also @ TechSpot: Microsoft wants Xbox to be the entertainment hub for all your devices

TechSpot

TechSpot News Products Downloads Forums

[Solved] Need help with system check virus removal

Discussion in 'Virus and Malware Removal' started by hmMurdock914, Jan 1, 2012.

Page 1 of 3

hmMurdock914 Newcomer, in training

My computer is infected with the System Check virus and I could use some major help getting rid of it. Everything in my drive folders are blank so I can't even get Malwarebytes to run. I'm running xp and am ready to throw my tower out the window. If you could help and let me know what you need from me, drinks are on me.

hmMurdock914, Jan 1, 2012

#1
Broni Malware Annihilator
Welcome aboard

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.

If you're stuck, or you're not sure about certain step, always ask before doing anything else.

Please refrain from running tools or applying updates other than those I suggest.

Never run more than one scan at a time.

Keep updating me regarding your computer behavior, good, or bad.

The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.

If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.

I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================================================

See if you have same issue in Safe Mode.
Broni, Jan 1, 2012

#2
hmMurdock914 Newcomer, in training

I figured out a way to get malware running. I'm scanning right now and will post the results when it is finished.

hmMurdock914, Jan 1, 2012

#3
Broni Malware Annihilator

Cool ......

Broni, Jan 1, 2012

#4
hmMurdock914 Newcomer, in training

I tried running the DDS scan but it would freeze up after 15 min and I would have to restart but here are the Malware and the GMER.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.01.04

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 7.0.5730.11
Owner :: COMPUTER2007 [administrator]

1/1/2012 8:39:34 PM
mbam-log-2012-01-01 (20-39-34).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System |
Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 303321
Time elapsed: 2 hour(s), 18 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 8
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel
(PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and
repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp
(PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and
repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer
(PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and
repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs
(PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and
repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun
(PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and
repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch
(PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and
repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop
(PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired
successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr
(PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and
repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Documents and Settings\All Users\Application
Data\3YZtDSp2OTCtkw.exe (Trojan.FakeAlert) -> Quarantined and deleted
successfully.
C:\Documents and Settings\All Users\Application Data\gyjAEPulVY.exe
(Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application
Data\Sun\Java\Deployment\cache\6.0\14\4939ec0e-67988555
(Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\4SWPN.exe
(Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\My Documents\nt4YFu8.exe
(Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume
Information\_restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1010\A0062349.exe
(Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-02 00:28:56
Windows 5.1.2600 Service Pack 2
Running: iugpicv2.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pglirfoc.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1
771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2
285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0
1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0
C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0
0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh
0xF7 0x08 0xB7 0x91 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0
0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh
0xBD 0xCF 0x30 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh
0x1B 0x63 0x50 0x1F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
(not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0
C:\Program Files\DAEMON Tools
Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0
0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh
0xF7 0x08 0xB7 0x91 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
(not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0
0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh
0xBD 0xCF 0x30 0xD0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
(not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh
0x1B 0x63 0x50 0x1F ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB43484$\3514005679
0 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\@
2048 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\bckfg.tmp
911 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\cfg.ini
199 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\Desktop.ini
4608 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\keywords
143 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\kwrd.dll
223744 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\L
0 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\L\hypzzmjp
74752 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\lsflt7.ver
5176 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\U
0 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\U\00000001.@
2048 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\U\00000002.@
224768 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\U\00000004.@
1024 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\U\80000000.@
11264 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\U\80000004.@
12800 bytes
File C:\WINDOWS\$NtUninstallKB43484$\3514005679\U\80000032.@
77312 bytes
File C:\WINDOWS\$NtUninstallKB43484$\4133149318
0 bytes

---- EOF - GMER 1.0.15 ----

hmMurdock914, Jan 2, 2012

#5
Broni Malware Annihilator
Please disable "word wrap" in Notepad because your logs are hard to read.

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

===========================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts

Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

Double-click on the Rkill desktop icon to run the tool.

If using Vista or Windows 7 right-click on it and choose Run As Administrator.

A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

If not, delete the file, then download and use the one provided in Link 2.

If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.

Do not reboot until instructed.

If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
Broni, Jan 2, 2012

#6
hmMurdock914 Newcomer, in training

Below is the awsMBR report. I tried running combo fix multiple times and it would make the registry back up and get to the point where it would say scan is running it should take ten minutes. This screen would run with a blinking cursor for 2 hours and then the cursor would stop blinking and my comp would freeze up. I used rkill with combofix and tried it in safe mode. Every time it would freeze up and the computer would stop responding.

aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2012-01-02 01:38:38
-----------------------------
01:38:38.484 OS Version: Windows 5.1.2600 Service Pack 2
01:38:38.484 Number of processors: 1 586 0x207
01:38:38.500 ComputerName: COMPUTER2007 UserName: Owner
01:38:39.812 Initialze error 0 - driver not loaded
02:07:25.093 AVAST engine defs: 12010101
02:11:21.734 Service scanning
02:11:23.062 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
02:11:23.921 Modules scanning
02:11:23.921 Disk 0 trace - called modules:
02:11:23.937
02:11:25.578 AVAST engine scan C:\WINDOWS
02:11:34.250 AVAST engine scan C:\WINDOWS\system32
02:14:17.671 AVAST engine scan C:\WINDOWS\system32\drivers
02:14:27.031 File: C:\WINDOWS\system32\drivers\ipsec.sys **INFECTED** Win32:Aluroot-B [Rtk]
02:14:51.093 AVAST engine scan C:\Documents and Settings\Owner
02:21:38.406 AVAST engine scan C:\Documents and Settings\All Users
02:22:31.328 Scan finished successfully
02:32:00.312 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"

hmMurdock914, Jan 2, 2012

#7
Broni Malware Annihilator
Download TDSSKiller and save it to your desktop.

Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.

If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.

If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
Broni, Jan 2, 2012

#8
hmMurdock914 Newcomer, in training

I tried running the program in normal and in safe mode and I can not get it to start up. Any suggestions? I also tried renaming it before I put it on my desktop.

hmMurdock914, Jan 2, 2012

#9
Broni Malware Annihilator
Download Bootkit Remover to your Desktop.

Unzip downloaded file to your Desktop.

Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).

It will show a Black screen with some data on it.

Right click on the screen and click Select All.

Press CTRL+C

Open a Notepad and press CTRL+V

Post the output back here.

==========================================================

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

Double click on downloaded file to run it.

When the tool opens click Yes to disclaimer.

Press Scan button.

It will produce a log (FRST.txt) on your desktop.

Please copy and paste it to your reply.
Broni, Jan 2, 2012

#10
hmMurdock914 Newcomer, in training

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 01/02/2012 at 22:44:53.
Operating System: Microsoft Windows XP

Processes terminated by Rkill or while it was running:

--- ATTENTION ---

Windows was configured to use a proxy! Proxy settings have been removed.

The Proxy Server that was configured is:

If this was a valid setting, please double-click on the rk-proxy.reg file on your desktop and allow the data to be merged to restore your proxy settings.

Rkill completed on 01/02/2012 at 22:46:09.

hmMurdock914, Jan 2, 2012

#11
Broni Malware Annihilator

Please re-read my previous reply.

Broni, Jan 2, 2012

#12
hmMurdock914 Newcomer, in training

Sorry about that here is what the bootkit remover reported:

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]

Done;
Press any key to quit...

hmMurdock914, Jan 3, 2012

#13
hmMurdock914 Newcomer, in training

I know you are probably busy helping everyone but just wanted to make sure what I should do next thanks again for all your help

hmMurdock914, Jan 4, 2012

#14
Broni Malware Annihilator

Instead of bumping read my replies CAREFULLY.
I'm still waiting for Farbar Recovery Scan Tool log.

