also @ TechSpot: iTunes 11.0.3 delivers revamped MiniPlayer, security fixes

TechSpot

TechSpot News Products Downloads Forums

About
Sign in

Welcome to TechSpot

Why should I register?

Sign up for a new account or log in here:

Forgot your password?

Couldn't sign you in, please try again.

[A] WinXP security 2012 virus: eliminated, but now Windows Update doesn't work

Discussion in 'Virus and Malware Removal' started by Bobbyrae, Jan 13, 2012.

Page 1 of 2

Bobbyrae Newcomer, in training Posts: 22
I looked at other threads here regarding that virus and have followed some of the instructions and have outputs from various scanners...

First, I had to boot into safe mode with a console window, where I could get AVG antivirus to run. That found 8 infections:

Avira AntiVir Personal
Report file date: Thursday, January 12, 2012 19:52

Scanning for 3019400 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Save mode

Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-49426e41
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-24461839
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-6bbb7397
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-74a2f8ff
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-1ad45421
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-6ecff47f
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\59\6b62f07b-6b424f34
[0] Archive type: ZIP
--> morale.class
[DETECTION] Contains recognition pattern of the EXP/2011-3544.AJ exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\60\5abff83c-1ebc27be
[0] Archive type: ZIP
--> xmltree/umbro.class
[DETECTION] Contains recognition pattern of the EXP/2010-0840.AW exploit
Begin scan in 'D:\'
Begin scan in 'E:\'

Then I got back into Windows in a normal mode and was able to run MalwareBytes to find another infection:

Registry Values Detected: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Smad (Trojan.Agent) -> Data: "C:\Documents and Settings\Rion\Local Settings\Application Data\SanctionedMedia\Smad\Smad.exe" -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCR\.exe| (Hijacked.exeFile) -> Bad: (mdaw) Good: (exefile) -> Quarantined and repaired successfully.

Note that the full log files are attached and I am only dumping in the parts about infections.

Then I ran FSS, which didn't give any problems. And Then I finally ran ESET, which oddly did find 3 infections, but they were all in the same temp directory, so I have deleted the named files.

While the system seems to operating just as it did before, there is ONE NOTABLE exception, and that is that Windows Update does not work. It became clear because the problem started with that red shield down in the system tray telling me that I was "at risk", and I am still in that position, but only because update will not work.

I went into the registry and found that the service for WinUpdate had been removed, found the reg entry online and entered it back in there. I also added in some entries for LEGACY_WUAUSERV, but am still at a point where it will not run. I have improved things to the point where Windows THINKS update is set and will not complain, but the service will not actually start. I get the following message:

By bobbyrae at 2012-01-13

Now, I have checked and doubled-checked, and triple-checked the spelling of the strings in the registery and cannot see any problems, so I think there may be another entry that got messed up or perhaps another DLL is involved and got deleted?

Here's what I added:

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv
Class Name: <NO CLASS>
Last Write Time: 1/13/2012 - 11:08 AM
Value 0
Name: DisplayName
Type: REG_SZ
Data: Automatic Update Service
Value 1
Name: ImagePath
Type: REG_EXPAND_SZ
Data: %SystemRoot%\System32\svchost.exe -k netsvcs
Value 2
Name: Description
Type: REG_SZ
Data: Retreives Updates From Microsoft Automatically as needed
Value 3
Name: ObjectName
Type: REG_SZ
Data: LocalSystem
Value 4
Name: ErrorControl
Type: REG_DWORD
Data: 0x1
Value 5
Name: Start
Type: REG_DWORD
Data: 0x2
Value 6
Name: Type
Type: REG_DWORD
Data: 0x20
Value 7
Name: RT_ServiceSidType
Type: REG_DWORD
Data: 0x1
Value 8
Name: PreshutdownTimeout
Type: REG_DWORD
Data: 0x36ee80
Value 9
Name: DelayedAutoStart
Type: REG_DWORD
Data: 0x1

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters
Class Name: <NO CLASS>
Last Write Time: 1/13/2012 - 8:42 AM
Value 0
Name: ServiceDll
Type: REG_SZ
Data: %SYSTEMROOT%\system32\wuauserv.dll

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security
Class Name: <NO CLASS>
Last Write Time: 1/13/2012 - 6:21 AM
Value 0
Name: Security
Type: REG_BINARY
Data:
00000000 01 00 14 80 90 00 00 00 - 9c 00 00 00 14 00 00 00 ................
.....
000000a0 00 00 00 05 12 00 00 00 - ........

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Enum
Class Name: <NO CLASS>
Last Write Time: 1/13/2012 - 11:08 AM
Value 0
Name: 0
Type: REG_SZ
Data: Root\LEGACY_WUAUSERV\0000
Value 1
Name: Count
Type: REG_DWORD
Data: 0x1
Value 2
Name: NextInstance
Type: REG_DWORD
Data: 0x1
Attached Files:
- AVSCAN-20120112.txt
  
  File size:
  
  21.7 KB
  
  Views:
  
  1
- mbam-log-2012-01-12.txt
  
  File size:
  
  2.4 KB
  
  Views:
  
  0
- FSS1.txt
  
  File size:
  
  2.3 KB
  
  Views:
  
  0
- eset.txt
  
  File size:
  
  345 bytes
  
  Views:
  
  0
Bobbyrae, Jan 13, 2012

#1
Bobbyrae Newcomer, in training Posts: 22

forgot to mention...

I also ran RKILL....

It didn't stop any processes.

Bobbyrae, Jan 13, 2012

#2
Broni Malware Annihilator Posts: 39,189 +175
Welcome aboard

Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.

If you're stuck, or you're not sure about certain step, always ask before doing anything else.

Please refrain from running tools or applying updates other than those I suggest.

Never run more than one scan at a time.

Keep updating me regarding your computer behavior, good, or bad.

The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.

If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.

