Inactive Infected with virus, malware, trojans. Need help removing

Status
Not open for further replies.

PaulieBklyn

Posts: 8   +0
I have a client that was riddled with everything under the sun. Virus, Malware, Trojan. Usually Malwarebytes, and a good AV is great but it seems this time it has not FULLY removed all threats. It wont let me execute Hijackthis even after i renamed it
 
Welcome aboard
yahooo.gif


Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7323

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

7/30/2011 1:31:09 AM
mbam-log-2011-07-30 (01-30-56).txt

Scan type: Quick scan
Objects scanned: 266850
Time elapsed: 2 hour(s), 42 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*fileaudiocache.exe (Trojan.FakeAlert) -> Value: *fileaudiocache.exe -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\fileaudiocache.exe (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\admin\local settings\Temp\srv1004.tmp (Spyware.Passwords) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:18:35 PM, on 7/31/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\dlcxcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell PC Fax\fm3032.exe
C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe
C:\Program Files\Dell Photo AIO Printer 926\memcard.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inbox.com/homepage.aspx?tbid=80074&lng=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: HelloWorldBHO - {ABD3B5E1-B268-407B-A150-2641DAB8D898} - C:\Program Files\Common Files\Homepage Protection\HomepageProtection.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O2 - BHO: Inbox Toolbar - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: ShopAtHomeIEHelper - {E8DAAA30-6CAA-4b58-9603-8E54238219E2} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
O2 - BHO: quizulous_v1 - {ea2d5273-28e9-432d-b67d-e21bd698976e} - C:\Program Files\quizulous_v1\prxtbquiz.dll
O2 - BHO: AOL Email Toolbar Loader - {fbea8524-8c72-4208-9d12-7fb73e9926eb} - C:\Program Files\AOL Email Toolbar\aolmailtb.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll
O3 - Toolbar: AOL Email Toolbar - {a3704fa3-dbf6-46b5-b95e-0677dfd39577} - C:\Program Files\AOL Email Toolbar\aolmailtb.dll
O3 - Toolbar: quizulous_v1 Toolbar - {ea2d5273-28e9-432d-b67d-e21bd698976e} - C:\Program Files\quizulous_v1\prxtbquiz.dll
O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll
O3 - Toolbar: ShopAtHome.com Toolbar - {98279C38-DE4B-4bcf-93C9-8EC26069D6F4} - C:\Program Files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll
O3 - Toolbar: &Inbox Toolbar - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Dell PC Fax\fm3032.exe" /s
O4 - HKLM\..\Run: [dlcxmon.exe] "C:\Program Files\Dell Photo AIO Printer 926\dlcxmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 926\memcard.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DLCXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [*uipropsrv.exe] "C:\Documents and Settings\All Users\Application Data\uipropsrv.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [centercscauto.exe] "C:\Program Files\centercscauto.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [fileaudiocache.exe] "C:\WINDOWS\system32\fileaudiocache.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [scancabdbg.exe] "C:\Documents and Settings\LocalService\Application Data\scancabdbg.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [uipropsrv.exe] "C:\Documents and Settings\All Users\Application Data\uipropsrv.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Emelobesi] rundll32.exe "C:\WINDOWS\ntctms.dll",Startup (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Emelobesi] rundll32.exe "C:\WINDOWS\ntctms.dll",Startup (User 'Default user')
O8 - Extra context menu item: &AOL Email Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL Email Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://linksyssupport.webex.com/client/T26L10NSP49EP32-linksyssupport/support/ieatgpc.cab
O18 - Protocol: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - C:\PROGRA~1\INBOXT~1\Inbox.dll
O18 - Filter hijack: text/html - {94705f7e-a2bc-4fd9-8b00-18bc6cda044f} - (no file)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: dlcx_device - - C:\WINDOWS\system32\dlcxcoms.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 12853 bytes


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-07-30 09:44:59
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST980815A rev.3.ADE
Running: hnwqye9i.exe; Driver: C:\DOCUME~1\admin\LOCALS~1\Temp\kgtdrpow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86EBE41F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 86EBE41F

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST980815A_______________________________3.ADE___#5&2c7c2be&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----
 
Problem is i ran it and it takes literally 5 hours to complete. the first scan i did it found 748 problems. I fixe3d the problems it found but required a reboot to complete. The one i just posted it only found 2 problems. Even after a reboot. Sorry about posting the Hijack log. Thought you needed that. My bad
 
No problem, but I need MBAM log from AFTER the fix not before.

Then go ahead with other steps.
 
OH man i forgot to mention,Sorry the reason i didn't take action was to print out the report for the client. I did take action and the report i posted to you was AFTER i cleaned what ever MalwareBytes was able to clean
 
I know this wont help but all i have is 2 errors. every time MalwareBytes asks me to reboot i blue screen. then when i go back in it doesn't fix the errors it should have. Does that make sense?
 