Broni, Jan 4, 2012

#15
hmMurdock914 Newcomer, in training

Wow. I am an idoit and sorry. Here are the results of the farbar scan:

Scan result of Farbars's Recovery Tool (FRST written by farbar) Version 2.3.2
Ran by Owner at 2012-01-04 18:12:40
Running from C:\Documents and Settings\Owner\Desktop
Service Pack 2 (X86) OS Language: English(US)
Attention: Could not load system hive.
Error: The process cannot access the file because it is being used by another process.
========================== Registry (Whitelisted) =============

HKU\Dad\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime [421888 2010-03-18] (Apple Inc.)
HKU\Dad\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2004-08-12] (Microsoft Corporation)
HKU\Dad\...\Run: [ANT Agent] C:\Program Files\Garmin\ANT Agent\ANT_Agent\ANT Agent.exe [12036968 2011-04-14] (GARMIN Corp.)
HKLM\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell]

================================ Services (Whitelisted) ==================

========================== Drivers (Whitelisted) =============

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-01-04 18:12 - 2012-01-04 18:12 - 0000000 ____D C:\FRST
2012-01-04 18:12 - 2012-01-04 18:11 - 0858478 ____A C:\Documents and Settings\Owner\Desktop\FRST.exe
2012-01-02 23:25 - 2012-01-02 23:57 - 0000706 ____A C:\Documents and Settings\Owner\Desktop\bootkit.txt
2012-01-02 23:24 - 2012-01-04 18:12 - 0038677 ____A C:\Documents and Settings\Owner\Desktop\bootkit_remover_debug_log.txt
2012-01-02 23:23 - 2012-01-02 23:23 - 0044607 ____A C:\Documents and Settings\Owner\Desktop\bootkit_remover.zip
2012-01-02 23:23 - 2011-09-21 18:11 - 0003641 ____A C:\Documents and Settings\Owner\Desktop\readme_ru.txt
2012-01-02 23:23 - 2011-09-21 18:11 - 0003114 ____A C:\Documents and Settings\Owner\Desktop\readme_en.txt
2012-01-02 23:23 - 2011-09-20 03:02 - 0083968 ____A (Esage Lab) C:\Documents and Settings\Owner\Desktop\boot_cleaner.exe
2012-01-02 22:47 - 2012-01-02 22:47 - 0000662 ____A C:\Documents and Settings\Owner\Desktop\rkill.log
2012-01-02 22:46 - 2012-01-02 22:46 - 0000147 ____A C:\Documents and Settings\Owner\Desktop\rk-proxy.reg
2012-01-02 22:44 - 2012-01-02 22:46 - 0000662 ____A C:\rkill.log
2012-01-02 22:41 - 2012-01-02 20:06 - 1578288 ____A (Kaspersky Lab ZAO) C:\Documents and Settings\Owner\Desktop\please.exe
2012-01-02 18:03 - 2012-01-02 18:18 - 0000000 ___SD C:\mikem
2012-01-02 18:00 - 2012-01-02 17:57 - 1008141 ____A C:\Documents and Settings\Owner\Desktop\rkill.com
2012-01-02 18:00 - 2012-01-02 17:29 - 4360898 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\mikem.exe
2012-01-02 12:54 - 2012-01-02 12:50 - 8821856 ____A (OPSWAT, Inc.) C:\Documents and Settings\Owner\Desktop\AppRemover.exe
2012-01-02 03:15 - 2004-08-12 01:00 - 0074752 ____A C:\Windows\System32\Drivers\ipsec.svs
2012-01-02 03:04 - 2012-01-02 03:04 - 0000000 RASHD C:\cmdcons
2012-01-02 03:04 - 2012-01-01 20:15 - 0000211 ____A C:\Boot.bak
2012-01-02 03:04 - 2004-08-03 23:00 - 0260272 _RASH C:\cmldr
2012-01-02 02:57 - 2011-06-26 01:45 - 0256000 ____A C:\Windows\PEV.exe
2012-01-02 02:57 - 2010-11-07 12:20 - 0208896 ____A C:\Windows\MBR.exe
2012-01-02 02:57 - 2009-04-19 23:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-01-02 02:57 - 2000-08-30 19:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-01-02 02:57 - 2000-08-30 19:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-01-02 02:57 - 2000-08-30 19:00 - 0212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
2012-01-02 02:57 - 2000-08-30 19:00 - 0098816 ____A C:\Windows\sed.exe
2012-01-02 02:57 - 2000-08-30 19:00 - 0080412 ____A C:\Windows\grep.exe
2012-01-02 02:57 - 2000-08-30 19:00 - 0068096 ____A C:\Windows\zip.exe
2012-01-02 02:56 - 2012-01-02 02:56 - 0000000 ____D C:\Windows\ERDNT
2012-01-02 02:43 - 2012-01-02 02:56 - 0000000 ____D C:\Qoobox
2012-01-02 02:32 - 2012-01-02 02:32 - 0001170 ____A C:\Documents and Settings\Owner\Desktop\aswMBR.txt
2012-01-02 01:36 - 2012-01-02 01:36 - 4702720 ____A (AVAST Software) C:\Documents and Settings\Owner\Desktop\aswMBR.exe
2012-01-02 00:28 - 2012-01-02 00:28 - 0005615 ____A C:\Documents and Settings\Owner\Desktop\glog.log
2012-01-01 20:35 - 2012-01-01 20:35 - 0000686 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-01-01 20:35 - 2012-01-01 20:35 - 0000000 ____D C:\Program Files\****YouVirus
2012-01-01 20:33 - 2012-01-01 20:33 - 10847608 ____A (Malwarebytes Corporation ) C:\Documents and Settings\Owner\Desktop\****YouVirus.exe
2012-01-01 19:41 - 2012-01-01 19:41 - 0000882 ____A C:\Documents and Settings\All Users\Desktop\Re-Enable v2.exe.lnk
2012-01-01 19:41 - 2012-01-01 19:41 - 0000000 ____D C:\Program Files\Tangosoft
2012-01-01 19:39 - 2012-01-01 19:39 - 1093707 ____A (Tangosoft) C:\Documents and Settings\Owner\Desktop\setup.exe
2012-01-01 18:20 - 2012-01-01 18:20 - 0607260 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\dds.scr
2012-01-01 17:13 - 2012-01-01 17:13 - 10847608 ____A (Malwarebytes Corporation ) C:\Documents and Settings\Owner\Desktop\mbam-setup-1.60.0.1800.exe
2012-01-01 17:06 - 2012-01-01 17:06 - 0302592 ____A C:\Documents and Settings\Owner\Desktop\iugpicv2.exe
2011-12-30 15:48 - 2012-01-01 15:12 - 0000408 ___AH C:\Documents and Settings\All Users\Application Data\3YZtDSp2OTCtkw
2011-12-30 15:48 - 2012-01-01 15:12 - 0000312 ___AH C:\Documents and Settings\All Users\Application Data\~3YZtDSp2OTCtkw
2011-12-30 15:48 - 2011-12-30 15:48 - 0000835 ___AH C:\Documents and Settings\Owner\Desktop\System Check.lnk
2011-12-30 15:48 - 2011-12-30 15:48 - 0000224 ___AH C:\Documents and Settings\All Users\Application Data\~3YZtDSp2OTCtkwr
2011-12-30 13:54 - 2011-12-30 13:54 - 0000000 ___HD C:\Documents and Settings\Owner\Local Settings\Application Data\Citrix
2011-12-30 13:52 - 2012-01-02 22:39 - 0019706 ___AH C:\Windows\setupapi.log
2011-12-30 01:13 - 2012-01-02 23:47 - 0536670 ___AH C:\Windows\ntbtlog.txt
2011-12-29 21:56 - 2012-01-04 10:11 - 0078168 ___AH C:\Windows\WindowsUpdate.log
2011-12-29 19:06 - 2011-12-29 19:06 - 0000000 ___HD C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2011-12-29 18:54 - 2011-12-29 18:54 - 0000000 ___HD C:\Program Files\CCleaner
2011-12-29 18:51 - 2011-12-29 18:51 - 3562624 ___AH (Piriform Ltd) C:\Documents and Settings\Owner\Desktop\ccsetup314.exe
2011-12-29 18:30 - 2011-12-29 22:03 - 0000000 ___HD C:\Program Files\SUPERAntiSpyware
2011-12-29 18:30 - 2011-12-29 18:30 - 0000000 ___HD C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-29 18:29 - 2011-12-29 18:29 - 12903112 ___AH (SUPERAntiSpyware.com) C:\Documents and Settings\Owner\Desktop\SUPERAntiSpyware.exe
2011-12-29 18:29 - 2011-12-29 18:29 - 0000000 ___HD C:\Documents and Settings\All Users\Application Data\SUPERSetup
2011-12-28 23:46 - 2002-02-27 14:12 - 0002600 ___AH C:\Documents and Settings\Owner\Desktop\xp_exe_fix.reg
2011-12-28 23:45 - 2011-12-28 23:45 - 0000745 ___AH C:\Documents and Settings\Owner\Desktop\xp_exe_fix.zip
2011-12-28 20:51 - 2011-12-28 20:51 - 0000000 ___HD C:\Documents and Settings\NetworkService\Application Data\Sun
2011-12-28 20:48 - 2011-12-28 20:48 - 0000000 ___HD C:\Documents and Settings\NetworkService\Application Data\Macromedia
2011-12-28 18:52 - 2011-12-28 20:45 - 0014552 __ASH C:\Documents and Settings\Owner\Local Settings\Application Data\5f33275514bwj482
2011-12-28 18:52 - 2011-12-28 20:45 - 0014552 __ASH C:\Documents and Settings\All Users\Application Data\5f33275514bwj482
2011-12-28 15:51 - 2011-12-28 15:51 - 0000000 ___HD C:\Documents and Settings\All Users\Application Data\AIM
2011-12-28 15:50 - 2011-12-28 15:50 - 0000000 ___HD C:\Program Files\Common Files\Software Update Utility
2011-12-28 15:50 - 2011-12-28 15:50 - 0000000 ___HD C:\Program Files\AIM
2011-12-26 01:40 - 2011-12-26 01:39 - 0963976 ___AH (Malwarebytes Corporation) C:\Documents and Settings\Owner\Desktop\mbam.exe
2011-12-26 00:33 - 2011-12-26 01:24 - 0011182 __ASH C:\Documents and Settings\Owner\Local Settings\Application Data\15034475r3r7
2011-12-26 00:33 - 2011-12-26 01:24 - 0011182 __ASH C:\Documents and Settings\All Users\Application Data\15034475r3r7
2011-12-24 09:29 - 2011-12-24 09:29 - 0414368 ___AH (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2011-12-23 11:40 - 2011-12-23 11:40 - 0000000 ___HD C:\Documents and Settings\Owner\Application Data\comcasttb
2011-12-23 11:39 - 2011-12-23 11:42 - 0000000 ___HD C:\Documents and Settings\Owner\Application Data\CallingID
2011-12-23 11:39 - 2011-12-23 11:39 - 0000000 ___HD C:\Program Files\Common Files\scanner
2011-12-23 11:39 - 2011-12-23 11:39 - 0000000 ___HD C:\Program Files\comcasttb
2011-12-23 11:38 - 2011-12-23 11:38 - 0000000 ___HD C:\Program Files\CA