I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
Broni, Jan 13, 2012

#3
Bobbyrae Newcomer, in training Posts: 22

Here are some logs

Avira scan results:

Avira AntiVir Personal
Report file date: Thursday, January 12, 2012 19:52

Scanning for 3019400 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Save mode
Username : Rion
Computer name : RIONXP

Version information:
BUILD.DAT : 9.0.0.429 21701 Bytes 10/6/2010 10:04:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/19/2009 17:07:00
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 19:58:26
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 20:35:50
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 19:58:54
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 17:07:00
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 23:30:20
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 08:08:28
VBASE003.VDF : 7.11.19.171 2048 Bytes 12/20/2011 08:08:28
VBASE004.VDF : 7.11.19.172 2048 Bytes 12/20/2011 08:08:28
VBASE005.VDF : 7.11.19.173 2048 Bytes 12/20/2011 08:08:28
VBASE006.VDF : 7.11.19.174 2048 Bytes 12/20/2011 08:08:28
VBASE007.VDF : 7.11.19.175 2048 Bytes 12/20/2011 08:08:28
VBASE008.VDF : 7.11.19.176 2048 Bytes 12/20/2011 08:08:28
VBASE009.VDF : 7.11.19.177 2048 Bytes 12/20/2011 08:08:30
VBASE010.VDF : 7.11.19.178 2048 Bytes 12/20/2011 08:08:30
VBASE011.VDF : 7.11.19.179 2048 Bytes 12/20/2011 08:08:30
VBASE012.VDF : 7.11.19.180 2048 Bytes 12/20/2011 08:08:30
VBASE013.VDF : 7.11.19.217 182784 Bytes 12/22/2011 08:08:30
VBASE014.VDF : 7.11.19.255 148480 Bytes 12/24/2011 08:08:30
VBASE015.VDF : 7.11.20.29 164352 Bytes 12/27/2011 08:08:32
VBASE016.VDF : 7.11.20.70 180224 Bytes 12/29/2011 08:08:32
VBASE017.VDF : 7.11.20.102 240640 Bytes 1/2/2012 08:08:34
VBASE018.VDF : 7.11.20.103 2048 Bytes 1/2/2012 08:08:34
VBASE019.VDF : 7.11.20.104 2048 Bytes 1/2/2012 08:08:34
VBASE020.VDF : 7.11.20.105 2048 Bytes 1/2/2012 08:08:34
VBASE021.VDF : 7.11.20.106 2048 Bytes 1/2/2012 08:08:34
VBASE022.VDF : 7.11.20.107 2048 Bytes 1/2/2012 08:08:34
VBASE023.VDF : 7.11.20.108 2048 Bytes 1/2/2012 08:08:34
VBASE024.VDF : 7.11.20.109 2048 Bytes 1/2/2012 08:08:34
VBASE025.VDF : 7.11.20.110 2048 Bytes 1/2/2012 08:08:34
VBASE026.VDF : 7.11.20.111 2048 Bytes 1/2/2012 08:08:34
VBASE027.VDF : 7.11.20.112 2048 Bytes 1/2/2012 08:08:34
VBASE028.VDF : 7.11.20.113 2048 Bytes 1/2/2012 08:08:36
VBASE029.VDF : 7.11.20.114 2048 Bytes 1/2/2012 08:08:36
VBASE030.VDF : 7.11.20.115 2048 Bytes 1/2/2012 08:08:36
VBASE031.VDF : 7.11.20.137 157696 Bytes 1/4/2012 08:08:36
Engineversion : 8.2.8.18
AEVDF.DLL : 8.1.2.2 106868 Bytes 1/4/2012 08:08:56
AESCRIPT.DLL : 8.1.3.95 479612 Bytes 1/4/2012 08:08:54
AESCN.DLL : 8.1.7.2 127349 Bytes 1/12/2011 23:30:20
AESBX.DLL : 8.2.4.5 434549 Bytes 1/4/2012 08:08:58
AERDL.DLL : 8.1.9.15 639348 Bytes 9/10/2011 05:52:58
AEPACK.DLL : 8.2.15.1 770423 Bytes 1/4/2012 08:08:52
AEOFFICE.DLL : 8.1.2.25 201084 Bytes 1/4/2012 08:08:48
AEHEUR.DLL : 8.1.3.14 4260216 Bytes 1/4/2012 08:08:46
AEHELP.DLL : 8.1.18.0 254327 Bytes 1/4/2012 08:08:38
AEGEN.DLL : 8.1.5.17 405877 Bytes 1/4/2012 08:08:38
AEEMU.DLL : 8.1.3.0 393589 Bytes 1/12/2011 23:30:20
AECORE.DLL : 8.1.24.3 201079 Bytes 1/4/2012 08:08:36
AEBB.DLL : 8.1.1.0 53618 Bytes 6/20/2010 01:03:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 17:48:00
AVPREF.DLL : 9.0.3.0 44289 Bytes 11/19/2009 17:07:00
AVREP.DLL : 10.0.0.9 174120 Bytes 6/10/2011 15:00:22
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 19:32:10
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/25/2009 00:05:42
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 19:37:10
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/29/2009 00:03:50
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 17:21:34
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 19:32:12
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/16/2009 00:40:00
RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/19/2009 17:07:00

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, E:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: -DIAL,-ADSPY,-ADWARE,-BDC,-HIDDENEXT,-PHISH,

Start of the scan: Thursday, January 12, 2012 19:52

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'cmd.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
11 processes with 11 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!
Master boot sector HD4
[INFO] No virus was found!
Master boot sector HD5
[INFO] No virus was found!
Master boot sector HD6
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '65' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-49426e41
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-24461839
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-6bbb7397
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-74a2f8ff
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-1ad45421
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-6ecff47f
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\59\6b62f07b-6b424f34
[0] Archive type: ZIP
--> morale.class
[DETECTION] Contains recognition pattern of the EXP/2011-3544.AJ exploit
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\60\5abff83c-1ebc27be
[0] Archive type: ZIP
--> xmltree/umbro.class
[DETECTION] Contains recognition pattern of the EXP/2010-0840.AW exploit
Begin scan in 'D:\'
Begin scan in 'E:\'

Beginning disinfection:
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-49426e41
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
[NOTE] The file was moved to '4f71b8fd.qua'!
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-24461839
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
[NOTE] The file was moved to '4e71ac36.qua'!
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-6bbb7397
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
[NOTE] The file was moved to '4cfe0ede.qua'!
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-74a2f8ff
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
[NOTE] The file was moved to '4ce10516.qua'!
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-1ad45421
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
[NOTE] The file was moved to '4ce07d4e.qua'!
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\3\2fb8ab03-6ecff47f
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452.CE exploit
[NOTE] The file was moved to '4ce37586.qua'!
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\59\6b62f07b-6b424f34
[NOTE] The file was moved to '4f45b8f9.qua'!
C:\Documents and Settings\Rion\Application Data\Sun\Java\Deployment\cache\6.0\60\5abff83c-1ebc27be
[NOTE] The file was moved to '4f71b8f8.qua'!

