TechSpot

Glacial-like slowness and missing programs

By NomenOblitum
Nov 23, 2011
  1. Problems started yesterday morning.

    Turned off computer in morning after overnight scan (it found tracking cookies).

    When computer was turned back on, it was much slower to start up than normally and was slow to open programs or web pages (as slow or slower than when it is scanning or updating).

    Had difficulty in opening Task Manager and could not disable the internet connection before I gave up and turned off the computer.

    Spouse turned it on later and had the same sorts of issues; horribly slow, not able to disable the internet connection except by physically unplugging, very slow in opening Task Manager, hung up during a Restart, etc.

    Spouse did notice that something was causing a svchost.exe SYSTEM file to have high CPU and Mem Usage numbers in the Task Manager when it finally opened.

    I came back later and checked the Task Manager and noticed a process that I did not recognize (looked like one of those random letter strings, started with a C) and I stopped the process. That brought up a red warning box from McAfee.

    The computer is still performing poorly, getting hung up on Restarts, etc.
    It also appears that some things are missing; for example, I can't find Paint or the Character Map.

    Thank you for any assistance you can provide.
     
  2. NomenOblitum

    NomenOblitum TS Rookie Topic Starter Posts: 29

    Malwarebytes

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8222

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/23/2011 2:46:14 AM
    mbam-log-2011-11-23 (02-46-13).txt

    Scan type: Quick scan
    Objects scanned: 212558
    Time elapsed: 1 hour(s), 27 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CMHxHbrYhPJ.exe (Trojan.FakeAlert) -> Value: CMHxHbrYhPJ.exe -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\all users\application data\cmhxhbryhpj.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\downloads\loopy-setup.exe (Adware.Onlinegames) -> Quarantined and deleted successfully.
    c:\WINDOWS\Temp\37.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\WINDOWS\Temp\3A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
     
  3. NomenOblitum


    Gmer

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-11-23 12:00:35
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380011A rev.8.16
    Running: ubohpjlg.exe; Driver: C:\DOCUME~1\All\LOCALS~1\Temp\fglirpow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF8508210]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF8508224]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF8508250]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF85082A6]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF85081FC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF85081D4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF85081E8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF850823A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF850827C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF8508266]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF85082D0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF85082BC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF8508290]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 823D12C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 823D12C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 823D12C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 823D12C6

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp nnrnstdi.SYS (NNRNSTDI helper driver/The Nielsen Company)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
     
  4. NomenOblitum


    DDS

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Run by All at 12:04:02 on 2011-11-23
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.224 [GMT -5:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Kodak\AiO\center\KodakSvc.exe
    C:\Program Files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\NetRatingsNetSight\NetSight\NielsenUpdate.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
    C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\NetRatingsNetSight\NetSight\NielsenOnline.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
    C:\Program Files\AIM7\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\MSOffice\Office\FINDFAST.EXE
    C:\Rocky's Games\Register\Remind32.exe
    C:\Rocky's Games\RegisterSOD\Remind32.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Documents and Settings\All\Local Settings\Application Data\Google\Update\1.3.21.79\GoogleCrashHandler.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\notepad.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110512194215.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
    TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
    uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
    uRun: [Aim] "c:\program files\aim7\aim.exe" /d locale=en-US
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\all\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
    mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [Conime] %windir%\system32\conime.exe
    mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
    mRun: [NielsenOnline] c:\program files\netratingsnetsight\netsight\NielsenOnline.exe
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    StartupFolder: c:\docume~1\all\startm~1\programs\startup\3doreg~1.lnk - c:\rocky's games\register\Remind32.exe
    StartupFolder: c:\docume~1\all\startm~1\programs\startup\forget~1.lnk - c:\cacard\FMREMIND.EXE
    StartupFolder: c:\docume~1\all\startm~1\programs\startup\h3thes~1.lnk - c:\rocky's games\registersod\Remind32.exe
    StartupFolder: c:\docume~1\all\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.4\program\quickstart.exe
    StartupFolder: c:\docume~1\all\startm~1\programs\startup\openof~2.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\documents and settings\all\start menu\programs\startup\PowerReg Scheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\msoffice\office\FASTBOOT.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\msoffice\office\FINDFAST.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~3.lnk - c:\msoffice\office\MSOFFICE.EXE
    dPolicies-explorer: NoDesktop = 1 (0x1)
    dPolicies-system: DisableTaskMgr = 1 (0x1)
    IE: &AOL Toolbar Search
    IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
    IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {F4430FE8-2638-42e5-B849-800749B94EED} - c:\program files\partygaming.net\partypokernet\RunPF.exe
    IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    TCP: Interfaces\{3B20A143-C8EA-496C-8ECD-09490828DAC7} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\all\application data\mozilla\firefox\profiles\s3v46o9y.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://hamptonroads.cox.net/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - component: c:\program files\netratingsnetsight\netsight\meter8\ffaddon\components\nsgkff36_meter8.dll
    FF - plugin: c:\documents and settings\all\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\documents and settings\all\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPPGWrap.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Feed Filter: facebookfilter@chocolatesoftware.com - %profile%\extensions\facebookfilter@chocolatesoftware.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Nielsen: {D908A1CC-54B4-4af9-9BB4-964F5BD3CDB7} - c:\program files\netratingsnetsight\netsight\meter7\FFAddon
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-6 387480]
    R0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys [2009-9-18 24192]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-1-20 84200]
    R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [2009-9-18 15360]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKDiscovery.exe [2008-10-10 274432]
    R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\aio\center\KodakSvc.exe [2008-12-1 28672]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-7-6 94880]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-20 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-20 271480]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-1-20 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-1-20 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-1-20 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-1-20 141792]
    R2 NielsenUpdate;Nielsen Update;c:\program files\netratingsnetsight\netsight\NielsenUpdate.exe [2011-1-27 303936]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-1-20 56064]
    R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [2009-9-18 9088]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-6 153280]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-1-20 314088]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-1-20 88736]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-21 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-21 135664]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-6 52320]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-1-20 88736]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-1-20 84488]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-6 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-6 40552]
    S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys [2009-9-18 9088]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    2011-11-16 12:36:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST380011A rev.8.16 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x823D149F]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x823d8728]; MOV EAX, [0x823d889c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x83345AB8]
    3 CLASSPNP[0xF86D7FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x82ABA640]
    \Driver\atapi[0x825B8F38] -> IRP_MJ_CREATE -> 0x823D149F
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x823D12C6
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 12:07:02.82 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 4/7/2006 10:46:59 PM
    System Uptime: 11/23/2011 8:05:05 AM (4 hours ago)
    .
    Motherboard: Dell Computer Corp. | | 0WF887
    Processor: Intel(R) Celeron(R) CPU 2.53GHz | Microprocessor | 2527/533mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 53 GiB total, 21.236 GiB free.
    D: is FIXED (NTFS) - 19 GiB total, 18.536 GiB free.
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/100 VE Network Connection
    Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01D51028&REV_02\4&1C660DD6&0&40F0
    Manufacturer: Intel
    Name: Intel(R) PRO/100 VE Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_01D51028&REV_02\4&1C660DD6&0&40F0
    Service: E100B
    .
    ==== System Restore Points ===================
    .
    RP1491: 9/18/2011 1:25:39 AM - Software Distribution Service 3.0
    RP1492: 9/19/2011 12:07:57 AM - Software Distribution Service 3.0
    RP1493: 9/19/2011 2:25:27 AM - Software Distribution Service 3.0
    RP1494: 9/20/2011 3:00:52 AM - Software Distribution Service 3.0
    RP1495: 9/20/2011 3:12:41 AM - Software Distribution Service 3.0
    RP1496: 9/21/2011 3:00:59 AM - Software Distribution Service 3.0
    RP1497: 9/21/2011 5:14:43 AM - Software Distribution Service 3.0
    RP1498: 9/22/2011 1:03:44 AM - Software Distribution Service 3.0
    RP1499: 9/23/2011 3:01:00 AM - Software Distribution Service 3.0
    RP1500: 9/23/2011 11:30:44 PM - Software Distribution Service 3.0
    RP1501: 9/25/2011 3:00:46 AM - Software Distribution Service 3.0
    RP1502: 9/25/2011 3:12:59 AM - Software Distribution Service 3.0
    RP1503: 9/26/2011 3:00:41 AM - Software Distribution Service 3.0
    RP1504: 9/27/2011 3:00:38 AM - Software Distribution Service 3.0
    RP1505: 9/28/2011 3:00:47 AM - Software Distribution Service 3.0
    RP1506: 9/28/2011 6:42:28 AM - Software Distribution Service 3.0
    RP1507: 9/29/2011 3:00:41 AM - Software Distribution Service 3.0
    RP1508: 9/30/2011 3:05:13 AM - Software Distribution Service 3.0
    RP1509: 10/1/2011 1:34:10 AM - Software Distribution Service 3.0
    RP1510: 10/2/2011 1:47:00 AM - System Checkpoint
    RP1511: 10/2/2011 3:00:33 AM - Software Distribution Service 3.0
    RP1512: 10/3/2011 3:00:45 AM - Software Distribution Service 3.0
    RP1513: 10/3/2011 3:33:52 AM - Software Distribution Service 3.0
    RP1514: 10/4/2011 1:55:01 AM - Software Distribution Service 3.0
    RP1515: 10/5/2011 2:14:54 AM - System Checkpoint
    RP1516: 10/5/2011 3:00:43 AM - Software Distribution Service 3.0
    RP1517: 10/5/2011 11:57:21 PM - Software Distribution Service 3.0
    RP1518: 10/7/2011 3:07:03 AM - Software Distribution Service 3.0
    RP1519: 10/8/2011 12:48:17 AM - Software Distribution Service 3.0
    RP1520: 10/9/2011 2:18:35 AM - Software Distribution Service 3.0
    RP1521: 10/10/2011 2:46:26 AM - Software Distribution Service 3.0
    RP1522: 10/11/2011 2:26:39 AM - Software Distribution Service 3.0
    RP1523: 10/12/2011 2:04:16 AM - Software Distribution Service 3.0
    RP1524: 10/13/2011 1:36:14 AM - Software Distribution Service 3.0
    RP1525: 10/14/2011 3:00:50 AM - Software Distribution Service 3.0
    RP1526: 10/14/2011 11:29:16 AM - Software Distribution Service 3.0
    RP1527: 10/15/2011 1:18:54 PM - System Checkpoint
    RP1528: 10/16/2011 3:00:47 AM - Software Distribution Service 3.0
    RP1529: 10/17/2011 3:01:54 AM - Software Distribution Service 3.0
    RP1530: 10/17/2011 4:09:24 AM - Software Distribution Service 3.0
    RP1531: 10/18/2011 12:39:29 AM - Software Distribution Service 3.0
    RP1532: 10/19/2011 1:03:54 AM - System Checkpoint
    RP1533: 10/19/2011 1:25:03 AM - Software Distribution Service 3.0
    RP1534: 10/20/2011 12:55:30 AM - Software Distribution Service 3.0
    RP1535: 10/21/2011 3:00:50 AM - Software Distribution Service 3.0
    RP1536: 10/22/2011 1:57:53 AM - Software Distribution Service 3.0
    RP1537: 10/23/2011 12:45:34 AM - Software Distribution Service 3.0
    RP1538: 10/23/2011 10:12:00 PM - Software Distribution Service 3.0
    RP1539: 10/24/2011 11:02:11 PM - System Checkpoint
    RP1540: 10/26/2011 10:20:16 AM - System Checkpoint
    RP1541: 10/28/2011 6:25:44 AM - System Checkpoint
    RP1542: 10/29/2011 8:04:06 PM - System Checkpoint
    RP1543: 10/30/2011 8:36:39 PM - System Checkpoint
    RP1544: 10/31/2011 8:40:39 PM - System Checkpoint
    RP1545: 11/1/2011 8:45:44 PM - System Checkpoint
    RP1546: 11/3/2011 12:12:53 AM - System Checkpoint
    RP1547: 11/4/2011 1:17:12 AM - System Checkpoint
    RP1548: 11/5/2011 8:50:46 AM - System Checkpoint
    RP1549: 11/6/2011 1:50:36 PM - System Checkpoint
    RP1550: 11/7/2011 8:52:04 PM - System Checkpoint
    RP1551: 11/8/2011 8:54:34 PM - System Checkpoint
    RP1552: 11/10/2011 2:10:42 AM - System Checkpoint
    RP1553: 11/10/2011 3:00:22 AM - Software Distribution Service 3.0
    RP1554: 11/11/2011 3:32:46 AM - System Checkpoint
    RP1555: 11/11/2011 10:30:06 AM - Software Distribution Service 3.0
    RP1556: 11/13/2011 4:20:52 PM - System Checkpoint
    RP1557: 11/15/2011 12:49:56 AM - System Checkpoint
    RP1558: 11/17/2011 10:59:30 PM - System Checkpoint
    RP1559: 11/19/2011 9:07:14 PM - System Checkpoint
    RP1560: 11/21/2011 4:13:47 AM - System Checkpoint
    RP1561: 11/22/2011 6:08:49 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Heroes of Might and Magic(TM) III Armageddon's Blade
    ABBYY FineReader 5.0 Sprint Plus
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.1)
    Aepryus Graph 1.0
    AIM 7
    AIM Toolbar 5.0
    aiofw
    aioprnt
    aioscnnr
    Amazon MP3 Downloader 1.0.5
    AOL Instant Messenger
    AOLIcon
    ArcSoft PhotoImpression
    BadgeManager Plus
    Bonjour
    Camouflage
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    Canon G.726 WMP-Decoder
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities EOS Utility
    Canon Utilities PhotoStitch
    Canon Utilities ZoomBrowser EX
    center
    Cipher Classics
    Conexant D850 56K V.9x DFVc Modem
    Corel Photo Album 6
    Critical Update for Windows Media Player 11 (KB959772)
    Crypto Box
    CrypTool 1.4.30
    Dell CinePlayer
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Support Center
    Dell System Restore
    DellSupport
    Digital Content Portal
    Digital Line Detect
    Download Updater (AOL LLC)
    DROD: Journey to Rooted Hold Demo 2.0.16
    EducateU
    EKS Baker Street
    EKS Crocotile
    EKS Descartes Enigma
    EKS Descartes Rainbow
    EKS Dinner With Moriarty
    EKS Fermat's Fences
    EKS Flipitile
    EKS Greek Squares
    EKS Inspector Lestrade
    EKS Knarly Branches
    EKS Knarly Combs
    EKS Knarly Gridlock
    EKS Knarly Hexes
    EKS Knarly Jigs
    EKS Knarly Mazes
    EKS Knarly Works
    EKS Latin Squares
    EKS Lunatile 1.0
    EKS Mrs. Hudson
    EKS Occam's Quilt
    EKS Scotland Yard
    EKS Sherlock 5.0
    EKS Solitile 5.1
    EKS Watson's Map
    ELIcon
    EPSON Copy Utility
    EPSON EIC CX5400
    EPSON Photo Print
    EPSON Printer Software
    EPSON Scan
    EPSON Smart Panel
    ESET Online Scanner v3
    Games Interactive
    GIMP 2.6.6
    Google Chrome
    Google Earth
    Google Update Helper
    Google Updater
    GoToMeeting 4.8.0.723
    GTK+ 2.10.13 runtime environment
    Heroes of Might and Magic II
    Heroes of Might and Magic® III The Shadow of Death(TM)
    Hexip
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    iGridd
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 23
    KODAK All-in-One Printer Software
    ksDIP
    Learn2 Player (Uninstall Only)
    LEGO Digital Designer
    LiveUpdate 2.6 (Symantec Corporation)
    LOOPical demo version 0.902
    Loopy Puzzle
    Malwarebytes' Anti-Malware version 1.51.2.1300
    McAfee SecurityCenter
    MCU
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2572067)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access 2003 Runtime
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Office Professional
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Mini Golf Master 2
    mIRC
    Modem Helper
    Mozilla Firefox (3.6.24)
    MSN
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Musicmatch® Jukebox
    NetWaiting
    Nielsen Online
    OpenOffice.org 2.4
    OpenOffice.org 3.1
    Paint Shop Pro Shareware Version 3.12 - 32 Bit
    PartyPoker.net
    PathPix demo version 0.993
    Pizzicato 3.2.2
    PokerStars.net
    PreReq
    PrismaPix demo version 0.991
    Puzzle Master
    Python 2.7.1
    QuickTime
    RealPlayer Basic
    reversudoku version 1.0
    Roxio DLA
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    ScanToWeb
    Search Assist
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    Senegal Checkers v1.0
    Simple Sudoku 4.1
    Sonic Activation Module
    Sonic Update Manager
    SUManager Plus
    The Golden Jigsaw 1.0
    TroopManager Plus
    Unity Web Player
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    URL Assistant
    Wal-Mart Music Downloads Store
    WebFldrs XP
    WIDI Recognition System Pro 3.3 (remove only)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 10
    Windows Media Player 11
    Windows XP Service Pack 3
    WordPerfect Office 12
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    11/23/2011 8:10:44 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Software Updater service to connect.
    11/23/2011 8:06:24 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    11/23/2011 3:52:04 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    11/23/2011 3:49:58 AM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 14 time(s).
    11/23/2011 3:49:58 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 14 time(s).
    11/23/2011 3:45:07 AM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
    11/23/2011 3:41:59 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McShield service to connect.
    11/23/2011 3:41:59 AM, error: Service Control Manager [7000] - The McShield service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/23/2011 10:32:22 AM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 4 time(s).
    11/23/2011 10:32:22 AM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 4 time(s).
    11/23/2011 10:32:22 AM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 4 time(s).
    11/23/2011 10:32:22 AM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 4 time(s).
    11/23/2011 10:32:22 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 4 time(s).
    11/23/2011 10:21:16 AM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 3 time(s).
    11/23/2011 10:21:16 AM, error: Service Control Manager [7034] - The Help and Support service terminated unexpectedly. It has done this 3 time(s).
    11/23/2011 10:21:16 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 3 time(s).
    11/22/2011 8:34:34 PM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 8 time(s).
    11/22/2011 8:34:34 PM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 8 time(s).
    11/22/2011 8:34:34 PM, error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    11/22/2011 6:09:14 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/22/2011 6:08:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
    11/22/2011 6:07:16 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Yahoo! Updater service to connect.
    11/22/2011 6:07:16 PM, error: Service Control Manager [7000] - The Yahoo! Updater service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    11/22/2011 5:28:57 PM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    .
    ==== End Of File ===========================
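The Event Viewer section above is where a responder looks first, so here, as an added example (not part of the DDS output or of this thread), is the triage in Python: it parses Service Control Manager lines in exactly the format shown and flags the two things that matter in this log, the McAfee services failing to run and several services terminating in the same second, which points at one shared host process (the svchost.exe noted in the first post) being killed. The sample lines are copied from the log above; the SECURITY_SERVICES set is an assumption built from the service names in that log.

```python
"""Triage of Service Control Manager (SCM) lines from a DDS 'Event Viewer Messages' section."""
import re
from collections import defaultdict
from datetime import datetime

# Sample input: a subset of the Event Viewer lines posted in the log above, verbatim.
SAMPLE_EVENTS = """
11/23/2011 8:10:44 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Software Updater service to connect.
11/23/2011 8:06:24 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
11/23/2011 3:45:07 AM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
11/23/2011 3:41:59 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McShield service to connect.
11/23/2011 3:41:59 AM, error: Service Control Manager [7000] - The McShield service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/23/2011 10:32:22 AM, error: Service Control Manager [7034] - The Telephony service terminated unexpectedly. It has done this 4 time(s).
11/23/2011 10:32:22 AM, error: Service Control Manager [7034] - The System Event Notification service terminated unexpectedly. It has done this 4 time(s).
11/23/2011 10:32:22 AM, error: Service Control Manager [7034] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 4 time(s).
11/23/2011 10:32:22 AM, error: Service Control Manager [7034] - The Network Location Awareness (NLA) service terminated unexpectedly. It has done this 4 time(s).
11/23/2011 10:32:22 AM, error: Service Control Manager [7034] - The COM+ Event System service terminated unexpectedly. It has done this 4 time(s).
11/22/2011 5:28:57 PM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
"""

# Line shape: "11/23/2011 8:10:44 AM, error: Service Control Manager [7009] - message"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"

# SCM event IDs that appear in the log and what each one means for triage.
EVENT_KINDS = {
    7034: "terminated",          # service died, no recovery action configured
    7031: "terminated",          # service died, SCM will try to restart it
    7000: "start_failed",        # service failed to start
    7009: "start_failed",        # service never connected to the SCM (timeout)
    7026: "driver_load_failed",  # boot/system-start driver did not load
    7032: "restart_failed",      # SCM's own recovery action failed
}

# How the service (or driver) name is embedded in each message form.
SUBJECT_RES = [
    re.compile(r"^The (?P<name>.+?) service (?:terminated unexpectedly|failed to start)"),
    re.compile(r"waiting for the (?P<name>.+?) service to connect"),
    re.compile(r"unexpected termination of the (?P<name>.+?) service"),
    re.compile(r"driver\(s\) failed to load: (?P<name>.+)$"),
]
COUNT_RE = re.compile(r"It has done this (?P<n>\d+) time\(s\)")

# Assumption: the security product's services in this thread (names taken from the log).
SECURITY_SERVICES = {"McShield", "McAfee Scanner"}


def parse_events(text):
    """Parse SCM event lines into dicts; lines in any other format are skipped."""
    events = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        subject = None
        for pat in SUBJECT_RES:
            sm = pat.search(msg)
            if sm:
                subject = sm.group("name").strip()
                break
        cm = COUNT_RE.search(msg)
        event_id = int(m.group("event_id"))
        events.append({
            "timestamp": datetime.strptime(m.group("ts"), TS_FORMAT),
            "event_id": event_id,
            "kind": EVENT_KINDS.get(event_id, "other"),
            "subject": subject,
            "count": int(cm.group("n")) if cm else None,
            "message": msg,
        })
    return events


def triage(events):
    """Return the findings a responder wants first from these events."""
    impaired = set()
    died_at = defaultdict(list)
    for e in events:
        if e["subject"] in SECURITY_SERVICES and e["kind"] in ("terminated", "start_failed"):
            impaired.add(e["subject"])
        if e["kind"] == "terminated":
            died_at[e["timestamp"]].append(e["subject"])
    # Two or more services dying in the same second means they shared one host
    # process (on XP typically a single svchost.exe) and that process went down.
    crash_groups = {ts: names for ts, names in died_at.items() if len(names) >= 2}
    findings = [f"security service impaired: {name}" for name in sorted(impaired)]
    for ts in sorted(crash_groups):
        findings.append(
            f"{len(crash_groups[ts])} services terminated together at "
            f"{ts:%Y-%m-%d %H:%M:%S}: shared host process likely crashed or was killed"
        )
    return {"impaired_security_services": impaired,
            "crash_groups": crash_groups,
            "findings": findings}


if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_EVENTS))["findings"]:
        print(finding)
```

Feed it the whole Event Viewer section of a DDS log and the 7026 driver-load failures and 7032 restart failures are kept as parsed events too, so the same structure can be extended with further rules.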
     
  5. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================================================

    Download TDSSKiller and save it to your desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  6. NomenOblitum

    NomenOblitum TS Rookie Topic Starter Posts: 29

    TDSSKiller

    22:15:27.0421 4052 TDSS rootkit removing tool 2.6.20.0 Nov 22 2011 12:05:55
    22:15:29.0406 4052 ============================================================
    22:15:29.0406 4052 Current date / time: 2011/11/23 22:15:29.0406
    22:15:29.0406 4052 SystemInfo:
    22:15:29.0406 4052
    22:15:29.0406 4052 OS Version: 5.1.2600 ServicePack: 3.0
    22:15:29.0406 4052 Product type: Workstation
    22:15:29.0406 4052 ComputerName: KITTY-KITTY
    22:15:29.0406 4052 UserName: All
    22:15:29.0406 4052 Windows directory: C:\WINDOWS
    22:15:29.0406 4052 System windows directory: C:\WINDOWS
    22:15:29.0406 4052 Processor architecture: Intel x86
    22:15:29.0406 4052 Number of processors: 1
    22:15:29.0406 4052 Page size: 0x1000
    22:15:29.0406 4052 Boot type: Normal boot
    22:15:29.0406 4052 ============================================================
    22:15:33.0625 4052 Initialize success
    22:15:51.0625 3448 ============================================================
    22:15:51.0625 3448 Scan started
    22:15:51.0625 3448 Mode: Manual;
    22:15:51.0625 3448 ============================================================
    22:16:06.0328 3448 ini910u - ok
    22:16:06.0500 3448 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    22:16:06.0500 3448 IntelIde - ok
    22:16:06.0562 3448 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    22:16:06.0609 3448 intelppm - ok
    22:16:06.0765 3448 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    22:16:06.0765 3448 Ip6Fw - ok
    22:16:06.0859 3448 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    22:16:06.0859 3448 IpFilterDriver - ok
    22:16:06.0937 3448 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    22:16:06.0968 3448 IpInIp - ok
    22:16:07.0125 3448 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    22:16:07.0125 3448 IpNat - ok
    22:16:07.0203 3448 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    22:16:07.0203 3448 IPSec - ok
    22:16:07.0359 3448 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    22:16:07.0375 3448 IRENUM - ok
    22:16:07.0578 3448 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    22:16:07.0578 3448 isapnp - ok
    22:16:07.0750 3448 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    22:16:07.0796 3448 Kbdclass - ok
    22:16:07.0937 3448 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    22:16:07.0937 3448 kbdhid - ok
    22:16:08.0015 3448 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    22:16:08.0015 3448 kmixer - ok
    22:16:08.0171 3448 km_filter (62c44c9bbc531a88b26108476d093e7a) C:\WINDOWS\system32\drivers\km_filter.sys
    22:16:08.0171 3448 km_filter - ok
    22:16:08.0281 3448 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    22:16:08.0281 3448 KSecDD - ok
    22:16:08.0328 3448 lbrtfdc - ok
    22:16:08.0484 3448 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    22:16:08.0484 3448 mdmxsdk - ok
    22:16:08.0656 3448 mfeapfk (113445fc6a858ef453cded5b0a0df665) C:\WINDOWS\system32\drivers\mfeapfk.sys
    22:16:08.0890 3448 mfeapfk - ok
    22:16:09.0031 3448 mfeavfk (dbf6e1b388d5c070d438c61adb990c30) C:\WINDOWS\system32\drivers\mfeavfk.sys
    22:16:09.0125 3448 mfeavfk - ok
    22:16:09.0171 3448 mfeavfk01 - ok
    22:16:09.0250 3448 mfebopk (a528b15e330edb83ea649be318d841d5) C:\WINDOWS\system32\drivers\mfebopk.sys
    22:16:09.0250 3448 mfebopk - ok
    22:16:09.0406 3448 mfefirek (c7da1b8003c89acedaa13768f7a1c622) C:\WINDOWS\system32\drivers\mfefirek.sys
    22:16:09.0421 3448 mfefirek - ok
    22:16:09.0531 3448 mfehidk (5e9679bb2fc4fa38ec8ca906c47acd46) C:\WINDOWS\system32\drivers\mfehidk.sys
    22:16:09.0546 3448 mfehidk - ok
    22:16:09.0718 3448 mfendisk (b1728195877b18ce63cf0cd00b2871eb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
    22:16:09.0718 3448 mfendisk - ok
    22:16:09.0734 3448 mfendiskmp (b1728195877b18ce63cf0cd00b2871eb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
    22:16:09.0734 3448 mfendiskmp - ok
    22:16:09.0828 3448 mferkdet (ce1711f7c3f72f6762abd241dcfd5ee1) C:\WINDOWS\system32\drivers\mferkdet.sys
    22:16:10.0031 3448 mferkdet - ok
    22:16:10.0203 3448 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
    22:16:10.0421 3448 mferkdk - ok
    22:16:10.0546 3448 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
    22:16:10.0546 3448 mfesmfk - ok
    22:16:10.0656 3448 mfetdi2k (25e12c68b49a64ffc873603dfd578236) C:\WINDOWS\system32\drivers\mfetdi2k.sys
    22:16:10.0656 3448 mfetdi2k - ok
    22:16:10.0828 3448 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    22:16:10.0828 3448 mnmdd - ok
    22:16:10.0968 3448 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    22:16:10.0968 3448 Modem - ok
    22:16:11.0125 3448 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
    22:16:11.0265 3448 MODEMCSA - ok
    22:16:11.0421 3448 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    22:16:11.0421 3448 Mouclass - ok
    22:16:11.0515 3448 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    22:16:11.0531 3448 mouhid - ok
    22:16:11.0687 3448 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    22:16:11.0687 3448 MountMgr - ok
    22:16:11.0859 3448 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    22:16:11.0859 3448 mraid35x - ok
    22:16:12.0015 3448 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    22:16:12.0031 3448 MRxDAV - ok
    22:16:12.0125 3448 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    22:16:12.0140 3448 MRxSmb - ok
    22:16:12.0296 3448 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    22:16:12.0296 3448 Msfs - ok
    22:16:12.0375 3448 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    22:16:12.0375 3448 MSKSSRV - ok
    22:16:12.0453 3448 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    22:16:12.0468 3448 MSPCLOCK - ok
    22:16:12.0562 3448 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    22:16:12.0562 3448 MSPQM - ok
    22:16:12.0718 3448 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    22:16:12.0718 3448 mssmbios - ok
    22:16:12.0843 3448 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    22:16:12.0843 3448 Mup - ok
    22:16:12.0937 3448 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    22:16:12.0937 3448 NDIS - ok
    22:16:13.0078 3448 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    22:16:13.0078 3448 NdisTapi - ok
    22:16:13.0156 3448 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    22:16:13.0156 3448 Ndisuio - ok
    22:16:13.0312 3448 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    22:16:13.0312 3448 NdisWan - ok
    22:16:13.0406 3448 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    22:16:13.0406 3448 NDProxy - ok
    22:16:13.0562 3448 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    22:16:13.0562 3448 NetBIOS - ok
    22:16:13.0671 3448 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    22:16:13.0671 3448 NetBT - ok
    22:16:13.0796 3448 NielGfx (dc810d3a9c6ffa0d265776b72fe82cd1) C:\WINDOWS\system32\drivers\nielgfx.sys
    22:16:13.0812 3448 NielGfx - ok
    22:16:13.0984 3448 nielprt (7cd1343788a92427f273ad5cc8bc272b) C:\WINDOWS\system32\DRIVERS\nielprt.sys
    22:16:13.0984 3448 nielprt - ok
    22:16:14.0078 3448 nnrnstdi (d80caada791e39dc2d4e7d6a9c6da7e0) C:\WINDOWS\system32\drivers\nnrnstdi.sys
    22:16:14.0078 3448 nnrnstdi - ok
    22:16:14.0250 3448 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    22:16:14.0265 3448 Npfs - ok
    22:16:14.0343 3448 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    22:16:14.0375 3448 Ntfs - ok
    22:16:14.0515 3448 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    22:16:14.0515 3448 Null - ok
    22:16:14.0640 3448 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    22:16:14.0687 3448 nv - ok
    22:16:14.0781 3448 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    22:16:14.0796 3448 NwlnkFlt - ok
    22:16:15.0000 3448 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    22:16:15.0000 3448 NwlnkFwd - ok
    22:16:15.0109 3448 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    22:16:15.0109 3448 Parport - ok
    22:16:15.0250 3448 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    22:16:15.0250 3448 PartMgr - ok
    22:16:15.0453 3448 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    22:16:15.0453 3448 ParVdm - ok
    22:16:15.0578 3448 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    22:16:15.0578 3448 PCI - ok
    22:16:15.0703 3448 PCIDump - ok
    22:16:15.0843 3448 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    22:16:15.0843 3448 PCIIde - ok
    22:16:15.0984 3448 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    22:16:16.0000 3448 Pcmcia - ok
    22:16:16.0062 3448 PDCOMP - ok
    22:16:16.0140 3448 PDFRAME - ok
    22:16:16.0187 3448 PDRELI - ok
    22:16:16.0218 3448 PDRFRAME - ok
    22:16:16.0281 3448 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    22:16:16.0281 3448 perc2 - ok
    22:16:16.0375 3448 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    22:16:16.0375 3448 perc2hib - ok
    22:16:16.0562 3448 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    22:16:16.0578 3448 PptpMiniport - ok
    22:16:16.0671 3448 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    22:16:16.0671 3448 PSched - ok
    22:16:16.0765 3448 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    22:16:16.0781 3448 Ptilink - ok
    22:16:16.0890 3448 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    22:16:16.0890 3448 PxHelp20 - ok
    22:16:17.0031 3448 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
    22:16:17.0031 3448 ql1080 - ok
    22:16:17.0218 3448 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
    22:16:17.0234 3448 Ql10wnt - ok
    22:16:17.0312 3448 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
    22:16:17.0312 3448 ql12160 - ok
    22:16:17.0390 3448 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
    22:16:17.0390 3448 ql1240 - ok
    22:16:17.0500 3448 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
    22:16:17.0500 3448 ql1280 - ok
    22:16:17.0578 3448 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    22:16:17.0593 3448 RasAcd - ok
    22:16:17.0703 3448 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    22:16:17.0703 3448 Rasl2tp - ok
    22:16:17.0859 3448 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    22:16:17.0859 3448 RasPppoe - ok
    22:16:18.0046 3448 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    22:16:18.0046 3448 Raspti - ok
    22:16:18.0234 3448 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    22:16:18.0250 3448 Rdbss - ok
    22:16:18.0406 3448 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    22:16:18.0406 3448 RDPCDD - ok
    22:16:18.0531 3448 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    22:16:18.0546 3448 rdpdr - ok
    22:16:18.0703 3448 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    22:16:18.0703 3448 RDPWD - ok
    22:16:18.0796 3448 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    22:16:18.0812 3448 redbook - ok
    22:16:19.0046 3448 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    22:16:19.0046 3448 Secdrv - ok
    22:16:19.0171 3448 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
    22:16:19.0203 3448 senfilt - ok
    22:16:19.0359 3448 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    22:16:19.0359 3448 serenum - ok
    22:16:19.0453 3448 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    22:16:19.0484 3448 Serial - ok
    22:16:19.0671 3448 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    22:16:19.0671 3448 Sfloppy - ok
    22:16:19.0734 3448 Simbad - ok
    22:16:19.0796 3448 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
    22:16:19.0796 3448 sisagp - ok
    22:16:19.0984 3448 smwdm (0066ff77aeb4ae70066f7e94d5a6d866) C:\WINDOWS\system32\drivers\smwdm.sys
    22:16:19.0984 3448 smwdm - ok
    22:16:20.0171 3448 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
    22:16:20.0187 3448 Sparrow - ok
    22:16:20.0328 3448 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    22:16:20.0328 3448 splitter - ok
    22:16:20.0421 3448 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    22:16:20.0421 3448 sr - ok
    22:16:20.0609 3448 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    22:16:20.0625 3448 Srv - ok
    22:16:20.0796 3448 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    22:16:20.0796 3448 swenum - ok
    22:16:21.0000 3448 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    22:16:21.0000 3448 swmidi - ok
    22:16:21.0156 3448 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    22:16:21.0328 3448 symc810 - ok
    22:16:21.0500 3448 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    22:16:21.0500 3448 symc8xx - ok
    22:16:21.0640 3448 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    22:16:21.0640 3448 sym_hi - ok
    22:16:21.0718 3448 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    22:16:21.0718 3448 sym_u3 - ok
    22:16:21.0812 3448 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    22:16:21.0812 3448 sysaudio - ok
    22:16:22.0015 3448 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    22:16:22.0031 3448 Tcpip - ok
    22:16:22.0187 3448 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    22:16:22.0187 3448 TDPIPE - ok
    22:16:22.0296 3448 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    22:16:22.0296 3448 TDTCP - ok
    22:16:22.0390 3448 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    22:16:22.0390 3448 TermDD - ok
    22:16:22.0515 3448 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
    22:16:22.0515 3448 TosIde - ok
    22:16:22.0625 3448 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    22:16:22.0625 3448 Udfs - ok
    22:16:22.0796 3448 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
    22:16:22.0796 3448 ultra - ok
    22:16:22.0953 3448 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    22:16:22.0968 3448 Update - ok
    22:16:23.0187 3448 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    22:16:23.0187 3448 usbccgp - ok
    22:16:23.0281 3448 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    22:16:23.0281 3448 usbehci - ok
    22:16:23.0343 3448 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    22:16:23.0359 3448 usbhub - ok
    22:16:23.0421 3448 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    22:16:23.0437 3448 usbprint - ok
    22:16:23.0578 3448 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    22:16:23.0578 3448 usbscan - ok
    22:16:23.0687 3448 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    22:16:23.0687 3448 USBSTOR - ok
    22:16:23.0843 3448 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    22:16:23.0843 3448 usbuhci - ok
    22:16:23.0921 3448 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    22:16:23.0937 3448 VgaSave - ok
    22:16:24.0140 3448 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
    22:16:24.0140 3448 viaagp - ok
    22:16:24.0218 3448 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    22:16:24.0218 3448 ViaIde - ok
    22:16:24.0312 3448 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    22:16:24.0312 3448 VolSnap - ok
    22:16:24.0359 3448 vsdatant - ok
    22:16:24.0453 3448 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    22:16:24.0468 3448 Wanarp - ok
    22:16:24.0578 3448 wanatw - ok
    22:16:24.0703 3448 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
    22:16:24.0718 3448 Wdf01000 - ok
    22:16:24.0859 3448 WDICA - ok
    22:16:24.0968 3448 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    22:16:24.0968 3448 wdmaud - ok
    22:16:25.0187 3448 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    22:16:25.0250 3448 winachsf - ok
    22:16:25.0453 3448 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    22:16:25.0453 3448 WS2IFSL - ok
    22:16:25.0562 3448 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    22:16:25.0578 3448 WudfPf - ok
    22:16:25.0765 3448 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    22:16:25.0781 3448 WudfRd - ok
    22:16:25.0859 3448 MBR (0x1B8) (928373674867a2875576c335333e620f) \Device\Harddisk0\DR0
    22:16:25.0875 3448 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
    22:16:25.0875 3448 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
    22:16:25.0906 3448 Boot (0x1200) (1ad9e18daf6cb1c8863bbed46afd1316) \Device\Harddisk0\DR0\Partition0
    22:16:25.0906 3448 \Device\Harddisk0\DR0\Partition0 - ok
    22:16:25.0937 3448 Boot (0x1200) (a277710133d36d0e5d60b2e399fa6fae) \Device\Harddisk0\DR0\Partition1
    22:16:25.0937 3448 \Device\Harddisk0\DR0\Partition1 - ok
    22:16:25.0953 3448 ============================================================
    22:16:25.0953 3448 Scan finished
    22:16:25.0953 3448 ============================================================
    22:16:25.0968 2748 Detected object count: 1
    22:16:25.0968 2748 Actual detected object count: 1
    22:16:49.0953 2748 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    22:16:49.0953 2748 \Device\Harddisk0\DR0 - ok
    22:16:49.0953 2748 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
    22:17:07.0281 3828 Deinitialize success
     
  7. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Good :)

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
     
  8. NomenOblitum

    NomenOblitum TS Rookie Topic Starter Posts: 29

    Rootkit Unhooker

    As soon as I unchecked the rest and hit OK, the computer went to a blue screen.


    Restarted computer and tried again:

    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 3)
    Number of processors #1
    ==============================================
    >Drivers
    ==============================================
    0xF8A7F000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0xF8AF7000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0xF8AD7000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
    0xF8AFF000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
    0xF897F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
    0xF8AA7000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
    0xF8987000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0xF8AAF000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
    0xF8A9F000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
    0xF89D7000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
    0xEECDE000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 16384 bytes (Sonic Solutions, Drive Letter Access Component)
    0xF7542000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xF8BB7000 C:\WINDOWS\system32\drivers\MODEMCSA.sys 16384 bytes (Microsoft Corporation, Unimodem CSA Filter)
    0xF8B97000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
    0xEEBB2000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
    0xF8BE3000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
    0xF8B07000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
    0xEECDA000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
    0xF754A000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
    0xF8BC3000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
    0xF8BEB000 C:\WINDOWS\system32\drivers\km_filter.sys 12288 bytes (The Nielsen Company, Audio Filter Driver)
    0xEE291000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
    0xF753E000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xF8BF3000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0xF8BCB000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0xF8BDF000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)
    0xF8C33000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows (R) 2000 DDK provider, TR Manager)
    0xF8C45000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
    0xF8C37000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Sonic Solutions, Shared Driver Component)
    0xF8CA9000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Sonic Solutions, Drive Letter Access Component)
    0xF8C39000 C:\WINDOWS\system32\DRIVERS\dsunidrv.sys 8192 bytes (Gteko Ltd., GUniDriver)
    0xF8C9B000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
    0xF8C43000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
    0xF8BFB000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
    0xF8BF7000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0xF8C47000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
    0xF8C49000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
    0xF8C3D000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0xF8C41000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0xF8BF9000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0xF8D04000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
    0xF8DF0000 C:\WINDOWS\System32\DLA\DLADResN.SYS 4096 bytes (Sonic Solutions, Drive Letter Access Component)
    0xF8CC5000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
    0xF8DB4000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
    0xF8CBF000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    ==============================================
    >Stealth
    ==============================================
     
  9. NomenOblitum

    NomenOblitum TS Rookie Topic Starter Posts: 29

    Experienced a bad Google redirect followed by the following warnings:

    McAfee warning: Trojan Artemis!9AC596449C52

    Google warning: It appears that your computer is infected with software that intercepts your connection to Google and other sites.

    Ran another Malwarebytes quick scan

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8222

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    11/24/2011 2:50:18 AM
    mbam-log-2011-11-24 (02-50-18).txt

    Scan type: Quick scan
    Objects scanned: 198175
    Time elapsed: 28 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\All\local settings\Temp\5606.sys (Heuristics.Shuriken) -> Quarantined and deleted successfully.
     
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    No worries.
    So far we eliminated the main culprit, a rootkit.

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan:

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  11. NomenOblitum

    NomenOblitum TS Rookie Topic Starter Posts: 29

    aswMBR

    Computer behavior note: Have experienced redirects when trying to Google

    ~~~~~~~~~~~~~~~~~~~~~~~~
    Two settings to the left of the Scan button were not addressed in the directions:
    Trace disk IO calls Check box= on
    AV Scan Drop down = QuickScan

    If those need to be different, please let me know so that I can rerun the scan. Thank you.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-11-25 04:10:35
    -----------------------------
    04:10:35.968 OS Version: Windows 5.1.2600 Service Pack 3
    04:10:35.968 Number of processors: 1 586 0x409
    04:10:35.968 ComputerName: KITTY-KITTY UserName: All
    04:11:08.703 Initialize success
    04:13:07.421 AVAST engine defs: 11112400
    04:13:23.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    04:13:23.750 Disk 0 Vendor: ST380011A 8.16 Size: 76293MB BusType: 3
    04:13:25.890 Disk 0 MBR read successfully
    04:13:25.906 Disk 0 MBR scan
    04:13:26.437 Disk 0 unknown MBR code
    04:13:26.500 Disk 0 scanning sectors +156232125
    04:13:27.718 Disk 0 scanning C:\WINDOWS\system32\drivers
    04:15:20.015 Service scanning
    04:15:24.468 Service ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys **LOCKED** 32
    04:15:29.093 Modules scanning
    04:16:31.750 Disk 0 trace - called modules:
    04:16:31.781 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8273a079]<<
    04:16:31.796 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82fd7ab8]
    04:16:31.859 3 CLASSPNP.SYS[f86d7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82fddd98]
    04:16:34.375 AVAST engine scan C:\WINDOWS
    04:17:40.421 AVAST engine scan C:\WINDOWS\system32
    04:23:30.703 AVAST engine scan C:\WINDOWS\system32\drivers
    04:24:24.984 AVAST engine scan C:\Documents and Settings\All
    05:14:33.812 AVAST engine scan C:\Documents and Settings\All Users
    05:48:03.953 Scan finished successfully
    09:17:58.347 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\All\My Documents\Sherri's Documents\Computer Questions\MBR.dat"
    09:17:58.519 The log file has been saved successfully to "C:\Documents and Settings\All\My Documents\Sherri's Documents\Computer Questions\Nov252011-aswMBR.txt"
     
  12. NomenOblitum

    NomenOblitum TS Rookie Topic Starter Posts: 29

    ComboFix

    ComboFix 11-11-25.01 - All 11/25/2011 9:49.3.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.163 [GMT -5:00]
    Running from: c:\documents and settings\All\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All\g2mdlhlpx.exe
    c:\documents and settings\All\WINDOWS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-25 to 2011-11-25 )))))))))))))))))))))))))))))))
    .
    .
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-16 12:36 . 2011-06-13 10:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22 . 2004-08-10 19:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06 . 2004-08-10 18:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41 . 2008-07-29 23:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41 . 2004-08-10 18:51 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41 . 2004-08-10 18:51 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    2011-09-06 13:20 . 2004-08-10 18:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-31 22:00 . 2011-02-10 17:56 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2007-04-17 09:43 . 2007-04-17 09:44 159744 ----a-w- c:\program files\mozilla firefox\components\nrigk.dll
    2011-04-14 18:01 . 2011-01-20 18:20 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
    "Aim"="c:\program files\AIM7\aim.exe" [2011-01-05 4321112]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-01 26112]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-04-01 98304]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
    "MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
    "Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-11-17 106496]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
    "Conime"="c:\windows\system32\conime.exe" [2008-04-14 27648]
    "EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-10-22 1310720]
    "NielsenOnline"="c:\program files\NetRatingsNetSight\NetSight\NielsenOnline.exe" [2008-09-04 45056]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    .
    c:\documents and settings\All\Start Menu\Programs\Startup\
    3DO Registration.lnk - c:\rocky's games\Register\Remind32.exe [2006-4-14 67584]
    Forget Me Not Reminders.lnk - c:\cacard\FMREMIND.EXE [2009-5-22 6224]
    H3 The Shadow of Death(TM).lnk - c:\rocky's games\RegisterSOD\Remind32.exe [2006-4-14 67584]
    OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]
    OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
    PowerReg Scheduler.exe [2006-4-24 189952]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-4-1 24576]
    Microsoft Office Fast Start.lnk - c:\msoffice\Office\FASTBOOT.EXE [1996-3-19 14848]
    Microsoft Office Find Fast Indexer.lnk - c:\msoffice\Office\FINDFAST.EXE [1996-3-19 86528]
    Microsoft Office Shortcut Bar.lnk - c:\msoffice\Office\MSOFFICE.EXE [1996-3-19 365056]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\AIM7\\aim.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9322:TCP"= 9322:TCP:EKDiscovery
    "9323:TCP"= 9323:TCP:EKDiscovery
    .
    R0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys [9/18/2009 3:44 PM 24192]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [1/20/2011 1:19 PM 84200]
    R1 nnrnstdi;nnrnstdi;c:\windows\system32\drivers\nnrnstdi.sys [9/18/2009 3:45 PM 15360]
    R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [10/10/2008 8:33 AM 274432]
    R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\Center\KodakSvc.exe [12/1/2008 5:58 PM 28672]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/6/2009 1:56 PM 94880]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [1/20/2011 1:19 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [1/20/2011 1:19 PM 271480]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [1/20/2011 1:19 PM 56064]
    R3 km_filter;km_filter;c:\windows\system32\drivers\km_filter.sys [9/18/2009 3:45 PM 9088]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [1/20/2011 1:19 PM 314088]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [1/20/2011 1:19 PM 88736]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2009 9:50 AM 135664]
    S3 BlackBox;BlackBox SR2; [x]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/21/2009 9:50 AM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [1/20/2011 1:19 PM 88736]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/20/2011 1:19 PM 84488]
    S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys [9/18/2009 3:44 PM 9088]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - ASWMBR
    *Deregistered* - aswMBR
    *Deregistered* - fglirpow
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-25 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-20 21:10]
    .
    2011-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 14:50]
    .
    2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 14:50]
    .
    2011-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3114355953-2725325480-1384795550-1006Core.job
    - c:\documents and settings\All\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-03 14:48]
    .
    2011-11-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3114355953-2725325480-1384795550-1006UA.job
    - c:\documents and settings\All\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-03 14:48]
    .
    2011-11-24 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
    - c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2008-12-01 22:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: &AOL Toolbar Search
    TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
    FF - ProfilePath - c:\documents and settings\All\Application Data\Mozilla\Firefox\Profiles\s3v46o9y.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://hamptonroads.cox.net/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Feed Filter: facebookfilter@chocolatesoftware.com - %profile%\extensions\facebookfilter@chocolatesoftware.com
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Nielsen: {D908A1CC-54B4-4af9-9BB4-964F5BD3CDB7} - c:\program files\NetRatingsNetSight\NetSight\meter7\FFAddon
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-25 10:18
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-11-25 10:26:54
    ComboFix-quarantined-files.txt 2011-11-25 15:26
    .
    Pre-Run: 24,188,088,320 bytes free
    Post-Run: 24,372,547,584 bytes free
    .
    - - End Of File - - 9FF5D895644D7F4A9F97A5D6CE720A7D
     
  13. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Still redirected?
    If so which browser?

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  14. NomenOblitum

    NomenOblitum TS Rookie Topic Starter Posts: 29

    No redirects today, yesterday's were with Firefox; I don't think anyone tried any searches with other browsers.

    ~~~~~~~~~~~~~~~~~~~~

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`02738a00
    Boot sector MD5 is: d151c79dcec0bf1ec983bea63558a0ef

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
     
  15. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Good :)

    Give it a shot. I need to know.

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
Topic Status:
Not open for further replies.
