TechSpot

Svchost hogging resources ... internet searches being redirected

Solved
By jgf
Jun 5, 2011
Topic Status:
Not open for further replies.
  1. System is Vista Home Premium 32, SP2; AV is Avira for full-time protection, supplemented by weekly scans with MSE, Malwarebytes, and Spybot. Installed Ad-Aware today; after over three hours just to scan my C drive I stopped it, though it did find three items. After reading a thread on a similar problem, I d/l'd and ran ComboFix (safe mode w/network, all programs closed), but did nothing with it beyond that.

    Both problems appeared simultaneously a few days ago. Clicking on any result from a web search will briefly get the correct URL in the status bar, but it is quickly replaced by the likes of "exclusivephonedeals.com" or "bigyellowdirectory.com". Fortunately my browser is set to not allow redirects; if I click on the search result several times I eventually get the correct page.

    The second, and more serious, problem is that something persistently opens a new system svchost running 16-18 LAN services, which quickly consumes 90% CPU and 150-400 MB of memory. If left unattended this rapidly overheats the CPU and the system restarts. So now I'm running Task Manager constantly so I can keep an eye on the CPU monitor in the system tray. This occurs whether I'm online or not; it doesn't matter if I physically disconnect the cable. It also occurs in safe mode, though there only three of the LAN items appear in the offending svchost: ikeext, profsvc, and winmgmt. (As I type this I had to "end process" the svchost, which was using 80% CPU and 450 MB of memory.)

    //////////////////////////

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-05 04:50:50
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000009b Hitachi_ rev.V5CO
    Running: twk7oxr4.exe; Driver: C:\Users\KHRODK~1\AppData\Local\Temp\pxldapow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 MBR read error
    Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84E2C1F8
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 dvd43llh.sys (dvd43llh.sys/RIF)
    Device \Driver\atapi \Device\Ide\IdePort0 84E2C1F8
    Device \Driver\atapi \Device\Ide\IdePort0 dvd43llh.sys (dvd43llh.sys/RIF)
    Device \Driver\atapi \Device\Ide\IdePort1 84E2C1F8
    Device \Driver\atapi \Device\Ide\IdePort1 dvd43llh.sys (dvd43llh.sys/RIF)
    Device \FileSystem\Ntfs \Ntfs 84E2F1F8

    AttachedDevice \Driver\tdx \Device\Tcp pctgntdi.sys

    Device \Device\0000009d -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725040VLA#4&2019003&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
  2. jgf

    jgf TS Rookie Topic Starter Posts: 31

    .
    DDS (Ver_2011-06-03.01) - NTFSx86
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_22
    Run by Khrod Kat at 4:58:36 on 2011-06-05
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1116 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\dvd43\DVD43_Tray.exe
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\PC Tools Firewall Plus\FWService.exe
    C:\WINDOWS\System32\Ctxfihlp.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\DriveGLEAM\drivegleam.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
    J:\misc\GPU-Z.0.4.2.exe
    J:\Paint Shop Pro 8\MB-Ruler\MB-Ruler.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\System32\alg.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\SYSTEM32\CTXFISPI.EXE
    C:\Windows\Explorer.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.dogpile.com/
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T5246
    BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
    TB: {71576546-354D-41C9-AAE8-31F2EC22BF0D} - No File
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [DriveGLEAM] "c:\program files\drivegleam\drivegleam.exe" /STARTUP
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [AtiTrayTools] "c:\program files\ray adams\ati tray tools\atitray.exe"
    mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
    mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
    mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
    mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.24 msi master overclocking arena 2009 edition\RivaTunerWrapper.exe" /S
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [CTxfiHlp] CTXFIHLP.EXE
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    dRun: [DevconDefaultDB] c:\windows\system32\READREG /SILENT /FAIL=1
    StartupFolder: c:\users\khrodk~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\mb-ruler.lnk - j:\paint shop pro 8\mb-ruler\MB-Ruler.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gpu-z.lnk - j:\misc\GPU-Z.0.4.2.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mb-ruler.lnk - j:\paint shop pro 8\mb-ruler\MB-Ruler.exe
    uPolicies-explorer: TaskbarNoThumbnail = 1 (0x1)
    uPolicies-explorer: HideSCABattery = 0 (0x0)
    uPolicies-explorer: HideSCANetwork = 0 (0x0)
    uPolicies-explorer: HideSCAVolume = 0 (0x0)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.7.16.dll/206
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: bcsims.com\gpltd
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15116/CTPID.cab
    TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
    TCP: Interfaces\{D134D271-3206-4109-89F4-3A2CD7808D2C} : DhcpNameServer = 192.168.0.1 192.168.0.1
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\khrod kat\appdata\roaming\mozilla\firefox\profiles\nq6fx598.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.dogpile.com/
    FF - component: c:\users\khrod kat\appdata\roaming\mozilla\firefox\profiles\nq6fx598.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
    FF - component: c:\users\khrod kat\appdata\roaming\mozilla\firefox\profiles\nq6fx598.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\users\khrod kat\appdata\roaming\mozilla\firefox\profiles\nq6fx598.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
    FF - Ext: WeatherBug: {3EC9C995-8072-4fc0-953E-4F30620D17F3} - %profile%\extensions\{3EC9C995-8072-4fc0-953E-4F30620D17F3}
    FF - Ext: FireShot: {0b457cAA-602d-484a-8fe7-c1d894a011ba} - %profile%\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
    FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
    FF - Ext: Fast Youtube Downloader: fastYoutubeDownloader@yevgenyandrov.net - %profile%\extensions\fastYoutubeDownloader@yevgenyandrov.net
    FF - Ext: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - %profile%\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
    FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
    FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 atitray;atitray;c:\program files\ray adams\ati tray tools\atitray.sys [2011-3-27 20384]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-1-30 233136]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-11-25 172032]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-12 136360]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-12 269480]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-12 61960]
    R2 dvdmmg;dvdmmg;c:\windows\system32\drivers\dvdmmg.sys [2007-9-6 5504]
    R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2010-3-25 21504]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2010-1-30 88040]
    R2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2010-1-30 818432]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-26 1153368]
    R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-5-4 5550592]
    R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-11-25 176128]
    R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
    R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [2009-9-15 38248]
    R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-1-30 70664]
    R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2010-1-30 58816]
    R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2010-1-30 115216]
    R3 rxpvbus;Reality XP Avionics Bus Driver;c:\windows\system32\drivers\rxpvbus.sys [2005-11-4 44032]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S3 ARLGIFXTP;ARLGIFXTP;c:\users\khrodk~1\appdata\local\temp\arlgifxtp.exe --> c:\users\khrodk~1\appdata\local\temp\ARLGIFXTP.exe [?]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-4-26 84832]
    S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2011-5-25 79360]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2011-5-25 79360]
    S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-5-5 171096]
    S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-5-5 1324120]
    S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-5-5 72792]
    S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [2009-2-19 30984]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-5-25 2151128]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 43392]
    S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\netr73.sys [2006-12-29 247808]
    S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
    S3 papycpu;papycpu;c:\windows\system32\drivers\papycpu.sys [2009-2-24 1984]
    S3 SaiHFF04;SaiHFF04;c:\windows\system32\drivers\SaiHFF04.sys [2007-1-30 126344]
    S3 SaiIFF04;Immersion's HID USB Driver (FF04);c:\windows\system32\drivers\SaiIFF04.sys [2007-1-30 16256]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 VZOTLKSYW;VZOTLKSYW;c:\users\khrodk~1\appdata\local\temp\vzotlksyw.exe --> c:\users\khrodk~1\appdata\local\temp\VZOTLKSYW.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-06-05 08:21:38 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-06-05 04:32:38 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-06-05 04:32:35 -------- d-----w- c:\users\khrod kat\appdata\local\temp
    2011-06-05 04:21:07 98816 ----a-w- c:\windows\sed.exe
    2011-06-05 04:21:07 518144 ----a-w- c:\windows\SWREG.exe
    2011-06-05 04:21:07 256512 ----a-w- c:\windows\PEV.exe
    2011-06-05 04:21:07 208896 ----a-w- c:\windows\MBR.exe
    2011-06-05 03:59:51 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-05 03:54:32 -------- d-----w- c:\program files\Lavasoft
    2011-06-03 12:31:30 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{05f44ba6-b9c3-4c92-a4f1-8650533e0ed1}\mpengine.dll
    2011-05-31 13:42:50 -------- d-----w- c:\users\khrod kat\appdata\local\DestinationFinder
    2011-05-31 13:02:28 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2011-05-31 13:02:28 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
    2011-05-31 13:00:28 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2011-05-28 09:59:38 -------- d-----w- c:\users\khrod kat\appdata\roaming\runic games
    2011-05-28 09:41:19 -------- d-----w- c:\program files\common files\Datalode
    2011-05-25 09:18:25 53248 ------w- c:\windows\Ctregrun.exe
    2011-05-25 07:26:39 -------- d-----w- c:\program files\common files\Creative Labs Shared
    2011-05-25 07:26:00 102400 ----a-w- c:\windows\system32\cttele32.dll
    2011-05-25 07:24:25 -------- d-----w- c:\windows\system32\Data
    2011-05-25 07:24:11 22691984 ----a-w- c:\windows\system32\AppSetup.exe
    2011-05-24 12:45:03 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
    2011-05-23 05:08:03 -------- d-----w- c:\programdata\PopCap Games
    2011-05-14 16:16:20 -------- d-----w- c:\program files\ATI Technologies
    2011-05-14 16:16:18 -------- d-----w- c:\program files\ATI
    2011-05-14 16:15:36 -------- d-----w- C:\ATI
    2011-05-06 16:44:11 -------- d-----w- c:\users\khrod kat\appdata\roaming\atitray
    2011-05-06 16:25:44 -------- d-----w- c:\program files\Ray Adams
    2011-05-06 15:06:02 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-05-06 15:06:02 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-05-06 15:05:30 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    .
    ==================== Find3M ====================
    .
    2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-25 07:25:52 445016 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-05-25 07:25:52 109144 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-05-12 23:08:30 737280 ----a-w- c:\windows\iun6002.exe
    2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: Hitachi_ rev.V5CO -> Harddisk0\DR0 ->
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x854624D0]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x854687f0]; MOV EAX, [0x8546886c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x8205311B] -> \Device\Harddisk0\DR0[0x8538A0C8]
    3 CLASSPNP[0x885A08B3] -> nt!IofCallDriver[0x8205311B] -> [0x84ED1E00]
    5 acpi[0x826E86BC] -> nt!IofCallDriver[0x8205311B] -> [0x84ED87E8]
    \Driver\nvstor32[0x84FEEB48] -> IRP_MJ_CREATE -> 0x854624D0
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    detected disk devices:
    \Device\0000009d -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725040VLA#4&2019003&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    sectors 781422766 (+7): user != kernel
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 4:59:51.06 ===============
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-03.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 2/6/2008 3:20:17 PM
    System Uptime: 6/5/2011 4:45:50 AM (0 hours ago)
    .
    Motherboard: Gateway | | MCP61SM2MA
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2200/201mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 69 GiB total, 3.657 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 4.513 GiB free.
    E: is CDROM (CDFS)
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is FIXED (NTFS) - 146 GiB total, 59.989 GiB free.
    L: is FIXED (NTFS) - 146 GiB total, 17.94 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: USB CF Reader
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#920321111113&1#
    Manufacturer: Generic
    Name: USB CF Reader
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_CF_READER&REV_1.01#920321111113&1#
    Service: WUDFRd
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: USB MS Reader
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#920321111113&3#
    Manufacturer: Generic
    Name: USB MS Reader
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_MS_READER&REV_1.03#920321111113&3#
    Service: WUDFRd
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: USB SD Reader
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SD_READER&REV_1.00#920321111113&0#
    Manufacturer: Generic
    Name: USB SD Reader
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SD_READER&REV_1.00#920321111113&0#
    Service: WUDFRd
    .
    Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Description: USB SM Reader
    Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SM_READER&REV_1.02#920321111113&2#
    Manufacturer: Generic
    Name: USB SM Reader
    PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&1&STORAGE#VOLUME#1&19F7E59C&0&_??_USBSTOR#DISK&VEN_GENERIC&PROD_USB_SM_READER&REV_1.02#920321111113&2#
    Service: WUDFRd
    .
    ==== System Restore Points ===================
    .
    RP1312: 6/1/2011 8:31:33 AM - Windows Update
    RP1313: 6/2/2011 8:31:04 AM - Windows Update
    RP1314: 6/3/2011 8:31:04 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    .
    µTorrent
    ActiveSky Version 6 and ActiveSky Graphics
    Ad-Aware
    Adobe Audition 1.0
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    aerosoft's - New Spanish Airports - FS2004
    aerosoft's - Pro Flight Emulator Deluxe
    Aircraft Container SDK
    Allway Sync version 10.3.8
    ALMS 2009 GT2 MOD v1.2 for GTR2
    Amnesia - The Dark Descent
    Apple Application Support
    Apple Software Update
    Applian FLV Player
    Application Mover
    ArcSoft VideoImpression 2
    Ashampoo Burning Studio 6
    Astroburn Lite
    ATI Catalyst Install Manager
    AV DVD Player Morpher
    Avira AntiVir Personal - Free Antivirus
    AVS DVD Copy version 4.1.1
    AVS DVD Player version 2.4
    AVS Update Manager 1.0
    AVS Video Converter 6
    AVS4YOU Software Navigator 1.3
    Bejeweled 2 Deluxe 1.0
    BitComet 1.17
    BlindWrite 6
    Brazil Megapack 05/2008 FS2004 v1.0
    CCleaner (remove only)
    CD Recovery Toolbox Free 1.1
    Chessmaster 7000
    Core Temp version 0.99.8
    CR-Software's - German Landmarks FS2004
    Creative ALchemy
    Creative Audio Control Panel
    Creative Console Launcher
    Creative MediaSource 5
    Creative Smart Recorder
    Creative Software AutoUpdate
    Creative Sound Blaster Properties
    Creative System Information
    Creative WaveStudio 7
    Curtiss-Wright AT-32 Condor for FSX or FS2004
    D-Fend Reloaded 0.9.1 (deinstall)
    DDS Converter 2.1
    DDS Thumbnail Viewer
    Deus Ex
    Digital Media Reader
    DriveGLEAM V1.08
    Driver Sweeper 2.1.0
    DVD Decrypter (Remove Only)
    DVD Shrink 3.2
    DVD43 v4.6.0
    DVDFab 7.0.4.0 (15/04/2010)
    eMachines Recovery Center Installer
    erLT
    Farm Frenzy 3 American Pie
    Farm Frenzy 2
    feelThere Florida Landings 1.0
    Flight Simulator 2004 Special Effects SDK
    Flight Simulator 2004 Traffic Toolbox SDK
    Flight Simulator 2004 Weather Themes SDK
    FlightSim Manager
    FormatFactory 2.50
    Fraps
    Free Easy Burner V 3.8
    FS Panel Studio for FSX Build 20207
    FS Real Time v1.64
    FSRepaint
    Game Booster
    GARMIN 400 Series Trainer
    German Landmarks FS2004
    Ground Environment Professional
    GT Legends 1.1.0.0
    GTR 2 1.0.0.0
    GTR2 Championship Manager
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ImgBurn
    Insectoid 1.02
    ISO Recorder
    IsoBuster 2.0
    Jasc Paint Shop Pro 8
    Jasc Paint Shop Pro 8.10 Update Patch
    Java Auto Updater
    Java(TM) 6 Update 22
    Java(TM) SE Runtime Environment 6 Update 1
    JGoodies JDiskReport 1.3.2
    Legendary 707
    Lockheed Orion 9 for FSX or FS2004
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Media Player Classic - Home Cinema v1.5.0.2827
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Baseline Security Analyzer 2.1
    Microsoft Flight Simulator 2004 A Century of Flight
    Microsoft IntelliPoint 8.0
    Microsoft IntelliType Pro 7.1
    Microsoft Office 97, Professional Edition
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft Windows Media Video 9 VCM
    Microsoft WSE 2.0 SP3 Runtime
    Morrowind
    Moscow Global Scenery - Version 1.2
    Mozilla Firefox (3.6.17)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    No One Lives Forever
    NoteTab Light (Remove only)
    NVIDIA DDS Utilities
    NVIDIA Photoshop Plug-ins
    Object Fix Zip
    OneTouch Version 3.0
    OpenAL
    PC Tools Firewall Plus 6.0
    PicNic
    Player
    Power2Go 5.0
    Prompt Media Player 2.1
    Ptolemy
    Python 2.4.1
    Python 2.5.4
    Python 2.6 comtypes-0.6.2
    Python 2.6 psyco-1.6
    Python 2.6 pywin32-214
    Python 2.6.5
    QuickTime
    Railroad Tycoon II - Platinum
    Ray Adams ATI Tray Tools
    Real Environment Xtreme FS2004
    Rename Us 3.03
    Richard Burns Rally
    RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition
    RunAlyzer
    SceneryConfigEditor v1.0.5 (remove only)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Sierra Utilities
    SimCity 2000® Special Edition
    Simmer's Sky - Japanese Airports vol.1
    Simmer's Sky - Japanese Airports vol.2
    Simmer's Sky - Japanese Airports vol.3
    Simmer's Sky - Japanese Airports vol.4
    Simmer's Sky - Japanese Airports vol.5
    Simmer's Sky - Japanese Airports vol.6
    Simmer's Sky - Japanese Airports vol.7
    Simmer's Sky - Japanese Airports vol.8
    Simmer's Sky - Japanese Airports vol.9
    SolSuite 2010 v10.1
    Sonar Screensaver 1.00
    Spare Backup
    Spybot - Search & Destroy
    StreamTransport version: 1.0.2.2041
    Super Flight Planner 3.0.3
    System47 Screen Saver
    TES Construction Set
    TextCrawler 1.1.4
    Thumbplug TGA
    TorchED
    Torchlight
    TUGZip 3.4
    UK SRTM Terrain Mesh Scenery for FS2004
    Ultimate Terrain - Canada & Alaska
    Ultimate Terrain - Europe
    Ultimate Terrain - USA
    UltimateDefrag V1 FREE Public Domain Version
    Unlocker 1.8.8
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    URL Snooper v2.28.01
    VcrSaver
    Virtual City
    Vista Visual Master
    WinBMD
    Windows Media Player Firefox Plugin
    WinPcap 4.1.1
    WinRAR archiver
    Works Upgrade
    World of Warcraft FREE Trial
    WSGT by RMT for GTR2
    wxPython 2.5.3.1 (ansi) for Python 2.4
    wxPython 2.8.0.1 (ansi) for Python 2.5
    wxPython 2.8.11.0 (ansi) for Python 2.6
    X-treme King Air B200 v.2.0.1
    XQDC X-Setup Pro 9.2.100
    XviD MPEG4 Video Codec (remove only)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/5/2011 4:51:36 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.64 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    6/5/2011 4:48:31 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    6/5/2011 4:48:06 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    6/5/2011 4:48:06 AM, Error: Service Control Manager [7000] - The NVR0FLASHDev service failed to start due to the following error: The system cannot find the file specified.
    6/5/2011 4:46:35 AM, Error: EventLog [6008] - The previous system shutdown at 4:44:01 AM on 6/5/2011 was unexpected.
    6/5/2011 4:41:39 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running.
    6/5/2011 4:41:38 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    6/5/2011 12:30:20 AM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
    6/5/2011 12:30:12 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    6/5/2011 12:21:11 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
    6/5/2011 12:18:36 AM, Error: Service Control Manager [7034] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 3 time(s).
    6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    6/5/2011 12:16:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    6/5/2011 12:02:49 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    6/5/2011 12:02:47 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atitray avipbb i8042prt MpFilter spldr sptd ssmdrv Wanarpv6
    6/5/2011 12:02:47 AM, Error: Service Control Manager [7019] - The Print Spooler service depends on a service in a group which starts later. Change the order in the service dependency tree to ensure that all services required to start this service are starting before this service is started.
    6/5/2011 12:02:47 AM, Error: Service Control Manager [7018] - Detected circular dependencies auto-starting services. Check the service dependency tree.
    6/5/2011 12:02:47 AM, Error: Service Control Manager [7001] - The Creative Audio Service service depends on the Windows Audio service which failed to start because of the following error: The dependency service or group failed to start.
    6/5/2011 12:02:47 AM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    6/5/2011 12:02:41 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    6/5/2011 12:02:41 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    6/5/2011 12:01:49 AM, Error: sptd [4] - Driver detected an internal error in its data structures for .
    6/4/2011 9:59:06 AM, Error: srv [2020] - The server was unable to allocate from the system paged pool because the pool was empty.
    6/4/2011 9:36:39 AM, Error: srv [2018] - The server was unable to allocate from the system paged pool because the server reached the configured limit for paged pool allocations.
    6/4/2011 9:35:18 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.23.77 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    6/4/2011 8:04:28 AM, Error: EventLog [6008] - The previous system shutdown at 8:02:55 AM on 6/4/2011 was unexpected.
    6/4/2011 8:01:03 AM, Error: Microsoft-Windows-Kernel-General [6] - An I/O operation initiated by the Registry failed unrecoverably.The Registry could not flush hive (file): '\SystemRoot\System32\Config\SOFTWARE'.
    6/4/2011 8:00:45 AM, Error: Microsoft-Windows-Kernel-General [6] - An I/O operation initiated by the Registry failed unrecoverably.The Registry could not flush hive (file): '\??\C:\Users\Khrod Kat\ntuser.dat'.
    6/4/2011 5:15:32 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.20.26 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    6/4/2011 5:13:04 AM, Error: Microsoft-Windows-SharedAccess_NAT [34001] - The ICS_IPV6 failed to configure IPv6 stack.
    6/4/2011 5:09:46 AM, Error: EventLog [6008] - The previous system shutdown at 5:07:41 AM on 6/4/2011 was unexpected.
    6/4/2011 11:41:00 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.105.1184.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6903.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    6/4/2011 11:30:33 PM, Error: EventLog [6008] - The previous system shutdown at 11:27:18 PM on 6/4/2011 was unexpected.
    6/3/2011 3:15:30 PM, Error: EventLog [6008] - The previous system shutdown at 3:10:29 PM on 6/3/2011 was unexpected.
    5/31/2011 3:56:29 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 99.168.75.182 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    5/29/2011 7:48:06 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.17.211 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    5/29/2011 12:39:42 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 68.75.16.42 for the Network Card with network address 001C2569346F has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
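Added example, not part of this thread: the three Service Control Manager 7031 entries stamped 6/5/2011 12:16:22 AM (Windows Management Instrumentation, User Profile Service, IKE and AuthIP IPsec Keying Modules) all record a termination in the same second. Services that share one svchost.exe instance go down together when that host process is killed or crashes, so a cluster like this points at the host process rather than at any one service, which is the symptom this thread is about. The Python below, written for this page, parses DDS-style Event Viewer lines and groups unexpected service terminations by timestamp so the pattern stands out. The sample input is a constructed subset of lines copied from the log above; the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the Event Viewer lines quoted in the DDS log above,
# in the same "date, Error: source [id] - message" layout.
SAMPLE_LOG = """\
6/5/2011 12:18:36 AM, Error: Service Control Manager [7034] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 3 time(s).
6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/5/2011 12:16:22 AM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
6/5/2011 12:02:47 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atitray avipbb i8042prt MpFilter spldr sptd ssmdrv Wanarpv6
6/4/2011 8:04:28 AM, Error: EventLog [6008] - The previous system shutdown at 8:02:55 AM on 6/4/2011 was unexpected.
"""

# One DDS event line: timestamp, level, source, bracketed event id, free-text message.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
# SCM event ids for an unexpected service termination
# (7031 = with a recovery action scheduled, 7034 = without one).
TERMINATION_IDS = {"7031", "7034"}
SERVICE_RE = re.compile(r"^The (?P<name>.+?) service terminated unexpectedly")


def parse_events(text):
    """Turn DDS-style Event Viewer lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events


def service_terminations(events):
    """Map each timestamp to the services SCM reported as terminated at that second."""
    by_time = defaultdict(list)
    for ev in events:
        if ev["source"] != "Service Control Manager" or ev["event_id"] not in TERMINATION_IDS:
            continue
        m = SERVICE_RE.match(ev["msg"])
        if m:
            by_time[ev["ts"]].append(m.group("name"))
    return dict(by_time)


def shared_host_crashes(events, min_services=2):
    """Timestamps at which several services died in the same second.

    Services sharing one svchost.exe instance terminate together when the host
    process dies, so a cluster like this implicates the host, not a single service.
    """
    return {ts: names for ts, names in service_terminations(events).items()
            if len(names) >= min_services}


if __name__ == "__main__":
    for ts, names in sorted(shared_host_crashes(parse_events(SAMPLE_LOG)).items()):
        print(f"{ts:%Y-%m-%d %H:%M:%S}: {len(names)} services terminated together: "
              + ", ".join(names))
```

Run against the sample it reports the single 12:16:22 AM cluster; the lone 7034 entry for the Microsoft Antimalware Service two minutes later is kept in `service_terminations` but does not qualify as a shared-host crash, which is the distinction a responder wants when deciding whether to look at one service or at whatever is killing the host.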
  3. jgf

    jgf TS Rookie Topic Starter Posts: 31

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6773

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    6/5/2011 4:35:29 AM
    mbam-log-2011-06-05 (04-35-29).txt

    Scan type: Quick scan
    Objects scanned: 149040
    Time elapsed: 4 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    ////////////////////////////
    I know you didn't ask, but here is the Ad-Aware log.
    /////////////////////////
    AdAware log deleted by Bobbye. Not requested.
  4. jgf

    jgf TS Rookie Topic Starter Posts: 31

    Addendum: in my own plodding way, I noticed the "Warning: possible TDL3 rootkit infection !" message, researched it, and applied the Kaspersky fix from the bleepingcomputer site. It detected the rootkit and said it cured it. Whether that is part, or all, of the problem remains to be seen. Either way I'd be interested in anything of note you may glean from that mass of logs I dumped here (90% of which is completely unintelligible to me).
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No, I didn't. Please observe the following:
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    =========================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ==============================================
    If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ========================================
    Please get your security down to one antivirus, one firewall (two or more antimalware programs). It is important when you use a suite to be aware of what's in it.
    ================================
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent and BitComet for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
    --------------------------------
    If you decide not to uninstall these file sharing programs, please disable them and do not use them while we are cleaning.
  6. jgf

    jgf TS Rookie Topic Starter Posts: 31

    TDSSKiller is what I ran from Kaspersky; it supposedly found and cured a TDL4 rootkit. (This may have been the trouble. Have been using the computer since starting this thread and the offending svchost hasn't reared its ugly head, nor have I experienced more than the usual amount of websearch redirects.)

    Avira is the only active AV software on the system; the others are run on demand.

    Am aware of the risks of P2P software and, on the rare occasions I use it, only use torrents from a specific source. (uTorrent hasn't been used for at least a year, BitComet perhaps once a month.) FWIW, all downloads, whether from a torrent source or from Microsoft, go to a separate partition where they're hit with all my antimalware programs before I even access a readme.

    Will do the ESET scan later this evening and get back to you.
  7. jgf

    jgf TS Rookie Topic Starter Posts: 31

    ComboFix 11-06-04.02 - Khrod Kat 06/05/2011 0:23.1.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1503 [GMT -4:00]
    Running from: c:\users\Khrod Kat\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\defender.exe
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    c:\users\Khrod Kat\AppData\Roaming\inst.exe
    c:\users\Khrod Kat\Documents\reg_bkp.reg
    c:\windows\system\idapi32.dll
    c:\windows\system\msvbvm60.dll
    c:\windows\system32\SCLabel.ocx
    c:\windows\system32\spool\prtprocs\w32x86\Ppbiproc.dll
    c:\windows\Update.bat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-05 to 2011-06-05 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-05 04:30 . 2011-06-05 04:30 -------- d-----w- c:\users\Khrod Kat\AppData\Local\temp
    2011-06-05 04:12 . 2011-06-05 04:20 -------- d-----w- C:\32788R22FWJFW
    2011-06-05 03:59 . 2011-06-05 03:59 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-05 03:54 . 2011-06-05 03:54 -------- d-----w- c:\programdata\Lavasoft
    2011-06-05 03:54 . 2011-06-05 03:54 -------- d-----w- c:\program files\Lavasoft
    2011-06-03 12:31 . 2011-05-09 20:46 6962000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{05F44BA6-B9C3-4C92-A4F1-8650533E0ED1}\mpengine.dll
    2011-05-31 13:42 . 2011-05-31 13:42 -------- d-----w- c:\users\Khrod Kat\AppData\Local\DestinationFinder
    2011-05-31 13:02 . 2009-07-14 17:45 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2011-05-31 13:02 . 2009-07-14 17:45 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
    2011-05-31 13:00 . 2011-05-31 13:00 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2011-05-28 09:59 . 2011-05-28 09:59 -------- d-----w- c:\users\Khrod Kat\AppData\Roaming\runic games
    2011-05-28 09:41 . 2011-05-28 09:41 -------- d-----w- c:\program files\Common Files\Datalode
    2011-05-25 09:18 . 2006-10-06 18:17 53248 ------w- c:\windows\Ctregrun.exe
    2011-05-25 07:26 . 2011-05-25 07:26 -------- d-----w- c:\program files\Common Files\Creative Labs Shared
    2011-05-25 07:26 . 2008-02-04 14:27 102400 ----a-w- c:\windows\system32\cttele32.dll
    2011-05-25 07:24 . 2011-05-25 07:25 -------- d-----w- c:\windows\system32\Data
    2011-05-25 07:24 . 2009-05-18 18:34 22691984 ----a-w- c:\windows\system32\AppSetup.exe
    2011-05-24 12:45 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
    2011-05-23 05:08 . 2011-05-26 09:15 -------- d-----w- c:\programdata\PopCap Games
    2011-05-14 16:16 . 2011-05-14 16:16 -------- d-----w- c:\program files\ATI Technologies
    2011-05-14 16:16 . 2011-05-14 18:30 -------- d-----w- c:\program files\ATI
    2011-05-14 16:15 . 2011-05-14 16:15 -------- d-----w- C:\ATI
    2011-05-06 16:44 . 2011-05-06 16:44 -------- d-----w- c:\users\Khrod Kat\AppData\Roaming\atitray
    2011-05-06 16:25 . 2011-05-06 16:25 -------- d-----w- c:\program files\Ray Adams
    2011-05-06 15:06 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2011-05-06 15:06 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2011-05-06 15:05 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-29 13:11 . 2010-01-04 07:09 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-29 13:11 . 2010-01-04 07:09 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-25 07:25 . 2010-04-13 08:19 445016 ----a-w- c:\windows\system32\wrap_oal.dll
    2011-05-25 07:25 . 2010-04-13 08:19 109144 ----a-w- c:\windows\system32\OpenAL32.dll
    2011-05-12 23:08 . 2009-06-24 06:56 737280 ----a-w- c:\windows\iun6002.exe
    2011-05-09 20:46 . 2010-05-06 00:43 6962000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-04-03 09:23 . 2010-05-12 13:31 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-03-10 17:03 . 2011-04-21 08:50 1162240 ----a-w- c:\windows\system32\mfc42u.dll
    2011-03-10 17:03 . 2011-04-21 08:50 1136640 ----a-w- c:\windows\system32\mfc42.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "DriveGLEAM"="c:\program files\DriveGLEAM\drivegleam.exe" [2009-10-23 86560]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "AtiTrayTools"="c:\program files\Ray Adams\ATI Tray Tools\atitray.exe" [2011-03-27 929280]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2009-10-24 827904]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
    "00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
    "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-01-06 281768]
    "RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe" [2009-08-22 24576]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "CTxfiHlp"="CTXFIHLP.EXE" [2010-05-05 25600]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 1797488]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DevconDefaultDB"="c:\windows\system32\READREG" [X]
    .
    c:\users\Khrod Kat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    MB-Ruler.lnk - j:\paint shop pro 8\MB-Ruler\MB-Ruler.exe [2009-3-29 1729536]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    GPU-Z.lnk - j:\misc\GPU-Z.0.4.2.exe [2010-5-15 521568]
    MB-Ruler.lnk - j:\paint shop pro 8\MB-Ruler\MB-Ruler.exe [2009-3-29 1729536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "TaskbarNoThumbnail"= 1 (0x1)
    "HideSCABattery"= 0 (0x0)
    "HideSCANetwork"= 0 (0x0)
    "HideSCAVolume"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
    2010-05-05 23:56 25600 ----a-w- c:\windows\System32\Ctxfihlp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
    2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
    2002-09-24 13:21 86016 ----a-w- c:\program files\Visioneer OneTouch\OneTouchMon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RivaTuner]
    2009-08-22 18:25 24576 ----a-w- c:\program files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTunerWrapper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
    2007-09-14 00:22 5252936 ----a-w- c:\program files\Spare Backup\SpareBackup.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
    2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ehTray.exe"=c:\windows\ehome\ehTray.exe
    "SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "EVGAPrecision"="c:\program files\EVGA Precision\EVGAPrecisionWrapper.exe" /s
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiSpywareOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3867056976-849016701-749785769-1000]
    "EnableNotificationsRef"=dword:00000001
    .
    R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-03-03 691696]
    R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [2011-03-27 20384]
    R1 MpKsl0f70f70a;MpKsl0f70f70a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{952C9FE2-9A5C-48BD-9199-4EDE1505C3CA}\MpKsl0f70f70a.sys [x]
    R1 MpKsl103ede34;MpKsl103ede34;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{01B9831C-72E7-48C1-9915-F4CC1013D5E6}\MpKsl103ede34.sys [x]
    R1 MpKsl1e1f2bc1;MpKsl1e1f2bc1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C4A23112-7ACC-4A6E-B018-B7509526E591}\MpKsl1e1f2bc1.sys [x]
    R1 MpKsl1ee6ef91;MpKsl1ee6ef91;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8AECCA0F-562A-42E2-9FE7-F8085C6A8A95}\MpKsl1ee6ef91.sys [x]
    R1 MpKsl2d4ba727;MpKsl2d4ba727;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{952C9FE2-9A5C-48BD-9199-4EDE1505C3CA}\MpKsl2d4ba727.sys [x]
    R1 MpKsl3b8d7755;MpKsl3b8d7755;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{07DD9922-8C20-47ED-B9DC-43D7EE33E988}\MpKsl3b8d7755.sys [x]
    R1 MpKsl3cf75429;MpKsl3cf75429;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DEB3B208-9C6A-495B-8F03-6F71490D24FE}\MpKsl3cf75429.sys [x]
    R1 MpKsl43f62011;MpKsl43f62011;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8AECCA0F-562A-42E2-9FE7-F8085C6A8A95}\MpKsl43f62011.sys [x]
    R1 MpKsl4b5ebc92;MpKsl4b5ebc92;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{77387393-FF56-4D04-B075-D1B686C7D2F3}\MpKsl4b5ebc92.sys [x]
    R1 MpKsl58842128;MpKsl58842128;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DEB3B208-9C6A-495B-8F03-6F71490D24FE}\MpKsl58842128.sys [x]
    R1 MpKsl5b2b60ca;MpKsl5b2b60ca;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8E8D3056-3418-4F22-A4E8-45F3AC0E6EFD}\MpKsl5b2b60ca.sys [x]
    R1 MpKsl5ddde673;MpKsl5ddde673;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0A6590A4-02EF-4645-8FD9-7B749D27F641}\MpKsl5ddde673.sys [x]
    R1 MpKsl6134ecdc;MpKsl6134ecdc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CF0D3EC4-CEC2-4970-B234-1EE163D110B6}\MpKsl6134ecdc.sys [x]
    R1 MpKsl718d1d64;MpKsl718d1d64;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C4A23112-7ACC-4A6E-B018-B7509526E591}\MpKsl718d1d64.sys [x]
    R1 MpKsl8ec72540;MpKsl8ec72540;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{517DD5B7-A9CA-4D71-94F0-CB5DDD2E3A8A}\MpKsl8ec72540.sys [x]
    R1 MpKsl9c1f60a1;MpKsl9c1f60a1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B5A497F2-2210-4991-B750-A7CDC84BD29C}\MpKsl9c1f60a1.sys [x]
    R1 MpKsla21e8826;MpKsla21e8826;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EB33FFD9-5B96-4DF1-B3C5-5353D9246D1C}\MpKsla21e8826.sys [x]
    R1 MpKslab3c7881;MpKslab3c7881;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F21A05D4-AF4A-4988-8C62-DF5EB8E3BEAC}\MpKslab3c7881.sys [x]
    R1 MpKslbc6dab23;MpKslbc6dab23;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8AECCA0F-562A-42E2-9FE7-F8085C6A8A95}\MpKslbc6dab23.sys [x]
    R1 MpKslca39f714;MpKslca39f714;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8E8D3056-3418-4F22-A4E8-45F3AC0E6EFD}\MpKslca39f714.sys [x]
    R1 MpKsld100c05f;MpKsld100c05f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A557C83D-2243-45EB-8AE0-636F69F67062}\MpKsld100c05f.sys [x]
    R1 MpKsld2b27410;MpKsld2b27410;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F21A05D4-AF4A-4988-8C62-DF5EB8E3BEAC}\MpKsld2b27410.sys [x]
    R1 MpKslde1ece80;MpKslde1ece80;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ADB9C3EA-CAEF-49FA-83C5-C87C591A7FC1}\MpKslde1ece80.sys [x]
    R1 MpKslf38ff5f5;MpKslf38ff5f5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EC2E3395-A7BD-4883-A55B-D1753305677C}\MpKslf38ff5f5.sys [x]
    R1 MpKslf5f3803f;MpKslf5f3803f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A81245E9-066A-43F0-9D0E-165C3443761B}\MpKslf5f3803f.sys [x]
    R1 MpKslf824e5d5;MpKslf824e5d5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7FD14708-1216-4D3F-8C6A-04932F0C80B9}\MpKslf824e5d5.sys [x]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-05 172032]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-05-13 136360]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 dvdmmg;dvdmmg;c:\windows\system32\drivers\dvdmmg.sys [2007-09-06 5504]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-05-25 2151128]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
    R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2009-11-23 88040]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    R3 ALSysIO;ALSysIO;c:\users\KHRODK~1\AppData\Local\Temp\ALSysIO.sys [x]
    R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-05-05 5550592]
    R3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-05-05 176128]
    R3 ARLGIFXTP;ARLGIFXTP;c:\users\KHRODK~1\AppData\Local\Temp\ARLGIFXTP.exe [x]
    R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
    R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2011-05-25 79360]
    R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2011-05-25 79360]
    R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [2010-05-06 171096]
    R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [2010-05-06 171096]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [2010-05-06 1324120]
    R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [2010-05-06 1324120]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [2010-05-06 72792]
    R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [2010-05-06 72792]
    R3 DisplayLinkUsbPort;DisplayLink USB Device; [x]
    R3 GPU-Z;GPU-Z;c:\users\KHRODK~1\AppData\Local\Temp\GPU-Z.sys [x]
    R3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\DRIVERS\imhidusb.sys [2002-12-04 30984]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
    R3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr73.sys [2006-12-29 247808]
    R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
    R3 papycpu;papycpu; [x]
    R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-01-12 70664]
    R3 pctplfw;pctplfw;c:\windows\System32\drivers\pctplfw.sys [2010-01-13 115216]
    R3 SaiHFF04;SaiHFF04;c:\windows\system32\DRIVERS\SaiHFF04.sys [2007-01-30 126344]
    R3 SaiIFF04;Immersion's HID USB Driver (FF04);c:\windows\system32\DRIVERS\SaiIFF04.sys [2007-01-30 16256]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    R4 VZOTLKSYW;VZOTLKSYW;c:\users\KHRODK~1\AppData\Local\Temp\VZOTLKSYW.exe [x]
    S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2010-01-07 233136]
    S3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclock.sys [2009-09-15 38248]
    S3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys [2010-01-07 58816]
    S3 rxpvbus;Reality XP Avionics Bus Driver;c:\windows\system32\DRIVERS\rxpvbus.sys [2005-11-04 44032]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-05-25 06:00]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.dogpile.com/
    mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T5246
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: bcsims.com\gpltd
    TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
    FF - ProfilePath - c:\users\Khrod Kat\AppData\Roaming\Mozilla\Firefox\Profiles\nq6fx598.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.dogpile.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
    FF - Ext: WeatherBug: {3EC9C995-8072-4fc0-953E-4F30620D17F3} - %profile%\extensions\{3EC9C995-8072-4fc0-953E-4F30620D17F3}
    FF - Ext: FireShot: {0b457cAA-602d-484a-8fe7-c1d894a011ba} - %profile%\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
    FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}
    FF - Ext: Fast Youtube Downloader: fastYoutubeDownloader@yevgenyandrov.net - %profile%\extensions\fastYoutubeDownloader@yevgenyandrov.net
    FF - Ext: CacheViewer: {71328583-3CA7-4809-B4BA-570A85818FBB} - %profile%\extensions\{71328583-3CA7-4809-B4BA-570A85818FBB}
    FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: FlashGot: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34} - %profile%\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
    FF - Ext: IE View: {6e84150a-d526-41f1-a480-a67d3fed910d} - %profile%\extensions\{6e84150a-d526-41f1-a480-a67d3fed910d}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    MSConfigStartUp-Bionix Wallpaper - j:\misc\bionix\Bionix Wallpaper.exe
    MSConfigStartUp-EVGAPrecision - c:\program files\EVGA Precision\EVGAPrecisionWrapper.exe
    MSConfigStartUp-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    MSConfigStartUp-UpdReg - c:\windows\UpdReg.EXE
    AddRemove-PaperPort 7.02 - c:\program files\ScanSoft\PaperPort\Config\DeIsL1.isu
    AddRemove-Rarewings.com Stearman Hammond Y-1s - c:\users\Khrod Kat\Desktop\_fs9_hold\_tmp\Aircraft\Uninstal.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-05 00:30
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    CTxfiHlp = CTXFIHLP.EXE?
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.0.6002 Disk: Hitachi_ rev.V5CO -> Harddisk0\DR0 ->
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x853F04D0]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x853f67f0]; MOV EAX, [0x853f686c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x8204811B] -> \Device\Harddisk0\DR0[0x8532C780]
    3 CLASSPNP[0x885A78B3] -> nt!IofCallDriver[0x8204811B] -> [0x85267700]
    5 acpi[0x826F06BC] -> nt!IofCallDriver[0x8204811B] -> [0x84E5F470]
    \Driver\nvstor32[0x853C7D28] -> IRP_MJ_CREATE -> 0x853F04D0
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
    detected disk devices:
    \Device\0000009c -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725040VLA#4&2019003&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    sectors 781422766 (+7): user != kernel
    Warning: possible TDL3 rootkit infection !
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3867056976-849016701-749785769-1000\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick]
    @DACL=(02 0000)
    .
    [HKEY_USERS\S-1-5-21-3867056976-849016701-749785769-1000\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm]
    @DACL=(02 0000)
    "wheel"=dword:00000001
    DUMPHIVE0.003 (REGF)
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    Completion time: 2011-06-05 00:32:33
    ComboFix-quarantined-files.txt 2011-06-05 04:32
    .
    Pre-Run: 4,476,948,480 bytes free
    Post-Run: 4,428,873,728 bytes free
    .
    - - End Of File - - CA54C3A05E5C7F1ADC47793E21325337
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The only "demand" that would be okay would be something like the Eset Online Virus scanner. Neither of these should be used as an "on demand" scanner. Please remove one of them.

    You are also running PC Tools Firewall Plus. Since MSE has a firewall, that means you are also running 2 firewalls. Please remove one of them.
    =============================
    Please remove the TDSSKiller you currently have. Since it still appears that there is a rootkit on the system, I would like you to download and scan again from the link I left in Reply #5.

    I have some script written to be run in Combofix, but I will wait until I get the Eset logs and the new logs from TDSSKiller.
  9. jgf

    jgf TS Rookie Topic Starter Posts: 31

    MSE has no firewall that I've found in any of the tabs or docs. It is installed but real-time protection is turned off, same for Malwarebytes and Spybot. They are in the context menu so they can be called if desired, but Avira is the only active AV program running. Once a week Avira does a full scan, then is disabled while the others get their turn, enabled one at a time, to also do a full scan. This system has served me well for three years on this computer and for five years prior on my XP computer.
  10. jgf

    jgf TS Rookie Topic Starter Posts: 31

    BTW, d/l'd TDSSKiller again, ran it; it squawked about there being a new version, so I let it go off in the ether and d/l'd yet another.

    2011/06/07 13:38:31.0132 6180 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48
    2011/06/07 13:38:32.0006 6180 ================================================================================
    2011/06/07 13:38:32.0006 6180 SystemInfo:
    2011/06/07 13:38:32.0006 6180
    2011/06/07 13:38:32.0006 6180 OS Version: 6.0.6002 ServicePack: 2.0
    2011/06/07 13:38:32.0006 6180 Product type: Workstation
    2011/06/07 13:38:32.0006 6180 ComputerName: POS
    2011/06/07 13:38:32.0006 6180 UserName: Khrod Kat
    2011/06/07 13:38:32.0006 6180 Windows directory: C:\Windows
    2011/06/07 13:38:32.0006 6180 System windows directory: C:\Windows
    2011/06/07 13:38:32.0006 6180 Processor architecture: Intel x86
    2011/06/07 13:38:32.0006 6180 Number of processors: 2
    2011/06/07 13:38:32.0006 6180 Page size: 0x1000
    2011/06/07 13:38:32.0006 6180 Boot type: Normal boot
    2011/06/07 13:38:32.0006 6180 ================================================================================
    2011/06/07 13:38:32.0583 6180 Initialize success
    2011/06/07 13:38:36.0327 6268 ================================================================================
    2011/06/07 13:38:36.0327 6268 Scan started
    2011/06/07 13:38:36.0327 6268 Mode: Manual;
    2011/06/07 13:38:36.0327 6268 ================================================================================
    2011/06/07 13:38:36.0717 6268 ac97intc (4b56caafed0b0b996341d74ce0e76565) C:\Windows\system32\drivers\ac97intc.sys
    2011/06/07 13:38:36.0795 6268 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
    2011/06/07 13:38:36.0857 6268 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
    2011/06/07 13:38:36.0920 6268 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
    2011/06/07 13:38:37.0076 6268 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
    2011/06/07 13:38:37.0107 6268 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
    2011/06/07 13:38:37.0201 6268 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\Windows\system32\drivers\Afc.sys
    2011/06/07 13:38:37.0247 6268 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
    2011/06/07 13:38:37.0357 6268 AgereSoftModem (2e3abaacbf547abbb5e73a504a56d05a) C:\Windows\system32\DRIVERS\AGRSM.sys
    2011/06/07 13:38:37.0497 6268 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
    2011/06/07 13:38:37.0544 6268 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
    2011/06/07 13:38:37.0575 6268 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
    2011/06/07 13:38:37.0762 6268 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
    2011/06/07 13:38:37.0778 6268 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
    2011/06/07 13:38:37.0825 6268 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
    2011/06/07 13:38:37.0871 6268 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
    2011/06/07 13:38:38.0027 6268 amdkmdag (19529728442d4794b96d1b8a9a63eca1) C:\Windows\system32\DRIVERS\atikmdag.sys
    2011/06/07 13:38:38.0199 6268 amdkmdap (b44737ff566b5888d15fdb66849f34e5) C:\Windows\system32\DRIVERS\atikmpag.sys
    2011/06/07 13:38:38.0324 6268 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
    2011/06/07 13:38:38.0417 6268 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
    2011/06/07 13:38:38.0480 6268 ASPI (e54e27976e2c5a6465d44c10b1d87ac0) C:\Windows\System32\DRIVERS\ASPI32.sys
    2011/06/07 13:38:38.0527 6268 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
    2011/06/07 13:38:38.0558 6268 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
    2011/06/07 13:38:38.0698 6268 AtiHdmiService (d7672d90ef03d0e2efdb02df5045a359) C:\Windows\system32\drivers\AtiHdmi.sys
    2011/06/07 13:38:38.0792 6268 atitray (6cceb2cb70eaf24df999ebf1dea67ea9) C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys
    2011/06/07 13:38:38.0870 6268 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\Windows\system32\DRIVERS\avgntflt.sys
    2011/06/07 13:38:38.0963 6268 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\Windows\system32\DRIVERS\avipbb.sys
    2011/06/07 13:38:39.0010 6268 bcm4sbxp (08015d34f6fdd0b355805bad978497c3) C:\Windows\system32\DRIVERS\bcm4sbxp.sys
    2011/06/07 13:38:39.0073 6268 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
    2011/06/07 13:38:39.0151 6268 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
    2011/06/07 13:38:39.0244 6268 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
    2011/06/07 13:38:39.0275 6268 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
    2011/06/07 13:38:39.0322 6268 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
    2011/06/07 13:38:39.0353 6268 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
    2011/06/07 13:38:39.0369 6268 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
    2011/06/07 13:38:39.0400 6268 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
    2011/06/07 13:38:39.0431 6268 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
    2011/06/07 13:38:39.0525 6268 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
    2011/06/07 13:38:39.0634 6268 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
    2011/06/07 13:38:39.0681 6268 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
    2011/06/07 13:38:39.0728 6268 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
    2011/06/07 13:38:39.0790 6268 CmBatt (0fed59edb4a83ff17f1778827b88ab1a) C:\Windows\system32\DRIVERS\CmBatt.sys
    2011/06/07 13:38:39.0821 6268 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
    2011/06/07 13:38:39.0946 6268 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
    2011/06/07 13:38:39.0977 6268 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
    2011/06/07 13:38:40.0040 6268 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
    2011/06/07 13:38:40.0118 6268 CT20XUT (b9106942eb5dd0e034ab40a9d48d056e) C:\Windows\system32\drivers\CT20XUT.SYS
    2011/06/07 13:38:40.0243 6268 CT20XUT.SYS (b9106942eb5dd0e034ab40a9d48d056e) C:\Windows\System32\drivers\CT20XUT.SYS
    2011/06/07 13:38:40.0289 6268 ctac32k (f2b1d0a3d21bd0d9f46457cbcec1a0e9) C:\Windows\system32\drivers\ctac32k.sys
    2011/06/07 13:38:40.0336 6268 ctaud2k (44f60a5e3c3a8a6bba4c280948ea6095) C:\Windows\system32\drivers\ctaud2k.sys
    2011/06/07 13:38:40.0430 6268 ctdvda2k (8cbe82d6bbf206e144f22cb33fab1f2c) C:\Windows\system32\drivers\ctdvda2k.sys
    2011/06/07 13:38:40.0711 6268 CTEXFIFX (4ae083d16ac9fc9bdf98498f93426226) C:\Windows\system32\drivers\CTEXFIFX.SYS
    2011/06/07 13:38:40.0789 6268 CTEXFIFX.SYS (4ae083d16ac9fc9bdf98498f93426226) C:\Windows\System32\drivers\CTEXFIFX.SYS
    2011/06/07 13:38:40.0820 6268 CTHWIUT (b610bfe02f9fc0cb0b1cde3ec4c13ffa) C:\Windows\system32\drivers\CTHWIUT.SYS
    2011/06/07 13:38:40.0867 6268 CTHWIUT.SYS (b610bfe02f9fc0cb0b1cde3ec4c13ffa) C:\Windows\System32\drivers\CTHWIUT.SYS
    2011/06/07 13:38:40.0898 6268 ctprxy2k (f0f19a13c948e5289601e354b08e0941) C:\Windows\system32\drivers\ctprxy2k.sys
    2011/06/07 13:38:40.0991 6268 ctsfm2k (c7b2c36a6203a5f3d0a378fd78c5ddd6) C:\Windows\system32\drivers\ctsfm2k.sys
    2011/06/07 13:38:41.0054 6268 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
    2011/06/07 13:38:41.0132 6268 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
    2011/06/07 13:38:41.0241 6268 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
    2011/06/07 13:38:41.0350 6268 dvd43llh (1fc1eed3ea0c3a0ecf8a95b97e1b4831) C:\Windows\system32\DRIVERS\dvd43llh.sys
    2011/06/07 13:38:41.0397 6268 dvdmmg (a29d99d10e57ece72b551d788c7d885b) C:\Windows\system32\drivers\dvdmmg.sys
    2011/06/07 13:38:41.0553 6268 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
    2011/06/07 13:38:41.0647 6268 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
    2011/06/07 13:38:41.0740 6268 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
    2011/06/07 13:38:41.0803 6268 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
    2011/06/07 13:38:41.0865 6268 emupia (fb2d6d4d14ae801f5267b0368fc0cb0c) C:\Windows\system32\drivers\emupia2k.sys
    2011/06/07 13:38:41.0927 6268 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
    2011/06/07 13:38:42.0037 6268 ezplay (73e701e0fa4d2fc7d22efceff276c50a) C:\Windows\system32\Drivers\ezplay.sys
    2011/06/07 13:38:42.0068 6268 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
    2011/06/07 13:38:42.0115 6268 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
    2011/06/07 13:38:42.0208 6268 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
    2011/06/07 13:38:42.0255 6268 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
    2011/06/07 13:38:42.0317 6268 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
    2011/06/07 13:38:42.0364 6268 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
    2011/06/07 13:38:42.0442 6268 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
    2011/06/07 13:38:42.0505 6268 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
    2011/06/07 13:38:42.0707 6268 ha20x2k (7ff1ced1201c169a783b0e81cc561fba) C:\Windows\system32\drivers\ha20x2k.sys
    2011/06/07 13:38:42.0770 6268 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
    2011/06/07 13:38:42.0832 6268 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
    2011/06/07 13:38:42.0879 6268 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
    2011/06/07 13:38:42.0941 6268 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
    2011/06/07 13:38:42.0988 6268 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
    2011/06/07 13:38:43.0019 6268 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
    2011/06/07 13:38:43.0066 6268 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
    2011/06/07 13:38:43.0113 6268 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
    2011/06/07 13:38:43.0160 6268 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
    2011/06/07 13:38:43.0238 6268 ialm (8318e04a6455ced1020bcc5039b62cfa) C:\Windows\system32\DRIVERS\ialmnt5.sys
    2011/06/07 13:38:43.0331 6268 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
    2011/06/07 13:38:43.0363 6268 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
    2011/06/07 13:38:43.0425 6268 imhidusb (0836f03aa73ee78f1c884c4e9211aa72) C:\Windows\system32\DRIVERS\imhidusb.sys
    2011/06/07 13:38:43.0487 6268 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
    2011/06/07 13:38:43.0519 6268 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
    2011/06/07 13:38:43.0565 6268 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
    2011/06/07 13:38:43.0628 6268 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
    2011/06/07 13:38:43.0721 6268 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
    2011/06/07 13:38:43.0768 6268 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
    2011/06/07 13:38:43.0815 6268 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
    2011/06/07 13:38:43.0862 6268 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
    2011/06/07 13:38:43.0893 6268 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
    2011/06/07 13:38:43.0971 6268 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
    2011/06/07 13:38:44.0018 6268 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
    2011/06/07 13:38:44.0049 6268 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
    2011/06/07 13:38:44.0111 6268 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
    2011/06/07 13:38:44.0174 6268 L8042Kbd (0c6e346cde730cf1356dd69ad6e9bc42) C:\Windows\system32\DRIVERS\L8042Kbd.sys
    2011/06/07 13:38:44.0283 6268 L8042mou (8a5993705add14352c9a279fa8338334) C:\Windows\system32\DRIVERS\L8042mou.Sys
    2011/06/07 13:38:44.0377 6268 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\Windows\system32\DRIVERS\LHidFilt.Sys
    2011/06/07 13:38:44.0408 6268 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
    2011/06/07 13:38:44.0470 6268 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\Windows\system32\DRIVERS\LMouFilt.Sys
    2011/06/07 13:38:44.0564 6268 LMouKE (9837e55673818ecd8febb47f7f77521a) C:\Windows\system32\DRIVERS\LMouKE.Sys
    2011/06/07 13:38:44.0611 6268 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
    2011/06/07 13:38:44.0642 6268 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
    2011/06/07 13:38:44.0673 6268 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
    2011/06/07 13:38:44.0720 6268 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
    2011/06/07 13:38:44.0767 6268 LUsbFilt (77030525cd86a93f1af34fa9b96d33ce) C:\Windows\system32\Drivers\LUsbFilt.Sys
    2011/06/07 13:38:44.0798 6268 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
    2011/06/07 13:38:44.0907 6268 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
    2011/06/07 13:38:44.0938 6268 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
    2011/06/07 13:38:44.0985 6268 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
    2011/06/07 13:38:45.0016 6268 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
    2011/06/07 13:38:45.0063 6268 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
    2011/06/07 13:38:45.0125 6268 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\Windows\system32\DRIVERS\MpFilter.sys
    2011/06/07 13:38:45.0219 6268 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
    2011/06/07 13:38:45.0874 6268 MpNWMon (f32e2d6a1640a469a9ed4f1929a4a861) C:\Windows\system32\DRIVERS\MpNWMon.sys
    2011/06/07 13:38:45.0921 6268 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
    2011/06/07 13:38:45.0983 6268 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
    2011/06/07 13:38:46.0015 6268 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
    2011/06/07 13:38:46.0077 6268 mrxsmb (5fe5cf325f5b02ebc60832d3440cb414) C:\Windows\system32\DRIVERS\mrxsmb.sys
    2011/06/07 13:38:46.0155 6268 mrxsmb10 (30b9c769446af379a2afb72b0392604d) C:\Windows\system32\DRIVERS\mrxsmb10.sys
    2011/06/07 13:38:46.0217 6268 mrxsmb20 (fea239b3ec4877e2b7e23204af589ddf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
    2011/06/07 13:38:46.0233 6268 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
    2011/06/07 13:38:46.0264 6268 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
    2011/06/07 13:38:46.0327 6268 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
    2011/06/07 13:38:46.0373 6268 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
    2011/06/07 13:38:46.0420 6268 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
    2011/06/07 13:38:46.0529 6268 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
    2011/06/07 13:38:46.0545 6268 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
    2011/06/07 13:38:46.0607 6268 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
    2011/06/07 13:38:46.0639 6268 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
    2011/06/07 13:38:46.0670 6268 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
    2011/06/07 13:38:46.0701 6268 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
    2011/06/07 13:38:46.0748 6268 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
    2011/06/07 13:38:46.0857 6268 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
    2011/06/07 13:38:46.0919 6268 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
    2011/06/07 13:38:46.0951 6268 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
    2011/06/07 13:38:46.0982 6268 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
    2011/06/07 13:38:47.0029 6268 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
    2011/06/07 13:38:47.0044 6268 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
    2011/06/07 13:38:47.0153 6268 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
    2011/06/07 13:38:47.0231 6268 netr73 (2dd6bb85c8bdae6116565ab5beca4f7c) C:\Windows\system32\DRIVERS\netr73.sys
    2011/06/07 13:38:47.0325 6268 NETw2v32 (6e9edc1020b319e7676387b8cdf2398c) C:\Windows\system32\DRIVERS\NETw2v32.sys
    2011/06/07 13:38:47.0450 6268 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
    2011/06/07 13:38:47.0512 6268 NisDrv (17e2c08c5ecfbe94a7c67b1c275ee9d9) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
    2011/06/07 13:38:47.0575 6268 NPF (b9730495e0cf674680121e34bd95a73b) C:\Windows\system32\drivers\npf.sys
    2011/06/07 13:38:47.0606 6268 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
    2011/06/07 13:38:47.0668 6268 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
    2011/06/07 13:38:47.0777 6268 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
    2011/06/07 13:38:47.0840 6268 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
    2011/06/07 13:38:47.0887 6268 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
    2011/06/07 13:38:47.0933 6268 NVENETFD (1efec38a852ab35883bfff3427b92b3f) C:\Windows\system32\DRIVERS\nvmfdx32.sys
    2011/06/07 13:38:47.0965 6268 NVNET (1efec38a852ab35883bfff3427b92b3f) C:\Windows\system32\DRIVERS\nvmfdx32.sys
    2011/06/07 13:38:48.0105 6268 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
    2011/06/07 13:38:48.0136 6268 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
    2011/06/07 13:38:48.0167 6268 nvstor32 (8ee374b6fb3cb2bb8d70395218b464a5) C:\Windows\system32\DRIVERS\nvstor32.sys
    2011/06/07 13:38:48.0230 6268 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
    2011/06/07 13:38:48.0308 6268 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\DRIVERS\ohci1394.sys
    2011/06/07 13:38:48.0355 6268 ossrv (ac5bf1a610effaae9cfc48cb53483f08) C:\Windows\system32\drivers\ctoss2k.sys
    2011/06/07 13:38:48.0401 6268 papycpu (2f886a56d520f872e7e4ba9423a9b07b) C:\Windows\system32\drivers\papycpu.sys
    2011/06/07 13:38:48.0511 6268 papycpu2 (b2fce3df242eaaa317fa2e4946d26a03) C:\Windows\System32\DRIVERS\papycpu2.sys
    2011/06/07 13:38:48.0542 6268 papyjoy (f7a2e22cad3843cd8e4648ae61e7cc06) C:\Windows\System32\DRIVERS\papyjoy.sys
    2011/06/07 13:38:48.0589 6268 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
    2011/06/07 13:38:48.0635 6268 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
    2011/06/07 13:38:48.0667 6268 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
    2011/06/07 13:38:48.0698 6268 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
    2011/06/07 13:38:48.0729 6268 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
    2011/06/07 13:38:48.0776 6268 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\DRIVERS\pcmcia.sys
    2011/06/07 13:38:48.0885 6268 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\Windows\system32\Drivers\pcouffin.sys
    2011/06/07 13:38:48.0932 6268 PCTAppEvent (cc174f32cc9c18ea3109c4b0fc2ca8df) C:\Windows\system32\drivers\PCTAppEvent.sys
    2011/06/07 13:38:48.0979 6268 PCTFW-PacketFilter (4a7ef973fcd9c6cad6040ebb61262a5c) C:\Windows\system32\drivers\pctNdis-PacketFilter.sys
    2011/06/07 13:38:49.0010 6268 pctgntdi (39e8623f9f29dbc9e053a696d85f8ac6) C:\WINDOWS\System32\drivers\pctgntdi.sys
    2011/06/07 13:38:49.0057 6268 pctNDIS (8bbe917bc4da64b0ba8db33d4c0e0b7d) C:\Windows\system32\DRIVERS\pctNdis.sys
    2011/06/07 13:38:49.0103 6268 pctplfw (6d74df36716a458619a62dd764fc4f8b) C:\WINDOWS\System32\drivers\pctplfw.sys
    2011/06/07 13:38:49.0213 6268 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
    2011/06/07 13:38:49.0353 6268 Point32 (420336f91eb745811cf130c80ede0653) C:\Windows\system32\DRIVERS\point32.sys
    2011/06/07 13:38:49.0415 6268 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
    2011/06/07 13:38:49.0431 6268 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
    2011/06/07 13:38:49.0493 6268 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
    2011/06/07 13:38:49.0556 6268 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
    2011/06/07 13:38:49.0587 6268 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
    2011/06/07 13:38:49.0649 6268 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
    2011/06/07 13:38:49.0681 6268 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
    2011/06/07 13:38:49.0727 6268 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
    2011/06/07 13:38:49.0759 6268 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
    2011/06/07 13:38:49.0790 6268 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
    2011/06/07 13:38:49.0899 6268 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
    2011/06/07 13:38:49.0930 6268 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
    2011/06/07 13:38:49.0977 6268 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
    2011/06/07 13:38:50.0039 6268 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
    2011/06/07 13:38:50.0086 6268 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
    2011/06/07 13:38:50.0164 6268 RivaTuner32 (c0c8909be3ecc9df8089112bf9be954e) C:\Program Files\RivaTuner v2.24 MSI Master Overclocking Arena 2009 edition\RivaTuner32.sys
    2011/06/07 13:38:50.0258 6268 RMCAST (eec7ee5675294b03e88aa868540007c1) C:\Windows\system32\DRIVERS\RMCAST.sys
    2011/06/07 13:38:50.0320 6268 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
    2011/06/07 13:38:50.0383 6268 rxpvbus (d6b23dfd46a1aee5ca6645fc4591df9b) C:\Windows\system32\DRIVERS\rxpvbus.sys
    2011/06/07 13:38:50.0429 6268 SaiClass (dd3bba364c3b89ccb1fd8fd427c7b37f) C:\Windows\system32\drivers\SaiNtBus.sys
    2011/06/07 13:38:50.0476 6268 SaiHFF04 (a0992e358585f9afe1b801eaf6e611bd) C:\Windows\system32\DRIVERS\SaiHFF04.sys
    2011/06/07 13:38:50.0554 6268 SaiIFF04 (6e0015d8bd138c6b4430d249b55733fa) C:\Windows\system32\DRIVERS\SaiIFF04.sys
    2011/06/07 13:38:50.0585 6268 SaiMini (20a15c1468f8961aa5e62966c38cb9e8) C:\Windows\system32\DRIVERS\SaiMini.sys
    2011/06/07 13:38:50.0601 6268 SaiNtHid (a007103ef0e50fb0e0ed08b511d721d7) C:\Windows\system32\DRIVERS\SaiNtHid.sys
    2011/06/07 13:38:50.0648 6268 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
    2011/06/07 13:38:50.0710 6268 sdbus (4339a2585708c7d9b0c0ce5aad3dd6ff) C:\Windows\system32\DRIVERS\sdbus.sys
    2011/06/07 13:38:50.0741 6268 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
    2011/06/07 13:38:50.0804 6268 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
    2011/06/07 13:38:50.0819 6268 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
    2011/06/07 13:38:50.0851 6268 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
    2011/06/07 13:38:50.0929 6268 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
    2011/06/07 13:38:50.0944 6268 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
    2011/06/07 13:38:50.0975 6268 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
    2011/06/07 13:38:51.0007 6268 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
    2011/06/07 13:38:51.0038 6268 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
    2011/06/07 13:38:51.0053 6268 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
    2011/06/07 13:38:51.0085 6268 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
    2011/06/07 13:38:51.0147 6268 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
    2011/06/07 13:38:51.0225 6268 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
    2011/06/07 13:38:51.0365 6268 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
    2011/06/07 13:38:51.0365 6268 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    2011/06/07 13:38:51.0365 6268 sptd - detected LockedFile.Multi.Generic (1)
    2011/06/07 13:38:51.0428 6268 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
    2011/06/07 13:38:51.0475 6268 srv2 (a5940ca32ed206f90be9fabdf6e92de4) C:\Windows\system32\DRIVERS\srv2.sys
    2011/06/07 13:38:51.0506 6268 srvnet (37aa1d560d5fa486c4b11c2f276ada61) C:\Windows\system32\DRIVERS\srvnet.sys
    2011/06/07 13:38:51.0553 6268 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\Windows\system32\DRIVERS\ssmdrv.sys
    2011/06/07 13:38:51.0662 6268 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
    2011/06/07 13:38:51.0709 6268 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
    2011/06/07 13:38:51.0787 6268 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
    2011/06/07 13:38:51.0802 6268 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
    2011/06/07 13:38:51.0880 6268 Tcpip (6a10afce0b38371064be41c1fbfd3c6b) C:\Windows\system32\drivers\tcpip.sys
    2011/06/07 13:38:51.0943 6268 Tcpip6 (6a10afce0b38371064be41c1fbfd3c6b) C:\Windows\system32\DRIVERS\tcpip.sys
    2011/06/07 13:38:51.0989 6268 tcpipreg (9bf343f4c878d6ad6922b2c5a4fefe0d) C:\Windows\system32\drivers\tcpipreg.sys
    2011/06/07 13:38:52.0036 6268 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
    2011/06/07 13:38:52.0067 6268 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
    2011/06/07 13:38:52.0161 6268 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
    2011/06/07 13:38:52.0208 6268 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
    2011/06/07 13:38:52.0270 6268 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
    2011/06/07 13:38:52.0317 6268 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
    2011/06/07 13:38:52.0348 6268 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
    2011/06/07 13:38:52.0395 6268 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
    2011/06/07 13:38:52.0442 6268 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
    2011/06/07 13:38:52.0535 6268 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
    2011/06/07 13:38:52.0567 6268 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
    2011/06/07 13:38:52.0598 6268 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
    2011/06/07 13:38:52.0629 6268 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
    2011/06/07 13:38:52.0676 6268 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
    2011/06/07 13:38:52.0754 6268 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
    2011/06/07 13:38:52.0801 6268 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
    2011/06/07 13:38:52.0832 6268 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
    2011/06/07 13:38:52.0957 6268 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
    2011/06/07 13:38:52.0988 6268 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
    2011/06/07 13:38:53.0019 6268 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
    2011/06/07 13:38:53.0050 6268 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
    2011/06/07 13:38:53.0081 6268 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
    2011/06/07 13:38:53.0128 6268 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
    2011/06/07 13:38:53.0206 6268 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
    2011/06/07 13:38:53.0253 6268 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
    2011/06/07 13:38:53.0300 6268 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
    2011/06/07 13:38:53.0347 6268 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
    2011/06/07 13:38:53.0362 6268 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
    2011/06/07 13:38:53.0393 6268 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
    2011/06/07 13:38:53.0425 6268 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
    2011/06/07 13:38:53.0487 6268 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
    2011/06/07 13:38:53.0518 6268 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
    2011/06/07 13:38:53.0565 6268 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
    2011/06/07 13:38:53.0674 6268 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
    2011/06/07 13:38:53.0721 6268 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    2011/06/07 13:38:53.0752 6268 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
    2011/06/07 13:38:53.0783 6268 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
    2011/06/07 13:38:53.0846 6268 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
    2011/06/07 13:38:54.0002 6268 WmFilter (19f9881d8b3484fedb605d0216876898) C:\Windows\system32\drivers\WmFilter.sys
    2011/06/07 13:38:54.0080 6268 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
    2011/06/07 13:38:54.0158 6268 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
    2011/06/07 13:38:54.0251 6268 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
    2011/06/07 13:38:54.0298 6268 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
    2011/06/07 13:38:54.0314 6268 ================================================================================
    2011/06/07 13:38:54.0314 6268 Scan finished
    2011/06/07 13:38:54.0314 6268 ================================================================================
    2011/06/07 13:38:54.0329 6252 Detected object count: 1
    2011/06/07 13:38:54.0329 6252 Actual detected object count: 1
    2011/06/07 13:41:48.0754 6252 HKLM\SYSTEM\ControlSet001\services\sptd - will be deleted after reboot
    2011/06/07 13:41:48.0785 6252 HKLM\SYSTEM\ControlSet003\services\sptd - will be deleted after reboot
    2011/06/07 13:41:48.0785 6252 C:\Windows\system32\Drivers\sptd.sys - will be deleted after reboot
    2011/06/07 13:41:48.0785 6252 LockedFile.Multi.Generic(sptd) - User select action: Delete
    2011/06/07 13:41:57.0630 6172 Deinitialize success

    //////////////
    FWIW, sptd is a "sata pass through driver" apparently left from a Daemon Tools install; don't recall the project, but I never deciphered what I was to do with that software so removed it ages ago.
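The TDSSKiller log above scatters the facts about one object across several lines: the driver line with its MD5 and path, the "Suspicious file" line, the "detected" verdict, and the post-scan "will be deleted after reboot" and "User select action" lines. As an added example, not part of this thread and not code from TDSSKiller, here is a small Python parser that pulls those lines back together into one record per detection. The line patterns are inferred from the log as posted and are an assumption, not the tool's documented format; the sample input is a handful of lines copied from that log. It also lists images loaded under more than one service name (Tcpip/Tcpip6 here), since a shared hash is normal for those pairs and is context for triage rather than a finding by itself.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the TDSSKiller log posted above (only a
# handful of the several hundred lines, enough to show each record type).
SAMPLE_LOG = r"""
2011/06/07 13:38:51.0225 6268 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/06/07 13:38:51.0365 6268 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
2011/06/07 13:38:51.0365 6268 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/06/07 13:38:51.0365 6268 sptd - detected LockedFile.Multi.Generic (1)
2011/06/07 13:38:51.0880 6268 Tcpip (6a10afce0b38371064be41c1fbfd3c6b) C:\Windows\system32\drivers\tcpip.sys
2011/06/07 13:38:51.0943 6268 Tcpip6 (6a10afce0b38371064be41c1fbfd3c6b) C:\Windows\system32\DRIVERS\tcpip.sys
2011/06/07 13:38:54.0298 6268 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
2011/06/07 13:38:54.0314 6268 Scan finished
2011/06/07 13:41:48.0785 6252 C:\Windows\system32\Drivers\sptd.sys - will be deleted after reboot
2011/06/07 13:41:48.0785 6252 LockedFile.Multi.Generic(sptd) - User select action: Delete
"""

# Every line starts with a timestamp and the id of the thread that wrote it.
_PREFIX = re.compile(r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
# Message patterns inferred from the posted log (an assumption, not a documented format).
_SUSPICIOUS = re.compile(r"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
_DETECTED = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>\S+) \((?P<count>\d+)\)$")
_PENDING = re.compile(r"^(?P<target>.+) - will be deleted after reboot$")
_USER_ACTION = re.compile(r"^(?P<verdict>[^(]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\S+)$")
_OBJECT = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Order matters: the specific patterns go before the generic "name (md5) path" one.
_KINDS = (("suspicious", _SUSPICIOUS), ("detections", _DETECTED),
          ("pending_deletions", _PENDING), ("user_actions", _USER_ACTION),
          ("objects", _OBJECT))


def parse_tdsskiller(text):
    """Sort each log line into one of the record kinds above; unknown lines go to 'other'."""
    report = {kind: [] for kind, _ in _KINDS}
    report["other"] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = _PREFIX.match(line)
        if not head:
            report["other"].append(line)
            continue
        msg = head.group("msg")
        for kind, rx in _KINDS:
            m = rx.match(msg)
            if m:
                rec = m.groupdict()
                rec["ts"] = head.group("ts")
                report[kind].append(rec)
                break
        else:
            report["other"].append(msg)
    return report


def triage(report):
    """Join the scattered lines about one object into a single record per detection."""
    by_name = {}
    for obj in report["objects"]:
        by_name.setdefault(obj["name"], obj)  # first sighting wins
    findings = []
    for det in report["detections"]:
        obj = by_name.get(det["name"], {})
        md5, path = obj.get("md5"), obj.get("path", "")
        findings.append({
            "name": det["name"],
            "verdict": det["verdict"],
            "md5": md5,
            "path": path or None,
            # Why the scanner could not read the file, if it said so.
            "locked_reason": next((s["reason"] for s in report["suspicious"] if s["md5"] == md5), None),
            # Paths differ only in case between lines, so compare case-insensitively.
            "pending_deletion": any(p["target"].lower() == path.lower()
                                    for p in report["pending_deletions"]) if path else False,
            "user_action": next((u["action"] for u in report["user_actions"] if u["name"] == det["name"]), None),
        })
    return findings


def shared_images(report):
    """Map each MD5 loaded under more than one service name to those names (sorted)."""
    names = defaultdict(set)
    for obj in report["objects"]:
        names[obj["md5"]].add(obj["name"])
    return {md5: sorted(n) for md5, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    rep = parse_tdsskiller(SAMPLE_LOG)
    for finding in triage(rep):
        print(finding)
    print("shared images:", shared_images(rep))
```

Run on the sample, the one finding is sptd: verdict LockedFile.Multi.Generic, locked because of NoAccess, its file queued for deletion at reboot, user action Delete. On a full log of this kind, the same join tells you at a glance which detections were acted on and which were only reported.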
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you for setting me straight on the lack of firewall in MSE. Settings usually suggest the Windows Firewall being enabled.

    Did you intentionally install a keylogger on the system in 2009?
     
  12. jgf

    jgf TS Rookie Topic Starter Posts: 31

    I don't even know what a keylogger is. Bought this PC from a neighbor in '08, deleted everything but the OS, full malware scans, repartitioned, new vid card, PS (necessary for the vid card), and sound card. (Had I known what a POS Vista would be, I'd also have deleted it in favor of XP Pro.)

    //////////////
    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6427
    # api_version=3.0.2
    # EOSSerial=f27a4def0092804aaeeb9d3daeab7c71
    # end=finished
    # remove_checked=true
    # archives_checked=true
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2011-06-09 10:21:35
    # local_time=2011-06-09 06:21:35 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=1033
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 20450802 20450802 0 0
    # compatibility_mode=1797 16775165 100 94 803797 43993263 2251885 0
    # compatibility_mode=2560 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776574 100 100 33716056 144197291 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=1152143
    # found=10
    # cleaned=10
    # scan_time=25132
    C:\Documents and Settings\All Users\Spybot - Search & Destroy\Recovery\WinAgentws1.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Khrod Kat\Desktop\frostwire-4.21.5.windows.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Khrod Kat\Desktop\sdac.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Khrod Kat\Desktop\zfdc.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Khrod Kat\Desktop\Knights & Merchants\Knights & Merchants.zip a variant of Win32/Packed.PECrypt32.A application (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Documents and Settings\Khrod Kat\Desktop\_DL\shock\SYSTEMSHOCK-Portable-v1.2.7z Win32/PrcView application (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Program Files\AV DVD Player Morpher\DealioKit1-stub-0.exe Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Qoobox\Quarantine\C\ProgramData\defender.exe.vir a variant of Win32/Kryptik.OSZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\WINDOWS\System32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\72a60c26-35a3f629 a variant of Win32/Kryptik.ORD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    J:\dvd_dl\dvd_player_morpher_aff.exe Win32/Adware.Toolbar.Dealio application (deleted - quarantined) 00000000000000000000000000000000 C


    ////////////////////////

    I can account for most of the items ESET found (after approximately seven hours scanning):
    the item in AV DVD Player Morpher is an optional toolbar install, as is the OpenCandy item in frostwire (never installed, leery of its source; OpenCandy often triggers AV alerts in cnet d/l's); the item in Spybot I assume is their own signature file or a previously quarantined item; the item in Knights&Merchants is curious, Avira also detects it but in VirusTotal Avira was the only one to detect it; and PrcView is a valid program that can be used for nefarious purposes (of no concern here since it supposedly doesn't work on any windows past XP).

    That leaves: sdac.exe and zfdc.exe (there are no hidden files on this system, these were NOT on the desktop), the former is, according to a quick net search, a Sun Desktop utility about which I know nothing, the latter a disc copy utility I never used (d/l'd to desktop, virus scanned, and moved to a "storage" folder ...deleted weeks ago); the Kryptik items, one in a folder left by Combofix, the other buried several levels in a Sun Java directory, are the unknowns here - neither Avira, Malwarebytes, Spybot, MSE, Ad-Aware, nor a Kaspersky online scan saw those.

    FWIW, since running the TDSKiller I've not experienced the problems which initiated this thread; but since we're already knee deep in this we might as well make certain nothing else is lurking on this system.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    A keylogger actually logs every key you type. That means passwords, bank information, personal information> anything typed on the keyboard. The entry I see is:
    c:\windows\iun6002.exe. It was created 2009-06-24 06:56 by Spyware.DsktopSurveil which logs keystrokes, program use, and captures screenshots. It can run in hidden mode. It shows 737280 entries or processes of some kind.

    This is described as "desktop surveillance." A few people intentionally use a keylogger if, for some reason, they need a record of what is typed. The date of the entry is 2009 which means it got on or was put on after you got it from your neighbor.
    =======================================
    Eset entries: Some of the infected files are in the Java cache so it will need to be emptied:
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply> OK on Temporary Files Settings window.
    Images courtesy java.com
    ==================================================
    The directions for the Eset scan clearly say
    "Uncheck 'Remove found threats'" with a screen shot right above it. Maybe that doesn't make sense to you but there is a reason for it. I would have used a special cleaning program that not only removed those particular files, but associated files and temporary internet.
    ================================================
    You didn't need to explain all the entries in the Eset log. That's my job and I will act on what I see and confirm. I'm not out to pass any judgement on you- just to try to find and remove malware entries. Please be assured that I know what the Qoobox is, that I know what the Sun Java entries are, that I will instruct you based on my best information and judgement.
    ====================================================
    Some sources of infection:
    1. J Drive> What is that?
    2. Dealio app which is usually a toolbar.
    3. Frostwire.
    ====================================================
  14. jgf

    jgf TS Rookie Topic Starter Posts: 31

    Didn't mean to second guess procedures here, just thought I might head off some questions and streamline our dialog.

    Looked at the iun6002.exe; it shows a filedate of 5/12/2011 and the popup identifies it as "SUF60Runtime" from "Indigo Rose Corp" (no luck researching that, the first page of results listed half a dozen different sites vending everything from sewing supplies to software ...though one of the software products is an install program, that's certainly suspect to me). From your description I see no need for this, or any, keyloggers on my system. I've renamed the file, give the word and it will disappear.

    I know little of Java so had left its CP settings untouched; but the cache should now be clear.

    Running ESET, I just d/l'd and ran it with default settings.

    On my system, the C drive is a partition just for windows and software that insists on being installed there, D is the Vista recover partition, E is DVD, F G H and I are card readers (only use the one for my camera card, don't even know what the others are for), J and L are partitions containing applications, games, and storage (K is the data stick, when plugged in).

    I've forgotten what application contained the Dealio, but I didn't let it install the toolbar.

    Frostwire was never installed; while recommended as a replacement for Limewire, I could never find any reliable information about it ...but did hear of some malicious software using the same name. (FWIW, I'm trying to save the trouble of recording literally hundreds of 45rpm singles into my computer ...these date from my high school years ...when 8-track tapes were still a commercial product.) The file was d/l'd, AV scanned, then stuck in a holding directory while I researched it ...and forgotten. Now deleted.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    ===============================================
    I am trying to assist you in making you aware of malware source and location. It is not necessary for you to explain these entries, I know what they are for or from. I can only go by the entries I see- if I see them, they are on the system. Since the issue has been resolved and since you can account for all the entries:

    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    -----
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
      • Choose Disc Cleanup
      • Click "OK" to select the partition or drive you want.
      • Click the "More Options" Tab.
      • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
  16. jgf

    jgf TS Rookie Topic Starter Posts: 31

    My apologies; I thought the more information I provided the easier your job became. For example the fact that Frostwire was never installed but merely d/l'd and kept in a "holding tank".

    Combofix uninstalled and OTC did its thing.

    I am fanatic about restore points, creating them before any installs, updates, or upgrades; and a new one each week after the full av scans. My problem is remembering to remove the older ones before they consume too much HD real estate. But I am now down to the most recent only. Hopefully this system is now clean; compared to others, I can't complain, in twenty years this is only the fourth time anything has gotten past my AV defences. Thank you for the assistance and information; ESET will remain on my system, not active but for a periodic scan.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    What you need to know is that Java puts out frequent updates. They are usually for security, so any old versions kept on the system are vulnerabilities. Unfortunately, Java hasn't learned how to overwrite the older version, so the user must go into Add/Remove Programs and uninstall it.

    I have a setting recommendation about the Java files:
    Control Panel> Java> Temporary Internet Files> Settings> Uncheck 'Keep temporary files on my computer'> Disc Space> Move the slider all the way to the left so as not to save disc space for these temporary files> Click on OK> Apply> OK

    Being a 'fanatic' about restore points is a good thing! Many don't understand their purpose and importance. I open more logs with "No" restore points than those with them. They are especially important in a malware situation- the system can become so corrupted that sometimes, the only way in is through a restore point. And frankly, a restore point has saved my a.. more than once!

    One user thought that every time the computer started up it was from a restore point! It took many posts to make him understand that restore points are "user invoked", not startup points.

    About Frostwire- again, you didn't have to download it. But you did download from Frostwire and got malware with it. Was it worth it?

    If it's not an imposition, I would feel more comfortable letting you go if you did an update and rescanned with Eset Online Virus scanner. I'd like to make sure all the files associated with the malware are gone. Please follow the instructions to Uncheck 'Remove found threats'. This is clearly stated in the instructions and you were not told to run it with the default settings.

    If Eset finds any other entries, I'll follow with the removal program and it will be clear to you why we handle it this way.
  18. jgf

    jgf TS Rookie Topic Starter Posts: 31

    Java changes made (the slider had to be moved first since unchecking the option greys out the rest of the page).

    With Frostwire, I was under the impression there'd be no problem with such software as long as I didn't actually run it. Avira cleared this during d/l and it sat forgotten on my HD for weeks, long enough that not only Avira but MSE, Malwarebytes, and Spybot must have scanned it a dozen times, not to mention a Kaspersky online scan.

    No problem running ESET again. Don't know if it will take seven hours this time but will give it the overnight shift.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    FrostWire is a peer-to-peer file sharing program for the Gnutella and BitTorrent protocols. FrostWire is written in Java, and is a fork of LimeWire, another popular Gnutella client.

    frostwire-4.21.5.windows.exe is the executable. This is not the setup, it's the executable on the desktop. How/where did you get the exe file?
    Since you don't intend to use it, consider removing it from the system.
    =================================
    FYI: File Sharing- Some Information:

    Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.


    So although you indicate that you did not actually install Frostwire, you did use it and you did get malware.
  20. jgf

    jgf TS Rookie Topic Starter Posts: 31

    Don't recall from where I d/l'd Frostwire. Had been using Limewire, when the feds shut that down everyone got a stream of emails about Frostwire being the "official" replacement; it seemed odd that this "official" replacement had no official website and was available from about a dozen different places. So my d/l sat there untouched while I did more research; seems there is/was an actual Frostwire that was a somewhat slimmed down version of Limewire, unfortunately there also is/was a malicious file of the same name circulating. The entire situation seemed too flakey so I pursued it no further, and forgot about the file (I did not install, run, or even click on it). Things often go unnoticed on my desktop since I have "hide desktop icons" selected (due to arcane graphics problems which no one has been able to solve).

    Am aware of the hazards of torrent files, but deal primarily with a couple of members-only sites that have proven quite reliable ... and these are used so seldom I must remember to log in once a month to keep my membership active.
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    A tip to keep track of the Desktop without having the icons display:

    Right click on the Taskbar> Choose Toolbars> Choose Desktop.

    Now if you keep the icons hidden, you will see the word 'Desktop>>' to the left of the Notification Area. Click on the >> and the contents of the desktop will display in a list, top to bottom, in alpha order, with folders first, then files, above the Notification Area. You can left click to Open or right click to Delete (or use any of the other features on the right click context menu).
    ==============================================
    The system is clean. Let me know if you have any more questions.
  22. jgf

    jgf TS Rookie Topic Starter Posts: 31

    I just use the keyboard Windows+E to invoke Windows Explorer, and there is my desktop listing. (FWIW, the graphics anomaly is that in some games the desktop icons, some system tray items, and occasionally the Start button will flicker on the screen while the game is running. Two years of tech forums and emails, even going from a GeForce to an ATi, has produced no solution; so I hide the icons and live with it.)

    Ran ESET again last night, only took three hours this time, and it reported no threats detected. Thanks for all the help and information, hopefully I won't need it again.
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. Stay safe.