Download TDSSKiller and save it to your desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
2011/08/01 04:36:40.0109 6912 TDSS rootkit removing tool 2.5.13.0 Jul 29 2011 17:24:11
2011/08/01 04:36:40.0687 6912 ================================================================================
2011/08/01 04:36:40.0687 6912 SystemInfo:
2011/08/01 04:36:40.0687 6912
2011/08/01 04:36:40.0687 6912 OS Version: 5.1.2600 ServicePack: 3.0
2011/08/01 04:36:40.0687 6912 Product type: Workstation
2011/08/01 04:36:40.0687 6912 ComputerName: ROBERT
2011/08/01 04:36:40.0687 6912 UserName: admin
2011/08/01 04:36:40.0687 6912 Windows directory: C:\WINDOWS
2011/08/01 04:36:40.0687 6912 System windows directory: C:\WINDOWS
2011/08/01 04:36:40.0687 6912 Processor architecture: Intel x86
2011/08/01 04:36:40.0687 6912 Number of processors: 1
2011/08/01 04:36:40.0687 6912 Page size: 0x1000
2011/08/01 04:36:40.0687 6912 Boot type: Normal boot
2011/08/01 04:36:40.0687 6912 ================================================================================
2011/08/01 04:36:45.0125 6912 Initialize success
2011/08/01 04:36:50.0390 6236 ================================================================================
2011/08/01 04:36:50.0390 6236 Scan started
2011/08/01 04:36:50.0390 6236 Mode: Manual;
2011/08/01 04:36:50.0390 6236 ================================================================================
2011/08/01 04:36:50.0984 6236 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/01 04:36:51.0218 6236 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/08/01 04:36:51.0312 6236 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/08/01 04:36:51.0484 6236 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/08/01 04:36:51.0953 6236 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2011/08/01 04:36:52.0140 6236 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/01 04:36:52.0234 6236 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/01 04:36:52.0375 6236 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/01 04:36:52.0484 6236 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/01 04:36:52.0609 6236 BCM43XX (30d20fc98bcfd52e1da778cf19b223d4) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/08/01 04:36:52.0812 6236 bcm4sbxp (6489310d11971f6ba6c7f49be0baf6e0) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/08/01 04:36:53.0187 6236 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/01 04:36:53.0281 6236 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/01 04:36:53.0453 6236 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/01 04:36:53.0562 6236 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/01 04:36:53.0656 6236 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/01 04:36:53.0843 6236 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/08/01 04:36:54.0109 6236 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/08/01 04:36:54.0359 6236 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/08/01 04:36:54.0750 6236 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/01 04:36:54.0968 6236 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/01 04:36:55.0140 6236 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/01 04:36:55.0375 6236 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/01 04:36:55.0593 6236 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/01 04:36:55.0906 6236 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/01 04:36:56.0234 6236 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/01 04:36:56.0406 6236 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/08/01 04:36:56.0484 6236 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/01 04:36:56.0625 6236 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/08/01 04:36:56.0843 6236 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/08/01 04:36:56.0937 6236 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/01 04:36:57.0046 6236 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/01 04:36:57.0140 6236 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/01 04:36:57.0375 6236 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/08/01 04:36:57.0609 6236 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/01 04:36:57.0890 6236 HSFHWAZL (1c8caa80e91fb71864e9426f9eed048d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/08/01 04:36:58.0062 6236 HSF_DPV (698204d9c2832e53633e53a30a53fc3d) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/08/01 04:36:58.0265 6236 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/01 04:36:58.0531 6236 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/01 04:36:58.0656 6236 ialm (5a8e05f1d5c36abd58cffa111eb325ea) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/08/01 04:36:58.0953 6236 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/01 04:36:59.0218 6236 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/08/01 04:36:59.0390 6236 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/01 04:36:59.0593 6236 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/08/01 04:36:59.0796 6236 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/01 04:37:00.0046 6236 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/01 04:37:00.0171 6236 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/01 04:37:00.0265 6236 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/01 04:37:00.0453 6236 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/01 04:37:00.0656 6236 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/01 04:37:00.0906 6236 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/01 04:37:01.0078 6236 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/01 04:37:01.0312 6236 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/01 04:37:01.0437 6236 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
2011/08/01 04:37:01.0828 6236 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/08/01 04:37:02.0000 6236 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/08/01 04:37:02.0078 6236 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/08/01 04:37:02.0203 6236 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/08/01 04:37:02.0421 6236 mfehidk (317997eb32fe039e7881704e596a2ed1) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/08/01 04:37:02.0765 6236 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
2011/08/01 04:37:03.0093 6236 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
2011/08/01 04:37:03.0234 6236 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/01 04:37:03.0343 6236 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/01 04:37:03.0453 6236 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/01 04:37:03.0531 6236 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/01 04:37:03.0625 6236 MPFP (136157e79849b9e5316ba4008d6075a8) C:\WINDOWS\system32\Drivers\Mpfp.sys