End of the scan: Thursday, January 12, 2012 20:52
Used time: 56:39 Minute(s)

The scan has been done completely.

10996 Scanned directories
437175 Files were scanned
8 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
8 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
437167 Files not concerned
3299 Archives were scanned
0 Warnings
8 Notes

MalwareBytes scan results:

Malwarebytes Anti-Malware (PRO) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.13.01

Windows XP Service Pack 3 x86 FAT32
Internet Explorer 7.0.5730.13
:: RIONXP [administrator]

Protection: Disabled

1/12/2012 8:59:24 PM
mbam-log-2012-01-12 (20-59-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 175641
Time elapsed: 3 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Smad (Trojan.Agent) -> Data: "C:\Documents and Settings\Rion\Local Settings\Application Data\SanctionedMedia\Smad\Smad.exe" -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCR\.exe| (Hijacked.exeFile) -> Bad: (mdaw) Good: (exefile) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

FSS scan results:

Farbar Service Scanner
Ran by Rion (administrator) on 13-01-2012 at 12:21:44
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Security Center:
============

Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Bridge(9) BridgeMP(8) Gpc(3) IPSec(5) Nbf(10) NetBT(6) PSched(7) Tcpip(4)
0x0B000000050000000100000002000000030000000400000056000000060000000700000008000000090000000A000000
IpSec Tag value is correct.

**** End of log ****

RKill results:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/13/2012 at 12:42:01.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

Rkill completed on 01/13/2012 at 12:42:08.

ESET scan results:

C:\Documents and Settings\Rion\Local Settings\temp\mwaexosncr.exe a variant of MSIL/Kryptik.L trojan
C:\Documents and Settings\Rion\Local Settings\temp\0.8668838161782961fdrgs.exe Win32/Adware.XPAntiSpyware.AD application
C:\Documents and Settings\Rion\Local Settings\temp\0.943536852582801golda.exe Win32/Adware.XPAntiSpyware.AD application

I have deleted everything in C:\Documents and Settings\Rion\Local Settings\temp. The only problem right now is that the Update Service will not start. If you can give me a way to start it via command line, that would be great.

Thanks a lot!

Bobbyrae, Jan 18, 2012

#4
Bobbyrae Newcomer, in training Posts: 22

just answered my own question!

Bobbyrae said: ↑

If you can give me a way to start it via command line, that would be great.

Thanks a lot!

I just figured out that it would be

C:> net start wuauserv

but it just gives that same error message about not being able to find the file. I don't know which file because we have already verified that wuauserv.dll is there.

Bobbyrae, Jan 18, 2012

#5

Bobbyrae Newcomer, in training Posts: 22

Gmer, D.D.S.

GMER log file:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-18 01:36:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\adpu160m1Port2Path0Target0Lun0 SEAGATE_ rev.0003
Running: uu6swnwt.exe; Driver: C:\DOCUME~1\Rion\LOCALS~1\Temp\uxtdrpog.sys

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF7728A0C]
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6C84360, 0x24BB1D, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

I ran DDS (twice), but it would not complete. I don't know why. MalwareBytes was turned off and so was the browser and everything else. The Console window opened, it seemed to be working. It said max 3 minutes. I waited over 10 minutes, but still no popups. And it was impossible to kill the process or even shut down the computer at that point, so I had to hit the reset button. I think you should warn folks about this!

Thanks!

Bobbyrae, Jan 18, 2012

#6

Broni Malware Annihilator Posts: 39,189 +175
Do NOT any other scans than those I ask for.

Please refrain from running tools or applying updates other than those I suggest.

================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

===============================================================

Download Bootkit Remover to your Desktop.

Unzip downloaded file to your Desktop.

Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).

It will show a Black screen with some data on it.

Right click on the screen and click Select All.

Press CTRL+C

Open a Notepad and press CTRL+V

Post the output back here.
Broni, Jan 18, 2012

#7
Bobbyrae Newcomer, in training Posts: 22

problems with SCSI

Broni,

Regarding the "other" unrequested scans... the latest ones I have posted I believed to be required per the 5 step procedure outlined in this forum. It sounds like we are to do those initially. If not, I misunderstood. But yes, in my very first post I did some extra scans. Sorry.

Now...

aswMBR is running incredibly slowly on my system. It went for *4* hours and still was not done. I stopped it and compared the timestamps to other listings here in the forum and it should take about 1/2 hour. So then I ran bootCleaner and it gave me this message:

which tells me that probably every time I see really slow execution on these programs it is because of something like this. Except that the other programs weren't designed to do the right thing!

So tonight I will start aswMBR before I go to bed and hopefully 8 hours will be enough for it.

Good News: using regsvr32 on my DLL's got windows update service going again.
Bad News: boot_cleaner did find a bootkit on my boot drive. I will post the results tomorrow if I can.

Thanks!

Bobbyrae, Jan 18, 2012

#8
Broni Malware Annihilator Posts: 39,189 +175

No problem

Broni, Jan 19, 2012

#9
Bobbyrae Newcomer, in training Posts: 22

awsMBR

duplicate.....