============ 3 Months Modified Files and Folders ===============

2012-01-04 18:12 - 2012-01-04 18:12 - 0000000 ____D C:\FRST
2012-01-04 18:12 - 2012-01-02 23:24 - 0038677 ____A C:\Documents and Settings\Owner\Desktop\bootkit_remover_debug_log.txt
2012-01-04 18:11 - 2012-01-04 18:12 - 0858478 ____A C:\Documents and Settings\Owner\Desktop\FRST.exe
2012-01-04 10:11 - 2011-12-29 21:56 - 0078168 ___AH C:\Windows\WindowsUpdate.log
2012-01-02 23:58 - 2008-03-12 18:23 - 0000048 ___AH C:\Windows\wiaservc.log
2012-01-02 23:57 - 2012-01-02 23:25 - 0000706 ____A C:\Documents and Settings\Owner\Desktop\bootkit.txt
2012-01-02 23:56 - 2008-03-13 00:35 - 0000062 __ASH C:\Documents and Settings\Owner\Local Settings\desktop.ini
2012-01-02 23:56 - 2008-03-13 00:34 - 0000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2012-01-02 23:56 - 2008-03-13 00:34 - 0000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2012-01-02 23:56 - 2008-03-13 00:34 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-01-02 23:47 - 2011-12-30 01:13 - 0536670 ___AH C:\Windows\ntbtlog.txt
2012-01-02 23:23 - 2012-01-02 23:23 - 0044607 ____A C:\Documents and Settings\Owner\Desktop\bootkit_remover.zip
2012-01-02 22:47 - 2012-01-02 22:47 - 0000662 ____A C:\Documents and Settings\Owner\Desktop\rkill.log
2012-01-02 22:46 - 2012-01-02 22:46 - 0000147 ____A C:\Documents and Settings\Owner\Desktop\rk-proxy.reg
2012-01-02 22:46 - 2012-01-02 22:44 - 0000662 ____A C:\rkill.log
2012-01-02 22:39 - 2011-12-30 13:52 - 0019706 ___AH C:\Windows\setupapi.log
2012-01-02 20:06 - 2012-01-02 22:41 - 1578288 ____A (Kaspersky Lab ZAO) C:\Documents and Settings\Owner\Desktop\please.exe
2012-01-02 18:18 - 2012-01-02 18:03 - 0000000 ___SD C:\mikem
2012-01-02 18:05 - 2008-03-13 00:34 - 0032566 ___AH C:\Windows\SchedLgU.Txt
2012-01-02 17:57 - 2012-01-02 18:00 - 1008141 ____A C:\Documents and Settings\Owner\Desktop\rkill.com
2012-01-02 17:29 - 2012-01-02 18:00 - 4360898 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\mikem.exe
2012-01-02 13:01 - 2008-03-13 00:35 - 0000178 ___SH C:\Documents and Settings\Owner\ntuser.ini
2012-01-02 12:50 - 2012-01-02 12:54 - 8821856 ____A (OPSWAT, Inc.) C:\Documents and Settings\Owner\Desktop\AppRemover.exe
2012-01-02 10:41 - 2008-03-12 18:17 - 0000327 _RASH C:\boot.ini
2012-01-02 03:04 - 2012-01-02 03:04 - 0000000 RASHD C:\cmdcons
2012-01-02 02:56 - 2012-01-02 02:56 - 0000000 ____D C:\Windows\ERDNT
2012-01-02 02:56 - 2012-01-02 02:43 - 0000000 ____D C:\Qoobox
2012-01-02 02:32 - 2012-01-02 02:32 - 0001170 ____A C:\Documents and Settings\Owner\Desktop\aswMBR.txt
2012-01-02 01:36 - 2012-01-02 01:36 - 4702720 ____A (AVAST Software) C:\Documents and Settings\Owner\Desktop\aswMBR.exe
2012-01-02 00:28 - 2012-01-02 00:28 - 0005615 ____A C:\Documents and Settings\Owner\Desktop\glog.log
2012-01-01 23:49 - 2008-12-25 23:47 - 0000664 ____A C:\Windows\System32\d3d9caps.dat
2012-01-01 23:23 - 2008-03-13 00:35 - 0000000 __RHD C:\Documents and Settings\Owner\My Documents
2012-01-01 20:35 - 2012-01-01 20:35 - 0000686 ____A C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-01-01 20:35 - 2012-01-01 20:35 - 0000000 ____D C:\Program Files\****YouVirus
2012-01-01 20:33 - 2012-01-01 20:33 - 10847608 ____A (Malwarebytes Corporation ) C:\Documents and Settings\Owner\Desktop\****YouVirus.exe
2012-01-01 20:15 - 2012-01-02 03:04 - 0000211 ____A C:\Boot.bak
2012-01-01 19:41 - 2012-01-01 19:41 - 0000882 ____A C:\Documents and Settings\All Users\Desktop\Re-Enable v2.exe.lnk
2012-01-01 19:41 - 2012-01-01 19:41 - 0000000 ____D C:\Program Files\Tangosoft
2012-01-01 19:41 - 2008-09-15 14:20 - 0000000 ___HD C:\Config.Msi
2012-01-01 19:39 - 2012-01-01 19:39 - 1093707 ____A (Tangosoft) C:\Documents and Settings\Owner\Desktop\setup.exe
2012-01-01 18:20 - 2012-01-01 18:20 - 0607260 ____R (Swearware) C:\Documents and Settings\Owner\Desktop\dds.scr
2012-01-01 18:17 - 2008-03-13 00:35 - 0000000 __SHD C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files
2012-01-01 17:15 - 2010-05-07 18:04 - 0000000 ___HD C:\Program Files\Malwarebytes' Anti-Malware
2012-01-01 17:13 - 2012-01-01 17:13 - 10847608 ____A (Malwarebytes Corporation ) C:\Documents and Settings\Owner\Desktop\mbam-setup-1.60.0.1800.exe
2012-01-01 17:09 - 2008-03-13 00:35 - 0000000 __SHD C:\Documents and Settings\Owner\Local Settings\History
2012-01-01 17:06 - 2012-01-01 17:06 - 0302592 ____A C:\Documents and Settings\Owner\Desktop\iugpicv2.exe
2012-01-01 15:12 - 2011-12-30 15:48 - 0000408 ___AH C:\Documents and Settings\All Users\Application Data\3YZtDSp2OTCtkw
2012-01-01 15:12 - 2011-12-30 15:48 - 0000312 ___AH C:\Documents and Settings\All Users\Application Data\~3YZtDSp2OTCtkw
2012-01-01 14:38 - 2004-08-12 01:00 - 0002206 ___AH C:\Windows\System32\wpa.dbl
2011-12-30 15:48 - 2011-12-30 15:48 - 0000835 ___AH C:\Documents and Settings\Owner\Desktop\System Check.lnk
2011-12-30 15:48 - 2011-12-30 15:48 - 0000224 ___AH C:\Documents and Settings\All Users\Application Data\~3YZtDSp2OTCtkwr
2011-12-30 15:24 - 2008-03-12 18:19 - 0000000 __RHD C:\Documents and Settings\All Users\Start Menu
2011-12-30 13:59 - 2008-03-13 00:40 - 0184445 ___AH C:\Windows\System32\nvapps.xml
2011-12-30 13:58 - 2008-03-12 18:23 - 0000159 ___AH C:\Windows\wiadebug.log
2011-12-30 13:54 - 2011-12-30 13:54 - 0000000 ___HD C:\Documents and Settings\Owner\Local Settings\Application Data\Citrix
2011-12-30 13:02 - 2004-08-12 01:00 - 0000603 ___AH C:\Windows\win.ini
2011-12-30 13:02 - 2004-08-12 01:00 - 0000227 ___AH C:\Windows\system.ini
2011-12-30 12:38 - 2009-11-24 19:03 - 0000000 __HDC C:\Windows\$NtUninstallKB973687$
2011-12-30 01:23 - 2008-03-13 01:45 - 0000000 ___HD C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2011-12-29 22:03 - 2011-12-29 18:30 - 0000000 ___HD C:\Program Files\SUPERAntiSpyware
2011-12-29 19:06 - 2011-12-29 19:06 - 0000000 ___HD C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2011-12-29 19:01 - 2010-02-05 19:24 - 0000000 ___HD C:\Documents and Settings\Owner\Application Data\FileZilla
2011-12-29 19:01 - 2008-03-13 02:23 - 0000000 ___HD C:\Documents and Settings\Owner\Application Data\BitTorrent
2011-12-29 18:54 - 2011-12-29 18:54 - 0000000 ___HD C:\Program Files\CCleaner
2011-12-29 18:51 - 2011-12-29 18:51 - 3562624 ___AH (Piriform Ltd) C:\Documents and Settings\Owner\Desktop\ccsetup314.exe
2011-12-29 18:30 - 2011-12-29 18:30 - 0000000 ___HD C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-29 18:29 - 2011-12-29 18:29 - 12903112 ___AH (SUPERAntiSpyware.com) C:\Documents and Settings\Owner\Desktop\SUPERAntiSpyware.exe
2011-12-29 18:29 - 2011-12-29 18:29 - 0000000 ___HD C:\Documents and Settings\All Users\Application Data\SUPERSetup
2011-12-29 17:36 - 2008-05-12 09:27 - 0000069 ___AH C:\Windows\NeroDigital.ini
2011-12-29 13:14 - 2008-03-13 04:01 - 0000000 __HDC C:\Windows\$NtUninstallKB935839$
2011-12-28 23:45 - 2011-12-28 23:45 - 0000745 ___AH C:\Documents and Settings\Owner\Desktop\xp_exe_fix.zip
2011-12-28 20:51 - 2011-12-28 20:51 - 0000000 ___HD C:\Documents and Settings\NetworkService\Application Data\Sun
2011-12-28 20:48 - 2011-12-28 20:48 - 0000000 ___HD C:\Documents and Settings\NetworkService\Application Data\Macromedia
2011-12-28 20:45 - 2011-12-28 18:52 - 0014552 __ASH C:\Documents and Settings\Owner\Local Settings\Application Data\5f33275514bwj482
2011-12-28 20:45 - 2011-12-28 18:52 - 0014552 __ASH C:\Documents and Settings\All Users\Application Data\5f33275514bwj482
2011-12-28 18:52 - 2008-03-13 00:35 - 0000000 ___HD C:\Documents and Settings\Owner\Templates
2011-12-28 15:51 - 2011-12-28 15:51 - 0000000 ___HD C:\Documents and Settings\All Users\Application Data\AIM
2011-12-28 15:51 - 2009-10-18 12:12 - 0000000 ___HD C:\Documents and Settings\Owner\Local Settings\Application Data\AIM
2011-12-28 15:51 - 2008-03-13 02:00 - 0001391 ___AH C:\IPH.PH
2011-12-28 15:50 - 2011-12-28 15:50 - 0000000 ___HD C:\Program Files\Common Files\Software Update Utility
2011-12-28 15:50 - 2011-12-28 15:50 - 0000000 ___HD C:\Program Files\AIM
2011-12-27 16:09 - 2008-03-13 04:00 - 0000000 __HDC C:\Windows\$NtUninstallKB944653$
2011-12-26 09:06 - 2008-03-13 00:31 - 0000000 __HDC C:\Windows\$NtServicePackUninstallIDNMitigationAPIs$
2011-12-26 01:39 - 2011-12-26 01:40 - 0963976 ___AH (Malwarebytes Corporation) C:\Documents and Settings\Owner\Desktop\mbam.exe
2011-12-26 01:39 - 2008-03-13 00:29 - 0000000 ___HD C:\Program Files\Mozilla Firefox
2011-12-26 01:24 - 2011-12-26 00:33 - 0011182 __ASH C:\Documents and Settings\Owner\Local Settings\Application Data\15034475r3r7
2011-12-26 01:24 - 2011-12-26 00:33 - 0011182 __ASH C:\Documents and Settings\All Users\Application Data\15034475r3r7
2011-12-24 17:50 - 2008-03-13 03:38 - 0000000 ___HD C:\Documents and Settings\All Users\Application Data\Microsoft Help
2011-12-24 16:02 - 2008-03-13 01:51 - 0107520 ___AH C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-12-24 09:29 - 2011-12-24 09:29 - 0414368 ___AH (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
2011-12-23 11:42 - 2011-12-23 11:39 - 0000000 ___HD C:\Documents and Settings\Owner\Application Data\CallingID
2011-12-23 11:40 - 2011-12-23 11:40 - 0000000 ___HD C:\Documents and Settings\Owner\Application Data\comcasttb
2011-12-23 11:39 - 2011-12-23 11:39 - 0000000 ___HD C:\Program Files\Common Files\scanner
2011-12-23 11:39 - 2011-12-23 11:39 - 0000000 ___HD C:\Program Files\comcasttb
2011-12-23 11:38 - 2011-12-23 11:38 - 0000000 ___HD C:\Program Files\CA
2011-12-23 11:38 - 2009-08-09 10:26 - 0000000 ___HD C:\Windows\Downloaded Installations
2011-12-23 11:33 - 2008-03-12 18:19 - 0512960 ___AH C:\Windows\System32\PerfStringBackup.INI
2011-12-23 10:49 - 2009-03-30 14:26 - 0004102 ___AH C:\Windows\System32\lvcoinst.log
2011-12-10 15:24 - 2010-05-07 18:04 - 0020464 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2011-11-26 09:51 - 2008-09-28 19:21 - 0000178 __ASH C:\Documents and Settings\Dad\ntuser.ini
2011-11-26 09:12 - 2010-07-15 19:26 - 0002137 ___AH C:\Documents and Settings\Dad\Desktop\iTunes.lnk
2011-11-26 09:09 - 2008-09-28 19:21 - 0000062 __ASH C:\Documents and Settings\Dad\Local Settings\desktop.ini
2011-11-26 09:08 - 2010-08-31 21:59 - 0000000 ___HD C:\Program Files\Microsoft Silverlight

