 1:12 PM 910600]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/1/2009 1:15 PM 116664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 7:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-12 03:53]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-12 03:53]
.
2012-02-11 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &GoogleSearch - c:\search\search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
.
------- File Associations -------
.
txtfile="c:\program files\JGsoft\EditPadPro6\EditPadPro.exe" "%1"
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-11 10:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(504)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll
.
- - - - - - - > 'explorer.exe'(3468)
c:\windows\system32\WININET.dll
c:\docume~1\Denise\LOCALS~1\Temp\IadHide5.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\windows\system32\brss01a.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Citrix\GoToMyPC\g2svc.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-02-11 10:30:30 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-11 15:30
ComboFix2.txt 2012-02-10 23:35
ComboFix3.txt 2012-02-10 18:17
.
Pre-Run: 14,098,288,640 bytes free
Post-Run: 14,071,848,960 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 0AF2702CDBB0E3932C359ACA1A587681

#14 gringo_pr (Malware Response Team)

Posted 11 February 2012 - 12:01 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
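The TDSSKiller report this procedure asks for is a line-per-driver log (timestamp, pid, then either "name (md5) path" or a "name - status" verdict). As an added example, not part of this thread or of TDSSKiller, here is a small Python triage helper for that format: the first SAMPLE_REPORT entries mirror lines from the log posted in this thread, while "badsvc", "orphan", their hashes and paths, the detection name, the "( Detection ) - warning" verdict shape and the known_good baseline are constructed assumptions.

```python
"""Triage a TDSSKiller report of the shape pasted in this thread.

Added example, not part of the thread or of TDSSKiller. Assumed line shapes,
taken from the posted log: "HH:MM:SS.ms pid name (md5) path" for a driver's
file and "HH:MM:SS.ms pid name - status" for its verdict; the optional
"( Detection.Name )" before the dash on a non-ok verdict is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PREFIX_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(.*)$")
FILE_RE = re.compile(r"^(\S+)\s+\(([0-9a-fA-F]{32})\)\s+(.+)$")
VERDICT_RE = re.compile(r"^(\S+)(?:\s+\(\s*([^)]*?)\s*\))?\s+-\s+(\w+)$")

# Directories a kernel driver has no business loading from (user-writable).
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\", "\\users\\",
                "\\application data\\")


@dataclass
class DriverEntry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: Optional[str] = None      # "ok", or whatever the tool printed
    detection: Optional[str] = None   # text inside "( ... )" on a verdict line
    reasons: List[str] = field(default_factory=list)


def parse_report(text: str) -> Dict[str, DriverEntry]:
    """Merge each driver's file line and verdict line into one entry."""
    entries: Dict[str, DriverEntry] = {}
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue                      # blank lines, separators without prefix
        body = m.group(3)
        fm = FILE_RE.match(body)
        if fm:
            e = entries.setdefault(fm.group(1), DriverEntry(fm.group(1)))
            e.md5, e.path = fm.group(2).lower(), fm.group(3)
            continue
        vm = VERDICT_RE.match(body)
        if vm:                            # header/info lines never match this
            e = entries.setdefault(vm.group(1), DriverEntry(vm.group(1)))
            e.detection, e.status = vm.group(2), vm.group(3).lower()
    return entries


def triage(entries: Dict[str, DriverEntry]) -> List[DriverEntry]:
    """Entries a reviewer should read first, each with its reasons filled in."""
    flagged: List[DriverEntry] = []
    for e in entries.values():
        e.reasons = []
        if e.status is None:
            e.reasons.append("no verdict line (scan interrupted?)")
        elif e.status != "ok":
            tag = f" ({e.detection})" if e.detection else ""
            e.reasons.append(f"status '{e.status}'{tag}")
        if e.path and any(d in e.path.lower() for d in SUSPECT_DIRS):
            e.reasons.append("loads from a user-writable location")
        if e.reasons:
            flagged.append(e)
    return sorted(flagged, key=lambda d: d.name.lower())


def compare_hashes(entries: Dict[str, DriverEntry],
                   known_good: Dict[str, str]) -> List[str]:
    """Driver names whose MD5 differs from a caller-supplied clean baseline
    (same OS build and patch level): a mismatch on a core driver is the kind
    of evidence a patched system file leaves behind."""
    return sorted(n for n, e in entries.items()
                  if e.md5 and n in known_good and e.md5 != known_good[n].lower())


# Constructed sample: the first lines mirror entries in the log posted in this
# thread; "badsvc" and "orphan" (placeholder hashes, paths and detection name)
# are made up to exercise the flagging logic.
SAMPLE_REPORT = r"""18:21:05.0687 1248 TDSS rootkit removing tool 2.7.11.0 Feb 9 2012 10:12:57
18:21:53.0750 1692 ============================================================
18:21:53.0750 1692 Scan started
18:21:54.0218 1692 Abiosdsk - ok
18:21:54.0296 1692 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:21:54.0296 1692 ACPI - ok
18:21:54.0765 1692 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
18:21:54.0765 1692 AFD - ok
18:22:03.0100 1692 badsvc (00000000000000000000000000000001) C:\Documents and Settings\USER\Local Settings\Temp\badsvc.sys
18:22:03.0100 1692 badsvc ( Example.Detection.Name ) - warning
18:22:03.0200 1692 orphan (00000000000000000000000000000002) C:\WINDOWS\system32\DRIVERS\orphan.sys
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for d in triage(found):
        print(f"{d.name:10} {d.path or '-'}  <- {'; '.join(d.reasons)}")
    print("baseline mismatches:",
          compare_hashes(found, {"ACPI": "8fd99680a539792a30e97944fdaecf17"}))
```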

#15 LMoseley (Topic Starter)

Posted 11 February 2012 - 07:03 PM

TDSSKiller ran with no problem and result NO THREATS FOUND.

aswMBR downloaded the AV defs and ran to completion

=================================================================

18:21:05.0687 1248 TDSS rootkit removing tool 2.7.11.0 Feb 9 2012 10:12:57
18:21:05.0984 1248 ============================================================
18:21:05.0984 1248 Current date / time: 2012/02/11 18:21:05.0984
18:21:05.0984 1248 SystemInfo:
18:21:05.0984 1248
18:21:05.0984 1248 OS Version: 5.1.2600 ServicePack: 3.0
18:21:05.0984 1248 Product type: Workstation
18:21:05.0984 1248 ComputerName: OPTIPLEX-745
18:21:05.0984 1248 UserName: Denise
18:21:05.0984 1248 Windows directory: C:\WINDOWS
18:21:05.0984 1248 System windows directory: C:\WINDOWS
18:21:05.0984 1248 Processor architecture: Intel x86
18:21:05.0984 1248 Number of processors: 2
18:21:05.0984 1248 Page size: 0x1000
18:21:05.0984 1248 Boot type: Normal boot
18:21:05.0984 1248 ============================================================
18:21:08.0593 1248 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:21:08.0593 1248 \Device\Harddisk0\DR0:
18:21:08.0593 1248 MBR used
18:21:08.0593 1248 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x30D7B35
18:21:08.0593 1248 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x30D7B74, BlocksNum 0x642AD0A
18:21:08.0640 1248 Initialize success
18:21:08.0640 1248 ============================================================
18:21:53.0750 1692 ============================================================
18:21:53.0750 1692 Scan started
18:21:53.0750 1692 Mode: Manual;
18:21:53.0750 1692 ============================================================
18:21:54.0218 1692 Abiosdsk - ok
18:21:54.0250 1692 abp480n5 - ok
18:21:54.0296 1692 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:21:54.0296 1692 ACPI - ok
18:21:54.0343 1692 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:21:54.0359 1692 ACPIEC - ok
18:21:54.0437 1692 ADIHdAudAddService (62afc64108bbdb8d3ca32aad559e5af1) C:\WINDOWS\system32\drivers\ADIHdAud.sys
18:21:54.0453 1692 ADIHdAudAddService - ok
18:21:54.0625 1692 adpu160m - ok
18:21:54.0656 1692 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:21:54.0656 1692 aec - ok
18:21:54.0765 1692 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
18:21:54.0765 1692 AFD - ok
18:21:54.0828 1692 Aha154x - ok
18:21:54.0843 1692 aic78u2 - ok
18:21:54.0859 1692 aic78xx - ok
18:21:54.0859 1692 AliIde - ok
18:21:54.0875 1692 amsint - ok
18:21:54.0890 1692 asc - ok
18:21:54.0906 1692 asc3350p - ok
18:21:54.0906 1692 asc3550 - ok
18:21:54.0953 1692 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:21:54.0968 1692 AsyncMac - ok
18:21:55.0031 1692 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:21:55.0031 1692 atapi - ok
18:21:55.0171 1692 Atdisk - ok
18:21:55.0265 1692 ati2mtag (f5fc6ac1e7bc776871361d463fc86be2) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
18:21:55.0328 1692 ati2mtag - ok
18:21:55.0578 1692 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:21:55.0593 1692 Atmarpc - ok
18:21:55.0625 1692 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:21:55.0625 1692 audstub - ok
18:21:55.0890 1692 b57w2k (d0692f7b8217e3b82d2bfac535816117) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
18:21:55.0890 1692 b57w2k - ok
18:21:55.0984 1692 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:21:55.0984 1692 Beep - ok
18:21:56.0078 1692 BrPar (2fe6d5be0629f706197b30c0aa05de30) C:\WINDOWS\System32\drivers\BrPar.sys
18:21:56.0078 1692 BrPar - ok
18:21:56.0093 1692 catchme - ok
18:21:56.0125 1692 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:21:56.0140 1692 cbidf2k - ok
18:21:56.0296 1692 cd20xrnt - ok
18:21:56.0328 1692 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:21:56.0343 1692 Cdaudio - ok
18:21:56.0390 1692 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:21:56.0406 1692 Cdfs - ok
18:21:56.0484 1692 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:21:56.0500 1692 Cdrom - ok
18:21:56.0546 1692 cerc6 - ok
18:21:56.0546 1692 Changer - ok
18:21:56.0578 1692 CmdIde - ok
18:21:56.0593 1692 Cpqarray - ok
18:21:56.0593 1692 dac2w2k - ok
18:21:56.0609 1692 dac960nt - ok
18:21:56.0640 1692 DefragFS (e08557f41650b505571d50c9247a1e03) C:\WINDOWS\system32\drivers\DefragFS.sys
18:21:56.0656 1692 DefragFS - ok
18:21:56.0750 1692 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:21:56.0765 1692 Disk - ok
18:21:56.0906 1692 DLABMFSM (a53723176d0002feb486eff8e17812f2) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
18:21:56.0921 1692 DLABMFSM - ok
18:21:56.0937 1692 DLABOIOM (d4587063acea776699251e177d719586) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
18:21:56.0937 1692 DLABOIOM - ok
18:21:56.0953 1692 DLACDBHM (5230cdb7e715f3a3b4a882e254cdd35d) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
18:21:56.0968 1692 DLACDBHM - ok
18:21:56.0984 1692 DLADResM (c950c2e7b9ed1a4fc4a2ac7ec044f1d6) C:\WINDOWS\system32\DLA\DLADResM.SYS
18:21:57.0000 1692 DLADResM - ok
18:21:57.0078 1692 DLAIFS_M (24400137e387a24410c52a591f3cfb4d) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
18:21:57.0093 1692 DLAIFS_M - ok
18:21:57.0109 1692 DLAOPIOM (29a303feceb28641ecebdae89eb71c63) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
18:21:57.0109 1692 DLAOPIOM - ok
18:21:57.0125 1692 DLAPoolM (c93e33a22a1ae0c5508f3fb1f6d0a50c) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
18:21:57.0140 1692 DLAPoolM - ok
18:21:57.0140 1692 DLARTL_M (77fe51f0f8d86804cb81f6ef6bfb86dd) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
18:21:57.0156 1692 DLARTL_M - ok
18:21:57.0171 1692 DLAUDFAM (b953498c35a31e5ac98f49adbcf3e627) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
18:21:57.0171 1692 DLAUDFAM - ok
18:21:57.0187 1692 DLAUDF_M (4897704c093c1f59ce58fc65e1e1ef1e) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
18:21:57.0203 1692 DLAUDF_M - ok
18:21:57.0390 1692 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:21:57.0468 1692 dmboot - ok
18:21:57.0718 1692 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:21:57.0734 1692 dmio - ok
18:22:14.0812 1692 ============================================================
18:22:14.0812 1692 Scan finished
18:22:14.0812 1692 ============================================================
18:22:14.0828 3376 Detected object count: 0
18:22:14.0828 3376 Actual detected object count: 0
18:23:19.0421 3304 Deinitialize success

=================================================================




aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-11 18:47:02
-----------------------------
18:47:02.562 OS Version: Windows 5.1.2600 Service Pack 3
18:47:02.562 Number of processors: 2 586 0xF02
18:47:02.562 ComputerName: OPTIPLEX-745 UserName: Denise
18:47:02.734 Initialize success
18:47:10.671 AVAST engine defs: 12021101
18:47:19.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:47:19.437 Disk 0 Vendor: WDC_WD800JD-75MSA3 10.01E04 Size: 76293MB BusType: 3
18:47:19.468 Disk 0 MBR read successfully
18:47:19.468 Disk 0 MBR scan
18:47:19.500 Disk 0 Windows XP default MBR code
18:47:19.500 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 25007 MB offset 63
18:47:19.531 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 51285 MB offset 51215220
18:47:19.531 Disk 0 scanning sectors +156248190
18:47:19.640 Disk 0 scanning C:\WINDOWS\system32\drivers
18:47:28.171 Service scanning
18:47:29.171 Modules scanning
18:47:37.640 Disk 0 trace - called modules:
18:47:37.656 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
18:47:37.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86563ab8]
18:47:37.687 3 CLASSPNP.SYS[f7632fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x865d6d98]
18:47:38.218 AVAST engine scan C:\WINDOWS
18:47:50.828 AVAST engine scan C:\WINDOWS\system32
18:51:00.671 AVAST engine scan C:\WINDOWS\system32\drivers
18:51:13.500 AVAST engine scan C:\Documents and Settings\Denise
18:52:46.562 AVAST engine scan C:\Documents and Settings\All Users
18:54:38.796 Scan finished successfully
18:57:34.343 Disk 0 MBR has been saved successfully to "D:\Junk\Trojan tools\Logs\MBR.dat"
18:57:34.343 The log file has been saved successfully to "D:\Junk\Trojan tools\Logs\aswMBR.txt"



