
TDL4@MBR Rootkit Removal


14 replies to this topic

#1 tsusm


Posted 10 March 2012 - 09:06 PM

Greetings bleepers... and thanks in advance!

I need help removing a rootkit GMER has identified as TDL4@MBR. Google search matches are redirecting to other pages in Firefox, and Firefox and multiple other programs are hanging when I try to save, open, or import files. Also, within a few minutes of every boot-up, I always receive a message saying "Host Process for Windows Services has stopped working". Here are the problem details provided in the window that pops up:

Problem signature:
Problem Event Name: APPCRASH
Application Name: svchost.exe
Application Version: 6.0.6001.18000
Application Timestamp: 47918b89
Fault Module Name: ntdll.dll
Fault Module Version: 6.0.6001.18538
Fault Module Timestamp: 4cb733dc
Exception Code: c0000005
Exception Offset: 00059cce
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 1033
Additional Information 1: 0e02
Additional Information 2: b21b56b606e7544720668ce364087082
Additional Information 3: 0e02
Additional Information 4: b21b56b606e7544720668ce364087082

I believe it's the only infection on the computer--nightly AVG scans and weekly Malwarebytes scans haven't found anything more.

Please let me know if you need more details!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_17
Run by acarva1 at 18:36:29 on 2012-03-10
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\NTR global\NTRconnect\NTRconnect.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Windows\system32\WUDFHost.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Logitech\SetPointP\LBTWiz.exe
C:\Acer\Empowering Technology\SysMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe
C:\Users\acarva1\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\HP\HP Software Update\HPWUCli.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\RUNDLL32.EXE
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\acarva1\Documents\Application Setup Files\dds.scr
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://en.us.acer.yahoo.com
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Acer Tour Reminder]
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Zune Launcher] "k:\!new files!\programs\zune\ZuneLauncher.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [Acer Empowering Technology Monitor] c:\acer\empowering technology\SysMonitor.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
dRun: [<NO NAME>]
dRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Winamp Search - c:\programdata\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
Trusted Zone: txstate.edu\ibis.sap
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E0D1139C-2D11-472C-8B77-0DBC6551E80F} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\acarva1\appdata\roaming\mozilla\firefox\profiles\3nknrta9.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com
FF - component: c:\program files\avg\avg10\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPFxViewer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\openoffice.org 3\program\npsoplugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\acarva1\appdata\local\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll
FF - plugin: c:\users\acarva1\appdata\roaming\mozilla\firefox\profiles\3nknrta9.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? fssfltr;fssfltr
R? fsssvc;Windows Live Family Safety Service
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter
R? LHidEqd;Logitech SetPoint Unifying KMDF HID Filter
R? MSSQLServerADHelper100;SQL Active Directory Helper Service
R? RsFx0103;RsFx0103 Driver
R? SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS)
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? Acer HomeMedia Connect Service;Acer HomeMedia Connect Service
S? ALSysIO;ALSysIO
S? AVGIDSAgent;AVGIDSAgent
S? AVGIDSDriver;AVGIDSDriver
S? AVGIDSEH;AVGIDSEH
S? AVGIDSFilter;AVGIDSFilter
S? AVGIDSShim;AVGIDSShim
S? Avgldx86;AVG AVI Loader Driver
S? Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield
S? Avgrkx86;AVG Anti-Rootkit Driver
S? Avgtdix;AVG TDI Driver
S? avgwd;AVG WatchDog
S? cpuz135;cpuz135
S? MEMSWEEP2;MEMSWEEP2
S? ntrconnect;ntrconnect
S? RVIEGVST;VSC VST Engine
.
=============== Created Last 30 ================
.
2012-03-10 18:34:38 -------- d-----w- c:\program files\Sophos
2012-02-18 02:15:32 -------- d-----w- c:\users\acarva1\appdata\local\Solid State Networks
2012-02-13 10:49:30 -------- d-----w- c:\program files\iPod
2012-02-13 10:49:22 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2012-03-05 21:06:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 18:38:22.32 ===============
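The DDS "Pseudo HJT Report" above is what a helper reads first, and the items that matter in this one are the two `Hosts:` lines sending www.google.com and www.bing.com to a public address (the search-redirect mechanism), the `dplaysvr` autoruns launched from the SYSTEM profile's AppData, `EnableLUA = 0`, and the orphaned BHO. As an added example, not DDS code and not the helper's own method, here is a small triage script for that line format; the sample lines are constructed from entries in the posted log, and the severity labels and path heuristic are assumptions made for illustration.

```python
"""Triage of DDS 'Pseudo HJT Report' lines.

Added example for this thread, not DDS code and not the helper's own method.
The sample lines are constructed to mirror entries in the posted log; the
severity labels and the path heuristic are assumptions made for illustration.
"""
import ipaddress
import re

# Constructed sample in DDS pseudo-HJT format (values taken from the log above).
SAMPLE_REPORT = r"""
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
mPolicies-system: EnableLUA = 0 (0x0)
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
Hosts: 127.0.0.1 localhost
Hosts: 94.63.147.16 www.google.com
Hosts: 94.63.147.17 www.bing.com
TCP: DhcpNameServer = 192.168.1.1
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^([umd]Run(?:Once)?):\s+\[([^\]]*)\]\s*(.*)$")
POLICY_RE = re.compile(r"^mPolicies-system:\s+EnableLUA\s*=\s*(\d+)")
NOFILE_RE = re.compile(r"^(?:BHO|TB):.*-\s+No File$")

# Autorun locations that installed software should not be launching from
# (assumed heuristic; the SYSTEM profile's AppData is where this log's
# dplaysvr.exe lives).
SUSPICIOUS_RUN_PATHS = (
    "\\config\\systemprofile\\",
    "\\appdata\\local\\temp\\",
)


def hosts_override(ip, host):
    """True when a hosts entry maps a name to anything other than loopback or 0.0.0.0.

    Legitimate hosts entries almost always point at 127.0.0.1, ::1 or 0.0.0.0
    (ad/tracker blocking); a public address for a search engine is a redirect.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_unspecified)


def triage(report):
    """Return (severity, description) tuples for the notable lines in a report."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if hosts_override(ip, host):
                findings.append(("high", f"hosts file sends {host} to {ip}"))
            continue
        m = RUN_RE.match(line)
        if m:
            key, name, cmd = m.groups()
            if any(p in cmd.lower() for p in SUSPICIOUS_RUN_PATHS):
                findings.append(("high", f"{key} [{name}] runs from an unusual path: {cmd}"))
            continue
        m = POLICY_RE.match(line)
        if m:
            if m.group(1) == "0":
                findings.append(("medium", "UAC is disabled (EnableLUA = 0)"))
            continue
        if NOFILE_RE.match(line):
            findings.append(("low", f"orphaned browser add-on entry: {line}"))
    return findings


def count_by_severity(findings):
    """Tally findings per severity label."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, text in triage(SAMPLE_REPORT):
        print(f"[{sev:6}] {text}")
```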


#2 CatByte

  • Malware Response Team

Posted 10 March 2012 - 09:19 PM

Hi,

Please do the following:
Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System is found then ensure Delete is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

NEXT

Refer to the ComboFix User's Guide

  • Download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 tsusm


Posted 10 March 2012 - 09:41 PM

The TDSSKiller report is posted below. The program found an object called "TDSS File System". Should I run a second scan and mark that for deletion as well?

20:27:43.0322 4592 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
20:27:44.0998 4592 ============================================================
20:27:44.0998 4592 Current date / time: 2012/03/10 20:27:44.0998
20:27:44.0998 4592 SystemInfo:
20:27:44.0998 4592
20:27:44.0998 4592 OS Version: 6.0.6001 ServicePack: 1.0
20:27:44.0998 4592 Product type: Workstation
20:27:44.0998 4592 ComputerName: AC-PC
20:27:44.0999 4592 UserName: acarva1
20:27:44.0999 4592 Windows directory: C:\Windows
20:27:44.0999 4592 System windows directory: C:\Windows
20:27:44.0999 4592 Processor architecture: Intel x86
20:27:44.0999 4592 Number of processors: 2
20:27:44.0999 4592 Page size: 0x1000
20:27:44.0999 4592 Boot type: Normal boot
20:27:44.0999 4592 ============================================================
20:27:46.0163 4592 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
20:27:46.0213 4592 Drive \Device\Harddisk4\DR4 - Size: 0x78400000 (1.88 Gb), SectorSize: 0x200, Cylinders: 0xF5, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
20:27:46.0218 4592 Drive \Device\Harddisk5\DR5 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
20:27:53.0857 4592 Drive \Device\Harddisk6\DR6 - Size: 0x1E98D1A00 (7.65 Gb), SectorSize: 0x200, Cylinders: 0x3E6, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
20:27:53.0858 4592 \Device\Harddisk0\DR0:
20:27:53.0858 4592 MBR used
20:27:53.0858 4592 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x6, StartLBA 0x1384C7A, BlocksNum 0xDF646B5
20:27:53.0858 4592 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xF2E932F, BlocksNum 0xDEDB252
20:27:53.0858 4592 \Device\Harddisk4\DR4:
20:27:53.0862 4592 MBR used
20:27:53.0862 4592 \Device\Harddisk4\DR4\Partition0: MBR, Type 0x6, StartLBA 0x2F, BlocksNum 0x3C1FD1
20:27:53.0862 4592 \Device\Harddisk5\DR5:
20:27:53.0862 4592 MBR used
20:27:53.0862 4592 \Device\Harddisk5\DR5\Partition0: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0x74705982
20:27:53.0863 4592 \Device\Harddisk6\DR6:
20:27:53.0863 4592 MBR used
20:27:53.0863 4592 \Device\Harddisk6\DR6\Partition0: MBR, Type 0xB, StartLBA 0x3A, BlocksNum 0xF4656B
20:27:53.0935 4592 Initialize success
20:27:53.0935 4592 ============================================================
20:28:13.0672 6232 ============================================================
20:28:13.0672 6232 Scan started
20:28:13.0672 6232 Mode: Manual; TDLFS;
20:28:13.0672 6232 ============================================================
20:28:31.0186 6232 LHidFilt - ok
20:28:31.0271 6232 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
20:28:31.0298 6232 lltdio - ok
20:28:31.0372 6232 LMouFilt (84af069d219df3c43dc6792b2bbd7bed) C:\Windows\system32\DRIVERS\LMouFilt.Sys
20:28:31.0374 6232 LMouFilt - ok
20:28:31.0444 6232 LMouKE (c734b8ba039e5cad9687d8885cbeaea3) C:\Windows\system32\DRIVERS\LMouKE.Sys
20:28:31.0450 6232 LMouKE - ok
20:28:31.0505 6232 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
20:28:31.0516 6232 LSI_FC - ok
20:28:31.0560 6232 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
20:28:31.0564 6232 LSI_SAS - ok
20:28:31.0586 6232 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
20:28:31.0590 6232 LSI_SCSI - ok
20:28:31.0681 6232 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
20:28:31.0684 6232 luafv - ok
20:28:31.0793 6232 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\Windows\system32\Drivers\LVPr2Mon.sys
20:28:31.0801 6232 LVPr2Mon - ok
20:28:31.0903 6232 LVRS (87ecce893d8aec5a9337b917742d339c) C:\Windows\system32\DRIVERS\lvrs.sys
20:28:31.0919 6232 LVRS - ok
20:28:32.0004 6232 LVUSBSta (5f987fc1aad215ec2c60cf07719b1cce) C:\Windows\system32\drivers\LVUSBSta.sys
20:28:32.0006 6232 LVUSBSta - ok
20:28:32.0091 6232 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
20:28:32.0093 6232 megasas - ok
20:28:32.0195 6232 MEMSWEEP2 - ok
20:28:32.0391 6232 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
20:28:32.0393 6232 Modem - ok
20:28:32.0583 6232 MODEMCSA (cbb59c41f19efea1a000793e08070a62) C:\Windows\system32\drivers\MODEMCSA.sys
20:28:32.0609 6232 MODEMCSA - ok
20:28:32.0801 6232 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
20:28:32.0803 6232 monitor - ok
20:28:32.0850 6232 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
20:28:32.0852 6232 mouclass - ok
20:28:32.0872 6232 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
20:28:32.0874 6232 mouhid - ok
20:28:32.0937 6232 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
20:28:32.0940 6232 MountMgr - ok
20:28:33.0016 6232 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
20:28:33.0019 6232 mpio - ok
20:28:33.0063 6232 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
20:28:33.0081 6232 mpsdrv - ok
20:28:33.0313 6232 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
20:28:33.0340 6232 Mraid35x - ok
20:28:33.0506 6232 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys
20:28:33.0523 6232 MRxDAV - ok
20:28:33.0718 6232 mrxsmb (5734a0f2be7e495f7d3ed6efd4b9f5a1) C:\Windows\system32\DRIVERS\mrxsmb.sys
20:28:33.0777 6232 mrxsmb - ok
20:28:34.0113 6232 mrxsmb10 (6b5fa5adfacac9dbbe0991f4566d7d55) C:\Windows\system32\DRIVERS\mrxsmb10.sys
20:28:34.0132 6232 mrxsmb10 - ok
20:28:34.0218 6232 mrxsmb20 (5c80d8159181c7abf1b14ba703b01e0b) C:\Windows\system32\DRIVERS\mrxsmb20.sys
20:28:34.0224 6232 mrxsmb20 - ok
20:28:34.0251 6232 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
20:28:34.0253 6232 msahci - ok
20:28:34.0281 6232 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
20:28:34.0284 6232 msdsm - ok
20:28:34.0361 6232 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
20:28:34.0363 6232 Msfs - ok
20:28:34.0450 6232 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
20:28:34.0452 6232 msisadrv - ok
20:28:34.0499 6232 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
20:28:34.0513 6232 MSKSSRV - ok
20:28:34.0543 6232 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
20:28:34.0545 6232 MSPCLOCK - ok
20:28:34.0777 6232 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
20:28:34.0779 6232 MSPQM - ok
20:28:34.0869 6232 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys
20:28:34.0873 6232 MsRPC - ok
20:28:35.0256 6232 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
20:28:35.0278 6232 mssmbios - ok
20:28:35.0387 6232 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
20:28:35.0408 6232 MSTEE - ok
20:28:35.0563 6232 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys
20:28:35.0584 6232 Mup - ok
20:28:35.0723 6232 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys
20:28:35.0756 6232 NativeWifiP - ok
20:28:36.0113 6232 NDIS (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys
20:28:36.0133 6232 NDIS - ok
20:28:36.0219 6232 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
20:28:36.0221 6232 NdisTapi - ok
20:28:36.0253 6232 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
20:28:36.0266 6232 Ndisuio - ok
20:28:36.0446 6232 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys
20:28:36.0480 6232 NdisWan - ok
20:28:36.0616 6232 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
20:28:36.0637 6232 NDProxy - ok
20:28:36.0754 6232 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
20:28:36.0756 6232 NetBIOS - ok
20:28:37.0059 6232 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys
20:28:37.0067 6232 netbt - ok
20:28:37.0405 6232 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
20:28:37.0414 6232 nfrd960 - ok
20:28:37.0523 6232 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys
20:28:37.0538 6232 Npfs - ok
20:28:37.0657 6232 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
20:28:37.0673 6232 nsiproxy - ok
20:28:37.0841 6232 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys
20:28:37.0858 6232 Ntfs - ok
20:28:37.0907 6232 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\Windows\system32\DRIVERS\NTIDrvr.sys
20:28:37.0909 6232 NTIDrvr - ok
20:28:38.0168 6232 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
20:28:38.0202 6232 ntrigdigi - ok
20:28:38.0307 6232 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
20:28:38.0324 6232 Null - ok
20:28:38.0371 6232 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
20:28:38.0374 6232 nvraid - ok
20:28:38.0392 6232 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
20:28:38.0395 6232 nvstor - ok
20:28:38.0488 6232 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
20:28:38.0492 6232 nv_agp - ok
20:28:38.0507 6232 NwlnkFlt - ok
20:28:38.0550 6232 NwlnkFwd - ok
20:28:38.0654 6232 ohci1394 (790e27c3db53410b40ff9ef2fd10a1d9) C:\Windows\system32\DRIVERS\ohci1394.sys
20:28:38.0680 6232 ohci1394 - ok
20:28:38.0760 6232 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
20:28:38.0763 6232 Parport - ok
20:28:38.0870 6232 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys
20:28:38.0884 6232 partmgr - ok
20:28:39.0015 6232 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
20:28:39.0031 6232 Parvdm - ok
20:28:39.0338 6232 pci (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys
20:28:39.0354 6232 pci - ok
20:28:39.0419 6232 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
20:28:39.0421 6232 pciide - ok
20:28:39.0490 6232 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
20:28:39.0495 6232 pcmcia - ok
20:28:39.0573 6232 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
20:28:39.0587 6232 PEAUTH - ok
20:28:39.0733 6232 pepifilter (b20f958b207e6aaac5f70d04dd2c30d8) C:\Windows\system32\DRIVERS\lv302af.sys
20:28:39.0753 6232 pepifilter - ok
20:28:40.0185 6232 PID_PEPI (dd184d9adfe2a8a21741dbdfe9e22f5c) C:\Windows\system32\DRIVERS\LV302V32.SYS
20:28:40.0331 6232 PID_PEPI - ok
20:28:40.0655 6232 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
20:28:40.0670 6232 PptpMiniport - ok
20:28:40.0786 6232 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
20:28:40.0789 6232 Processor - ok
20:28:40.0833 6232 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys
20:28:40.0836 6232 PSched - ok
20:28:41.0141 6232 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
20:28:41.0167 6232 PxHelp20 - ok
20:28:41.0455 6232 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
20:28:41.0500 6232 ql2300 - ok
20:28:41.0584 6232 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
20:28:41.0603 6232 ql40xx - ok
20:28:41.0694 6232 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
20:28:41.0712 6232 QWAVEdrv - ok
20:28:41.0839 6232 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
20:28:41.0855 6232 RasAcd - ok
20:28:42.0103 6232 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
20:28:42.0123 6232 Rasl2tp - ok
20:28:42.0207 6232 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys
20:28:42.0210 6232 RasPppoe - ok
20:28:42.0257 6232 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys
20:28:42.0273 6232 RasSstp - ok
20:28:42.0320 6232 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys
20:28:42.0326 6232 rdbss - ok
20:28:42.0475 6232 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
20:28:42.0493 6232 RDPCDD - ok
20:28:42.0754 6232 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
20:28:42.0759 6232 rdpdr - ok
20:28:42.0886 6232 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
20:28:42.0899 6232 RDPENCDD - ok
20:28:43.0017 6232 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys
20:28:43.0023 6232 RDPWD - ok
20:28:43.0292 6232 RFCOMM (34cc78c06587718c2ad6d3aa83b1f072) C:\Windows\system32\DRIVERS\rfcomm.sys
20:28:43.0309 6232 RFCOMM - ok
20:28:43.0540 6232 RimUsb - ok
20:28:43.0615 6232 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
20:28:43.0637 6232 RimVSerPort - ok
20:28:43.0787 6232 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
20:28:43.0789 6232 ROOTMODEM - ok
20:28:44.0195 6232 RsFx0103 (fd692c6ffade58f7c4c3c3c9a0ec35bd) C:\Windows\system32\DRIVERS\RsFx0103.sys
20:28:44.0229 6232 RsFx0103 - ok
20:28:44.0317 6232 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
20:28:44.0331 6232 rspndr - ok
20:28:44.0468 6232 RVIEG01 (93f66faea8bf047d4242ac85aada403d) C:\Program Files\Roland\Virtual Sound Canvas DXi\RVIEg01.sys
20:28:44.0492 6232 RVIEG01 - ok
20:28:44.0529 6232 RVIEGVST (3c74d9fdb1d9831ec932e89f3d874f00) C:\Program Files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys
20:28:44.0541 6232 RVIEGVST - ok
20:28:44.0757 6232 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
20:28:44.0760 6232 sbp2port - ok
20:28:44.0930 6232 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
20:28:44.0932 6232 secdrv - ok
20:28:45.0130 6232 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
20:28:45.0157 6232 Serenum - ok
20:28:45.0414 6232 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
20:28:45.0418 6232 Serial - ok
20:28:45.0506 6232 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
20:28:45.0509 6232 sermouse - ok
20:28:45.0722 6232 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
20:28:45.0757 6232 sffdisk - ok
20:28:45.0957 6232 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
20:28:45.0983 6232 sffp_mmc - ok
20:28:46.0276 6232 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
20:28:46.0302 6232 sffp_sd - ok
20:28:46.0532 6232 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
20:28:46.0543 6232 sfloppy - ok
20:28:46.0786 6232 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
20:28:46.0789 6232 sisagp - ok
20:28:46.0842 6232 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
20:28:46.0845 6232 SiSRaid2 - ok
20:28:47.0192 6232 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
20:28:47.0226 6232 SiSRaid4 - ok
20:28:47.0470 6232 Smb (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys
20:28:47.0486 6232 Smb - ok
20:28:47.0767 6232 smserial (d9bfd2298f5cf116d8eaae3b02dcee2e) C:\Windows\system32\DRIVERS\smserial.sys
20:28:47.0783 6232 smserial - ok
20:28:47.0925 6232 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
20:28:47.0927 6232 spldr - ok
20:28:48.0296 6232 srv (2252aef839b1093d16761189f45af885) C:\Windows\system32\DRIVERS\srv.sys
20:28:48.0330 6232 srv - ok
20:28:48.0538 6232 srv2 (b7ff59408034119476b00a81bb53d5d1) C:\Windows\system32\DRIVERS\srv2.sys
20:28:48.0542 6232 srv2 - ok
20:28:48.0631 6232 srvnet (2accc9b12af02030f531e6cca6f8b76e) C:\Windows\system32\DRIVERS\srvnet.sys
20:28:48.0637 6232 srvnet - ok
20:28:48.0737 6232 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
20:28:48.0739 6232 swenum - ok
20:28:48.0890 6232 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
20:28:48.0893 6232 Symc8xx - ok
20:28:49.0018 6232 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
20:28:49.0033 6232 Sym_hi - ok
20:28:49.0133 6232 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
20:28:49.0149 6232 Sym_u3 - ok
20:28:49.0278 6232 Tcpip (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\drivers\tcpip.sys
20:28:49.0294 6232 Tcpip - ok
20:28:49.0332 6232 Tcpip6 (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\DRIVERS\tcpip.sys
20:28:49.0342 6232 Tcpip6 - ok
20:28:49.0566 6232 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys
20:28:49.0578 6232 tcpipreg - ok
20:28:49.0719 6232 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
20:28:49.0736 6232 TDPIPE - ok
20:28:49.0798 6232 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
20:28:49.0811 6232 TDTCP - ok
20:28:50.0086 6232 tdx (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys
20:28:50.0096 6232 tdx - ok
20:28:50.0397 6232 TermDD (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
20:28:50.0407 6232 TermDD - ok
20:28:50.0593 6232 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
20:28:50.0607 6232 tssecsrv - ok
20:28:50.0719 6232 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
20:28:50.0754 6232 tunmp - ok
20:28:50.0922 6232 tunnel (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys
20:28:50.0925 6232 tunnel - ok
20:28:51.0114 6232 tvicport (97dd70feca64fb4f63de7bb7e66a80b1) C:\Windows\system32\drivers\tvicport.sys
20:28:51.0126 6232 tvicport - ok
20:28:51.0250 6232 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
20:28:51.0275 6232 uagp35 - ok
20:28:51.0430 6232 udfs (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys
20:28:51.0452 6232 udfs - ok
20:28:51.0731 6232 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
20:28:51.0742 6232 uliagpkx - ok
20:28:51.0897 6232 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
20:28:51.0902 6232 uliahci - ok
20:28:52.0197 6232 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
20:28:52.0217 6232 UlSata - ok
20:28:52.0300 6232 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
20:28:52.0303 6232 ulsata2 - ok
20:28:52.0351 6232 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
20:28:52.0365 6232 umbus - ok
20:28:52.0570 6232 UMPass (88bd96a1baeed33ee8bdf9499c07a841) C:\Windows\system32\DRIVERS\umpass.sys
20:28:52.0581 6232 UMPass - ok
20:28:52.0698 6232 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\Windows\system32\Drivers\usbaapl.sys
20:28:52.0701 6232 USBAAPL - ok
20:28:52.0759 6232 usbaudio (292a25bb75a568ae2c67169ba2c6365a) C:\Windows\system32\drivers\usbaudio.sys
20:28:52.0762 6232 usbaudio - ok
20:28:52.0794 6232 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
20:28:52.0796 6232 usbccgp - ok
20:28:52.0867 6232 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
20:28:52.0871 6232 usbcir - ok
20:28:52.0925 6232 usbehci (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys
20:28:52.0928 6232 usbehci - ok
20:28:52.0951 6232 usbhub (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys
20:28:52.0956 6232 usbhub - ok
20:28:52.0984 6232 usbohci (7bdb7b0e7d45ac0402d78b90789ef47c) C:\Windows\system32\DRIVERS\usbohci.sys
20:28:52.0997 6232 usbohci - ok
20:28:53.0207 6232 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
20:28:53.0219 6232 usbprint - ok
20:28:53.0443 6232 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
20:28:53.0457 6232 usbscan - ok
20:28:53.0493 6232 USBSTOR (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS
20:28:53.0496 6232 USBSTOR - ok
20:28:53.0584 6232 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
20:28:53.0587 6232 usbuhci - ok
20:28:53.0618 6232 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
20:28:53.0631 6232 vga - ok
20:28:53.0675 6232 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
20:28:53.0677 6232 VgaSave - ok
20:28:53.0709 6232 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
20:28:53.0727 6232 viaagp - ok
20:28:53.0861 6232 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
20:28:53.0864 6232 ViaC7 - ok
20:28:53.0900 6232 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
20:28:53.0903 6232 viaide - ok
20:28:53.0944 6232 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
20:28:53.0961 6232 volmgr - ok
20:28:54.0151 6232 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys
20:28:54.0161 6232 volmgrx - ok
20:28:54.0350 6232 volsnap (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys
20:28:54.0355 6232 volsnap - ok
20:28:54.0543 6232 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
20:28:54.0569 6232 vsmraid - ok
20:28:54.0785 6232 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
20:28:54.0801 6232 WacomPen - ok
20:28:54.0869 6232 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
20:28:54.0871 6232 Wanarp - ok
20:28:54.0878 6232 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
20:28:54.0880 6232 Wanarpv6 - ok
20:28:54.0940 6232 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
20:28:54.0942 6232 Wd - ok
20:28:55.0089 6232 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
20:28:55.0111 6232 Wdf01000 - ok
20:28:55.0339 6232 WinUSB (f03110711b17ad31271cb2baf0dbb2b1) C:\Windows\system32\DRIVERS\WinUSB.sys
20:28:55.0357 6232 WinUSB - ok
20:28:55.0402 6232 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
20:28:55.0404 6232 WmiAcpi - ok
20:28:55.0586 6232 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys
20:28:55.0599 6232 WpdUsb - ok
20:28:55.0763 6232 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
20:28:55.0788 6232 ws2ifsl - ok
20:28:55.0948 6232 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\Windows\system32\drivers\WudfPf.sys
20:28:55.0962 6232 WudfPf - ok
20:28:56.0038 6232 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\Windows\system32\DRIVERS\WUDFRd.sys
20:28:56.0042 6232 WUDFRd - ok
20:28:56.0114 6232 XBCD - ok
20:28:56.0189 6232 yukonwlh (04e268adfc81964c49dc0c082d520f7e) C:\Windows\system32\DRIVERS\yk60x86.sys
20:28:56.0196 6232 yukonwlh - ok
20:28:56.0226 6232 zntport (40ac8590cc9006dbb99ffcb37879d4c6) C:\Windows\system32\drivers\zntport.sys
20:28:56.0228 6232 zntport - ok
20:28:56.0279 6232 MBR (0x1B8) (27525412a43c55b0505f8b3fb4b34ea8) \Device\Harddisk0\DR0
20:28:56.0300 6232 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
20:28:56.0300 6232 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
20:28:56.0323 6232 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
20:28:56.0323 6232 \Device\Harddisk0\DR0 - detected TDSS File System (1)
20:28:56.0367 6232 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk4\DR4
20:28:57.0054 6232 \Device\Harddisk4\DR4 - ok
20:28:57.0557 6232 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk5\DR5
20:28:57.0730 6232 \Device\Harddisk5\DR5 - ok
20:28:57.0737 6232 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk6\DR6
20:28:57.0914 6232 \Device\Harddisk6\DR6 - ok
20:28:57.0934 6232 Boot (0x1200) (9c2ce27f663c86901cc810e0a36d6085) \Device\Harddisk0\DR0\Partition0
20:28:57.0935 6232 \Device\Harddisk0\DR0\Partition0 - ok
20:28:57.0958 6232 Boot (0x1200) (5356f78311ee2c32c4dc667cdfa61ccc) \Device\Harddisk0\DR0\Partition1
20:28:57.0959 6232 \Device\Harddisk0\DR0\Partition1 - ok
20:28:57.0973 6232 Boot (0x1200) (b5cb3d8c9c1e89ea9ed3895cb2a893cd) \Device\Harddisk4\DR4\Partition0
20:28:57.0976 6232 \Device\Harddisk4\DR4\Partition0 - ok
20:28:57.0984 6232 Boot (0x1200) (4d9356f865392ea41039f4c9ae0e192f) \Device\Harddisk5\DR5\Partition0
20:28:57.0996 6232 \Device\Harddisk5\DR5\Partition0 - ok
20:28:58.0003 6232 Boot (0x1200) (844f810609b5943996719c1ea1c8d107) \Device\Harddisk6\DR6\Partition0
20:28:58.0005 6232 \Device\Harddisk6\DR6\Partition0 - ok
20:28:58.0008 6232 ============================================================
20:28:58.0008 6232 Scan finished
20:28:58.0008 6232 ============================================================
20:28:58.0032 6612 Detected object count: 2
20:28:58.0032 6612 Actual detected object count: 2
20:31:34.0174 6612 \Device\Harddisk0\DR0\# - copied to quarantine
20:31:34.0175 6612 \Device\Harddisk0\DR0 - copied to quarantine
20:31:34.0195 6612 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
20:31:34.0197 6612 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
20:31:34.0204 6612 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
20:31:34.0206 6612 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
20:31:34.0208 6612 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
20:31:34.0210 6612 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
20:31:34.0218 6612 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
20:31:34.0238 6612 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
20:31:34.0239 6612 \Device\Harddisk0\DR0 - ok
20:31:40.0250 6612 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
20:31:40.0256 6612 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
20:31:40.0256 6612 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
20:31:40.0710 6580 Deinitialize success

#4 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 10 March 2012 - 09:56 PM

yes, go ahead and re-run TDSSKiller and delete what it finds

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 tsusm

  • Topic Starter

  • Members
  • 9 posts

Posted 11 March 2012 - 01:53 AM

Looks like everything is cleared up! Let me know if you'd like to take a look at any additional logs, but all the prior symptoms are gone. Thank you very much!

#6 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 11 March 2012 - 09:48 AM

Hi, yes, we should complete the usual steps in case there are any leftovers. Usually malware requires a variety of tools and more than one step to totally eradicate, so stay with me. If you have not yet run ComboFix, please do so and post the resulting tool.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 tsusm

  • Topic Starter

  • Members
  • 9 posts

Posted 11 March 2012 - 05:54 PM

Sorry for the delay! Here's the ComboFix log:

ComboFix 12-03-10.02 - acarva1 03/10/2012 21:38:02.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3327.1953 [GMT -6:00]
Running from: c:\users\acarva1\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\jestertb.dll
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
c:\windows\system32\AutoRun.inf
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-11 03:53 . 2012-03-11 03:55 -------- d-----w- c:\users\acarva1\AppData\Local\Temp
2012-03-11 03:45 . 2012-03-11 03:45 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-03-11 03:45 . 2012-03-11 03:45 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2012-03-11 03:45 . 2012-03-11 03:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-11 02:31 . 2012-03-11 02:31 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 18:34 . 2012-03-10 18:34 -------- d-----w- c:\program files\Sophos
2012-02-18 02:15 . 2012-02-18 02:15 -------- d-----w- c:\users\acarva1\AppData\Local\Solid State Networks
2012-02-13 10:49 . 2012-02-13 10:49 -------- d-----w- c:\program files\iPod
2012-02-13 10:49 . 2012-02-13 10:50 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-05 21:06 . 2011-05-21 00:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-19 22:23 . 2011-12-19 22:23 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-02-18 02:18 . 2011-03-26 13:28 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\acarva1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\acarva1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\acarva1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\acarva1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"Steam"="c:\program files\Steam\Steam.exe" [2011-09-17 1242448]
"Acer Tour Reminder"="" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-02-02 630784]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 4423680]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2008-04-15 326176]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-07-17 231888]
.
c:\users\acarva1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\acarva1\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-4-16 535336]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
PCM Media Sharing.lnk - c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe [2007-4-16 200812]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2007-04-05 266343]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-14 08:09]
.
2012-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ccee0db15fad06.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-15 19:29]
.
2012-03-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-15 19:29]
.
2012-03-11 c:\windows\Tasks\User_Feed_Synchronization-{15FC2CBF-BEC0-48FA-AE00-FFA314DC726D}.job
- c:\windows\system32\msfeedssync.exe [2011-08-07 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.us.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: txstate.edu\ibis.sap
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\acarva1\AppData\Roaming\Mozilla\Firefox\Profiles\3nknrta9.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-10 21:53
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9724.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(7840)
c:\users\acarva1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
c:\windows\system32\Ati2evxx.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\AVG\AVG2012\avgwdsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\NTR global\NTRconnect\NTRconnect.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Winamp Remote\bin\orbtray.exe
c:\program files\Core Temp\Core Temp.exe
c:\windows\RtHDVCpl.exe
c:\program files\Logitech\SetPointP\LBTWiz.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Winamp Remote\bin\Orb.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
.
**************************************************************************
.
Completion time: 2012-03-10 21:58:51 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-11 03:58
ComboFix2.txt 2012-03-11 03:34
.
Pre-Run: 45,639,864,320 bytes free
Post-Run: 45,424,435,200 bytes free
.
- - End Of File - - 5CA051A4FF8F0EF87ACC55FE94EF2F6A
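The "Reg Loading Points" section of the log above is what a responder reads first: each Run-key entry carries a target path plus either a `[date size]` stamp or a marker such as `[X]`, and policy keys follow as `"Name"= value` lines. The script below is an added triage helper, not part of this thread or of ComboFix; it parses that entry format and applies two hand-review heuristics (targets under a user profile or temp path, and `[X]` entries whose file is missing), plus a check of the UAC and Security Center policy values. The embedded sample is constructed in the same format as the logs posted here, and the heuristics mark items for review only, not as verdicts.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example (hypothetical helper, not ComboFix's own code). It parses the
autorun entries in the format shown in the thread and flags the ones a
responder would look at first; the sample below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in ComboFix's "Reg Loading Points" format.
SAMPLE_LOG = r"""REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"Spotify"="c:\users\acarva1\AppData\Roaming\Spotify\Spotify.exe" [2012-03-11 4008112]
"Acer Tour Reminder"="" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "Name"="target" [2008-01-19 1233920]   or   "Name"="target" [X]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"\s*\[(?P<tag>[^\]]*)\]\s*$')
# "Name"= 0 (0x0)   or   "Name"=dword:00000001
SETTING_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\S.*?)\s*$')
STAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d+)$")
# Heuristic: autoruns launched from a user profile or temp directory deserve a look.
USER_PATH_RE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\", re.IGNORECASE)


@dataclass
class AutorunEntry:
    key: str
    name: str
    target: str
    date: Optional[str] = None
    size: Optional[int] = None
    flag: Optional[str] = None          # the bracketed marker ComboFix printed, e.g. "X" or "BU"
    notes: List[str] = field(default_factory=list)


def parse_loading_points(text: str) -> Tuple[List[AutorunEntry], Dict[Tuple[str, str], str]]:
    """Return the autorun entries and the (key, name) -> value policy settings."""
    entries: List[AutorunEntry] = []
    settings: Dict[Tuple[str, str], str] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "." or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = AutorunEntry(key=key, name=m.group("name"), target=m.group("target"))
            stamp = STAMP_RE.match(m.group("tag").strip())
            if stamp:
                entry.date, entry.size = stamp.group(1), int(stamp.group(2))
            else:
                entry.flag = m.group("tag").strip()
            entries.append(entry)
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[(key, m.group("name"))] = m.group("value")
    return entries, settings


def review_entries(entries: List[AutorunEntry]) -> List[AutorunEntry]:
    """Attach review notes and return only the entries that received one."""
    for e in entries:
        if e.flag == "X":
            e.notes.append("ComboFix marked [X]: target file not found on disk")
        if USER_PATH_RE.search(e.target):
            e.notes.append("target lives under a user-writable profile/temp path")
    return [e for e in entries if e.notes]


def setting_as_int(value: str) -> Optional[int]:
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    try:
        return int(value.split()[0])
    except ValueError:
        return None


def review_settings(settings: Dict[Tuple[str, str], str]) -> List[str]:
    """Flag policy values that weaken the host's own defences."""
    findings = []
    for (key, name), value in settings.items():
        k, n, v = key.lower(), name.lower(), setting_as_int(value)
        if k.endswith(r"\policies\system") and n == "enablelua" and v == 0:
            findings.append("EnableLUA=0: User Account Control is turned off")
        if r"\security center" in k and n in ("disablemonitoring", "antivirusoverride") and v == 1:
            findings.append(f"{name}=1 under {key}: Security Center monitoring overridden")
    return findings


def triage(text: str) -> Tuple[List[AutorunEntry], List[str]]:
    entries, settings = parse_loading_points(text)
    return review_entries(entries), review_settings(settings)


if __name__ == "__main__":
    flagged, findings = triage(SAMPLE_LOG)
    for e in flagged:
        print(f"{e.name!r} in {e.key}: {'; '.join(e.notes)}")
    for f in findings:
        print("policy:", f)
```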

#8 CatByte


Posted 11 March 2012 - 06:34 PM

Hi

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 tsusm


Posted 12 March 2012 - 01:10 PM

Here are the two latest logs! (The ESET scan log is attached)

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.12.01

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
acarva1 :: AC-PC [administrator]

3/12/2012 2:53:18 AM
mbam-log-2012-03-12 (02-53-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 216096
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




#10 CatByte


Posted 12 March 2012 - 02:55 PM

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\acarva1\Documents\Application Setup Files\cnet_BonjourSetup_exe.exe	
C:\Users\acarva1\Documents\Application Setup Files\extractnow.exe	
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3fdbd04c-708f11e6	
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\2781ea0d-40d21ea0	
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\70e83d9f-28f2bb0e	
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\70190024-5aef4343	
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\25bd15e5-1abadce9	
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\be97b6f-113c2799	
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-3f769093	
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\447b42b7-79c18dee

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.


NEXT


Your Java is out of date.
Java™ 6 Update 17 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.



NEXT



Please advise how the computer is running now and if there are any outstanding issues



#11 tsusm


Posted 12 March 2012 - 04:09 PM

Here's the latest ComboFix log. Java updated successfully after a restart. The computer is running quite a bit quicker now, booted up in about half the time it was taking a few nights ago!



ComboFix 12-03-10.02 - acarva1 03/12/2012 15:27:34.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3327.1890 [GMT -5:00]
Running from: c:\users\acarva1\Desktop\ComboFix.exe
Command switches used :: c:\users\acarva1\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\acarva1\Documents\Application Setup Files\cnet_BonjourSetup_exe.exe"
"c:\users\acarva1\Documents\Application Setup Files\extractnow.exe"
"c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\3fdbd04c-708f11e6"
"c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\13\2781ea0d-40d21ea0"
"c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\70e83d9f-28f2bb0e"
"c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\36\70190024-5aef4343"
"c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\25bd15e5-1abadce9"
"c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\be97b6f-113c2799"
"c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\5\2ac74c85-3f769093"
"c:\windows\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\55\447b42b7-79c18dee"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-12 to 2012-03-12 )))))))))))))))))))))))))))))))
.
.
2012-03-12 20:36 . 2012-03-12 20:36 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2012-03-12 20:36 . 2012-03-12 20:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-12 08:02 . 2012-03-12 08:02 -------- d-----w- c:\program files\ESET
2012-03-11 06:57 . 2012-03-12 08:39 -------- d-----w- c:\users\acarva1\AppData\Local\Spotify
2012-03-11 06:57 . 2012-03-12 18:59 -------- d-----w- c:\users\acarva1\AppData\Roaming\Spotify
2012-03-11 06:48 . 2012-03-12 20:42 -------- d-----w- c:\users\acarva1\AppData\Local\Temp
2012-03-11 04:03 . 2011-03-03 13:01 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2012-03-11 04:03 . 2011-03-03 14:56 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2012-03-11 02:31 . 2012-03-11 04:01 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 18:34 . 2012-03-10 18:34 -------- d-----w- c:\program files\Sophos
2012-02-18 02:15 . 2012-02-18 02:15 -------- d-----w- c:\users\acarva1\AppData\Local\Solid State Networks
2012-02-13 10:49 . 2012-02-13 10:49 -------- d-----w- c:\program files\iPod
2012-02-13 10:49 . 2012-02-13 10:50 -------- d-----w- c:\program files\iTunes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-05 21:06 . 2011-05-21 00:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-19 22:23 . 2011-12-19 22:23 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-02-18 02:18 . 2011-03-26 13:28 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\acarva1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\acarva1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\acarva1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\acarva1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"Steam"="c:\program files\Steam\Steam.exe" [2011-09-17 1242448]
"Acer Tour Reminder"="" [BU]
"Spotify"="c:\users\acarva1\AppData\Roaming\Spotify\Spotify.exe" [2012-03-11 4008112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bluetooth Connection Assistant"="LBTWIZ.EXE -silent" [X]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-02-02 630784]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 4423680]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-10-28 1352272]
"Acer Empowering Technology Monitor"="c:\acer\Empowering Technology\SysMonitor.exe" [2008-04-15 326176]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-07-17 231888]
.
c:\users\acarva1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\acarva1\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-4-16 535336]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
PCM Media Sharing.lnk - c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\PCMMediaSharing.exe [2007-4-16 200812]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2007-04-05 266343]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ALSYSIO
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-14 08:09]
.
2012-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1ccee0db15fad06.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-15 19:29]
.
2012-03-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-15 19:29]
.
2012-03-12 c:\windows\Tasks\User_Feed_Synchronization-{15FC2CBF-BEC0-48FA-AE00-FFA314DC726D}.job
- c:\windows\system32\msfeedssync.exe [2011-08-07 04:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.us.acer.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: txstate.edu\ibis.sap
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\acarva1\AppData\Roaming\Mozilla\Firefox\Profiles\3nknrta9.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-12 15:39
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9724.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3340)
c:\users\acarva1\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
c:\windows\system32\Ati2evxx.exe
c:\acer\Empowering Technology\ePerformance\MemCheck.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\AVG\AVG2012\avgwdsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Winamp Remote\bin\orbtray.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Logitech\SetPointP\LBTWiz.exe
c:\program files\Core Temp\Core Temp.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\NTR global\NTRconnect\NTRconnect.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\AVG\AVG2012\avgemcx.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\windows\system32\WUDFHost.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\program files\AVG\AVG2012\AVGIDSAgent.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Winamp Remote\bin\Orb.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-03-12 15:47:36 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-12 20:47
ComboFix2.txt 2012-03-11 03:58
ComboFix3.txt 2012-03-11 03:34
.
Pre-Run: 38,680,403,968 bytes free
Post-Run: 38,729,809,920 bytes free
.
- - End Of File - - 1997F03A1777AD56B247B8443A467543

#12 CatByte


Posted 12 March 2012 - 04:23 PM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the TDSSKiller, DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.

Posted Image


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.



#13 tsusm


Posted 12 March 2012 - 07:45 PM

Thank you so much for all your help!

Before we close out the topic, I should mention that I use Firefox, not IE. Any suggestions or procedures on making Mozilla more secure?

#14 CatByte


Posted 12 March 2012 - 07:57 PM

Firefox has a few add-ons that can enhance security, e.g. Web of Trust, NoScript, etc.

But the default settings are quite secure; as long as you keep your programs up to date and practice good surfing habits, you should be fine.



#15 CatByte


Posted 15 March 2012 - 06:15 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