========================= Known DLLs (Whitelisted) ============

========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe
[2007-02-16 15:25] - [2007-06-13 05:23] - 1033216 ___AH (Microsoft Corporation) 97bd6515465659ff8f3b7be375b2ea87

C:\Windows\System32\winlogon.exe
[2004-08-12 01:00] - [2004-08-12 01:00] - 0502272 ___AH (Microsoft Corporation) 01c3346c241652f43aed8e2149881bfe

C:\Windows\System32\Drivers\volsnap.sys
[2004-08-12 01:00] - [2004-08-12 01:00] - 0052352 ___AH (Microsoft Corporation) ee4660083deba849ff6c485d944b379b

==================== Restore Points (XP) =====================

RP: -> 2012-01-04 12:02 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1027

RP: -> 2012-01-03 11:02 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1026

RP: -> 2012-01-01 19:57 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1023

RP: -> 2012-01-01 19:47 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1022

RP: -> 2012-01-01 19:41 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1021

RP: -> 2012-01-01 19:23 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1020

RP: -> 2012-01-01 19:17 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1019

RP: -> 2012-01-01 19:17 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1018

RP: -> 2012-01-01 15:37 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1017

RP: -> 2012-01-01 14:48 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1016

RP: -> 2012-01-01 14:45 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1015

RP: -> 2012-01-01 14:42 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1014

RP: -> 2011-12-30 13:56 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1013

RP: -> 2011-12-30 13:39 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1012

RP: -> 2011-12-30 00:18 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1011

RP: -> 2011-12-28 00:57 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1009

RP: -> 2011-12-27 00:11 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1008

RP: -> 2011-12-26 00:05 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1007

RP: -> 2011-12-24 17:45 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1006

RP: -> 2011-12-24 09:45 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1005

RP: -> 2011-12-23 11:35 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1004

RP: -> 2011-12-23 08:37 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1003

RP: -> 2011-10-30 11:45 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1002

RP: -> 2011-10-30 10:35 - 028672 _restore{BA89A21E-5935-4F9C-8567-12703A13ABC6}\RP1001

========================= Memory info ======================

Percentage of memory in use: 38%
Total physical RAM: 767 MB
Available physical RAM: 474.98 MB
Total Pagefile: 1877.14 MB
Available Pagefile: 1673.38 MB
Total Virtual: 2047.88 MB
Available Virtual: 1997.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:37.24 GB) (Free:8.3 GB) NTFS
5 Drive m: (New Volume) (Fixed) (Total:372.61 GB) (Free:227.76 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 37 GB 0 B
Disk 1 Online 373 GB 0 B

Partitions of Disk 0:

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 37 GB 32 KB
Partition 2 Unknown 8 MB 37 GB

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 37 GB Healthy Boot

Disk: 0
Partition 2
Type : 17
Hidden: Yes
Active: Yes

There is no volume associated with this partition.

hmMurdock914, Jan 4, 2012

#16
Broni Malware Annihilator

We're dealing here with the newest TDL rootkit.

Be extremely careful and read following manual 5 times if needed.

WARNING!
Proceed with extreme caution!
Deleting wrong partition will result with your computer being unusable.
If you have any doubts, ask.

===========================================================================================

Download gparted-live-0.10.0-3.iso (115.1 MB)

Burn it to a CD: http://neosmart.net/wiki/display/G/Burning+ISO+Images+to+a+CD+or+DVD

Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
Boot off of the newly created Gparted CD.

You should be here:

Press Enter.

By default, "do not touch keymap" is highlighted. Leave this setting alone and just press ENTER:

Choose your language and press ENTER. English is default [33]:

Once again, at this prompt, press ENTER:

You will now be taken to the main GUI screen below:

According to your logs, the partition that you want to delete is the small partition of 8MB.
Click on it to highlight it.
Click the trash can icon to delete and then click Apply.

You should now be here confirming your actions:

Now you should be here:

Is "boot" next to your OS drive?

If "boot" is NOT next to your OS drive under "Flags", right-mouse click the OS drive while in Gparted and select Manage Flags.

In the menu that pops up, place a checkmark in boot like the picture below:

Now double-click the button.

You should receive a small pop up like this:

Choose reboot and then press OK.

Post new Bootkit Remover log.

Broni, Jan 4, 2012

#17
hmMurdock914 Newcomer, in training

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 2 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)

Done;
Press any key to quit...

hmMurdock914, Jan 4, 2012

#18
Broni Malware Annihilator

Well done

Post new aswMBR log and see if TDSSKiller will run now.

