Inactive Infected XP PC, very slow, BSOD


quattttro

Appreciate any help or suggestions. BSODs of the 0x0000008E and 0x000000C2 (bad_pool_caller) variety. Can't install a service pack or anti-virus without a BSOD. I managed to get SP3 installed, somehow, however. I left a full scan of Malwarebytes going overnight; after 14 hours I cancelled it, but 40 further infections were removed. Here are the logs:


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7882

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

10/5/2011 8:30:57 PM
mbam-log-2011-10-05 (20-30-48).txt

Scan type: Quick scan
Objects scanned: 199476
Time elapsed: 13 minute(s), 6 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
c:\program files\HP\hp software update\hpwuschd2.exe (Backdoor.IRCBot) -> 1056 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdate1ca655ebe40a31e (Trojan.PatchLoad) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE (Trojan.PatchLoad) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE (Backdoor.IRCBot) -> Value: HPWUSCHD2.EXE -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\SYSTEM32\TCTRLIOHOOK.EXE (Backdoor.IRCBot) -> Value: TCTRLIOHOOK.EXE -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\SYSTEM32\ZOOMINGHOOK.EXE (Backdoor.IRCBot) -> Value: ZOOMINGHOOK.EXE -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Trojan.Downloader) -> Bad: (Explorer.exe) Good: () -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\HP\hp software update\hpwuschd2.exe (Backdoor.IRCBot) -> No action taken.
c:\WINDOWS\system32\explorer.exe (Trojan.Downloader) -> No action taken.
c:\program files\Google\Update\googleupdate.exe (Trojan.PatchLoad) -> No action taken.
c:\WINDOWS\system32\B5RY8.com (Backdoor.IRCBot) -> No action taken.
c:\WINDOWS\system32\tctrliohook.exe (Backdoor.IRCBot) -> No action taken.
c:\WINDOWS\system32\zoominghook.exe (Backdoor.IRCBot) -> No action taken.
c:\WINDOWS\system32\TPSMain.exe (Backdoor.IRCBot) -> No action taken.
c:\documents and settings\ERegan\application data\Adobe\shed\thr1.chm (Malware.Trace) -> No action taken.
c:\documents and settings\ERegan\application data\Adobe\plugs\mmc206.exe (Trojan.Agent.Gen) -> No action taken.
c:\documents and settings\ERegan\application data\Adobe\plugs\mmc234.exe (Trojan.Agent.Gen) -> No action taken.
c:\documents and settings\ERegan\application data\Adobe\plugs\mmc605418953.txt (Trojan.Agent.Gen) -> No action taken.




GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-10-06 11:48:41
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK8026GAX rev.PA000U
Running: e8fz6uh6.exe; Driver: C:\DOCUME~1\ERegan\LOCALS~1\Temp\pgldypog.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- System - GMER 1.0.15 ----

SSDT hdsector.sys ZwQueryDirectoryFile [0xF78AC776] <-- ROOTKIT !!!

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A9E231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A9E231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A9E231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A9E231B

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\hdsector.sys (*** hidden *** ) [BOOT] hdsector <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by ERegan at 11:52:13 on 2011-10-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1382 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uWinlogon: Shell=c:\documents and settings\eregan\local settings\application data\af48e02d\X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: PDFCreator Toolbar Helper: {c451c08a-ec37-45df-aaad-18b51ab5e837} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PDFCreator Toolbar: {31cf9ebe-5755-4a1d-ac25-2834d952d9b4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Zinio DLM] c:\program files\zinio\ZinioDeliveryManager.exe /autostart
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ZoomingHook] ZoomingHook.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TCtryIOHook] TCtrlIOHook.exe
mRun: [SVPWUTIL] c:\program files\toshiba\windows utilities\SVPWUTIL.exe SVPwUTIL
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HWSetup] c:\program files\toshiba\toshiba applet\HWSetup.exe hwSetUP
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://www.caworkroom.com/qp2.cab
DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} - hxxps://secure.logmeinrescue.com/Customer/x86/RescueDownloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{9DF47B4E-B7ED-46E1-BFB9-B336DCB87375} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft.AntiSpyware.ShellExecuteHook.1: {9ef34ff2-3396-4527-9d27-04c8c1c67806} - c:\program files\microsoft antispyware\shellextension.dll
.
============= SERVICES / DRIVERS ===============
.
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2007-6-11 3712]
R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304]
R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101018.002\NAVENG.sys [2010-10-18 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101018.002\NAVEX15.sys [2010-10-18 1371184]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
=============== Created Last 30 ================
.
2011-10-06 00:42:44 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2011-10-06 00:34:18 -------- d-----w- C:\0b9aea05172f7ac64bd71ba5
2011-10-05 23:56:30 -------- d-----w- C:\ee8a00c41ba25e0314d56809315046
2011-10-05 23:44:23 -------- d-----w- C:\eec52521b27bd034ede6058fa8f7c1
2011-10-05 23:16:59 -------- d-sha-r- C:\cmdcons
2011-10-05 23:15:44 113152 ----a-w- c:\documents and settings\all users\application data\psfhjvPh.exe
2011-10-05 23:14:42 -------- d-s---w- C:\ComboFix
2011-10-05 22:25:18 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-10-05 22:22:14 98816 ----a-w- c:\windows\sed.exe
2011-10-05 22:22:14 518144 ----a-w- c:\windows\SWREG.exe
2011-10-05 22:22:14 256000 ----a-w- c:\windows\PEV.exe
2011-10-05 22:22:14 208896 ----a-w- c:\windows\MBR.exe
2011-10-05 21:41:28 -------- d-----w- c:\windows\EHome
2011-10-05 21:06:24 -------- d-----w- C:\51523192b69ef106e2d8
2011-10-05 20:16:35 -------- d-----w- c:\program files\WhoCrashed
2011-10-05 18:58:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-05 18:58:32 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-10-05 18:39:35 -------- d-----w- c:\documents and settings\eregan\application data\Malwarebytes
2011-10-05 18:39:20 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-10-05 18:39:17 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-05 18:39:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-04 05:00:43 -------- d-sh--w- c:\documents and settings\eregan\IECompatCache
2011-10-04 01:01:49 147456 ----a-w- c:\windows\system32\B5RY8.com
2011-10-04 00:50:35 -------- d-sh--w- c:\documents and settings\eregan\local settings\application data\af48e02d
.
==================== Find3M ====================
.
2011-10-04 01:01:47 147460 ------w- c:\windows\system32\TCtrlIOHook.exe
2011-10-04 01:01:46 147460 ------w- c:\windows\system32\ZoomingHook.exe
2011-10-04 01:01:46 147460 ------w- c:\windows\system32\TPSMain.exe
2011-07-18 23:10:17 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-12 15:20:54 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-07-12 15:20:54 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-07-12 15:20:54 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-07-12 15:20:54 178536 ----a-w- c:\windows\system32\dnssdX.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8026GAX rev.PA000U -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A9E24D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a9e87d0]; MOV EAX, [0x8a9e884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x8A9CFAB8]
3 CLASSPNP[0xF7667FD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\0000007a[0x8A9B1F18]
5 ACPI[0xF750E620] -> nt!IofCallDriver[0x804E37C5] -> [0x8AA0A940]
\Driver\atapi[0x8A9DF850] -> IRP_MJ_CREATE -> 0x8A9E24D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A9E231B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:55:45.89 ===============




.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/18/2006 10:28:43 PM
System Uptime: 10/6/2011 11:41:30 AM (0 hours ago)
.
Motherboard: TOSHIBA | | EBQ10
Processor: Intel(R) Pentium(R) M processor 1.73GHz | U1 | 1728/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 44.736 GiB free.
D: is CDROM (CDFS)
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 10/5/2011 9:20:24 PM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Reader 7.1.0
ALPS Touch Pad Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
BlackBerry Desktop Software 4.2.2
Bonjour
BufferChm
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities ZoomBrowser EX
CD/DVD Drive Acoustic Silencer
Compatibility Pack for the 2007 Office system
Corel GuideMenu
Critical Update for Windows Media Player 11 (KB959772)
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DVD-RAM Driver
eSupportQFolder
FrostWire 4.21.5
Google Earth
Google Update Helper
GuideMenu
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Deskjet 5400 series
HP Imaging Device Functions 5.0
HP Photosmart Essential
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
HP Update
HPDeskjet5400Series
HPProductAssistant
IMapViewer 1.1.0(05051801)
Intel(R) Graphics Media Accelerator Driver for Mobile
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
InterVideo WinDVD SE
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0
Java Auto Updater
Java(TM) 6 Update 21
KhalSetup
LiveUpdate 1.80 (Symantec Corporation)
Logitech SetPoint
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft AntiSpyware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office File Validation Add-In
Microsoft Office PowerPoint Viewer 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft XML Parser
MobileMe Control Panel
Move Networks Media Player for Internet Explorer
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PDFCreator
PDFCreator Toolbar
Picasa 3
QuickTime
QuickTime for Windows (32-bit)
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Roxio Media Manager
Safari
SD Secure Module
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
SolutionCenter
Sonic DLA
Sonic RecordNow!
Spybot - Search & Destroy
Status
Symantec AntiVirus Client
TOSHIBA Accessibility
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Fn-esse
TOSHIBA Hardware Setup
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
Toshiba Tbiosdrv Driver
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
TouchPad On/Off Utility
TrayApp
TWV UAM
Ulead DVD MovieFactory SE
Unload
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Utility Common Driver
WebFldrs XP
WebReg
WhoCrashed 3.02
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows NT Messaging
Windows XP Service Pack 3
WinZip
.
==== Event Viewer Messages From Past Week ========
.
10/6/2011 9:16:41 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: General access denied error
10/6/2011 8:16:53 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: General access denied error
10/6/2011 7:16:45 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: General access denied error
10/6/2011 6:16:47 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: General access denied error
10/6/2011 5:16:50 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: General access denied error
10/6/2011 4:16:42 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: General access denied error
10/6/2011 3:30:50 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: General access denied error
10/6/2011 2:16:47 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: General access denied error
10/6/2011 12:16:47 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: General access denied error
10/6/2011 11:43:02 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
10/6/2011 11:16:51 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: General access denied error
10/6/2011 10:16:59 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: General access denied error
10/6/2011 1:16:45 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: General access denied error
10/5/2011 9:24:52 PM, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/5/2011 9:24:51 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
10/5/2011 9:24:11 PM, error: Service Control Manager [7005] - The LoadUserProfile call failed with the following error: Access is denied.
10/5/2011 9:22:21 PM, error: Service Control Manager [7022] - The Windows Firewall/Internet Connection Sharing (ICS) service hung on starting.
10/5/2011 8:08:43 PM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070641: Update for Microsoft Office 2003 (KB949074).
10/5/2011 8:06:50 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
10/5/2011 7:50:35 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
10/5/2011 7:12:01 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service gupdate1ca655ebe40a31e with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
10/5/2011 7:10:12 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
10/5/2011 7:02:55 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/5/2011 7:02:54 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
10/5/2011 6:17:05 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 80564272, parameter3 b9dcdc68, parameter4 00000000.
10/5/2011 5:57:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
10/5/2011 4:05:56 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 80564272, parameter3 a08b5c68, parameter4 00000000.
10/5/2011 3:09:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/5/2011 2:51:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
10/5/2011 2:38:36 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/5/2011 2:37:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm SerTVOutCtlr SrvcEKIOMngr SrvcSSIOMngr TPwSav
10/5/2011 2:36:23 PM, error: DCOM [10005] - DCOM got error "%1055" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/5/2011 2:28:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the NVIDIA Display Driver Service service to connect.
10/5/2011 2:28:47 PM, error: Service Control Manager [7000] - The NVIDIA Display Driver Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/5/2011 11:37:15 PM, error: Service Control Manager [7023] - The WMI Performance Adapter service terminated with the following error: Unspecified error
10/5/2011 11:16:54 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: General access denied error
10/5/2011 10:16:55 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: General access denied error
10/5/2011 1:15:01 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 80564272, parameter3 9bcc1bf8, parameter4 00000000.
10/4/2011 2:42:45 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Image Acquisition (WIA) service to connect.
10/4/2011 2:42:45 AM, error: Service Control Manager [7001] - The Canon Camera Access Library 8 service depends on the Windows Image Acquisition (WIA) service which failed to start because of the following error: The service did not respond to the start or control request in a timely fashion.
10/4/2011 2:42:45 AM, error: Service Control Manager [7000] - The Windows Image Acquisition (WIA) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/4/2011 2:42:44 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveShare P2P Server 9 service to connect.
10/4/2011 2:42:43 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Upnp Server 9 service to connect.
10/4/2011 2:42:43 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ProtexisLicensing service to connect.
10/4/2011 2:42:43 AM, error: Service Control Manager [7000] - The Pml Driver HPZ12 service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/4/2011 2:42:42 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Pml Driver HPZ12 service to connect.
10/4/2011 2:42:41 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IviRegMgr service to connect.
10/4/2011 2:42:41 AM, error: Service Control Manager [7000] - The IviRegMgr service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/4/2011 2:42:39 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the DVD-RAM_Service service to connect.
10/4/2011 2:42:39 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the DefWatch service to connect.
10/4/2011 2:42:39 AM, error: Service Control Manager [7000] - The DVD-RAM_Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/4/2011 12:48:25 AM, error: DCOM [10000] - Unable to start a DCOM Server: {FFF2D28F-E4EE-44D9-8104-8E71556757F6}. The error: "%5" Happened while starting this command: "C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe" -Embedding
10/4/2011 12:45:46 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000017, parameter2 805e3684, parameter3 9c8297dc, parameter4 00000000.
10/4/2011 12:40:51 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
10/4/2011 12:39:19 AM, error: Service Control Manager [7000] - The Java Quick Starter service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/4/2011 12:39:18 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Java Quick Starter service to connect.
10/4/2011 12:39:15 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Apple Mobile Device service to connect.
10/4/2011 12:39:15 AM, error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/3/2011 9:32:26 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
10/3/2011 9:19:33 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service gupdate1ca655ebe40a31e with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
10/3/2011 9:19:32 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate1ca655ebe40a31e) service to connect.
10/3/2011 9:19:32 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate1ca655ebe40a31e) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/3/2011 9:19:03 PM, error: Service Control Manager [7001] - The Canon Camera Access Library 8 service depends on the Windows Image Acquisition (WIA) service which failed to start because of the following error: After starting, the service hung in a start-pending state.
10/3/2011 9:18:29 PM, error: Service Control Manager [7022] - The Windows Image Acquisition (WIA) service hung on starting.
10/3/2011 9:17:30 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Symantec AntiVirus Client service to connect.
10/3/2011 9:17:30 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
10/3/2011 9:17:30 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Machine Debug Manager service to connect.
10/3/2011 9:17:30 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ConfigFree Service service to connect.
10/3/2011 9:17:30 PM, error: Service Control Manager [7000] - The Machine Debug Manager service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/3/2011 9:17:28 PM, error: Service Control Manager [7000] - The Bonjour Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/3/2011 9:17:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Bonjour Service service to connect.
10/3/2011 9:11:30 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'ipsec.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
.
==== End Of File ===========================
 
Welcome aboard

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

====================================================================

Download TDSSKiller and save it to your desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
Thanks for the help, Broni. Here is the log:


14:49:18.0187 3820 TDSS rootkit removing tool 2.6.5.0 Oct 5 2011 20:52:46
14:49:20.0046 3820 ============================================================
14:49:20.0046 3820 Current date / time: 2011/10/06 14:49:20.0046
14:49:20.0046 3820 SystemInfo:
14:49:20.0046 3820
14:49:20.0046 3820 OS Version: 5.1.2600 ServicePack: 3.0
14:49:20.0046 3820 Product type: Workstation
14:49:20.0046 3820 ComputerName: VP-11
14:49:20.0046 3820 UserName: ERegan
14:49:20.0046 3820 Windows directory: C:\WINDOWS
14:49:20.0046 3820 System windows directory: C:\WINDOWS
14:49:20.0046 3820 Processor architecture: Intel x86
14:49:20.0046 3820 Number of processors: 1
14:49:20.0046 3820 Page size: 0x1000
14:49:20.0046 3820 Boot type: Normal boot
14:49:20.0046 3820 ============================================================
14:49:21.0859 3820 Initialize success
14:49:40.0531 3888 ============================================================
14:49:40.0531 3888 Scan started
14:49:40.0531 3888 Mode: Manual;
14:49:40.0531 3888 ============================================================
14:49:40.0953 3888 Abiosdsk - ok
14:49:40.0968 3888 abp480n5 - ok
14:49:41.0093 3888 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:49:41.0109 3888 ACPI - ok
14:49:41.0156 3888 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
14:49:41.0156 3888 ACPIEC - ok
14:49:41.0171 3888 adpu160m - ok
14:49:41.0296 3888 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:49:41.0296 3888 aec - ok
14:49:41.0312 3888 af48e02d - ok
14:49:41.0375 3888 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
14:49:41.0375 3888 AFD - ok
14:49:41.0500 3888 AgereSoftModem (029e01cb2938bec5af31bf47b6af0159) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
14:49:41.0515 3888 AgereSoftModem - ok
14:49:41.0703 3888 Aha154x - ok
14:49:41.0765 3888 aic78u2 - ok
14:49:41.0812 3888 aic78xx - ok
14:49:42.0078 3888 ALCXWDM (95aa37bec6c72c277c2caeaee736dd2d) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
14:49:42.0125 3888 ALCXWDM - ok
14:49:42.0140 3888 AliIde - ok
14:49:42.0156 3888 amsint - ok
14:49:42.0203 3888 ApfiltrService (3ed81e8b4709d13e5a38db2d8e792b28) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
14:49:42.0218 3888 ApfiltrService - ok
14:49:42.0281 3888 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
14:49:42.0296 3888 Arp1394 - ok
14:49:42.0312 3888 asc - ok
14:49:42.0328 3888 asc3350p - ok
14:49:42.0343 3888 asc3550 - ok
14:49:42.0421 3888 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:49:42.0421 3888 AsyncMac - ok
14:49:42.0468 3888 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:49:42.0468 3888 atapi - ok
14:49:42.0671 3888 Atdisk - ok
14:49:42.0812 3888 ati2mtag (2fbdfec8cd60cec3d55e615865333033) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
14:49:42.0828 3888 ati2mtag - ok
14:49:42.0921 3888 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:49:42.0921 3888 Atmarpc - ok
14:49:42.0968 3888 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:49:42.0968 3888 audstub - ok
14:49:43.0015 3888 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:49:43.0015 3888 Beep - ok
14:49:43.0187 3888 catchme - ok
14:49:43.0234 3888 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:49:43.0234 3888 cbidf2k - ok
14:49:43.0265 3888 cd20xrnt - ok
14:49:43.0312 3888 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:49:43.0312 3888 Cdaudio - ok
14:49:43.0593 3888 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:49:43.0593 3888 Cdfs - ok
14:49:43.0671 3888 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:49:43.0671 3888 Cdrom - ok
14:49:43.0703 3888 Changer - ok
14:49:43.0734 3888 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
14:49:43.0734 3888 CmBatt - ok
14:49:43.0796 3888 CmdIde - ok
14:49:43.0843 3888 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:49:43.0859 3888 Compbatt - ok
14:49:43.0875 3888 Cpqarray - ok
14:49:43.0921 3888 CVirtA (cb7d7c0e74adcb7da96d08ec8db86062) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
14:49:43.0921 3888 CVirtA - ok
14:49:43.0937 3888 dac2w2k - ok
14:49:43.0968 3888 dac960nt - ok
14:49:44.0031 3888 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:49:44.0031 3888 Disk - ok
14:49:44.0156 3888 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:49:44.0203 3888 dmboot - ok
14:49:44.0296 3888 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
14:49:44.0296 3888 dmio - ok
14:49:44.0546 3888 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:49:44.0546 3888 dmload - ok
14:49:44.0609 3888 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:49:44.0609 3888 DMusic - ok
14:49:44.0703 3888 dpti2o - ok
14:49:44.0750 3888 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:49:44.0750 3888 drmkaud - ok
14:49:44.0828 3888 drvmcdb (f41619ae216b51d68dda163805eefaa9) C:\WINDOWS\system32\drivers\drvmcdb.sys
14:49:44.0828 3888 drvmcdb - ok
14:49:44.0859 3888 drvnddm (2ff629c1c443e25d0149b9dfb77e43a8) C:\WINDOWS\system32\drivers\drvnddm.sys
14:49:44.0859 3888 drvnddm - ok
14:49:44.0937 3888 EMSCR (d3d0ef132eb8f7351e0f6e8072e26331) C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
14:49:44.0937 3888 EMSCR - ok
14:49:44.0953 3888 ESDCR (fcf25b9eb1876dbb3efe13baf37b7bf8) C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
14:49:44.0968 3888 ESDCR - ok
14:49:44.0984 3888 ESMCR (7cec9e3a81142ea0294f2abba0b0a846) C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
14:49:44.0984 3888 ESMCR - ok
14:49:45.0078 3888 EUSBMSD (3dc945a9abbfb2ecf268eed276e05fec) C:\WINDOWS\system32\DRIVERS\EUSBMSD.SYS
14:49:45.0078 3888 EUSBMSD - ok
14:49:45.0171 3888 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:49:45.0171 3888 Fastfat - ok
14:49:45.0234 3888 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
14:49:45.0234 3888 Fdc - ok
14:49:45.0468 3888 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:49:45.0468 3888 Fips - ok
14:49:45.0500 3888 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
14:49:45.0500 3888 Flpydisk - ok
14:49:45.0640 3888 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:49:45.0640 3888 FltMgr - ok
14:49:45.0656 3888 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:49:45.0656 3888 Fs_Rec - ok
14:49:45.0718 3888 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:49:45.0718 3888 Ftdisk - ok
14:49:45.0765 3888 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
14:49:45.0765 3888 GEARAspiWDM - ok
14:49:45.0859 3888 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:49:45.0859 3888 Gpc - ok
14:49:45.0921 3888 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:49:45.0921 3888 HidUsb - ok
14:49:45.0953 3888 hpn - ok
14:49:46.0000 3888 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
14:49:46.0015 3888 HPZid412 - ok
14:49:46.0046 3888 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
14:49:46.0046 3888 HPZipr12 - ok
14:49:46.0078 3888 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
14:49:46.0078 3888 HPZius12 - ok
14:49:46.0171 3888 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:49:46.0171 3888 HTTP - ok
14:49:46.0359 3888 i2omgmt - ok
14:49:46.0390 3888 i2omp - ok
14:49:46.0468 3888 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:49:46.0468 3888 i8042prt - ok
14:49:46.0562 3888 ialm (d4405bd2b6e95efdc8e674ed4032874f) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
14:49:46.0578 3888 ialm - ok
14:49:46.0687 3888 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:49:46.0687 3888 Imapi - ok
14:49:46.0703 3888 ini910u - ok
14:49:46.0765 3888 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
14:49:46.0765 3888 IntelIde - ok
14:49:46.0796 3888 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:49:46.0796 3888 intelppm - ok
14:49:46.0843 3888 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:49:46.0843 3888 Ip6Fw - ok
14:49:46.0875 3888 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:49:46.0875 3888 IpFilterDriver - ok
14:49:46.0968 3888 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:49:46.0968 3888 IpInIp - ok
14:49:47.0078 3888 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:49:47.0078 3888 IpNat - ok
14:49:47.0343 3888 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:49:47.0343 3888 IPSec - ok
14:49:47.0390 3888 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:49:47.0406 3888 IRENUM - ok
14:49:47.0484 3888 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:49:47.0500 3888 isapnp - ok
14:49:47.0531 3888 Iviaspi (4ac11b2250106774f694df2db4ffed61) C:\WINDOWS\system32\drivers\iviaspi.sys
14:49:47.0531 3888 Iviaspi - ok
14:49:47.0562 3888 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:49:47.0562 3888 Kbdclass - ok
14:49:47.0640 3888 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:49:47.0656 3888 kmixer - ok
14:49:47.0750 3888 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:49:47.0750 3888 KSecDD - ok
14:49:47.0781 3888 L8042Kbd (0f5ae6805ef05dbbe205e5b196cadf31) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
14:49:47.0781 3888 L8042Kbd - ok
14:49:47.0843 3888 LBeepKE (17638894e150efee66d97bce8f037519) C:\WINDOWS\system32\Drivers\LBeepKE.sys
14:49:47.0843 3888 LBeepKE - ok
14:49:47.0859 3888 lbrtfdc - ok
14:49:47.0890 3888 LHidKe (eaed22460dad9ccd9c9a58c78e717497) C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
14:49:47.0890 3888 LHidKe - ok
14:49:47.0937 3888 LMouKE (d1fd76ea56cd653d7b55a0fac96ee416) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
14:49:47.0937 3888 LMouKE - ok
14:49:48.0171 3888 MBAMSwissArmy - ok
14:49:48.0203 3888 meiudf (63351a2b051dfc4e7bb41319c8c1ace4) C:\WINDOWS\system32\Drivers\meiudf.sys
14:49:48.0203 3888 meiudf - ok
14:49:48.0218 3888 MEMSWEEP2 - ok
14:49:48.0296 3888 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:49:48.0296 3888 mnmdd - ok
14:49:48.0359 3888 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:49:48.0359 3888 Modem - ok
14:49:48.0406 3888 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:49:48.0406 3888 Mouclass - ok
14:49:48.0421 3888 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:49:48.0421 3888 mouhid - ok
14:49:48.0531 3888 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:49:48.0531 3888 MountMgr - ok
14:49:48.0593 3888 mraid35x - ok
14:49:48.0687 3888 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:49:48.0687 3888 MRxDAV - ok
14:49:48.0765 3888 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:49:48.0781 3888 MRxSmb - ok
14:49:48.0859 3888 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:49:48.0859 3888 Msfs - ok
14:49:49.0171 3888 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:49:49.0171 3888 MSKSSRV - ok
14:49:49.0234 3888 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:49:49.0234 3888 MSPCLOCK - ok
14:49:49.0296 3888 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:49:49.0296 3888 MSPQM - ok
14:49:49.0343 3888 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:49:49.0343 3888 mssmbios - ok
14:49:49.0437 3888 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
14:49:49.0437 3888 Mup - ok
14:49:49.0531 3888 NAVAP - ok
14:49:49.0546 3888 NAVAPEL - ok
14:49:49.0609 3888 NAVENG - ok
14:49:49.0625 3888 NAVEX15 - ok
14:49:49.0906 3888 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:49:49.0906 3888 NDIS - ok
14:49:50.0046 3888 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:49:50.0046 3888 NdisTapi - ok
14:49:50.0125 3888 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:49:50.0125 3888 Ndisuio - ok
14:49:50.0171 3888 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:49:50.0171 3888 NdisWan - ok
14:49:50.0218 3888 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
14:49:50.0218 3888 NDProxy - ok
14:49:50.0281 3888 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:49:50.0281 3888 NetBIOS - ok
14:49:50.0359 3888 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:49:50.0359 3888 NetBT - ok
14:49:50.0421 3888 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
14:49:50.0421 3888 Netdevio - ok
14:49:50.0484 3888 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
14:49:50.0484 3888 NIC1394 - ok
14:49:50.0718 3888 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:49:50.0718 3888 Npfs - ok
14:49:50.0781 3888 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:49:50.0796 3888 Ntfs - ok
14:49:50.0906 3888 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:49:50.0906 3888 Null - ok
14:49:51.0156 3888 nv (6779625536ffc46f18cce797c327eb3e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
14:49:51.0218 3888 nv - ok
14:49:51.0453 3888 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:49:51.0453 3888 NwlnkFlt - ok
14:49:51.0468 3888 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:49:51.0484 3888 NwlnkFwd - ok
14:49:51.0546 3888 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
14:49:51.0546 3888 ohci1394 - ok
14:49:51.0703 3888 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
14:49:51.0703 3888 Parport - ok
14:49:51.0781 3888 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:49:51.0796 3888 PartMgr - ok
14:49:51.0828 3888 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:49:51.0828 3888 ParVdm - ok
14:49:51.0890 3888 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:49:51.0890 3888 PCI - ok
14:49:51.0906 3888 PCIDump - ok
14:49:51.0953 3888 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:49:51.0953 3888 PCIIde - ok
14:49:52.0046 3888 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
14:49:52.0062 3888 Pcmcia - ok
14:49:52.0078 3888 PDCOMP - ok
14:49:52.0093 3888 PDFRAME - ok
14:49:52.0109 3888 PDRELI - ok
14:49:52.0125 3888 PDRFRAME - ok
14:49:52.0140 3888 perc2 - ok
14:49:52.0156 3888 perc2hib - ok
14:49:52.0203 3888 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
14:49:52.0203 3888 Pfc - ok
14:49:52.0437 3888 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:49:52.0437 3888 PptpMiniport - ok
14:49:52.0484 3888 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:49:52.0484 3888 PSched - ok
14:49:52.0625 3888 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:49:52.0625 3888 Ptilink - ok
14:49:52.0671 3888 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
14:49:52.0671 3888 PxHelp20 - ok
14:49:52.0718 3888 ql1080 - ok
14:49:52.0750 3888 Ql10wnt - ok
14:49:52.0765 3888 ql12160 - ok
14:49:52.0781 3888 ql1240 - ok
14:49:52.0796 3888 ql1280 - ok
14:49:52.0828 3888 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:49:52.0828 3888 RasAcd - ok
14:49:52.0875 3888 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:49:52.0875 3888 Rasl2tp - ok
14:49:52.0921 3888 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:49:52.0921 3888 RasPppoe - ok
14:49:52.0937 3888 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:49:52.0937 3888 Raspti - ok
14:49:53.0046 3888 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:49:53.0062 3888 Rdbss - ok
14:49:53.0109 3888 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:49:53.0109 3888 RDPCDD - ok
14:49:53.0187 3888 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
14:49:53.0187 3888 RDPWD - ok
14:49:53.0281 3888 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:49:53.0281 3888 redbook - ok
14:49:53.0500 3888 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
14:49:53.0500 3888 RimVSerPort - ok
14:49:53.0562 3888 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
14:49:53.0562 3888 ROOTMODEM - ok
14:49:53.0671 3888 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
14:49:53.0671 3888 RTL8023xp - ok
14:49:53.0718 3888 SAVRKBootTasks (e5c587c0668f83e799d1c43bc53e5e37) C:\WINDOWS\system32\SAVRKBootTasks.sys
14:49:53.0750 3888 SAVRKBootTasks - ok
14:49:53.0812 3888 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
14:49:53.0812 3888 sdbus - ok
14:49:53.0875 3888 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:49:53.0875 3888 Secdrv - ok
14:49:53.0937 3888 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
14:49:53.0937 3888 Serial - ok
14:49:53.0968 3888 SerTVOutCtlr (c996c839a3261cab5409c61e5702b620) C:\WINDOWS\system32\drivers\EPIOMngr.sys
14:49:53.0968 3888 SerTVOutCtlr - ok
14:49:54.0015 3888 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:49:54.0031 3888 Sfloppy - ok
14:49:54.0078 3888 Simbad - ok
14:49:54.0109 3888 Sparrow - ok
14:49:54.0156 3888 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:49:54.0156 3888 splitter - ok
14:49:54.0218 3888 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:49:54.0218 3888 sr - ok
14:49:54.0468 3888 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
14:49:54.0468 3888 Srv - ok
14:49:54.0578 3888 SrvcEKIOMngr (3b01a9316255cdd17f9c8e79aa573406) C:\WINDOWS\system32\Drivers\EKIoMngr.sys
14:49:54.0578 3888 SrvcEKIOMngr - ok
14:49:54.0625 3888 SrvcSSIOMngr (79b7af340d55861df1d69e7bac975fcc) C:\WINDOWS\system32\Drivers\SSIoMngr.sys
14:49:54.0625 3888 SrvcSSIOMngr - ok
14:49:54.0671 3888 sscdbhk5 (1cbd1b58a32de97899f5290b05f856db) C:\WINDOWS\system32\drivers\sscdbhk5.sys
14:49:54.0687 3888 sscdbhk5 - ok
14:49:54.0765 3888 ssrtln (7fb07ac152d7a87e66204860002bd9a4) C:\WINDOWS\system32\drivers\ssrtln.sys
14:49:54.0765 3888 ssrtln - ok
14:49:54.0875 3888 StickyMesger - ok
14:49:54.0937 3888 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:49:54.0937 3888 swenum - ok
14:49:55.0000 3888 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:49:55.0015 3888 swmidi - ok
14:49:55.0062 3888 symc810 - ok
14:49:55.0093 3888 symc8xx - ok
14:49:55.0109 3888 sym_hi - ok
14:49:55.0125 3888 sym_u3 - ok
14:49:55.0203 3888 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:49:55.0203 3888 sysaudio - ok
14:49:55.0250 3888 TBiosDrv (1f26d86828039c0b594399f7f2ffef09) C:\WINDOWS\system32\Drivers\Tbiosdrv.sys
14:49:55.0250 3888 TBiosDrv - ok
14:49:55.0500 3888 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:49:55.0500 3888 Tcpip - ok
14:49:55.0609 3888 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:49:55.0609 3888 TDPIPE - ok
14:49:55.0687 3888 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:49:55.0687 3888 TDTCP - ok
14:49:55.0734 3888 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:49:55.0734 3888 TermDD - ok
14:49:55.0796 3888 tfsnboio (2da3ca4022abb0802de7eeda574e78d6) C:\WINDOWS\system32\dla\tfsnboio.sys
14:49:55.0796 3888 tfsnboio - ok
14:49:55.0828 3888 tfsncofs (c8d6928759b77701c21dc90ad61197f2) C:\WINDOWS\system32\dla\tfsncofs.sys
14:49:55.0843 3888 tfsncofs - ok
14:49:55.0859 3888 tfsndrct (bacdef5510fa643683cddca418e49446) C:\WINDOWS\system32\dla\tfsndrct.sys
14:49:55.0859 3888 tfsndrct - ok
14:49:55.0875 3888 tfsndres (3fc9f390fac563c3d3910d540adbd408) C:\WINDOWS\system32\dla\tfsndres.sys
14:49:55.0875 3888 tfsndres - ok
14:49:55.0906 3888 tfsnifs (6aef3ec0b64689536891a9b96e9d7b82) C:\WINDOWS\system32\dla\tfsnifs.sys
14:49:55.0906 3888 tfsnifs - ok
14:49:55.0953 3888 tfsnopio (7239873a72dd456f6e74e6987cdb9687) C:\WINDOWS\system32\dla\tfsnopio.sys
14:49:55.0953 3888 tfsnopio - ok
14:49:55.0968 3888 tfsnpool (b78631e3593ddd76a4a8ba7cb8e32302) C:\WINDOWS\system32\dla\tfsnpool.sys
14:49:55.0968 3888 tfsnpool - ok
14:49:56.0000 3888 tfsnudf (9e8b4abb93e5784fc4e5d3202566cc7a) C:\WINDOWS\system32\dla\tfsnudf.sys
14:49:56.0031 3888 tfsnudf - ok
14:49:56.0078 3888 tfsnudfa (056fa0a11ba4cd688e1e40e48ffee921) C:\WINDOWS\system32\dla\tfsnudfa.sys
14:49:56.0093 3888 tfsnudfa - ok
14:49:56.0109 3888 TosIde - ok
14:49:56.0171 3888 TPwSav (542dd0c0d8a1aa428a8c8d1517edb679) C:\WINDOWS\system32\Drivers\TPwSav.sys
14:49:56.0171 3888 TPwSav - ok
14:49:56.0375 3888 Tvs (7bc87d123f504d161693f672cfe99ec4) C:\WINDOWS\system32\DRIVERS\Tvs.sys
14:49:56.0375 3888 Tvs - ok
14:49:56.0437 3888 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:49:56.0437 3888 Udfs - ok
14:49:56.0515 3888 ultra - ok
14:49:56.0625 3888 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:49:56.0640 3888 Update - ok
14:49:56.0687 3888 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
14:49:56.0687 3888 USBAAPL - ok
14:49:56.0750 3888 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:49:56.0750 3888 usbccgp - ok
14:49:56.0765 3888 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:49:56.0781 3888 usbehci - ok
14:49:56.0859 3888 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:49:56.0859 3888 usbhub - ok
14:49:56.0953 3888 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:49:56.0953 3888 usbprint - ok
14:49:56.0984 3888 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:49:56.0984 3888 usbscan - ok
14:49:57.0234 3888 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:49:57.0234 3888 USBSTOR - ok
14:49:57.0328 3888 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:49:57.0328 3888 usbuhci - ok
14:49:57.0437 3888 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:49:57.0437 3888 VgaSave - ok
14:49:57.0453 3888 ViaIde - ok
14:49:57.0515 3888 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:49:57.0515 3888 VolSnap - ok
14:49:57.0765 3888 w29n51 (c89da341fcc883a3d79dc11727484fc2) C:\WINDOWS\system32\DRIVERS\w29n51.sys
14:49:57.0828 3888 w29n51 - ok
14:49:58.0140 3888 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:49:58.0140 3888 Wanarp - ok
14:49:58.0218 3888 WDICA - ok
14:49:58.0265 3888 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:49:58.0265 3888 wdmaud - ok
14:49:58.0375 3888 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:49:58.0375 3888 WudfPf - ok
14:49:58.0437 3888 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:49:58.0437 3888 WudfRd - ok
14:49:58.0484 3888 MBR (0x1B8) (2a38a2f9deea228d8e1783700ed15448) \Device\Harddisk0\DR0
14:49:58.0484 3888 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
14:49:58.0484 3888 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
14:49:58.0484 3888 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR4
14:49:58.0500 3888 \Device\Harddisk1\DR4 - ok
14:49:58.0500 3888 Boot (0x1200) (e5eced1a9b55285b81e708762ed70007) \Device\Harddisk0\DR0\Partition0
14:49:58.0500 3888 \Device\Harddisk0\DR0\Partition0 - ok
14:49:58.0500 3888 Boot (0x1200) (a5dbc6b2bb2c052ab57592b83b4af2cd) \Device\Harddisk1\DR4\Partition0
14:49:58.0500 3888 \Device\Harddisk1\DR4\Partition0 - ok
14:49:58.0515 3888 ============================================================
14:49:58.0515 3888 Scan finished
14:49:58.0515 3888 ============================================================
14:49:58.0515 3880 Detected object count: 1
14:49:58.0515 3880 Actual detected object count: 1
14:50:13.0734 3880 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
14:50:13.0734 3880 \Device\Harddisk0\DR0 - ok
14:50:13.0734 3880 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
14:50:16.0421 3812 Deinitialize success
 
thanks again!

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-10-06 16:54:07
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK8026GAX rev.PA000U
Running: e8fz6uh6.exe; Driver: C:\DOCUME~1\ERegan\LOCALS~1\Temp\pgldypog.sys


---- System - GMER 1.0.15 ----

Code ACF235C1 KeFindConfigurationEntry

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
 
Looks good :)

Is the computer doing better?

See if you can update and run Malwarebytes now.
"Quick scan" will be fine.
Post fresh log.
 
Yes, much better. I installed Avira Free and uninstalled an old version of Norton that the owner had installed, before that fresh GMER log. It ran a scan and found 50-odd infections and quarantined them. Sorry for adding an 'unauthorized' step.

Windows Updates are working as is Malwarebytes. I will post a log when the scan is completed.
 
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7888

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/6/2011 5:13:50 PM
mbam-log-2011-10-06 (17-13-50).txt

Scan type: Quick scan
Objects scanned: 200170
Time elapsed: 5 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Good :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I've tried all your methods for running ComboFix, however, it always stalls (no disk activity) about two minutes after the scan begins. I tried safemode, renaming, and RKILL. Is this a necessary step?
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan:


On completion of the scan click "Save log", save it to your desktop and post in your next reply:


NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-07 10:23:05
-----------------------------
10:23:05.093 OS Version: Windows 5.1.2600 Service Pack 3
10:23:05.093 Number of processors: 1 586 0xD08
10:23:05.093 ComputerName: VP-11 UserName:
10:23:06.000 Initialize success
10:33:59.218 AVAST engine defs: 11100700
10:34:12.421 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:34:12.421 Disk 0 Vendor: TOSHIBA_MK8026GAX PA000U Size: 76128MB BusType: 3
10:34:14.453 Disk 0 MBR read successfully
10:34:14.453 Disk 0 MBR scan
10:34:14.546 Disk 0 unknown MBR code
10:34:14.546 Disk 0 scanning sectors +155910825
10:34:14.593 Disk 0 scanning C:\WINDOWS\system32\drivers
10:34:33.671 Service scanning
10:34:34.937 Modules scanning
10:34:40.718 Disk 0 trace - called modules:
10:34:40.734 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
10:34:40.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a9ccab8]
10:34:40.734 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\0000007d[0x8aa02a00]
10:34:40.734 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a997d98]
10:34:41.406 AVAST engine scan C:\WINDOWS
10:35:11.500 AVAST engine scan C:\WINDOWS\system32
10:37:49.984 AVAST engine scan C:\WINDOWS\system32\drivers
10:38:09.906 AVAST engine scan C:\Documents and Settings\ERegan
10:41:27.125 AVAST engine scan C:\Documents and Settings\All Users
10:41:57.859 Scan finished successfully
10:43:37.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\ERegan\Desktop\MBR.dat"
10:43:37.968 The log file has been saved successfully to "C:\Documents and Settings\ERegan\Desktop\aswMBR.txt"
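Added example, not code from TDSSKiller, aswMBR, GMER or any poster in this thread: a small parser for a raw 512-byte MBR image such as the MBR.dat that aswMBR saved to the desktop above. Two log lines in this thread motivate it. TDSSKiller's "MBR (0x1B8) (2a38a2f9...) \Device\Harddisk0\DR0" paired with "Rootkit.Win32.TDSS.tdl4 ... will be cured on reboot" shows the bootkit living in the bootstrap code, and aswMBR's later "Disk 0 unknown MBR code" shows that a scanner with no matching signature falls back to "is this bootstrap code one I recognise?". The script reproduces that check: it hashes the bootstrap region, lists the partition table, and reports the unpartitioned tail of the disk, which is where TDL4 keeps its hidden storage and where the "scanning sectors +N" line is looking. Assumptions, labelled in the code as well: TDSSKiller's 0x1B8 is read as the length of the bootstrap code it hashes (440 bytes, everything before the disk signature), and the allowlist hash is taken from an MBR constructed inside the script, not from a real Windows XP boot sector. The disk geometry (155910144 sectors) is derived from the 76128MB size aswMBR printed.

```python
# Added example for this thread: parse a 512-byte MBR image (e.g. aswMBR's
# MBR.dat) and compare its bootstrap code against an allowlist of hashes.
# NOT code from TDSSKiller, aswMBR or GMER.
# Assumptions not stated on the page:
#  * TDSSKiller's "MBR (0x1B8)" is read as the length of the hashed
#    bootstrap code: 0x1B8 = 440 bytes, everything before the disk signature.
#  * KNOWN_GOOD is seeded from a sample MBR constructed below, not from a
#    real Windows XP bootstrap hash; on a real case seed it from clean media.
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 0x1B8        # bootstrap code occupies bytes 0x000..0x1B7
DISK_SIG_OFF = 0x1B8        # 4-byte NT disk signature
PTABLE_OFF = 0x1BE          # four 16-byte partition entries
MAGIC = b"\x55\xAA"         # boot signature at 0x1FE


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap hash, disk signature and partitions."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly %d bytes" % SECTOR)
    partitions = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:                      # type 0x00 = unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba,
                               "sectors": count})
    return {
        "bootcode_md5": hashlib.md5(mbr[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "magic_ok": mbr[0x1FE:0x200] == MAGIC,
        "partitions": partitions,
    }


def classify(mbr: bytes, known_good: set) -> list:
    """Findings about the bootstrap code; empty list means it is on the allowlist."""
    info = parse_mbr(mbr)
    findings = []
    if not info["magic_ok"]:
        findings.append("boot signature 55AA missing")
    if info["bootcode_md5"] not in known_good:
        # the same situation aswMBR reports as "unknown MBR code"
        findings.append("unknown MBR code (md5 %s)" % info["bootcode_md5"])
    return findings


def unallocated_tail(info: dict, disk_sectors: int) -> tuple:
    """(first LBA, length) of the gap after the last partition; TDL4 stores
    its hidden file system there, so MBR scanners read those sectors too."""
    if not info["partitions"]:
        return (0, disk_sectors)
    end = max(p["lba_start"] + p["sectors"] for p in info["partitions"])
    return (end, max(0, disk_sectors - end))


def build_sample_mbr() -> bytes:
    """Constructed MBR for the demo: fake bootstrap code, one bootable NTFS partition."""
    code = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" * 63)[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\x90")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                        63, 155908033)   # starts at LBA 63, leaves a 2048-sector tail
    mbr = code + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00" + entry + b"\x00" * 48 + MAGIC
    assert len(mbr) == SECTOR
    return mbr


def tampered_copy(mbr: bytes) -> bytes:
    """Overwrite one bootstrap byte with a jmp opcode, as a bootkit patch would."""
    return mbr[:0x10] + b"\xE9" + mbr[0x11:]


# Allowlist seeded from the constructed sample (assumption: in real use this
# would hold the hash of the stock bootstrap code for the OS in question).
KNOWN_GOOD = {hashlib.md5(build_sample_mbr()[:BOOTCODE_LEN]).hexdigest()}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # python mbrcheck.py MBR.dat [disk_sectors]
        data = open(sys.argv[1], "rb").read()
        sectors = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    else:                                   # no file given: run on the constructed sample
        data, sectors = build_sample_mbr(), 155910144
    info = parse_mbr(data)
    print("bootcode md5:", info["bootcode_md5"])
    print("disk signature: %08X" % info["disk_signature"])
    for p in info["partitions"]:
        print("  part %d type 0x%02X lba %d sectors %d bootable=%s"
              % (p["index"], p["type"], p["lba_start"], p["sectors"], p["bootable"]))
    print("findings:", classify(data, KNOWN_GOOD) or "none")
    if sectors:
        print("unallocated tail (lba, sectors):", unallocated_tail(info, sectors))
```

Usage note: run it with no arguments to see the constructed sample pass and its tampered copy fail, or point it at the saved MBR.dat plus the disk's sector count. The practical caveat for a case like this one is that "unknown MBR code" after TDSSKiller has already "cured" the sector only says the current bootstrap code is not in the scanner's own list; it does not distinguish a leftover bootkit from OEM or generic replacement code. The way to settle it is to compare the hash against the stock MBR of the same Windows version captured from a known-clean machine or install media, and to inspect the unallocated tail that the function above locates.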
 
Make sure Combofix file is located on your desktop
(as my instructions say).

Go Start>Run and paste this command to run Combofix:
"%userprofile%\desktop\ComboFix.exe" /KillAll
Click OK.

If the above doesn't work try this command:
"%userprofile%\desktop\ComboFix.exe" /nombr
Click OK.

If still no go, try both commands in Safe Mode.
 