Bobbyrae, Jan 24, 2012

#10
Bobbyrae Newcomer, in training Posts: 22

awsMBR

I am sorry this took so long, but I have been waiting for a response at the AVAST website support forum. I was hoping for some clue as to make that program work correctly. Since I have NOT gotten any helpful responses, I will just enter the log I got from a partial run. As you can see, it ran for 15 hours and did not complete.

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-19 02:18:03
-----------------------------
02:18:03.984 OS Version: Windows 5.1.2600 Service Pack 3
02:18:03.984 Number of processors: 1 586 0x801
02:18:03.984 ComputerName: RIONXP UserName: Rion
02:18:04.328 Initialize success
02:18:12.093 AVAST engine defs: 12011801
02:18:30.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\adpu160m1Port2Path0Target0Lun0
02:18:30.859 Disk 0 Vendor: SEAGATE_ 0003 Size: 17501MB BusType: 1
02:18:31.375 Disk 1 \Device\Harddisk1\DR1 -> \Device\Scsi\adpu160m1Port2Path0Target1Lun0
02:18:31.375 Disk 1 Vendor: QUANTUM_ UCH0 Size: 8759MB BusType: 1
02:18:31.375 Disk 2 \Device\Harddisk2\DR2 -> \Device\Scsi\adpu160m1Port2Path0Target2Lun0
02:18:31.375 Disk 2 Vendor: FUJITSU_ 0104 Size: 35068MB BusType: 1
02:18:31.375 Device \Driver\adpu160m -> DriverStartIo SCSIPORT.SYS f73c440e
02:18:31.406 Disk 0 MBR read successfully
02:18:31.406 Disk 0 MBR scan
02:18:31.421 Disk 0 Windows XP default MBR code
02:18:31.437 Disk 0 Partition 1 80 (A) 0C FAT32 LBA MSDOS5.0 17492 MB offset 63
02:18:31.453 Disk 0 scanning sectors +35824950
02:18:31.468 Disk 0 scanning C:\WINDOWS\system32\drivers
02:57:49.187 Service scanning
02:57:50.343 Modules scanning
03:32:05.765 Disk 0 trace - called modules:
03:32:05.765 ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll adpu160m.sys
03:32:05.781 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f0e918]
03:32:05.781 3 CLASSPNP.SYS[f750ffd7] -> nt!IofCallDriver -> \Device\Scsi\adpu160m1Port2Path0Target0Lun0[0x86fd6a38]
03:32:06.328 AVAST engine scan C:\WINDOWS
03:44:38.890 AVAST engine scan C:\WINDOWS\system32
16:42:33.781 AVAST engine scan C:\WINDOWS\system32\drivers
17:21:50.796 AVAST engine scan C:\Documents and Settings\Rion
17:38:51.125 Disk 0 MBR has been saved successfully to "C:\MBR.dat"
17:38:51.140 The log file has been saved successfully to "C:\aswMBR.txt"

------------------------------------

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
ATA_Read(): DeviceIoControl() ERROR 1

Size Device Name MBR Status
--------------------------------------------
17 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]

Done;
Press any key to quit...

Bobbyrae, Jan 24, 2012

#11
Broni Malware Annihilator Posts: 39,189 +175

Please download and run ListParts by Farbar (for 32-bit system)

Please download and run ListParts64 by Farbar (for 64-bit system)

Click on Scan button.

Scan result will open in Notepad.
Post it in your next reply.

Broni, Jan 24, 2012

#12
Bobbyrae Newcomer, in training Posts: 22

listParts results

ListParts by Farbar
Ran by Rion on 25-01-2012 at 05:31:11
Windows XP (X86)
Running From: D:\FSS
************************************************************

========================= Memory info ======================

Percentage of memory in use: 45%
Total physical RAM: 1023.48 MB
Available physical RAM: 562.08 MB
Total Pagefile: 929.73 MB
Available Pagefile: 607.62 MB
Total Virtual: 2047.88 MB
Available Virtual: 2003.66 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:17.07 GB) (Free:4.05 GB) FAT32 ==>[Drive with boot components (Windows XP)]
3 Drive d: () (Fixed) (Total:34.24 GB) (Free:15.45 GB) NTFS
4 Drive e: () (Fixed) (Total:8.53 GB) (Free:4.17 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 17 GB 0 B
Disk 1 Online 9 GB 0 B
Disk 2 Online 34 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 17 GB 32 KB

Disk: 0
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C FAT32 Partition 17 GB Healthy System (partition with boot components)

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Extended 9 GB 8033 KB
Partition 2 Logical 9 GB 8064 KB

Disk: 1
Partition 2
Type : 0B
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E FAT32 Partition 9 GB Healthy

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 34 GB 32 KB

Disk: 2
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 D NTFS Partition 34 GB Healthy

****** End Of Log ******

Bobbyrae, Jan 25, 2012

#13
Broni Malware Annihilator Posts: 39,189 +175

Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
OK any security prompts.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.

Broni, Jan 25, 2012

#14
Bobbyrae Newcomer, in training Posts: 22

Good News!

The result was:

Backdoor. Tidserv has not been found on your computer.

Or is this bad news? Meaning that there must be some other rootkit?

Thanks again!

Bobbyrae, Jan 25, 2012

#15
Broni Malware Annihilator Posts: 39,189 +175
That's fine. We're just checking....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

Double-click on the Rkill desktop icon to run the tool.

If using Vista or Windows 7 right-click on it and choose Run As Administrator.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

If not, delete the file, then download and use the one provided in Link 2.

If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.

Do not reboot until instructed.

If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Broni, Jan 25, 2012

#16
Bobbyrae Newcomer, in training Posts: 22

ComboFix ran but would not complete

As I previously experienced with DDS and awsMBR, CF starts up and seems to be humming along, but then after some time it kinda goes to sleep.

That is, the window is still there, the clock is going, but NOTHING is happening. So I tried it in safe mode and got the same results. Then I made sure that mbamservice was disabled and tried AGAIN in normal mode, but it went for 5 HOURS and then I had to press the reset button. There were some directories and files created, but no log file. It appears that the activity stopped shortly after initiating CF.

So... does this count as "not running" and I should try the renaming approach?

