TechSpot

Multiple Virus warning allows popping up

Solved
By atcdav
Oct 29, 2010
  1. We have multiple threats popping up. Even while AVG is running, the scan alerts pop up. I went through the initial 8 steps. I cannot update MBAM, I get an error message, but I was able to download and run the latest version. Log will follow. Gmer freezes. DDS freezes. Should I try them in safe mode?
     
  2. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Welcome aboard

    Post as many logs as you can.
    There are some extra instructions for GMER, if you read our manual carefully.
     
  3. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

    Thank you

    The computer had repeated BSODs with an nvatabus.sys message. I removed my IDE drivers and it now boots. The browser is hijacked; I cannot post to this website directly from that computer.

    Here are a couple of logs:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/29/2010 8:18:26 PM
    mbam-log-2010-10-29 (20-18-26).txt

    Scan type: Quick scan
    Objects scanned: 126108
    Time elapsed: 5 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.73,93.188.166.108 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1e5879db-b7c0-4122-b6f9-90a5804e2daf}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.73,93.188.166.108 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\ANDREW\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.



    DDS (Ver_10-10-21.02) - NTFSx86
    Run by ANDREW at 20:46:29.15 on Fri 10/29/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1540 [GMT -5:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\FSRremoS.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\ANDREW\Desktop\16rcmzhc.exe
    C:\Documents and Settings\ANDREW\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [doouw] c:\documents and settings\andrew\doouw.exe /t
    uRun: [ASH24SXZ9S] c:\docume~1\andrew\locals~1\temp\Yvj.exe
    uRun: [natpad] c:\documents and settings\andrew\natpad\natpad.exe
    uRun: [neuakeb] c:\documents and settings\andrew\neuakeb.exe /Z
    uRun: [nlwis] c:\documents and settings\andrew\nlwis.exe /W
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
    mRun: [Mouse Suite 98 Daemon] ICO.EXE
    mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
    mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [\\DAVE-C2D\EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiada.exe /p37 "\\dave-c2d\EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
    mRun: [EPSON Stylus CX4800 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O5 "LPT1:" /M "Stylus CX4800"
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [Auto EPSON Stylus CX4800 Series on DAVE-C2D] c:\windows\system32\spool\drivers\w32x86\3\e_fatiada.exe /p43 "auto epson stylus cx4800 series on dave-c2d" /o37 "\\dave-c2d\EPSON Stylus CX4800 Series" /M "Stylus CX4800"
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1250889773483
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1250972942765
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\andrew\applic~1\mozilla\firefox\profiles\fevsl91k.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101067100&s=
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101067100&s=
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================


    ==================== Find3M ====================


    ============= FINISH: 21:00:47.14 ===============
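Added example (not code from this thread, from Malwarebytes, or from DDS): a small Python triage pass over the two log formats posted above. It pulls the NameServer data items out of the MBAM log and reports any resolver that is not in an assumed trusted set (192.168.1.1 here stands in for whatever this PC should really be using; the thread never says), and lists the Run-key entries in the DDS report whose executable lives under a user profile or temp directory, which is where the doouw, Yvj and natpad entries above sit. The sample lines are copied from the logs posted above; the regexes and the TRUSTED_DNS value are assumptions of this example.

```python
"""Triage pass over the MBAM and DDS log formats posted above.

Added example for this thread, not code from Malwarebytes, DDS or the poster."""
import re

# Sample lines copied from the MBAM 1.46 and DDS logs posted above.
MBAM_LINES = [
    "Registry Data Items Infected:",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.73,93.188.166.108 -> Quarantined and deleted successfully.",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1e5879db-b7c0-4122-b6f9-90a5804e2daf}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.73,93.188.166.108 -> Quarantined and deleted successfully.",
]
DDS_LINES = [
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"uRun: [doouw] c:\documents and settings\andrew\doouw.exe /t",
    r"uRun: [ASH24SXZ9S] c:\docume~1\andrew\locals~1\temp\Yvj.exe",
    r"uRun: [natpad] c:\documents and settings\andrew\natpad\natpad.exe",
    r"mRun: [Mouse Suite 98 Daemon] ICO.EXE",
    r'mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"',
]

# ASSUMPTION: the resolvers this PC should be using. The thread never says what
# they were; a router at 192.168.1.1 stands in for the real per-site value.
TRUSTED_DNS = {"192.168.1.1"}

# "<key>\NameServer (<threat>) -> Data: <ip>,<ip> -> <action>"
NAMESERVER_RE = re.compile(
    r"^(?P<key>HKEY\S*\\NameServer) \((?P<threat>[^)]+)\) -> Data: (?P<data>\S+) ->"
)
# "uRun: [<name>] <command line>"  (u = current-user hive, m = machine hive)
RUN_RE = re.compile(r"^(?P<hive>[um]Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Leading executable of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?=\s|$)', re.IGNORECASE)
# Autoruns living here rather than under Program Files or Windows deserve a look.
USER_DIRS = ("c:\\documents and settings\\", "c:\\docume~1\\")


def untrusted_nameservers(lines, trusted=TRUSTED_DNS):
    """Return [(registry key, [resolver IPs not in `trusted`])] for every
    NameServer data item in an MBAM log, quarantined ones included: the
    responder still wants to know where DNS had been pointed."""
    hits = []
    for line in lines:
        m = NAMESERVER_RE.match(line.strip())
        if not m:
            continue
        servers = [ip for ip in m["data"].split(",") if ip]
        bad = [ip for ip in servers if ip not in trusted]
        if bad:
            hits.append((m["key"], bad))
    return hits


def user_profile_autoruns(lines):
    """Return [(hive, name, exe path)] for Run-key entries in a DDS report whose
    executable sits in a user profile or temp directory."""
    flagged = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m["cmd"])
        if not exe:
            continue
        path = exe["path"].lower()
        if path.startswith(USER_DIRS) or "\\temp\\" in path:
            flagged.append((m["hive"], m["name"], path))
    return flagged


if __name__ == "__main__":
    for key, bad in untrusted_nameservers(MBAM_LINES):
        print("DNS redirected:", key, "->", ", ".join(bad))
    for hive, name, path in user_profile_autoruns(DDS_LINES):
        print("Autorun from profile:", hive, name, path)
```

Run it on the full DDS.txt and MBAM log files rather than the embedded samples to get the complete picture; rundll32-style entries (where the interesting part is the DLL argument, not the leading executable) are deliberately not flagged by this pass.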
     
  4. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

    GMER: I tried in safe mode, no luck. It just gives the hourglass symbol forever (over 30 minutes); Task Manager shows it running but zero CPU usage?? When I run the program, it automatically starts a scan; I am not able to select anything, rootkit nor any choices from the right side. It does show the files being scanned initially, but soon that also disappears.
     
  5. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    I'd like to also see Attach.txt part of DDS log.

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    =====================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
     
  6. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

    What is the Attach.txt part of DDS? I don't understand that.
     
  7. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    DDS creates two logs: DDS.txt and Attach.txt
    You posted only DDS.txt
     
  8. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

    I don't see that; maybe I stopped the program too soon. Would it have popped up on its own? I never saw it.
     
  9. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    We'll get that info a little bit later.
    For now, run both tools from my previous reply.
     
  10. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

    TDS found stuff and just as I was getting the report I got a BSOD STOP: 0x00000003. A process or thread crucial to system operation has unexpectedly exited or been terminated. I am trying again in safe mode.
     
  11. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Simply, re-run it.
     
     
  12. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

    I just ran TDS in safe mode. It found the same stuff. It is rebooting and I will try to post the log.
     
  13. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

    2010/10/29 22:26:36.0546 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49
    2010/10/29 22:26:36.0546 ================================================================================
    2010/10/29 22:26:36.0546 SystemInfo:
    2010/10/29 22:26:36.0546
    2010/10/29 22:26:36.0546 OS Version: 5.1.2600 ServicePack: 3.0
    2010/10/29 22:26:36.0546 Product type: Workstation
    2010/10/29 22:26:36.0546 ComputerName: ANDREWS_PC
    2010/10/29 22:26:36.0546 UserName: ANDREW
    2010/10/29 22:26:36.0546 Windows directory: C:\WINDOWS
    2010/10/29 22:26:36.0546 System windows directory: C:\WINDOWS
    2010/10/29 22:26:36.0546 Processor architecture: Intel x86
    2010/10/29 22:26:36.0546 Number of processors: 2
    2010/10/29 22:26:36.0546 Page size: 0x1000
    2010/10/29 22:26:36.0546 Boot type: Safe boot
    2010/10/29 22:26:36.0546 ================================================================================
    2010/10/29 22:26:36.0890 Initialize success
    2010/10/29 22:26:38.0531 ================================================================================
    2010/10/29 22:26:38.0531 Scan started
    2010/10/29 22:26:38.0531 Mode: Manual;
    2010/10/29 22:26:38.0531 ================================================================================
    2010/10/29 22:26:39.0984 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/10/29 22:26:40.0109 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/10/29 22:26:40.0296 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/10/29 22:26:40.0406 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/10/29 22:26:40.0906 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
    2010/10/29 22:26:41.0125 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/10/29 22:26:41.0531 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/10/29 22:26:41.0625 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/10/29 22:26:41.0843 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/10/29 22:26:41.0953 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/10/29 22:26:42.0109 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys
    2010/10/29 22:26:42.0218 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\System32\Drivers\avgmfx86.sys
    2010/10/29 22:26:42.0343 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\System32\Drivers\avgtdix.sys
    2010/10/29 22:26:42.0531 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/10/29 22:26:42.0703 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
    2010/10/29 22:26:42.0796 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/10/29 22:26:42.0906 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2010/10/29 22:26:43.0078 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/10/29 22:26:43.0187 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/10/29 22:26:43.0296 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/10/29 22:26:43.0921 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/10/29 22:26:44.0140 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/10/29 22:26:44.0312 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/10/29 22:26:44.0406 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/10/29 22:26:44.0546 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/10/29 22:26:45.0015 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/10/29 22:26:45.0406 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/10/29 22:26:45.0531 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2010/10/29 22:26:45.0687 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/10/29 22:26:45.0765 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2010/10/29 22:26:45.0875 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/10/29 22:26:45.0984 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/10/29 22:26:46.0109 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/10/29 22:26:46.0218 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2010/10/29 22:26:46.0296 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/10/29 22:26:46.0421 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/10/29 22:26:46.0734 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/10/29 22:26:47.0062 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/10/29 22:26:47.0171 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/10/29 22:26:47.0484 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/10/29 22:26:47.0593 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/10/29 22:26:47.0750 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/10/29 22:26:47.0875 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/10/29 22:26:47.0984 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/10/29 22:26:48.0093 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
    2010/10/29 22:26:48.0187 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/10/29 22:26:48.0281 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
    2010/10/29 22:26:48.0406 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/10/29 22:26:48.0500 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/10/29 22:26:48.0593 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2010/10/29 22:26:48.0718 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/10/29 22:26:48.0828 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/10/29 22:26:48.0921 L8042mou (8a5993705add14352c9a279fa8338334) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
    2010/10/29 22:26:49.0156 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
    2010/10/29 22:26:49.0281 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
    2010/10/29 22:26:49.0375 LMouKE (9837e55673818ecd8febb47f7f77521a) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
    2010/10/29 22:26:49.0484 LUsbFilt (77030525cd86a93f1af34fa9b96d33ce) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
    2010/10/29 22:26:49.0796 LVcKap (8113133ec42dd6c566908008ce913edd) C:\WINDOWS\system32\DRIVERS\LVcKap.sys
    2010/10/29 22:26:50.0312 LVMVDrv (0dd5b8af4917a2821047450195c511b3) C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys
    2010/10/29 22:26:50.0625 LVPr2Mon (406b1d186f75b4b4832d6237859e1b00) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
    2010/10/29 22:26:50.0781 LVUSBSta (be5e104be263921d6842c555db6a5c23) C:\WINDOWS\system32\drivers\LVUSBSta.sys
    2010/10/29 22:26:50.0890 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/10/29 22:26:51.0031 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/10/29 22:26:51.0125 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/10/29 22:26:51.0218 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/10/29 22:26:51.0312 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/10/29 22:26:51.0500 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/10/29 22:26:51.0687 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/10/29 22:26:51.0843 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/10/29 22:26:51.0953 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/10/29 22:26:52.0062 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/10/29 22:26:52.0140 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/10/29 22:26:52.0234 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/10/29 22:26:52.0343 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2010/10/29 22:26:52.0437 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/10/29 22:26:52.0546 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2010/10/29 22:26:52.0687 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/10/29 22:26:52.0796 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2010/10/29 22:26:52.0890 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/10/29 22:26:53.0062 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/10/29 22:26:53.0156 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/10/29 22:26:53.0265 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/10/29 22:26:53.0359 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/10/29 22:26:53.0453 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/10/29 22:26:53.0640 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2010/10/29 22:26:53.0734 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/10/29 22:26:53.0906 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/10/29 22:26:54.0078 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/10/29 22:26:54.0921 nv (3712d332633b853101ab786380c969ec) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2010/10/29 22:26:55.0796 nvax (f3d3015e52f2732042197d4edcaac2cb) C:\WINDOWS\system32\drivers\nvax.sys
    2010/10/29 22:26:55.0906 NVENETFD (720cc533eecb65553bd86b139ca04433) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
    2010/10/29 22:26:56.0015 nvnetbus (5f9f545cc5904dd8765f84ee1d056406) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
    2010/10/29 22:26:56.0140 nvnforce (6d6fd2b7035d415621acaf1e555c8b90) C:\WINDOWS\system32\drivers\nvapu.sys
    2010/10/29 22:26:56.0296 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/10/29 22:26:56.0390 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/10/29 22:26:56.0515 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2010/10/29 22:26:56.0656 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2010/10/29 22:26:56.0734 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/10/29 22:26:56.0843 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/10/29 22:26:56.0937 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/10/29 22:26:57.0125 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/10/29 22:26:57.0234 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/10/29 22:26:57.0359 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
    2010/10/29 22:26:57.0812 pelmouse (e541a80cdffd6077c761b4578efc0450) C:\WINDOWS\system32\DRIVERS\pelmouse.sys
    2010/10/29 22:26:57.0906 pelusblf (ec8e8f0c1a7f6ecd69d58af8566d7632) C:\WINDOWS\system32\DRIVERS\pelusblf.sys
    2010/10/29 22:26:58.0015 pepifilter (d30eda6e1ab3c8c82f2ca085ab79040a) C:\WINDOWS\system32\DRIVERS\lv302af.sys
    2010/10/29 22:26:58.0515 PID_PEPI (0da6c5e0c8da6cebe52daacfe7ae9de6) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS
    2010/10/29 22:26:58.0765 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/10/29 22:26:58.0843 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2010/10/29 22:26:58.0953 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/10/29 22:26:59.0046 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/10/29 22:26:59.0578 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/10/29 22:26:59.0687 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
    2010/10/29 22:26:59.0781 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/10/29 22:26:59.0875 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/10/29 22:26:59.0968 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/10/29 22:27:00.0093 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/10/29 22:27:00.0203 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/10/29 22:27:00.0312 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/10/29 22:27:00.0437 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/10/29 22:27:00.0562 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/10/29 22:27:00.0765 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/10/29 22:27:00.0890 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/10/29 22:27:00.0984 Serial (4a75e12c3336e56aabaf52810f053dd5) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/10/29 22:27:01.0000 Serial - detected Rootkit.Win32.TDSS.tdl3 (0)
    2010/10/29 22:27:01.0125 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/10/29 22:27:01.0328 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2010/10/29 22:27:01.0531 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/10/29 22:27:01.0656 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\System32\DRIVERS\sr.sys
    2010/10/29 22:27:01.0796 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/10/29 22:27:01.0937 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2010/10/29 22:27:02.0046 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/10/29 22:27:02.0140 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/10/29 22:27:02.0609 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/10/29 22:27:02.0781 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/10/29 22:27:02.0875 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/10/29 22:27:02.0968 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/10/29 22:27:03.0062 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/10/29 22:27:03.0312 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/10/29 22:27:03.0609 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/10/29 22:27:03.0781 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2010/10/29 22:27:03.0906 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2010/10/29 22:27:04.0000 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/10/29 22:27:04.0109 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/10/29 22:27:04.0187 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/10/29 22:27:04.0296 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2010/10/29 22:27:04.0406 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/10/29 22:27:04.0500 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/10/29 22:27:04.0593 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/10/29 22:27:04.0781 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/10/29 22:27:04.0890 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/10/29 22:27:05.0046 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2010/10/29 22:27:05.0234 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/10/29 22:27:05.0468 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2010/10/29 22:27:05.0578 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/10/29 22:27:05.0703 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/10/29 22:27:05.0750 Suspicious service (NoAccess): xflcewca
    2010/10/29 22:27:05.0890 xflcewca (9427eddfdcbb1d040ed66a63d1d2cd4b) C:\WINDOWS\system32\drivers\xflcewca.sys
    2010/10/29 22:27:05.0890 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\xflcewca.sys. md5: 9427eddfdcbb1d040ed66a63d1d2cd4b
    2010/10/29 22:27:05.0921 xflcewca - detected Locked service (1)
    2010/10/29 22:27:06.0031 yukonwxp (bac4e920c920168c302c90c0f37740f6) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
    2010/10/29 22:27:06.0500 ================================================================================
    2010/10/29 22:27:06.0500 Scan finished
    2010/10/29 22:27:06.0500 ================================================================================
    2010/10/29 22:27:06.0531 Detected object count: 2
    2010/10/29 22:27:13.0703 Serial (4a75e12c3336e56aabaf52810f053dd5) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/10/29 22:27:16.0281 Backup copy found, using it..
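Two things in the TDSSKiller tail above are worth pulling out mechanically: the two "detected" lines (serial.sys carrying Rootkit.Win32.TDSS.tdl3, and the locked xflcewca service with its NoAccess driver file) and the "Detected object count: 2" summary that should agree with them. Note also that the MD5 printed for serial.sys is identical before and after the cure, which is consistent with TDL3 filtering disk reads of the infected driver so the file looks clean from inside the running system; a hash comparison on the live box would not have caught it. The parser below is an added example, not TDSSKiller's code or anything from this thread's participants; the log excerpt it runs on is a constructed copy of the lines posted above, and the four regexes are assumptions about TDSSKiller's line shapes based only on those lines.

```python
import re
from collections import OrderedDict

# Four TDSSKiller line shapes that matter for triage (assumed from the posted log).
DRIVER_RE = re.compile(r"^(\S+ \S+) (\S+) \(([0-9a-f]{32})\) (.+)$")
DETECT_RE = re.compile(r"^(\S+ \S+) (\S+) - detected (.+?) \((\d+)\)$")
SUSP_RE = re.compile(r"^(\S+ \S+) Suspicious (service|file) \(([^)]+)\): (.+)$")
COUNT_RE = re.compile(r"^(\S+ \S+) Detected object count: (\d+)$")

# Constructed excerpt: lines copied from the log posted above, trimmed so the
# example runs offline. It is not the output of a scan run by this example.
SAMPLE_LOG = r"""
2010/10/29 22:27:00.0984 Serial (4a75e12c3336e56aabaf52810f053dd5) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/29 22:27:01.0000 Serial - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/29 22:27:02.0781 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/29 22:27:05.0750 Suspicious service (NoAccess): xflcewca
2010/10/29 22:27:05.0890 xflcewca (9427eddfdcbb1d040ed66a63d1d2cd4b) C:\WINDOWS\system32\drivers\xflcewca.sys
2010/10/29 22:27:05.0890 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\xflcewca.sys. md5: 9427eddfdcbb1d040ed66a63d1d2cd4b
2010/10/29 22:27:05.0921 xflcewca - detected Locked service (1)
2010/10/29 22:27:06.0531 Detected object count: 2
2010/10/29 22:27:16.0281 Backup copy found, using it..
"""


def _record(services, name):
    return services.setdefault(name, {"md5": None, "path": None, "findings": []})


def parse_tdss_log(text):
    """Return (services, reported_count).

    services maps service name -> {md5, path, findings}, where each finding is
    ("detected", what) or ("suspicious", reason). A 'Suspicious file' line is
    keyed back to its service by matching the path of a driver record."""
    services = OrderedDict()
    reported = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            _, name, md5, path = m.groups()
            rec = _record(services, name)
            rec["md5"], rec["path"] = md5, path
            continue
        m = DETECT_RE.match(line)
        if m:
            _, name, what, _ = m.groups()
            _record(services, name)["findings"].append(("detected", what))
            continue
        m = SUSP_RE.match(line)
        if m:
            _, kind, reason, target = m.groups()
            if kind == "service":
                name = target
            else:
                path = target.split(". md5: ")[0].lower()
                name = next((n for n, r in services.items()
                             if (r["path"] or "").lower() == path), target)
            _record(services, name)["findings"].append(("suspicious", f"{kind} {reason}"))
            continue
        m = COUNT_RE.match(line)
        if m:
            reported = int(m.group(2))
    return services, reported


def detected_services(services):
    """Names TDSSKiller counts as detected objects (not merely suspicious)."""
    return [n for n, r in services.items()
            if any(kind == "detected" for kind, _ in r["findings"])]


def flagged(services):
    """(name, path, findings) for everything with any finding, for the report."""
    return [(n, r["path"], r["findings"]) for n, r in services.items() if r["findings"]]


def count_consistent(services, reported):
    """True when the per-line detections add up to the summary count."""
    return reported is not None and len(detected_services(services)) == reported


if __name__ == "__main__":
    svcs, count = parse_tdss_log(SAMPLE_LOG)
    for name, path, findings in flagged(svcs):
        print(name, path, findings)
    print("summary count consistent:", count_consistent(svcs, count))
```

Run against a full TDSSKiller log, the same parser gives the analyst the list of services to pull from the offline disk for hashing, which is where hash checks belong when a kernel rootkit is in play.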
     
  14. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Good :)

    MBRCheck now, please.
     
  15. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000003d

    Kernel Drivers (total 134):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xB85A8000 \WINDOWS\system32\KDCOM.DLL
    0xB84B8000 \WINDOWS\system32\BOOTVID.dll
    0xB7F95000 klmdb.sys
    0xB7F67000 ACPI.sys
    0xB85AA000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xB7F56000 pci.sys
    0xB80A8000 isapnp.sys
    0xB80B8000 ohci1394.sys
    0xB80C8000 \WINDOWS\System32\DRIVERS\1394BUS.SYS
    0xB7E97000 xflcewca.sys
    0xB8670000 pciide.sys
    0xB8328000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xB80D8000 MountMgr.sys
    0xB7E78000 ftdisk.sys
    0xB85AC000 dmload.sys
    0xB7E52000 dmio.sys
    0xB8330000 PartMgr.sys
    0xB80E8000 VolSnap.sys
    0xB7E3A000 atapi.sys
    0xB80F8000 disk.sys
    0xB8108000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xB7E1A000 fltmgr.sys
    0xB7E03000 KSecDD.sys
    0xB7D76000 Ntfs.sys
    0xB7D49000 NDIS.sys
    0xB7D2F000 Mup.sys
    0xB8318000 \SystemRoot\system32\DRIVERS\AmdK8.sys
    0xB8408000 \SystemRoot\System32\DRIVERS\usbohci.sys
    0xB7533000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xB8410000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB75E7000 \SystemRoot\system32\drivers\nvax.sys
    0xB75D7000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xB75C7000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xB75B7000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xB7510000 \SystemRoot\System32\DRIVERS\ks.sys
    0xB75A7000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xB74D9000 \SystemRoot\System32\DRIVERS\yk51x86.sys
    0xB857C000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
    0xB7499000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
    0xB7466000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
    0xB6D50000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB6D3C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB8418000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xB7597000 \SystemRoot\System32\DRIVERS\serial.sys
    0xB8580000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xB8420000 \SystemRoot\System32\DRIVERS\irsir.sys
    0xB8584000 \SystemRoot\System32\DRIVERS\irenum.sys
    0xB7577000 \SystemRoot\system32\DRIVERS\L8042mou.Sys
    0xB6CE8000 \SystemRoot\system32\DRIVERS\LMouKE.Sys
    0xB8428000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xB8793000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xB8438000 \SystemRoot\System32\DRIVERS\rasirda.sys
    0xB8440000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xB8178000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xB8590000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xB6CB5000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xB8188000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xB8198000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xB6CA4000 \SystemRoot\System32\DRIVERS\psched.sys
    0xB81A8000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xB8448000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xB8450000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xB81B8000 \SystemRoot\System32\Drivers\pcouffin.sys
    0xB6C74000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xB81C8000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xB8458000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xB85E6000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xB6C16000 \SystemRoot\System32\DRIVERS\update.sys
    0xB7D0B000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xB81D8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB81E8000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xB85EA000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xB6B88000 \SystemRoot\system32\drivers\nvapu.sys
    0xB6B64000 \SystemRoot\system32\drivers\portcls.sys
    0xB8208000 \SystemRoot\system32\drivers\drmk.sys
    0xB6A82000 \SystemRoot\system32\drivers\nvmcp.sys
    0xB6A71000 \SystemRoot\system32\drivers\nvarm.sys
    0xB8468000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xB8600000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xB8783000 \SystemRoot\System32\Drivers\Null.SYS
    0xB8602000 \SystemRoot\System32\Drivers\Beep.SYS
    0xB8258000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xB8480000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
    0xB8488000 \SystemRoot\System32\drivers\vga.sys
    0xB8604000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xB8606000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xB8490000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xB8498000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB854C000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xB485E000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xB4805000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xB47CB000 \SystemRoot\System32\Drivers\avgtdix.sys
    0xB8268000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xB47A3000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xB4781000 \SystemRoot\System32\drivers\afd.sys
    0xB8278000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xB4756000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xB46E6000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xB8298000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB84A0000 \SystemRoot\System32\Drivers\avgmfx86.sys
    0xB46B2000 \SystemRoot\System32\Drivers\avgldx86.sys
    0xB84A8000 \SystemRoot\System32\DRIVERS\usbccgp.sys
    0xB8570000 \SystemRoot\System32\DRIVERS\hidusb.sys
    0xB82A8000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
    0xB8578000 \SystemRoot\System32\DRIVERS\kbdhid.sys
    0xB84B0000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
    0xB82B8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    0xB460F000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
    0xB6C12000 \SystemRoot\System32\DRIVERS\mouhid.sys
    0xB8340000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
    0xB82D8000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB45A7000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xB860A000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB6BEE000 \SystemRoot\System32\drivers\Dxapi.sys
    0xB8388000 \SystemRoot\System32\watchdog.sys
    0xBD000000 \SystemRoot\System32\drivers\dxg.sys
    0xB8764000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBD012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB40C1000 \SystemRoot\System32\DRIVERS\irda.sys
    0xB427B000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xB3CC4000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB3E29000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB45FF000 \SystemRoot\System32\Drivers\TDTCP.SYS
    0xB3A93000 \SystemRoot\System32\Drivers\RDPWD.SYS
    0xB37BE000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xB2B29000 \SystemRoot\System32\DRIVERS\srv.sys
    0xB28FD000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB83F0000 \SystemRoot\system32\DRIVERS\LVPr2Mon.sys
    0xB286C000 \SystemRoot\System32\Drivers\HTTP.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 48):
    0 System Idle Process
    4 System
    644 C:\WINDOWS\system32\smss.exe
    692 csrss.exe
    716 C:\WINDOWS\system32\winlogon.exe
    760 C:\WINDOWS\system32\services.exe
    772 C:\WINDOWS\system32\lsass.exe
    976 C:\WINDOWS\system32\nvsvc32.exe
    1000 C:\WINDOWS\system32\svchost.exe
    1072 svchost.exe
    1172 C:\WINDOWS\system32\svchost.exe
    1272 C:\Program Files\AVG\AVG9\avgchsvx.exe
    1284 C:\Program Files\AVG\AVG9\avgrsx.exe
    1488 svchost.exe
    1532 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    1664 svchost.exe
    184 C:\WINDOWS\explorer.exe
    284 C:\WINDOWS\system32\spoolsv.exe
    316 C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    1144 C:\WINDOWS\system32\rundll32.exe
    1236 C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    1260 C:\WINDOWS\system32\ico.exe
    1256 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    960 C:\Program Files\Logitech\QuickCam\Quickcam.exe
    1504 C:\Program Files\iTunes\iTunesHelper.exe
    1568 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    1736 C:\PROGRA~1\AVG\AVG9\avgtray.exe
    1816 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    2392 C:\WINDOWS\system32\FSRremoS.EXE
    2416 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2548 C:\WINDOWS\system32\ctfmon.exe
    2608 svchost.exe
    2684 C:\Program Files\Logitech\SetPoint\SetPoint.exe
    2720 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    2816 C:\Program Files\AVG\AVG9\avgwdsvc.exe
    2892 C:\Program Files\Bonjour\mDNSResponder.exe
    2916 C:\Program Files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
    3112 C:\Program Files\Java\jre6\bin\jqs.exe
    3288 C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    3436 C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    3556 C:\WINDOWS\system32\rundll32.exe
    3736 C:\WINDOWS\system32\svchost.exe
    3832 C:\WINDOWS\system32\wuauclt.exe
    1500 C:\Program Files\AVG\AVG9\avgnsx.exe
    2804 C:\Program Files\iPod\bin\iPodService.exe
    776 C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
    1264 C:\WINDOWS\system32\svchost.exe
    2860 C:\Documents and Settings\ANDREW\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
    \\.\E: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800AAJS-18TDA1, Rev: 01.00A04
    PhysicalDrive1 Model Number: WDCWD800AAJS-18TDA1, Rev: 01.00A04
    PhysicalDrive2 Model Number: WDCWD400LB-00DNA0, Rev: 77.07W77

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    74 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    37 GB \\.\PhysicalDrive2 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
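The MBRCheck output above reports each volume at byte offset 0x7e00 on its disk, which is sector 63 times 512 bytes, the classic first-partition start that XP's setup writes, and all three disks share one boot-code SHA1, as stock XP MBRs do. The script below is an added example of the checks behind that output, not MBRCheck's code and not anything from this thread's participants: it parses a 512-byte MBR, verifies the 0x55AA signature, decodes the partition table, confirms that a reported volume offset lines up with a partition start, and hashes the boot-code area. The sample sector is constructed (placeholder boot code, one NTFS partition at LBA 63), and hashing the first 440 bytes is this example's choice; the thread does not say which byte range MBRCheck hashes. One caveat for live use: a bootkit that hooks disk I/O can hand a clean sector to a user-mode reader, so a matching hash from inside the running system is weaker evidence than the same check done from boot media.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 0..439 boot code; 440..443 disk signature; 444..445 reserved
PART_TABLE_OFF = 446  # four 16-byte partition entries
SIG_OFF = 510         # 0x55 0xAA boot signature


def build_sample_mbr(boot_code=b"\xEB\x3C\x90", first_lba=63, sectors=156_301_488):
    """Constructed MBR (hypothetical): placeholder boot code and one bootable
    NTFS partition starting at LBA 63, i.e. byte offset 0x7E00. Not a real XP sector."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    # status, CHS start, type (0x07 = NTFS), CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                        first_lba, sectors)
    table = entry + bytes(48)  # three empty entries
    return code + disk_sig + table + b"\x55\xAA"


def parse_mbr(sector):
    """Decode one MBR sector into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        boot, _chs0, ptype, _chs1, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue  # unused entry
        parts.append({"index": i, "bootable": boot == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "partitions": parts,
    }


def volume_offset_matches(mbr, reported_offset):
    """Does a reported volume byte offset (0x7E00 for C: above) start a partition?"""
    return any(p["byte_offset"] == reported_offset for p in mbr["partitions"])


def boot_code_changed(baseline_sector, current_sector):
    """Compare only the boot-code hash: a partition-table edit is not a bootkit;
    modified boot code with an untouched table is the classic one."""
    return (parse_mbr(baseline_sector)["boot_code_sha1"]
            != parse_mbr(current_sector)["boot_code_sha1"])


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("boot code SHA1:", info["boot_code_sha1"])
    for p in info["partitions"]:
        print(f"partition {p['index']}: type 0x{p['type']:02X} at LBA {p['lba_start']} "
              f"(offset 0x{p['byte_offset']:X})")
```

To run this against a real disk, read the first 512 bytes of the physical device (for example \\.\PhysicalDrive0 opened read-only on Windows) and keep a baseline hash taken from known-clean media so boot_code_changed has something to compare against.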
     
  16. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Looks good :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  17. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

32788R22FWJFW\n.pif: Windows cannot access the specified device, path or file. You may not have appropriate permissions to access them. Also \iexplore.exe, hidec.exe: Windows cannot open nircmd.cfxxe.
     
  18. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

I am using Firefox (safe mode); it saves the file to a download folder. I move it to my desktop. It is not saved directly to the desktop. I am looking at how to fix that. Never mind, I changed where it downloads but it still gives the same errors.
     
  19. Broni

    Broni Malware Annihilator Posts: 47,082   +258

Delete your Combofix file, download a fresh one, but rename combofix.exe to broni.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and run exeHelper.

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
* Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now, run broni.exe.

    If still a problem, run ALL three tools from Safe Mode.
     
  20. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

Ran Rkill and exeHelper; logs follow. Then ran broni.exe and it still errored. I reran all 3 in safe mode. Same logs and same ComboFix error.
     
  21. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as ANDREW on 10/29/2010 at 23:14:15.


    Services Stopped:


    Processes terminated by Rkill or while it was running:


    C:\Documents and Settings\ANDREW\Desktop\rkill.com


    Rkill completed on 10/29/2010 at 23:15:31.
     
  22. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

    exeHelper by Raktor
    Build 20100414
    Run at 23:15:58 on 10/29/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 23:23:46 on 10/29/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  23. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

    Safemode

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.
    Ran as ANDREW on 10/29/2010 at 23:21:54.


    Services Stopped:


    Processes terminated by Rkill or while it was running:


    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Documents and Settings\ANDREW\Desktop\rkill.com


    Rkill completed on 10/29/2010 at 23:23:08.
     
  24. atcdav

    atcdav TS Rookie Topic Starter Posts: 72

    Safemode

    exeHelper by Raktor
    Build 20100414
    Run at 23:15:58 on 10/29/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--

    exeHelper by Raktor
    Build 20100414
    Run at 23:23:46 on 10/29/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Checking for bad registry entries...
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  25. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
Topic Status:
Not open for further replies.