Broni, Jan 4, 2012

#19
hmMurdock914 Newcomer, in training

Here are both logs

aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2012-01-04 20:31:38
-----------------------------
20:31:38.000 OS Version: Windows 5.1.2600 Service Pack 2
20:31:38.000 Number of processors: 1 586 0x207
20:31:38.000 ComputerName: COMPUTER2007 UserName: Owner
20:31:38.250 Initialize success
20:31:58.750 AVAST engine download error: 0
20:31:58.750 AVAST engine defs: 12010101
20:32:05.375 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
20:32:05.375 Disk 0 Vendor: WDC_WD400BB-75JHA0 05.01C05 Size: 38146MB BusType: 3
20:32:05.375 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
20:32:05.375 Disk 1 Vendor: ST3400832A 3.03 Size: 381554MB BusType: 3
20:32:05.375 Device \Driver\atapi -> MajorFunction 82fdd1f8
20:32:05.406 Disk 0 MBR read successfully
20:32:05.406 Disk 0 MBR scan
20:32:05.406 Disk 0 Windows XP default MBR code
20:32:05.406 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38138 MB offset 63
20:32:05.406 Disk 0 scanning sectors +78108030
20:32:05.468 Disk 0 scanning C:\WINDOWS\system32\drivers
20:32:12.828 Service scanning
20:32:13.578 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
20:32:14.187 Modules scanning
20:32:21.750 Module: C:\WINDOWS\System32\drivers\dxgthk.sys **SUSPICIOUS**
20:32:23.156 Module: C:\WINDOWS\system32\ntdll.dll **SUSPICIOUS**
20:32:23.171 Disk 0 trace - called modules:
20:32:23.171 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82fdd1f8]<<
20:32:23.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82fcdab8]
20:32:23.187 3 CLASSPNP.SYS[f756ffcf] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x82f12b00]
20:32:23.187 \Driver\atapi[0x82f2c510] -> IRP_MJ_CREATE -> 0x82fdd1f8
20:32:23.546 AVAST engine scan C:\WINDOWS
20:32:29.984 AVAST engine scan C:\WINDOWS\system32
20:34:02.875 AVAST engine scan C:\WINDOWS\system32\drivers
20:34:12.062 AVAST engine scan C:\Documents and Settings\Owner
20:41:00.859 AVAST engine scan C:\Documents and Settings\All Users
20:41:48.828 Scan finished successfully
20:44:04.250 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
20:44:04.265 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR2.txt"