I want you to know this is very frustrating (i.e. cure is worse than the disease!) and if you are convinced I have a virus I would like to know what you are thinking, please.

Bobbyrae, Jan 26, 2012

#17
Broni Malware Annihilator Posts: 39,189 +175
Download TDSSKiller and save it to your desktop.

Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.

If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
Broni, Jan 26, 2012

#18
Bobbyrae Newcomer, in training Posts: 22

Are you ignoring my questions?

I asked you a couple of question in my previous post. Did you not notice?

TDSSKILLER found nothing. It did not reboot or ask me any questions. Here is the log:

09:38:09.0984 2176 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
09:38:10.0406 2176 ============================================================
09:38:10.0406 2176 Current date / time: 2012/01/27 09:38:10.0406
09:38:10.0406 2176 SystemInfo:
09:38:10.0406 2176
09:38:10.0406 2176 OS Version: 5.1.2600 ServicePack: 3.0
09:38:10.0406 2176 Product type: Workstation
09:38:10.0406 2176 ComputerName: RIONXP
09:38:10.0406 2176 UserName: Rion
09:38:10.0406 2176 Windows directory: C:\WINDOWS
09:38:10.0406 2176 System windows directory: C:\WINDOWS
09:38:10.0406 2176 Processor architecture: Intel x86
09:38:10.0406 2176 Number of processors: 1
09:38:10.0406 2176 Page size: 0x1000
09:38:10.0406 2176 Boot type: Normal boot
09:38:10.0406 2176 ============================================================
09:38:11.0453 2176 Drive \Device\Harddisk0\DR0 - Size: 0x445DCCC00 (17.09 Gb), SectorSize: 0x200, Cylinders: 0x8B7, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
09:38:11.0468 2176 Drive \Device\Harddisk1\DR1 - Size: 0x223745400 (8.55 Gb), SectorSize: 0x200, Cylinders: 0x45C, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
09:38:11.0468 2176 Drive \Device\Harddisk2\DR2 - Size: 0x88FC1D000 (34.25 Gb), SectorSize: 0x200, Cylinders: 0x1176, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
09:38:11.0515 2176 Initialize success
09:38:23.0031 1672 ============================================================
09:38:23.0031 1672 Scan started
09:38:23.0031 1672 Mode: Manual;
09:38:23.0031 1672 ============================================================
09:38:23.0453 1672 Abiosdsk - ok
09:38:23.0593 1672 abp480n5 - ok
09:38:23.0765 1672 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
09:38:23.0843 1672 ACPI - ok
09:38:23.0906 1672 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:38:23.0906 1672 ACPIEC - ok
09:38:24.0000 1672 adpu160m (7cc7974b9c504992e08af6dbeeeaf3bf) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
09:38:24.0000 1672 adpu160m - ok
09:38:24.0140 1672 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
09:38:24.0156 1672 aec - ok
09:38:24.0234 1672 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
09:38:24.0437 1672 AFD - ok
09:38:24.0593 1672 Aha154x - ok
09:38:24.0734 1672 aic78u2 - ok
09:38:24.0906 1672 aic78xx - ok
09:38:25.0078 1672 AliIde - ok
09:38:25.0187 1672 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
09:38:25.0187 1672 AmdK7 - ok
09:38:25.0265 1672 AMDPCI - ok
09:38:25.0421 1672 amsint - ok
09:38:25.0515 1672 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
09:38:25.0531 1672 Arp1394 - ok
09:38:25.0671 1672 asc - ok
09:38:25.0843 1672 asc3350p - ok
09:38:26.0000 1672 asc3550 - ok
09:38:26.0171 1672 aslm75 (71356a1370739e25375a1d17b6ae318f) C:\WINDOWS\system32\drivers\aslm75.sys
09:38:26.0171 1672 aslm75 - ok
09:38:26.0265 1672 Aspi32 (835af6b53390729622fb8a937cdc99ce) C:\WINDOWS\system32\drivers\aspi32.sys
09:38:26.0265 1672 Aspi32 - ok
09:38:26.0328 1672 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:38:26.0328 1672 AsyncMac - ok
09:38:26.0406 1672 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
09:38:26.0406 1672 atapi - ok
09:38:26.0562 1672 Atdisk - ok
09:38:26.0640 1672 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:38:26.0640 1672 Atmarpc - ok
09:38:26.0750 1672 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:38:26.0750 1672 audstub - ok
09:38:26.0812 1672 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
09:38:26.0812 1672 avgio - ok
09:38:26.0984 1672 avgntflt (14fe36d8f2c6a2435275338d061a0b66) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
09:38:27.0000 1672 avgntflt - ok
09:38:27.0156 1672 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\WINDOWS\system32\DRIVERS\avipbb.sys
09:38:27.0156 1672 avipbb - ok
09:38:27.0203 1672 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:38:27.0203 1672 Beep - ok
09:38:27.0296 1672 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
09:38:27.0296 1672 Bridge - ok
09:38:27.0312 1672 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
09:38:27.0328 1672 BridgeMP - ok
09:38:27.0453 1672 BsStor (d6d0f3860f022a12e888965f8237cbd9) C:\WINDOWS\system32\DRIVERS\bsstor.sys
09:38:27.0453 1672 BsStor - ok
09:38:27.0500 1672 BsUDF (9fb5b0b0b3a7bbf8ef21831acaea1d35) C:\WINDOWS\system32\drivers\BsUDF.sys
09:38:27.0515 1672 BsUDF - ok
09:38:27.0593 1672 catchme - ok
09:38:27.0640 1672 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:38:27.0640 1672 cbidf2k - ok
09:38:27.0703 1672 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
09:38:27.0703 1672 CCDECODE - ok
09:38:27.0875 1672 cd20xrnt - ok
09:38:27.0921 1672 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:38:27.0921 1672 Cdaudio - ok
09:38:28.0000 1672 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
09:38:28.0000 1672 Cdfs - ok
09:38:28.0078 1672 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:38:28.0078 1672 Cdrom - ok
09:38:28.0125 1672 cglptnt (c8b5858aebb4782ae16533297ef1f9be) C:\totalcmd\cglptnt.sys
09:38:28.0125 1672 cglptnt - ok
09:38:28.0265 1672 Changer - ok
09:38:28.0437 1672 CmdIde - ok
09:38:28.0609 1672 Cpqarray - ok
