
Help with Hijackthis log


  • This topic is locked
13 replies to this topic

#1 Davros68x

Davros68x

  • Members
  • 7 posts
  • Gender:Male

Posted 28 February 2012 - 06:23 AM

Hello and thanks in advance for your help,

A friend of mine who calls me every time there's something wrong with his PC (something which happens a little too regularly) has clicked on a link in an email purporting to be from YouTube which took him here...

hxxttp://www.adm-ahtuba.astranet.ru/foodstuffs.html

...from where I'm pretty sure he's picked up some malware.

He can no longer access Google or make Google searches via his Toolbar - he just gets a page not found response. He's running Windows XP.

He wasn't getting anything showing up on AVG scans (although he uninstalled AVG and then reinstalled it before calling me in his own attempt to remedy the situation - as well as trying things like Spybot and MalwareBytes), but these two results came up on AVG recently...

"Malware";"Unknown";"F:\DOCUMENTS AND SETTINGS\PAUL\LOCAL SETTINGS\APPLICATION DATA\KFUMCXYN.EXE";"N/A";"13/02/2012, 18:27:19"

"Infection";"Trojan horse Dropper.Generic5.AHEH";"F:\Documents and Settings\Paul\Local Settings\Application Data\uyssitg.exe";"N/A";"15/02/2012, 09:00:36"


Here's the contents of the Hijackthis log file - any assistance greatly appreciated.

Cheers,

Dave



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 18:57:16, on 08/02/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\PROGRA~1\AVG\AVG2012\avgrsx.exe
F:\Program Files\AVG\AVG2012\avgcsrvx.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
F:\Program Files\AVG\AVG2012\avgwdsvc.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\RunDLL32.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Canon\MyPrinter\BJMyPrt.exe
F:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
F:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
F:\Program Files\AVG\AVG2012\avgtray.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\REALTEK RTL8185 Wireless LAN Driver and Utility\RtWLan.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Trusteer\Rapport\bin\RapportService.exe
F:\Program Files\AVG\AVG2012\avgui.exe
F:\Program Files\AVG\AVG2012\avgscanx.exe
F:\Program Files\AVG\AVG2012\avgcsrvx.exe
F:\WINDOWS\system32\msiexec.exe
F:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] F:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] F:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] F:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "F:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "F:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] F:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
O4 - HKLM\..\Run: [Adobe ARM] "F:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "F:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1202660629-1417001333-839522115-1005\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: REALTEK RTL8185 Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://F:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1311199921984
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - F:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - F:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - F:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - F:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - F:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - F:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - F:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe

--
End of file - 7199 bytes

Edited by nasdaq, 02 March 2012 - 09:54 AM.
Link obfuscated



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 March 2012 - 09:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

Please just paste the contents of the DDS.txt log in your next post.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know if the problem persists.

#3 Davros68x

Davros68x
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male

Posted 05 March 2012 - 10:32 AM

Hello Nasdaq,

Thanks ever so much for your help - it was a rainy day in London yesterday so I thought it'd be an ideal opportunity to have a crack at sorting out my mate's PC.

1. I ran DDS scr but whilst it seemed to finish what it was doing, it didn't create any logs or give me an option to do so - in fact, the PC locked and I couldn't open or close any files/programs and had to turn the PC on/off via the power.

2. I ran ComboFix and had much the same problem - I left it for a good half hour but nothing was happening and once again the PC locked and I couldn't open or close any files/programs and had to turn the PC on/off via the power.

However, when the machine turned back on the issue seems to have been resolved because I can now access Google and make successful searches from Google.

3. I ran Security Check and it appeared to do everything it should, producing the following results...

Results of screen317's Security Check version 0.99.31
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

AVG 2012
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
Java™ 6 Update 26
Java version out of date!
Adobe Flash Player 10.3.181.34 Flash Player out of Date!
Adobe Reader X (10.1.2)
Mozilla Firefox (5.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgemc.exe
``````````End of Log````````````
If there's something else I should be doing just let me know and I'll give it a go, but on the basis that it seems to be fixed I'll say thank you very much for your help - it's very much appreciated.

Regards,

Dave

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 March 2012 - 10:35 AM

Let's check further.

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    Posted Image
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.
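As an added illustration (not code from this thread, nor from Kaspersky's TDSSKiller), here is a small Python triage script for the log format TDSSKiller writes: rather than reading several hundred "- ok" lines by eye, it keeps only the drivers reported as infected or detected and the files reported as forged, and ties each forged file back to the driver that loads it. The sample lines are an excerpt of the TDSSKiller log posted further down in this thread; the function and class names are my own.

```python
"""Triage helper for TDSSKiller log files.

Added example: not code from this thread or from Kaspersky's TDSSKiller. It
parses the "<time> <pid> <message>" lines TDSSKiller writes and keeps only the
verdicts a responder needs: drivers reported as infected/detected and files
reported as forged. TDSSKiller flags a file as forged when the two MD5 values
it obtains for the same file disagree, which is what a rootkit filtering
reads of its own host driver looks like. Function and class names are assumed.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-fA-F]{32}), Fake md5: (?P<fake>[0-9a-fA-F]{32})$"
)
INFECTED_RE = re.compile(r"^(?P<name>\S+) \( (?P<threat>[^)]+?) \) - infected$")
DETECTED_RE = re.compile(r"^(?P<name>\S+) - detected (?P<threat>\S+) \(\d+\)$")
OK_RE = re.compile(r"^(?P<name>\S+) - ok$")
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")


@dataclass
class Finding:
    kind: str     # "forged", "infected" or "detected"
    subject: str  # file path for forged files, driver/service name otherwise
    detail: str   # threat name, or "real=<md5> fake=<md5>" for forged files
    time: str     # timestamp of the log line


@dataclass
class Report:
    drivers_ok: int = 0
    drivers_hashed: dict = field(default_factory=dict)  # name -> (md5, path)
    findings: list = field(default_factory=list)


def parse_tdsskiller(text: str) -> Report:
    """Walk the log once and collect hashed drivers plus every non-ok verdict."""
    report = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner and separator lines carry no verdict
        t, msg = m.group("time"), m.group("msg")
        if (f := FORGED_RE.match(msg)):
            report.findings.append(
                Finding("forged", f["path"], f"real={f['real']} fake={f['fake']}", t))
        elif (f := INFECTED_RE.match(msg)):
            report.findings.append(Finding("infected", f["name"], f["threat"], t))
        elif (f := DETECTED_RE.match(msg)):
            report.findings.append(Finding("detected", f["name"], f["threat"], t))
        elif OK_RE.match(msg):
            report.drivers_ok += 1
        elif (f := DRIVER_RE.match(msg)):
            report.drivers_hashed[f["name"]] = (f["md5"], f["path"])
    return report


def triage(text: str) -> dict:
    """Map each driver needing attention to the sorted list of verdict kinds.

    Forged-file findings name a path, so they are joined back to the driver
    whose hashed entry carries that path (TDSSKiller logs the driver line
    immediately before the forged verdict).
    """
    report = parse_tdsskiller(text)
    by_path = {path: name for name, (_, path) in report.drivers_hashed.items()}
    verdicts: dict = {}
    for f in report.findings:
        name = by_path.get(f.subject, f.subject) if f.kind == "forged" else f.subject
        verdicts.setdefault(name, set()).add(f.kind)
    return {name: sorted(kinds) for name, kinds in verdicts.items()}


# Excerpt of the TDSSKiller log posted in this thread (the lines around the
# ACPI verdict); the rest of that log is several hundred "- ok" lines.
SAMPLE_LOG = r"""
18:10:18.0687 1672 ============================================================
18:10:18.0687 1672 Scan started
18:10:18.0687 1672 Mode: Manual;
18:10:18.0687 1672 ============================================================
18:10:19.0000 1672 Abiosdsk - ok
18:10:19.0031 1672 abp480n5 - ok
18:10:19.0046 1672 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) F:\WINDOWS\system32\DRIVERS\ACPI.sys
18:10:19.0046 1672 Suspicious file (Forged): F:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
18:10:19.0062 1672 ACPI ( Virus.Win32.Rloader.a ) - infected
18:10:19.0062 1672 ACPI - detected Virus.Win32.Rloader.a (0)
18:10:19.0078 1672 ACPIEC (9859c0f6936e723e4892d7141b1327d5) F:\WINDOWS\system32\drivers\ACPIEC.sys
18:10:19.0078 1672 ACPIEC - ok
"""

if __name__ == "__main__":
    rep = parse_tdsskiller(SAMPLE_LOG)
    print(f"{rep.drivers_ok} drivers ok, {len(rep.findings)} findings")
    for name, kinds in triage(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(kinds)}")
```

Run it against a full TDSSKiller log by passing the file's contents to `triage()`; an empty result means every driver line ended in "- ok".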

#5 Davros68x

Davros68x
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male

Posted 05 March 2012 - 02:40 PM

Hi again Nasdaq,

OK, I had my mate run the TDSSKiller but he quarantined any problem files rather than following your instructions (sorry, I thought he'd be capable of doing at least that much without me). I told him to run it again and that's why there are two TDSSKiller*.txt files.

Here's the first one he did...



18:10:04.0328 3060 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
18:10:04.0531 3060 ============================================================
18:10:04.0531 3060 Current date / time: 2012/03/05 18:10:04.0531
18:10:04.0531 3060 SystemInfo:
18:10:04.0531 3060
18:10:04.0531 3060 OS Version: 5.1.2600 ServicePack: 3.0
18:10:04.0531 3060 Product type: Workstation
18:10:04.0531 3060 ComputerName: PAULSPC
18:10:04.0531 3060 UserName: Paul
18:10:04.0531 3060 Windows directory: F:\WINDOWS
18:10:04.0531 3060 System windows directory: F:\WINDOWS
18:10:04.0531 3060 Processor architecture: Intel x86
18:10:04.0531 3060 Number of processors: 1
18:10:04.0531 3060 Page size: 0x1000
18:10:04.0531 3060 Boot type: Normal boot
18:10:04.0531 3060 ============================================================
18:10:06.0796 3060 Drive \Device\Harddisk0\DR0 - Size: 0x9494AD400 (37.15 Gb), SectorSize: 0x200, Cylinders: 0x12F0, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:10:06.0812 3060 Drive \Device\Harddisk1\DR1 - Size: 0x25432CDE00 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:10:06.0828 3060 Drive \Device\Harddisk2\DR5 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:10:14.0640 3060 \Device\Harddisk0\DR0:
18:10:14.0656 3060 MBR used
18:10:14.0656 3060 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A852C1
18:10:14.0656 3060 \Device\Harddisk1\DR1:
18:10:14.0671 3060 MBR used
18:10:14.0671 3060 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x61A7927
18:10:14.0687 3060 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x61A79A5, BlocksNum 0xC86D25B
18:10:14.0687 3060 \Device\Harddisk2\DR5:
18:10:14.0687 3060 MBR used
18:10:14.0687 3060 \Device\Harddisk2\DR5\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74709843
18:10:14.0812 3060 Initialize success
18:10:14.0812 3060 ============================================================
18:10:18.0687 1672 ============================================================
18:10:18.0687 1672 Scan started
18:10:18.0687 1672 Mode: Manual;
18:10:18.0687 1672 ============================================================
18:10:19.0000 1672 Abiosdsk - ok
18:10:19.0031 1672 abp480n5 - ok
18:10:19.0046 1672 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) F:\WINDOWS\system32\DRIVERS\ACPI.sys
18:10:19.0046 1672 Suspicious file (Forged): F:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
18:10:19.0062 1672 ACPI ( Virus.Win32.Rloader.a ) - infected
18:10:19.0062 1672 ACPI - detected Virus.Win32.Rloader.a (0)
18:10:19.0078 1672 ACPIEC (9859c0f6936e723e4892d7141b1327d5) F:\WINDOWS\system32\drivers\ACPIEC.sys
18:10:19.0078 1672 ACPIEC - ok
18:10:19.0093 1672 adpu160m - ok
18:10:19.0125 1672 aec (8bed39e3c35d6a489438b8141717a557) F:\WINDOWS\system32\drivers\aec.sys
18:10:19.0140 1672 aec - ok
18:10:19.0218 1672 AegisP (58a8273918eef2bf9204b12ed171513a) F:\WINDOWS\system32\DRIVERS\AegisP.sys
18:10:19.0234 1672 AegisP - ok
18:10:19.0281 1672 AFD (1e44bc1e83d8fd2305f8d452db109cf9) F:\WINDOWS\System32\drivers\afd.sys
18:10:19.0296 1672 AFD - ok
18:10:19.0328 1672 Aha154x - ok
18:10:19.0343 1672 aic78u2 - ok
18:10:19.0359 1672 aic78xx - ok
18:10:19.0390 1672 AliIde - ok
18:10:19.0406 1672 amsint - ok
18:10:19.0437 1672 asc - ok
18:10:19.0468 1672 asc3350p - ok
18:10:19.0468 1672 asc3550 - ok
18:10:19.0531 1672 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) F:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:10:19.0546 1672 AsyncMac - ok
18:10:19.0578 1672 atapi (9f3a2f5aa6875c72bf062c712cfa2674) F:\WINDOWS\system32\DRIVERS\atapi.sys
18:10:19.0578 1672 atapi - ok
18:10:19.0593 1672 Atdisk - ok
18:10:19.0625 1672 Atmarpc (9916c1225104ba14794209cfa8012159) F:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:10:19.0625 1672 Atmarpc - ok
18:10:19.0656 1672 audstub (d9f724aa26c010a217c97606b160ed68) F:\WINDOWS\system32\DRIVERS\audstub.sys
18:10:19.0656 1672 audstub - ok
18:10:19.0718 1672 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) F:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
18:10:19.0718 1672 AVGIDSDriver - ok
18:10:19.0750 1672 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) F:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
18:10:19.0765 1672 AVGIDSEH - ok
18:10:19.0781 1672 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) F:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
18:10:19.0781 1672 AVGIDSFilter - ok
18:10:19.0796 1672 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) F:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
18:10:19.0796 1672 AVGIDSShim - ok
18:10:19.0828 1672 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) F:\WINDOWS\system32\DRIVERS\avgldx86.sys
18:10:19.0828 1672 Avgldx86 - ok
18:10:19.0890 1672 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) F:\WINDOWS\system32\DRIVERS\avgmfx86.sys
18:10:19.0890 1672 Avgmfx86 - ok
18:10:19.0937 1672 Avgrkx86 (f2038ed7284b79dcef581468121192a9) F:\WINDOWS\system32\DRIVERS\avgrkx86.sys
18:10:20.0015 1672 Avgrkx86 - ok
18:10:20.0046 1672 Beep (da1f27d85e0d1525f6621372e7b685e9) F:\WINDOWS\system32\drivers\Beep.sys
18:10:20.0046 1672 Beep - ok
18:10:20.0093 1672 catchme - ok
18:10:20.0140 1672 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) F:\WINDOWS\system32\drivers\cbidf2k.sys
18:10:20.0156 1672 cbidf2k - ok
18:10:20.0171 1672 cd20xrnt - ok
18:10:20.0203 1672 Cdaudio (c1b486a7658353d33a10cc15211a873b) F:\WINDOWS\system32\drivers\Cdaudio.sys
18:10:20.0203 1672 Cdaudio - ok
18:10:20.0234 1672 Cdfs (c885b02847f5d2fd45a24e219ed93b32) F:\WINDOWS\system32\drivers\Cdfs.sys
18:10:20.0234 1672 Cdfs - ok
18:10:20.0250 1672 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) F:\WINDOWS\system32\DRIVERS\cdrom.sys
18:10:20.0265 1672 Cdrom - ok
18:10:20.0265 1672 Changer - ok
18:10:20.0296 1672 CmdIde - ok
18:10:20.0312 1672 Cpqarray - ok
18:10:20.0328 1672 dac2w2k - ok
18:10:20.0343 1672 dac960nt - ok
18:10:20.0375 1672 Disk (044452051f3e02e7963599fc8f4f3e25) F:\WINDOWS\system32\DRIVERS\disk.sys
18:10:20.0390 1672 Disk - ok
18:10:20.0421 1672 dmboot (d992fe1274bde0f84ad826acae022a41) F:\WINDOWS\system32\drivers\dmboot.sys
18:10:20.0437 1672 dmboot - ok
18:10:20.0484 1672 dmio (7c824cf7bbde77d95c08005717a95f6f) F:\WINDOWS\system32\drivers\dmio.sys
18:10:20.0500 1672 dmio - ok
18:10:20.0562 1672 dmload (e9317282a63ca4d188c0df5e09c6ac5f) F:\WINDOWS\system32\drivers\dmload.sys
18:10:20.0578 1672 dmload - ok
18:10:20.0609 1672 DMusic (8a208dfcf89792a484e76c40e5f50b45) F:\WINDOWS\system32\drivers\DMusic.sys
18:10:20.0625 1672 DMusic - ok
18:10:20.0640 1672 dpti2o - ok
18:10:20.0671 1672 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) F:\WINDOWS\system32\drivers\drmkaud.sys
18:10:20.0671 1672 drmkaud - ok
18:10:20.0750 1672 Fastfat (38d332a6d56af32635675f132548343e) F:\WINDOWS\system32\drivers\Fastfat.sys
18:10:20.0750 1672 Fastfat - ok
18:10:20.0796 1672 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) F:\WINDOWS\system32\DRIVERS\fdc.sys
18:10:20.0796 1672 Fdc - ok
18:10:20.0812 1672 Fips (d45926117eb9fa946a6af572fbe1caa3) F:\WINDOWS\system32\drivers\Fips.sys
18:10:20.0812 1672 Fips - ok
18:10:20.0843 1672 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) F:\WINDOWS\system32\DRIVERS\flpydisk.sys
18:10:20.0843 1672 Flpydisk - ok
18:10:20.0859 1672 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) F:\WINDOWS\system32\drivers\fltmgr.sys
18:10:20.0875 1672 FltMgr - ok
18:10:20.0921 1672 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) F:\WINDOWS\system32\drivers\Fs_Rec.sys
18:10:20.0921 1672 Fs_Rec - ok
18:10:20.0953 1672 Ftdisk (6ac26732762483366c3969c9e4d2259d) F:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:10:20.0953 1672 Ftdisk - ok
18:10:21.0015 1672 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) F:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
18:10:21.0015 1672 GEARAspiWDM - ok
18:10:21.0046 1672 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) F:\WINDOWS\system32\DRIVERS\msgpc.sys
18:10:21.0046 1672 Gpc - ok
18:10:21.0062 1672 HDAudBus (573c7d0a32852b48f3058cfd8026f511) F:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:10:21.0078 1672 HDAudBus - ok
18:10:21.0109 1672 hidusb (ccf82c5ec8a7326c3066de870c06daf1) F:\WINDOWS\system32\DRIVERS\hidusb.sys
18:10:21.0171 1672 hidusb - ok
18:10:21.0203 1672 hpn - ok
18:10:21.0234 1672 HTTP (f80a415ef82cd06ffaf0d971528ead38) F:\WINDOWS\system32\Drivers\HTTP.sys
18:10:21.0250 1672 HTTP - ok
18:10:21.0281 1672 i2omgmt - ok
18:10:21.0296 1672 i2omp - ok
18:10:21.0328 1672 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) F:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:10:21.0328 1672 i8042prt - ok
18:10:21.0343 1672 Imapi (083a052659f5310dd8b6a6cb05edcf8e) F:\WINDOWS\system32\DRIVERS\imapi.sys
18:10:21.0343 1672 Imapi - ok
18:10:21.0359 1672 ini910u - ok
18:10:21.0484 1672 IntcAzAudAddService (a30685283f90ae02f1cd50972c6065e3) F:\WINDOWS\system32\drivers\RtkHDAud.sys
18:10:21.0593 1672 IntcAzAudAddService - ok
18:10:21.0640 1672 IntelIde - ok
18:10:21.0687 1672 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) F:\WINDOWS\system32\drivers\ip6fw.sys
18:10:21.0687 1672 Ip6Fw - ok
18:10:21.0718 1672 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) F:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:10:21.0718 1672 IpFilterDriver - ok
18:10:21.0734 1672 IpInIp (b87ab476dcf76e72010632b5550955f5) F:\WINDOWS\system32\DRIVERS\ipinip.sys
18:10:21.0734 1672 IpInIp - ok
18:10:21.0765 1672 IpNat (cc748ea12c6effde940ee98098bf96bb) F:\WINDOWS\system32\DRIVERS\ipnat.sys
18:10:21.0765 1672 IpNat - ok
18:10:21.0796 1672 IPSec (23c74d75e36e7158768dd63d92789a91) F:\WINDOWS\system32\DRIVERS\ipsec.sys
18:10:21.0796 1672 IPSec - ok
18:10:21.0859 1672 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) F:\WINDOWS\system32\DRIVERS\irenum.sys
18:10:21.0937 1672 IRENUM - ok
18:10:21.0968 1672 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) F:\WINDOWS\system32\DRIVERS\isapnp.sys
18:10:21.0968 1672 isapnp - ok
18:10:21.0984 1672 Kbdclass (463c1ec80cd17420a542b7f36a36f128) F:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:10:21.0984 1672 Kbdclass - ok
18:10:22.0015 1672 kmixer (692bcf44383d056aed41b045a323d378) F:\WINDOWS\system32\drivers\kmixer.sys
18:10:22.0031 1672 kmixer - ok
18:10:22.0078 1672 KSecDD (b467646c54cc746128904e1654c750c1) F:\WINDOWS\system32\drivers\KSecDD.sys
18:10:22.0078 1672 KSecDD - ok
18:10:22.0093 1672 lbrtfdc - ok
18:10:22.0140 1672 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) F:\WINDOWS\system32\drivers\mnmdd.sys
18:10:22.0140 1672 mnmdd - ok
18:10:22.0171 1672 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) F:\WINDOWS\system32\drivers\Modem.sys
18:10:22.0203 1672 Modem - ok
18:10:22.0218 1672 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) F:\WINDOWS\system32\DRIVERS\mouclass.sys
18:10:22.0265 1672 Mouclass - ok
18:10:22.0296 1672 mouhid (b1c303e17fb9d46e87a98e4ba6769685) F:\WINDOWS\system32\DRIVERS\mouhid.sys
18:10:22.0296 1672 mouhid - ok
18:10:22.0328 1672 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) F:\WINDOWS\system32\drivers\MountMgr.sys
18:10:22.0328 1672 MountMgr - ok
18:10:22.0359 1672 mraid35x - ok
18:10:22.0375 1672 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) F:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:10:22.0375 1672 MRxDAV - ok
18:10:22.0406 1672 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) F:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:10:22.0421 1672 MRxSmb - ok
18:10:22.0468 1672 Msfs (c941ea2454ba8350021d774daf0f1027) F:\WINDOWS\system32\drivers\Msfs.sys
18:10:22.0468 1672 Msfs - ok
18:10:22.0500 1672 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) F:\WINDOWS\system32\drivers\MSKSSRV.sys
18:10:22.0500 1672 MSKSSRV - ok
18:10:22.0562 1672 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) F:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:10:22.0625 1672 MSPCLOCK - ok
18:10:22.0656 1672 MSPQM (bad59648ba099da4a17680b39730cb3d) F:\WINDOWS\system32\drivers\MSPQM.sys
18:10:22.0671 1672 MSPQM - ok
18:10:22.0718 1672 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) F:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:10:22.0734 1672 mssmbios - ok
18:10:22.0750 1672 Mup (de6a75f5c270e756c5508d94b6cf68f5) F:\WINDOWS\system32\drivers\Mup.sys
18:10:22.0781 1672 Mup - ok
18:10:22.0812 1672 NDIS (1df7f42665c94b825322fae71721130d) F:\WINDOWS\system32\drivers\NDIS.sys
18:10:22.0828 1672 NDIS - ok
18:10:22.0875 1672 NdisTapi (0109c4f3850dfbab279542515386ae22) F:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:10:22.0890 1672 NdisTapi - ok
18:10:22.0921 1672 Ndisuio (f927a4434c5028758a842943ef1a3849) F:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:10:22.0921 1672 Ndisuio - ok
18:10:22.0921 1672 NdisWan (edc1531a49c80614b2cfda43ca8659ab) F:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:10:22.0937 1672 NdisWan - ok
18:10:22.0968 1672 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) F:\WINDOWS\system32\drivers\NDProxy.sys
18:10:22.0968 1672 NDProxy - ok
18:10:23.0000 1672 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) F:\WINDOWS\system32\DRIVERS\netbios.sys
18:10:23.0000 1672 NetBIOS - ok
18:10:23.0046 1672 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) F:\WINDOWS\system32\DRIVERS\netbt.sys
18:10:23.0062 1672 NetBT - ok
18:10:23.0109 1672 Npfs (3182d64ae053d6fb034f44b6def8034a) F:\WINDOWS\system32\drivers\Npfs.sys
18:10:23.0109 1672 Npfs - ok
18:10:23.0140 1672 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) F:\WINDOWS\system32\drivers\Ntfs.sys
18:10:23.0156 1672 Ntfs - ok
18:10:23.0203 1672 Null (73c1e1f395918bc2c6dd67af7591a3ad) F:\WINDOWS\system32\drivers\Null.sys
18:10:23.0203 1672 Null - ok
18:10:23.0515 1672 nv (8b2c874897ea498da012284e12f9db2b) F:\WINDOWS\system32\DRIVERS\nv4_mini.sys
18:10:23.0812 1672 nv - ok
18:10:23.0890 1672 NVENETFD (7d275ecda4628318912f6c945d5cf963) F:\WINDOWS\system32\DRIVERS\NVENETFD.sys
18:10:23.0890 1672 NVENETFD - ok
18:10:23.0921 1672 nvnetbus (b64aacefad2be5bff5353fe681253c67) F:\WINDOWS\system32\DRIVERS\nvnetbus.sys
18:10:23.0937 1672 nvnetbus - ok
18:10:23.0968 1672 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) F:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:10:23.0984 1672 NwlnkFlt - ok
18:10:24.0000 1672 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) F:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:10:24.0000 1672 NwlnkFwd - ok
18:10:24.0031 1672 Parport (5575faf8f97ce5e713d108c2a58d7c7c) F:\WINDOWS\system32\DRIVERS\parport.sys
18:10:24.0046 1672 Parport - ok
18:10:24.0078 1672 PartMgr (beb3ba25197665d82ec7065b724171c6) F:\WINDOWS\system32\drivers\PartMgr.sys
18:10:24.0125 1672 PartMgr - ok
18:10:24.0171 1672 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) F:\WINDOWS\system32\drivers\ParVdm.sys
18:10:24.0187 1672 ParVdm - ok
18:10:24.0203 1672 PCI (a219903ccf74233761d92bef471a07b1) F:\WINDOWS\system32\DRIVERS\pci.sys
18:10:24.0203 1672 PCI - ok
18:10:24.0218 1672 PCIDump - ok
18:10:24.0234 1672 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) F:\WINDOWS\system32\DRIVERS\pciide.sys
18:10:24.0234 1672 PCIIde - ok
18:10:24.0265 1672 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) F:\WINDOWS\system32\drivers\Pcmcia.sys
18:10:24.0281 1672 Pcmcia - ok
18:10:24.0312 1672 PDCOMP - ok
18:10:24.0328 1672 PDFRAME - ok
18:10:24.0343 1672 PDRELI - ok
18:10:24.0359 1672 PDRFRAME - ok
18:10:24.0453 1672 perc2 - ok
18:10:24.0468 1672 perc2hib - ok
18:10:24.0546 1672 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) F:\WINDOWS\system32\DRIVERS\raspptp.sys
18:10:24.0593 1672 PptpMiniport - ok
18:10:24.0625 1672 Processor (a32bebaf723557681bfc6bd93e98bd26) F:\WINDOWS\system32\DRIVERS\processr.sys
18:10:24.0625 1672 Processor - ok
18:10:24.0656 1672 PSched (09298ec810b07e5d582cb3a3f9255424) F:\WINDOWS\system32\DRIVERS\psched.sys
18:10:24.0656 1672 PSched - ok
18:10:24.0671 1672 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) F:\WINDOWS\system32\DRIVERS\ptilink.sys
18:10:24.0671 1672 Ptilink - ok
18:10:24.0687 1672 ql1080 - ok
18:10:24.0687 1672 Ql10wnt - ok
18:10:24.0703 1672 ql12160 - ok
18:10:24.0718 1672 ql1240 - ok
18:10:24.0734 1672 ql1280 - ok
18:10:24.0812 1672 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) F:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_34302.sys
18:10:24.0812 1672 RapportCerberus_34302 - ok
18:10:24.0875 1672 RapportEI (34992b59780a8a227a9eb54c97dc4608) F:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
18:10:24.0875 1672 RapportEI - ok
18:10:24.0890 1672 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) f:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys
18:10:24.0890 1672 RapportIaso - ok
18:10:24.0953 1672 RapportKELL (a231b5552148ade82ed3dfba25919b75) F:\WINDOWS\system32\Drivers\RapportKELL.sys
18:10:24.0953 1672 RapportKELL - ok
18:10:24.0984 1672 RapportPG (060f8e34707d68178a564935ce4546eb) F:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
18:10:24.0984 1672 RapportPG - ok
18:10:25.0031 1672 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) F:\WINDOWS\system32\DRIVERS\rasacd.sys
18:10:25.0031 1672 RasAcd - ok
18:10:25.0093 1672 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) F:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:10:25.0109 1672 Rasl2tp - ok
18:10:25.0140 1672 RasPppoe (5bc962f2654137c9909c3d4603587dee) F:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:10:25.0171 1672 RasPppoe - ok
18:10:25.0203 1672 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) F:\WINDOWS\system32\DRIVERS\raspti.sys
18:10:25.0203 1672 Raspti - ok
18:10:25.0250 1672 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) F:\WINDOWS\system32\DRIVERS\rdbss.sys
18:10:25.0250 1672 Rdbss - ok
18:10:25.0265 1672 RDPCDD (4912d5b403614ce99c28420f75353332) F:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:10:25.0265 1672 RDPCDD - ok
18:10:25.0328 1672 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) F:\WINDOWS\system32\drivers\RDPWD.sys
18:10:25.0328 1672 RDPWD - ok
18:10:25.0359 1672 redbook (f828dd7e1419b6653894a8f97a0094c5) F:\WINDOWS\system32\DRIVERS\redbook.sys
18:10:25.0359 1672 redbook - ok
18:10:25.0406 1672 RimUsb (4f4a4c09cc5be58a76cac1c337e004e6) F:\WINDOWS\system32\Drivers\RimUsb.sys
18:10:25.0468 1672 RimUsb - ok
18:10:25.0562 1672 RimVSerPort (3a5633ad615e2b15291bd0b1b97ccd8a) F:\WINDOWS\system32\DRIVERS\RimSerial.sys
18:10:25.0562 1672 RimVSerPort - ok
18:10:25.0609 1672 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) F:\WINDOWS\system32\Drivers\RootMdm.sys
18:10:25.0609 1672 ROOTMODEM - ok
18:10:25.0671 1672 rtl8185 (bed02b1eacf81f0392bc71ffcd94eee6) F:\WINDOWS\system32\DRIVERS\rtl8185.sys
18:10:25.0671 1672 rtl8185 - ok
18:10:25.0734 1672 SBRE - ok
18:10:25.0781 1672 Secdrv (90a3935d05b494a5a39d37e71f09a677) F:\WINDOWS\system32\DRIVERS\secdrv.sys
18:10:25.0843 1672 Secdrv - ok
18:10:25.0890 1672 serenum (0f29512ccd6bead730039fb4bd2c85ce) F:\WINDOWS\system32\DRIVERS\serenum.sys
18:10:25.0890 1672 serenum - ok
18:10:25.0906 1672 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) F:\WINDOWS\system32\DRIVERS\serial.sys
18:10:25.0906 1672 Serial - ok
18:10:25.0953 1672 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) F:\WINDOWS\system32\drivers\Sfloppy.sys
18:10:25.0953 1672 Sfloppy - ok
18:10:25.0984 1672 Simbad - ok
18:10:26.0031 1672 SjyPkt (3d7ef286e806f9bd9339aa52e28dcd67) F:\WINDOWS\System32\Drivers\SjyPkt.sys
18:10:26.0046 1672 SjyPkt - ok
18:10:26.0109 1672 Sparrow - ok
18:10:26.0140 1672 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) F:\WINDOWS\system32\drivers\splitter.sys
18:10:26.0156 1672 splitter - ok
18:10:26.0187 1672 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) F:\WINDOWS\system32\DRIVERS\sr.sys
18:10:26.0203 1672 sr - ok
18:10:26.0234 1672 Srv (47ddfc2f003f7f9f0592c6874962a2e7) F:\WINDOWS\system32\DRIVERS\srv.sys
18:10:26.0250 1672 Srv - ok
18:10:26.0281 1672 swenum (3941d127aef12e93addf6fe6ee027e0f) F:\WINDOWS\system32\DRIVERS\swenum.sys
18:10:26.0281 1672 swenum - ok
18:10:26.0328 1672 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) F:\WINDOWS\system32\drivers\swmidi.sys
18:10:26.0328 1672 swmidi - ok
18:10:26.0359 1672 symc810 - ok
18:10:26.0359 1672 symc8xx - ok
18:10:26.0375 1672 sym_hi - ok
18:10:26.0390 1672 sym_u3 - ok
18:10:26.0406 1672 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) F:\WINDOWS\system32\drivers\sysaudio.sys
18:10:26.0406 1672 sysaudio - ok
18:10:26.0453 1672 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) F:\WINDOWS\system32\DRIVERS\tcpip.sys
18:10:26.0468 1672 Tcpip - ok
18:10:26.0484 1672 TDPIPE (6471a66807f5e104e4885f5b67349397) F:\WINDOWS\system32\drivers\TDPIPE.sys
18:10:26.0484 1672 TDPIPE - ok
18:10:26.0546 1672 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) F:\WINDOWS\system32\drivers\TDTCP.sys
18:10:26.0562 1672 TDTCP - ok
18:10:26.0609 1672 TermDD (88155247177638048422893737429d9e) F:\WINDOWS\system32\DRIVERS\termdd.sys
18:10:26.0609 1672 TermDD - ok
18:10:26.0640 1672 TosIde - ok
18:10:26.0671 1672 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) F:\WINDOWS\system32\drivers\Udfs.sys
18:10:26.0671 1672 Udfs - ok
18:10:26.0687 1672 ultra - ok
18:10:26.0718 1672 Update (402ddc88356b1bac0ee3dd1580c76a31) F:\WINDOWS\system32\DRIVERS\update.sys
18:10:26.0718 1672 Update - ok
18:10:26.0796 1672 USBAAPL (83cafcb53201bbac04d822f32438e244) F:\WINDOWS\system32\Drivers\usbaapl.sys
18:10:26.0812 1672 USBAAPL - ok
18:10:26.0843 1672 usbccgp (173f317ce0db8e21322e71b7e60a27e8) F:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:10:26.0843 1672 usbccgp - ok
18:10:26.0875 1672 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) F:\WINDOWS\system32\DRIVERS\usbehci.sys
18:10:26.0890 1672 usbehci - ok
18:10:26.0937 1672 usbhub (1ab3cdde553b6e064d2e754efe20285c) F:\WINDOWS\system32\DRIVERS\usbhub.sys
18:10:26.0937 1672 usbhub - ok
18:10:26.0953 1672 usbohci (0daecce65366ea32b162f85f07c6753b) F:\WINDOWS\system32\DRIVERS\usbohci.sys
18:10:26.0953 1672 usbohci - ok
18:10:26.0968 1672 usbprint (a717c8721046828520c9edf31288fc00) F:\WINDOWS\system32\DRIVERS\usbprint.sys
18:10:26.0968 1672 usbprint - ok
18:10:27.0000 1672 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) F:\WINDOWS\system32\DRIVERS\usbscan.sys
18:10:27.0000 1672 usbscan - ok
18:10:27.0015 1672 usbstor (a32426d9b14a089eaa1d922e0c5801a9) F:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:10:27.0031 1672 usbstor - ok
18:10:27.0046 1672 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) F:\WINDOWS\System32\drivers\vga.sys
18:10:27.0046 1672 VgaSave - ok
18:10:27.0062 1672 ViaIde - ok
18:10:27.0093 1672 VolSnap (4c8fcb5cc53aab716d810740fe59d025) F:\WINDOWS\system32\drivers\VolSnap.sys
18:10:27.0093 1672 VolSnap - ok
18:10:27.0156 1672 Wanarp (e20b95baedb550f32dd489265c1da1f6) F:\WINDOWS\system32\DRIVERS\wanarp.sys
18:10:27.0156 1672 Wanarp - ok
18:10:27.0203 1672 Wdf01000 (d918617b46457b9ac28027722e30f647) F:\WINDOWS\system32\Drivers\wdf01000.sys
18:10:27.0218 1672 Wdf01000 - ok
18:10:27.0250 1672 WDICA - ok
18:10:27.0265 1672 wdmaud (6768acf64b18196494413695f0c3a00f) F:\WINDOWS\system32\drivers\wdmaud.sys
18:10:27.0265 1672 wdmaud - ok
18:10:27.0390 1672 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) F:\WINDOWS\System32\drivers\ws2ifsl.sys
18:10:27.0406 1672 WS2IFSL - ok
18:10:27.0500 1672 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:10:27.0625 1672 \Device\Harddisk0\DR0 - ok
18:10:27.0640 1672 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
18:10:27.0640 1672 \Device\Harddisk1\DR1 - ok
18:10:27.0687 1672 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR5
18:10:28.0156 1672 \Device\Harddisk2\DR5 - ok
18:10:28.0156 1672 Boot (0x1200) (76cbfd33d4c2e32423736149d8de1546) \Device\Harddisk0\DR0\Partition0
18:10:28.0171 1672 \Device\Harddisk0\DR0\Partition0 - ok
18:10:28.0171 1672 Boot (0x1200) (e18d1bef23a6b666302697d9f098df6b) \Device\Harddisk1\DR1\Partition0
18:10:28.0171 1672 \Device\Harddisk1\DR1\Partition0 - ok
18:10:28.0187 1672 Boot (0x1200) (1e0b2d947a41f8c3420a4523ea50b3a2) \Device\Harddisk1\DR1\Partition1
18:10:28.0187 1672 \Device\Harddisk1\DR1\Partition1 - ok
18:10:28.0203 1672 Boot (0x1200) (f55078df5ffb4d1cc2922c6214e153e6) \Device\Harddisk2\DR5\Partition0
18:10:28.0218 1672 \Device\Harddisk2\DR5\Partition0 - ok
18:10:28.0218 1672 ============================================================
18:10:28.0218 1672 Scan finished
18:10:28.0218 1672 ============================================================
18:10:28.0250 1620 Detected object count: 1
18:10:28.0250 1620 Actual detected object count: 1
18:10:51.0843 1620 F:\WINDOWS\system32\DRIVERS\ACPI.sys - copied to quarantine
18:10:51.0843 1620 ACPI ( Virus.Win32.Rloader.a ) - User select action: Quarantine
18:13:24.0484 3932 Deinitialize success



and here's the second...


18:21:03.0859 3584 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
18:21:04.0000 3584 ============================================================
18:21:04.0000 3584 Current date / time: 2012/03/05 18:21:04.0000
18:21:04.0000 3584 SystemInfo:
18:21:04.0000 3584
18:21:04.0000 3584 OS Version: 5.1.2600 ServicePack: 3.0
18:21:04.0000 3584 Product type: Workstation
18:21:04.0000 3584 ComputerName: PAULSPC
18:21:04.0000 3584 UserName: Paul
18:21:04.0000 3584 Windows directory: F:\WINDOWS
18:21:04.0000 3584 System windows directory: F:\WINDOWS
18:21:04.0000 3584 Processor architecture: Intel x86
18:21:04.0000 3584 Number of processors: 1
18:21:04.0000 3584 Page size: 0x1000
18:21:04.0000 3584 Boot type: Normal boot
18:21:04.0000 3584 ============================================================
18:21:05.0812 3584 Drive \Device\Harddisk0\DR0 - Size: 0x9494AD400 (37.15 Gb), SectorSize: 0x200, Cylinders: 0x12F0, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:21:05.0812 3584 Drive \Device\Harddisk1\DR1 - Size: 0x25432CDE00 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:21:05.0828 3584 Drive \Device\Harddisk2\DR5 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:21:05.0828 3584 \Device\Harddisk0\DR0:
18:21:05.0828 3584 MBR used
18:21:05.0828 3584 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A852C1
18:21:05.0828 3584 \Device\Harddisk1\DR1:
18:21:05.0828 3584 MBR used
18:21:05.0828 3584 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x61A7927
18:21:05.0859 3584 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x61A79A5, BlocksNum 0xC86D25B
18:21:05.0859 3584 \Device\Harddisk2\DR5:
18:21:05.0859 3584 MBR used
18:21:05.0859 3584 \Device\Harddisk2\DR5\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74709843
18:21:05.0984 3584 Initialize success
18:21:05.0984 3584 ============================================================
18:21:08.0500 2592 ============================================================
18:21:08.0500 2592 Scan started
18:21:08.0500 2592 Mode: Manual;
18:21:08.0500 2592 ============================================================
18:21:09.0234 2592 Abiosdsk - ok
18:21:09.0250 2592 abp480n5 - ok
18:21:09.0281 2592 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) F:\WINDOWS\system32\DRIVERS\ACPI.sys
18:21:09.0281 2592 Suspicious file (Forged): F:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
18:21:09.0281 2592 ACPI ( Virus.Win32.Rloader.a ) - infected
18:21:09.0281 2592 ACPI - detected Virus.Win32.Rloader.a (0)
18:21:09.0312 2592 ACPIEC (9859c0f6936e723e4892d7141b1327d5) F:\WINDOWS\system32\drivers\ACPIEC.sys
18:21:09.0312 2592 ACPIEC - ok
18:21:09.0312 2592 adpu160m - ok
18:21:09.0359 2592 aec (8bed39e3c35d6a489438b8141717a557) F:\WINDOWS\system32\drivers\aec.sys
18:21:09.0359 2592 aec - ok
18:21:09.0406 2592 AegisP (58a8273918eef2bf9204b12ed171513a) F:\WINDOWS\system32\DRIVERS\AegisP.sys
18:21:09.0406 2592 AegisP - ok
18:21:09.0453 2592 AFD (1e44bc1e83d8fd2305f8d452db109cf9) F:\WINDOWS\System32\drivers\afd.sys
18:21:09.0453 2592 AFD - ok
18:21:09.0468 2592 Aha154x - ok
18:21:09.0468 2592 aic78u2 - ok
18:21:09.0484 2592 aic78xx - ok
18:21:09.0500 2592 AliIde - ok
18:21:09.0515 2592 amsint - ok
18:21:09.0546 2592 asc - ok
18:21:09.0562 2592 asc3350p - ok
18:21:09.0578 2592 asc3550 - ok
18:21:09.0609 2592 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) F:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:21:09.0609 2592 AsyncMac - ok
18:21:09.0656 2592 atapi (9f3a2f5aa6875c72bf062c712cfa2674) F:\WINDOWS\system32\DRIVERS\atapi.sys
18:21:09.0656 2592 atapi - ok
18:21:09.0671 2592 Atdisk - ok
18:21:09.0703 2592 Atmarpc (9916c1225104ba14794209cfa8012159) F:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:21:09.0703 2592 Atmarpc - ok
18:21:09.0734 2592 audstub (d9f724aa26c010a217c97606b160ed68) F:\WINDOWS\system32\DRIVERS\audstub.sys
18:21:09.0734 2592 audstub - ok
18:21:09.0781 2592 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) F:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
18:21:09.0781 2592 AVGIDSDriver - ok
18:21:09.0828 2592 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) F:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
18:21:09.0828 2592 AVGIDSEH - ok
18:21:09.0843 2592 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) F:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
18:21:09.0843 2592 AVGIDSFilter - ok
18:21:09.0875 2592 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) F:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
18:21:09.0875 2592 AVGIDSShim - ok
18:21:09.0890 2592 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) F:\WINDOWS\system32\DRIVERS\avgldx86.sys
18:21:09.0890 2592 Avgldx86 - ok
18:21:09.0921 2592 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) F:\WINDOWS\system32\DRIVERS\avgmfx86.sys
18:21:09.0921 2592 Avgmfx86 - ok
18:21:09.0937 2592 Avgrkx86 (f2038ed7284b79dcef581468121192a9) F:\WINDOWS\system32\DRIVERS\avgrkx86.sys
18:21:09.0937 2592 Avgrkx86 - ok
18:21:09.0968 2592 Beep (da1f27d85e0d1525f6621372e7b685e9) F:\WINDOWS\system32\drivers\Beep.sys
18:21:09.0968 2592 Beep - ok
18:21:10.0046 2592 catchme - ok
18:21:10.0093 2592 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) F:\WINDOWS\system32\drivers\cbidf2k.sys
18:21:10.0093 2592 cbidf2k - ok
18:21:10.0109 2592 cd20xrnt - ok
18:21:10.0140 2592 Cdaudio (c1b486a7658353d33a10cc15211a873b) F:\WINDOWS\system32\drivers\Cdaudio.sys
18:21:10.0140 2592 Cdaudio - ok
18:21:10.0171 2592 Cdfs (c885b02847f5d2fd45a24e219ed93b32) F:\WINDOWS\system32\drivers\Cdfs.sys
18:21:10.0171 2592 Cdfs - ok
18:21:10.0203 2592 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) F:\WINDOWS\system32\DRIVERS\cdrom.sys
18:21:10.0203 2592 Cdrom - ok
18:21:10.0234 2592 Changer - ok
18:21:10.0265 2592 CmdIde - ok
18:21:10.0281 2592 Cpqarray - ok
18:21:10.0296 2592 dac2w2k - ok
18:21:10.0312 2592 dac960nt - ok
18:21:10.0328 2592 Disk (044452051f3e02e7963599fc8f4f3e25) F:\WINDOWS\system32\DRIVERS\disk.sys
18:21:10.0328 2592 Disk - ok
18:21:10.0375 2592 dmboot (d992fe1274bde0f84ad826acae022a41) F:\WINDOWS\system32\drivers\dmboot.sys
18:21:10.0375 2592 dmboot - ok
18:21:10.0406 2592 dmio (7c824cf7bbde77d95c08005717a95f6f) F:\WINDOWS\system32\drivers\dmio.sys
18:21:10.0406 2592 dmio - ok
18:21:10.0437 2592 dmload (e9317282a63ca4d188c0df5e09c6ac5f) F:\WINDOWS\system32\drivers\dmload.sys
18:21:10.0437 2592 dmload - ok
18:21:10.0484 2592 DMusic (8a208dfcf89792a484e76c40e5f50b45) F:\WINDOWS\system32\drivers\DMusic.sys
18:21:10.0484 2592 DMusic - ok
18:21:10.0515 2592 dpti2o - ok
18:21:10.0531 2592 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) F:\WINDOWS\system32\drivers\drmkaud.sys
18:21:10.0531 2592 drmkaud - ok
18:21:10.0593 2592 Fastfat (38d332a6d56af32635675f132548343e) F:\WINDOWS\system32\drivers\Fastfat.sys
18:21:10.0609 2592 Fastfat - ok
18:21:10.0640 2592 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) F:\WINDOWS\system32\DRIVERS\fdc.sys
18:21:10.0640 2592 Fdc - ok
18:21:10.0656 2592 Fips (d45926117eb9fa946a6af572fbe1caa3) F:\WINDOWS\system32\drivers\Fips.sys
18:21:10.0656 2592 Fips - ok
18:21:10.0671 2592 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) F:\WINDOWS\system32\DRIVERS\flpydisk.sys
18:21:10.0671 2592 Flpydisk - ok
18:21:10.0734 2592 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) F:\WINDOWS\system32\drivers\fltmgr.sys
18:21:10.0734 2592 FltMgr - ok
18:21:10.0796 2592 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) F:\WINDOWS\system32\drivers\Fs_Rec.sys
18:21:10.0796 2592 Fs_Rec - ok
18:21:10.0812 2592 Ftdisk (6ac26732762483366c3969c9e4d2259d) F:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:21:10.0828 2592 Ftdisk - ok
18:21:10.0859 2592 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) F:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
18:21:10.0859 2592 GEARAspiWDM - ok
18:21:10.0875 2592 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) F:\WINDOWS\system32\DRIVERS\msgpc.sys
18:21:10.0875 2592 Gpc - ok
18:21:10.0906 2592 HDAudBus (573c7d0a32852b48f3058cfd8026f511) F:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:21:10.0906 2592 HDAudBus - ok
18:21:10.0937 2592 hidusb (ccf82c5ec8a7326c3066de870c06daf1) F:\WINDOWS\system32\DRIVERS\hidusb.sys
18:21:10.0937 2592 hidusb - ok
18:21:10.0953 2592 hpn - ok
18:21:11.0000 2592 HTTP (f80a415ef82cd06ffaf0d971528ead38) F:\WINDOWS\system32\Drivers\HTTP.sys
18:21:11.0000 2592 HTTP - ok
18:21:11.0015 2592 i2omgmt - ok
18:21:11.0031 2592 i2omp - ok
18:21:11.0046 2592 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) F:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:21:11.0046 2592 i8042prt - ok
18:21:11.0078 2592 Imapi (083a052659f5310dd8b6a6cb05edcf8e) F:\WINDOWS\system32\DRIVERS\imapi.sys
18:21:11.0078 2592 Imapi - ok
18:21:11.0093 2592 ini910u - ok
18:21:11.0203 2592 IntcAzAudAddService (a30685283f90ae02f1cd50972c6065e3) F:\WINDOWS\system32\drivers\RtkHDAud.sys
18:21:11.0234 2592 IntcAzAudAddService - ok
18:21:11.0265 2592 IntelIde - ok
18:21:11.0312 2592 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) F:\WINDOWS\system32\drivers\ip6fw.sys
18:21:11.0312 2592 Ip6Fw - ok
18:21:11.0343 2592 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) F:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:21:11.0343 2592 IpFilterDriver - ok
18:21:11.0359 2592 IpInIp (b87ab476dcf76e72010632b5550955f5) F:\WINDOWS\system32\DRIVERS\ipinip.sys
18:21:11.0359 2592 IpInIp - ok
18:21:11.0375 2592 IpNat (cc748ea12c6effde940ee98098bf96bb) F:\WINDOWS\system32\DRIVERS\ipnat.sys
18:21:11.0390 2592 IpNat - ok
18:21:11.0406 2592 IPSec (23c74d75e36e7158768dd63d92789a91) F:\WINDOWS\system32\DRIVERS\ipsec.sys
18:21:11.0406 2592 IPSec - ok
18:21:11.0468 2592 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) F:\WINDOWS\system32\DRIVERS\irenum.sys
18:21:11.0468 2592 IRENUM - ok
18:21:11.0500 2592 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) F:\WINDOWS\system32\DRIVERS\isapnp.sys
18:21:11.0500 2592 isapnp - ok
18:21:11.0515 2592 Kbdclass (463c1ec80cd17420a542b7f36a36f128) F:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:21:11.0515 2592 Kbdclass - ok
18:21:11.0562 2592 kmixer (692bcf44383d056aed41b045a323d378) F:\WINDOWS\system32\drivers\kmixer.sys
18:21:11.0562 2592 kmixer - ok
18:21:11.0593 2592 KSecDD (b467646c54cc746128904e1654c750c1) F:\WINDOWS\system32\drivers\KSecDD.sys
18:21:11.0593 2592 KSecDD - ok
18:21:11.0625 2592 lbrtfdc - ok
18:21:11.0671 2592 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) F:\WINDOWS\system32\drivers\mnmdd.sys
18:21:11.0671 2592 mnmdd - ok
18:21:11.0703 2592 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) F:\WINDOWS\system32\drivers\Modem.sys
18:21:11.0703 2592 Modem - ok
18:21:11.0718 2592 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) F:\WINDOWS\system32\DRIVERS\mouclass.sys
18:21:11.0718 2592 Mouclass - ok
18:21:11.0781 2592 mouhid (b1c303e17fb9d46e87a98e4ba6769685) F:\WINDOWS\system32\DRIVERS\mouhid.sys
18:21:11.0781 2592 mouhid - ok
18:21:11.0812 2592 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) F:\WINDOWS\system32\drivers\MountMgr.sys
18:21:11.0828 2592 MountMgr - ok
18:21:11.0843 2592 mraid35x - ok
18:21:11.0875 2592 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) F:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:21:11.0875 2592 MRxDAV - ok
18:21:11.0906 2592 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) F:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:21:11.0906 2592 MRxSmb - ok
18:21:11.0953 2592 Msfs (c941ea2454ba8350021d774daf0f1027) F:\WINDOWS\system32\drivers\Msfs.sys
18:21:11.0953 2592 Msfs - ok
18:21:11.0984 2592 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) F:\WINDOWS\system32\drivers\MSKSSRV.sys
18:21:11.0984 2592 MSKSSRV - ok
18:21:12.0015 2592 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) F:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:21:12.0015 2592 MSPCLOCK - ok
18:21:12.0062 2592 MSPQM (bad59648ba099da4a17680b39730cb3d) F:\WINDOWS\system32\drivers\MSPQM.sys
18:21:12.0062 2592 MSPQM - ok
18:21:12.0078 2592 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) F:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:21:12.0078 2592 mssmbios - ok
18:21:12.0125 2592 Mup (de6a75f5c270e756c5508d94b6cf68f5) F:\WINDOWS\system32\drivers\Mup.sys
18:21:12.0125 2592 Mup - ok
18:21:12.0156 2592 NDIS (1df7f42665c94b825322fae71721130d) F:\WINDOWS\system32\drivers\NDIS.sys
18:21:12.0156 2592 NDIS - ok
18:21:12.0218 2592 NdisTapi (0109c4f3850dfbab279542515386ae22) F:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:21:12.0218 2592 NdisTapi - ok
18:21:12.0250 2592 Ndisuio (f927a4434c5028758a842943ef1a3849) F:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:21:12.0250 2592 Ndisuio - ok
18:21:12.0281 2592 NdisWan (edc1531a49c80614b2cfda43ca8659ab) F:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:21:12.0281 2592 NdisWan - ok
18:21:12.0296 2592 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) F:\WINDOWS\system32\drivers\NDProxy.sys
18:21:12.0312 2592 NDProxy - ok
18:21:12.0343 2592 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) F:\WINDOWS\system32\DRIVERS\netbios.sys
18:21:12.0343 2592 NetBIOS - ok
18:21:12.0359 2592 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) F:\WINDOWS\system32\DRIVERS\netbt.sys
18:21:12.0359 2592 NetBT - ok
18:21:12.0406 2592 Npfs (3182d64ae053d6fb034f44b6def8034a) F:\WINDOWS\system32\drivers\Npfs.sys
18:21:12.0406 2592 Npfs - ok
18:21:12.0437 2592 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) F:\WINDOWS\system32\drivers\Ntfs.sys
18:21:12.0437 2592 Ntfs - ok
18:21:12.0484 2592 Null (73c1e1f395918bc2c6dd67af7591a3ad) F:\WINDOWS\system32\drivers\Null.sys
18:21:12.0484 2592 Null - ok
18:21:12.0796 2592 nv (8b2c874897ea498da012284e12f9db2b) F:\WINDOWS\system32\DRIVERS\nv4_mini.sys
18:21:12.0906 2592 nv - ok
18:21:12.0968 2592 NVENETFD (7d275ecda4628318912f6c945d5cf963) F:\WINDOWS\system32\DRIVERS\NVENETFD.sys
18:21:12.0968 2592 NVENETFD - ok
18:21:13.0000 2592 nvnetbus (b64aacefad2be5bff5353fe681253c67) F:\WINDOWS\system32\DRIVERS\nvnetbus.sys
18:21:13.0015 2592 nvnetbus - ok
18:21:13.0046 2592 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) F:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:21:13.0046 2592 NwlnkFlt - ok
18:21:13.0062 2592 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) F:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:21:13.0062 2592 NwlnkFwd - ok
18:21:13.0109 2592 Parport (5575faf8f97ce5e713d108c2a58d7c7c) F:\WINDOWS\system32\DRIVERS\parport.sys
18:21:13.0109 2592 Parport - ok
18:21:13.0156 2592 PartMgr (beb3ba25197665d82ec7065b724171c6) F:\WINDOWS\system32\drivers\PartMgr.sys
18:21:13.0156 2592 PartMgr - ok
18:21:13.0203 2592 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) F:\WINDOWS\system32\drivers\ParVdm.sys
18:21:13.0203 2592 ParVdm - ok
18:21:13.0218 2592 PCI (a219903ccf74233761d92bef471a07b1) F:\WINDOWS\system32\DRIVERS\pci.sys
18:21:13.0218 2592 PCI - ok
18:21:13.0234 2592 PCIDump - ok
18:21:13.0250 2592 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) F:\WINDOWS\system32\DRIVERS\pciide.sys
18:21:13.0250 2592 PCIIde - ok
18:21:13.0296 2592 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) F:\WINDOWS\system32\drivers\Pcmcia.sys
18:21:13.0312 2592 Pcmcia - ok
18:21:13.0328 2592 PDCOMP - ok
18:21:13.0343 2592 PDFRAME - ok
18:21:13.0343 2592 PDRELI - ok
18:21:13.0359 2592 PDRFRAME - ok
18:21:13.0375 2592 perc2 - ok
18:21:13.0390 2592 perc2hib - ok
18:21:13.0437 2592 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) F:\WINDOWS\system32\DRIVERS\raspptp.sys
18:21:13.0437 2592 PptpMiniport - ok
18:21:13.0453 2592 Processor (a32bebaf723557681bfc6bd93e98bd26) F:\WINDOWS\system32\DRIVERS\processr.sys
18:21:13.0453 2592 Processor - ok
18:21:13.0468 2592 PSched (09298ec810b07e5d582cb3a3f9255424) F:\WINDOWS\system32\DRIVERS\psched.sys
18:21:13.0484 2592 PSched - ok
18:21:13.0515 2592 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) F:\WINDOWS\system32\DRIVERS\ptilink.sys
18:21:13.0515 2592 Ptilink - ok
18:21:13.0531 2592 ql1080 - ok
18:21:13.0546 2592 Ql10wnt - ok
18:21:13.0546 2592 ql12160 - ok
18:21:13.0562 2592 ql1240 - ok
18:21:13.0578 2592 ql1280 - ok
18:21:13.0656 2592 RapportCerberus_34302 (6b6f0a77365667912360ff1d5e984f25) F:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_34302.sys
18:21:13.0656 2592 RapportCerberus_34302 - ok
18:21:13.0703 2592 RapportEI (34992b59780a8a227a9eb54c97dc4608) F:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
18:21:13.0703 2592 RapportEI - ok
18:21:13.0734 2592 RapportIaso (dd3e4610de9252a957c5bd19bdf47ac4) f:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys
18:21:13.0734 2592 RapportIaso - ok
18:21:13.0843 2592 RapportKELL (a231b5552148ade82ed3dfba25919b75) F:\WINDOWS\system32\Drivers\RapportKELL.sys
18:21:13.0843 2592 RapportKELL - ok
18:21:13.0937 2592 RapportPG (060f8e34707d68178a564935ce4546eb) F:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
18:21:13.0953 2592 RapportPG - ok
18:21:14.0000 2592 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) F:\WINDOWS\system32\DRIVERS\rasacd.sys
18:21:14.0000 2592 RasAcd - ok
18:21:14.0031 2592 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) F:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:21:14.0031 2592 Rasl2tp - ok
18:21:14.0078 2592 RasPppoe (5bc962f2654137c9909c3d4603587dee) F:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:21:14.0078 2592 RasPppoe - ok
18:21:14.0125 2592 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) F:\WINDOWS\system32\DRIVERS\raspti.sys
18:21:14.0125 2592 Raspti - ok
18:21:14.0171 2592 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) F:\WINDOWS\system32\DRIVERS\rdbss.sys
18:21:14.0171 2592 Rdbss - ok
18:21:14.0203 2592 RDPCDD (4912d5b403614ce99c28420f75353332) F:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:21:14.0203 2592 RDPCDD - ok
18:21:14.0234 2592 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) F:\WINDOWS\system32\drivers\RDPWD.sys
18:21:14.0234 2592 RDPWD - ok
18:21:14.0296 2592 redbook (f828dd7e1419b6653894a8f97a0094c5) F:\WINDOWS\system32\DRIVERS\redbook.sys
18:21:14.0312 2592 redbook - ok
18:21:14.0343 2592 RimUsb (4f4a4c09cc5be58a76cac1c337e004e6) F:\WINDOWS\system32\Drivers\RimUsb.sys
18:21:14.0359 2592 RimUsb - ok
18:21:14.0375 2592 RimVSerPort (3a5633ad615e2b15291bd0b1b97ccd8a) F:\WINDOWS\system32\DRIVERS\RimSerial.sys
18:21:14.0375 2592 RimVSerPort - ok
18:21:14.0390 2592 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) F:\WINDOWS\system32\Drivers\RootMdm.sys
18:21:14.0390 2592 ROOTMODEM - ok
18:21:14.0484 2592 rtl8185 (bed02b1eacf81f0392bc71ffcd94eee6) F:\WINDOWS\system32\DRIVERS\rtl8185.sys
18:21:14.0484 2592 rtl8185 - ok
18:21:14.0515 2592 SBRE - ok
18:21:14.0562 2592 Secdrv (90a3935d05b494a5a39d37e71f09a677) F:\WINDOWS\system32\DRIVERS\secdrv.sys
18:21:14.0562 2592 Secdrv - ok
18:21:14.0578 2592 serenum (0f29512ccd6bead730039fb4bd2c85ce) F:\WINDOWS\system32\DRIVERS\serenum.sys
18:21:14.0593 2592 serenum - ok
18:21:14.0625 2592 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) F:\WINDOWS\system32\DRIVERS\serial.sys
18:21:14.0625 2592 Serial - ok
18:21:14.0656 2592 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) F:\WINDOWS\system32\drivers\Sfloppy.sys
18:21:14.0656 2592 Sfloppy - ok
18:21:14.0687 2592 Simbad - ok
18:21:14.0718 2592 SjyPkt (3d7ef286e806f9bd9339aa52e28dcd67) F:\WINDOWS\System32\Drivers\SjyPkt.sys
18:21:14.0718 2592 SjyPkt - ok
18:21:14.0750 2592 Sparrow - ok
18:21:14.0796 2592 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) F:\WINDOWS\system32\drivers\splitter.sys
18:21:14.0796 2592 splitter - ok
18:21:14.0859 2592 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) F:\WINDOWS\system32\DRIVERS\sr.sys
18:21:14.0859 2592 sr - ok
18:21:14.0890 2592 Srv (47ddfc2f003f7f9f0592c6874962a2e7) F:\WINDOWS\system32\DRIVERS\srv.sys
18:21:14.0890 2592 Srv - ok
18:21:14.0921 2592 swenum (3941d127aef12e93addf6fe6ee027e0f) F:\WINDOWS\system32\DRIVERS\swenum.sys
18:21:14.0921 2592 swenum - ok
18:21:14.0968 2592 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) F:\WINDOWS\system32\drivers\swmidi.sys
18:21:14.0968 2592 swmidi - ok
18:21:15.0031 2592 symc810 - ok
18:21:15.0046 2592 symc8xx - ok
18:21:15.0062 2592 sym_hi - ok
18:21:15.0062 2592 sym_u3 - ok
18:21:15.0078 2592 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) F:\WINDOWS\system32\drivers\sysaudio.sys
18:21:15.0078 2592 sysaudio - ok
18:21:15.0125 2592 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) F:\WINDOWS\system32\DRIVERS\tcpip.sys
18:21:15.0140 2592 Tcpip - ok
18:21:15.0187 2592 TDPIPE (6471a66807f5e104e4885f5b67349397) F:\WINDOWS\system32\drivers\TDPIPE.sys
18:21:15.0187 2592 TDPIPE - ok
18:21:15.0203 2592 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) F:\WINDOWS\system32\drivers\TDTCP.sys
18:21:15.0218 2592 TDTCP - ok
18:21:15.0281 2592 TermDD (88155247177638048422893737429d9e) F:\WINDOWS\system32\DRIVERS\termdd.sys
18:21:15.0296 2592 TermDD - ok
18:21:15.0328 2592 TosIde - ok
18:21:15.0359 2592 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) F:\WINDOWS\system32\drivers\Udfs.sys
18:21:15.0359 2592 Udfs - ok
18:21:15.0390 2592 ultra - ok
18:21:15.0421 2592 Update (402ddc88356b1bac0ee3dd1580c76a31) F:\WINDOWS\system32\DRIVERS\update.sys
18:21:15.0437 2592 Update - ok
18:21:15.0484 2592 USBAAPL (83cafcb53201bbac04d822f32438e244) F:\WINDOWS\system32\Drivers\usbaapl.sys
18:21:15.0484 2592 USBAAPL - ok
18:21:15.0531 2592 usbccgp (173f317ce0db8e21322e71b7e60a27e8) F:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:21:15.0531 2592 usbccgp - ok
18:21:15.0562 2592 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) F:\WINDOWS\system32\DRIVERS\usbehci.sys
18:21:15.0562 2592 usbehci - ok
18:21:15.0593 2592 usbhub (1ab3cdde553b6e064d2e754efe20285c) F:\WINDOWS\system32\DRIVERS\usbhub.sys
18:21:15.0593 2592 usbhub - ok
18:21:15.0609 2592 usbohci (0daecce65366ea32b162f85f07c6753b) F:\WINDOWS\system32\DRIVERS\usbohci.sys
18:21:15.0609 2592 usbohci - ok
18:21:15.0625 2592 usbprint (a717c8721046828520c9edf31288fc00) F:\WINDOWS\system32\DRIVERS\usbprint.sys
18:21:15.0625 2592 usbprint - ok
18:21:15.0656 2592 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) F:\WINDOWS\system32\DRIVERS\usbscan.sys
18:21:15.0656 2592 usbscan - ok
18:21:15.0718 2592 usbstor (a32426d9b14a089eaa1d922e0c5801a9) F:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:21:15.0718 2592 usbstor - ok
18:21:15.0734 2592 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) F:\WINDOWS\System32\drivers\vga.sys
18:21:15.0734 2592 VgaSave - ok
18:21:15.0781 2592 ViaIde - ok
18:21:15.0812 2592 VolSnap (4c8fcb5cc53aab716d810740fe59d025) F:\WINDOWS\system32\drivers\VolSnap.sys
18:21:15.0828 2592 VolSnap - ok
18:21:15.0843 2592 Wanarp (e20b95baedb550f32dd489265c1da1f6) F:\WINDOWS\system32\DRIVERS\wanarp.sys
18:21:15.0859 2592 Wanarp - ok
18:21:15.0890 2592 Wdf01000 (d918617b46457b9ac28027722e30f647) F:\WINDOWS\system32\Drivers\wdf01000.sys
18:21:15.0890 2592 Wdf01000 - ok
18:21:15.0953 2592 WDICA - ok
18:21:15.0968 2592 wdmaud (6768acf64b18196494413695f0c3a00f) F:\WINDOWS\system32\drivers\wdmaud.sys
18:21:15.0984 2592 wdmaud - ok
18:21:16.0062 2592 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) F:\WINDOWS\System32\drivers\ws2ifsl.sys
18:21:16.0062 2592 WS2IFSL - ok
18:21:16.0109 2592 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:21:16.0265 2592 \Device\Harddisk0\DR0 - ok
18:21:16.0281 2592 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
18:21:16.0281 2592 \Device\Harddisk1\DR1 - ok
18:21:16.0328 2592 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR5
18:21:16.0796 2592 \Device\Harddisk2\DR5 - ok
18:21:16.0812 2592 Boot (0x1200) (76cbfd33d4c2e32423736149d8de1546) \Device\Harddisk0\DR0\Partition0
18:21:16.0812 2592 \Device\Harddisk0\DR0\Partition0 - ok
18:21:16.0812 2592 Boot (0x1200) (e18d1bef23a6b666302697d9f098df6b) \Device\Harddisk1\DR1\Partition0
18:21:16.0812 2592 \Device\Harddisk1\DR1\Partition0 - ok
18:21:16.0843 2592 Boot (0x1200) (1e0b2d947a41f8c3420a4523ea50b3a2) \Device\Harddisk1\DR1\Partition1
18:21:16.0843 2592 \Device\Harddisk1\DR1\Partition1 - ok
18:21:16.0859 2592 Boot (0x1200) (f55078df5ffb4d1cc2922c6214e153e6) \Device\Harddisk2\DR5\Partition0
18:21:16.0859 2592 \Device\Harddisk2\DR5\Partition0 - ok
18:21:16.0859 2592 ============================================================
18:21:16.0859 2592 Scan finished
18:21:16.0859 2592 ============================================================
18:21:16.0875 1520 Detected object count: 1
18:21:16.0875 1520 Actual detected object count: 1
18:22:14.0937 1520 F:\WINDOWS\system32\DRIVERS\ACPI.sys - copied to quarantine
18:22:16.0375 1520 Backup copy found, using it..
18:22:16.0390 1520 F:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
18:22:16.0390 1520 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
18:22:27.0343 2212 Deinitialize success



...and here's the aswMBR log file (which was run after the second run of TDSSKiller)...



aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-05 18:14:01
-----------------------------
18:14:01.890 OS Version: Windows 5.1.2600 Service Pack 3
18:14:01.890 Number of processors: 1 586 0x5F02
18:14:01.890 ComputerName: PAULSPC UserName: Paul
18:14:02.593 Initialize success
18:14:09.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
18:14:09.859 Disk 0 Vendor: ST340016A 3.19 Size: 38036MB BusType: 3
18:14:09.859 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-22
18:14:09.859 Disk 1 Vendor: Hitachi_HDS721616PLA380 P22OABEA Size: 152626MB BusType: 3
18:14:09.875 Disk 0 MBR read successfully
18:14:09.875 Disk 0 MBR scan
18:14:09.875 Disk 0 Windows XP default MBR code
18:14:09.875 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
18:14:09.890 Disk 0 scanning sectors +78140160
18:14:10.328 Disk 0 scanning F:\WINDOWS\system32\drivers
18:14:14.781 Service scanning
18:14:15.109 Service ACPI F:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
18:14:23.296 Modules scanning
18:14:29.562 Disk 0 trace - called modules:
18:14:29.906 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8a5c38e1]<<
18:14:29.906 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a68cab8]
18:14:29.906 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000066[0x8a6edf18]
18:14:29.906 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-c[0x8a68ed98]
18:14:29.906 Scan finished successfully
18:14:46.625 Disk 0 MBR has been saved successfully to "F:\Documents and Settings\Paul\Desktop\MBR.dat"
18:14:46.625 The log file has been saved successfully to "F:\Documents and Settings\Paul\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-05 18:31:24
-----------------------------
18:31:24.796 OS Version: Windows 5.1.2600 Service Pack 3
18:31:24.796 Number of processors: 1 586 0x5F02
18:31:24.796 ComputerName: PAULSPC UserName: Paul
18:31:24.984 Initialize success
18:31:41.265 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
18:31:41.265 Disk 0 Vendor: ST340016A 3.19 Size: 38036MB BusType: 3
18:31:41.265 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-22
18:31:41.265 Disk 1 Vendor: Hitachi_HDS721616PLA380 P22OABEA Size: 152626MB BusType: 3
18:31:41.281 Disk 0 MBR read successfully
18:31:41.281 Disk 0 MBR scan
18:31:41.281 Disk 0 Windows XP default MBR code
18:31:41.281 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
18:31:41.296 Disk 0 scanning sectors +78140160
18:31:41.750 Disk 0 scanning F:\WINDOWS\system32\drivers
18:31:46.359 Service scanning
18:31:54.718 Modules scanning
18:31:59.625 Disk 0 trace - called modules:
18:31:59.640 ntkrnlpa.exe CLASSPNP.SYS disk.sys tsk6C.tmp hal.dll atapi.sys pciide.sys PCIIDEX.SYS
18:31:59.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6afab8]
18:31:59.968 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000067[0x8a6b4f18]
18:31:59.968 5 tsk6C.tmp[b7f68620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-c[0x8a608d98]
18:31:59.968 Scan finished successfully
18:32:24.593 Disk 0 MBR has been saved successfully to "F:\Documents and Settings\Paul\Desktop\MBR.dat"
18:32:24.593 The log file has been saved successfully to "F:\Documents and Settings\Paul\Desktop\aswMBR.txt"

MBR.dat attached as MBR.zip.

Apologies if this process isn't running as smoothly as it should and thank you once again for your help.

Cheers,

Dave
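Reading the two aswMBR runs above by eye is error-prone, so here is a small triage script, added as an example and not part of this thread or of aswMBR itself. It pulls out the three indicators an analyst looks for in this log format: a service the scanner reported as **LOCKED**, a >>UNKNOWN<< hook in the disk driver call chain, and any module in that chain outside an expected Windows XP IDE storage stack (the allowlist is an assumption of the example, not something aswMBR defines). The samples are constructed from the lines of the two runs posted above. The second run shows tsk6C.tmp in the chain; the thread does not say what that file is, so the script lists it for the analyst to look up rather than judging it.

```python
import re

# Constructed samples: the relevant lines of the two aswMBR runs posted in
# this thread (first run before the TDSSKiller cure, second run after it).
RUN_BEFORE_CURE = r"""
18:14:09.875 Disk 0 MBR read successfully
18:14:09.875 Disk 0 Windows XP default MBR code
18:14:14.781 Service scanning
18:14:15.109 Service ACPI F:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
18:14:23.296 Modules scanning
18:14:29.562 Disk 0 trace - called modules:
18:14:29.906 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x8a5c38e1]<<
18:14:29.906 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a68cab8]
18:14:29.906 Scan finished successfully
"""

RUN_AFTER_CURE = r"""
18:31:41.281 Disk 0 Windows XP default MBR code
18:31:46.359 Service scanning
18:31:54.718 Modules scanning
18:31:59.625 Disk 0 trace - called modules:
18:31:59.640 ntkrnlpa.exe CLASSPNP.SYS disk.sys tsk6C.tmp hal.dll atapi.sys pciide.sys PCIIDEX.SYS
18:31:59.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6afab8]
18:31:59.968 Scan finished successfully
"""

# Assumed allowlist for this example: the modules a clean XP IDE storage
# stack is expected to show in the "called modules" line. Anything else is
# reported for the analyst to look up, not condemned outright.
EXPECTED_STORAGE_STACK = {
    "ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll", "CLASSPNP.SYS", "disk.sys",
    "ACPI.sys", "atapi.sys", "pciide.sys", "PCIIDEX.SYS",
}

LOCKED_RE = re.compile(r"^\S+ Service (\S+) (\S+) \*\*LOCKED\*\*")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
TRACE_HEADER_RE = re.compile(r"^\S+ Disk \d+ trace - called modules:")
MBR_CODE_RE = re.compile(r"^\S+ Disk \d+ (.+ MBR code)$")


def triage_aswmbr(log_text):
    """Return the indicators found in one aswMBR log."""
    findings = {
        "mbr_code": None,          # e.g. "Windows XP default MBR code"
        "locked_services": [],     # (service name, driver path)
        "unknown_hooks": [],       # addresses of >>UNKNOWN<< chain entries
        "unexpected_modules": [],  # chain modules outside the allowlist
    }
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = MBR_CODE_RE.match(line)
        if m:
            findings["mbr_code"] = m.group(1)
        m = LOCKED_RE.match(line)
        if m:
            findings["locked_services"].append((m.group(1), m.group(2)))
        if TRACE_HEADER_RE.match(line) and i + 1 < len(lines):
            # The module chain is the line right after the trace header;
            # drop its timestamp, then pull out hooks and module names.
            chain = lines[i + 1].split(None, 1)[1]
            findings["unknown_hooks"].extend(UNKNOWN_RE.findall(chain))
            for module in UNKNOWN_RE.sub("", chain).split():
                if module not in EXPECTED_STORAGE_STACK:
                    findings["unexpected_modules"].append(module)
    findings["needs_attention"] = bool(
        findings["locked_services"]
        or findings["unknown_hooks"]
        or findings["unexpected_modules"]
        or findings["mbr_code"] != "Windows XP default MBR code"
    )
    return findings


if __name__ == "__main__":
    for label, log in (("before cure", RUN_BEFORE_CURE), ("after cure", RUN_AFTER_CURE)):
        print(label, triage_aswmbr(log))
```

On the first run the script reports the LOCKED ACPI service and the UNKNOWN hook at 0x8a5c38e1 sitting right after ACPI.sys in the chain, which is what pointed the helper at that driver; on the second run those are gone and only the unexplained tsk6C.tmp remains to be checked.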

#6 nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 March 2012 - 10:09 AM

Let's find out if you have a good copy of ACPI.sys in the computer.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    ACPI.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
===

Try to run ComboFix again.

If unable to get a log Boot to Safe Mode with Internet connection and run the file from Safe Mode.

Post the log if you can.

#7 Davros68x

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 06 March 2012 - 12:11 PM

Hi again,

I emailed your instructions to my mate - he ran System Look and here's the results...

SystemLook 30.07.11 by jpshortstuff
Log created at 15:42 on 06/03/2012 by Paul
Administrator - Elevation successful

========== filefind ==========

Searching for "ACPI.sys"
F:\WINDOWS\$NtServicePackUninstall$\acpi.sys -----c- 187776 bytes [22:05 21/07/2011] [12:00 28/02/2006] A10C7534F7223F4A73A948967D00E69B
F:\WINDOWS\ServicePackFiles\i386\acpi.sys -----c- 187776 bytes [18:36 13/04/2008] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
F:\WINDOWS\system32\drivers\acpi.sys --a---- 187776 bytes [12:00 28/02/2006] [18:23 05/03/2012] 8FD99680A539792A30E97944FDAECF17

-= EOF =-

...but when he tried running ComboFix he came across the same problems I did last time - first he turned off AVG and then shut down Windows Security Centre, but he still got error messages about the Malware Protection Centre (any suggestions of what it is or an easy way of turning it off?) - he ran it anyway but it locked up the PC and didn't produce a log, the same as last time.

I might pop round there in the coming days to see if I have any more luck doing the ComboFix thing but I thought it might be worth sending you this in the meantime.

Cheers,

Dave
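The SystemLook report above is the check that matters here: all three copies of acpi.sys are the same size (187776 bytes), so size alone tells you nothing, and only the MD5 shows whether the live driver matches the service-pack copy. Below is a parser for that report format with the comparison the helper did by eye, added as an example that is not part of the thread or of SystemLook. The first sample is the report posted above (taken after TDSSKiller had already cured the file); the second is entirely constructed, with an all-zero placeholder hash standing in for a patched driver, to show the failing case. The directory names are those from the page, and the check is only as good as the local reference copy: a match with F:\WINDOWS\ServicePackFiles\i386 means the two files are identical, not that either has been verified against a vendor hash.

```python
import re
from collections import defaultdict

# One result line of a SystemLook ":filefind" report:
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

# Sample 1: the SystemLook output posted in this thread, after the cure.
SYSTEMLOOK_AFTER_CURE = r"""
SystemLook 30.07.11 by jpshortstuff
Log created at 15:42 on 06/03/2012 by Paul
Administrator - Elevation successful

========== filefind ==========

Searching for "ACPI.sys"
F:\WINDOWS\$NtServicePackUninstall$\acpi.sys -----c- 187776 bytes [22:05 21/07/2011] [12:00 28/02/2006] A10C7534F7223F4A73A948967D00E69B
F:\WINDOWS\ServicePackFiles\i386\acpi.sys -----c- 187776 bytes [18:36 13/04/2008] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
F:\WINDOWS\system32\drivers\acpi.sys --a---- 187776 bytes [12:00 28/02/2006] [18:23 05/03/2012] 8FD99680A539792A30E97944FDAECF17

-= EOF =-
"""

# Sample 2 is entirely constructed: same layout, but the live driver carries
# a placeholder hash (all zeros) that differs from the service-pack copy,
# while the size is unchanged, as an in-place patched file would look.
SYSTEMLOOK_PATCHED_DRIVER = r"""
Searching for "ACPI.sys"
F:\WINDOWS\ServicePackFiles\i386\acpi.sys -----c- 187776 bytes [18:36 13/04/2008] [18:36 13/04/2008] 8FD99680A539792A30E97944FDAECF17
F:\WINDOWS\system32\drivers\acpi.sys --a---- 187776 bytes [12:00 28/02/2006] [18:27 13/02/2012] 00000000000000000000000000000000
"""

LIVE_DIR = r"F:\WINDOWS\system32\drivers"          # driver Windows actually loads
REFERENCE_DIR = r"F:\WINDOWS\ServicePackFiles\i386"  # local pristine copy


def parse_filefind(log_text):
    """Parse the result lines of a SystemLook :filefind report."""
    entries = []
    for line in log_text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def copies_by_hash(entries):
    """Group the paths found by MD5 so identical copies stand out."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def compare_live_to_reference(entries, live_dir, reference_dir):
    """Check the in-use driver against the local reference copy.

    Returns None if either file is missing from the report, otherwise a
    dict with both hashes and whether hash and size agree.
    """
    def find(directory):
        prefix = directory.lower() + "\\"
        for e in entries:
            if e["path"].lower().startswith(prefix):
                return e
        return None

    live, ref = find(live_dir), find(reference_dir)
    if live is None or ref is None:
        return None
    return {
        "live_md5": live["md5"],
        "reference_md5": ref["md5"],
        "hash_match": live["md5"] == ref["md5"],
        "size_match": live["size"] == ref["size"],
    }


if __name__ == "__main__":
    for label, text in (("posted report", SYSTEMLOOK_AFTER_CURE),
                        ("constructed patched case", SYSTEMLOOK_PATCHED_DRIVER)):
        entries = parse_filefind(text)
        print(label, compare_live_to_reference(entries, LIVE_DIR, REFERENCE_DIR))
```

The $NtServicePackUninstall$ copy has a different hash from the other two, which is expected: it is the pre-service-pack version kept for rollback, so it is deliberately not used as the reference here.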

#8 nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 March 2012 - 02:00 PM

The only way he may be able to run ComboFix is to remove AVG completely.

Please download the AVG Remover and Save it to your Desktop.
  • Close all programs and double-click avgremover.exe then click Run
  • In Vista/Win7, right-click and choose 'Run as administrator'.
  • Follow the on-screen instructions.
  • Restart your computer if asked.
  • Then delete avgremover.exe from your desktop.
===

Have your friend copy this file in bold.
F:\WINDOWS\ServicePackFiles\i386\acpi.sys

to the C:\ drive. ( to be used as a backup copy)

Next copy the file from C:\drive to the folder below replacing the acpi.sys file.

F:\WINDOWS\system32\drivers\acpi.sys

He may have to do this in SAFE mode.

Should he not be able to do it and he can post a ComboFix log I will write a script to do it.

Keep me posted.

#9 Davros68x

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 06 March 2012 - 02:35 PM

I'll get him to give it a go - one question - should he try running ComboFix before or after the acpi.sys bit?

#10 nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 March 2012 - 08:51 AM

After.

#11 Davros68x

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 09 March 2012 - 12:56 PM

Hi Nasdaq,

I'm afraid it's still not going to plan.

I went around to my mate's place to make the changes myself as he was worried the reason things weren't running smoothly was down to him.

I ran the AVG remover, rebooted as instructed, it restarted and restarted the AVG remover but froze soon afterwards. I rebooted and AVG was still in the icon tray although Anti-virus said Driver not Installed and one of the other programme functions was similarly disabled. I tried uninstalling AVG via Control Panel - that came up with an error - so I tried with AVG's uninstall option and finally got rid of AVG.

I then moved the acpi.sys files as instructed - that went well!

I ran ComboFix but as with all the other times it told me that Malware Protection Centre was running - I rebooted in Safe Mode, tried again and still got the same message. Eventually I thought "I'm past caring" and clicked continue - it froze in the same way it had every other time with the progress bar having moved about halfway across its window and then did nothing - I left it for over an hour (just in case it was still working) before having to reboot the PC via the power button.

I had to return home that evening but my mate re-installed AVG this morning and the machine is working fine - I guess we just don't know if there are any remnants of the malware on the PC still causing problems.

Apologies if this one's a bit trickier than other problems you deal with and thanks for your continued assistance.

Cheers,

Dave

#12 nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 March 2012 - 09:30 AM

Sorry for this long delay. I lost my internet all day yesterday and just got it back.

After replacing the file and reinstalling AVG all that was needed was one or two restarts of the computer to reset the registry.

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 26


===

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.10 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus. Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#13 Davros68x

  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male

Posted 13 March 2012 - 07:07 AM

Hi Nasdaq,

Many thanks from myself and my friend for your invaluable assistance.

It's much appreciated.

More power to your elbow.

Cheers,

Dave

#14 nasdaq

  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 March 2012 - 09:36 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