20:44:35.0984 1660 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
20:44:36.0062 1660 ============================================================
20:44:36.0062 1660 Current date / time: 2012/01/04 20:44:36.0062
20:44:36.0062 1660 SystemInfo:
20:44:36.0062 1660
20:44:36.0062 1660 OS Version: 5.1.2600 ServicePack: 2.0
20:44:36.0062 1660 Product type: Workstation
20:44:36.0062 1660 ComputerName: COMPUTER2007
20:44:36.0078 1660 UserName: Owner
20:44:36.0078 1660 Windows directory: C:\WINDOWS
20:44:36.0078 1660 System windows directory: C:\WINDOWS
20:44:36.0078 1660 Processor architecture: Intel x86
20:44:36.0078 1660 Number of processors: 1
20:44:36.0078 1660 Page size: 0x1000
20:44:36.0078 1660 Boot type: Normal boot
20:44:36.0078 1660 ============================================================
20:44:37.0562 1660 Initialize success
20:45:02.0218 0540 ============================================================
20:45:02.0218 0540 Scan started
20:45:02.0218 0540 Mode: Manual;
20:45:02.0218 0540 ============================================================
20:45:02.0718 0540 Abiosdsk - ok
20:45:02.0765 0540 abp480n5 - ok
20:45:02.0828 0540 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:45:02.0843 0540 ACPI - ok
20:45:02.0953 0540 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:45:02.0953 0540 ACPIEC - ok
20:45:03.0000 0540 adpu160m - ok
20:45:03.0125 0540 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
20:45:03.0125 0540 aeaudio - ok
20:45:03.0203 0540 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
20:45:03.0203 0540 aec - ok
20:45:03.0343 0540 AFD (6a0397376853e604de8e1e7a87fc08ac) C:\WINDOWS\System32\drivers\afd.sys
20:45:03.0343 0540 AFD - ok
20:45:03.0406 0540 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
20:45:03.0406 0540 agp440 - ok
20:45:03.0500 0540 Aha154x - ok
20:45:03.0531 0540 aic78u2 - ok
20:45:03.0546 0540 aic78xx - ok
20:45:03.0578 0540 AliIde - ok
20:45:03.0609 0540 amsint - ok
20:45:03.0656 0540 asc - ok
20:45:03.0671 0540 asc3350p - ok
20:45:03.0703 0540 asc3550 - ok
20:45:03.0765 0540 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:45:03.0765 0540 AsyncMac - ok
20:45:03.0875 0540 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:45:03.0875 0540 atapi - ok
20:45:03.0953 0540 Atdisk - ok
20:45:04.0015 0540 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:45:04.0015 0540 Atmarpc - ok
20:45:04.0140 0540 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:45:04.0140 0540 audstub - ok
20:45:04.0171 0540 AvgLdx86 - ok
20:45:04.0250 0540 AvgMfx86 - ok
20:45:04.0328 0540 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:45:04.0328 0540 Beep - ok
20:45:04.0437 0540 catchme - ok
20:45:04.0562 0540 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:45:04.0562 0540 cbidf2k - ok
20:45:04.0640 0540 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:45:04.0640 0540 CCDECODE - ok
20:45:04.0734 0540 cd20xrnt - ok
20:45:04.0812 0540 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:45:04.0812 0540 Cdaudio - ok
20:45:04.0906 0540 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
20:45:04.0906 0540 Cdfs - ok
20:45:04.0984 0540 Cdrom (882b4257e5a5adfb6b5c03e8a02d4bf1) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:45:04.0984 0540 Cdrom - ok
20:45:05.0062 0540 Changer - ok
20:45:05.0140 0540 CmdIde - ok
20:45:05.0218 0540 Cpqarray - ok
20:45:05.0265 0540 dac2w2k - ok
20:45:05.0328 0540 dac960nt - ok
20:45:05.0421 0540 DigiNet (411670143f7b98520e0708f2fa263b9d) C:\WINDOWS\system32\DRIVERS\diginet.sys
20:45:05.0421 0540 DigiNet - ok
20:45:05.0531 0540 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
20:45:05.0531 0540 Disk - ok
20:45:05.0625 0540 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
20:45:05.0640 0540 dmboot - ok
20:45:05.0765 0540 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
20:45:05.0781 0540 dmio - ok
20:45:05.0828 0540 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:45:05.0828 0540 dmload - ok
20:45:05.0953 0540 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
20:45:05.0953 0540 DMusic - ok
20:45:06.0046 0540 dpti2o - ok
20:45:06.0093 0540 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
20:45:06.0093 0540 drmkaud - ok
20:45:06.0234 0540 E100B (98ed0bea10477b0f252cca35eb50f838) C:\WINDOWS\system32\DRIVERS\e100b325.sys
20:45:06.0234 0540 E100B - ok
20:45:06.0312 0540 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
20:45:06.0312 0540 Fastfat - ok
20:45:06.0437 0540 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:45:06.0437 0540 Fdc - ok
20:45:06.0500 0540 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
20:45:06.0500 0540 Fips - ok
20:45:06.0625 0540 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
20:45:06.0625 0540 Flpydisk - ok
20:45:06.0687 0540 FltMgr (5a85cd3d07273e3f6fe72ee9c6431632) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:45:06.0687 0540 FltMgr - ok
20:45:06.0812 0540 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:45:06.0812 0540 Fs_Rec - ok
20:45:06.0875 0540 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:45:06.0890 0540 Ftdisk - ok
20:45:07.0000 0540 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
20:45:07.0000 0540 GEARAspiWDM - ok
20:45:07.0093 0540 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:45:07.0093 0540 Gpc - ok
20:45:07.0187 0540 grmnusb (d956358054e99e6ffac69cd87e893a89) C:\WINDOWS\system32\drivers\grmnusb.sys
20:45:07.0187 0540 grmnusb - ok
20:45:07.0281 0540 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:45:07.0281 0540 hidusb - ok
20:45:07.0359 0540 hpn - ok
20:45:07.0437 0540 HSFHWBS2 (970178e8e003eb1481293830069624b9) C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
20:45:07.0453 0540 HSFHWBS2 - ok
20:45:07.0578 0540 HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
20:45:07.0609 0540 HSF_DP - ok
20:45:07.0703 0540 HTTP (261bf53e1d1c21f04b4e748a6ed3d055) C:\WINDOWS\system32\Drivers\HTTP.sys
20:45:07.0718 0540 HTTP - ok
20:45:07.0812 0540 i2omgmt - ok
20:45:07.0828 0540 i2omp - ok
20:45:07.0890 0540 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:45:07.0890 0540 i8042prt - ok
20:45:07.0984 0540 Imapi (12c59b8929121ace2f55acc86682cf12) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:45:07.0984 0540 Imapi - ok
20:45:08.0062 0540 ini910u - ok
20:45:08.0156 0540 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
20:45:08.0156 0540 IntelIde - ok
20:45:08.0265 0540 intelppm (db8a1859cf9e48914dcc0a7206d87be5) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:45:08.0265 0540 intelppm - ok
20:45:08.0312 0540 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:45:08.0312 0540 Ip6Fw - ok
20:45:08.0421 0540 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:45:08.0421 0540 IpFilterDriver - ok
20:45:08.0500 0540 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:45:08.0500 0540 IpInIp - ok
20:45:08.0593 0540 IpNat (472c75f85e631f8aa87d21c9fee6238d) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:45:08.0593 0540 IpNat - ok