2011/08/01 04:37:04.0015 6236 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/01 04:37:04.0140 6236 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/01 04:37:04.0312 6236 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/01 04:37:04.0390 6236 msjfcbk (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\uwtr.sys
2011/08/01 04:37:04.0468 6236 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/01 04:37:04.0625 6236 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/01 04:37:04.0750 6236 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/01 04:37:04.0937 6236 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/01 04:37:05.0156 6236 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/01 04:37:05.0421 6236 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/01 04:37:05.0468 6236 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/01 04:37:05.0640 6236 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/01 04:37:05.0687 6236 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/01 04:37:05.0750 6236 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/01 04:37:05.0921 6236 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/01 04:37:06.0109 6236 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/08/01 04:37:06.0359 6236 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/01 04:37:06.0468 6236 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/01 04:37:06.0656 6236 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/01 04:37:06.0718 6236 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/01 04:37:06.0765 6236 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/01 04:37:06.0953 6236 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/08/01 04:37:07.0156 6236 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/01 04:37:07.0359 6236 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/01 04:37:07.0453 6236 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/01 04:37:07.0640 6236 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/08/01 04:37:07.0765 6236 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/01 04:37:08.0093 6236 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/01 04:37:08.0171 6236 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/01 04:37:08.0453 6236 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/01 04:37:08.0500 6236 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/08/01 04:37:08.0750 6236 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/01 04:37:08.0843 6236 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/01 04:37:08.0953 6236 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/01 04:37:09.0000 6236 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/01 04:37:09.0109 6236 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/01 04:37:09.0171 6236 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/01 04:37:09.0375 6236 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/01 04:37:09.0468 6236 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/01 04:37:09.0875 6236 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/01 04:37:10.0218 6236 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/08/01 04:37:10.0421 6236 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/01 04:37:10.0609 6236 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/01 04:37:10.0718 6236 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/01 04:37:10.0906 6236 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/01 04:37:11.0171 6236 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
2011/08/01 04:37:11.0453 6236 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/01 04:37:11.0625 6236 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/01 04:37:12.0015 6236 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/01 04:37:12.0171 6236 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/01 04:37:12.0312 6236 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/01 04:37:12.0484 6236 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/01 04:37:12.0671 6236 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/01 04:37:12.0937 6236 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/01 04:37:13.0187 6236 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/01 04:37:13.0437 6236 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/01 04:37:13.0562 6236 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/01 04:37:13.0671 6236 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/01 04:37:13.0828 6236 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/08/01 04:37:14.0000 6236 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/01 04:37:14.0156 6236 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/01 04:37:14.0234 6236 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/01 04:37:14.0390 6236 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/08/01 04:37:14.0656 6236 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/01 04:37:14.0859 6236 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/01 04:37:14.0921 6236 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/08/01 04:37:15.0015 6236 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/01 04:37:15.0187 6236 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/08/01 04:37:15.0671 6236 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/01 04:37:15.0765 6236 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/08/01 04:37:15.0875 6236 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/08/01 04:37:15.0890 6236 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/08/01 04:37:15.0890 6236 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR6
2011/08/01 04:37:15.0906 6236 Boot (0x1200) (a0c7603cec9909abdcf6a3fe927f2805) \Device\Harddisk0\DR0\Partition0
2011/08/01 04:37:15.0921 6236 Boot (0x1200) (3bd49ecd838fa2c1bffed53a43f19926) \Device\Harddisk1\DR6\Partition0
2011/08/01 04:37:15.0921 6236 ================================================================================
2011/08/01 04:37:15.0921 6236 Scan finished
2011/08/01 04:37:15.0921 6236 ================================================================================
2011/08/01 04:37:15.0937 7060 Detected object count: 1
2011/08/01 04:37:15.0937 7060 Actual detected object count: 1
2011/08/01 04:37:31.0812 7060 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/08/01 04:37:31.0812 7060 \Device\Harddisk0\DR0 - ok
2011/08/01 04:37:31.0812 7060 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/08/01 04:37:37.0625 7856 Deinitialize success
 
Just got home from work....I do work :)

1. Update MBAM, run "Quick scan" and post new log.

2. Please download Rootkit Unhooker from one of the following links and save it to your desktop.
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

3. Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:


On completion of the scan click "Save log", save it to your desktop and post in your next reply:


NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

4. Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Status
Not open for further replies.
Back