09:38:28.0765 1672 cpuz134 (75fa19142531cbf490770c2988a7db64) C:\WINDOWS\system32\drivers\cpuz134_x32.sys
09:38:28.0765 1672 cpuz134 - ok
09:38:28.0937 1672 dac2w2k - ok
09:38:29.0093 1672 dac960nt - ok
09:38:29.0234 1672 DgiVecp (770471de2550820feeb7e5d24bf2e273) C:\WINDOWS\system32\Drivers\DgiVecp.sys
09:38:29.0234 1672 DgiVecp - ok
09:38:29.0265 1672 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
09:38:29.0265 1672 Disk - ok
09:38:29.0406 1672 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
09:38:29.0484 1672 dmboot - ok
09:38:29.0640 1672 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
09:38:29.0640 1672 dmio - ok
09:38:29.0656 1672 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:38:29.0671 1672 dmload - ok
09:38:29.0765 1672 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
09:38:29.0765 1672 DMusic - ok
09:38:29.0937 1672 dpti2o - ok
09:38:30.0015 1672 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
09:38:30.0015 1672 drmkaud - ok
09:38:30.0156 1672 EIO (1438427631a46b759c0d1cb5f6268fd7) C:\WINDOWS\system32\drivers\EIO.sys
09:38:30.0171 1672 EIO - ok
09:38:30.0328 1672 EL90Xbc (b61eaf446adf55cc0d0d5c5bbd3d1cae) C:\WINDOWS\system32\DRIVERS\el90Xbc5.SYS
09:38:30.0328 1672 EL90Xbc - ok
09:38:30.0406 1672 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
09:38:30.0421 1672 Fastfat - ok
09:38:30.0453 1672 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
09:38:30.0453 1672 Fdc - ok
09:38:30.0546 1672 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
09:38:30.0546 1672 Fips - ok
09:38:30.0625 1672 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
09:38:30.0625 1672 Flpydisk - ok
09:38:30.0750 1672 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
09:38:30.0765 1672 FltMgr - ok
09:38:30.0812 1672 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:38:30.0812 1672 Fs_Rec - ok
09:38:30.0859 1672 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:38:30.0875 1672 Ftdisk - ok
09:38:30.0937 1672 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
09:38:30.0937 1672 gameenum - ok
09:38:31.0015 1672 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:38:31.0015 1672 Gpc - ok
09:38:31.0187 1672 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
09:38:31.0187 1672 HidUsb - ok
09:38:31.0343 1672 hmonitor (b8edd78f9f888cf1b70c9e6c3be4a8e6) C:\WINDOWS\system32\drivers\hmonitor.sys
09:38:31.0343 1672 hmonitor - ok
09:38:31.0500 1672 hpn - ok
09:38:31.0562 1672 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
09:38:31.0562 1672 HTTP - ok
09:38:31.0734 1672 i2omgmt - ok
09:38:31.0890 1672 i2omp - ok
09:38:31.0953 1672 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
09:38:31.0953 1672 i8042prt - ok
09:38:32.0062 1672 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:38:32.0062 1672 Imapi - ok
09:38:32.0234 1672 ini910u - ok
09:38:32.0390 1672 IntelIde - ok
09:38:32.0484 1672 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
09:38:32.0500 1672 ip6fw - ok
09:38:32.0546 1672 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:38:32.0546 1672 IpFilterDriver - ok
09:38:32.0562 1672 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:38:32.0562 1672 IpInIp - ok
09:38:32.0656 1672 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:38:32.0671 1672 IpNat - ok
09:38:32.0750 1672 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:38:32.0750 1672 IPSec - ok
09:38:32.0796 1672 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:38:32.0796 1672 IRENUM - ok
09:38:32.0906 1672 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
09:38:32.0906 1672 isapnp - ok
09:38:32.0968 1672 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:38:32.0968 1672 Kbdclass - ok
09:38:33.0140 1672 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:38:33.0140 1672 kbdhid - ok
09:38:33.0171 1672 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:38:33.0187 1672 kmixer - ok
09:38:33.0328 1672 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:38:33.0328 1672 KSecDD - ok
09:38:33.0500 1672 lbrtfdc - ok
09:38:33.0687 1672 mbamchameleon (7ffd29fafcde7aaf89b689b6e156d5b0) C:\WINDOWS\system32\drivers\mbamchameleon.sys
09:38:33.0703 1672 mbamchameleon - ok
09:38:33.0750 1672 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
09:38:33.0765 1672 MBAMProtector - ok
09:38:33.0843 1672 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:38:33.0843 1672 mnmdd - ok
09:38:33.0875 1672 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:38:33.0875 1672 Modem - ok
09:38:33.0921 1672 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:38:33.0921 1672 Mouclass - ok
09:38:34.0078 1672 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:38:34.0078 1672 mouhid - ok
09:38:34.0140 1672 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:38:34.0140 1672 MountMgr - ok
09:38:34.0187 1672 MR97310_USB_DUAL_CAMERA (1aae79a4176a957bf2bb679812f04655) C:\WINDOWS\system32\DRIVERS\mr97310c.sys
09:38:34.0187 1672 MR97310_USB_DUAL_CAMERA - ok
09:38:34.0343 1672 mraid35x - ok
09:38:34.0453 1672 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:38:34.0453 1672 MRxDAV - ok
09:38:34.0531 1672 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:38:34.0531 1672 MRxSmb - ok
09:38:34.0640 1672 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
09:38:34.0640 1672 Msfs - ok
09:38:34.0734 1672 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:38:34.0734 1672 MSKSSRV - ok
09:38:34.0812 1672 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:38:34.0812 1672 MSPCLOCK - ok
09:38:34.0890 1672 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
09:38:34.0890 1672 MSPQM - ok
09:38:35.0000 1672 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:38:35.0000 1672 mssmbios - ok
09:38:35.0078 1672 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
09:38:35.0093 1672 MSTEE - ok