20:45:08.0671 0540 IPSec (37a4ddd17195f6d65e3a6731c70a103f) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:45:08.0671 0540 IPSec - ok
20:45:08.0796 0540 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:45:08.0796 0540 IRENUM - ok
20:45:08.0875 0540 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:45:08.0890 0540 isapnp - ok
20:45:09.0000 0540 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:45:09.0000 0540 Kbdclass - ok
20:45:09.0046 0540 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:45:09.0046 0540 kbdhid - ok
20:45:09.0140 0540 kmixer (8531438246ce9474e41ee1599904c0c7) C:\WINDOWS\system32\drivers\kmixer.sys
20:45:09.0140 0540 kmixer - ok
20:45:09.0250 0540 KSecDD (1be7cc2535d760ae4d481576eb789f24) C:\WINDOWS\system32\drivers\KSecDD.sys
20:45:09.0250 0540 KSecDD - ok
20:45:09.0328 0540 lbrtfdc - ok
20:45:09.0453 0540 libusb0 (03e12dbfacf1aeb86c553b0db488fb81) C:\WINDOWS\system32\DRIVERS\libusb0.sys
20:45:09.0453 0540 libusb0 - ok
20:45:09.0593 0540 mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
20:45:09.0593 0540 mdmxsdk - ok
20:45:09.0671 0540 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
20:45:09.0671 0540 Modem - ok
20:45:09.0781 0540 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
20:45:09.0781 0540 MODEMCSA - ok
20:45:09.0843 0540 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:45:09.0843 0540 Mouclass - ok
20:45:09.0968 0540 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:45:09.0968 0540 mouhid - ok
20:45:10.0031 0540 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
20:45:10.0031 0540 MountMgr - ok
20:45:10.0125 0540 mraid35x - ok
20:45:10.0187 0540 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:45:10.0187 0540 MRxDAV - ok
20:45:10.0328 0540 MRxSmb (3500e756812e716351f2d341ae1d5623) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:45:10.0343 0540 MRxSmb - ok
20:45:10.0484 0540 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
20:45:10.0500 0540 Msfs - ok
20:45:10.0562 0540 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:45:10.0562 0540 MSKSSRV - ok
20:45:10.0687 0540 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:45:10.0687 0540 MSPCLOCK - ok
20:45:10.0750 0540 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
20:45:10.0750 0540 MSPQM - ok
20:45:10.0875 0540 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:45:10.0875 0540 mssmbios - ok
20:45:10.0937 0540 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
20:45:10.0937 0540 MSTEE - ok
20:45:11.0062 0540 Mup (79a9c030299e8cc04f18d0765155d902) C:\WINDOWS\system32\drivers\Mup.sys
20:45:11.0062 0540 Mup - ok
20:45:11.0187 0540 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:45:11.0187 0540 NABTSFEC - ok
20:45:11.0265 0540 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
20:45:11.0265 0540 NDIS - ok
20:45:11.0375 0540 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:45:11.0390 0540 NdisIP - ok
20:45:11.0468 0540 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:45:11.0468 0540 NdisTapi - ok
20:45:11.0593 0540 Ndisuio (77d9bf86b912104c229d4f0d25be3c12) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:45:11.0593 0540 Ndisuio - ok
20:45:11.0625 0540 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:45:11.0625 0540 NdisWan - ok
20:45:11.0750 0540 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
20:45:11.0750 0540 NDProxy - ok
20:45:11.0828 0540 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:45:11.0828 0540 NetBIOS - ok
20:45:11.0937 0540 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:45:11.0937 0540 NetBT - ok
20:45:12.0078 0540 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
20:45:12.0078 0540 Npfs - ok
20:45:12.0171 0540 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
20:45:12.0187 0540 Ntfs - ok
20:45:12.0328 0540 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:45:12.0328 0540 Null - ok
20:45:12.0484 0540 nv (10458bfc0968e7e69d77f292942b27b1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:45:12.0578 0540 nv - ok
20:45:12.0718 0540 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
20:45:12.0718 0540 Parport - ok
20:45:12.0781 0540 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
20:45:12.0781 0540 PartMgr - ok
20:45:12.0859 0540 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:45:12.0859 0540 ParVdm - ok
20:45:12.0937 0540 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
20:45:12.0937 0540 PCI - ok
20:45:13.0031 0540 PCIDump - ok
20:45:13.0093 0540 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
20:45:13.0093 0540 PCIIde - ok
20:45:13.0234 0540 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:45:13.0234 0540 Pcmcia - ok
20:45:13.0312 0540 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
20:45:13.0312 0540 pcouffin - ok
20:45:13.0390 0540 PDCOMP - ok
20:45:13.0437 0540 PDFRAME - ok
20:45:13.0515 0540 PDRELI - ok
20:45:13.0546 0540 PDRFRAME - ok
20:45:13.0578 0540 perc2 - ok
20:45:13.0593 0540 perc2hib - ok
20:45:13.0671 0540 Point32 (08b11f5c60edca255b18cedef8efba2a) C:\WINDOWS\system32\DRIVERS\point32.sys
20:45:13.0671 0540 Point32 - ok
20:45:13.0750 0540 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:45:13.0750 0540 PptpMiniport - ok
20:45:13.0843 0540 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
20:45:13.0843 0540 PSched - ok
20:45:13.0921 0540 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:45:13.0921 0540 Ptilink - ok
20:45:14.0031 0540 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:45:14.0031 0540 PxHelp20 - ok
20:45:14.0140 0540 QCMerced (b607f201293e884f36f9a2ac2c960853) C:\WINDOWS\system32\DRIVERS\LVCM.sys
20:45:14.0156 0540 QCMerced - ok
20:45:14.0218 0540 ql1080 - ok
20:45:14.0250 0540 Ql10wnt - ok
20:45:14.0296 0540 ql12160 - ok
20:45:14.0328 0540 ql1240 - ok
20:45:14.0343 0540 ql1280 - ok
20:45:14.0390 0540 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:45:14.0390 0540 RasAcd - ok
20:45:14.0515 0540 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:45:14.0515 0540 Rasl2tp - ok
20:45:14.0609 0540 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:45:14.0609 0540 RasPppoe - ok
20:45:14.0734 0540 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:45:14.0734 0540 Raspti - ok
20:45:14.0796 0540 Rdbss (b48441a6dc703ee4c36db14ee51a189c) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:45:14.0796 0540 Rdbss - ok
20:45:14.0921 0540 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:45:14.0921 0540 RDPCDD - ok
20:45:14.0968 0540 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:45:14.0984 0540 rdpdr - ok
20:45:15.0062 0540 RDPWD (047bea21274c8a4a233674a76c958c2c) C:\WINDOWS\system32\drivers\RDPWD.sys
20:45:15.0078 0540 RDPWD - ok
20:45:15.0171 0540 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:45:15.0171 0540 redbook - ok
20:45:15.0296 0540 rspndr (0e11b35e972796042044bc27ce13b065) C:\WINDOWS\system32\DRIVERS\rspndr.sys
20:45:15.0296 0540 rspndr - ok
20:45:15.0421 0540 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
