TechSpot

"Hard drive clusters are partly damaged" message

Inactive
By khastings
Dec 27, 2011
  1. Good afternoon. I have seen many threads posted related to this "hard drive clusters are partly damaged" fake error message and am currently in the 5-step process. I've never posted on this website before, but I believe I am supposed to start a new thread in order to post the logs to it. I have AVG Anti-Virus Free Edition 2012 and although it appears to have scanned, I can't get it to update.

    So here goes, and thank you!
    Karen
  2. khastings

    khastings TS Rookie Topic Starter Posts: 36

    MBAM Log

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122405

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/27/2011 1:06:56 PM
    mbam-log-2011-12-27 (13-06-56).txt

    Scan type: Quick scan
    Objects scanned: 185408
    Time elapsed: 2 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 7
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
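The seven "Registry Data Items" in the MBAM log above are the values this rogue uses to hide the desktop and strip the Start menu. The script below is an added example, not part of the thread and not Malwarebytes' code: it re-checks exactly those values against the "Good" states the log reports (1 for the Start_Show* entries, 0 for NoDesktop), and with -Repair puts them back the way MBAM did. It assumes PowerShell is installed on the XP machine (it is not there by default) and that it runs as the affected user, since the keys live under HKEY_CURRENT_USER; the function names and the -Repair switch are my own.

```powershell
# Added example (not from the thread): re-audit the Explorer values that MBAM
# flagged as PUM.Hijack.StartMenu / PUM.Hidden.Desktop in the log above.
# Assumes PowerShell is available; key paths and "Good" values are taken
# from the MBAM log in this thread.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Name, key and expected ("Good") value, one row per line of the MBAM log.
$checks = @(
    @{ Name = 'Start_ShowControlPanel'; Key = $advanced; Good = 1 }
    @{ Name = 'Start_ShowHelp';         Key = $advanced; Good = 1 }
    @{ Name = 'Start_ShowMyComputer';   Key = $advanced; Good = 1 }
    @{ Name = 'Start_ShowMyDocs';       Key = $advanced; Good = 1 }
    @{ Name = 'Start_ShowRun';          Key = $advanced; Good = 1 }
    @{ Name = 'Start_ShowSearch';       Key = $advanced; Good = 1 }
    @{ Name = 'NoDesktop';              Key = $policies; Good = 0 }
)

function Get-RegValueOrNull([string]$Key, [string]$Name) {
    # Returns the DWORD, or $null when the key or value is absent.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ExplorerHijack {
    param([switch]$Repair)   # hypothetical switch: restore the Good value when set
    $findings = @()
    foreach ($c in $checks) {
        $current = Get-RegValueOrNull -Key $c.Key -Name $c.Name
        # MBAM's own fix deleted these values, so an absent value is the
        # remediated state; only a present value in the Bad state is a finding.
        if ($null -eq $current -or $current -eq $c.Good) { continue }
        $findings += [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Bad = $current; Good = $c.Good }
        if ($Repair) {
            if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
            Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Good -Type DWord
        }
    }
    return $findings
}

# Report only; add -Repair to restore the Good values as well.
$hits = @(Test-ExplorerHijack)
if ($hits.Count -eq 0) { 'No hijacked Start menu / desktop values found.' }
else { $hits | Format-Table -AutoSize }
```

If the values come back after a reboot, the process that resets them is still running; that is the reason the helper runs RKill and TDSSKiller before rescanning, and a repair of the values alone will not hold until that process is gone.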
  3. khastings

    khastings TS Rookie Topic Starter Posts: 36

    GMER Log

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-12-27 13:15:15
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD800JD-60LSA0 rev.07.01D07
    Running: jpkqur93.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fxtdypow.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----
  4. khastings

    khastings TS Rookie Topic Starter Posts: 36

    Problems encountered

    Hi - I couldn't temporarily disable AVG protection; it says "An error occurred when saving the configuration. Connection is off-line." But I am online.
    Also, can't find how to disable script blocking protection, can't run DDS as a result. Sorry this isn't going so smoothly...
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot Karen. These rogue programs are doing a number on a lot of people.

    About AVG. Their author didn't leave any way for AVG to be disabled to run some of the scans. You will have to uninstall it temporarily to run Combofix and I'll give you a program to do that. So let's go this route:
    (be sure to put one of the temporary AV on the system)

    Download AppRemover and save to the desktop
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
    5. Click on Next after choice has been made
    6. Check the AVG program you want to uninstall
    7. After uninstall shows complete, follow online prompts to Exit the program.

    Temporary AV: Use one:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast Free Version
    =============================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =======================================
    It is important that you do not delete any files from your Temp folder or use any temp file cleaners.
    ================================
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.
    =======================================
    This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, so we will first need to fix this. Launch Internet Explorer:
    • Access Internet Options through Tools> Connections tab
    • Click on the Lan Settings at the bottom
    • Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN'.
    • Then click on OK> and OK again to close Internet Options.
    ========================================
    To end the processes that belong to the rogue program:
    Please click on RKill
    • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
    • Double click on the iExplore.exe icon
    • Please be patient- it may take a bit.
    • The black Window will close when through and you can continue.
    Note: If you get a message that RKill is malware, ignore it> it's from the malware.
    =======================================
    Do not reboot your computer after running RKill as the malware programs will start again.
    ================================
    4. This malware frequently comes with the TDSS rootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
    ====================================
    5. Update and rescan with Malwarebytes:
    • Select Perform Full Scan on the Scanner tab
    • Click on the Scan button.
    • When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format>Uncheck Word Wrap before copying the log to paste in your next reply.
    ==============================
    If the desktop background is black or if the theme has been removed:
    Correct Display Changes if needed:
    For Windows XP: Click on Start> Control Panel> Display> change theme and/or background if needed.
    For Windows Vista or Windows 7: Click on Start> Control Panel> Appearance & Personalization> Select Change Theme or Change Desktop Background
    =====================================
    You can now reboot back into Normal Mode
    ====================================
    If you seem to be missing icons, program, files, etc., go ahead and run the following:
    1. Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.
    ====================================
    Summary to help you get through:
    Run App Remover for AVG- put temp. AV on system
    Run Combofix
    Boot into Safe Mode
    Stop Proxy
    Stop malware process>>RKill
    Run TDSS
    Do a Full scan Mbam
    --------------------
    If you have the black screen display problem, fix that,
    If you have hidden processes, run unhide.
    ==================================
    After I check these logs, I may have you go back and run DDS.
    ======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
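The "Stop Proxy" step in the post above is done by hand through Internet Options. The script below is an added example, not part of Bobbye's instructions or of any of the tools named in the thread: it reads the same per-user WinINet settings that the LAN Settings dialog edits (ProxyEnable, ProxyServer and AutoConfigURL under the Internet Settings key) so you can confirm the rogue's proxy is really gone after closing the dialog, and clears it if it comes back. It assumes PowerShell is available on the machine; the function names are mine, and the sample check is written for a home machine that normally has no proxy at all.

```powershell
# Added example (not from the thread): inspect and, if needed, clear the
# per-user Internet Explorer proxy that the "Stop Proxy" step removes via
# the LAN Settings dialog. Assumes PowerShell is available. The key and
# value names are the standard WinINet settings for the current user.

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-IeProxyState {
    $p = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = [int]($p.ProxyEnable)     # 1 = "Use a proxy server for your LAN" is ticked
        ProxyServer   = [string]$p.ProxyServer    # host:port the browser is sent through
        AutoConfigURL = [string]$p.AutoConfigURL  # PAC script, another way traffic can be redirected
    }
}

function Test-IeProxySuspicious {
    param($state = (Get-IeProxyState))
    # On a home machine any enabled proxy or PAC script deserves a look;
    # on a work machine check with whoever manages the network first.
    if ($state.ProxyEnable -eq 1 -and $state.ProxyServer) { return $true }
    if ($state.AutoConfigURL) { return $true }
    return $false
}

function Clear-IeProxy {
    # Same effect as unticking the box and clicking OK on both dialogs.
    Set-ItemProperty -Path $inetKey -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $inetKey -Name ProxyServer -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
}

$state = Get-IeProxyState
$state | Format-List
if (Test-IeProxySuspicious $state) {
    Write-Warning 'A proxy or PAC script is set for this user. If you did not configure it, run Clear-IeProxy and check again after the RKill and TDSSKiller steps.'
}
```

Re-run the check after each reboot during the cleanup: a proxy that reappears on its own is a sign the component that sets it is still active, which is exactly the situation Karen describes later when Malwarebytes cannot update.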
  6. khastings

    khastings TS Rookie Topic Starter Posts: 36

    ComboFix issue

    Hello Bobbye,

    A couple of issues, I used the AppRemover and removed AVG, rebooted as it requested, but ComboFix is telling me it is still running. I searched "avg" on the C drive and there are all kinds of folders and some .exe files with avg in the names. I went to Add/Remove Programs and AVG is not listed. What do I do? One of those files is in the Temp folder and I know I am not supposed to delete anything out of the temp folder.

    ComboFix did state that it will continue to run for malware check and appeared to be doing so, but it was an hour and no results yet. Any advice before I press on? Thank you.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Give Combofix a chance to finish and see if the log is generated. AVG is a real pain! Can you tell me what file is in the temp folder?

    You can try running the App Remover again. Or you can use the AVG Uninstall>

    AVG Remover eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc.
    Note:
    • AVG user settings will be removed.
    • Virus Vault contents will be removed.
    • All other items related to AVG installation and use will be removed.
    • You will be asked during the removal procedure to restart your computer. Please do so.
    • Make sure there is no open work in process prior to launching AVG Remover.
    Use the appropriate download for your system for the AVG Remover: AVG Remover:32bit
    AVG Remover:64 bit
  8. khastings

    khastings TS Rookie Topic Starter Posts: 36

    AVG File

    It is avginfo.id; it was still searching for those filenames when I posted, and the folders are still there too.
    The AVG Remover didn't seem to work either; it didn't request that I reboot. Can I delete all the files and folders I can find, empty the Recycle Bin, then try ComboFix again?
  9. khastings

    khastings TS Rookie Topic Starter Posts: 36

    ComboFix frozen

    Good morning! I installed then uninstalled AVG and that worked, all set there. However, ComboFix ran all night and no response. I rebooted and re-ran ComboFix, and there was an update so it is now updated, but it has been 3 hours. Shall I let it run for a particular length of time? Thank you! Karen
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Karen, regarding instructions for these:
    Summary to help you get through:
    Run App Remover for AVG- put temp. AV on system>> Skip for now
    Run Combofix>>Skip for now

    Begin with the following:
    Boot into Safe Mode
    Stop Proxy
    Stop malware process>>RKill
    Run TDSS
    Do a Full scan Mbam
    ====================================
    I'll have you go back and try Combofix after we get some of the bad entries out.
  11. khastings

    khastings TS Rookie Topic Starter Posts: 36

    TDSS quarantine

    Hello! I did everything, but after quarantining the rootkit threat found by TDSS, I rebooted (though it didn't ask me to), and then it wouldn't let me update Malwarebytes' database. I did TDSS again and it still finds the rootkit threat. How do I delete the threat? The quarantine doesn't seem to work.
    Thanks, Karen
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I need to see the logs Karen.
  13. khastings

    khastings TS Rookie Topic Starter Posts: 36

    RKill Log

    Sorry about that, here is the RKill log:

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 12/28/2011 at 16:31:59.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 12/28/2011 at 16:32:04.
  14. khastings

    khastings TS Rookie Topic Starter Posts: 36

    TDSS Log

    and the TDSS Log:

    21:39:01.0625 0272 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
    21:39:02.0140 0272 ============================================================
    21:39:02.0140 0272 Current date / time: 2011/12/28 21:39:02.0140
    21:39:02.0140 0272 SystemInfo:
    21:39:02.0140 0272
    21:39:02.0140 0272 OS Version: 5.1.2600 ServicePack: 3.0
    21:39:02.0140 0272 Product type: Workstation
    21:39:02.0140 0272 ComputerName: MARTY
    21:39:02.0140 0272 UserName: Administrator
    21:39:02.0140 0272 Windows directory: C:\WINDOWS
    21:39:02.0140 0272 System windows directory: C:\WINDOWS
    21:39:02.0140 0272 Processor architecture: Intel x86
    21:39:02.0140 0272 Number of processors: 2
    21:39:02.0140 0272 Page size: 0x1000
    21:39:02.0140 0272 Boot type: Safe boot with network
    21:39:02.0140 0272 ============================================================
    21:39:06.0140 0272 Initialize success
    21:39:07.0812 0368 ============================================================
    21:39:07.0812 0368 Scan started
    21:39:07.0812 0368 Mode: Manual;
    21:39:07.0812 0368 ============================================================
    21:39:12.0031 0368 Aavmker4 (b6de0336f9f4b687b4ff57939f7b657a) C:\WINDOWS\system32\drivers\Aavmker4.sys
    21:39:12.0031 0368 Aavmker4 - ok
    21:39:12.0062 0368 Abiosdsk - ok
    21:39:12.0125 0368 abp480n5 - ok
    21:39:12.0234 0368 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
    21:39:12.0250 0368 ac97intc - ok
    21:39:12.0531 0368 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    21:39:12.0546 0368 ACPI - ok
    21:39:12.0703 0368 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    21:39:12.0718 0368 ACPIEC - ok
    21:39:13.0140 0368 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    21:39:13.0156 0368 adpu160m - ok
    21:39:13.0359 0368 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
    21:39:13.0421 0368 adpu320 - ok
    21:39:14.0000 0368 aeaudio (3cb6ae5435987b1f8c83fd2730479878) C:\WINDOWS\system32\drivers\aeaudio.sys
    21:39:14.0046 0368 aeaudio - ok
    21:39:14.0687 0368 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    21:39:14.0734 0368 aec - ok
    21:39:15.0468 0368 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
    21:39:15.0593 0368 AFD - ok
    21:39:16.0093 0368 Aha154x - ok
    21:39:16.0687 0368 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    21:39:16.0703 0368 aic78u2 - ok
    21:39:17.0265 0368 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    21:39:17.0281 0368 aic78xx - ok
    21:39:17.0703 0368 AliIde - ok
    21:39:18.0250 0368 amsint - ok
    21:39:18.0578 0368 Andbus (3e59df4984fbd6800d6621480b38a34e) C:\WINDOWS\system32\DRIVERS\lgandbus.sys
    21:39:18.0593 0368 Andbus - ok
    21:39:18.0671 0368 AndDiag (8e0bf6f3b2c9c292bc7ce0de727cdd56) C:\WINDOWS\system32\DRIVERS\lganddiag.sys
    21:39:18.0687 0368 AndDiag - ok
    21:39:19.0171 0368 AndGps (1d2c90e25483363d54b652898bbc8f2a) C:\WINDOWS\system32\DRIVERS\lgandgps.sys
    21:39:19.0171 0368 AndGps - ok
    21:39:19.0546 0368 ANDModem (b1b06a95da2cac7fa19832c60c348c85) C:\WINDOWS\system32\DRIVERS\lgandmodem.sys
    21:39:19.0546 0368 ANDModem - ok
    21:39:19.0953 0368 asc - ok
    21:39:20.0343 0368 asc3350p - ok
    21:39:20.0390 0368 asc3550 - ok
    21:39:20.0500 0368 aswFsBlk (054df24c92b55427e0757cfff160e4f2) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    21:39:20.0500 0368 aswFsBlk - ok
    21:39:20.0921 0368 aswMon2 (ef0e9ad83380724bd6fbbb51d2d0f5b8) C:\WINDOWS\system32\drivers\aswMon2.sys
    21:39:20.0921 0368 aswMon2 - ok
    21:39:21.0640 0368 aswRdr (352d5a48ebab35a7693b048679304831) C:\WINDOWS\system32\drivers\aswRdr.sys
    21:39:21.0640 0368 aswRdr - ok
    21:39:21.0812 0368 aswSnx (8d34d2b24297e27d93e847319abfdec4) C:\WINDOWS\system32\drivers\aswSnx.sys
    21:39:21.0968 0368 aswSnx - ok
    21:39:22.0484 0368 aswSP (010012597333da1f46c3243f33f8409e) C:\WINDOWS\system32\drivers\aswSP.sys
    21:39:22.0500 0368 aswSP - ok
    21:39:22.0562 0368 aswTdi (f9f84364416658e9786235904d448d37) C:\WINDOWS\system32\drivers\aswTdi.sys
    21:39:22.0562 0368 aswTdi - ok
    21:39:22.0640 0368 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    21:39:22.0656 0368 AsyncMac - ok
    21:39:22.0734 0368 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    21:39:22.0734 0368 atapi - ok
    21:39:23.0234 0368 Atdisk - ok
    21:39:23.0484 0368 ati2mtag (92e6e84d152d2acc44936c1c89ff26c4) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    21:39:23.0703 0368 ati2mtag - ok
    21:39:24.0078 0368 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    21:39:24.0093 0368 Atmarpc - ok
    21:39:24.0234 0368 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    21:39:24.0265 0368 audstub - ok
    21:39:24.0640 0368 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    21:39:24.0671 0368 b57w2k - ok
    21:39:25.0140 0368 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    21:39:25.0156 0368 Beep - ok
    21:39:25.0234 0368 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    21:39:25.0250 0368 cbidf2k - ok
    21:39:25.0375 0368 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    21:39:25.0390 0368 CCDECODE - ok
    21:39:25.0437 0368 cd20xrnt - ok
    21:39:25.0562 0368 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    21:39:25.0578 0368 Cdaudio - ok
    21:39:25.0921 0368 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    21:39:25.0921 0368 Cdfs - ok
    21:39:26.0062 0368 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    21:39:26.0078 0368 Cdrom - ok
    21:39:26.0218 0368 Changer - ok
    21:39:26.0312 0368 CmdIde - ok
    21:39:26.0468 0368 Cpqarray - ok
    21:39:26.0562 0368 dac2w2k - ok
    21:39:26.0625 0368 dac960nt - ok
    21:39:26.0734 0368 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    21:39:26.0750 0368 Disk - ok
    21:39:27.0234 0368 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    21:39:27.0312 0368 dmboot - ok
    21:39:27.0390 0368 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    21:39:27.0390 0368 dmio - ok
    21:39:27.0468 0368 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    21:39:27.0484 0368 dmload - ok
    21:39:27.0656 0368 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    21:39:27.0671 0368 DMusic - ok
    21:39:28.0046 0368 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    21:39:28.0046 0368 dpti2o - ok
    21:39:28.0437 0368 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    21:39:28.0468 0368 drmkaud - ok
    21:39:28.0531 0368 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    21:39:28.0546 0368 E100B - ok
    21:39:28.0656 0368 e1express (00192f0c612591d585594e9467e6ca8b) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
    21:39:28.0687 0368 e1express - ok
    21:39:28.0890 0368 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    21:39:28.0937 0368 Fastfat - ok
    21:39:29.0296 0368 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    21:39:29.0328 0368 Fdc - ok
    21:39:29.0406 0368 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    21:39:29.0437 0368 Fips - ok
    21:39:29.0531 0368 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    21:39:29.0531 0368 Flpydisk - ok
    21:39:29.0937 0368 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    21:39:29.0968 0368 FltMgr - ok
    21:39:30.0203 0368 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    21:39:30.0218 0368 Fs_Rec - ok
    21:39:30.0328 0368 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    21:39:30.0328 0368 Ftdisk - ok
    21:39:30.0484 0368 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    21:39:30.0500 0368 GEARAspiWDM - ok
    21:39:31.0078 0368 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    21:39:31.0093 0368 Gpc - ok
    21:39:31.0453 0368 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    21:39:31.0484 0368 HDAudBus - ok
    21:39:31.0546 0368 HECI (d0fc694df051bc65946db616f20d1168) C:\WINDOWS\system32\DRIVERS\HECI.sys
    21:39:31.0562 0368 HECI - ok
    21:39:31.0640 0368 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    21:39:31.0640 0368 HidUsb - ok
    21:39:31.0671 0368 hpn - ok
    21:39:32.0046 0368 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    21:39:32.0078 0368 HTTP - ok
    21:39:32.0281 0368 i2omgmt - ok
    21:39:32.0312 0368 i2omp - ok
    21:39:32.0421 0368 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    21:39:32.0437 0368 i8042prt - ok
    21:39:32.0765 0368 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
    21:39:32.0812 0368 i81x - ok
    21:39:33.0031 0368 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
    21:39:33.0046 0368 iAimFP0 - ok
    21:39:33.0156 0368 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
    21:39:33.0171 0368 iAimFP1 - ok
    21:39:33.0468 0368 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
    21:39:33.0484 0368 iAimFP2 - ok
    21:39:33.0625 0368 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
    21:39:33.0656 0368 iAimFP3 - ok
    21:39:33.0890 0368 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
    21:39:33.0921 0368 iAimFP4 - ok
    21:39:34.0359 0368 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
    21:39:34.0375 0368 iAimFP5 - ok
    21:39:34.0750 0368 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
    21:39:34.0765 0368 iAimFP6 - ok
    21:39:34.0937 0368 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
    21:39:34.0937 0368 iAimFP7 - ok
    21:39:35.0203 0368 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
    21:39:35.0203 0368 iAimTV0 - ok
    21:39:35.0609 0368 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
    21:39:35.0609 0368 iAimTV1 - ok
    21:39:36.0000 0368 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
    21:39:36.0015 0368 iAimTV3 - ok
    21:39:36.0515 0368 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
    21:39:36.0515 0368 iAimTV4 - ok
    21:39:36.0703 0368 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
    21:39:36.0718 0368 iAimTV5 - ok
    21:39:37.0312 0368 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
    21:39:37.0312 0368 iAimTV6 - ok
    21:39:38.0421 0368 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    21:39:39.0375 0368 ialm - ok
    21:39:40.0015 0368 iaStor (019cf5f31c67030841233c545a0e217a) C:\WINDOWS\system32\DRIVERS\iaStor.sys
    21:39:40.0046 0368 iaStor - ok
    21:39:40.0437 0368 IFXTPM (f67554da27d5b55efcb6c7cb4818fbfd) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
    21:39:40.0453 0368 IFXTPM - ok
    21:39:40.0593 0368 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    21:39:40.0593 0368 Imapi - ok
    21:39:41.0078 0368 ini910u - ok
    21:39:42.0921 0368 IntcAzAudAddService (418fe3a08346ccca61bc9a04457f46cf) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    21:39:44.0890 0368 IntcAzAudAddService - ok
    21:39:45.0453 0368 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    21:39:45.0484 0368 IntelIde - ok
    21:39:45.0578 0368 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    21:39:45.0625 0368 intelppm - ok
    21:39:45.0921 0368 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    21:39:45.0937 0368 Ip6Fw - ok
    21:39:46.0343 0368 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    21:39:46.0359 0368 IpFilterDriver - ok
    21:39:46.0484 0368 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    21:39:46.0484 0368 IpInIp - ok
    21:39:46.0562 0368 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    21:39:46.0593 0368 IpNat - ok
    21:39:46.0843 0368 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    21:39:46.0968 0368 IPSec - ok
    21:39:47.0296 0368 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    21:39:47.0312 0368 IRENUM - ok
    21:39:47.0359 0368 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    21:39:47.0375 0368 isapnp - ok
    21:39:47.0500 0368 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    21:39:47.0515 0368 Kbdclass - ok
    21:39:47.0609 0368 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    21:39:47.0640 0368 kbdhid - ok
    21:39:48.0140 0368 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    21:39:48.0281 0368 kmixer - ok
    21:39:48.0718 0368 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    21:39:48.0781 0368 KSecDD - ok
    21:39:48.0890 0368 Lavasoft Kernexplorer - ok
    21:39:49.0171 0368 lbrtfdc - ok
    21:39:49.0671 0368 lmimirr - ok
    21:39:50.0046 0368 mferkdk - ok
    21:39:50.0531 0368 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    21:39:50.0546 0368 mnmdd - ok
    21:39:50.0703 0368 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    21:39:50.0703 0368 Modem - ok
    21:39:50.0796 0368 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    21:39:50.0828 0368 Mouclass - ok
    21:39:51.0140 0368 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    21:39:51.0171 0368 mouhid - ok
    21:39:51.0656 0368 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    21:39:51.0671 0368 MountMgr - ok
    21:39:52.0078 0368 mraid35x - ok
    21:39:52.0296 0368 MREMP50 - ok
    21:39:52.0453 0368 MREMPR5 - ok
    21:39:52.0562 0368 MRENDIS5 - ok
    21:39:52.0640 0368 MRESP50 - ok
    21:39:53.0031 0368 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    21:39:53.0062 0368 MRxDAV - ok
    21:39:53.0296 0368 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    21:39:53.0343 0368 MRxSmb - ok
    21:39:53.0437 0368 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    21:39:53.0453 0368 Msfs - ok
    21:39:53.0500 0368 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    21:39:53.0515 0368 MSKSSRV - ok
    21:39:53.0812 0368 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    21:39:53.0828 0368 MSPCLOCK - ok
    21:39:53.0890 0368 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    21:39:53.0890 0368 MSPQM - ok
    21:39:54.0015 0368 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    21:39:54.0015 0368 mssmbios - ok
    21:39:54.0078 0368 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    21:39:54.0093 0368 MSTEE - ok
    21:39:54.0156 0368 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    21:39:54.0171 0368 Mup - ok
    21:39:54.0250 0368 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    21:39:54.0265 0368 NABTSFEC - ok
    21:39:54.0343 0368 NAL (1e59aaed42a5e3a5ed86ec403f9c0776) C:\WINDOWS\system32\Drivers\iqvw32.sys
    21:39:54.0343 0368 NAL - ok
    21:39:54.0703 0368 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    21:39:54.0718 0368 NDIS - ok
    21:39:54.0796 0368 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    21:39:54.0812 0368 NdisIP - ok
    21:39:54.0921 0368 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    21:39:54.0937 0368 NdisTapi - ok
    21:39:55.0000 0368 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    21:39:55.0000 0368 Ndisuio - ok
    21:39:55.0062 0368 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    21:39:55.0093 0368 NdisWan - ok
    21:39:55.0156 0368 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    21:39:55.0156 0368 NDProxy - ok
    21:39:55.0250 0368 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    21:39:55.0250 0368 NetBIOS - ok
    21:39:55.0781 0368 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    21:39:55.0843 0368 NetBT - ok
    21:39:56.0093 0368 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    21:39:56.0093 0368 Npfs - ok
    21:39:56.0625 0368 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    21:39:56.0796 0368 Ntfs - ok
    21:39:57.0078 0368 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    21:39:57.0093 0368 Null - ok
    21:39:57.0203 0368 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    21:39:57.0218 0368 NwlnkFlt - ok
    21:39:57.0390 0368 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    21:39:57.0390 0368 NwlnkFwd - ok
    21:39:57.0484 0368 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
    21:39:57.0500 0368 P3 - ok
    21:39:57.0562 0368 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    21:39:57.0578 0368 Parport - ok
    21:39:57.0687 0368 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    21:39:57.0703 0368 PartMgr - ok
    21:39:58.0031 0368 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    21:39:58.0093 0368 ParVdm - ok
    21:39:58.0515 0368 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    21:39:58.0531 0368 PCI - ok
    21:39:58.0609 0368 PCIDump - ok
    21:39:58.0656 0368 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    21:39:58.0671 0368 PCIIde - ok
    21:39:58.0718 0368 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    21:39:58.0750 0368 Pcmcia - ok
    21:39:59.0156 0368 PDCOMP - ok
    21:39:59.0625 0368 PDFRAME - ok
    21:40:00.0062 0368 PDRELI - ok
    21:40:00.0500 0368 PDRFRAME - ok
    21:40:00.0890 0368 perc2 - ok
    21:40:01.0265 0368 perc2hib - ok
    21:40:01.0718 0368 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    21:40:01.0734 0368 PptpMiniport - ok
    21:40:02.0156 0368 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    21:40:02.0203 0368 PSched - ok
    21:40:02.0718 0368 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    21:40:02.0750 0368 Ptilink - ok
    21:40:03.0171 0368 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    21:40:03.0187 0368 PxHelp20 - ok
    21:40:03.0343 0368 ql1080 - ok
    21:40:03.0437 0368 Ql10wnt - ok
    21:40:03.0609 0368 ql12160 - ok
    21:40:04.0328 0368 ql1240 - ok
    21:40:05.0062 0368 ql1280 - ok
    21:40:05.0703 0368 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    21:40:05.0718 0368 RasAcd - ok
    21:40:06.0281 0368 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    21:40:06.0312 0368 Rasl2tp - ok
    21:40:06.0921 0368 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    21:40:06.0937 0368 RasPppoe - ok
    21:40:07.0406 0368 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    21:40:07.0453 0368 Raspti - ok
    21:40:07.0687 0368 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    21:40:07.0750 0368 Rdbss - ok
    21:40:08.0281 0368 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    21:40:08.0281 0368 RDPCDD - ok
    21:40:08.0875 0368 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    21:40:08.0968 0368 rdpdr - ok
    21:40:09.0468 0368 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    21:40:09.0515 0368 RDPWD - ok
    21:40:09.0812 0368 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    21:40:09.0875 0368 redbook - ok
    21:40:10.0546 0368 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    21:40:10.0562 0368 Secdrv - ok
    21:40:11.0140 0368 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    21:40:11.0171 0368 serenum - ok
    21:40:11.0703 0368 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    21:40:11.0734 0368 Serial - ok
    21:40:11.0875 0368 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    21:40:11.0875 0368 Sfloppy - ok
    21:40:12.0000 0368 Simbad - ok
    21:40:12.0109 0368 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    21:40:12.0109 0368 SLIP - ok
    21:40:12.0531 0368 smwdm (86d17b6760dd2b09e932ff101714e0dc) C:\WINDOWS\system32\drivers\smwdm.sys
    21:40:12.0640 0368 smwdm - ok
    21:40:12.0828 0368 Sparrow - ok
    21:40:12.0984 0368 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    21:40:13.0015 0368 splitter - ok
    21:40:13.0390 0368 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    21:40:13.0437 0368 sr - ok
    21:40:13.0578 0368 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    21:40:13.0625 0368 Srv - ok
    21:40:13.0671 0368 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    21:40:13.0671 0368 streamip - ok
    21:40:13.0796 0368 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    21:40:13.0812 0368 swenum - ok
    21:40:14.0125 0368 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    21:40:14.0140 0368 swmidi - ok
    21:40:14.0578 0368 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    21:40:14.0593 0368 symc810 - ok
    21:40:15.0187 0368 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    21:40:15.0203 0368 symc8xx - ok
    21:40:15.0390 0368 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
    21:40:15.0421 0368 Symmpi - ok
    21:40:15.0578 0368 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    21:40:15.0593 0368 sym_hi - ok
    21:40:15.0703 0368 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    21:40:15.0718 0368 sym_u3 - ok
    21:40:16.0171 0368 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    21:40:16.0171 0368 sysaudio - ok
    21:40:16.0468 0368 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    21:40:16.0515 0368 Tcpip - ok
    21:40:17.0000 0368 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    21:40:17.0031 0368 TDPIPE - ok
    21:40:17.0421 0368 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    21:40:17.0453 0368 TDTCP - ok
    21:40:17.0593 0368 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    21:40:17.0625 0368 TermDD - ok
    21:40:17.0796 0368 TosIde - ok
    21:40:17.0937 0368 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    21:40:17.0937 0368 Udfs - ok
    21:40:18.0203 0368 ultra - ok
    21:40:18.0359 0368 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
    21:40:18.0375 0368 USBAAPL - ok
    21:40:18.0625 0368 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    21:40:18.0656 0368 usbaudio - ok
    21:40:18.0953 0368 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    21:40:18.0984 0368 usbccgp - ok
    21:40:19.0390 0368 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    21:40:19.0421 0368 usbehci - ok
    21:40:19.0671 0368 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    21:40:19.0718 0368 usbhub - ok
    21:40:20.0171 0368 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    21:40:20.0203 0368 usbprint - ok
    21:40:20.0375 0368 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    21:40:20.0406 0368 USBSTOR - ok
    21:40:20.0562 0368 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    21:40:20.0578 0368 usbuhci - ok
    21:40:20.0718 0368 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    21:40:20.0734 0368 usbvideo - ok
    21:40:21.0125 0368 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    21:40:21.0125 0368 VgaSave - ok
    21:40:21.0250 0368 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    21:40:21.0265 0368 ViaIde - ok
    21:40:21.0359 0368 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    21:40:21.0375 0368 VolSnap - ok
    21:40:21.0468 0368 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    21:40:21.0484 0368 Wanarp - ok
    21:40:21.0562 0368 WDICA - ok
    21:40:22.0171 0368 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    21:40:22.0234 0368 wdmaud - ok
    21:40:22.0687 0368 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    21:40:22.0703 0368 WmiAcpi - ok
    21:40:23.0468 0368 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    21:40:23.0500 0368 WS2IFSL - ok
    21:40:24.0156 0368 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    21:40:24.0187 0368 WSTCODEC - ok
    21:40:24.0515 0368 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    21:40:24.0531 0368 WudfPf - ok
    21:40:24.0640 0368 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    21:40:24.0640 0368 WudfRd - ok
    21:40:24.0750 0368 MBR (0x1B8) (4f02a8d4048a138c450ed7f867eb0144) \Device\Harddisk0\DR0
    21:40:24.0875 0368 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
    21:40:24.0875 0368 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
    21:40:24.0921 0368 Boot (0x1200) (5dce6ed2ad9d67a06de72d409e21a2ba) \Device\Harddisk0\DR0\Partition0
    21:40:24.0921 0368 \Device\Harddisk0\DR0\Partition0 - ok
    21:40:24.0953 0368 Boot (0x1200) (254f515a0246b66cb1433240ce3b570c) \Device\Harddisk0\DR0\Partition1
    21:40:24.0968 0368 \Device\Harddisk0\DR0\Partition1 - ok
    21:40:24.0968 0368 ============================================================
    21:40:24.0968 0368 Scan finished
    21:40:24.0968 0368 ============================================================
    21:40:25.0015 0360 Detected object count: 1
    21:40:25.0015 0360 Actual detected object count: 1
    21:40:32.0171 0360 \Device\Harddisk0\DR0 - copied to quarantine
    21:40:34.0687 0360 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
    21:40:34.0703 0360 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
    21:40:34.0703 0360 \Device\Harddisk0\DR0\TDLFS\bid - copied to quarantine
    21:40:34.0703 0360 \Device\Harddisk0\DR0\TDLFS\affid - copied to quarantine
    21:40:34.0703 0360 \Device\Harddisk0\DR0\TDLFS\boot - copied to quarantine
    21:40:34.0718 0360 \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
    21:40:34.0781 0360 \Device\Harddisk0\DR0\TDLFS\cmd64 - copied to quarantine
    21:40:34.0968 0360 \Device\Harddisk0\DR0\TDLFS\dbg32 - copied to quarantine
    21:40:35.0000 0360 \Device\Harddisk0\DR0\TDLFS\dbg64 - copied to quarantine
    21:40:35.0046 0360 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
    21:40:35.0093 0360 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
    21:40:35.0156 0360 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
    21:40:35.0203 0360 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
    21:40:35.0234 0360 \Device\Harddisk0\DR0\TDLFS\main - copied to quarantine
    21:40:35.0296 0360 \Device\Harddisk0\DR0\TDLFS\subid - copied to quarantine
    21:40:35.0296 0360 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Quarantine
  15. khastings

    khastings TS Rookie Topic Starter Posts: 36

    Malwarebytes' Log

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122405

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 8.0.6001.18702

    12/28/2011 11:25:52 PM
    mbam-log-2011-12-28 (23-25-52).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 243392
    Time elapsed: 21 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 6
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please go ahead and run the following:

    Please download MBRCheck and save to your desktop
    • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      [o] Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      [o] Found non-standard or infected MBR.
      [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Paste this log to your next message.
    ================================================
    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Then go back and download Combofix again and try the scan.
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • Follow the additional Combofix instructions in Reply #5
  17. khastings

    khastings TS Rookie Topic Starter Posts: 36

    MBRCheck Log

    Good morning! Here is the MBRCheck Log:
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 99):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x80700000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF75A8000 ACPI.sys
    0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7597000 pci.sys
    0xF75F7000 isapnp.sys
    0xF7A4F000 pciide.sys
    0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF798B000 intelide.sys
    0xF7607000 MountMgr.sys
    0xF74D8000 ftdisk.sys
    0xF798D000 dmload.sys
    0xF74B2000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF7617000 VolSnap.sys
    0xF749A000 atapi.sys
    0xF7627000 disk.sys
    0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF747A000 fltmgr.sys
    0xF7468000 sr.sys
    0xF7647000 PxHelp20.sys
    0xF7451000 KSecDD.sys
    0xF7B52000 Ntfs.sys
    0xF7424000 NDIS.sys
    0xF740A000 Mup.sys
    0xBA749000 iaStor.sys
    0xBA6B1000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xBA687000 \SystemRoot\system32\DRIVERS\b57xp32.sys
    0xF774F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xBA663000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7757000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF7767000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF776F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF777F000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF7677000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7687000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF7697000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xBA5A0000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF7797000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF7927000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF76A7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF792F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xBA589000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF76B7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF76C7000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF77B7000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xBA550000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF76D7000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF77C7000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF77D7000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA4D0000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF76E7000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7995000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xBA721000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF76F7000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7577000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF799B000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF799F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7A96000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79A3000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF77FF000 \SystemRoot\System32\drivers\vga.sys
    0xBA3F4000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0xF79A7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF780F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF781F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA6E9000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xBA3C1000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xBA368000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xBA342000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xBA31A000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF775F000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xBA2F8000 \SystemRoot\System32\drivers\afd.sys
    0xF7547000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xBA2A5000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xBA235000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF77A7000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xF77BF000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF7527000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBA571000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF7517000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xBA540000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA569000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xBA561000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xBA21D000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79B1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xBA4C0000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA518000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7A70000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBFF50000 \SystemRoot\System32\framebuf.dll
    0xBF012000 \SystemRoot\System32\ATMFD.DLL
    0xB9CFD000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB9A4B000 \SystemRoot\system32\DRIVERS\srv.sys
    0xF7817000 \SystemRoot\System32\Drivers\TDTCP.SYS
    0xB9820000 \SystemRoot\System32\Drivers\RDPWD.SYS
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 19):
    0 System Idle Process
    4 System
    520 C:\WINDOWS\system32\smss.exe
    568 csrss.exe
    592 C:\WINDOWS\system32\winlogon.exe
    636 C:\WINDOWS\system32\services.exe
    648 C:\WINDOWS\system32\lsass.exe
    808 C:\WINDOWS\system32\svchost.exe
    876 svchost.exe
    1056 C:\WINDOWS\system32\svchost.exe
    1084 svchost.exe
    1240 svchost.exe
    1780 C:\WINDOWS\explorer.exe
    244 C:\Program Files\Internet Explorer\iexplore.exe
    328 C:\Program Files\Internet Explorer\iexplore.exe
    416 C:\WINDOWS\system32\ctfmon.exe
    1584 C:\WINDOWS\system32\igfxsrvc.exe
    1756 C:\WINDOWS\system32\notepad.exe
    284 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000010`2102cc00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800JD-60LSA0, Rev: 07.01D07

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Hewlett-Packard MBR code detected
    SHA1: 6DE5B7C1EEAFBE901B2807597A84F9F19604E031


    Done!
  18. khastings

    khastings TS Rookie Topic Starter Posts: 36

    ComboFix not working

    Hi Bobbye,
    ComboFix ran for 4 hours with no results. Do you have any suggestions as to why?
    Thanks, Karen
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    MBR is okay.
    ======================================
    NOTE: If, for some reason, Combofix refuses to run, try one of the following:
    1. Run Combofix from Safe Mode.
    2. Delete Combofix file, download fresh one, but rename combofix.exe to
    friday.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    -------------------------------------
    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
    There are 3 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following>>>>.

    Please download exeHelper by Raktor and save it to your desktop.
    • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file called exehelperlog.txt will be created and should open at the end of the scan.
    • A copy of that log will also be saved in the directory where you ran exeHelper.com
    • Copy and paste the contents of exehelperlog.txt in your next reply.

    Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

    Rkill instructions
    Once you've gotten one of them to run
    • immediately double click on friday.exe to run
    • If normal mode still doesn't work, run BOTH tools from safe mode.

    If you have done #2, please post BOTH logs, rKill and Combofix.
    ===========================================
    New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
  20. khastings

    khastings TS Rookie Topic Starter Posts: 36

    RKill Log; ComboFix still doesn't run

    Hello Bobbye,
    I ran everything in your latest post in Safe Mode.

    Here is the RKill log from tonight:
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 12/30/2011 at 18:38:44.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 12/30/2011 at 18:38:48.

    ComboFix doesn't complete its run, I tried both ways (usual way, and the file rename to friday.exe).

    Here is the Exehelper log:

    exeHelper by Raktor
    Build 20100414
    Run at 18:39:38 on 12/30/11
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    Thank you so much. Happy New Year to you! Karen
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Happy New Year, Karen.

    Please update and run a new Mbam Full Scan in Normal Mode
  22. khastings

    khastings TS Rookie Topic Starter Posts: 36

    MBAM Full Scan in Normal Mode

    Hi Bobbye!

    Thank you for all of your help. A concern I have is that I still can't update Malwarebytes' database, it gives me the error:

    "An error has occurred. Please report this error code to our support team.
    PROGRAM_ERROR_UPDATING (5. 0. CreateFile)
    Access is denied."

    Should I uninstall and reinstall to fix this, do you think?

    Here is the MBAM log:

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122405

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/2/2012 7:30:49 PM
    mbam-log-2012-01-02 (19-30-49).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 242129
    Time elapsed: 32 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Karen, here's the scoop on the 3 Malwarebytes scans:
    1. Malwarebytes' Anti-Malware 1.51.2.1300> Normal Mode
    Database version: 911122405
    12/27/2011 1:06:56 PM
    mbam-log-2011-12-27 (13-06-56).txt
    Scan type: Quick scan
    Objects scanned: 185408
    Registry Data Items Infected: 7>>
    Hijacked Start Menu:
    No Desktop
    No ControlPanel
    No MyComputer
    No Help
    No MyDocs
    No Run
    No Search
    --------------------------------------------
    2. Malwarebytes' Anti-Malware 1.51.2.1300> (Safe Mode)
    Database version: 911122405
    Windows 5.1.2600 Service Pack 3
    12/28/2011 11:25:52 PM
    Scan type: Full scan (C:\|)
    Objects scanned: 243392
    Registry Data Items Infected: 6
    Shows all Hijacked Start Menu processes except for No Desktop which was restored when you ran the Unhide program
    ---------------------------------
    >> that's because you were in Safe Mode. It appears you were in just plain Safe Mode and not in Safe Mode with Networking as instructed.

    TDSSKiller: Removed the rootkit processes
    21:40:25.0015 0360 Detected object count: 1
    21:40:25.0015 0360 Actual detected object count: 1
    21:40:35.0296 0360 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Quarantine

    3. Malwarebytes' Anti-Malware 1.51.2.1300> Normal Mode
    Database version: 911122405
    1/2/2012 7:30:49 PM
    mbam-log-2012-01-02 (19-30-49).txt
    Clean!
    --------------------------------------
    Safe Mode: Loads the minimum set of device drivers. User specific startup programs do not run.
    Safe Mode with Networking: Includes the services and drivers needed for network connectivity. Enables logging on to the network, logon scripts, security, and Group Policy settings.
    ============================================
    Do you now have the desktop with icons? Do you now have the My Computer, the Control Panel, your Docs, the Run, Help and Search functions? If not, what are you missing?

    You did not tell me which features in particular you were experiencing regarding the particular malware so I need to know if you are having any remaining problem other than problem with Mbam.
    --------------------------------------------
    You "should" be able to run both Mbam and Combofix with their updates now. Some of our replies were made at the same time, so let's remove these 2 programs now, then download both anew and scan. Both should be done in Normal mode:

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Then download new Combofix from the link in my directions and run the scan.
    -----------------------------------
    Uninstall Malwarebytes using Add/Remove Programs, then use Windows Explorer to access Computer> Local Drive> Programs> do a right click> Delete on the Mbam folder.
    Download and install new Mbam with this link: HERE. Be sure you're logged into the Administrative Account. Go to my directions again for the full scan.

    I don't think the "access is denied" is a permissions issue, but if you get that with the new download, let me know and we'll fix it.
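The Start Menu toggles in the three MBAM logs above, and the hidden desktop shortcuts that the Unhide tool restored, are both ordinary user-writable settings that this family of rogue flips rather than anything it destroys. As an added illustration (this is not code from the thread, from Malwarebytes or from the Unhide tool), the PowerShell script below audits the same `HKCU\...\Explorer\Advanced` values MBAM reported as PUM.Hijack.StartMenu, and with `-Restore` puts them back to the "Good" state and clears the Hidden attribute on files under the user's Desktop, My Documents and Start Menu. It assumes PowerShell 2.0 or later is installed and that it runs as the affected user. The first three value names are verbatim from the 27 Dec log; the other Start_Show* names are the standard XP toggles for the items Bobbye listed, and `HideIcons` is my assumption for what MBAM labels "No Desktop".

```powershell
# Added example, not code from the thread: audit (and with -Restore, repair) the
# Explorer settings Malwarebytes reports as PUM.Hijack.StartMenu, then clear the
# Hidden attribute the rogue set on the user's files (what the Unhide tool did).
# Assumes PowerShell 2.0+ and that it is run as the affected user account.
param([switch]$Restore)

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Value name -> the value MBAM calls "Good". The first three are verbatim from
# the MBAM log; the rest are the standard XP toggles for the other items in
# Bobbye's list. HideIcons is an assumption for "No Desktop" (1 hides desktop icons).
$expected = @{
    'Start_ShowControlPanel' = 1
    'Start_ShowHelp'         = 1
    'Start_ShowMyComputer'   = 1
    'Start_ShowMyDocs'       = 1
    'Start_ShowRun'          = 1
    'Start_ShowSearch'       = 1
    'HideIcons'              = 0
}

function Test-StartMenuToggles {
    $props = Get-ItemProperty -Path $advanced -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $current = $null
        if ($props -and $props.PSObject.Properties[$name]) { $current = $props.$name }
        $good = $expected[$name]
        # A missing value means Windows uses its default, which is the "Good" state.
        $ok = ($current -eq $null) -or ($current -eq $good)
        New-Object PSObject -Property @{ Name = $name; Current = $current; Good = $good; OK = $ok }
    }
}

function Repair-StartMenuToggles {
    foreach ($t in (Test-StartMenuToggles | Where-Object { -not $_.OK })) {
        Write-Host "Resetting $($t.Name): $($t.Current) -> $($t.Good)"
        Set-ItemProperty -Path $advanced -Name $t.Name -Value $t.Good -Type DWord
    }
}

# The rogue hides the user's files rather than deleting them. Only the Hidden
# bit is cleared, and files that also carry System (desktop.ini etc.) are skipped
# so legitimately hidden shell metadata stays as it was.
function Repair-HiddenUserFiles {
    param([string[]]$Roots = @([Environment]::GetFolderPath('Desktop'),
                               [Environment]::GetFolderPath('MyDocuments'),
                               [Environment]::GetFolderPath('StartMenu')))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
          Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
                         -not ($_.Attributes -band [IO.FileAttributes]::System) } |
          ForEach-Object {
              Write-Host "Unhiding $($_.FullName)"
              $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden
          }
    }
}

# Report first; only change anything when -Restore is given.
Test-StartMenuToggles | Format-Table Name, Current, Good, OK -AutoSize
if ($Restore) {
    Repair-StartMenuToggles
    Repair-HiddenUserFiles
    Write-Host 'Log off and back on so Explorer re-reads the Start Menu settings.'
}
```

Run it once without `-Restore` to see which toggles are still at the "Bad" value, then with `-Restore`. Note that this only undoes the cosmetic damage; it says nothing about whether the MBR rootkit TDSSKiller quarantined (Rootkit.Boot.SST.b on \Device\Harddisk0\DR0) is fully gone, which is why Bobbye still wants clean Mbam and ComboFix runs in Normal Mode before calling the machine clean.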
  24. khastings

    khastings TS Rookie Topic Starter Posts: 36

    Hi Bobbye,
    If I restarted in Safe Mode (without Networking) I did it in error, I apologize. Now when I turn the computer on, the screen goes black though the power indicator is lit. I have to hit the off switch, then hit it again to turn it on, but it only stays on for about 15 seconds. I can't get the information you need nor uninstall and reinstall the programs and run them. I'll have to try to connect my other screen to proceed; I will try that in the next few hours. Thank you for your patience.
    Karen
  25. khastings

    khastings TS Rookie Topic Starter Posts: 36

    Status & ComboFix info.

    Good morning,
    I am in Normal Mode and uninstalled then reinstalled ComboFix, and I turned off Avast. It still says it is blocking something with regards to ComboFix (a few different things, goes by quick, one is pev something). Then after the black ComboFix screen closes, I get the error: "Warning!! Do not run ComboFix in Compatibility Mode. Doing so may damage the machine." I never get the blue ComboFix screen.
    What I see as still an issue is that the files (i.e. shortcuts on the desktop) are still hidden, and I would believe that there is still a problem because I can't run ComboFix and can't update MBAM. Now my screen goes blank, had to switch screens with another computer. I am not however getting the same error messages in Normal Mode that I was before due to the virus, so we're getting somewhere which is great!
    I'm going to uninstall then reinstall MBAM and run again, will post the results.
    Thanks, Karen

