svchost.exe error


This topic is locked
14 replies to this topic

#1 paganw


  • Members
  • 11 posts

Posted 01 April 2012 - 06:59 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Owner at 21:05:14 on 2012-03-27
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.88 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: AVG Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINNT\system32\svchost.exe -k WudfServiceGroup
C:\WINNT\System32\svchost.exe -k NetworkService
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\System32\svchost.exe -k HPZ12
C:\WINNT\System32\svchost.exe -k imgsvc
c:\WINNT\system32\ZuneBusEnum.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\svchost.exe -k HTTPFilter
C:\WINNT\System32\svchost.exe -k netsvcs
C:\Program Files\Windows NT\Accessories\wordpad.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://search.live.com
uStart Page = hxxp://www.auconnection.net/dallas/library.asp
uSearch Bar = hxxp://search.live.com/sphome.aspx
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uSearchURL,(Default) = hxxp://search.conduit.com/Results.aspx?q=%s&meta=all&hl=fr&gl=fr&SelfSearch=1&SearchSourceOrigin=1&ctid=CT1472949
mSearchAssistant = hxxp://search.live.com/sphome.aspx
uURLSearchHooks: H - No File
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1d09a743-00ed-4713-bcc4-32d590d1087a} - XBTB06829 Class
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {b999e1d5-a1bf-4e4f-a41b-077aa1fbd2ea} - c:\winnt\system32\ddcYqnLc.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
{2318c2b1-4965-11d4-9b18-009027a5cd4f}
TB: {B771FEA3-2A05-4C21-B1E2-55551A97D520} - No File
TB: {719D74AB-1AF9-43A1-8C62-D8750628D93E} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\companion\modules\messmod2\v4\yhexbmes.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\winnt\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
mRun: [MSConfig] c:\winnt\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [dplaysvr] %APPDATA%\dplaysvr.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dPolicies-explorer: NoDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: TVShortcutCAB - hxxp://att.mobitv.com/TVShortcut.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://www.stonyfield.com/coupons/scriptX/smsx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {18C3FD15-74F6-4280-9C98-3590C966B7B8} - hxxp://www.worldwinner.com/games/v46/skillgam/skillgam.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v46/shared/FunGamesLoader.cab
DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} - hxxp://www.arcadetown.com/swf/waterbugs/r64loader.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.87.cab
DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1281003192329
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281003168813
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Pepsi/Coupons.cab
DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - hxxp://www.worldwinner.com/games/v57/cubis/cubis.cab
DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} - hxxp://www.worldwinner.com/games/v45/sol/sol.cab
DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/serialharvest/gwCID.CAB
DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab72888.cab
DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} - hxxp://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
DPF: {A91FB93D-7561-4524-8484-5C27C8FA8D42} - hxxp://www.worldwinner.com/games/v48/luxor/luxor.cab
DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - hxxp://www.worldwinner.com/games/v40/hangman/hangman.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - hxxp://www.worldwinner.com/games/v42/paint/paint.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - hxxp://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: C_2CHT - C_2CHT.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: pushow16.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winnt\system32\WPDShServiceObj.dll
Hosts: 87.229.126.55 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\winnt\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKslec66d890;MpKslec66d890;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{31a6890e-e354-40da-8cfd-09bcbeade4c3}\MpKslec66d890.sys [2012-3-26 29904]
S0 auubqlx;auubqlx;c:\winnt\system32\drivers\tfvqvrdv.sys --> c:\winnt\system32\drivers\tfvqvrdv.sys [?]
S3 MBAMProtector;MBAMProtector;c:\winnt\system32\drivers\mbam.sys [2012-3-24 20464]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 WlanUIG;2Wire 802.11g USB Driver;c:\winnt\system32\drivers\WlanUIG.sys [2007-10-8 347648]
S4 MBAMService;MBAMService;c:\program files\mam\mbamservice.exe [2012-3-24 652360]
.
=============== Created Last 30 ================
.
2012-03-26 10:35:13 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{31a6890e-e354-40da-8cfd-09bcbeade4c3}\MpKslec66d890.sys
2012-03-25 11:43:27 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{31a6890e-e354-40da-8cfd-09bcbeade4c3}\offreg.dll
2012-03-25 10:46:23 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{31a6890e-e354-40da-8cfd-09bcbeade4c3}\MpKsl6a70fd22.sys
2012-03-25 10:12:34 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{31a6890e-e354-40da-8cfd-09bcbeade4c3}\mpengine.dll
2012-03-25 10:12:24 237072 ------w- c:\winnt\system32\MpSigStub.exe
2012-03-25 06:33:12 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-25 05:31:44 144384 ------w- c:\winnt\system32\drivers\hdaudbus.sys
2012-03-25 05:31:43 10240 ------w- c:\winnt\system32\drivers\sffp_mmc.sys
2012-03-25 05:30:21 19569 ----a-w- c:\winnt\005146_.tmp
2012-03-25 05:15:46 -------- dc----w- C:\4640d920a79ac83657fb169d29863a
2012-03-24 13:51:06 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2012-03-24 13:50:53 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-03-24 13:50:52 20464 ----a-w- c:\winnt\system32\drivers\mbam.sys
2012-03-24 13:50:52 -------- d-----w- c:\program files\MAM
2012-03-24 13:37:26 -------- d-----w- c:\documents and settings\all users\application data\SUPERSetup
2012-03-23 23:21:38 -------- d--h--w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2012-03-23 23:20:18 -------- d--h--w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-03-21 08:55:56 -------- d-sh--w- C:\found.000
.
==================== Find3M ====================
.
2007-11-08 11:11:06 774144 ----a-w- c:\program files\RngInterstitial.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1200BB-53DWA0 rev.15.05R15 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8644F49F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86456740]; MOV EAX, [0x864568b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E1397] -> \Device\Harddisk0\DR0[0x8675C718]
3 CLASSPNP[0xF774FFD7] -> nt!IofCallDriver[0x804E1397] -> \Device\00000073[0x8675EF18]
5 ACPI[0xF76B6620] -> nt!IofCallDriver[0x804E1397] -> [0x86790D98]
\Driver\atapi[0x864A2BC0] -> IRP_MJ_CREATE -> 0x8644F49F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8644F2C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 21:10:04.96 ===============


#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 April 2012 - 11:48 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 paganw

  • Topic Starter

  • Members
  • 11 posts

Posted 03 April 2012 - 04:13 AM

I downloaded ComboFix on my laptop, saved it to a flash drive and transferred it to the PC with a problem. That computer is XP and I got the following message: This machine does not have the 'Microsoft Windows recovery console' installed. Alternatively, an existing installation of the recovery console may be present but requires updating. Without it, Combofix shall not attempt the fixing of some serous infections. Click 'Yes' to have ComboFix download/install it. NOTE: this requires an active internet connection.

I clicked yes to have ComboFix download/install it but I got a message that said: You do not appear to be connected to the internet. Kindly connect before clicking ok. The computer thinks it's connected, the router thinks it's connected; but I have not been able to connect to the internet on that PC since running the scans suggested in my first post. What should I do if that computer does not have access to the internet? I checked to see if I had my original Windows disc but couldn't find it and couldn't find a suggestion about downloading 'Microsoft Windows recovery console' that didn't involve 6 floppy disks; that PC has a working floppy drive, but the computer with internet access does not.

Thank you

#4 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 April 2012 - 05:07 AM

hello

Go ahead and run it we will deal with all of that later


GRINGO

#5 paganw

  • Topic Starter

  • Members
  • 11 posts

Posted 03 April 2012 - 05:54 AM

I ran it; here are my results:

ComboFix 12-04-01.03 - Owner 04/03/2012 4:10:04.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.495.229 [GMT -5:00]
Running from: E:\ComboFix.exe
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Application Data\TEMP
C:\Documents and Settings\Owner\Application Data\Local
C:\Documents and Settings\Owner\Application Data\Local\Temp\DDM\Settings\settings.ddi
C:\Documents and Settings\Owner\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Post_Install_RB_HiQ_en.divx.ddp
C:\Documents and Settings\Owner\System
C:\Documents and Settings\Owner\System\win_qs7.jqx
C:\Documents and Settings\Owner\WINDOWS
C:\install.exe
C:\Program Files\DomPlayer
C:\Program Files\kazaa\my shared folder\Dynomite v1.2 Full Crack.exe
C:\WINNT\cdmxtras
C:\WINNT\system32\cLnqYcdd.ini
C:\WINNT\system32\cLnqYcdd.ini2


((((((((((((((((((((((((( Files Created from 2012-03-03 to 2012-04-03 )))))))))))))))))))))))))))))))


2012-03-26 10:26:35 . 2012-03-26 10:26:35 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth
2012-03-25 10:12:24 . 2012-01-31 12:44:05 237072 ------w- C:\WINNT\system32\MpSigStub.exe
2012-03-25 06:33:41 . 2012-03-25 06:33:41 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\PCHealth
2012-03-25 05:31:44 . 2008-04-14 03:06:06 144384 ------w- C:\WINNT\system32\drivers\hdaudbus.sys
2012-03-25 05:31:43 . 2008-04-14 05:10:50 10240 ------w- C:\WINNT\system32\drivers\sffp_mmc.sys
2012-03-25 05:30:21 . 2006-12-29 05:31:32 19569 ----a-w- C:\WINNT\005146_.tmp
2012-03-25 05:15:46 . 2012-03-25 05:17:52 -------- dc----w- C:\4640d920a79ac83657fb169d29863a
2012-03-24 16:13:09 . 2012-03-24 16:13:09 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Identities
2012-03-24 15:36:17 . 2008-04-14 10:42:08 26624 ----a-w- C:\Documents and Settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2012-03-24 13:51:06 . 2012-03-24 13:51:06 -------- d-----w- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2012-03-24 13:50:53 . 2012-03-24 13:50:53 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2012-03-24 13:50:52 . 2012-03-24 13:50:59 -------- d-----w- C:\Program Files\MAM
2012-03-24 13:50:52 . 2011-12-10 20:24:06 20464 ----a-w- C:\WINNT\system32\drivers\mbam.sys
2012-03-24 13:37:26 . 2012-03-24 13:37:26 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERSetup
2012-03-24 06:55:36 . 2012-03-24 06:55:36 664 ----a-w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\d3d9caps.tmp
2012-03-23 23:51:05 . 2012-03-23 23:51:05 -------- d--h--w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
2012-03-23 23:51:04 . 2012-03-23 23:51:05 -------- d--h--w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
2012-03-23 23:21:38 . 2012-03-23 23:21:38 -------- d--h--w- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2012-03-23 23:20:18 . 2012-03-23 23:20:18 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-23 05:21:39 . 2012-03-23 05:21:39 -------- d--h--w- C:\WINNT\system32\config\systemprofile\Application Data\Yahoo!
2012-03-23 05:20:35 . 2012-03-23 05:25:35 -------- d--h--w- C:\WINNT\system32\config\systemprofile\Application Data\HPAppData
2012-03-22 23:19:47 . 2012-03-23 07:07:33 -------- d--h--w- C:\Documents and Settings\Administrator
2012-03-21 08:55:56 . 2012-03-21 08:55:56 -------- d-----w- C:\found.000
2012-03-20 21:31:37 . 2012-03-20 21:31:37 -------- d--h--w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Identities
2012-03-20 04:20:52 . 2012-03-20 08:10:40 -------- d--h--w- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
2012-03-17 09:34:22 . 2012-03-17 09:34:22 -------- d--h--w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Temp
2012-03-14 21:27:05 . 2012-03-14 21:27:05 -------- d-sh--w- C:\Documents and Settings\NetworkService\UserData
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-11-08 11:11:06 . 2007-11-08 11:11:33 774144 ----a-w- C:\Program Files\RngInterstitial.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 06:01:00 437160]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SBBD.exe \Device\HarddiskVolume1\WINNT\system32\SBFC.dat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^2Wire Wireless Client.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2Wire Wireless Client.lnk
backup=C:\WINNT\pss\2Wire Wireless Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINNT\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINNT\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iFinger 2.1.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iFinger 2.1.lnk
backup=C:\WINNT\pss\iFinger 2.1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINNT\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINNT\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^eFax Live Menu 3.4.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\eFax Live Menu 3.4.lnk
backup=C:\WINNT\pss\eFax Live Menu 3.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^eFax Tray Menu 3.4.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\eFax Tray Menu 3.4.lnk
backup=C:\WINNT\pss\eFax Tray Menu 3.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^FriendFinder Messenger.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\FriendFinder Messenger.lnk
backup=C:\WINNT\pss\FriendFinder Messenger.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk
backup=C:\WINNT\pss\OpenOffice.org 1.1.4.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PowerReg SchedulerV2.exe
backup=C:\WINNT\pss\PowerReg SchedulerV2.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=C:\WINNT\pss\Vongo Tray.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2SWZKN82R5K47C
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device cache manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dsi
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hid_start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINNT\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vmtuner

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37:53 843712 ---ha-w- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 17:09:58 63712 ---ha-w- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-11-10 18:49:36 35736 ---ha-w- C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2007-03-01 16:37:52 2321600 ---ha-r- C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-02 05:25:58 59240 ---ha-w- C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42:18 15360 ----a-w- C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
2004-06-11 14:24:16 249856 -c-ha-w- C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-12-08 19:17:46 1226608 ---ha-w- C:\Program Files\DivX\DivX Update\DivXUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]
2003-06-25 02:33:00 303180 -c-ha-w- C:\Program Files\Gateway Utilities\GWInkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-27 03:56:09 136176 ---hatw- C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2003-07-10 09:13:16 114688 -c--a-w- C:\WINNT\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 03:17:32 49152 ---ha-w- C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2003-07-28 14:43:44 188416 ----a-w- C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2007-08-22 22:31:16 80896 ---ha-w- C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-07-10 09:25:52 155648 -c--a-w- C:\WINNT\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-08-11 22:30:30 81920 ---ha-w- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-01-16 23:22:12 421736 ---ha-w- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2006-10-05 16:51:04 2242120 ----a-w- C:\WINNT\kdx\khost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-01-13 19:53:18 460872 ----a-w- C:\Program Files\MAM\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2003-06-07 11:32:32 50688 -c-ha-w- C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2003-12-12 23:55:06 53248 -c-ha-w- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2003-12-12 23:55:06 118784 -c-ha-w- C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42:30 1695232 --sh--w- C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-07-09 09:50:42 155648 -c--a-r- C:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
2004-04-14 01:45:30 290905 ----a-w- C:\WINNT\system32\PRISMSVR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17:42 421888 ---ha-w- C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\starzd]
2004-11-05 11:43:06 32768 -c--a-w- C:\Program Files\Real\RealPlayer\starz\starzd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 10:00:36 132496 ---ha-w- C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Teach Me]
2004-02-07 07:35:14 1061376 ---ha-w- C:\Program Files\Debre\Teach Me\TeachMe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2005-05-27 10:32:00 180269 -c-ha-w- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 23:43:18 4670704 ----a-w- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
2007-10-26 21:42:48 509224 ----a-w- C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2008-04-30 00:56:20 158624 ----a-w- c:\Program Files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINNT\\kdx\\khost.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\WINNT\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"C:\\WINNT\\system32\\msiexec.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"41697:TCP"= 41697:TCP:tcp emule
"7061:UDP"= 7061:UDP:udp emule
"37067:TCP"= 37067:TCP:*:Disabled:bittorrent
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 MpKsl8a2350bd;MpKsl8a2350bd;\??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{31A6890E-E354-40DA-8CFD-09BCBEADE4C3}\MpKsl8a2350bd.sys --> c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{31A6890E-E354-40DA-8CFD-09BCBEADE4C3}\MpKsl8a2350bd.sys [?]
S0 auubqlx;auubqlx;C:\WINNT\system32\drivers\tfvqvrdv.sys --> C:\WINNT\system32\drivers\tfvqvrdv.sys [?]
S3 MBAMProtector;MBAMProtector;C:\WINNT\system32\drivers\mbam.sys [3/24/2012 8:50:52 AM 20464]
S3 SASENUM;SASENUM;\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS --> C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 WlanUIG;2Wire 802.11g USB Driver;C:\WINNT\system32\drivers\WlanUIG.sys [10/8/2007 7:48:06 PM 347648]
S4 MBAMService;MBAMService;C:\Program Files\MAM\mbamservice.exe [3/24/2012 8:50:53 AM 652360]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MPKSL8A2350BD

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

Contents of the 'Scheduled Tasks' folder

2012-04-03 C:\WINNT\Tasks\GoogleUpdateTaskUserS-1-5-21-229251845-1399500245-1938766618-1003Core.job
- C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 03:56:13 . 2011-06-27 03:56:09]

2012-04-03 C:\WINNT\Tasks\GoogleUpdateTaskUserS-1-5-21-229251845-1399500245-1938766618-1003UA.job
- C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-27 03:56:13 . 2011-06-27 03:56:09]

2011-05-25 C:\WINNT\Tasks\prismDowngrade.job
- C:\Program Files\NCH Software\Prism\prism.exe [2010-12-14 08:47:12 . 2010-12-14 08:47:12]

2011-02-19 C:\WINNT\Tasks\prismShakeIcon.job
- C:\Program Files\NCH Software\Prism\prism.exe [2010-12-14 08:47:12 . 2010-12-14 08:47:12]


------- Supplementary Scan -------

uStart Page = hxxp://www.auconnection.net/dallas/library.asp
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/yme/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uSearchURL,(Default) = hxxp://search.conduit.com/Results.aspx?q=%s&meta=all&hl=fr&gl=fr&SelfSearch=1&SearchSourceOrigin=1&ctid=CT1472949
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
DPF: TVShortcutCAB - hxxp://att.mobitv.com/TVShortcut.CAB
DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125B84} - hxxp://www.arcadetown.com/swf/waterbugs/r64loader.cab

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{8A4E1972-8F42-4B50-AA71-29DCA9F336BC} - (no file)
BHO-{B999E1D5-A1BF-4E4F-A41B-077AA1FBD2EA} - C:\WINNT\system32\ddcYqnLc.dll
HKU-Default-Run-dplaysvr - C:\Documents and Settings\Owner\Application Data\dplaysvr.exe
Notify-C_2CHT - C_2CHT.dll
MSConfigStartUp-AVG8_TRAY - C:\PROGRA~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-avgnt - C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
MSConfigStartUp-BearShare - C:\Program Files\BearShare\BearShare.exe
MSConfigStartUp-BM13839b69 - C:\WINNT\system32\ahlcehag.dll
MSConfigStartUp-bQBDimwbRmHtD - C:\Documents and Settings\All Users\Application Data\bQBDimwbRmHtD.exe
MSConfigStartUp-CanonMyPrinter - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
MSConfigStartUp-CanonSolutionMenu - C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe
MSConfigStartUp-Consumer Input - C:\Program Files\Consumer Input\ConsumerInput.exe
MSConfigStartUp-Consumer Input Update - C:\Program Files\Consumer Input\ConsumerInputUa.exe
MSConfigStartUp-DivX Download Manager - C:\Program Files\DivX\DivX Plus Web Player\DDmService.exe
MSConfigStartUp-dplaysvr - C:\Documents and Settings\Owner\Application Data\dplaysvr.exe
MSConfigStartUp-HP Component Manager - C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
MSConfigStartUp-iCall Internet Phone - C:\Program Files\iCall\iCall.exe
MSConfigStartUp-ICQ Net - C:\WINNT\winlogon.exe
MSConfigStartUp-ISUSPM Startup - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
MSConfigStartUp-LightScribe Control Panel - C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
MSConfigStartUp-msnmsgr - C:\Program Files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-nvchost - C:\WINNT\winlogon.exe
MSConfigStartUp-osCheck - C:\PROGRA~1\Symantec\osCheck.exe
MSConfigStartUp-raschap - C:\WINNT\system32\raschap.exe
MSConfigStartUp-rSkVSbFvavfCaY - C:\Documents and Settings\All Users\Application Data\rSkVSbFvavfCaY.exe
MSConfigStartUp-saap - c:\progra~1\twister\partner\saap.exe
MSConfigStartUp-Share-to-Web Namespace Daemon - C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
MSConfigStartUp-Skype - C:\Program Files\Skype\Phone\Skype.exe
MSConfigStartUp-sp - C:\sp.exe
MSConfigStartUp-SpyHunter Security Suite - C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
MSConfigStartUp-SSC_UserPrompt - C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
MSConfigStartUp-svkbqxsb - C:\WINNT\svkbqxsb.exe
MSConfigStartUp-Symantec NetDriver Monitor - C:\PROGRA~1\SYMNET~1\SNDMon.exe
MSConfigStartUp-Trickler - c:\winnt\temp\adware\fsg_4203a.exe
MSConfigStartUp-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-wcmdmgr - C:\WINNT\wt\updater\wcmdmgrl.exe
MSConfigStartUp-WhenUSave - C:\Program Files\Save\Save.exe
MSConfigStartUp-WINDOWS SYSTEM - ninfoie.exe
MSConfigStartUp-WT GameChannel - C:\Program Files\WildTangent\Apps\GameChannel.exe
MSConfigStartUp-ymetray - C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe
MSConfigStartUp-YSearchProtection - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
AddRemove-Invader - C:\Program Files\Foreign Language\Invader\DeIsL1.isu
AddRemove-iWinArcade - C:\Program Files\iWin Games\Uninstall.exe
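
Reading a listing like the one above by eye is how helpers spot entries such as a startup item named "ICQ Net" that launches a winlogon.exe sitting outside system32, or a boot-start driver whose service name has nothing to do with its file name. The following Python script is an added example (it is not part of this thread and not a DDS or BleepingComputer tool): it runs a few defender-side triage heuristics over lines copied from the log above and lists the ones that deserve a second look. The heuristics, thresholds and reason strings are my own assumptions; only the sample lines come from the log.

```python
import re

# Added example (not from the thread, not a DDS tool): heuristics, thresholds
# and reason strings are my own assumptions; sample lines are from the log above.

# "MSConfigStartUp-<entry name> - <path>"
STARTUP_RE = re.compile(r"^MSConfigStartUp-(?P<name>.+?) - (?P<path>.+)$")
# "S0 svc;display;path --> resolved [?]"  or  "S3 svc;display;path [date size]"
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<disp>[^;]*);(?P<path>.+?)"
    r"(?: --> (?P<resolved>.+?))?(?: (?P<tail>\[[^\]]*\]))?$"
)
# Core Windows binaries belong in system32; a copy elsewhere is a classic impostor.
CORE_BINARIES = {"winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe", "services.exe"}

# Lines copied from the DDS log in this thread (paths exactly as they appear there).
SAMPLE_LINES = [
    r"MSConfigStartUp-ICQ Net - C:\WINNT\winlogon.exe",
    r"MSConfigStartUp-nvchost - C:\WINNT\winlogon.exe",
    r"MSConfigStartUp-bQBDimwbRmHtD - C:\Documents and Settings\All Users\Application Data\bQBDimwbRmHtD.exe",
    r"MSConfigStartUp-Skype - C:\Program Files\Skype\Phone\Skype.exe",
    r"MSConfigStartUp-sp - C:\sp.exe",
    r"MSConfigStartUp-WINDOWS SYSTEM - ninfoie.exe",
    r"MSConfigStartUp-Trickler - c:\winnt\temp\adware\fsg_4203a.exe",
    r"S0 auubqlx;auubqlx;C:\WINNT\system32\drivers\tfvqvrdv.sys --> C:\WINNT\system32\drivers\tfvqvrdv.sys [?]",
    r"S3 MBAMProtector;MBAMProtector;C:\WINNT\system32\drivers\mbam.sys [3/24/2012 8:50:52 AM 20464]",
]


def split_path(path):
    """Split a Windows path into (directory, filename), both lower-cased."""
    path = path.strip().lower()
    if "\\" in path:
        directory, _, filename = path.rpartition("\\")
        return directory, filename
    return "", path


def looks_random(name):
    """Crude check for generated names: almost no vowels, or case flipping mid-word."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 7:
        return False
    vowels = sum(c in "aeiouy" for c in name.lower())
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return vowels / len(letters) < 0.12 or flips >= 4


def triage_startup(name, path):
    """Return the list of reasons a startup entry deserves a second look."""
    reasons = []
    directory, filename = split_path(path)
    if filename in CORE_BINARIES and not directory.endswith("\\system32"):
        reasons.append("core Windows binary name outside system32")
    if directory == "":
        reasons.append("bare filename, resolved by PATH search at logon")
    elif re.search(r"\\temp\\", directory + "\\") or re.fullmatch(r"[a-z]:", directory):
        reasons.append("executable in a temp folder or the drive root")
    if looks_random(name) or looks_random(filename.rsplit(".", 1)[0]):
        reasons.append("random-looking name")
    return reasons


def triage_driver(start, svc, path, resolved, tail):
    """Return the list of reasons a service/driver entry deserves a second look."""
    reasons = []
    _, filename = split_path(resolved or path)
    stem = filename.rsplit(".", 1)[0]
    name = svc.lower()
    if not (name.startswith(stem) or stem.startswith(name)):
        reasons.append("service name unrelated to driver file name")
    if tail == "[?]":
        reasons.append("DDS could not read the file's attributes")
    if looks_random(svc) or looks_random(stem):
        reasons.append("random-looking name")
    if start == "S0" and reasons:
        reasons.append("boot-start (S0) driver, loaded before any user-mode scanner")
    return reasons


def triage(lines):
    """Return [(kind, name, reasons)] for every line that trips a heuristic."""
    findings = []
    for line in lines:
        line = line.strip()
        m = STARTUP_RE.match(line)
        if m:
            reasons = triage_startup(m["name"], m["path"])
            if reasons:
                findings.append(("startup", m["name"], reasons))
            continue
        m = DRIVER_RE.match(line)
        if m:
            reasons = triage_driver(m["start"], m["svc"], m["path"], m["resolved"], m["tail"])
            if reasons:
                findings.append(("driver", m["svc"], reasons))
    return findings
```

Calling `triage(SAMPLE_LINES)` returns `(kind, name, reasons)` tuples: the Skype entry and the Malwarebytes driver come back clean, while the two impostor winlogon.exe copies, the generated names, the PATH-resolved `ninfoie.exe`, the temp-folder executable and the unreadable S0 driver each carry at least one reason. A hit is a prompt to check the entry against known-good software, not a verdict; the vowel and case thresholds will occasionally flag a legitimate but oddly named vendor component.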

#6 paganw

Posted 03 April 2012 - 05:58 AM

Still have the same svchost.exe problem & no internet connection.

#7 gringo_pr

Bleepin Gringo
  • Malware Response Team

Posted 03 April 2012 - 10:02 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Let's check your internet connection.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure all the boxes are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University

#8 paganw

Posted 04 April 2012 - 06:01 AM

Greetings

I want you to run these next,

Gringo


Ok, but I figured I should mention this first.

In between my posting the log and getting your response my internet started working again, so I ran ComboFix with internet so I could download the Recovery Console. It was nearly completely done; I got a message that said it was preparing my log and it would be available momentarily. But instead of the log opening, a program called Internet Security opened instead. It looked like one of those fake HDD rogue programs so I didn't click on anything in it or in any of its pop-up warnings, but it launched the scan anyway; it disabled everything that could scan it or shut it down by claiming what I tried to open was infected with some 32/worm (or something) so access to the program was denied. It did that with Task Manager, Malwarebytes, SUPERAntiSpyware, AVG, MSconfig, GER, ComboFix, & Regedit; I finally just had to pull the plug out of the back of the PC, plug it back in, turn it back on, and press F8 until Safe Mode came up.

I just wanted to make sure I didn't need to do anything else to get rid of that infection before I ran the other programs you wanted, in case that malware might interfere with them.

Thanks

Btw, I have internet access now; unfortunately that makes the svchost.exe problem worse (even in Safe Mode with Networking the memory usage by just that process is over 200,000 KB in less than 10 minutes). That made me think of something; your directions for ComboFix said to close any open programs; I did, but I had to launch Task Manager several times to shut down the problem svchost.exe process so my computer wouldn't run out of memory. Could doing that have caused the problem that caused the Internet Security thing?

#9 paganw

Posted 04 April 2012 - 06:48 AM

Malwarebytes got rid of Internet Security so I ran TDSSKiller.

Log:

06:19:50.0921 1768 TDSS rootkit removing tool 2.7.25.0 Apr 3 2012 13:42:32
06:19:50.0937 1768 ============================================================
06:19:50.0937 1768 Current date / time: 2012/04/04 06:19:50.0937
06:19:50.0937 1768 SystemInfo:
06:19:50.0937 1768
06:19:50.0937 1768 OS Version: 5.1.2600 ServicePack: 3.0
06:19:50.0937 1768 Product type: Workstation
06:19:50.0953 1768 ComputerName: DESKTOP
06:19:50.0953 1768 UserName: Owner
06:19:50.0953 1768 Windows directory: C:\WINNT
06:19:50.0953 1768 System windows directory: C:\WINNT
06:19:50.0953 1768 Processor architecture: Intel x86
06:19:50.0953 1768 Number of processors: 2
06:19:50.0953 1768 Page size: 0x1000
06:19:50.0953 1768 Boot type: Normal boot
06:19:50.0953 1768 ============================================================
06:19:53.0203 1768 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
06:19:53.0203 1768 Drive \Device\Harddisk1\DR2 - Size: 0x79100000 (1.89 Gb), SectorSize: 0x200, Cylinders: 0xF6, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
06:19:53.0203 1768 \Device\Harddisk0\DR0:
06:19:53.0203 1768 MBR used
06:19:53.0203 1768 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xDF93782
06:19:53.0203 1768 \Device\Harddisk1\DR2:
06:19:53.0203 1768 MBR used
06:19:53.0203 1768 \Device\Harddisk1\DR2\Partition0: MBR, Type 0xE, StartLBA 0x1F80, BlocksNum 0x3C6880
06:19:53.0281 1768 Initialize success
06:19:53.0281 1768 ============================================================
06:20:08.0468 0372 ============================================================
06:20:08.0468 0372 Scan started
06:20:08.0468 0372 Mode: Manual;
06:20:08.0468 0372 ============================================================
06:20:08.0812 0372 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
06:20:08.0859 0372 !SASCORE - ok
06:20:09.0156 0372 Abiosdsk - ok
06:20:09.0390 0372 abp480n5 - ok
06:20:09.0843 0372 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINNT\system32\drivers\ac97intc.sys
06:20:09.0859 0372 ac97intc - ok
06:20:10.0218 0372 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINNT\system32\DRIVERS\ACPI.sys
06:20:10.0265 0372 ACPI - ok
06:20:10.0593 0372 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINNT\system32\drivers\ACPIEC.sys
06:20:10.0593 0372 ACPIEC - ok
06:20:11.0046 0372 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINNT\system32\DRIVERS\adpu160m.sys
06:20:11.0078 0372 adpu160m - ok
06:20:11.0390 0372 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINNT\system32\drivers\aeaudio.sys
06:20:11.0390 0372 aeaudio - ok
06:20:11.0875 0372 aec (8bed39e3c35d6a489438b8141717a557) C:\WINNT\system32\drivers\aec.sys
06:20:11.0921 0372 aec - ok
06:20:12.0265 0372 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINNT\System32\drivers\afd.sys
06:20:12.0296 0372 AFD - ok
06:20:12.0781 0372 AFS2K (b34b1ab0a7690a0e2301fec6d17b2fc1) C:\WINNT\system32\drivers\AFS2K.sys
06:20:12.0812 0372 AFS2K - ok
06:20:13.0125 0372 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINNT\system32\DRIVERS\agp440.sys
06:20:13.0125 0372 agp440 - ok
06:20:13.0421 0372 Aha154x - ok
06:20:13.0828 0372 aic78u2 - ok
06:20:14.0078 0372 aic78xx - ok
06:20:14.0390 0372 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINNT\system32\alrsvc.dll
06:20:14.0421 0372 Alerter - ok
06:20:14.0859 0372 ALG (8c515081584a38aa007909cd02020b3d) C:\WINNT\System32\alg.exe
06:20:14.0875 0372 ALG - ok
06:20:15.0171 0372 AliIde - ok
06:20:15.0406 0372 amsint - ok
06:20:15.0765 0372 AppMgmt - ok
06:20:16.0046 0372 asc - ok
06:20:16.0296 0372 asc3350p - ok
06:20:16.0531 0372 asc3550 - ok
06:20:16.0812 0372 aspnet_state (d33c507942299753868204cc7642fa27) C:\WINNT\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
06:20:16.0859 0372 aspnet_state - ok
06:20:17.0187 0372 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINNT\system32\DRIVERS\asyncmac.sys
06:20:17.0187 0372 AsyncMac - ok
06:20:17.0515 0372 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINNT\system32\DRIVERS\atapi.sys
06:20:17.0515 0372 atapi - ok
06:20:17.0921 0372 Atdisk - ok
06:20:18.0234 0372 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINNT\system32\DRIVERS\atmarpc.sys
06:20:18.0250 0372 Atmarpc - ok
06:20:18.0531 0372 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINNT\System32\audiosrv.dll
06:20:18.0546 0372 AudioSrv - ok
06:20:19.0031 0372 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINNT\system32\DRIVERS\audstub.sys
06:20:19.0031 0372 audstub - ok
06:20:19.0312 0372 auubqlx - ok
06:20:19.0765 0372 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINNT\system32\drivers\Beep.sys
06:20:19.0812 0372 Beep - ok
06:20:20.0328 0372 BITS (574738f61fca2935f5265dc4e5691314) C:\WINNT\system32\qmgr.dll
06:20:20.0859 0372 BITS - ok
06:20:21.0093 0372 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
06:20:21.0250 0372 Bonjour Service - ok
06:20:21.0562 0372 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINNT\System32\browser.dll
06:20:21.0593 0372 Browser - ok
06:20:22.0093 0372 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINNT\system32\drivers\BVRPMPR5.SYS
06:20:22.0109 0372 BVRPMPR5 - ok
06:20:22.0203 0372 catchme - ok
06:20:22.0500 0372 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINNT\system32\drivers\cbidf2k.sys
06:20:22.0515 0372 cbidf2k - ok
06:20:22.0937 0372 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINNT\system32\DRIVERS\CCDECODE.sys
06:20:22.0953 0372 CCDECODE - ok
06:20:23.0203 0372 cd20xrnt - ok
06:20:23.0484 0372 CdaD10BA (841cefab8228ee691705d059e7f21c47) C:\WINNT\System32\drivers\CdaD10BA.SYS
06:20:23.0484 0372 CdaD10BA - ok
06:20:23.0875 0372 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINNT\system32\drivers\Cdaudio.sys
06:20:23.0875 0372 Cdaudio - ok
06:20:24.0234 0372 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINNT\system32\drivers\Cdfs.sys
06:20:24.0250 0372 Cdfs - ok
06:20:24.0562 0372 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINNT\system32\DRIVERS\cdrom.sys
06:20:24.0578 0372 Cdrom - ok
06:20:24.0984 0372 Changer - ok
06:20:25.0250 0372 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINNT\system32\cisvc.exe
06:20:25.0250 0372 CiSvc - ok
06:20:25.0546 0372 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINNT\system32\clipsrv.exe
06:20:25.0562 0372 ClipSrv - ok
06:20:25.0890 0372 clr_optimization_v2.0.50727_32 (3c4d595e7f9b747325aef28b4adcaae5) C:\WINNT\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
06:20:26.0062 0372 clr_optimization_v2.0.50727_32 - ok
06:20:26.0359 0372 CmdIde - ok
06:20:26.0593 0372 COMSysApp - ok
06:20:26.0953 0372 Cpqarray - ok
06:20:27.0250 0372 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINNT\System32\cryptsvc.dll
06:20:27.0281 0372 CryptSvc - ok
06:20:27.0562 0372 dac2w2k - ok
06:20:27.0906 0372 dac960nt - ok
06:20:28.0343 0372 DcomLaunch (2589fe6015a316c0f5d5112b4da7b509) C:\WINNT\system32\rpcss.dll
06:20:28.0468 0372 DcomLaunch - ok
06:20:28.0921 0372 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINNT\System32\dhcpcsvc.dll
06:20:28.0953 0372 Dhcp - ok
06:20:29.0343 0372 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINNT\system32\DRIVERS\disk.sys
06:20:29.0359 0372 Disk - ok
06:20:29.0796 0372 dmadmin - ok
06:20:30.0375 0372 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINNT\system32\drivers\dmboot.sys
06:20:30.0750 0372 dmboot - ok
06:20:31.0218 0372 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINNT\system32\drivers\dmio.sys
06:20:31.0265 0372 dmio - ok
06:20:31.0562 0372 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINNT\system32\drivers\dmload.sys
06:20:31.0562 0372 dmload - ok
06:20:31.0968 0372 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINNT\System32\dmserver.dll
06:20:31.0984 0372 dmserver - ok
06:20:32.0359 0372 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINNT\system32\drivers\DMusic.sys
06:20:32.0375 0372 DMusic - ok
06:20:32.0765 0372 Dnscache (474b4dc3983173e4b4c9740b0dac98a6) C:\WINNT\System32\dnsrslvr.dll
06:20:32.0781 0372 Dnscache - ok
06:20:33.0125 0372 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINNT\System32\dot3svc.dll
06:20:33.0171 0372 Dot3svc - ok
06:20:33.0468 0372 dpti2o - ok
06:20:33.0843 0372 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINNT\system32\drivers\drmkaud.sys
06:20:33.0843 0372 drmkaud - ok
06:20:34.0203 0372 E100B (98b46b331404a951cabad8b4877e1276) C:\WINNT\system32\DRIVERS\e100b325.sys
06:20:34.0234 0372 E100B - ok
06:20:34.0500 0372 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINNT\System32\eapsvc.dll
06:20:34.0515 0372 EapHost - ok
06:20:34.0937 0372 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINNT\System32\ersvc.dll
06:20:34.0937 0372 ERSvc - ok
06:20:35.0296 0372 Eventlog (0e776ed5f7cc9f94299e70461b7b8185) C:\WINNT\system32\services.exe
06:20:35.0328 0372 Eventlog - ok
06:20:35.0812 0372 EventSystem (19a799805b24990867b00c120d300c3a) C:\WINNT\System32\es.dll
06:20:35.0875 0372 EventSystem - ok
06:20:36.0296 0372 Fastfat (38d332a6d56af32635675f132548343e) C:\WINNT\system32\drivers\Fastfat.sys
06:20:36.0343 0372 Fastfat - ok
06:20:36.0765 0372 FastUserSwitchingCompatibility (1926899bf9ffe2602b63074971700412) C:\WINNT\System32\shsvcs.dll
06:20:36.0812 0372 FastUserSwitchingCompatibility - ok
06:20:37.0125 0372 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINNT\system32\DRIVERS\fdc.sys
06:20:37.0125 0372 Fdc - ok
06:20:37.0453 0372 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINNT\system32\drivers\Fips.sys
06:20:37.0468 0372 Fips - ok
06:20:37.0875 0372 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINNT\system32\DRIVERS\flpydisk.sys
06:20:37.0875 0372 Flpydisk - ok
06:20:38.0203 0372 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINNT\system32\drivers\fltmgr.sys
06:20:38.0234 0372 FltMgr - ok
06:20:38.0515 0372 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINNT\system32\drivers\Fs_Rec.sys
06:20:38.0515 0372 Fs_Rec - ok
06:20:38.0937 0372 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINNT\system32\DRIVERS\ftdisk.sys
06:20:38.0968 0372 Ftdisk - ok
06:20:39.0281 0372 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINNT\system32\DRIVERS\GEARAspiWDM.sys
06:20:39.0281 0372 GEARAspiWDM - ok
06:20:39.0359 0372 getPlusHelper - ok
06:20:39.0796 0372 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINNT\system32\DRIVERS\msgpc.sys
06:20:39.0812 0372 Gpc - ok
06:20:39.0953 0372 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINNT\PCHealth\HelpCtr\Binaries\pchsvc.dll
06:20:39.0953 0372 helpsvc - ok
06:20:40.0265 0372 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINNT\System32\hidserv.dll
06:20:40.0281 0372 HidServ - ok
06:20:40.0593 0372 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINNT\system32\DRIVERS\hidusb.sys
06:20:40.0593 0372 HidUsb - ok
06:20:40.0984 0372 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINNT\System32\kmsvc.dll
06:20:41.0015 0372 hkmsvc - ok
06:20:41.0359 0372 hpn - ok
06:20:41.0593 0372 hpqcxs08 (b14328cfeeb6b736be44c2c9db3b162c) C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
06:20:41.0781 0372 hpqcxs08 - ok
06:20:42.0015 0372 hpqddsvc (df446ba625cc441617843e87798ce048) C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
06:20:42.0062 0372 hpqddsvc - ok
06:20:42.0437 0372 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINNT\system32\DRIVERS\HPZid412.sys
06:20:42.0453 0372 HPZid412 - ok
06:20:42.0890 0372 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINNT\system32\DRIVERS\HPZipr12.sys
06:20:42.0921 0372 HPZipr12 - ok
06:20:43.0453 0372 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINNT\system32\DRIVERS\HPZius12.sys
06:20:43.0468 0372 HPZius12 - ok
06:20:44.0281 0372 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINNT\system32\Drivers\HTTP.sys
06:20:44.0437 0372 HTTP - ok
06:20:45.0015 0372 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINNT\System32\w3ssl.dll
06:20:45.0031 0372 HTTPFilter - ok
06:20:45.0500 0372 i2omgmt - ok
06:20:46.0031 0372 i2omp - ok
06:20:46.0796 0372 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINNT\system32\DRIVERS\i8042prt.sys
06:20:46.0828 0372 i8042prt - ok
06:20:47.0375 0372 ialm (50d909fdaf6df35b04c6b6a4bcb6d675) C:\WINNT\system32\DRIVERS\ialmnt5.sys
06:20:47.0390 0372 ialm - ok
06:20:47.0937 0372 iaStor (50b56e7de809be4b8f4d24b3f0381520) C:\WINNT\system32\DRIVERS\iaStor.sys
06:20:48.0015 0372 iaStor - ok
06:20:48.0171 0372 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
06:20:48.0187 0372 IDriverT - ok
06:20:48.0531 0372 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINNT\system32\DRIVERS\imapi.sys
06:20:48.0546 0372 Imapi - ok
06:20:48.0968 0372 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINNT\system32\imapi.exe
06:20:49.0015 0372 ImapiService - ok
06:20:49.0343 0372 ini910u - ok
06:20:49.0984 0372 IntelC51 (dd476200776d9bd8b693ad733d33cdfd) C:\WINNT\system32\DRIVERS\IntelC51.sys
06:20:50.0203 0372 IntelC51 - ok
06:20:50.0765 0372 IntelC52 (633ce6c73add83b2cbd3d121978d74c4) C:\WINNT\system32\DRIVERS\IntelC52.sys
06:20:50.0859 0372 IntelC52 - ok
06:20:51.0171 0372 IntelC53 (ddc319760dfc9f898682599f4ae025ea) C:\WINNT\system32\DRIVERS\IntelC53.sys
06:20:51.0171 0372 IntelC53 - ok
06:20:51.0531 0372 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINNT\system32\DRIVERS\intelide.sys
06:20:51.0531 0372 IntelIde - ok
06:20:51.0968 0372 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINNT\system32\DRIVERS\intelppm.sys
06:20:51.0968 0372 intelppm - ok
06:20:52.0265 0372 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINNT\system32\drivers\ip6fw.sys
06:20:52.0281 0372 ip6fw - ok
06:20:52.0562 0372 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINNT\system32\DRIVERS\ipfltdrv.sys
06:20:52.0578 0372 IpFilterDriver - ok
06:20:53.0000 0372 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINNT\system32\DRIVERS\ipinip.sys
06:20:53.0000 0372 IpInIp - ok
06:20:53.0359 0372 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINNT\system32\DRIVERS\ipnat.sys
06:20:53.0406 0372 IpNat - ok
06:20:53.0890 0372 iPod Service (49918803b661367023bf325cf602afdc) C:\Program Files\iPod\bin\iPodService.exe
06:20:54.0140 0372 iPod Service - ok
06:20:54.0484 0372 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINNT\system32\DRIVERS\ipsec.sys
06:20:54.0500 0372 IPSec - ok
06:20:54.0937 0372 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINNT\system32\DRIVERS\irenum.sys
06:20:54.0953 0372 IRENUM - ok
06:20:55.0265 0372 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINNT\system32\DRIVERS\isapnp.sys
06:20:55.0281 0372 isapnp - ok
06:20:55.0562 0372 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINNT\system32\DRIVERS\kbdclass.sys
06:20:55.0562 0372 Kbdclass - ok
06:20:56.0000 0372 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINNT\system32\DRIVERS\kbdhid.sys
06:20:56.0015 0372 kbdhid - ok
06:20:56.0359 0372 kmixer (692bcf44383d056aed41b045a323d378) C:\WINNT\system32\drivers\kmixer.sys
06:20:56.0406 0372 kmixer - ok
06:20:56.0875 0372 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINNT\system32\drivers\KSecDD.sys
06:20:56.0906 0372 KSecDD - ok
06:20:57.0187 0372 lanmanserver (f385f4b02c535bffe1d70cab80838123) C:\WINNT\System32\srvsvc.dll
06:20:57.0218 0372 lanmanserver - ok
06:20:57.0546 0372 lanmanworkstation (1b67b632786fef1c1bbaef46c2f3f2e6) C:\WINNT\System32\wkssvc.dll
06:20:57.0640 0372 lanmanworkstation - ok
06:20:58.0046 0372 lbrtfdc - ok
06:20:58.0328 0372 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINNT\System32\lmhsvc.dll
06:20:58.0328 0372 LmHosts - ok
06:20:58.0750 0372 Machnm32 (fd65bef5ff8275711d9a56f0b8bb43f1) C:\WINNT\System32\Machnm32.sys
06:20:58.0750 0372 Machnm32 - ok
06:20:59.0109 0372 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINNT\system32\drivers\mbam.sys
06:20:59.0109 0372 MBAMProtector - ok
06:20:59.0437 0372 MBAMService (056b19651bd7b7ce5f89a3ac46dbdc08) C:\Program Files\MAM\mbamservice.exe
06:20:59.0750 0372 MBAMService - ok
06:21:00.0109 0372 MBAMSwissArmy (0db7527db188c7d967a37bb51bbf3963) C:\WINNT\system32\drivers\mbamswissarmy.sys
06:21:00.0109 0372 MBAMSwissArmy - ok
06:21:00.0437 0372 MCSTRM (5bb01b9f582259d1fb7653c5c1da3653) C:\WINNT\system32\drivers\MCSTRM.sys
06:21:00.0437 0372 MCSTRM - ok
06:21:00.0859 0372 MDC8021X (d7010580bf4e45d5e793a1fe75758c69) C:\WINNT\system32\DRIVERS\mdc8021x.sys
06:21:00.0859 0372 MDC8021X - ok
06:21:01.0171 0372 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINNT\System32\msgsvc.dll
06:21:01.0171 0372 Messenger - ok
06:21:01.0515 0372 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINNT\system32\drivers\mnmdd.sys
06:21:01.0515 0372 mnmdd - ok
06:21:01.0906 0372 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINNT\System32\mnmsrvc.exe
06:21:01.0921 0372 mnmsrvc - ok
06:21:02.0281 0372 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINNT\system32\drivers\Modem.sys
06:21:02.0281 0372 Modem - ok
06:21:02.0593 0372 mohfilt (b23378126af4e02dc691e9f5880f2acd) C:\WINNT\system32\DRIVERS\mohfilt.sys
06:21:02.0593 0372 mohfilt - ok
06:21:03.0031 0372 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINNT\system32\DRIVERS\mouclass.sys
06:21:03.0031 0372 Mouclass - ok
06:21:03.0343 0372 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINNT\system32\DRIVERS\mouhid.sys
06:21:03.0359 0372 mouhid - ok
06:21:03.0765 0372 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINNT\system32\drivers\MountMgr.sys
06:21:03.0781 0372 MountMgr - ok
06:21:03.0859 0372 MpKsl8a2350bd - ok
06:21:04.0250 0372 MR97310_USB_DUAL_CAMERA (1aae79a4176a957bf2bb679812f04655) C:\WINNT\system32\DRIVERS\mr97310c.sys
06:21:04.0281 0372 MR97310_USB_DUAL_CAMERA - ok
06:21:04.0546 0372 mraid35x - ok
06:21:04.0984 0372 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINNT\system32\DRIVERS\mrxdav.sys
06:21:05.0062 0372 MRxDAV - ok
06:21:05.0500 0372 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINNT\system32\DRIVERS\mrxsmb.sys
06:21:05.0718 0372 MRxSmb - ok
06:21:06.0031 0372 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINNT\System32\msdtc.exe
06:21:06.0046 0372 MSDTC - ok
06:21:06.0421 0372 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINNT\system32\drivers\Msfs.sys
06:21:06.0421 0372 Msfs - ok
06:21:06.0812 0372 MSIServer - ok
06:21:07.0093 0372 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINNT\system32\drivers\MSKSSRV.sys
06:21:07.0109 0372 MSKSSRV - ok
06:21:07.0406 0372 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINNT\system32\drivers\MSPCLOCK.sys
06:21:07.0406 0372 MSPCLOCK - ok
06:21:07.0828 0372 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINNT\system32\drivers\MSPQM.sys
06:21:07.0828 0372 MSPQM - ok
06:21:08.0156 0372 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINNT\system32\DRIVERS\mssmbios.sys
06:21:08.0156 0372 mssmbios - ok
06:21:08.0468 0372 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINNT\system32\drivers\MSTEE.sys
06:21:08.0468 0372 MSTEE - ok
06:21:08.0906 0372 Mtlmnt5 (c53775780148884ac87c455489a0c070) C:\WINNT\system32\DRIVERS\Mtlmnt5.sys
06:21:08.0953 0372 Mtlmnt5 - ok
06:21:09.0765 0372 Mtlstrm (54886a652bf5685192141df304e923fd) C:\WINNT\system32\DRIVERS\Mtlstrm.sys
06:21:10.0187 0372 Mtlstrm - ok
06:21:10.0515 0372 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINNT\system32\drivers\Mup.sys
06:21:10.0546 0372 Mup - ok
06:21:10.0968 0372 MxlW2k (88f57a15b786bf2af9458f7903768085) C:\WINNT\system32\drivers\MxlW2k.sys
06:21:10.0984 0372 MxlW2k - ok
06:21:11.0328 0372 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINNT\system32\DRIVERS\NABTSFEC.sys
06:21:11.0359 0372 NABTSFEC - ok
06:21:11.0906 0372 napagent (0102140028fad045756796e1c685d695) C:\WINNT\System32\qagentrt.dll
06:21:11.0984 0372 napagent - ok
06:21:12.0375 0372 NDIS (1df7f42665c94b825322fae71721130d) C:\WINNT\system32\drivers\NDIS.sys
06:21:12.0421 0372 NDIS - ok
06:21:12.0828 0372 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINNT\system32\DRIVERS\NdisIP.sys
06:21:12.0843 0372 NdisIP - ok
06:21:13.0140 0372 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINNT\system32\DRIVERS\ndistapi.sys
06:21:13.0140 0372 NdisTapi - ok
06:21:13.0484 0372 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINNT\system32\DRIVERS\ndisuio.sys
06:21:13.0484 0372 Ndisuio - ok
06:21:13.0921 0372 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINNT\system32\DRIVERS\ndiswan.sys
06:21:13.0937 0372 NdisWan - ok
06:21:14.0250 0372 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINNT\system32\drivers\NDProxy.sys
06:21:14.0265 0372 NDProxy - ok
06:21:14.0359 0372 Nero BackItUp Scheduler 4.0 - ok
06:21:14.0796 0372 Net Driver HPZ12 (51c6d8bfbd4ea5b62a1ba7f4469250d3) C:\WINNT\system32\HPZinw12.dll
06:21:14.0812 0372 Net Driver HPZ12 - ok
06:21:15.0140 0372 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINNT\system32\DRIVERS\netbios.sys
06:21:15.0140 0372 NetBIOS - ok
06:21:15.0515 0372 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINNT\system32\DRIVERS\netbt.sys
06:21:15.0562 0372 NetBT - ok
06:21:15.0984 0372 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINNT\system32\netdde.exe
06:21:16.0015 0372 NetDDE - ok
06:21:16.0062 0372 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINNT\system32\netdde.exe
06:21:16.0062 0372 NetDDEdsdm - ok
06:21:16.0437 0372 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINNT\system32\lsass.exe
06:21:16.0437 0372 Netlogon - ok
06:21:16.0937 0372 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINNT\System32\netman.dll
06:21:17.0000 0372 Netman - ok
06:21:17.0187 0372 NetSvc (737351f39fef765234037770abdd72bd) C:\Program Files\Intel\NCS\Sync\NetSvc.exe
06:21:17.0218 0372 NetSvc - ok
06:21:17.0593 0372 Nla (b4138e99236f0f57d4cf49bae98a0746) C:\WINNT\System32\mswsock.dll
06:21:17.0781 0372 Nla - ok
06:21:18.0093 0372 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINNT\system32\drivers\Npfs.sys
06:21:18.0109 0372 Npfs - ok
06:21:18.0687 0372 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINNT\system32\drivers\Ntfs.sys
06:21:18.0890 0372 Ntfs - ok
06:21:19.0171 0372 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINNT\System32\lsass.exe
06:21:19.0171 0372 NtLmSsp - ok
06:21:19.0796 0372 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINNT\system32\ntmssvc.dll
06:21:19.0937 0372 NtmsSvc - ok
06:21:20.0312 0372 NtMtlFax (576b34ceae5b7e5d9fd2775e93b3db53) C:\WINNT\system32\DRIVERS\NtMtlFax.sys
06:21:20.0375 0372 NtMtlFax - ok
06:21:20.0765 0372 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINNT\system32\drivers\Null.sys
06:21:20.0765 0372 Null - ok
06:21:21.0828 0372 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINNT\system32\DRIVERS\nv4_mini.sys
06:21:22.0437 0372 nv - ok
06:21:22.0859 0372 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINNT\system32\DRIVERS\nwlnkflt.sys
06:21:22.0875 0372 NwlnkFlt - ok
06:21:23.0171 0372 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINNT\system32\DRIVERS\nwlnkfwd.sys
06:21:23.0187 0372 NwlnkFwd - ok
06:21:23.0515 0372 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINNT\system32\DRIVERS\parport.sys
06:21:23.0546 0372 Parport - ok
06:21:23.0953 0372 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINNT\system32\drivers\PartMgr.sys
06:21:23.0968 0372 PartMgr - ok
06:21:24.0250 0372 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINNT\system32\drivers\ParVdm.sys
06:21:24.0250 0372 ParVdm - ok
06:21:24.0578 0372 PCI (a219903ccf74233761d92bef471a07b1) C:\WINNT\system32\DRIVERS\pci.sys
06:21:24.0656 0372 PCI - ok
06:21:24.0984 0372 PCIDump - ok
06:21:25.0250 0372 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINNT\system32\DRIVERS\pciide.sys
06:21:25.0250 0372 PCIIde - ok
06:21:25.0640 0372 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINNT\system32\drivers\Pcmcia.sys
06:21:25.0750 0372 Pcmcia - ok
06:21:26.0046 0372 PDCOMP - ok
06:21:26.0296 0372 PDFRAME - ok
06:21:26.0578 0372 PDRELI - ok
06:21:26.0968 0372 PDRFRAME - ok
06:21:27.0203 0372 perc2 - ok
06:21:27.0437 0372 perc2hib - ok
06:21:27.0906 0372 PlugPlay (0e776ed5f7cc9f94299e70461b7b8185) C:\WINNT\system32\services.exe
06:21:27.0906 0372 PlugPlay - ok
06:21:28.0234 0372 Pml Driver HPZ12 (79834aa2fbf9fe81eebb229024f6f7fc) C:\WINNT\system32\HPZipm12.dll
06:21:28.0265 0372 Pml Driver HPZ12 - ok
06:21:28.0593 0372 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINNT\system32\lsass.exe
06:21:28.0593 0372 PolicyAgent - ok
06:21:29.0031 0372 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINNT\system32\DRIVERS\raspptp.sys
06:21:29.0046 0372 PptpMiniport - ok
06:21:29.0359 0372 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINNT\system32\DRIVERS\processr.sys
06:21:29.0375 0372 Processor - ok
06:21:29.0796 0372 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINNT\system32\lsass.exe
06:21:29.0796 0372 ProtectedStorage - ok
06:21:30.0125 0372 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINNT\system32\DRIVERS\psched.sys
06:21:30.0140 0372 PSched - ok
06:21:30.0421 0372 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINNT\system32\DRIVERS\ptilink.sys
06:21:30.0421 0372 Ptilink - ok
06:21:30.0859 0372 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINNT\system32\Drivers\PxHelp20.sys
06:21:30.0875 0372 PxHelp20 - ok
06:21:31.0125 0372 ql1080 - ok
06:21:31.0375 0372 Ql10wnt - ok
06:21:31.0609 0372 ql12160 - ok
06:21:31.0984 0372 ql1240 - ok
06:21:32.0234 0372 ql1280 - ok
06:21:32.0500 0372 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINNT\system32\DRIVERS\rasacd.sys
06:21:32.0500 0372 RasAcd - ok
06:21:32.0984 0372 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINNT\System32\rasauto.dll
06:21:33.0015 0372 RasAuto - ok
06:21:33.0359 0372 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINNT\system32\DRIVERS\rasl2tp.sys
06:21:33.0375 0372 Rasl2tp - ok
06:21:33.0843 0372 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINNT\System32\rasmans.dll
06:21:33.0906 0372 RasMan - ok
06:21:34.0234 0372 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINNT\system32\DRIVERS\raspppoe.sys
06:21:34.0250 0372 RasPppoe - ok
06:21:34.0515 0372 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINNT\system32\DRIVERS\raspti.sys
06:21:34.0531 0372 Raspti - ok
06:21:35.0000 0372 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINNT\system32\DRIVERS\rdbss.sys
06:21:35.0046 0372 Rdbss - ok
06:21:35.0359 0372 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINNT\system32\DRIVERS\RDPCDD.sys
06:21:35.0359 0372 RDPCDD - ok
06:21:35.0843 0372 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINNT\system32\drivers\RDPWD.sys
06:21:35.0890 0372 RDPWD - ok
06:21:36.0234 0372 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINNT\system32\sessmgr.exe
06:21:36.0281 0372 RDSessMgr - ok
06:21:36.0593 0372 RecAgent (e9aaa0092d74a9d371659c4c38882e12) C:\WINNT\System32\DRIVERS\RecAgent.sys
06:21:36.0593 0372 RecAgent - ok
06:21:37.0062 0372 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINNT\system32\DRIVERS\redbook.sys
06:21:37.0078 0372 redbook - ok
06:21:37.0375 0372 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINNT\System32\mprdim.dll
06:21:37.0390 0372 RemoteAccess - ok
06:21:37.0828 0372 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINNT\System32\locator.exe
06:21:37.0843 0372 RpcLocator - ok
06:21:38.0296 0372 RpcSs (2589fe6015a316c0f5d5112b4da7b509) C:\WINNT\System32\rpcss.dll
06:21:38.0312 0372 RpcSs - ok
06:21:38.0765 0372 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINNT\System32\rsvp.exe
06:21:38.0796 0372 RSVP - ok
06:21:38.0906 0372 SABProcEnum - ok
06:21:39.0234 0372 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINNT\system32\lsass.exe
06:21:39.0234 0372 SamSs - ok
06:21:39.0375 0372 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
06:21:39.0375 0372 SASDIFSV - ok
06:21:39.0421 0372 SASENUM - ok
06:21:39.0484 0372 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
06:21:39.0515 0372 SASKUTIL - ok
06:21:39.0968 0372 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINNT\System32\SCardSvr.exe
06:21:40.0000 0372 SCardSvr - ok
06:21:40.0390 0372 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINNT\system32\schedsvc.dll
06:21:40.0437 0372 Schedule - ok
06:21:40.0890 0372 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINNT\system32\DRIVERS\secdrv.sys
06:21:40.0890 0372 Secdrv - ok
06:21:41.0203 0372 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINNT\System32\seclogon.dll
06:21:41.0218 0372 seclogon - ok
06:21:41.0531 0372 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINNT\system32\sens.dll
06:21:41.0531 0372 SENS - ok
06:21:42.0046 0372 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINNT\system32\DRIVERS\serenum.sys
06:21:42.0046 0372 serenum - ok
06:21:42.0375 0372 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINNT\system32\DRIVERS\serial.sys
06:21:42.0390 0372 Serial - ok
06:21:42.0781 0372 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINNT\system32\drivers\Sfloppy.sys
06:21:42.0796 0372 Sfloppy - ok
06:21:43.0187 0372 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINNT\System32\ipnathlp.dll
06:21:43.0296 0372 SharedAccess - ok
06:21:43.0750 0372 ShellHWDetection (1926899bf9ffe2602b63074971700412) C:\WINNT\System32\shsvcs.dll
06:21:43.0750 0372 ShellHWDetection - ok
06:21:44.0046 0372 Simbad - ok
06:21:44.0375 0372 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINNT\system32\DRIVERS\SLIP.sys
06:21:44.0375 0372 SLIP - ok
06:21:44.0906 0372 Slntamr (2c1779c0feb1f4a6033600305eba623a) C:\WINNT\system32\DRIVERS\slntamr.sys
06:21:45.0046 0372 Slntamr - ok
06:21:45.0406 0372 SlNtHal (f9b8e30e82ee95cf3e1d3e495599b99c) C:\WINNT\system32\DRIVERS\Slnthal.sys
06:21:45.0437 0372 SlNtHal - ok
06:21:45.0859 0372 SlWdmSup (3b4a3b282f62fe5d75127d22b26909ed) C:\WINNT\system32\DRIVERS\SlWdmSup.sys
06:21:45.0859 0372 SlWdmSup - ok
06:21:46.0375 0372 smwdm (eba50c8f7efd8178e8c4bde6b74e744c) C:\WINNT\system32\drivers\smwdm.sys
06:21:46.0531 0372 smwdm - ok
06:21:46.0906 0372 Sparrow - ok
06:21:47.0218 0372 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINNT\system32\drivers\splitter.sys
06:21:47.0218 0372 splitter - ok
06:21:47.0500 0372 Spooler (d8e14a61acc1d4a6cd0d38aebac7fa3b) C:\WINNT\system32\spoolsv.exe
06:21:47.0531 0372 Spooler - ok
06:21:47.0984 0372 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINNT\system32\DRIVERS\sr.sys
06:21:48.0000 0372 sr - ok
06:21:48.0359 0372 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINNT\system32\srsvc.dll
06:21:48.0421 0372 srservice - ok
06:21:48.0953 0372 Srv (5252605079810904e31c332e241cd59b) C:\WINNT\system32\DRIVERS\srv.sys
06:21:49.0046 0372 Srv - ok
06:21:49.0390 0372 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINNT\System32\ssdpsrv.dll
06:21:49.0406 0372 SSDPSRV - ok
06:21:49.0937 0372 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINNT\system32\wiaservc.dll
06:21:50.0031 0372 stisvc - ok
06:21:50.0390 0372 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINNT\system32\DRIVERS\StreamIP.sys
06:21:50.0390 0372 streamip - ok
06:21:50.0812 0372 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINNT\system32\DRIVERS\swenum.sys
06:21:50.0812 0372 swenum - ok
06:21:51.0109 0372 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINNT\system32\drivers\swmidi.sys
06:21:51.0140 0372 swmidi - ok
06:21:51.0421 0372 SwPrv - ok
06:21:51.0781 0372 symc810 - ok
06:21:52.0031 0372 symc8xx - ok
06:21:52.0265 0372 sym_hi - ok
06:21:52.0515 0372 sym_u3 - ok
06:21:52.0921 0372 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINNT\system32\drivers\sysaudio.sys
06:21:52.0937 0372 sysaudio - ok
06:21:53.0281 0372 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINNT\system32\smlogsvc.exe
06:21:53.0312 0372 SysmonLog - ok
06:21:53.0781 0372 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINNT\System32\tapisrv.dll
06:21:53.0859 0372 TapiSrv - ok
06:21:54.0296 0372 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINNT\system32\DRIVERS\tcpip.sys
06:21:54.0406 0372 Tcpip - ok
06:21:54.0828 0372 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINNT\system32\drivers\TDPIPE.sys
06:21:54.0843 0372 TDPIPE - ok
06:21:55.0140 0372 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINNT\system32\drivers\TDTCP.sys
06:21:55.0156 0372 TDTCP - ok
06:21:55.0484 0372 TermDD (88155247177638048422893737429d9e) C:\WINNT\system32\DRIVERS\termdd.sys
06:21:55.0500 0372 TermDD - ok
06:21:55.0968 0372 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINNT\System32\termsrv.dll
06:21:56.0062 0372 TermService - ok
06:21:56.0453 0372 Themes (1926899bf9ffe2602b63074971700412) C:\WINNT\System32\shsvcs.dll
06:21:56.0453 0372 Themes - ok
06:21:56.0875 0372 TosIde - ok
06:21:57.0171 0372 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINNT\system32\trkwks.dll
06:21:57.0203 0372 TrkWks - ok
06:21:57.0562 0372 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINNT\system32\drivers\Udfs.sys
06:21:57.0593 0372 Udfs - ok
06:21:58.0015 0372 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINNT\system32\DRIVERS\ultra.sys
06:21:58.0015 0372 ultra - ok
06:21:58.0468 0372 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINNT\system32\DRIVERS\update.sys
06:21:58.0593 0372 Update - ok
06:21:59.0046 0372 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINNT\System32\upnphost.dll
06:21:59.0109 0372 upnphost - ok
06:21:59.0453 0372 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINNT\System32\ups.exe
06:21:59.0453 0372 UPS - ok
06:21:59.0921 0372 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINNT\system32\DRIVERS\usbccgp.sys
06:21:59.0921 0372 usbccgp - ok
06:22:00.0250 0372 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINNT\system32\DRIVERS\usbehci.sys
06:22:00.0250 0372 usbehci - ok
06:22:00.0625 0372 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINNT\system32\DRIVERS\usbhub.sys
06:22:00.0656 0372 usbhub - ok
06:22:01.0046 0372 usbprint (a717c8721046828520c9edf31288fc00) C:\WINNT\system32\DRIVERS\usbprint.sys
06:22:01.0062 0372 usbprint - ok
06:22:01.0375 0372 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINNT\system32\DRIVERS\usbscan.sys
06:22:01.0375 0372 usbscan - ok
06:22:01.0812 0372 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINNT\system32\DRIVERS\USBSTOR.SYS
06:22:01.0828 0372 USBSTOR - ok
06:22:02.0125 0372 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINNT\system32\DRIVERS\usbuhci.sys
06:22:02.0140 0372 usbuhci - ok
06:22:02.0500 0372 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINNT\System32\drivers\vga.sys
06:22:02.0500 0372 VgaSave - ok
06:22:02.0921 0372 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINNT\system32\DRIVERS\viaide.sys
06:22:02.0937 0372 ViaIde - ok
06:22:03.0250 0372 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINNT\system32\drivers\VolSnap.sys
06:22:03.0265 0372 VolSnap - ok
06:22:03.0562 0372 vovs - ok
06:22:04.0015 0372 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINNT\System32\vssvc.exe
06:22:04.0109 0372 VSS - ok
06:22:04.0468 0372 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINNT\system32\w32time.dll
06:22:04.0531 0372 W32Time - ok
06:22:04.0984 0372 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINNT\system32\DRIVERS\wanarp.sys
06:22:05.0000 0372 Wanarp - ok
06:22:05.0265 0372 wanatw - ok
06:22:05.0828 0372 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINNT\system32\Drivers\wdf01000.sys
06:22:05.0984 0372 Wdf01000 - ok
06:22:06.0265 0372 WDICA - ok
06:22:06.0578 0372 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINNT\system32\drivers\wdmaud.sys
06:22:06.0625 0372 wdmaud - ok
06:22:07.0015 0372 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINNT\System32\webclnt.dll
06:22:07.0046 0372 WebClient - ok
06:22:07.0453 0372 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINNT\system32\wbem\WMIsvc.dll
06:22:07.0500 0372 winmgmt - ok
06:22:08.0062 0372 WlanUIG (01a3d371863250118591fb829eec91ac) C:\WINNT\system32\DRIVERS\WlanUIG.sys
06:22:08.0171 0372 WlanUIG - ok
06:22:08.0468 0372 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINNT\system32\MsPMSNSv.dll
06:22:08.0484 0372 WmdmPmSN - ok
06:22:08.0984 0372 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINNT\System32\wbem\wmiapsrv.exe
06:22:09.0031 0372 WmiApSrv - ok
06:22:09.0375 0372 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINNT\system32\DRIVERS\wpdusb.sys
06:22:09.0390 0372 WpdUsb - ok
06:22:09.0812 0372 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINNT\System32\drivers\ws2ifsl.sys
06:22:09.0828 0372 WS2IFSL - ok
06:22:10.0109 0372 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINNT\system32\DRIVERS\WSTCODEC.SYS
06:22:10.0125 0372 WSTCODEC - ok
06:22:10.0125 0372 wuauserv - ok
06:22:10.0484 0372 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINNT\system32\DRIVERS\WudfPf.sys
06:22:10.0500 0372 WudfPf - ok
06:22:10.0968 0372 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINNT\system32\DRIVERS\wudfrd.sys
06:22:11.0000 0372 WudfRd - ok
06:22:11.0312 0372 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINNT\System32\WUDFSvc.dll
06:22:11.0343 0372 WudfSvc - ok
06:22:11.0937 0372 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINNT\System32\wzcsvc.dll
06:22:12.0078 0372 WZCSVC - ok
06:22:12.0484 0372 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINNT\System32\xmlprov.dll
06:22:12.0671 0372 xmlprov - ok
06:22:13.0093 0372 zumbus (f8b34c0d36164a44d05ce2082b6a9350) C:\WINNT\system32\DRIVERS\zumbus.sys
06:22:13.0109 0372 zumbus - ok
06:22:13.0421 0372 ZuneBusEnum (a2612386460ea7dad56d0dac63b67ab5) c:\WINNT\system32\ZuneBusEnum.exe
06:22:13.0437 0372 ZuneBusEnum - ok
06:22:15.0453 0372 ZuneNetworkSvc (a77aa4a68d9ca0abc71ce39b09f94612) c:\Program Files\Zune\ZuneNss.exe
06:22:17.0296 0372 ZuneNetworkSvc - ok
06:22:17.0796 0372 ZuneWlanCfgSvc (eeb2d99436666ee22d3ebcb835d5bc8b) c:\WINNT\system32\ZuneWlanCfgSvc.exe
06:22:17.0859 0372 ZuneWlanCfgSvc - ok
06:22:18.0265 0372 {6080A529-897E-4629-A488-ABA0C29B635E} (1a301c3c65a3d119803fbac5ab65897f) C:\WINNT\system32\drivers\ialmsbw.sys
06:22:18.0296 0372 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
06:22:18.0750 0372 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (4afee4b1625d5146b16526e48953d7a6) C:\WINNT\system32\drivers\ialmkchw.sys
06:22:18.0765 0372 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
06:22:18.0812 0372 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
06:22:18.0828 0372 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
06:22:18.0828 0372 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
06:22:18.0828 0372 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk1\DR2
06:22:19.0781 0372 \Device\Harddisk1\DR2 - ok
06:22:19.0796 0372 Boot (0x1200) (5696cf2af37e5486fd0f41533773986b) \Device\Harddisk0\DR0\Partition0
06:22:19.0796 0372 \Device\Harddisk0\DR0\Partition0 - ok
06:22:19.0796 0372 Boot (0x1200) (4613cbb117b037659787784c470f4b8e) \Device\Harddisk1\DR2\Partition0
06:22:19.0812 0372 \Device\Harddisk1\DR2\Partition0 - ok
06:22:19.0812 0372 ============================================================
06:22:19.0812 0372 Scan finished
06:22:19.0812 0372 ============================================================
06:22:19.0828 1976 Detected object count: 1
06:22:19.0828 1976 Actual detected object count: 1
06:22:51.0406 1976 \Device\Harddisk0\DR0\# - copied to quarantine
06:22:51.0406 1976 \Device\Harddisk0\DR0 - copied to quarantine
06:22:53.0187 1976 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
06:22:53.0234 1976 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
06:22:53.0250 1976 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
06:22:53.0250 1976 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
06:22:53.0265 1976 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
06:22:53.0281 1976 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
06:22:53.0281 1976 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
06:22:53.0343 1976 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
06:22:53.0343 1976 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
06:22:53.0343 1976 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
06:22:53.0359 1976 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
06:22:53.0359 1976 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
06:22:53.0359 1976 \Device\Harddisk0\DR0\TDLFS\hpmp - copied to quarantine
06:22:53.0359 1976 \Device\Harddisk0\DR0\TDLFS\ppfp - copied to quarantine
06:22:53.0390 1976 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
06:22:53.0390 1976 \Device\Harddisk0\DR0 - ok
06:22:54.0437 1976 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
06:23:19.0171 1752 Deinitialize success
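The TDSSKiller log above has a fixed line shape ("HH:MM:SS.mmmm PID body"), so the facts a helper scans it for (the MBR verdict, what went to quarantine, what is still waiting for a reboot) can be pulled out mechanically rather than read off by eye. The Python below is an added example, not part of the original post and not TDSSKiller code; it parses a constructed sample built from a few lines of the log above and flags whether a follow-up scan is still needed. The reading of "ok" lines that have no preceding hash line (the tool logged no image file for them) is an assumption.

```python
import re

# Constructed sample, modelled on a handful of lines from the TDSSKiller log
# posted above; it is not the full log.
SAMPLE_LOG = r"""
06:21:00.0437 0372 MCSTRM (5bb01b9f582259d1fb7653c5c1da3653) C:\WINNT\system32\drivers\MCSTRM.sys
06:21:00.0437 0372 MCSTRM - ok
06:21:03.0859 0372 MpKsl8a2350bd - ok
06:22:18.0812 0372 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
06:22:18.0828 0372 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
06:22:18.0828 0372 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
06:22:18.0828 0372 MBR (0x1B8) (65e858a8a0293be11a920b0bc99d695e) \Device\Harddisk1\DR2
06:22:19.0781 0372 \Device\Harddisk1\DR2 - ok
06:22:19.0828 1976 Detected object count: 1
06:22:51.0406 1976 \Device\Harddisk0\DR0 - copied to quarantine
06:22:53.0234 1976 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
06:22:53.0390 1976 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
06:22:54.0437 1976 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
"""

# "HH:MM:SS.mmmm PID <body>"
ENTRY_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.+)$")
# "<name> (<md5>) <path>": the tool hashed the object's image file.
HASHED_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "<object> [( <threat> )] - <status>": verdict or action for an object.
STATUS_RE = re.compile(r"^(?P<obj>.+?)(?: \( (?P<threat>[^)]+) \))? - (?P<status>.+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")


def triage(log_text):
    """Reduce a TDSSKiller log to the facts a reviewer needs."""
    hashes, findings, quarantined, pending, actions = [], [], [], [], []
    ok_objects, reported_count = [], None
    for raw in log_text.strip().splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # banner, separator or other non-entry line
        body = m.group(3)
        c = COUNT_RE.match(body)
        if c:
            reported_count = int(c.group(1))
            continue
        h = HASHED_RE.match(body)
        if h:
            hashes.append((h["name"], h["md5"], h["path"]))
            continue
        s = STATUS_RE.match(body)
        if not s:
            continue
        obj, threat, status = s["obj"], s["threat"], s["status"]
        if status == "ok":
            ok_objects.append(obj)
        elif status == "infected" or status.startswith("detected "):
            if threat is None:
                threat = status.split()[1]  # "detected <name> (<n>)"
            if (obj, threat) not in findings:
                findings.append((obj, threat))
        elif status == "copied to quarantine":
            quarantined.append(obj)
        elif status == "will be cured on reboot":
            pending.append(obj)
        elif status.startswith("User select action: "):
            actions.append((obj, status.split(": ", 1)[1]))
    # Objects the tool hashed, by service name or by path.
    known = {n for n, _, _ in hashes} | {p for _, _, p in hashes}
    return {
        "hashes": hashes,
        "findings": findings,
        "quarantined": quarantined,
        "pending_reboot": pending,
        "user_actions": actions,
        "clean_count": len(ok_objects),
        # "ok" verdicts with no preceding hash line (assumption: no image file was logged)
        "unhashed_ok": [o for o in ok_objects if o not in known],
        "reported_count": reported_count,
    }


def needs_followup(result):
    """True when the log alone does not show the machine is clean."""
    if result["pending_reboot"]:
        return True  # the cure is applied at reboot; a fresh scan must confirm it
    if result["reported_count"] is not None and result["reported_count"] != len(result["findings"]):
        return True  # parsed findings disagree with the tool's own count
    return bool(result["findings"]) and not result["user_actions"]


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for key in ("findings", "quarantined", "pending_reboot", "user_actions", "unhashed_ok"):
        print(f"{key}: {summary[key]}")
    print("follow-up scan needed:", needs_followup(summary))
```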

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:18 AM

Posted 04 April 2012 - 07:47 AM

that is very good, it got rid of the rootkit - I still want to see the aswMBR report



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 paganw

paganw
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:09:18 AM

Posted 05 April 2012 - 03:51 AM

Ran aswMBR (btw, that one occurrence of svchost.exe still seems to use more memory than the others, but not nearly as much as it did before TDSSKiller; before running that I could actually hear when it was time to open Task Manager & shut it down, because the computer sounded like it was going to die if I didn't; now it doesn't).

I did have a bit of a problem running this one (it doesn't really show you what it is doing or still needs to do, & most programs don't let you save a log until it's done; it seemed to freeze on a file for about 5 minutes, so I assumed it was done and saved the log). I wasn't sure, so I ran it again to be safe & it went past that file.


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-04 06:54:03
-----------------------------
06:54:03.281 OS Version: Windows 5.1.2600 Service Pack 3
06:54:03.281 Number of processors: 2 586 0x209
06:54:03.281 ComputerName: DESKTOP UserName: Owner
06:54:04.781 Initialize success
06:57:31.921 AVAST engine defs: 12040400
07:01:37.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
07:01:37.437 Disk 0 Vendor: WDC_WD1200BB-53DWA0 15.05R15 Size: 114473MB BusType: 3
07:01:37.453 Disk 0 MBR read successfully
07:01:37.453 Disk 0 MBR scan
07:01:37.625 Disk 0 Windows XP default MBR code
07:01:37.625 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114470 MB offset 63
07:01:37.640 Disk 0 scanning sectors +234436545
07:01:37.765 Disk 0 scanning C:\WINNT\system32\drivers
07:02:04.625 Service scanning
07:02:46.531 Modules scanning
07:03:12.781 Disk 0 trace - called modules:
07:03:12.796 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
07:03:12.796 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86762030]
07:03:12.796 3 CLASSPNP.SYS[f774ffd7] -> nt!IofCallDriver -> \Device\00000078[0x86773f18]
07:03:12.796 5 ACPI.sys[f76b6620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86791608]
07:03:14.671 AVAST engine scan C:\WINNT
07:03:38.359 AVAST engine scan C:\WINNT\system32
07:11:42.140 AVAST engine scan C:\WINNT\system32\drivers
07:12:17.468 AVAST engine scan C:\Documents and Settings\Owner
07:21:22.000 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
07:21:22.000 The log file has been saved successfully to "E:\aswMBR.txt"





aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-04 07:37:45
-----------------------------
07:37:45.109 OS Version: Windows 5.1.2600 Service Pack 3
07:37:45.109 Number of processors: 2 586 0x209
07:37:45.109 ComputerName: DESKTOP UserName: Owner
07:37:47.468 Initialize success
07:38:28.093 AVAST engine defs: 12040400
07:43:21.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
07:43:21.859 Disk 0 Vendor: WDC_WD1200BB-53DWA0 15.05R15 Size: 114473MB BusType: 3
07:43:21.921 Disk 0 MBR read successfully
07:43:21.937 Disk 0 MBR scan
07:43:22.093 Disk 0 Windows XP default MBR code
07:43:22.109 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114470 MB offset 63
07:43:22.125 Disk 0 scanning sectors +234436545
07:43:22.265 Disk 0 scanning C:\WINNT\system32\drivers
07:43:52.359 Service scanning
07:44:43.921 Modules scanning
07:45:09.281 Disk 0 trace - called modules:
07:45:09.296 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
07:45:09.312 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86763030]
07:45:09.343 3 CLASSPNP.SYS[f774ffd7] -> nt!IofCallDriver -> \Device\00000077[0x867cdf18]
07:45:09.343 5 ACPI.sys[f76b6620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x867ce3f0]
07:45:11.250 AVAST engine scan C:\WINNT
07:45:36.703 AVAST engine scan C:\WINNT\system32
07:53:26.062 AVAST engine scan C:\WINNT\system32\drivers
07:53:56.984 AVAST engine scan C:\Documents and Settings\Owner
08:04:37.781 AVAST engine scan C:\Documents and Settings\All Users
08:08:29.953 Scan finished successfully
08:12:21.984 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
08:12:22.000 The log file has been saved successfully to "E:\aswMBR.txt"

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:18 AM

Posted 05 April 2012 - 04:58 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:18 AM

Posted 07 April 2012 - 11:30 PM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:18 AM

Posted 11 April 2012 - 05:35 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:18 AM

Posted 13 April 2012 - 11:49 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



