
svchost.exe high cpu usage & system freezes up

Discussion in 'Virus & Other Malware Removal' started by Actuarial, Nov 9, 2011.

  1. Actuarial (Thread Starter)
    Hi, I recently got one of my company's old PCs, an HP d530 with XP Pro (and I installed SP3). Here's a summary of the things I've done since getting it last week: IE 8, AVG 2012 Free, ZoneAlarm free firewall, OpenOffice 3, Firefox, all the Windows updates available, Java, 7-Zip, Adobe Flash, Adobe Reader X. I also ran CCleaner as part of my attempt to solve the problems described below.

    There have been a couple of issues that I've seemingly fixed, such as it asking me to reactivate XP (good thing the sticker with the key is still on the tower) and AVG not recognizing the license (or something similar; I had to reinstall). There are also 21 updates that keep failing to install for some reason. I've also tried the "patches" that are supposed to fix the common svchost.exe usage problem (WindowsXP-KB927891-v3-x86-ENU and windowsupdateagent30-x86), but I get an error message telling me they're unnecessary because my current SP is more recent.

    The main issue at this point is frequent freezes, seemingly coinciding with svchost.exe using the majority, if not all, of my CPU capacity, usually when I'm using either Firefox or IE. The first thing to freeze up is always the bottom taskbar and Start menu. I can usually still type things in my browser, open desktop folders, etc. for a little while when this happens, but when I drag my cursor over the taskbar I just see an "I-beam" cursor and can't actually select anything like the Start menu, Quick Launch icons, etc. I also cannot open Task Manager (Ctrl+Alt+Del will make it "think" for a bit and then do nothing). After a while I can still see the mouse moving around, but can't do anything on the desktop or in any applications that are open. At this point I just have to manually reboot. Thanks in advance for any help. Here are the requested logs:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:00:24 PM, on 11/9/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\avgemcx.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
    O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
    O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    --
    End of file - 5233 bytes



    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Saleshp530 at 20:07:06 on 2011-11-09
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1143.540 [GMT -5:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: ZoneAlarm Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\avgemcx.exe
    C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZone.dll
    TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
    mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
    mRun: [SetRefresh] c:\program files\compaq\setrefresh\\SetRefresh.exe
    mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    Trusted Zone: microsoft.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{EAA6C7BB-2F30-4C1A-8CCE-FC10E8EA2088} : DhcpNameServer = 192.168.1.1
    Notify: igfxcui - igfxsrvc.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\saleshp530\application data\mozilla\firefox\profiles\h5b72xtp.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Security Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=2&q=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-11-5 532224]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
    R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-2-15 26872]
    R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-2-15 488952]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
    .
    =============== Created Last 30 ================
    .
    2011-11-10 00:56:12 388096 ----a-r- c:\documents and settings\saleshp530\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2011-11-10 00:56:12 -------- d-----w- c:\program files\Trend Micro
    2011-11-09 01:36:31 -------- d--h--w- C:\$AVG
    2011-11-07 01:31:38 -------- d-----w- c:\windows\system32\NtmsData
    2011-11-06 22:57:20 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-11-06 22:19:18 -------- d-----w- c:\program files\CCleaner
    2011-11-06 17:18:30 -------- d-----w- c:\windows\ie8updates
    2011-11-06 15:00:27 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
    2011-11-06 14:59:20 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
    2011-11-06 14:59:16 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
    2011-11-06 14:57:52 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
    2011-11-06 14:57:23 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2011-11-06 14:57:05 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2011-11-06 14:57:04 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-11-06 14:57:03 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-11-06 14:57:02 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-11-06 14:57:02 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-11-06 14:57:01 2000384 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2011-11-06 14:53:53 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
    2011-11-06 14:53:29 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    2011-11-06 04:46:20 -------- d-----w- c:\windows\pss
    2011-11-06 04:01:48 -------- d-----w- c:\documents and settings\saleshp530\local settings\application data\Adobe
    2011-11-06 00:20:25 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-06 00:11:54 -------- d-----w- c:\windows\system32\appmgmt
    2011-11-05 18:46:24 -------- d-----w- C:\Shaun
    2011-11-05 18:03:38 -------- d-----w- c:\windows\system32\scripting
    2011-11-05 18:03:38 -------- d-----w- c:\windows\l2schemas
    2011-11-05 18:03:37 -------- d-----w- c:\windows\system32\en
    2011-11-05 18:03:36 -------- d-----w- c:\windows\system32\bits
    2011-11-05 17:50:55 -------- d-----w- c:\windows\network diagnostic
    2011-11-05 17:30:42 -------- d-----w- c:\documents and settings\saleshp530\application data\CheckPoint
    2011-11-05 17:30:11 0 ------w- c:\windows\system32\ConduitEngine.tmp
    2011-11-05 17:30:11 -------- d-----w- c:\documents and settings\saleshp530\local settings\application data\ZoneAlarm_Security
    2011-11-05 17:30:09 -------- d-----w- c:\documents and settings\saleshp530\local settings\application data\Temp
    2011-11-05 17:30:09 -------- d-----w- c:\documents and settings\saleshp530\local settings\application data\Conduit
    2011-11-05 17:30:08 -------- d-----w- c:\program files\ZoneAlarm_Security
    2011-11-05 17:29:49 -------- d-----w- c:\program files\CheckPoint
    2011-11-05 17:29:26 1238528 ----a-w- c:\windows\system32\zpeng25.dll
    2011-11-05 17:29:26 -------- d-----w- c:\windows\system32\ZoneLabs
    2011-11-05 17:24:43 -------- d-----w- c:\program files\Zone Labs
    2011-11-05 17:23:14 -------- d-----w- c:\windows\Internet Logs
    2011-11-05 16:35:05 -------- d-----w- c:\documents and settings\saleshp530\local settings\application data\Mozilla
    2011-11-05 16:24:31 -------- d-----w- c:\documents and settings\saleshp530\application data\AVG2012
    2011-11-05 16:22:54 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2011-11-05 16:22:51 221184 ------w- c:\windows\system32\wmpns.dll
    2011-11-05 16:22:05 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
    2011-11-05 16:21:22 -------- d-----w- c:\program files\AVG
    2011-11-05 16:19:02 -------- d-----w- c:\windows\ServicePackFiles
    2011-11-05 16:17:21 21504 ------w- c:\windows\system32\drivers\hidserv.dll
    2011-11-05 16:16:09 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-11-05 16:00:22 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
    2011-11-05 15:47:49 -------- d-----w- c:\documents and settings\saleshp530\application data\OpenOffice.org
    2011-11-05 15:45:59 2027008 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2011-11-05 15:45:17 -------- d-----w- c:\program files\OpenOffice.org 3
    2011-11-05 15:44:56 73728 ------w- c:\windows\system32\javacpl.cpl
    2011-11-05 15:44:56 472808 ------w- c:\windows\system32\deployJava1.dll
    2011-11-05 15:43:57 5120 ------w- c:\windows\system32\xpsp4res.dll
    2011-11-05 15:43:57 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
    2011-11-05 15:43:24 456320 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-11-05 15:43:19 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
    2011-11-05 15:43:16 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
    2011-11-05 15:42:51 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
    2011-11-05 15:42:51 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
    2011-11-05 15:42:04 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
    2011-11-05 15:34:05 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
    2011-11-05 15:32:39 -------- d-sh--w- c:\documents and settings\saleshp530\PrivacIE
    2011-11-05 15:31:23 -------- d-sh--w- c:\documents and settings\saleshp530\IETldCache
    2011-11-05 15:29:35 -------- dc-h--w- c:\windows\ie8
    2011-11-05 15:21:03 -------- d-----w- c:\windows\system32\PreInstall
    2011-11-05 15:21:02 26144 ------w- c:\windows\system32\spupdsvc.exe
    2011-11-05 15:21:01 -------- d--h--w- c:\windows\$hf_mig$
    2011-11-05 15:06:53 -------- d-sh--w- c:\documents and settings\saleshp530\UserData
    2011-11-05 15:06:32 -------- d-----w- c:\windows\system32\SoftwareDistribution
    2011-11-05 14:55:00 12160 -c----w- c:\windows\system32\dllcache\mouhid.sys
    2011-11-05 14:55:00 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
    2011-11-05 14:54:57 21504 ----a-w- c:\windows\system32\hidserv.dll
    2011-11-05 14:54:53 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
    .
    ==================== Find3M ====================
    .
    2011-10-07 10:23:48 230608 ------w- c:\windows\system32\drivers\avgldx86.sys
    2011-10-04 10:21:42 16720 ------w- c:\windows\system32\drivers\AVGIDSShim.sys
    2011-09-26 16:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-13 10:30:10 32592 ------w- c:\windows\system32\drivers\avgrkx86.sys
    2011-09-07 16:20:06 44 ------w- c:\windows\system32\msssc.dll
    2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56:39 385024 ------w- c:\windows\system32\html.iec
    2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD400BB-60JKA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8764349F]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8764a728]; MOV EAX, [0x8764a89c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x87F84AB8]
    3 CLASSPNP[0xBA0E8FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000005c[0x87FE15E0]
    5 ACPI[0xBA05F620] -> nt!IofCallDriver[0x804E37D5] -> [0x87F5B940]
    \Driver\atapi[0x87C819B0] -> IRP_MJ_CREATE -> 0x8764349F
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x876432C6
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 20:09:05.18 ===============



    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-11-09 20:15:11
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-60JKA0 rev.05.01C05
    Running: n46x38k8.exe; Driver: C:\DOCUME~1\SALESH~1\LOCALS~1\Temp\kwayrfow.sys

    ---- Disk sectors - GMER 1.0.15 ----
    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
    ---- Devices - GMER 1.0.15 ----
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 876432C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 876432C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 876432C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 876432C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 876432C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-12 876432C6
    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    ---- EOF - GMER 1.0.15 ----
     


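The DDS and GMER output in the post above is the part of this thread worth reading closely: the disk I/O trace ends in a module the detector cannot name (`>>UNKNOWN [0x8764349F]<<`), atapi's DriverStartIo and IRP_MJ_CREATE entry points are redirected to addresses in that same region, and GMER reports foreign code in sector 0 even though the detector's own read of the MBR came back "OK". The Python script below is an added example, not a tool from the thread or from the DDS/GMER authors. It parses those line formats (taken from the logs above) into a list of indicators and applies a verdict. The regex names, result fields, verdict strings and the two embedded samples (the infected one assembled from the posted lines, the clean one constructed as a counterpart) are this example's own.

```python
"""Triage the rootkit-detector sections of DDS and GMER logs (added example, not a
tool from the thread). Line formats come from the logs above; field names and the
verdict strings are this example's own."""
import re
from collections import defaultdict

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")   # unattributed module in the disk trace
# Hook lines (DDS DriverStartIo, DDS IRP dispatch, GMER per-device DriverStartIo):
# group 1 is always the driver, group 2 the hook target address.
DDS_STARTIO_RE = re.compile(r"^\\Driver\\(\w+) DriverStartIo -> (0x[0-9A-Fa-f]+)\s*$")
DDS_IRP_RE = re.compile(r"^\\Driver\\(\w+)\[0x[0-9A-Fa-f]+\] -> IRP_MJ_\w+ -> (0x[0-9A-Fa-f]+)\s*$")
GMER_STARTIO_RE = re.compile(r"^Device \\Driver\\(\w+) -> DriverStartIo \S+ ([0-9A-Fa-f]{8})\s*$")
MBR_CODE_RE = re.compile(r"^Disk \\Device\\Harddisk\d+\\DR\d+ \S+ code has been found")
SECTOR_RE = re.compile(r"^Disk \\Device\\Harddisk\d+\\DR\d+ sector (\d+): (.*)$")
WARNING_RE = re.compile(r"^Warning: possible (\S+) rootkit infection")
MBR_OK_RE = re.compile(r"^user & kernel MBR OK")


def norm_addr(hexdigits):
    """'876432C6' / '0x876432c6' -> '0x876432C6', so both tools' formats compare equal."""
    digits = hexdigits[2:] if hexdigits[:2].lower() == "0x" else hexdigits
    return "0x" + digits.upper()


def triage(log_text):
    """Collect the indicators an analyst looks for and return them with a one-line verdict."""
    unknown, sectors, warnings = [], [], []
    hooks = defaultdict(set)            # driver name -> hook target addresses
    mbr_code_found = mbr_reported_ok = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := UNKNOWN_RE.search(line):
            unknown.append(norm_addr(m.group(1)))
        elif m := (DDS_STARTIO_RE.match(line) or DDS_IRP_RE.match(line) or GMER_STARTIO_RE.match(line)):
            hooks[m.group(1)].add(norm_addr(m.group(2)))
        elif MBR_CODE_RE.match(line):
            mbr_code_found = True
        elif m := SECTOR_RE.match(line):
            sectors.append((int(m.group(1)), m.group(2).strip()))
        elif m := WARNING_RE.match(line):
            warnings.append(m.group(1))
        elif MBR_OK_RE.match(line):
            mbr_reported_ok = True

    # Strongest single indicator: a hook whose target is an UNKNOWN address, i.e. the
    # disk I/O path now runs through code that belongs to no loaded driver image.
    corroborated = sorted(a for addrs in hooks.values() for a in addrs if a in unknown)

    indicators = []
    if mbr_code_found:
        indicators.append("foreign code found in the MBR")
    if any("rootkit" in comment for _, comment in sectors):
        indicators.append("rootkit-like behaviour reported for sector 0")
    if corroborated:
        indicators.append("hook target(s) in unattributed memory: " + ", ".join(corroborated))
    for driver, addrs in sorted(hooks.items()):
        indicators.append(f"{driver} hooked at " + ", ".join(sorted(addrs)))
    if warnings:
        indicators.append("detector warning: " + ", ".join(warnings))

    # "user & kernel MBR OK" is deliberately NOT exculpatory: that read went through the
    # same, possibly hooked, disk path, which is exactly what an MBR bootkit filters.
    verdict = "MBR rootkit indicators present" if indicators else "no MBR rootkit indicators in this output"
    return {"unknown_addresses": unknown, "hooks": {d: set(a) for d, a in hooks.items()},
            "sectors": sectors, "warnings": warnings, "mbr_code_found": mbr_code_found,
            "mbr_reported_ok": mbr_reported_ok, "corroborated": corroborated,
            "indicators": indicators, "verdict": verdict}


# Constructed sample: the relevant lines from the DDS and GMER output posted above.
SAMPLE_INFECTED = r"""
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8764349F]<<
\Driver\atapi[0x87C819B0] -> IRP_MJ_CREATE -> 0x8764349F
detected hooks:
\Driver\atapi DriverStartIo -> 0x876432C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 876432C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 876432C6
"""

# Constructed clean counterpart: every module in the disk path is attributed, no hooks.
SAMPLE_CLEAN = r"""
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
detected hooks:
user & kernel MBR OK
"""

if __name__ == "__main__":
    for name, text in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        result = triage(text)
        print(f"[{name}] {result['verdict']}", *result["indicators"], sep="\n   - ")
```

Run it directly to print both verdicts with their indicator lists. The asymmetry is intentional: "user & kernel MBR OK" only counts when nothing else was found, because that read is serviced by the same hooked atapi path the bootkit controls, which is why the thread goes on to run a dedicated remover (TDSSKiller) instead of treating the "OK" as a clean bill of health.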
  2. Actuarial (Thread Starter)
  3. Actuarial (Thread Starter)
  4. Cookiegal (Administrator, Malware Specialist Coordinator)
  5. Actuarial (Thread Starter)
    Hi Cookiegal, I ran it, and it cured 1 item... then it told me to reboot, but I wasn't sure if it was done running before it rebooted, so I ran it again after the reboot, and it found nothing wrong. I'm assuming the log you want to see is the HijackThis log, so it's pasted below. Thanks.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:08:39 PM, on 11/12/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\avgemcx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
    O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Installer] "C:\Program Files\CheckPoint\Install\Launcher.exe" "C:\Program Files\CheckPoint\Install\Install.exe" /r download /c "C:\Program Files\CheckPoint\Install\Install.xml" /l /w
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    --
    End of file - 4516 bytes
     
  6. Cookiegal (Administrator, Malware Specialist Coordinator)
    No, it's the TDSSKiller log I wanted to see. It should be at C:\TDSSKiller.**********log.txt (the stars represent the version number and date). Please post that log.
     
  7. Actuarial (Thread Starter)
    Oh sorry, I didn't see a log pop up on the screen or get saved to my desktop (where the application was saved), so I didn't realize it created one. Here's the log from the first run (with the cure). Thanks.

    18:51:30.0031 3896 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
    18:51:30.0171 3896 ============================================================
    18:51:30.0171 3896 Current date / time: 2011/11/12 18:51:30.0171
    18:51:30.0171 3896 SystemInfo:
    18:51:30.0171 3896
    18:51:30.0171 3896 OS Version: 5.1.2600 ServicePack: 3.0
    18:51:30.0171 3896 Product type: Workstation
    18:51:30.0171 3896 ComputerName: SALES530-0AEDD9
    18:51:30.0171 3896 UserName: Saleshp530
    18:51:30.0171 3896 Windows directory: C:\WINDOWS
    18:51:30.0171 3896 System windows directory: C:\WINDOWS
    18:51:30.0171 3896 Processor architecture: Intel x86
    18:51:30.0171 3896 Number of processors: 1
    18:51:30.0171 3896 Page size: 0x1000
    18:51:30.0171 3896 Boot type: Normal boot
    18:51:30.0171 3896 ============================================================
    18:51:35.0468 3896 Initialize success
    18:52:16.0453 3316 ============================================================
    18:52:16.0453 3316 Scan started
    18:52:16.0453 3316 Mode: Manual;
    18:52:16.0453 3316 ============================================================
    18:52:36.0343 3316 MBR (0x1B8) (b0b17de2470979f6aa7d36e451109b01) \Device\Harddisk0\DR0
    18:52:36.0343 3316 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
    18:52:36.0343 3316 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
    18:52:36.0343 3316 Boot (0x1200) (17773c5b0d92ef2130d8e0b17345be53) \Device\Harddisk0\DR0\Partition0
    18:52:36.0343 3316 \Device\Harddisk0\DR0\Partition0 - ok
    18:52:36.0343 3316 ============================================================
    18:52:36.0343 3316 Scan finished
    18:52:36.0343 3316 ============================================================
    18:52:36.0375 1768 Detected object count: 1
    18:52:36.0375 1768 Actual detected object count: 1
    18:52:51.0796 1768 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    18:52:51.0796 1768 \Device\Harddisk0\DR0 - ok
    18:52:51.0796 1768 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
    18:53:00.0468 3764 Deinitialize success
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,889
    First Name:
    Karen
    Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving ComboFix.exe, I would like you to rename it to puppy.exe, please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     
  9. Actuarial

    Actuarial Thread Starter

    Joined:
    Nov 9, 2011
    Messages:
    40
    Not sure if this matters, but the method I used for disabling AVG was as stated in their linked page (http://www.bleepingcomputer.com/forums/topic114351.html), so it was just a 15 minute temporary disable. I guess it re-activated during the Combofix run because an AVG "threat" alert window popped up warning about a process named "CF5992.3XE." I didn't vault it, so maybe it didn't mess up the Combofix run. Anyway, here are the 2 logs:

    Combofix:

    ComboFix 11-11-12.04 - Saleshp530 11/12/2011 22:49:37.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1143.807 [GMT -5:00]
    Running from: c:\documents and settings\Saleshp530\Desktop\puppy.exe
    AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\msssc.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    2011-03-28 16:22 176936 ------w- c:\program files\ZoneAlarm_Security\prxtbZone.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZone.dll" [2011-03-28 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
    "DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
    "SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-20 525824]
    "AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-10-25 2415456]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2011-06-06 16:55 937920 ------w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
    "c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 12:14 AM 23120]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 5:30 AM 32592]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 5:23 AM 230608]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 12:14 AM 295248]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 5:09 AM 192776]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 12:14 AM 134608]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 12:14 AM 24272]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 5:21 AM 16720]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - 89317684
    *Deregistered* - 89317684
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    Trusted Zone: microsoft.com
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Saleshp530\Application Data\Mozilla\Firefox\Profiles\h5b72xtp.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Security Customized Web Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=2&q=
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-ZoneAlarm Installer - c:\program files\CheckPoint\Install\Launcher.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-12 23:00
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1052)
    c:\windows\system32\igfxsrvc.dll
    c:\windows\system32\hccutils.DLL
    .
    Completion time: 2011-11-12 23:12:19
    ComboFix-quarantined-files.txt 2011-11-13 04:12
    .
    Pre-Run: 29,572,001,792 bytes free
    Post-Run: 30,634,790,912 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 0E834832EE18525EF6CFB82AC2EDC36C
    __________________________________________________________________________



    Hijackthis:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:21:00 PM, on 11/12/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    C:\Program Files\AVG\AVG2012\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG2012\avgemcx.exe
    C:\Program Files\AVG\AVG2012\avgnsx.exe
    C:\Program Files\AVG\AVG2012\avgrsx.exe
    C:\Program Files\AVG\AVG2012\avgcsrvx.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZone.dll
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\COMPAQ\SetRefresh\\SetRefresh.exe
    O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    --
    End of file - 4328 bytes
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,889
    First Name:
    Karen
    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
  11. Actuarial

    Actuarial Thread Starter

    Joined:
    Nov 9, 2011
    Messages:
    40
    I just had a barrage of attacks, with warning windows repeatedly popping up from AVG and something else called "Privacy Protection" or something like that, which I'd never heard of but it uses the Windows security shield as its icon. Anyway, I checked back here after getting through the warnings and just ran the MBAM scan. Here's the log. Thanks again.


    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org
    Database version: 8154
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    11/13/2011 3:49:45 PM
    mbam-log-2011-11-13 (15-49-45).txt
    Scan type: Quick scan
    Objects scanned: 187398
    Time elapsed: 9 minute(s), 15 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent.Gen) -> Value: Shell -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    c:\WINDOWS\system32\drivers\cdrom.sys (Trojan.Patched) -> Quarantined and deleted successfully.
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,889
    First Name:
    Karen
  13. Actuarial

    Actuarial Thread Starter

    Joined:
    Nov 9, 2011
    Messages:
    40
    I still have TDSSKiller installed from the earlier run... is it OK to just run that, or do I need a reinstall?
     
  14. Actuarial

    Actuarial Thread Starter

    Joined:
    Nov 9, 2011
    Messages:
    40
    I just ran the application installed earlier. Please let me know if I should reinstall & run again (maybe there are updates?). Here's the log:


    16:43:01.0390 2420 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
    16:43:01.0546 2420 ============================================================
    16:43:01.0546 2420 Current date / time: 2011/11/13 16:43:01.0546
    16:43:01.0546 2420 SystemInfo:
    16:43:01.0546 2420
    16:43:01.0546 2420 OS Version: 5.1.2600 ServicePack: 3.0
    16:43:01.0546 2420 Product type: Workstation
    16:43:01.0546 2420 ComputerName: SALES530-0AEDD9
    16:43:01.0546 2420 UserName: Saleshp530
    16:43:01.0546 2420 Windows directory: C:\WINDOWS
    16:43:01.0546 2420 System windows directory: C:\WINDOWS
    16:43:01.0546 2420 Processor architecture: Intel x86
    16:43:01.0546 2420 Number of processors: 1
    16:43:01.0546 2420 Page size: 0x1000
    16:43:01.0546 2420 Boot type: Normal boot
    16:43:01.0546 2420 ============================================================
    16:43:02.0640 2420 Initialize success
    16:43:09.0125 2132 ============================================================
    16:43:09.0125 2132 Scan started
    16:43:09.0125 2132 Mode: Manual;
    16:43:09.0125 2132 ============================================================
    16:43:10.0421 2132 Abiosdsk - ok
    16:43:10.0453 2132 abp480n5 - ok
    16:43:10.0500 2132 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    16:43:10.0500 2132 ACPI - ok
    16:43:10.0671 2132 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    16:43:10.0671 2132 ACPIEC - ok
    16:43:10.0703 2132 adpu160m - ok
    16:43:10.0875 2132 aeaudio (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
    16:43:10.0875 2132 aeaudio - ok
    16:43:11.0031 2132 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    16:43:11.0031 2132 aec - ok
    16:43:11.0203 2132 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
    16:43:11.0203 2132 AFD - ok
    16:43:11.0296 2132 Aha154x - ok
    16:43:11.0343 2132 aic78u2 - ok
    16:43:11.0484 2132 aic78xx - ok
    16:43:11.0531 2132 AliIde - ok
    16:43:11.0593 2132 amsint - ok
    16:43:11.0609 2132 asc - ok
    16:43:11.0640 2132 asc3350p - ok
    16:43:11.0656 2132 asc3550 - ok
    16:43:11.0703 2132 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    16:43:11.0703 2132 AsyncMac - ok
    16:43:11.0875 2132 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    16:43:11.0875 2132 atapi - ok
    16:43:12.0000 2132 Atdisk - ok
    16:43:12.0062 2132 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    16:43:12.0062 2132 Atmarpc - ok
    16:43:12.0218 2132 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    16:43:12.0234 2132 audstub - ok
    16:43:12.0296 2132 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
    16:43:12.0296 2132 AVGIDSDriver - ok
    16:43:12.0453 2132 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
    16:43:12.0468 2132 AVGIDSEH - ok
    16:43:12.0562 2132 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
    16:43:12.0562 2132 AVGIDSFilter - ok
    16:43:12.0656 2132 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
    16:43:12.0656 2132 AVGIDSShim - ok
    16:43:12.0828 2132 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
    16:43:12.0843 2132 Avgldx86 - ok
    16:43:13.0015 2132 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
    16:43:13.0015 2132 Avgmfx86 - ok
    16:43:13.0078 2132 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
    16:43:13.0078 2132 Avgrkx86 - ok
    16:43:13.0250 2132 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
    16:43:13.0281 2132 Avgtdix - ok
    16:43:13.0453 2132 b57w2k (5175e788bcd1cb7345ab21f3e14369d2) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    16:43:13.0468 2132 b57w2k - ok
    16:43:13.0640 2132 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    16:43:13.0640 2132 Beep - ok
    16:43:13.0750 2132 Blfp (9b53d428de0a2566a03499d7aa48dec4) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
    16:43:13.0765 2132 Blfp - ok
    16:43:13.0859 2132 catchme - ok
    16:43:14.0000 2132 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    16:43:14.0015 2132 cbidf2k - ok
    16:43:14.0046 2132 cd20xrnt - ok
    16:43:14.0203 2132 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    16:43:14.0203 2132 Cdaudio - ok
    16:43:14.0359 2132 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    16:43:14.0359 2132 Cdfs - ok
    16:43:14.0390 2132 Cdrom - ok
    16:43:14.0515 2132 Changer - ok
    16:43:14.0562 2132 CmdIde - ok
    16:43:14.0593 2132 Cpqarray - ok
    16:43:14.0640 2132 dac2w2k - ok
    16:43:14.0656 2132 dac960nt - ok
    16:43:14.0718 2132 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    16:43:14.0718 2132 Disk - ok
    16:43:14.0890 2132 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    16:43:14.0921 2132 dmboot - ok
    16:43:15.0078 2132 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    16:43:15.0078 2132 dmio - ok
    16:43:15.0250 2132 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    16:43:15.0250 2132 dmload - ok
    16:43:15.0312 2132 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    16:43:15.0312 2132 DMusic - ok
    16:43:15.0437 2132 dpti2o - ok
    16:43:15.0484 2132 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    16:43:15.0484 2132 drmkaud - ok
    16:43:15.0656 2132 E1000 (3044851b3c5286a908a6a4d1166328aa) C:\WINDOWS\system32\DRIVERS\e1000325.sys
    16:43:15.0656 2132 E1000 - ok
    16:43:15.0750 2132 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    16:43:15.0750 2132 Fastfat - ok
    16:43:15.0906 2132 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    16:43:15.0906 2132 Fdc - ok
    16:43:15.0937 2132 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    16:43:15.0937 2132 Fips - ok
    16:43:16.0093 2132 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    16:43:16.0093 2132 Flpydisk - ok
    16:43:16.0140 2132 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    16:43:16.0140 2132 FltMgr - ok
    16:43:16.0296 2132 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    16:43:16.0296 2132 Fs_Rec - ok
    16:43:16.0328 2132 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    16:43:16.0328 2132 Ftdisk - ok
    16:43:16.0484 2132 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    16:43:16.0484 2132 Gpc - ok
    16:43:16.0562 2132 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    16:43:16.0562 2132 HidUsb - ok
    16:43:16.0703 2132 hpn - ok
    16:43:16.0750 2132 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    16:43:16.0781 2132 HTTP - ok
    16:43:16.0937 2132 i2omgmt - ok
    16:43:16.0953 2132 i2omp - ok
    16:43:17.0015 2132 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    16:43:17.0015 2132 i8042prt - ok
    16:43:17.0171 2132 ialm (1406d6ef4436aee970efe13193123965) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    16:43:17.0171 2132 ialm - ok
    16:43:17.0234 2132 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    16:43:17.0234 2132 Imapi - ok
    16:43:17.0421 2132 ini910u - ok
    16:43:17.0609 2132 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    16:43:17.0609 2132 IntelIde - ok
    16:43:17.0687 2132 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    16:43:17.0703 2132 intelppm - ok
    16:43:17.0859 2132 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    16:43:17.0859 2132 Ip6Fw - ok
    16:43:17.0968 2132 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    16:43:17.0984 2132 IpFilterDriver - ok
    16:43:18.0062 2132 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    16:43:18.0062 2132 IpInIp - ok
    16:43:18.0171 2132 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    16:43:18.0171 2132 IpNat - ok
    16:43:18.0250 2132 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    16:43:18.0265 2132 IPSec - ok
    16:43:18.0421 2132 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    16:43:18.0437 2132 IRENUM - ok
    16:43:18.0484 2132 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    16:43:18.0484 2132 isapnp - ok
    16:43:18.0640 2132 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    16:43:18.0640 2132 Kbdclass - ok
    16:43:18.0718 2132 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    16:43:18.0718 2132 kmixer - ok
    16:43:18.0859 2132 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    16:43:18.0859 2132 KSecDD - ok
    16:43:18.0984 2132 lbrtfdc - ok
    16:43:19.0062 2132 MBAMSwissArmy - ok
    16:43:19.0234 2132 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    16:43:19.0234 2132 mnmdd - ok
    16:43:19.0296 2132 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    16:43:19.0296 2132 Modem - ok
    16:43:19.0437 2132 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    16:43:19.0437 2132 Mouclass - ok
    16:43:19.0546 2132 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    16:43:19.0546 2132 mouhid - ok
    16:43:19.0625 2132 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    16:43:19.0625 2132 MountMgr - ok
    16:43:19.0734 2132 mraid35x - ok
    16:43:19.0812 2132 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    16:43:19.0828 2132 MRxDAV - ok
    16:43:20.0000 2132 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    16:43:20.0015 2132 MRxSmb - ok
    16:43:20.0171 2132 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    16:43:20.0171 2132 Msfs - ok
    16:43:20.0250 2132 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    16:43:20.0250 2132 MSKSSRV - ok
    16:43:20.0390 2132 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    16:43:20.0390 2132 MSPCLOCK - ok
    16:43:20.0437 2132 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    16:43:20.0453 2132 MSPQM - ok
    16:43:20.0593 2132 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    16:43:20.0593 2132 mssmbios - ok
    16:43:20.0765 2132 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    16:43:20.0765 2132 Mup - ok
    16:43:20.0921 2132 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    16:43:20.0937 2132 NDIS - ok
    16:43:21.0078 2132 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    16:43:21.0078 2132 NdisTapi - ok
    16:43:21.0125 2132 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    16:43:21.0140 2132 Ndisuio - ok
    16:43:21.0296 2132 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    16:43:21.0296 2132 NdisWan - ok
    16:43:21.0453 2132 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    16:43:21.0453 2132 NDProxy - ok
    16:43:21.0531 2132 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    16:43:21.0531 2132 NetBIOS - ok
    16:43:21.0703 2132 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    16:43:21.0703 2132 NetBT - ok
    16:43:21.0906 2132 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    16:43:21.0906 2132 Npfs - ok
    16:43:21.0953 2132 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    16:43:21.0984 2132 Ntfs - ok
    16:43:22.0140 2132 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
    16:43:22.0156 2132 NuidFltr - ok
    16:43:22.0203 2132 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    16:43:22.0203 2132 Null - ok
    16:43:22.0375 2132 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    16:43:22.0375 2132 NwlnkFlt - ok
    16:43:22.0421 2132 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    16:43:22.0421 2132 NwlnkFwd - ok
    16:43:22.0593 2132 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    16:43:22.0593 2132 Parport - ok
    16:43:22.0687 2132 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    16:43:22.0703 2132 PartMgr - ok
    16:43:22.0781 2132 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    16:43:22.0781 2132 ParVdm - ok
    16:43:22.0906 2132 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    16:43:22.0921 2132 PCI - ok
    16:43:22.0968 2132 PCIDump - ok
    16:43:23.0140 2132 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    16:43:23.0140 2132 PCIIde - ok
    16:43:23.0203 2132 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    16:43:23.0203 2132 Pcmcia - ok
    16:43:23.0312 2132 PDCOMP - ok
    16:43:23.0375 2132 PDFRAME - ok
    16:43:23.0390 2132 PDRELI - ok
    16:43:23.0406 2132 PDRFRAME - ok
    16:43:23.0421 2132 perc2 - ok
    16:43:23.0453 2132 perc2hib - ok
    16:43:23.0531 2132 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    16:43:23.0531 2132 PptpMiniport - ok
    16:43:23.0656 2132 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    16:43:23.0656 2132 PSched - ok
    16:43:23.0781 2132 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    16:43:23.0781 2132 Ptilink - ok
    16:43:23.0859 2132 ql1080 - ok
    16:43:23.0984 2132 Ql10wnt - ok
    16:43:24.0031 2132 ql12160 - ok
    16:43:24.0046 2132 ql1240 - ok
    16:43:24.0062 2132 ql1280 - ok
    16:43:24.0109 2132 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    16:43:24.0125 2132 RasAcd - ok
    16:43:24.0281 2132 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    16:43:24.0281 2132 Rasl2tp - ok
    16:43:24.0359 2132 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    16:43:24.0359 2132 RasPppoe - ok
    16:43:24.0484 2132 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    16:43:24.0484 2132 Raspti - ok
    16:43:24.0609 2132 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    16:43:24.0609 2132 Rdbss - ok
    16:43:24.0703 2132 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    16:43:24.0703 2132 RDPCDD - ok
    16:43:24.0875 2132 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    16:43:24.0906 2132 rdpdr - ok
    16:43:25.0000 2132 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    16:43:25.0000 2132 RDPWD - ok
    16:43:25.0156 2132 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    16:43:25.0156 2132 redbook - ok
    16:43:25.0359 2132 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    16:43:25.0359 2132 Secdrv - ok
    16:43:25.0515 2132 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    16:43:25.0515 2132 serenum - ok
    16:43:25.0640 2132 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    16:43:25.0640 2132 Serial - ok
    16:43:25.0765 2132 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    16:43:25.0765 2132 Sfloppy - ok
    16:43:25.0921 2132 Simbad - ok
    16:43:26.0000 2132 smwdm (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys
    16:43:26.0031 2132 smwdm - ok
    16:43:26.0171 2132 Sparrow - ok
    16:43:26.0234 2132 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    16:43:26.0234 2132 splitter - ok
    16:43:26.0390 2132 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    16:43:26.0390 2132 sr - ok
    16:43:26.0468 2132 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    16:43:26.0500 2132 Srv - ok
    16:43:26.0625 2132 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    16:43:26.0625 2132 swenum - ok
    16:43:26.0687 2132 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    16:43:26.0687 2132 swmidi - ok
    16:43:26.0796 2132 symc810 - ok
    16:43:26.0812 2132 symc8xx - ok
    16:43:26.0843 2132 sym_hi - ok
    16:43:26.0859 2132 sym_u3 - ok
    16:43:26.0890 2132 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    16:43:26.0890 2132 sysaudio - ok
    16:43:26.0984 2132 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    16:43:27.0000 2132 Tcpip - ok
    16:43:27.0156 2132 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    16:43:27.0156 2132 TDPIPE - ok
    16:43:27.0218 2132 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    16:43:27.0218 2132 TDTCP - ok
    16:43:27.0359 2132 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    16:43:27.0359 2132 TermDD - ok
    16:43:27.0437 2132 TosIde - ok
    16:43:27.0593 2132 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    16:43:27.0593 2132 Udfs - ok
    16:43:27.0687 2132 ultra - ok
    16:43:27.0765 2132 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    16:43:27.0781 2132 Update - ok
    16:43:27.0953 2132 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    16:43:27.0953 2132 usbehci - ok
    16:43:28.0031 2132 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    16:43:28.0031 2132 usbhub - ok
    16:43:28.0187 2132 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    16:43:28.0187 2132 USBSTOR - ok
    16:43:28.0234 2132 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    16:43:28.0234 2132 usbuhci - ok
    16:43:28.0390 2132 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    16:43:28.0390 2132 VgaSave - ok
    16:43:28.0484 2132 ViaIde - ok
    16:43:28.0593 2132 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    16:43:28.0593 2132 VolSnap - ok
    16:43:28.0734 2132 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    16:43:28.0750 2132 Wanarp - ok
    16:43:28.0812 2132 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    16:43:28.0828 2132 Wdf01000 - ok
    16:43:28.0953 2132 WDICA - ok
    16:43:29.0015 2132 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    16:43:29.0015 2132 wdmaud - ok
    16:43:29.0296 2132 {6080A529-897E-4629-A488-ABA0C29B635E} (fd1f4e9cf06c71c8d73a24acf18d8296) C:\WINDOWS\system32\drivers\ialmsbw.sys
    16:43:29.0296 2132 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
    16:43:29.0468 2132 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d4d7331d33d1fa73e588e5ce0d90a4c1) C:\WINDOWS\system32\drivers\ialmkchw.sys
    16:43:29.0468 2132 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
    16:43:29.0500 2132 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    16:43:29.0640 2132 \Device\Harddisk0\DR0 - ok
    16:43:29.0656 2132 Boot (0x1200) (17773c5b0d92ef2130d8e0b17345be53) \Device\Harddisk0\DR0\Partition0
    16:43:29.0656 2132 \Device\Harddisk0\DR0\Partition0 - ok
    16:43:29.0656 2132 ============================================================
    16:43:29.0656 2132 Scan finished
    16:43:29.0656 2132 ============================================================
    16:43:29.0687 0576 Detected object count: 0
    16:43:29.0687 0576 Actual detected object count: 0
    16:43:42.0296 2416 Deinitialize success
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,889
    First Name:
    Karen
    Please download aswMBR.exe and save it to your desktop.

    Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)

    Click Scan.

    Upon completion of the scan, click Save log then save it to your desktop and post that log in your next reply for review.
    Note - do NOT attempt any Fix yet.
     
Short URL to this thread: https://techguy.org/1026210
