Battling PC Performance and Stability Analysis Report Virus

Eric72

I contracted the PC Performance and Stability Analysis Report Virus yesterday. After extensive searching on the topic, I've read most of the applicable threads in this forum. I've begun the initial 5-step process and am currently running the Malwarebytes program, in "Safe Mode with Networking" (virus prevents any activity in Normal Mode).

Please confirm that I should continue through the initial 5-step process. Should I revert to normal mode after running Malwarebytes?

Thanks a lot for the help!
 
Welcome to TechSpot, Eric. It would help to know what problems you're experiencing, such as missing programs, files, icons? 'Error' and/or malware alerts?
This infection is classified as a rogue anti-spyware program because it uses false security alerts and fake scan results to try and trick you into thinking that your computer is infected so that you will then purchase it. It scans then goes on to display a variety of fake security alerts and warnings that are designed to make you think your computer has a serious security problem.
----------------------------------
Please do the following to help you run other programs:

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.

This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, so we will first need to fix this. Launch Internet Explorer:
  • Access Internet Options through Tools> Connections tab
  • Click on the Lan Settings at the bottom
  • Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN'.
  • Then click on OK> and OK again to close Internet Options.
===============================
This malware frequently comes with the TDSS rootkit, so do the following:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double-click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result. Save the log and include it in your next reply.
  • A reboot is required after disinfection.
====================================
If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
====================================
Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 3 different versions. If one of them won't run then download and try to run the other one. (Vista and Win7 users need to right click Rkill and choose Run as Administrator)

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
Do not reboot until instructed, as it will start the malware again.
==================================
Now try the Malwarebytes scan, after it updates, but this time, on the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

When the scan has finished, you will see this image:
[image: scan-finished.jpg]

  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
========================================
I'd also like you to run the DDS scan and leave the 2 logs.
TDSSKiller
RKill
Malwarebytes Full Scan
2 logs from DDS
 
Thanks a lot, Bobbye.

My initial symptoms included multiple windows with warnings and error messages related to my OS, hard drive, memory, etc; no visible icons on the desktop; no visible programs nested within the Start button; black desktop background.

Since my first post, I have attempted to execute the initial 5-step process in Safe Mode with Networking (unable in normal mode), with the following results:
- Left my current antivirus program (Verizon Internet Security Suite) in place
- Successfully installed and ran Malwarebytes
- Successfully installed and ran GMER
- Successfully installed DDS, but it is unable to finish its scan. I'm not aware of any script blocking I have in place but am unsure how to determine that or turn it off

Following your additional instructions above:
- I installed TDSSKiller, but it will not run - nothing seems to happen when I launch it
- Successfully installed and ran Rkill (from Rkill.com link)
- Reran Malwarebytes (full scan)

Following this post, I will post the initial Malwarebytes log, the GMER log, and the second Malwarebytes log.

Thanks for any additional guidance.
 
First Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8068

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/2/2011 9:15:56 AM
mbam-log-2011-11-02 (09-15-56).txt

Scan type: Quick scan
Objects scanned: 275140
Time elapsed: 17 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.BHO.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.BHO (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkyjyxdjbom (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wLFPFmouqaYX.exe (Rogue.FakeAlert) -> Value: wLFPFmouqaYX.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} (Trojan.FakeAlert) -> Value: {E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} (Trojan.FakeAlert) -> Value: {E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D} -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.BHO.1\CLSID\(default) (Adware.DeepDive) -> Value: (default) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.BHO\CLSID\(default) (Adware.DeepDive) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\wlfpfmouqayx.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\1kalmig2kb7fzp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\downloads\europeanairwar-dm[1].exe (Adware.TryMedia) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\gasfkyynepsyav.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gasfkykyxfeojt.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gasfkyttmqsnto.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
 
GMER log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-02 10:29:24
Windows 5.1.2600 Service Pack 3
Running: y3wluwmo.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pwtdapod.sys


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom@imagepath \systemroot\system32\drivers\gasfkyynepsyav.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main@aid 10096
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\connections (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\delete@C:\DOCUME~1\Gunnar\LOCALS~1\Temp\gasfkyipmpdwqjtn.tmp
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\delete@C:\DOCUME~1\Gunnar\LOCALS~1\Temp\gasfkytpfqxrgevp.tmp
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\injector@* gasfkywsp8y.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkyynepsyav.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkycmd.dll \systemroot\system32\gasfkybafdkmrv.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkylog.dat \systemroot\system32\gasfkyttmqsnto.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkywsp.dll \systemroot\system32\gasfkyrpuhatve.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfky.dat \systemroot\system32\gasfkykyxfeojt.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkyjyxdjbom\modules@gasfkywsp8y.dll \systemroot\system32\gasfkyxfvaiidf.dll

---- EOF - GMER 1.0.15 ----
 
Second Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8068

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/3/2011 9:54:34 AM
mbam-log-2011-11-03 (09-54-34).txt

Scan type: Full scan (C:\|)
Objects scanned: 515610
Time elapsed: 1 hour(s), 20 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1280\A0131280.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1280\A0131281.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP1280\A0131282.exe (Adware.TryMedia) -> Quarantined and deleted successfully.
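As an added example (not from the thread, and not Malwarebytes' own code), the following Python parses a Malwarebytes' Anti-Malware 1.51 log in the format pasted above and applies the checks a helper makes before replying: were all listed items actually quarantined, does each section's declared count match the items pasted (a truncated paste is common on forums), and which families (Rootkit.*, PUM.*) need follow-up beyond the removed file. The embedded sample log is constructed from lines modelled on the two logs above, plus one constructed "No action taken." entry.

```python
"""Parse a Malwarebytes' Anti-Malware 1.51 log (the format pasted in this thread): what
was found, whether every item was actually quarantined, and whether the paste is complete."""
import re
from collections import Counter

# Constructed sample: lines modelled on the logs posted in the thread, plus one
# "No action taken." file added to exercise the unresolved-item check.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8068
Windows 5.1.2600 Service Pack 3 (Safe Mode)
11/2/2011 9:15:56 AM

Scan type: Quick scan
Objects scanned: 275140
Time elapsed: 17 minute(s), 35 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\main.BHO (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkyjyxdjbom (Rootkit.TDSS) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wLFPFmouqaYX.exe (Rogue.FakeAlert) -> Value: wLFPFmouqaYX.exe -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.BHO\CLSID\(default) (Adware.DeepDive) -> Value: (default) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\all users\application data\wlfpfmouqayx.exe (Rogue.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\gasfkyynepsyav.sys (Rootkit.TDSS) -> No action taken.
"""

# "Files Infected: 6" is a summary count; "Files Infected:" opens a detection section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# <path> (<family>) -> [detail ->] <outcome>; the path may itself contain "(default)".
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[A-Za-z][\w.]*)\) -> (?P<rest>.+)$")
CLEANED = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return header fields, declared per-section counts and the list of detections."""
    header, declared, detections = {}, {}, []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                declared[m.group("name")] = int(m.group("count"))
            else:
                section = m.group("name")
            continue
        if section is None:
            if ": " in line:  # header "Key: value"; the date line has no ": "
                key, value = line.split(": ", 1)
                header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue  # blank, "(No malicious items detected)", or forum-wrapped text
        parts = [p.strip() for p in m.group("rest").split("->")]
        detections.append({
            "section": section,
            "path": m.group("path"),
            "family": m.group("family"),
            "detail": " -> ".join(parts[:-1]) or None,  # "Value: x" / "Bad: (1) Good: (0)"
            "outcome": parts[-1],
        })
    return {"header": header, "declared": declared, "detections": detections}


def unresolved(report):
    """Detections Malwarebytes did not quarantine: they need another pass or another tool."""
    return [d for d in report["detections"] if d["outcome"] != CLEANED]


def count_mismatches(report):
    """Sections whose declared count differs from the items listed, which usually
    means a truncated paste. Returns {section: (declared, listed)}."""
    listed = Counter(d["section"] for d in report["detections"])
    return {name: (n, listed.get(name, 0))
            for name, n in report["declared"].items() if listed.get(name, 0) != n}


def follow_up(report):
    """Rootkit.* and PUM.* items need attention beyond the cleaned item: a driver-level
    infection (hence TDSSKiller in the thread) and security settings switched off."""
    return {prefix: [d["path"] for d in report["detections"]
                     if d["family"].startswith(prefix + ".")]
            for prefix in ("Rootkit", "PUM")}
```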
 
Okay, no new entries in Eset. System Volume is where restore points are kept. These are not active in the system and will be removed at the end of cleaning.
=======================
If you are still 'missing' icons, programs, desktop, etc., run the following. Note: this does not remove the malware, only the attributes that make icons, etc. appear missing.
Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
=======================================
I have attempted to execute the initial 5-step process in Safe Mode with Networking (unable in normal mode),

What happens when you boot into Normal Mode?
=====================================
Let's go through the following; if you can do this in Normal Mode, please do so:
Follow this order
Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 3 different versions. If one of them won't run then download and try to run the other one. (Vista and Win7 users need to right click Rkill and choose Run as Administrator)

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, then try to immediately run the following:

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan.
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).
===============================
Run the TDSSKiller
Run DDS
=================================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop.
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes, to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe [image: cf-icon.jpg] & follow the prompts to run.
  • When the scan completes, a report will be generated and will open in a text window. Please paste C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
========================================
Are you getting a message about a proxy? If yes, do the following:
Reset your browser proxies
  • For Firefox:
    o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    o Click on the "Network" tab, and then on the "Settings" button.
    o Please make sure that the "No Proxy" option is selected.
  • For Internet Explorer:
    o Open Internet Explorer.
    o Click on "Tools" and then select "Internet Options".
    o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
    o Uncheck "Use a Proxy server for your LAN".
    o Click Ok to close the Local Area Network (LAN) Settings window.
    o Click Ok to close the Internet Options window.
========================================
Anytime you can't run a scan, if you get any message, you need to let me know what it is.
Logs for next reply:
RKill
TDSS Killer
DDS> 2 logs
Combofix
 
When previously launching normal mode, I received an error message stating: "Error loading CTMBHA.DLL Invalid Access to Memory Location". I also had no visible icons in normal mode. Now that I've run Unhide.exe, icons are again visible. I also no longer see the memory access error.

I've completed the following steps:
- Successfully ran Unhide.exe
- Successfully ran Rkill (log to follow)
- Unable to download exeHelper, as if the link did not work
- Successfully ran TDSSKiller (log to follow)
- Launched DDS, but it again hangs up without completing (no error - just freezes up the computer; I did a hard reset after about 30-40 min)
- Successfully downloaded Combofix, but it also hangs up during execution. I gave it an hour on the first run and about 45 min on the second try. Both iterations required a hard reset.
- Noted no browser proxies in place

Thanks again
 
Rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 11/07/2011 at 16:48:47.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 11/07/2011 at 16:48:54.
 
TDSSKiller log:

17:02:54.0062 0888 TDSS rootkit removing tool 2.6.16.0 Nov 7 2011 16:26:51
17:02:54.0781 0888 ============================================================
17:02:54.0796 0888 Current date / time: 2011/11/07 17:02:54.0781
17:02:54.0796 0888 SystemInfo:
17:02:54.0796 0888
17:02:54.0796 0888 OS Version: 5.1.2600 ServicePack: 3.0
17:02:54.0796 0888 Product type: Workstation
17:02:54.0796 0888 ComputerName: OFFICE
17:02:54.0812 0888 UserName: Erik
17:02:54.0812 0888 Windows directory: C:\WINDOWS
17:02:54.0812 0888 System windows directory: C:\WINDOWS
17:02:54.0812 0888 Processor architecture: Intel x86
17:02:54.0812 0888 Number of processors: 2
17:02:54.0812 0888 Page size: 0x1000
17:02:54.0812 0888 Boot type: Normal boot
17:02:54.0812 0888 ============================================================
17:02:55.0734 0888 Initialize success
17:03:45.0171 1652 ============================================================
17:03:45.0171 1652 Scan started
17:03:45.0171 1652 Mode: Manual;
17:03:45.0171 1652 ============================================================
17:03:52.0593 1652 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
17:03:52.0593 1652 kmixer - ok
17:03:52.0640 1652 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
17:03:52.0640 1652 KSecDD - ok
17:03:52.0734 1652 lac97inf - ok
17:03:52.0750 1652 lbrtfdc - ok
17:03:52.0796 1652 LVPr2Mon (c57c48fb9ae3efb9848af594e3123a63) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
17:03:52.0937 1652 LVPr2Mon - ok
17:03:52.0968 1652 LVRS (87ecce893d8aec5a9337b917742d339c) C:\WINDOWS\system32\DRIVERS\lvrs.sys
17:03:53.0109 1652 LVRS - ok
17:03:53.0312 1652 LVUVC (291f69b3dda0f033d2490c5ba5179f7c) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
17:03:53.0640 1652 LVUVC - ok
17:03:53.0640 1652 MBAMSwissArmy - ok
17:03:53.0718 1652 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
17:03:53.0781 1652 mdmxsdk - ok
17:03:53.0875 1652 mfeapfk (c373a719d704d12f5a4503f6f10239ff) C:\WINDOWS\system32\drivers\mfeapfk.sys
17:03:53.0968 1652 mfeapfk - ok
17:03:54.0156 1652 mfeavfk (851ad52871b62457152a8acaff0c632d) C:\WINDOWS\system32\drivers\mfeavfk.sys
17:03:54.0421 1652 mfeavfk - ok
17:03:54.0687 1652 mfeavfk01 - ok
17:03:54.0890 1652 mfebopk (5b9ffb027669a8ac30aac0b4996bc603) C:\WINDOWS\system32\drivers\mfebopk.sys
17:03:54.0984 1652 mfebopk - ok
17:03:55.0031 1652 mfefirek (2cabe72e53365834cb9969dde47bd690) C:\WINDOWS\system32\drivers\mfefirek.sys
17:03:55.0125 1652 mfefirek - ok
17:03:55.0171 1652 mfehidk (46db8f041e928bdc17b8daba249a2148) C:\WINDOWS\system32\drivers\mfehidk.sys
17:03:55.0343 1652 mfehidk - ok
17:03:55.0375 1652 mfendisk (348e3db31cf458adaa3798fb8af659c3) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
17:03:55.0453 1652 mfendisk - ok
17:03:55.0468 1652 mfendiskmp (348e3db31cf458adaa3798fb8af659c3) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
17:03:55.0468 1652 mfendiskmp - ok
17:03:55.0500 1652 mferkdet (316fd7c31cd57ca793fb10912aeeb2d2) C:\WINDOWS\system32\drivers\mferkdet.sys
17:03:55.0578 1652 mferkdet - ok
17:03:55.0625 1652 mfetdi2k (2026fe7c9e6b26ffeb08cd89c6326b91) C:\WINDOWS\system32\drivers\mfetdi2k.sys
17:03:55.0703 1652 mfetdi2k - ok
17:03:55.0750 1652 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
17:03:55.0875 1652 MHNDRV - ok
17:03:55.0890 1652 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
17:03:55.0890 1652 mnmdd - ok
17:03:55.0937 1652 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
17:03:55.0937 1652 Modem - ok
17:03:55.0953 1652 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
17:03:56.0031 1652 MODEMCSA - ok
17:03:56.0062 1652 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:03:56.0078 1652 Mouclass - ok
17:03:56.0109 1652 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:03:56.0109 1652 mouhid - ok
17:03:56.0156 1652 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
17:03:56.0156 1652 MountMgr - ok
17:03:56.0187 1652 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
17:03:56.0250 1652 mraid35x - ok
17:03:56.0359 1652 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
17:03:56.0421 1652 MREMP50 - ok
17:03:56.0421 1652 MREMPR5 - ok
17:03:56.0421 1652 MRENDIS5 - ok
17:03:56.0453 1652 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
17:03:56.0515 1652 MRESP50 - ok
17:03:56.0593 1652 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:03:56.0609 1652 MRxDAV - ok
17:03:56.0671 1652 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:03:56.0687 1652 MRxSmb - ok
17:03:56.0765 1652 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
17:03:56.0781 1652 Msfs - ok
17:03:56.0843 1652 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:03:56.0843 1652 MSKSSRV - ok
17:03:56.0906 1652 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:03:56.0906 1652 MSPCLOCK - ok
17:03:56.0953 1652 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
17:03:56.0968 1652 MSPQM - ok
17:03:57.0000 1652 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:03:57.0015 1652 mssmbios - ok
17:03:57.0046 1652 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
17:03:57.0062 1652 MSTEE - ok
17:03:57.0109 1652 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
17:03:57.0109 1652 Mup - ok
17:03:57.0171 1652 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
17:03:57.0171 1652 NABTSFEC - ok
17:03:57.0218 1652 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
17:03:57.0234 1652 NDIS - ok
17:03:57.0281 1652 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
17:03:57.0281 1652 NdisIP - ok
17:03:57.0328 1652 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:03:57.0328 1652 NdisTapi - ok
17:03:57.0375 1652 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:03:57.0375 1652 Ndisuio - ok
17:03:57.0421 1652 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:03:57.0421 1652 NdisWan - ok
17:03:57.0468 1652 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
17:03:57.0468 1652 NDProxy - ok
17:03:57.0515 1652 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
17:03:57.0515 1652 NetBIOS - ok
17:03:57.0562 1652 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
17:03:57.0562 1652 NetBT - ok
17:03:57.0625 1652 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
17:03:57.0625 1652 Npfs - ok
17:03:57.0703 1652 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
17:03:57.0718 1652 Ntfs - ok
17:03:57.0781 1652 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
17:03:57.0796 1652 Null - ok
17:03:57.0890 1652 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
17:03:57.0968 1652 nv - ok
17:03:58.0031 1652 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:03:58.0031 1652 NwlnkFlt - ok
17:03:58.0078 1652 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:03:58.0078 1652 NwlnkFwd - ok
17:03:58.0171 1652 ossrv (103a9b117a7d9903111955cdafe65ac6) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
17:03:58.0234 1652 ossrv - ok
17:03:58.0328 1652 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
17:03:58.0328 1652 Parport - ok
17:03:58.0375 1652 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
17:03:58.0375 1652 PartMgr - ok
17:03:58.0421 1652 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
17:03:58.0421 1652 ParVdm - ok
17:03:58.0468 1652 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
17:03:58.0468 1652 PCI - ok
17:03:58.0500 1652 PCIDump - ok
17:03:58.0531 1652 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
17:03:58.0546 1652 PCIIde - ok
17:03:58.0609 1652 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
17:03:58.0609 1652 Pcmcia - ok
17:03:58.0656 1652 PDCOMP - ok
17:03:58.0687 1652 PDFRAME - ok
17:03:58.0718 1652 PDRELI - ok
17:03:58.0750 1652 PDRFRAME - ok
17:03:58.0796 1652 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
17:03:58.0859 1652 perc2 - ok
17:03:58.0921 1652 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
17:03:58.0937 1652 perc2hib - ok
17:03:59.0015 1652 PfModNT (d9ed17ac15720096a9f92ff4ea587b09) C:\WINDOWS\system32\drivers\PfModNT.sys
17:03:59.0093 1652 PfModNT - ok
17:03:59.0171 1652 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:03:59.0187 1652 PptpMiniport - ok
17:03:59.0218 1652 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
17:03:59.0234 1652 PSched - ok
17:03:59.0296 1652 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:03:59.0296 1652 Ptilink - ok
17:03:59.0328 1652 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
17:03:59.0343 1652 PxHelp20 - ok
17:03:59.0375 1652 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
17:03:59.0390 1652 ql1080 - ok
17:03:59.0453 1652 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
17:03:59.0468 1652 Ql10wnt - ok
17:03:59.0515 1652 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
17:03:59.0531 1652 ql12160 - ok
17:03:59.0578 1652 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
17:03:59.0578 1652 ql1240 - ok
17:03:59.0625 1652 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
17:03:59.0640 1652 ql1280 - ok
17:03:59.0703 1652 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:03:59.0703 1652 RasAcd - ok
17:03:59.0781 1652 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:03:59.0781 1652 Rasl2tp - ok
17:03:59.0812 1652 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:03:59.0828 1652 RasPppoe - ok
17:03:59.0890 1652 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
17:03:59.0890 1652 Raspti - ok
17:03:59.0921 1652 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:03:59.0937 1652 Rdbss - ok
17:03:59.0968 1652 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:03:59.0984 1652 RDPCDD - ok
17:04:00.0015 1652 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:04:00.0015 1652 rdpdr - ok
17:04:00.0062 1652 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
17:04:00.0078 1652 RDPWD - ok
17:04:00.0125 1652 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
17:04:00.0125 1652 redbook - ok
17:04:00.0234 1652 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:04:00.0250 1652 Secdrv - ok
17:04:00.0312 1652 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
17:04:00.0328 1652 serenum - ok
17:04:00.0375 1652 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
17:04:00.0375 1652 Serial - ok
17:04:00.0421 1652 sfdrv01 (9e7dee11fd5a4355941a45f13c0ed59a) C:\WINDOWS\system32\drivers\sfdrv01.sys
17:04:00.0484 1652 sfdrv01 - ok
17:04:00.0531 1652 sfhlp02 (ecefb59d2206d281e6d317af0ea0d8bd) C:\WINDOWS\system32\drivers\sfhlp02.sys
17:04:00.0593 1652 sfhlp02 - ok
17:04:00.0640 1652 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
17:04:00.0656 1652 Sfloppy - ok
17:04:00.0750 1652 sigfilt (6bd3976b881888ac9a0ed3eb94e7fd38) C:\WINDOWS\system32\drivers\sigfilt.sys
17:04:00.0859 1652 sigfilt - ok
17:04:00.0890 1652 Simbad - ok
17:04:00.0953 1652 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
17:04:00.0968 1652 sisagp - ok
17:04:01.0015 1652 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
17:04:01.0031 1652 SLIP - ok
17:04:01.0078 1652 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
17:04:01.0093 1652 Sparrow - ok
17:04:01.0140 1652 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
17:04:01.0140 1652 splitter - ok
17:04:01.0187 1652 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
17:04:01.0203 1652 sr - ok
17:04:01.0265 1652 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
17:04:01.0265 1652 Srv - ok
17:04:01.0328 1652 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
17:04:01.0390 1652 sscdbhk5 - ok
17:04:01.0437 1652 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
17:04:01.0500 1652 ssrtln - ok
17:04:01.0578 1652 STHDA (b95480c92c4c9c311be47b8a1ad73770) C:\WINDOWS\system32\drivers\sthda.sys
17:04:01.0640 1652 STHDA - ok
17:04:01.0718 1652 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
17:04:01.0718 1652 streamip - ok
17:04:01.0765 1652 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
17:04:01.0781 1652 swenum - ok
17:04:01.0812 1652 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
17:04:01.0812 1652 swmidi - ok
17:04:01.0875 1652 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
17:04:01.0937 1652 symc810 - ok
17:04:01.0984 1652 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
17:04:02.0062 1652 symc8xx - ok
17:04:02.0109 1652 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
17:04:02.0125 1652 sym_hi - ok
17:04:02.0171 1652 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
17:04:02.0250 1652 sym_u3 - ok
17:04:02.0328 1652 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
17:04:02.0328 1652 sysaudio - ok
17:04:02.0406 1652 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:04:02.0421 1652 Tcpip - ok
17:04:02.0468 1652 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
17:04:02.0484 1652 TDPIPE - ok
17:04:02.0531 1652 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
17:04:02.0531 1652 TDTCP - ok
17:04:02.0578 1652 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
17:04:02.0578 1652 TermDD - ok
17:04:02.0656 1652 tfsnboio (30698355067d07da5f9eb81132c9fdd6) C:\WINDOWS\system32\dla\tfsnboio.sys
17:04:02.0718 1652 tfsnboio - ok
17:04:02.0765 1652 tfsncofs (fb9d825bb4a2abdf24600f7505050e2b) C:\WINDOWS\system32\dla\tfsncofs.sys
17:04:02.0843 1652 tfsncofs - ok
17:04:02.0875 1652 tfsndrct (cafd8cca11aa1e8b6d2ea1ba8f70ec33) C:\WINDOWS\system32\dla\tfsndrct.sys
17:04:02.0953 1652 tfsndrct - ok
17:04:02.0984 1652 tfsndres (8db1e78fbf7c426d8ec3d8f1a33d6485) C:\WINDOWS\system32\dla\tfsndres.sys
17:04:03.0046 1652 tfsndres - ok
17:04:03.0078 1652 tfsnifs (b92f67a71cc8176f331b8aa8d9f555ad) C:\WINDOWS\system32\dla\tfsnifs.sys
17:04:03.0156 1652 tfsnifs - ok
17:04:03.0187 1652 tfsnopio (85985faa9a71e2358fcc2edefc2a3c5c) C:\WINDOWS\system32\dla\tfsnopio.sys
17:04:03.0265 1652 tfsnopio - ok
17:04:03.0312 1652 tfsnpool (bba22094f0f7c210567efdaf11f64495) C:\WINDOWS\system32\dla\tfsnpool.sys
17:04:03.0375 1652 tfsnpool - ok
17:04:03.0406 1652 tfsnudf (81340bef80b9811e98ce64611e67e3ff) C:\WINDOWS\system32\dla\tfsnudf.sys
17:04:03.0484 1652 tfsnudf - ok
17:04:03.0531 1652 tfsnudfa (c035fd116224ccc8325f384776b6a8bb) C:\WINDOWS\system32\dla\tfsnudfa.sys
17:04:03.0609 1652 tfsnudfa - ok
17:04:03.0671 1652 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
17:04:03.0671 1652 TosIde - ok
17:04:03.0765 1652 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
17:04:03.0765 1652 Udfs - ok
17:04:03.0828 1652 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
17:04:03.0890 1652 ultra - ok
17:04:03.0968 1652 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
17:04:03.0984 1652 Update - ok
17:04:04.0078 1652 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
17:04:04.0203 1652 USBAAPL - ok
17:04:04.0281 1652 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
17:04:04.0281 1652 usbaudio - ok
17:04:04.0343 1652 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:04:04.0343 1652 usbccgp - ok
17:04:04.0406 1652 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:04:04.0421 1652 usbehci - ok
17:04:04.0468 1652 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:04:04.0468 1652 usbhub - ok
17:04:04.0515 1652 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:04:04.0531 1652 usbprint - ok
17:04:04.0578 1652 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:04:04.0593 1652 usbscan - ok
17:04:04.0640 1652 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:04:04.0640 1652 USBSTOR - ok
17:04:04.0671 1652 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
17:04:04.0687 1652 usbuhci - ok
17:04:04.0734 1652 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
17:04:04.0734 1652 usbvideo - ok
17:04:04.0796 1652 USB_RNDIS (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys
17:04:04.0796 1652 USB_RNDIS - ok
17:04:04.0828 1652 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
17:04:04.0843 1652 VgaSave - ok
17:04:04.0921 1652 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
17:04:04.0921 1652 viaagp - ok
17:04:04.0984 1652 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
17:04:04.0984 1652 ViaIde - ok
17:04:05.0031 1652 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
17:04:05.0031 1652 VolSnap - ok
17:04:05.0093 1652 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:04:05.0093 1652 Wanarp - ok
17:04:05.0125 1652 wanatw - ok
17:04:05.0156 1652 WDICA - ok
17:04:05.0203 1652 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
17:04:05.0218 1652 wdmaud - ok
17:04:05.0296 1652 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
17:04:05.0328 1652 winachsf - ok
17:04:05.0453 1652 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
17:04:05.0453 1652 WpdUsb - ok
17:04:05.0500 1652 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
17:04:05.0500 1652 WS2IFSL - ok
17:04:05.0562 1652 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
17:04:05.0562 1652 WSTCODEC - ok
17:04:05.0640 1652 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
17:04:05.0656 1652 WudfPf - ok
17:04:05.0703 1652 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
17:04:05.0703 1652 WudfRd - ok
17:04:05.0750 1652 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
17:04:05.0781 1652 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
17:04:05.0781 1652 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
17:04:05.0796 1652 Boot (0x1200) (1cb2e22ca6693b69d4566505529aa405) \Device\Harddisk0\DR0\Partition0
17:04:05.0796 1652 \Device\Harddisk0\DR0\Partition0 - ok
17:04:05.0796 1652 ============================================================
17:04:05.0796 1652 Scan finished
17:04:05.0796 1652 ============================================================
17:04:05.0828 3312 Detected object count: 1
17:04:05.0828 3312 Actual detected object count: 1
17:05:16.0484 3312 \Device\Harddisk0\DR0 - copied to quarantine
17:05:16.0562 3312 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
17:05:16.0593 3312 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
17:05:16.0609 3312 \Device\Harddisk0\DR0\TDLFS\bid - copied to quarantine
17:05:16.0625 3312 \Device\Harddisk0\DR0\TDLFS\affid - copied to quarantine
17:05:16.0625 3312 \Device\Harddisk0\DR0\TDLFS\boot - copied to quarantine
17:05:16.0640 3312 \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
17:05:16.0703 3312 \Device\Harddisk0\DR0\TDLFS\cmd64 - copied to quarantine
17:05:16.0781 3312 \Device\Harddisk0\DR0\TDLFS\dbg32 - copied to quarantine
17:05:16.0828 3312 \Device\Harddisk0\DR0\TDLFS\dbg64 - copied to quarantine
17:05:16.0890 3312 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
17:05:17.0875 3312 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
17:05:17.0953 3312 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
17:05:18.0234 3312 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
17:05:18.0312 3312 \Device\Harddisk0\DR0\TDLFS\subid - copied to quarantine
17:05:18.0328 3312 \Device\Harddisk0\DR0\TDLFS\info - copied to quarantine
17:05:18.0359 3312 \Device\Harddisk0\DR0\TDLFS\main - copied to quarantine
17:05:18.0375 3312 \Device\Harddisk0\DR0\TDLFS\mainfb.script - copied to quarantine
17:05:18.0468 3312 \Device\Harddisk0\DR0\TDLFS\com32 - copied to quarantine
17:05:18.0562 3312 \Device\Harddisk0\DR0\TDLFS\bbr232 - copied to quarantine
17:05:18.0640 3312 \Device\Harddisk0\DR0\TDLFS\serf_conf - copied to quarantine
17:05:18.0750 3312 \Device\Harddisk0\DR0\TDLFS\bbr_conf - copied to quarantine
17:05:18.0812 3312 \Device\Harddisk0\DR0\TDLFS\serf332 - copied to quarantine
17:05:18.0968 3312 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Quarantine
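The useful part of a TDSSKiller log like the one above is a handful of lines near the end, buried after hundreds of "driver - ok" entries. As an added example (not part of the thread and not Kaspersky's tool), here is a small Python triage script that parses lines in the format shown, separates the driver hash listing from the detection, quarantine and action lines, and pulls out the disk-level findings that indicate an MBR bootkit rather than an infected driver file. The sample lines are constructed to mirror the log above; the function names are my own.

```python
"""Triage helper for TDSSKiller-style scan logs (added example, not a tool from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample lines in the thread's log format: <time> <thread id> <object ...>
SAMPLE_LOG = r"""
17:04:05.0703 1652 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
17:04:05.0703 1652 WudfRd - ok
17:04:05.0750 1652 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
17:04:05.0781 1652 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
17:04:05.0781 1652 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
17:04:05.0796 1652 \Device\Harddisk0\DR0\Partition0 - ok
17:04:05.0796 1652 ============================================================
17:05:16.0484 3312 \Device\Harddisk0\DR0 - copied to quarantine
17:05:16.0562 3312 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
17:05:16.0593 3312 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
17:05:16.0640 3312 \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
17:05:18.0968 3312 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Quarantine
"""

LINE_RE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+(?P<rest>.+)$")
# Enumeration line: "<name> (<md5>) <path>"; the name itself may contain parentheses ("MBR (0x1B8)").
HASH_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Status line: "<object> [( <detection> )] - <status>"
STATUS_RE = re.compile(r"^(?P<obj>.+?)(?: \( (?P<det>[^)]+?) \))? - (?P<status>.+)$")


@dataclass
class ScanSummary:
    hashes: dict = field(default_factory=dict)       # object name -> (md5, path)
    clean: set = field(default_factory=set)          # objects reported "ok"
    infected: dict = field(default_factory=dict)     # object -> detection name
    quarantined: list = field(default_factory=list)  # objects copied to quarantine, in log order
    actions: dict = field(default_factory=dict)      # object -> user-selected action


def parse_line(line):
    """Classify one log line; returns None for lines that are not in the log format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    h = HASH_RE.match(rest)
    if h:
        return {"kind": "hash", "object": h.group("name"), "md5": h.group("md5"), "path": h.group("path")}
    s = STATUS_RE.match(rest)
    if not s:
        return {"kind": "other", "text": rest}  # separators, counters, "Scan finished"
    status = s.group("status")
    rec = {"kind": "status", "object": s.group("obj"), "detection": s.group("det"), "status": status}
    d = re.match(r"detected (\S+)", status)  # "- detected <name> (0)" carries the name in the status
    if d:
        rec["detection"] = d.group(1)
    return rec


def summarize(log_text):
    """Fold all lines into a ScanSummary."""
    summary = ScanSummary()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] == "other":
            continue
        if rec["kind"] == "hash":
            summary.hashes[rec["object"]] = (rec["md5"], rec["path"])
            continue
        obj, status = rec["object"], rec["status"]
        if status == "ok":
            summary.clean.add(obj)
        elif status == "infected" or status.startswith("detected "):
            summary.infected[obj] = rec["detection"]
        elif status == "copied to quarantine":
            summary.quarantined.append(obj)
        elif status.startswith("User select action: "):
            summary.actions[obj] = status.split(": ", 1)[1]
    return summary


def tdlfs_entries(summary):
    """Names of hidden-filesystem (\\TDLFS\\<name>) entries the scanner quarantined."""
    return [obj.rsplit("\\TDLFS\\", 1)[1] for obj in summary.quarantined if "\\TDLFS\\" in obj]


def boot_sector_findings(summary):
    """Detections on raw disk objects, not driver files: the signature of an MBR bootkit."""
    return {obj: det for obj, det in summary.infected.items() if obj.startswith("\\Device\\Harddisk")}


def unresolved_detections(summary):
    """Infected objects for which the log records no user action (scan aborted or skipped)."""
    return [obj for obj in summary.infected if obj not in summary.actions]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{len(s.hashes)} objects hashed, {len(s.clean)} clean, {len(s.infected)} infected")
    for obj, det in boot_sector_findings(s).items():
        print(f"boot-sector detection: {obj} -> {det}, action: {s.actions.get(obj, 'NONE')}")
    print("hidden TDLFS entries quarantined:", ", ".join(tdlfs_entries(s)))
    print("unresolved:", unresolved_detections(s))
```

The driver files all hash as "ok" while the disk object itself is flagged; that is why file-based scanners in the thread kept coming back clean and a boot-sector tool was needed.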
 
ctmbha.dll is a Creative Filter AudioControlMB Module, related to the Creative Audigy line of sound cards. Manufacturer: Creative Technology Ltd. With that type of message on startup, the process needing this can be removed from the Startup menu.
=====================================
It's important that you follow the steps below in the order given:

NOTE: If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode.
2. Delete the Combofix file, download a fresh one, but rename combofix.exe to friday.exe BEFORE saving it to your desktop.
Do NOT run it yet.
-------------------------------------
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 3 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following>>>>.

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created and should open at the end of the scan.
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

Rkill instructions
Once you've gotten one of them to run
  • immediately double click on friday.exe to run
  • If normal mode still doesn't work, run BOTH tools from safe mode.

If you have done #2, please post BOTH logs, rKill and Combofix.
===================================
You should be able to run DDS now.
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the download link to get the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

We're going to have to look into your security to try to prevent the assortment of malware! I'll have you do a Bootkit scan after these.
 
I'm still having some trouble running Combofix, despite several different attempts. In each case, I let it run for about an hour - one case for over two to ensure that I wasn't killing it too early. It consistently hangs up after the prompt saying that it should only take 10-20 minutes. In each case, I notice that the clock in the lower right of the screen freezes at the time of hang-up, up to five minutes after I've launched it.

Also, Rkill did not produce a log every time I ran it, although I did always see the black DOS window flash briefly - did it still run properly in those cases?

Here are the additional steps I've taken...

In Normal Mode:
- Ran Rkill, no log
- Ran Exehelper
- Ran Combofix but it hung up

Rebooted into Safe Mode:
- Ran Rkill.com, no log
- Ran Rkill.scr, no log
- Ran Rkill.exe, log produced
- Ran Exehelper
- Ran Combofix - it hung up

Rebooted in Safe Mode:
- Ran Rkill, no log
- Ran Exehelper
- Ran Combofix as "Friday.exe" according to the instructions, but it still got hung up

Rebooted in Safe Mode:
- Ran Rkill, no log
- Ran Exehelper
- Ran DDS - it locked up

Rebooted in Safe Mode:
- Ran Rkill, no log
- Ran Exehelper
- Ran ESET, log produced

Following this post, I'll post the single Rkill log, the Exehelper log, and the ESET log

Again, I appreciate the help!
 
Rkill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 11/09/2011 at 12:41:00.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Administrator\Desktop\rkill.scr
C:\Documents and Settings\Administrator\Desktop\rkill.exe


Rkill completed on 11/09/2011 at 12:42:15.
 
Exehelper log:

exeHelper by Raktor
Build 20100414
Run at 11:19:24 on 11/09/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100414
Run at 12:43:42 on 11/09/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100414
Run at 14:25:42 on 11/09/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor
Build 20100414
Run at 14:40:12 on 11/09/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
 
ESET log:

C:\Program Files\FoxTabAudioConverter\AudioConverter.exe a variant of Win32/InstallCore.A application
C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Kryptik.UWS trojan
C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmasco.V trojan
C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0007.dta a variant of Win32/Olmasco.O trojan
C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmasco.V trojan
C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0010.dta Win32/Olmasco.U trojan
C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0015.dta a variant of Win32/Kryptik.UWS trojan
C:\TDSSKiller_Quarantine\07.11.2011_17.02.54\mbr0000\tdlfs0000\tsk0016.dta a variant of Win32/Kryptik.UWS trojan
Operating memory a variant of Win32/Olmasco.Q trojan
 
Bobbye - Any guidance on next steps?

Just wanted to keep the thread active, in case the 5-day rule would shut it down tomorrow.

Thanks,
Eric
 
I'm so sorry Eric- I wouldn't close the thread when it's my fault! I broke my left hand last week (I'm left handed) and couldn't type for a few days. Am now trying to catch up but still have to limit time on keyboard.
========================================
Run the following in Normal Mode, then leave the log:
Bootkit Remover:

Download bootkitremover.rar and save to your desktop.
  1. Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. (Use 7-Zip if you don't have an extraction program.)
  2. Double-click on the remover.exe file to run the program.
    (Vista/7 users, right click on remover.exe and click Run As Administrator.)
  3. You will see a black screen with data
  4. Right click on the screen and click Select All.
  5. Press CTRL+C
  6. Open a Notepad and press CTRL+V
  7. Paste the output in your next reply.
=====================================
The sequence of programs I gave you was not done correctly and was ineffective. Let's see what this shows and I'll then decide how to proceed.

In the meantime, please do not run any other cleaning or 'helper' scans.
 
Gosh, sorry to hear about your hand, Bobbye - I hope it heals quickly!

The provided link to bootkitremover.rar does not appear valid - I get a "file not found" error. I did find a bootkit_remover.zip program on the esagelab.com website, however - should I download and run that?

Thanks,
Eric
 
OK - here's the log:

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
Good job! We found it!
  • Open Notepad
  • Copy and paste the text in the codebox into Notepad:

Code:
@ECHO OFF
START remover.exe fix  \\.\PhysicalDrive0  
EXIT
  • Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
  • In the FILE NAME box type fix.bat.
  • Save fix.bat to your Desktop.
  • Double click on fix.bat to run.
    You may see a black box appear; this is normal.
  • When done, run remover.exe again and post its output.

Did the zip download run smoothly?
 
Sounds like good news!

I followed your instructions, but when I double-click fix.bat, "remover.exe" cannot be found.

I think the issue may be this: when I downloaded bootkit_remover.zip and extracted, the only executable file is called boot_cleaner. That's the file I ran to get the last log. Is that the file we should be executing with the code you provided? I know their output log specified "remover.exe", but perhaps that is simply incorrect. What do you think?

The zip file did download and run just fine.
 
I just downloaded the bootkit zip. When you look at the download, you see 3 files. But you have to go through the zip wizard to make them active.

Just click on 'extract all files'> follow the 'wizard'> then double click on the bootkit remover.exe to run. If you did not do this when you first downloaded it, then it's not actually usable.

Download again if needed, walk with the wizard, run the program and use the same code I left for you. Let me know if there is a problem
 
The steps you list above are the same ones I followed when downloading the bootkit_remover.zip file. Of the 3 files extracted, only one is an executable file, named boot_cleaner.exe. Since there is no file named "remover.exe" the code you provided is returning an error. I went ahead and modified the code by replacing "remover.exe" with "boot_cleaner.exe", and the program produced the following log:

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00
Restoring boot code at \\.\PhysicalDrive0...
OK

Done;
Press any key to quit...


The program highly recommended a reboot after executing, which I allowed it to do. After the reboot, I ran boot_cleaner again, and it produced the following log:

Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Controlled by rootkit!

Boot code on some of your physical disks is hidden by a rootkit.
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]


Done;
Press any key to quit...
 
Eric, I managed to chase around for info on the bootkit scan. It appears the rar version may have also included the remover.exe file when unzipped. But the URL you found does not include the file. I tried the downloads and it now includes 2 separate downloads> one for the scan itself and another with the remover.exe.

I'm not comfortable using the zip scan, then using the second download. Although running the 2 does what we want, I am not clear on why all URL references to this program are still showing the original URL which is a 404.

I'd like you to try the following instead:

Please download MBRCheck and save to your desktop
  • Double click on MBRCheck.exe to run.
  • It will show a Black screen with some information that will contain
    [o] Found non-standard or infected MBR.
    (you should see information about Physical Drive0 controlled by a rootkit as before)
  • Do you want to fix the MBR code? Type 'YES' > then Enter to continue.
  • Select 2: > (Restore the MBR of a physical disk with a standard boot code.)
  • Enter 0 for the physical disk number to fix> then Enter.
  • For available MBR codes choose 1 for Windows XP> then enter
  • The program will prompt for confirmation. Type 'YES'> then Enter
  • Left click on the title bar (where program name and path is written).
  • Click on Edit -> Select All> Enter> Copy
  • Paste that text into Notepad, save it to your desktop as "MBRCheck results.txt"
  • Important! Restart your PC for the fix to take effect.
  • Post the contents of the MBRCheck results log in your next reply.
======================================
If you have any problem or if the information you get does not match the 'physical drive0, controlled by a rootkit', stop and let me know.
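Both Bootkit Remover (with its "dump the master boot sector" option) and MBRCheck work on the same 512-byte sector: they compare the boot code against known-good Windows code and flag an MBR the rootkit has hijacked. The following is an added example, not code from this thread, from Esage Lab or from MBRCheck, showing how that check is done in Python: it parses a raw MBR image into boot code, disk signature and partition table, hashes the boot code against a baseline, and reports anything that does not match. The "clean" and "infected" sector images, the baseline hash set and the partition geometry are all constructed for the example; the clean stub is a stand-in, not real Windows XP boot code.

```python
"""Added example: parse a raw 512-byte MBR and flag boot code that deviates from a
known-good baseline. All sample data below is constructed for this example."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0-439 hold the boot code
DISK_SIG_OFF = 440            # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian layout)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"status": status, "type": ptype, "lba_start": lba_start,
            "sectors": sectors, "empty": ptype == 0 and sectors == 0}


def parse_mbr(image: bytes) -> dict:
    """Split a raw sector into boot code, disk signature and partition table."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(image)}")
    boot_code = image[:BOOT_CODE_LEN]
    partitions = [
        parse_partition_entry(image[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
        for i in range(4)
    ]
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": image[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "valid_signature": image[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def assess_mbr(image: bytes, known_good_hashes: set) -> dict:
    """Compare boot code against the baseline and sanity-check the partition table."""
    info = parse_mbr(image)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] not in known_good_hashes:
        findings.append("boot code does not match any known-good baseline; "
                        "dump it for inspection or restore standard boot code")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid partition status byte 0x{p['status']:02X}")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append(f"{len(active)} active partitions (at most 1 expected)")
    info["findings"] = findings
    info["status"] = "suspect" if findings else "clean"
    return info


def build_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR image from its parts (constructed test data)."""
    assert len(boot_code) == BOOT_CODE_LEN
    table = b"".join(partitions) + b"\x00" * 16 * (4 - len(partitions))
    return boot_code + b"\x12\x34\x56\x78" + b"\x00\x00" + table + BOOT_SIGNATURE


# Constructed stand-in for clean boot code: a short stub plus NOP padding,
# NOT real Windows boot code; only its hash matters for the baseline check.
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * (BOOT_CODE_LEN - 9)
# Constructed "infected" variant: the first instruction is replaced by a jump, the
# way a bootkit redirects execution to its own loader before the real boot code runs.
INFECTED_BOOT_CODE = b"\xE9\x00\x01" + CLEAN_BOOT_CODE[3:]

# One active NTFS partition starting at sector 63 (constructed, sized like a 149 GB disk).
XP_PARTITION = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                           63, 312576642)

KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}
CLEAN_SAMPLE = build_sample_mbr(CLEAN_BOOT_CODE, [XP_PARTITION])
INFECTED_SAMPLE = build_sample_mbr(INFECTED_BOOT_CODE, [XP_PARTITION])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        report = assess_mbr(img, KNOWN_GOOD)
        print(f"{name}: {report['status']} {report['findings']}")
```

On a real machine the 512 bytes would come from a sector dump of the physical disk (which is what the `dump` command in the Bootkit Remover output produces), and the baseline set would hold the hashes of the standard boot code for each Windows version, which is the list MBRCheck draws from when it offers "Windows XP" as a restore option. A hash mismatch alone does not prove infection (some OEM and boot-manager MBRs are legitimately non-standard), which is why the tools ask for confirmation before rewriting the sector.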
 
Back