20:45:15.0421 0540 SASDIFSV - ok
20:45:15.0453 0540 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
20:45:15.0453 0540 SASKUTIL - ok
20:45:15.0578 0540 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:45:15.0578 0540 Secdrv - ok
20:45:15.0656 0540 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:45:15.0656 0540 serenum - ok
20:45:15.0765 0540 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
20:45:15.0781 0540 Serial - ok
20:45:15.0843 0540 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:45:15.0843 0540 Sfloppy - ok
20:45:15.0937 0540 Simbad - ok
20:45:16.0000 0540 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:45:16.0000 0540 SLIP - ok
20:45:16.0156 0540 smwdm (12d9287937366bf1c9ad7007b5407deb) C:\WINDOWS\system32\drivers\smwdm.sys
20:45:16.0171 0540 smwdm - ok
20:45:16.0265 0540 Sparrow - ok
20:45:16.0328 0540 splitter (9bb1dd670cb7505a90fc4e61d4aa8227) C:\WINDOWS\system32\drivers\splitter.sys
20:45:16.0328 0540 splitter - ok
20:45:16.0484 0540 sptd (7f1b7c4d446cd3f926af45b8c48bd593) C:\WINDOWS\system32\Drivers\sptd.sys
20:45:16.0484 0540 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 7f1b7c4d446cd3f926af45b8c48bd593
20:45:16.0500 0540 sptd ( LockedFile.Multi.Generic ) - warning
20:45:16.0500 0540 sptd - detected LockedFile.Multi.Generic (1)
20:45:16.0593 0540 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
20:45:16.0593 0540 sr - ok
20:45:16.0703 0540 Srv (d4af9861c3b6a2163d26dc6b9cf05e2a) C:\WINDOWS\system32\DRIVERS\srv.sys
20:45:16.0718 0540 Srv - ok
20:45:16.0859 0540 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:45:16.0859 0540 streamip - ok
20:45:16.0937 0540 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:45:16.0937 0540 swenum - ok
20:45:17.0015 0540 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
20:45:17.0015 0540 swmidi - ok
20:45:17.0093 0540 symc810 - ok
20:45:17.0140 0540 symc8xx - ok
20:45:17.0187 0540 sym_hi - ok
20:45:17.0250 0540 sym_u3 - ok
20:45:17.0312 0540 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
20:45:17.0312 0540 sysaudio - ok
20:45:17.0453 0540 Tcpip (744e57c99232201ae98c49168b918f48) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:45:17.0468 0540 Tcpip - ok
20:45:17.0593 0540 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:45:17.0593 0540 TDPIPE - ok
20:45:17.0656 0540 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
20:45:17.0671 0540 TDTCP - ok
20:45:17.0765 0540 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:45:17.0765 0540 TermDD - ok
20:45:17.0875 0540 TosIde - ok
20:45:17.0953 0540 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
20:45:17.0953 0540 Udfs - ok
20:45:18.0031 0540 ultra - ok
20:45:18.0093 0540 Update (7b2170ee3d858ce8fbe503904cc9b663) C:\WINDOWS\system32\DRIVERS\update.sys
20:45:18.0109 0540 Update - ok
20:45:18.0250 0540 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
20:45:18.0250 0540 USBAAPL - ok
20:45:18.0343 0540 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
20:45:18.0343 0540 usbaudio - ok
20:45:18.0468 0540 usbbus (d9f3bb7c292f194f3b053ce295754eb8) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
20:45:18.0468 0540 usbbus - ok
20:45:18.0531 0540 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:45:18.0531 0540 usbccgp - ok
20:45:18.0656 0540 UsbDiag (c4f77da649f99fad116ea585376fc164) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
20:45:18.0656 0540 UsbDiag - ok
20:45:18.0718 0540 usbehci (a45ea1550ea4b368c4fba7ca9d056bc9) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:45:18.0718 0540 usbehci - ok
20:45:18.0843 0540 usbhub (6d46b1f89134892a862ac56b00ac11fe) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:45:18.0843 0540 usbhub - ok
20:45:18.0906 0540 USBModem (c0613ce45e617bc671de8ebb1b30d175) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
20:45:18.0906 0540 USBModem - ok
20:45:19.0031 0540 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:45:19.0031 0540 usbprint - ok
20:45:19.0093 0540 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:45:19.0093 0540 USBSTOR - ok
20:45:19.0203 0540 usbuhci (0ee1925590ba1abec14254d54d9870f4) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:45:19.0203 0540 usbuhci - ok
20:45:19.0265 0540 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
20:45:19.0265 0540 VgaSave - ok
20:45:19.0343 0540 ViaIde - ok
20:45:19.0437 0540 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
20:45:19.0437 0540 VolSnap - ok
20:45:19.0578 0540 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:45:19.0578 0540 Wanarp - ok
20:45:19.0656 0540 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
20:45:19.0671 0540 Wdf01000 - ok
20:45:19.0750 0540 WDICA - ok
20:45:19.0828 0540 wdmaud (0bfa8203b8148fb4e54bc212c41ce497) C:\WINDOWS\system32\drivers\wdmaud.sys
20:45:19.0828 0540 wdmaud - ok
20:45:19.0953 0540 winachsf (1225ebea76aac3c84df6c54fe5e5d8be) C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
20:45:19.0984 0540 winachsf - ok
20:45:20.0125 0540 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
20:45:20.0125 0540 WinUSB - ok
20:45:20.0218 0540 WMP11V27 (f7c6cc420c21eb1a73f6a73bfec96f2c) C:\WINDOWS\system32\DRIVERS\WMP11V27.sys
20:45:20.0234 0540 WMP11V27 - ok
20:45:20.0359 0540 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
20:45:20.0359 0540 WpdUsb - ok
20:45:20.0468 0540 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
20:45:20.0468 0540 WSTCODEC - ok
20:45:20.0609 0540 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:45:20.0609 0540 WudfPf - ok
20:45:20.0687 0540 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
20:45:20.0703 0540 WudfRd - ok
20:45:20.0812 0540 zumbus (6bfb54f73aae470e9299e66cbc7bb632) C:\WINDOWS\system32\DRIVERS\zumbus.sys
20:45:20.0812 0540 zumbus - ok
20:45:20.0890 0540 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:45:21.0046 0540 \Device\Harddisk0\DR0 - ok
20:45:21.0078 0540 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
20:45:21.0078 0540 \Device\Harddisk1\DR1 - ok
20:45:21.0093 0540 Boot (0x1200) (499de547869951f996f156bed7a209f6) \Device\Harddisk0\DR0\Partition0
20:45:21.0093 0540 \Device\Harddisk0\DR0\Partition0 - ok
20:45:21.0109 0540 Boot (0x1200) (919950ad12d80f1c32c89d55c1047d20) \Device\Harddisk1\DR1\Partition0
20:45:21.0109 0540 \Device\Harddisk1\DR1\Partition0 - ok
20:45:21.0125 0540 ============================================================
20:45:21.0125 0540 Scan finished
20:45:21.0125 0540 ============================================================
20:45:21.0140 1868 Detected object count: 1
20:45:21.0140 1868 Actual detected object count: 1
20:45:49.0406 1868 sptd ( LockedFile.Multi.Generic ) - skipped by user
20:45:49.0406 1868 sptd ( LockedFile.Multi.Generic ) - User select action: Skip

hmMurdock914, Jan 4, 2012

#20

(You must log in or sign up to reply here.)

Page 1 of 3

TechSpot | Technology News and Analysis
Copyright © 1998-2012, TechSpot, Inc.
Forum software by XenForo™
TechSpot is a registered trademark
All Rights Reserved