09:38:35.0171 1672 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
09:38:35.0171 1672 ms_mpu401 - ok
09:38:35.0328 1672 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
09:38:35.0343 1672 Mup - ok
09:38:35.0421 1672 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
09:38:35.0421 1672 NABTSFEC - ok
09:38:35.0578 1672 Nbf - ok
09:38:35.0625 1672 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
09:38:35.0671 1672 NDIS - ok
09:38:35.0750 1672 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
09:38:35.0750 1672 NdisIP - ok
09:38:35.0843 1672 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:38:35.0843 1672 NdisTapi - ok
09:38:35.0906 1672 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:38:35.0906 1672 Ndisuio - ok
09:38:35.0953 1672 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:38:35.0953 1672 NdisWan - ok
09:38:36.0031 1672 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
09:38:36.0031 1672 NDProxy - ok
09:38:36.0093 1672 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:38:36.0109 1672 NetBIOS - ok
09:38:36.0218 1672 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:38:36.0218 1672 NetBT - ok
09:38:36.0390 1672 ngrpci (bdfa550022facf2a922213065924f529) C:\WINDOWS\system32\DRIVERS\ngrpci.sys
09:38:36.0390 1672 ngrpci - ok
09:38:36.0437 1672 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
09:38:36.0437 1672 NIC1394 - ok
09:38:36.0593 1672 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
09:38:36.0593 1672 Npfs - ok
09:38:36.0703 1672 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
09:38:36.0734 1672 Ntfs - ok
09:38:36.0781 1672 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:38:36.0781 1672 Null - ok
09:38:37.0109 1672 nv (ba1b732c1a70cfea0c1b64f2850bf44f) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
09:38:37.0234 1672 nv - ok
09:38:37.0281 1672 nvax (fb8595ef3ceb81f0da3f6f211b2df932) C:\WINDOWS\system32\drivers\nvax.sys
09:38:37.0296 1672 nvax - ok
09:38:37.0437 1672 nvcap (9fef02bef7a8d25af5a1915b58ea8216) C:\WINDOWS\system32\DRIVERS\nvcap.sys
09:38:37.0453 1672 nvcap - ok
09:38:37.0562 1672 NVENET (fbe448efa5484a256528e1d02b959bbc) C:\WINDOWS\system32\DRIVERS\NVENET.sys
09:38:37.0562 1672 NVENET - ok
09:38:37.0671 1672 nvnforce (d2315cd3053fc3b4250dc2dbd0ac49e4) C:\WINDOWS\system32\drivers\nvapu.sys
09:38:37.0734 1672 nvnforce - ok
09:38:37.0921 1672 nvTUNEP (1e92265bd0b1e8e04fa56c63c5abf420) C:\WINDOWS\system32\DRIVERS\nvtunep.sys
09:38:37.0921 1672 nvTUNEP - ok
09:38:38.0062 1672 nvtvSND (83e5248921a767dda38173ebd5c7de6d) C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys
09:38:38.0078 1672 nvtvSND - ok
09:38:38.0203 1672 NVXBAR (6f3a4728f6eb3384531b305fc58964f6) C:\WINDOWS\system32\DRIVERS\NVxbar.sys
09:38:38.0218 1672 NVXBAR - ok
09:38:38.0343 1672 nv_agp (db36442c20793c53b4128eb85f9a3d32) C:\WINDOWS\system32\DRIVERS\nv_agp.sys
09:38:38.0343 1672 nv_agp - ok
09:38:38.0390 1672 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:38:38.0390 1672 NwlnkFlt - ok
09:38:38.0437 1672 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:38:38.0437 1672 NwlnkFwd - ok
09:38:38.0515 1672 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
09:38:38.0515 1672 ohci1394 - ok
09:38:38.0562 1672 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
09:38:38.0562 1672 Parport - ok
09:38:38.0625 1672 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
09:38:38.0625 1672 PartMgr - ok
09:38:38.0671 1672 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:38:38.0671 1672 ParVdm - ok
09:38:38.0765 1672 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
09:38:38.0765 1672 PCI - ok
09:38:38.0937 1672 PCIDump - ok
09:38:39.0062 1672 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
09:38:39.0062 1672 PCIIde - ok
09:38:39.0187 1672 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:38:39.0203 1672 Pcmcia - ok
09:38:39.0359 1672 PDCOMP - ok
09:38:39.0500 1672 PDFRAME - ok
09:38:39.0656 1672 PDRELI - ok
09:38:39.0796 1672 PDRFRAME - ok
09:38:39.0968 1672 perc2 - ok
09:38:40.0125 1672 perc2hib - ok
09:38:40.0296 1672 pfc (c4aa89518e8a2934eaf503c9587ff157) C:\WINDOWS\system32\drivers\pfc.sys
09:38:40.0296 1672 pfc - ok
09:38:40.0375 1672 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:38:40.0375 1672 PptpMiniport - ok
09:38:40.0406 1672 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
09:38:40.0421 1672 PSched - ok
09:38:40.0453 1672 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:38:40.0453 1672 Ptilink - ok
09:38:40.0625 1672 PxHelp20 (b572ed0c3e6165643fa116af20425a54) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
09:38:40.0625 1672 PxHelp20 - ok
09:38:40.0781 1672 ql1080 - ok
09:38:40.0953 1672 Ql10wnt - ok
09:38:41.0093 1672 ql12160 - ok
09:38:41.0250 1672 ql1240 - ok
09:38:41.0406 1672 ql1280 - ok
09:38:41.0437 1672 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:38:41.0437 1672 RasAcd - ok
09:38:41.0515 1672 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:38:41.0515 1672 Rasl2tp - ok
09:38:41.0578 1672 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:38:41.0578 1672 RasPppoe - ok
09:38:41.0609 1672 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:38:41.0609 1672 Raspti - ok
09:38:41.0671 1672 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:38:41.0687 1672 Rdbss - ok
09:38:41.0718 1672 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:38:41.0718 1672 RDPCDD - ok
09:38:41.0750 1672 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
09:38:41.0750 1672 rdpdr - ok
09:38:41.0859 1672 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
09:38:41.0859 1672 RDPWD - ok
09:38:41.0937 1672 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:38:41.0953 1672 redbook - ok
09:38:42.0015 1672 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
09:38:42.0015 1672 sbp2port - ok
09:38:42.0187 1672 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:38:42.0187 1672 Secdrv - ok
09:38:42.0250 1672 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
09:38:42.0265 1672 serenum - ok
09:38:42.0312 1672 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
09:38:42.0312 1672 Serial - ok
09:38:42.0375 1672 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
09:38:42.0375 1672 Sfloppy - ok
09:38:42.0578 1672 SI3112r (8fd2a1128f8f2fd340c096719ad10246) C:\WINDOWS\system32\DRIVERS\SI3112r.sys
09:38:42.0578 1672 SI3112r - ok
09:38:42.0734 1672 SiFilter (e393a2822fdbb3ec3648fd64e54cdda0) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
09:38:42.0734 1672 SiFilter - ok
09:38:42.0906 1672 Simbad - ok
09:38:42.0937 1672 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
09:38:42.0953 1672 SLIP - ok
09:38:43.0125 1672 Sparrow - ok
09:38:43.0156 1672 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
09:38:43.0156 1672 splitter - ok
09:38:43.0250 1672 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
09:38:43.0250 1672 sr - ok
09:38:43.0375 1672 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
09:38:43.0390 1672 Srv - ok
09:38:43.0562 1672 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
09:38:43.0562 1672 ssmdrv - ok
09:38:43.0640 1672 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
09:38:43.0640 1672 streamip - ok
09:38:43.0750 1672 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:38:43.0750 1672 swenum - ok
09:38:43.0921 1672 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
09:38:43.0921 1672 swmidi - ok
09:38:44.0093 1672 symc810 - ok
09:38:44.0234 1672 symc8xx - ok
09:38:44.0390 1672 sym_hi - ok
09:38:44.0546 1672 sym_u3 - ok
09:38:44.0687 1672 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
09:38:44.0703 1672 sysaudio - ok
09:38:44.0890 1672 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:38:44.0890 1672 Tcpip - ok
09:38:45.0046 1672 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:38:45.0046 1672 TDPIPE - ok
09:38:45.0203 1672 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
09:38:45.0203 1672 TDTCP - ok
09:38:45.0359 1672 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:38:45.0359 1672 TermDD - ok
09:38:45.0515 1672 TosIde - ok
09:38:45.0671 1672 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
09:38:45.0671 1672 Udfs - ok
09:38:45.0828 1672 ultra - ok
09:38:45.0984 1672 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
09:38:46.0000 1672 Update - ok
09:38:46.0187 1672 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:38:46.0187 1672 usbccgp - ok
09:38:46.0281 1672 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:38:46.0281 1672 usbehci - ok
09:38:46.0421 1672 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:38:46.0421 1672 usbhub - ok
09:38:46.0562 1672 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
09:38:46.0562 1672 usbohci - ok
09:38:46.0703 1672 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:38:46.0703 1672 usbprint - ok
09:38:46.0859 1672 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
09:38:46.0859 1672 usbscan - ok
09:38:47.0000 1672 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:38:47.0000 1672 usbstor - ok
09:38:47.0140 1672 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
09:38:47.0140 1672 VgaSave - ok
09:38:47.0312 1672 ViaIde - ok
09:38:47.0453 1672 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
09:38:47.0453 1672 VolSnap - ok
09:38:47.0578 1672 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:38:47.0593 1672 Wanarp - ok
09:38:47.0734 1672 WDICA - ok
09:38:47.0890 1672 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
09:38:47.0890 1672 wdmaud - ok
09:38:48.0000 1672 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
09:38:48.0000 1672 WS2IFSL - ok
09:38:48.0140 1672 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
09:38:48.0140 1672 WSTCODEC - ok
09:38:48.0203 1672 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
09:38:48.0296 1672 \Device\Harddisk0\DR0 - ok
09:38:48.0312 1672 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
09:38:48.0312 1672 \Device\Harddisk1\DR1 - ok
09:38:48.0328 1672 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR2
09:38:48.0328 1672 \Device\Harddisk2\DR2 - ok
09:38:48.0343 1672 Boot (0x1200) (1693b67b2ec4f58521c55f6a9688e66e) \Device\Harddisk0\DR0\Partition0
09:38:48.0343 1672 \Device\Harddisk0\DR0\Partition0 - ok
09:38:48.0343 1672 Boot (0x1200) (eb8cc40d7a608cb96fa68d7a566a5863) \Device\Harddisk1\DR1\Partition0
09:38:48.0343 1672 \Device\Harddisk1\DR1\Partition0 - ok
09:38:48.0359 1672 Boot (0x1200) (fcde296b24aae22d68050477b4aaab6d) \Device\Harddisk2\DR2\Partition0
09:38:48.0359 1672 \Device\Harddisk2\DR2\Partition0 - ok
09:38:48.0375 1672 ============================================================
09:38:48.0375 1672 Scan finished
09:38:48.0375 1672 ============================================================
09:38:48.0390 4080 Detected object count: 0
09:38:48.0390 4080 Actual detected object count: 0

Bobbyrae, Jan 27, 2012

#19
Broni Malware Annihilator Posts: 39,189 +175
I asked you a couple of question in my previous post. Did you not notice?

When I have some answers you'll be first to know.

Download OTL to your Desktop.

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

Click the Scan All Users checkbox.

Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
userinit.exe
explorer.exe
volsnap.sys
winlogon.exe
nvraid.sys
consrv.dll
winsrv.dll
svchost.exe
tcpip.sys
netbt.sys
dxgthk.sys
/md5stop

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
Broni, Jan 27, 2012

#20

Page 1 of 2

Topic Status:: Not open for further replies.

Add New Comment

	Social Login & Guest Posting			TechSpot Members Login here or sign up for free, it takes about a minute.
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.