Solved Can't get rid of rootkit infection / tcpip.sys


The_Reynolds

Hello there, I've been trying for a week now to get rid of some ominous rootkit infection.
Unfortunately I don't know its name, for the ONLY program which detects it is AVAST Free Edition, which at first couldn't even detect which form of malware I have. For three days now it has been saying it's a rootkit but is unable to remove it. The rootkit infects tcpip.sys in the ...\Windows\System32\Drivers folder, resulting in destruction of the TCP/IP protocol and disabling of AVAST's background scanners (network and filesystem). If I delete and replace tcpip.sys manually, the rootkit usually doesn't do anything for up to 2 days, then returns again.
Yesterday I had a new symptom: my computer wouldn't boot. It said some file (not tcpip.sys; it just gave me a folder name without a filename) was corrupted and Windows needed to be re-installed or repaired. After treating that with the MS DART disc (Microsoft Diagnostics and Rescue Tools) I could boot my system up again.
I have tried up to a dozen different anti-malware programs now and, except for AVAST, none of them found anything! I even formatted my system partition and installed a fresh copy of Windows to get rid of it, but it came back after 2 days again. Other drives are allegedly clean, as no program, not even AVAST, can detect anything there; nonetheless, it keeps returning.
Note: the AVAST pre-boot scan didn't bring any results either.

My system runs Win XP SP3 and I have all the following updates installed.
As per usual, AVAST Free Edition is my antivirus program and is always running in the background.
I also use Comodo Personal Firewall.

I will now follow the steps in the preliminary instructions. I already tried MBAM and it didn't turn up anything, but I will run it again and post the logs here when finished.

I'm really desperate by now; I've never had such a persistent infection in my whole life. So I kindly ask for your help, because short of formatting 3 hard discs, I don't know what else to try anymore.

Will start running scans now and post logs afterwards...

Kind regards,
The Reynolds
 
MBAM Log

Malwarebytes Anti-Malware (Trial) 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.18.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Icicle :: OLD-DOG [administrator]

Protection: Disabled

18.12.2012 16:59:55
mbam-log-2012-12-18 (16-59-55).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 184820
Time elapsed: 14 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
DDS Log - DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Icicle at 17:23:27 on 2012-12-18
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1033.18.1536.916 [GMT 1:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Enabled*
.
============== Running Processes ================
.
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\Program Files\AVAST Software\Avast\AvastSvc.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\SiXPack.exe
E:\Program Files\AVAST Software\Avast\avastUI.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\PeerBlock\peerblock.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Mozilla Firefox\firefox.exe
C:\everesthome_build_0290\everest.exe
E:\WINDOWS\system32\wbem\wmiprvse.exe
E:\WINDOWS\system32\svchost.exe -k netsvcs
E:\WINDOWS\system32\svchost.exe -k NetworkService
E:\WINDOWS\system32\svchost.exe -k LocalService
E:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - e:\program files\avast software\avast\aswWebRepIE.dll
BHO: QuickNet BHO: {EA5CA8B6-9B9C-4994-A7A1-947B6C631BE7} -
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - e:\program files\avast software\avast\aswWebRepIE.dll
uRun: [CTFMON.EXE] e:\windows\system32\ctfmon.exe
uRun: [PeerBlock] e:\program files\peerblock\peerblock.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [SiXPack] SiXPack.exe /minimize
mRun: [SiXPack 5.1+] e:\windows\system32\SiXPack 5.1+.exe /minimize
mRun: [avast] "e:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [COMODO Internet Security] "e:\program files\comodo\comodo internet security\cfp.exe" -h
mRunOnce: [Malwarebytes Anti-Malware] e:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] e:\windows\system32\CTFMON.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs= e:\windows\system32\guard32.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - e:\documents and settings\icicle\application data\mozilla\firefox\profiles\r453srqq.default\
FF - plugin: e:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: e:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - ExtSQL: 2012-12-13 14:25; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; e:\documents and settings\icicle\application data\mozilla\firefox\profiles\r453srqq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-12-13 14:27; {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}; e:\documents and settings\icicle\application data\mozilla\firefox\profiles\r453srqq.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
FF - ExtSQL: 2012-12-13 14:27; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; e:\documents and settings\icicle\application data\mozilla\firefox\profiles\r453srqq.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - ExtSQL: 2012-12-13 14:27; trackmenot@mrl.nyu.edu; e:\documents and settings\icicle\application data\mozilla\firefox\profiles\r453srqq.default\extensions\trackmenot@mrl.nyu.edu.xpi
FF - ExtSQL: 2012-12-13 14:27; firefox@ghostery.com; e:\documents and settings\icicle\application data\mozilla\firefox\profiles\r453srqq.default\extensions\firefox@ghostery.com
FF - ExtSQL: 2012-12-13 14:46; wrc@avast.com; e:\program files\avast software\avast\webrep\FF
FF - ExtSQL: 2012-12-13 15:31; youtube2mp3@mondayx.de; e:\documents and settings\icicle\application data\mozilla\firefox\profiles\r453srqq.default\extensions\youtube2mp3@mondayx.de.xpi
FF - ExtSQL: 2012-12-13 15:31; ich@maltegoetz.de; e:\documents and settings\icicle\application data\mozilla\firefox\profiles\r453srqq.default\extensions\ich@maltegoetz.de
FF - ExtSQL: 2012-12-16 07:18; {20a82645-c095-46ed-80e3-08825760534b}; e:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;e:\windows\system32\drivers\aswSnx.sys [2012-12-13 738504]
R1 aswSP;aswSP;e:\windows\system32\drivers\aswSP.sys [2012-12-13 361032]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;e:\windows\system32\drivers\cmdGuard.sys [2012-10-5 497952]
R1 cmdHlp;COMODO Internet Security Helper Driver;e:\windows\system32\drivers\cmdhlp.sys [2012-10-5 32640]
R2 aswFsBlk;aswFsBlk;e:\windows\system32\drivers\aswFsBlk.sys [2012-12-13 21256]
R2 avast! Antivirus;avast! Antivirus;e:\program files\avast software\avast\AvastSvc.exe [2012-12-13 44808]
R2 cmdAgent;COMODO Internet Security Helper Service;e:\program files\comodo\comodo internet security\cmdagent.exe [2012-10-5 1990464]
R3 pbfilter;pbfilter;e:\program files\peerblock\pbfilter.sys [2012-12-13 19056]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;e:\windows\system32\drivers\hitmanpro37.sys [2012-12-16 30616]
S3 XDva401;XDva401;\??\e:\windows\system32\xdva401.sys --> e:\windows\system32\XDva401.sys [?]
.
=============== Created Last 30 ================
.
2012-12-18 15:57:25 22856 ----a-w- e:\windows\system32\drivers\mbam.sys
2012-12-18 15:57:25 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2012-12-17 21:40:36 -------- d-----w- E:\~ErdUserProfile.$$$
2012-12-17 03:05:57 -------- d-sh--w- e:\documents and settings\icicle\PrivacIE
2012-12-16 17:33:24 30616 ----a-w- e:\windows\system32\drivers\hitmanpro37.sys
2012-12-16 12:33:32 -------- d-sh--w- e:\documents and settings\icicle\IETldCache
2012-12-16 06:14:39 -------- d-----w- E:\decf8f00e89575da9e090c4454d19f
2012-12-16 04:38:44 521728 -c----w- e:\windows\system32\dllcache\jsdbgui.dll
2012-12-16 04:36:40 6144 -c----w- e:\windows\system32\dllcache\iecompat.dll
2012-12-16 04:34:57 -------- d-----w- e:\windows\ie8updates
2012-12-16 04:34:24 12800 -c----w- e:\windows\system32\dllcache\xpshims.dll
2012-12-16 04:34:18 55296 -c----w- e:\windows\system32\dllcache\msfeedsbs.dll
2012-12-16 04:34:17 630272 -c----w- e:\windows\system32\dllcache\msfeeds.dll
2012-12-16 04:34:16 247808 -c----w- e:\windows\system32\dllcache\ieproxy.dll
2012-12-16 04:34:16 2000384 -c----w- e:\windows\system32\dllcache\iertutil.dll
2012-12-16 04:34:14 11111424 -c----w- e:\windows\system32\dllcache\ieframe.dll
2012-12-16 04:34:13 743424 -c----w- e:\windows\system32\dllcache\iedvtool.dll
2012-12-16 04:31:43 -------- dc-h--w- e:\windows\ie8
2012-12-16 02:54:53 272128 -c----w- e:\windows\system32\dllcache\bthport.sys
2012-12-16 02:54:53 272128 ------w- e:\windows\system32\drivers\bthport.sys
2012-12-16 02:50:27 456320 -c----w- e:\windows\system32\dllcache\mrxsmb.sys
2012-12-16 02:41:54 293376 ------w- e:\windows\system32\browserchoice.exe
2012-12-16 02:33:24 2148864 -c----w- e:\windows\system32\dllcache\ntkrnlmp.exe
2012-12-16 02:33:23 2192896 -c----w- e:\windows\system32\dllcache\ntoskrnl.exe
2012-12-16 02:33:19 2027520 -c----w- e:\windows\system32\dllcache\ntkrpamp.exe
2012-12-16 02:33:18 2069632 -c----w- e:\windows\system32\dllcache\ntkrnlpa.exe
2012-12-16 02:31:02 3072 -c----w- e:\windows\system32\dllcache\iacenc.dll
2012-12-16 02:31:02 3072 ------w- e:\windows\system32\iacenc.dll
2012-12-16 02:27:42 5120 ----a-w- e:\windows\system32\xpsp4res.dll
2012-12-16 02:18:59 -------- d-----w- e:\windows\system32\PreInstall
2012-12-16 02:18:56 -------- d--h--w- e:\windows\$hf_mig$
2012-12-16 02:11:37 -------- d-----w- e:\windows\system32\SoftwareDistribution
2012-12-16 00:30:16 41527316 ----a-w- E:\regbackup.reg
2012-12-15 22:17:50 -------- d-----w- E:\MGtools
2012-12-15 22:02:31 135016 ----a-w- e:\windows\system32\LnkProtect.dll
2012-12-15 22:02:06 -------- d-----w- e:\documents and settings\all users\application data\HitmanPro
2012-12-15 17:01:01 -------- d-----w- e:\documents and settings\icicle\application data\Malwarebytes
2012-12-15 17:00:41 -------- d-----w- e:\documents and settings\all users\application data\Malwarebytes
2012-12-15 16:41:49 -------- d-----w- e:\documents and settings\icicle\application data\OpenOffice.org
2012-12-13 22:50:30 73656 ----a-w- e:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-13 22:50:30 697272 ----a-w- e:\windows\system32\FlashPlayerApp.exe
2012-12-13 17:01:54 -------- d-----w- e:\program files\TS3
2012-12-13 16:51:27 -------- d-----w- e:\program files\OpenOffice.org 3
2012-12-13 16:37:31 -------- d-----w- e:\program files\uTorrent
2012-12-13 16:35:39 -------- d-----w- e:\documents and settings\icicle\application data\uTorrent
2012-12-13 16:31:17 -------- d-----w- e:\program files\PeerBlock
2012-12-13 16:27:57 -------- d-----w- e:\program files\VideoLAN
2012-12-13 16:06:20 1892184 ----a-w- e:\windows\system32\D3DX9_42.dll
2012-12-13 16:06:19 2414360 ----a-w- e:\windows\system32\d3dx9_31.dll
2012-12-13 16:06:13 -------- d-----w- e:\windows\Logs
2012-12-13 16:06:01 819200 ----a-w- e:\program files\windows media player\wmsetsdk.exe
2012-12-13 16:06:01 47616 ----a-w- e:\program files\windows media player\msoobci.dll
2012-12-13 16:06:01 -------- d-----w- e:\program files\Winamp Detect
2012-12-13 16:05:20 -------- d-----w- e:\windows\RegisteredPackages
2012-12-13 15:19:32 -------- d-----w- e:\windows\system32\XPSViewer
2012-12-13 15:19:03 89088 ----a-w- e:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2012-12-13 15:18:50 14048 ------w- e:\windows\system32\spmsg2.dll
2012-12-13 15:18:47 26144 ----a-w- e:\windows\system32\spupdsvc.exe
2012-12-13 14:39:47 -------- d-----w- e:\documents and settings\all users\application data\Comodo
2012-12-13 14:39:39 -------- d-----w- e:\program files\COMODO
2012-12-13 14:32:28 -------- d-----w- e:\documents and settings\icicle\local settings\application data\PCHealth
2012-12-13 14:25:47 -------- d-----w- e:\program files\MSXML 4.0
.
==================== Find3M ====================
.
2012-12-13 13:08:25 472576 ----a-w- e:\windows\Radeon Omega Drivers v4.8.442 Uninstall.exe
2012-11-13 01:25:12 1866368 ----a-w- e:\windows\system32\win32k.sys
2012-11-07 23:38:16 32640 ----a-w- e:\windows\system32\drivers\cmdhlp.sys
2012-11-07 23:38:14 497952 ----a-w- e:\windows\system32\drivers\cmdGuard.sys
2012-11-07 23:38:13 18096 ----a-w- e:\windows\system32\drivers\cmderd.sys
2012-11-07 23:37:35 34024 ----a-w- e:\windows\system32\cmdcsr.dll
2012-11-07 23:37:34 301264 ----a-w- e:\windows\system32\guard32.dll
2012-11-02 02:02:42 375296 ----a-w- e:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- e:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ------w- e:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ------w- e:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ------w- e:\windows\system32\html.iec
2012-10-30 22:51:58 738504 ----a-w- e:\windows\system32\drivers\aswSnx.sys
2012-10-30 22:51:07 41224 ----a-w- e:\windows\avastSS.scr
2012-10-02 18:04:21 58368 ----a-w- e:\windows\system32\synceng.dll
.
============= FINISH: 17:24:39,82 ===============
 
DDS / Attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 13.12.2012 13:59:40
System Uptime: 18.12.2012 16:01:54 (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | A7V600
Processor: AMD Athlon(TM) XP 2600+ | SOCKET A | 1905/166mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 59 GiB total, 41,943 GiB free.
D: is FIXED (NTFS) - 233 GiB total, 1,617 GiB free.
E: is FIXED (NTFS) - 18 GiB total, 6,436 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 3Com Gigabit LOM (3C940)
Device ID: PCI\VEN_10B7&DEV_1700&SUBSYS_80EB1043&REV_12\3&61AAA01&0&48
Manufacturer: 3Com
Name: 3Com Gigabit LOM (3C940)
PNP Device ID: PCI\VEN_10B7&DEV_1700&SUBSYS_80EB1043&REV_12\3&61AAA01&0&48
Service: EL2000
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&61AAA01&0&78
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&61AAA01&0&78
Service:
.
==== System Restore Points ===================
.
RP13: 15.12.2012 20:21:14 - System Checkpoint
RP14: 15.12.2012 23:17:34 - Microsoft Fix it 50486 wird installiert
RP15: 16.12.2012 03:18:43 - Software Distribution Service 3.0
RP16: 16.12.2012 04:34:49 - Software Distribution Service 3.0
RP17: 16.12.2012 07:05:58 - Software Distribution Service 3.0
RP18: 16.12.2012 13:36:27 - Printer Driver Microsoft XPS Document Writer Installed
RP19: 17.12.2012 16:33:18 - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 11 Plugin
ATI Display Driver (Omega 3.8.442)
µTorrent
avast! Free Antivirus
COMODO Internet Security
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB976002-v5)
Malwarebytes Anti-Malware version 1.65.1.1000
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Miranda IM 0.10.9
Mozilla Firefox 17.0.1 (x86 de)
Mozilla Maintenance Service
MSXML 4.0 SP3 Parser (KB2721691)
OpenOffice.org 3.4.1
PeerBlock 1.1 (r518)
Radeon Omega Drivers v4.8.442 Setup Files and Tools
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761465)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Sicherheitsupdate für Windows XP (KB923789)
SiXPack 5.1+ ControlPanel
SixpackDriver
TeamSpeak 3 Client
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973815)
VLC media player 2.0.4
WebFldrs XP
Winamp
Winamp Erkennungs-Plug-in
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 8
Windows Media Format Runtime
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
16.12.2012 02:24:32, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
16.12.2012 01:40:48, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
16.12.2012 01:33:37, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error: The dependency service or group failed to start.
16.12.2012 01:33:37, error: Service Control Manager [7001] - The NetBios over Tcpip service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The system cannot find the file specified.
16.12.2012 01:33:37, error: Service Control Manager [7001] - The IPSEC Services service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The system cannot find the file specified.
16.12.2012 01:33:37, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The system cannot find the file specified.
16.12.2012 01:33:37, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: The dependency service or group failed to start.
16.12.2012 01:33:37, error: Service Control Manager [7000] - The TCP/IP Protocol Driver service failed to start due to the following error: The system cannot find the file specified.
16.12.2012 01:26:26, error: Service Control Manager [7003] - The IP Traffic Filter Driver service depends on the following nonexistent service: tcpip
16.12.2012 01:26:26, error: Service Control Manager [7003] - The AswRdr service depends on the following nonexistent service: tcpip
16.12.2012 01:24:52, error: Workstation [5728] - Could not load any transport.
16.12.2012 00:18:55, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
16.12.2012 00:18:52, error: Service Control Manager [7001] - The IP Traffic Filter Driver service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
16.12.2012 00:18:52, error: Service Control Manager [7001] - The AswRdr service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
16.12.2012 00:18:47, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AswRdr
16.12.2012 00:18:47, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
16.12.2012 00:18:47, error: Service Control Manager [7001] - The IPSEC Services service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
16.12.2012 00:18:47, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
16.12.2012 00:18:47, error: Service Control Manager [7001] - The DHCP Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
16.12.2012 00:16:11, error: NetBT [4311] - Initialization failed because the driver device could not be created.
16.12.2012 00:16:11, error: ati2mtag [45062] - CRT invalid display type
15.12.2012 23:29:57, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AswRdr uagp35
15.12.2012 23:27:45, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
.
==== End Of File ===========================
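The "Event Viewer Messages" section of the Attach.txt above is what shows the TCP/IP Protocol Driver failing and every dependent service falling over behind it. The following Python is an added triage helper, not part of this thread or of the DDS tool: it parses that line format and walks the Service Control Manager 7001 "depends on" messages back to the root failure (event 7000) and to 7003 "nonexistent service" entries. The sample lines are constructed in the DDS format and all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the DDS Attach.txt
# "Event Viewer Messages From Past Week" section (not copied from the thread).
SAMPLE_LOG = r"""
16.12.2012 02:24:32, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
16.12.2012 01:33:37, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the NetBios over Tcpip service which failed to start because of the following error: The dependency service or group failed to start.
16.12.2012 01:33:37, error: Service Control Manager [7001] - The NetBios over Tcpip service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The system cannot find the file specified.
16.12.2012 01:33:37, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The system cannot find the file specified.
16.12.2012 01:33:37, error: Service Control Manager [7000] - The TCP/IP Protocol Driver service failed to start due to the following error: The system cannot find the file specified.
16.12.2012 01:26:26, error: Service Control Manager [7003] - The AswRdr service depends on the following nonexistent service: tcpip
16.12.2012 00:18:47, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AswRdr
"""

# One DDS event line: "<dd.mm.yyyy hh:mm:ss>, <level>: <source> [<event id>] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
# Service Control Manager message shapes seen in the log (events 7000/7001/7003/7026).
ROOT_RE = re.compile(r"^The (?P<svc>.+?) service failed to start due to the following error: (?P<err>.+)$")
DEP_RE = re.compile(
    r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed to start "
    r"because of the following error: (?P<err>.+)$"
)
MISSING_RE = re.compile(r"^The (?P<svc>.+?) service depends on the following nonexistent service: (?P<dep>.+)$")
DRIVER_RE = re.compile(r"^The following boot-start or system-start driver\(s\) failed to load: (?P<drivers>.+)$")


def parse_line(line):
    """Split one DDS event line into its fields; return None for non-event lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["eid"] = int(ev["eid"])
    return ev


def triage(lines):
    """Collect SCM failures into dependency maps so the chain can be walked back."""
    t = {
        "root_failures": {},        # service -> error text it reported itself (7000)
        "depends_on": {},           # service -> service it blamed (7001)
        "dep_errors": {},           # blamed service -> error text quoted by a dependent
        "missing": {},              # service -> nonexistent service it requires (7003)
        "drivers_failed": set(),    # boot/system-start drivers that did not load (7026)
        "other": defaultdict(int),  # everything else, counted by source[event id]
    }
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        msg = ev["msg"]
        if ev["source"] != "Service Control Manager":
            t["other"]["%s[%d]" % (ev["source"], ev["eid"])] += 1
        elif (m := ROOT_RE.match(msg)):
            t["root_failures"][m["svc"]] = m["err"]
        elif (m := DEP_RE.match(msg)):
            t["depends_on"][m["svc"]] = m["dep"]
            t["dep_errors"].setdefault(m["dep"], m["err"])
        elif (m := MISSING_RE.match(msg)):
            t["missing"][m["svc"]] = m["dep"]
        elif (m := DRIVER_RE.match(msg)):
            t["drivers_failed"].update(m["drivers"].split())
        else:
            t["other"]["SCM[%d]" % ev["eid"]] += 1
    return t


def root_cause(depends_on, service):
    """Follow 'depends on' links until a service that blamed nobody else (cycle-safe)."""
    seen = set()
    cur = service
    while cur in depends_on and cur not in seen:
        seen.add(cur)
        cur = depends_on[cur]
    return cur


def summarize(t):
    """Group every dependent failure under the service at the end of its chain."""
    report = {}
    for svc in t["depends_on"]:
        root = root_cause(t["depends_on"], svc)
        err = t["root_failures"].get(root) or t["dep_errors"].get(root, "unknown")
        report.setdefault(root, {"error": err, "dependents": []})["dependents"].append(svc)
    for svc, dep in t["missing"].items():
        err = "nonexistent service (event 7003)"
        report.setdefault(dep, {"error": err, "dependents": []})["dependents"].append(svc)
    for entry in report.values():
        entry["dependents"].sort()
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.strip().splitlines())
    for root, entry in summarize(result).items():
        print("%s: %s" % (root, entry["error"]))
        for svc in entry["dependents"]:
            print("    blocks", svc)
    print("drivers failed to load:", sorted(result["drivers_failed"]))
```

On the sample this collapses six SCM errors into two roots: the TCP/IP Protocol Driver (file not found) and the missing `tcpip` service key, which is the same picture the full log above paints.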
 
Hello, and welcome to TechSpot.

Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

TDSSKiller Scan

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

For Windows XP, double-click to start.
For Vista or Windows 7, right-click on the program, select Run as Administrator to start, and when prompted, Allow it to run.


-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


------------------------

Click the Start Scan button.


-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.


----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.


--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

-------------------

Here's a summary of what to do if you would like to print it out:

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
 
Hello DragonMaster Jay,

Thank you for your fast reply! I'd like to point out that I already tried Kaspersky TDSS Killer and it didn't turn up anything at the time. It was one of the numerous anti-malware programs I tried out before posting here. However, I will run another scan following your directions and post the results here when the scan is done.

Again, thank you very much for helping me!
 
Next:

CapperKiller Scan

The CapperKiller utility is designed for treating the aftermath of a Trojan-Banker.Win32.Capper infection.

How to use the utility:
  • Download the CapperKiller.exe utility.
  • Run CapperKiller.exe
  • A reboot may be required after the treatment. Please make sure it reboots, if it asks.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "CapperKiller.[Version]_[Date]_[Time]_log.txt".
  • Please copy and paste its contents on your next reply.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.


avast! aswMBR

Please download aswMBR from here
  • Save aswMBR.exe to your Desktop
  • Double click aswMBR.exe to run it
  • Uncheck "Trace disk IO calls".
  • Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.
  • Once the scan finishes click Save log to save the log to your Desktop
  • Copy and paste the contents of aswMBR.txt back here for review
  • Please also find MBR.dat on your Desktop, and rename it to MBRscan.txt. Upload that as well. Do not copy and paste MBR.dat/txt, it needs to be uploaded.
 
19:40:10.0437 2588 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
19:40:10.0968 2588 ============================================================
19:40:10.0968 2588 Current date / time: 2012/12/18 19:40:10.0968
19:40:10.0968 2588 SystemInfo:
19:40:10.0968 2588
19:40:10.0968 2588 OS Version: 5.1.2600 ServicePack: 3.0
19:40:10.0968 2588 Product type: Workstation
19:40:10.0968 2588 ComputerName: OLD-DOG
19:40:10.0968 2588 UserName: Icicle
19:40:10.0968 2588 Windows directory: E:\WINDOWS
19:40:10.0968 2588 System windows directory: E:\WINDOWS
19:40:10.0968 2588 Processor architecture: Intel x86
19:40:10.0968 2588 Number of processors: 1
19:40:10.0968 2588 Page size: 0x1000
19:40:10.0968 2588 Boot type: Normal boot
19:40:10.0968 2588 ============================================================
19:40:19.0671 2588 Drive \Device\Harddisk0\DR0 - Size: 0x1315740000 (76.34 Gb), SectorSize: 0x200, Cylinders: 0x26EC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:40:19.0687 2588 Drive \Device\Harddisk1\DR1 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:40:19.0687 2588 ============================================================
19:40:19.0687 2588 \Device\Harddisk0\DR0:
19:40:19.0687 2588 MBR partitions:
19:40:19.0687 2588 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F00, BlocksNum 0x2373C4B
19:40:19.0687 2588 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x2377B4B, BlocksNum 0x75304A1
19:40:19.0687 2588 \Device\Harddisk1\DR1:
19:40:19.0687 2588 MBR partitions:
19:40:19.0687 2588 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1C0681
19:40:19.0687 2588 ============================================================
19:40:19.0765 2588 C: <-> \Device\Harddisk0\DR0\Partition2
19:40:19.0921 2588 D: <-> \Device\Harddisk1\DR1\Partition1
19:40:19.0953 2588 E: <-> \Device\Harddisk0\DR0\Partition1
19:40:19.0953 2588 ============================================================
19:40:19.0953 2588 Initialize success
19:40:19.0953 2588 ============================================================
19:40:51.0375 0176 ============================================================
19:40:51.0375 0176 Scan started
19:40:51.0375 0176 Mode: Manual; SigCheck; TDLFS;
19:40:51.0375 0176 ============================================================
19:40:51.0687 0176 ================ Scan services =============================
19:40:51.0921 0176 [ 149A8F7ADF9742554DC323E290551E3E ] Aavmker4 E:\WINDOWS\system32\drivers\Aavmker4.sys
19:40:52.0171 0176 Aavmker4 - ok
19:40:52.0187 0176 Abiosdsk - ok
19:40:52.0203 0176 abp480n5 - ok
19:40:52.0281 0176 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI E:\WINDOWS\system32\DRIVERS\ACPI.sys
19:40:52.0750 0176 ACPI - ok
19:40:52.0796 0176 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC E:\WINDOWS\system32\drivers\ACPIEC.sys
19:40:53.0015 0176 ACPIEC - ok
19:40:53.0031 0176 adpu160m - ok
19:40:53.0093 0176 [ 8BED39E3C35D6A489438B8141717A557 ] aec E:\WINDOWS\system32\drivers\aec.sys
19:40:53.0328 0176 aec - ok
19:40:53.0406 0176 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD E:\WINDOWS\System32\drivers\afd.sys
19:40:53.0484 0176 AFD - ok
19:40:53.0500 0176 Aha154x - ok
19:40:53.0515 0176 aic78u2 - ok
19:40:53.0531 0176 aic78xx - ok
19:40:53.0578 0176 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter E:\WINDOWS\system32\alrsvc.dll
19:40:53.0796 0176 Alerter - ok
19:40:53.0828 0176 [ 8C515081584A38AA007909CD02020B3D ] ALG E:\WINDOWS\System32\alg.exe
19:40:53.0937 0176 ALG - ok
19:40:53.0953 0176 AliIde - ok
19:40:54.0000 0176 [ 8FCE268CDBDD83B23419D1F35F42C7B1 ] AmdK7 E:\WINDOWS\system32\DRIVERS\amdk7.sys
19:40:54.0203 0176 AmdK7 - ok
19:40:54.0218 0176 amsint - ok
19:40:54.0281 0176 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt E:\WINDOWS\System32\appmgmts.dll
19:40:54.0375 0176 AppMgmt - ok
19:40:54.0390 0176 asc - ok
19:40:54.0406 0176 asc3350p - ok
19:40:54.0421 0176 asc3550 - ok
19:40:54.0515 0176 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
19:40:54.0546 0176 aspnet_state - ok
19:40:54.0578 0176 [ DE6ED95AEF259979B2830450072A627B ] aswFsBlk E:\WINDOWS\system32\drivers\aswFsBlk.sys
19:40:54.0593 0176 aswFsBlk - ok
19:40:54.0625 0176 [ 84F0BE324EE111338589F448C3E8BAB2 ] aswMon2 E:\WINDOWS\system32\drivers\aswMon2.sys
19:40:54.0671 0176 aswMon2 - ok
19:40:54.0703 0176 [ 7C9F0A2AB17D52261A9252A2EB320884 ] AswRdr E:\WINDOWS\system32\drivers\AswRdr.sys
19:40:54.0734 0176 AswRdr - ok
19:40:54.0921 0176 [ B32E9AD44A1DBB3E8095E80F8DF32B03 ] aswSnx E:\WINDOWS\system32\drivers\aswSnx.sys
19:40:55.0234 0176 aswSnx - ok
19:40:55.0343 0176 [ 67B558895695545FB0568B7541F3BCA7 ] aswSP E:\WINDOWS\system32\drivers\aswSP.sys
19:40:55.0531 0176 aswSP - ok
19:40:55.0562 0176 [ E3E73B2B73A4DFADFDDF557192C4B08A ] aswTdi E:\WINDOWS\system32\drivers\aswTdi.sys
19:40:55.0593 0176 aswTdi - ok
19:40:55.0640 0176 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac E:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:40:55.0859 0176 AsyncMac - ok
19:40:55.0921 0176 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi E:\WINDOWS\system32\DRIVERS\atapi.sys
19:40:56.0187 0176 atapi - ok
19:40:56.0203 0176 Atdisk - ok
19:40:56.0343 0176 [ E02ABC15C3428809F7BCB82571633575 ] Ati HotKey Poller E:\WINDOWS\system32\Ati2evxx.exe
19:40:56.0562 0176 Ati HotKey Poller ( UnsignedFile.Multi.Generic ) - warning
19:40:56.0562 0176 Ati HotKey Poller - detected UnsignedFile.Multi.Generic (1)
19:40:56.0750 0176 [ 3AE69EA1AF3D65C362869D6DEC0CFA52 ] ATI Smart E:\WINDOWS\system32\ati2sgag.exe
19:40:57.0031 0176 ATI Smart ( UnsignedFile.Multi.Generic ) - warning
19:40:57.0031 0176 ATI Smart - detected UnsignedFile.Multi.Generic (1)
19:40:57.0703 0176 [ EC2743BF722D4356375A0A01B69A81E0 ] ati2mtag E:\WINDOWS\system32\DRIVERS\ati2mtag.sys
19:40:59.0031 0176 ati2mtag ( UnsignedFile.Multi.Generic ) - warning
19:40:59.0031 0176 ati2mtag - detected UnsignedFile.Multi.Generic (1)
19:40:59.0093 0176 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc E:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:40:59.0312 0176 Atmarpc - ok
19:40:59.0359 0176 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv E:\WINDOWS\System32\audiosrv.dll
19:40:59.0593 0176 AudioSrv - ok
19:40:59.0625 0176 [ D9F724AA26C010A217C97606B160ED68 ] audstub E:\WINDOWS\system32\DRIVERS\audstub.sys
19:40:59.0828 0176 audstub - ok
19:40:59.0906 0176 [ 8FA553E9AE69808D99C164733A0F9590 ] avast! Antivirus E:\Program Files\AVAST Software\Avast\AvastSvc.exe
19:40:59.0937 0176 avast! Antivirus - ok
19:41:00.0000 0176 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep E:\WINDOWS\system32\drivers\Beep.sys
19:41:00.0218 0176 Beep - ok
19:41:00.0343 0176 [ 574738F61FCA2935F5265DC4E5691314 ] BITS E:\WINDOWS\system32\qmgr.dll
19:41:00.0734 0176 BITS - ok
19:41:00.0796 0176 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser E:\WINDOWS\System32\browser.dll
19:41:00.0859 0176 Browser - ok
19:41:00.0906 0176 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k E:\WINDOWS\system32\drivers\cbidf2k.sys
19:41:01.0171 0176 cbidf2k - ok
19:41:01.0187 0176 cd20xrnt - ok
19:41:01.0218 0176 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio E:\WINDOWS\system32\drivers\Cdaudio.sys
19:41:01.0437 0176 Cdaudio - ok
19:41:01.0500 0176 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs E:\WINDOWS\system32\drivers\Cdfs.sys
19:41:01.0734 0176 Cdfs - ok
19:41:01.0781 0176 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom E:\WINDOWS\system32\DRIVERS\cdrom.sys
19:41:02.0031 0176 Cdrom - ok
19:41:02.0046 0176 Changer - ok
19:41:02.0093 0176 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc E:\WINDOWS\system32\cisvc.exe
19:41:02.0296 0176 CiSvc - ok
19:41:02.0328 0176 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv E:\WINDOWS\system32\clipsrv.exe
19:41:02.0578 0176 ClipSrv - ok
19:41:02.0625 0176 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
19:41:02.0671 0176 clr_optimization_v2.0.50727_32 - ok
19:41:03.0218 0176 [ 2A2D72271844C52F004901A60312B96A ] cmdAgent E:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
19:41:04.0125 0176 cmdAgent - ok
19:41:04.0281 0176 [ 9181CC4D007ADBE21DB9A11BFECAFEF5 ] cmdGuard E:\WINDOWS\system32\DRIVERS\cmdguard.sys
19:41:04.0468 0176 cmdGuard - ok
19:41:04.0500 0176 [ C5A9FB50E8CA7FD99F256255FEE71580 ] cmdHlp E:\WINDOWS\system32\DRIVERS\cmdhlp.sys
19:41:04.0546 0176 cmdHlp - ok
19:41:04.0562 0176 CmdIde - ok
19:41:04.0578 0176 COMSysApp - ok
19:41:04.0609 0176 Cpqarray - ok
19:41:04.0656 0176 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc E:\WINDOWS\System32\cryptsvc.dll
19:41:04.0890 0176 CryptSvc - ok
19:41:04.0984 0176 [ 3EB0DBAE1CEE2019E3D659E7A35EA749 ] cwcspud E:\WINDOWS\system32\drivers\cwcspud.sys
19:41:05.0062 0176 cwcspud ( UnsignedFile.Multi.Generic ) - warning
19:41:05.0062 0176 cwcspud - detected UnsignedFile.Multi.Generic (1)
19:41:05.0234 0176 [ C844B29F17AC7F4A9A75DF0195AE0385 ] cwcwdm E:\WINDOWS\system32\drivers\cwcwdm.sys
19:41:05.0453 0176 cwcwdm ( UnsignedFile.Multi.Generic ) - warning
19:41:05.0453 0176 cwcwdm - detected UnsignedFile.Multi.Generic (1)
19:41:05.0468 0176 dac2w2k - ok
19:41:05.0484 0176 dac960nt - ok
19:41:05.0609 0176 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch E:\WINDOWS\system32\rpcss.dll
19:41:05.0828 0176 DcomLaunch - ok
19:41:05.0890 0176 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp E:\WINDOWS\System32\dhcpcsvc.dll
19:41:06.0187 0176 Dhcp - ok
19:41:06.0234 0176 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk E:\WINDOWS\system32\DRIVERS\disk.sys
19:41:06.0484 0176 Disk - ok
19:41:06.0500 0176 dmadmin - ok
19:41:06.0734 0176 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot E:\WINDOWS\system32\drivers\dmboot.sys
19:41:07.0250 0176 dmboot - ok
19:41:07.0328 0176 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio E:\WINDOWS\system32\drivers\dmio.sys
19:41:07.0578 0176 dmio - ok
19:41:07.0609 0176 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload E:\WINDOWS\system32\drivers\dmload.sys
19:41:07.0843 0176 dmload - ok
19:41:07.0875 0176 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver E:\WINDOWS\System32\dmserver.dll
19:41:08.0109 0176 dmserver - ok
19:41:08.0171 0176 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic E:\WINDOWS\system32\drivers\DMusic.sys
19:41:08.0406 0176 DMusic - ok
19:41:08.0453 0176 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache E:\WINDOWS\System32\dnsrslvr.dll
19:41:08.0515 0176 Dnscache - ok
19:41:08.0578 0176 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc E:\WINDOWS\System32\dot3svc.dll
19:41:08.0812 0176 Dot3svc - ok
19:41:08.0843 0176 dpti2o - ok
19:41:08.0859 0176 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud E:\WINDOWS\system32\drivers\drmkaud.sys
19:41:09.0093 0176 drmkaud - ok
19:41:09.0125 0176 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost E:\WINDOWS\System32\eapsvc.dll
19:41:09.0375 0176 EapHost - ok
19:41:09.0468 0176 [ D0C7F8CA97D16263D434D943B4B7004F ] EL2000 E:\WINDOWS\system32\DRIVERS\EL2K_XP.sys
19:41:09.0500 0176 EL2000 ( UnsignedFile.Multi.Generic ) - warning
19:41:09.0500 0176 EL2000 - detected UnsignedFile.Multi.Generic (1)
19:41:09.0531 0176 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc E:\WINDOWS\System32\ersvc.dll
19:41:09.0765 0176 ERSvc - ok
19:41:09.0828 0176 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog E:\WINDOWS\system32\services.exe
19:41:09.0906 0176 Eventlog - ok
19:41:10.0000 0176 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem E:\WINDOWS\system32\es.dll
19:41:10.0125 0176 EventSystem - ok
19:41:10.0187 0176 [ 38D332A6D56AF32635675F132548343E ] Fastfat E:\WINDOWS\system32\drivers\Fastfat.sys
19:41:10.0453 0176 Fastfat - ok
19:41:10.0515 0176 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility E:\WINDOWS\System32\shsvcs.dll
19:41:10.0593 0176 FastUserSwitchingCompatibility - ok
19:41:10.0640 0176 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc E:\WINDOWS\system32\DRIVERS\fdc.sys
19:41:10.0906 0176 Fdc - ok
19:41:10.0937 0176 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips E:\WINDOWS\system32\drivers\Fips.sys
19:41:11.0218 0176 Fips - ok
19:41:11.0250 0176 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk E:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:41:11.0468 0176 Flpydisk - ok
19:41:11.0531 0176 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr E:\WINDOWS\system32\DRIVERS\fltMgr.sys
19:41:11.0765 0176 FltMgr - ok
19:41:11.0843 0176 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 e:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
19:41:11.0875 0176 FontCache3.0.0.0 - ok
19:41:11.0906 0176 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec E:\WINDOWS\system32\drivers\Fs_Rec.sys
19:41:12.0171 0176 Fs_Rec - ok
19:41:12.0218 0176 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk E:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:41:12.0453 0176 Ftdisk - ok
19:41:12.0500 0176 [ 065639773D8B03F33577F6CDAEA21063 ] gameenum E:\WINDOWS\system32\DRIVERS\gameenum.sys
19:41:12.0734 0176 gameenum - ok
19:41:12.0765 0176 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc E:\WINDOWS\system32\DRIVERS\msgpc.sys
19:41:13.0015 0176 Gpc - ok
19:41:13.0078 0176 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc E:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
19:41:13.0328 0176 helpsvc - ok
19:41:13.0375 0176 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ E:\WINDOWS\System32\hidserv.dll
19:41:13.0609 0176 HidServ - ok
19:41:13.0656 0176 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb E:\WINDOWS\system32\DRIVERS\hidusb.sys
19:41:13.0906 0176 hidusb - ok
19:41:13.0937 0176 [ 7EAB073BF5949ED639660787A01B623D ] hitmanpro37 E:\WINDOWS\system32\drivers\hitmanpro37.sys
19:41:13.0968 0176 hitmanpro37 - ok
19:41:14.0046 0176 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc E:\WINDOWS\System32\kmsvc.dll
19:41:14.0312 0176 hkmsvc - ok
19:41:14.0328 0176 hpn - ok
19:41:14.0437 0176 [ F6AACF5BCE2893E0C1754AFEB672E5C9 ] HTTP E:\WINDOWS\system32\Drivers\HTTP.sys
19:41:14.0718 0176 HTTP - ok
19:41:14.0750 0176 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter E:\WINDOWS\System32\w3ssl.dll
19:41:15.0031 0176 HTTPFilter - ok
19:41:15.0046 0176 i2omgmt - ok
19:41:15.0062 0176 i2omp - ok
19:41:15.0093 0176 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt E:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:41:15.0343 0176 i8042prt - ok
19:41:15.0656 0176 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
19:41:16.0125 0176 idsvc - ok
19:41:16.0156 0176 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi E:\WINDOWS\system32\DRIVERS\imapi.sys
19:41:16.0437 0176 Imapi - ok
19:41:16.0500 0176 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService E:\WINDOWS\system32\imapi.exe
19:41:16.0781 0176 ImapiService - ok
19:41:16.0796 0176 ini910u - ok
19:41:16.0859 0176 [ E1DF634BEC066B3D4FFE437BCB78C282 ] Inspect E:\WINDOWS\system32\DRIVERS\inspect.sys
19:41:16.0890 0176 Inspect - ok
19:41:16.0921 0176 IntelIde - ok
19:41:16.0968 0176 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw E:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
19:41:17.0234 0176 Ip6Fw - ok
19:41:17.0281 0176 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver E:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:41:17.0531 0176 IpFilterDriver - ok
19:41:17.0562 0176 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp E:\WINDOWS\system32\DRIVERS\ipinip.sys
19:41:17.0781 0176 IpInIp - ok
19:41:17.0859 0176 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat E:\WINDOWS\system32\DRIVERS\ipnat.sys
19:41:18.0171 0176 IpNat - ok
19:41:18.0234 0176 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec E:\WINDOWS\system32\DRIVERS\ipsec.sys
19:41:18.0515 0176 IPSec - ok
19:41:18.0546 0176 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM E:\WINDOWS\system32\DRIVERS\irenum.sys
19:41:18.0640 0176 IRENUM - ok
19:41:18.0703 0176 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp E:\WINDOWS\system32\DRIVERS\isapnp.sys
19:41:18.0921 0176 isapnp - ok
19:41:18.0968 0176 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass E:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:41:19.0250 0176 Kbdclass - ok
19:41:19.0281 0176 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid E:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:41:19.0515 0176 kbdhid - ok
19:41:19.0593 0176 [ 692BCF44383D056AED41B045A323D378 ] kmixer E:\WINDOWS\system32\drivers\kmixer.sys
19:41:19.0875 0176 kmixer - ok
19:41:19.0937 0176 [ B467646C54CC746128904E1654C750C1 ] KSecDD E:\WINDOWS\system32\drivers\KSecDD.sys
19:41:20.0015 0176 KSecDD - ok
19:41:20.0078 0176 [ F385F4B02C535BFFE1D70CAB80838123 ] LanmanServer E:\WINDOWS\System32\srvsvc.dll
19:41:20.0359 0176 LanmanServer - ok
19:41:20.0421 0176 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation E:\WINDOWS\System32\wkssvc.dll
19:41:20.0515 0176 lanmanworkstation - ok
19:41:20.0531 0176 lbrtfdc - ok
19:41:20.0578 0176 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts E:\WINDOWS\System32\lmhsvc.dll
19:41:20.0843 0176 LmHosts - ok
19:41:20.0890 0176 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger E:\WINDOWS\System32\msgsvc.dll
19:41:21.0187 0176 Messenger - ok
19:41:21.0234 0176 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd E:\WINDOWS\system32\drivers\mnmdd.sys
19:41:21.0453 0176 mnmdd - ok
19:41:21.0484 0176 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc E:\WINDOWS\system32\mnmsrvc.exe
19:41:21.0750 0176 mnmsrvc - ok
19:41:21.0781 0176 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem E:\WINDOWS\system32\drivers\Modem.sys
19:41:22.0046 0176 Modem - ok
19:41:22.0078 0176 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass E:\WINDOWS\system32\DRIVERS\mouclass.sys
19:41:22.0359 0176 Mouclass - ok
19:41:22.0406 0176 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr E:\WINDOWS\system32\drivers\MountMgr.sys
19:41:22.0671 0176 MountMgr - ok
19:41:22.0734 0176 [ 8C7336950F1E69CDFD811CBBD9CF00A2 ] MozillaMaintenance E:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
19:41:22.0812 0176 MozillaMaintenance - ok
19:41:22.0828 0176 mraid35x - ok
19:41:22.0906 0176 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV E:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:41:23.0187 0176 MRxDAV - ok
19:41:23.0328 0176 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb E:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:41:23.0531 0176 MRxSmb - ok
19:41:23.0578 0176 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC E:\WINDOWS\system32\msdtc.exe
19:41:23.0796 0176 MSDTC - ok
19:41:23.0843 0176 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs E:\WINDOWS\system32\drivers\Msfs.sys
19:41:24.0109 0176 Msfs - ok
19:41:24.0125 0176 MSIServer - ok
19:41:24.0156 0176 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV E:\WINDOWS\system32\drivers\MSKSSRV.sys
19:41:24.0375 0176 MSKSSRV - ok
19:41:24.0390 0176 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK E:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:41:24.0609 0176 MSPCLOCK - ok
19:41:24.0640 0176 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM E:\WINDOWS\system32\drivers\MSPQM.sys
19:41:24.0843 0176 MSPQM - ok
19:41:24.0890 0176 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios E:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:41:25.0171 0176 mssmbios - ok
19:41:25.0234 0176 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup E:\WINDOWS\system32\drivers\Mup.sys
19:41:25.0281 0176 Mup - ok
19:41:25.0390 0176 [ 0102140028FAD045756796E1C685D695 ] napagent E:\WINDOWS\System32\qagentrt.dll
19:41:25.0687 0176 napagent - ok
19:41:25.0765 0176 [ 1DF7F42665C94B825322FAE71721130D ] NDIS E:\WINDOWS\system32\drivers\NDIS.sys
19:41:26.0062 0176 NDIS - ok
19:41:26.0109 0176 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi E:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:41:26.0156 0176 NdisTapi - ok
19:41:26.0203 0176 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio E:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:41:26.0437 0176 Ndisuio - ok
19:41:26.0500 0176 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan E:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:41:26.0796 0176 NdisWan - ok
19:41:26.0843 0176 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy E:\WINDOWS\system32\drivers\NDProxy.sys
19:41:26.0890 0176 NDProxy - ok
19:41:26.0921 0176 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS E:\WINDOWS\system32\DRIVERS\netbios.sys
19:41:27.0203 0176 NetBIOS - ok
19:41:27.0265 0176 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT E:\WINDOWS\system32\DRIVERS\netbt.sys
19:41:27.0515 0176 NetBT - ok
19:41:27.0593 0176 [ B857BA82860D7FF85AE29B095645563B ] NetDDE E:\WINDOWS\system32\netdde.exe
19:41:27.0843 0176 NetDDE - ok
19:41:27.0875 0176 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm E:\WINDOWS\system32\netdde.exe
19:41:28.0187 0176 NetDDEdsdm - ok
19:41:28.0234 0176 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon E:\WINDOWS\system32\lsass.exe
19:41:28.0468 0176 Netlogon - ok
19:41:28.0546 0176 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman E:\WINDOWS\System32\netman.dll
19:41:28.0812 0176 Netman - ok
19:41:28.0890 0176 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
19:41:28.0953 0176 NetTcpPortSharing - ok
19:41:29.0046 0176 [ 943337D786A56729263071623BBB9DE5 ] Nla E:\WINDOWS\System32\mswsock.dll
19:41:29.0140 0176 Nla - ok
19:41:29.0203 0176 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs E:\WINDOWS\system32\drivers\Npfs.sys
19:41:29.0468 0176 Npfs - ok
19:41:29.0640 0176 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs E:\WINDOWS\system32\drivers\Ntfs.sys
19:41:30.0078 0176 Ntfs - ok
19:41:30.0109 0176 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp E:\WINDOWS\system32\lsass.exe
19:41:30.0359 0176 NtLmSsp - ok
19:41:30.0500 0176 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc E:\WINDOWS\system32\ntmssvc.dll
19:41:30.0906 0176 NtmsSvc - ok
19:41:30.0937 0176 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null E:\WINDOWS\system32\drivers\Null.sys
19:41:31.0187 0176 Null - ok
19:41:31.0234 0176 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt E:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:41:31.0484 0176 NwlnkFlt - ok
19:41:31.0515 0176 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd E:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:41:31.0734 0176 NwlnkFwd - ok
19:41:31.0781 0176 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport E:\WINDOWS\system32\DRIVERS\parport.sys
19:41:32.0078 0176 Parport - ok
19:41:32.0109 0176 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr E:\WINDOWS\system32\drivers\PartMgr.sys
19:41:32.0328 0176 PartMgr - ok
19:41:32.0375 0176 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm E:\WINDOWS\system32\drivers\ParVdm.sys
19:41:32.0609 0176 ParVdm - ok
19:41:32.0671 0176 [ 61A5701E3F543861B21BBE0932C4CC03 ] pbfilter E:\Program Files\PeerBlock\pbfilter.sys
19:41:32.0703 0176 pbfilter - ok
19:41:32.0734 0176 [ A219903CCF74233761D92BEF471A07B1 ] PCI E:\WINDOWS\system32\DRIVERS\pci.sys
19:41:33.0000 0176 PCI - ok
19:41:33.0015 0176 PCIDump - ok
19:41:33.0031 0176 PCIIde - ok
19:41:33.0093 0176 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia E:\WINDOWS\system32\drivers\Pcmcia.sys
19:41:33.0312 0176 Pcmcia - ok
19:41:33.0328 0176 PDCOMP - ok
19:41:33.0343 0176 PDFRAME - ok
19:41:33.0375 0176 PDRELI - ok
19:41:33.0390 0176 PDRFRAME - ok
19:41:33.0406 0176 perc2 - ok
19:41:33.0421 0176 perc2hib - ok
19:41:33.0500 0176 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay E:\WINDOWS\system32\services.exe
19:41:33.0531 0176 PlugPlay - ok
19:41:33.0562 0176 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent E:\WINDOWS\system32\lsass.exe
19:41:33.0812 0176 PolicyAgent - ok
19:41:33.0843 0176 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport E:\WINDOWS\system32\DRIVERS\raspptp.sys
19:41:34.0109 0176 PptpMiniport - ok
19:41:34.0125 0176 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage E:\WINDOWS\system32\lsass.exe
19:41:34.0359 0176 ProtectedStorage - ok
19:41:34.0390 0176 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched E:\WINDOWS\system32\DRIVERS\psched.sys
19:41:34.0687 0176 PSched - ok
19:41:34.0703 0176 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink E:\WINDOWS\system32\DRIVERS\ptilink.sys
19:41:34.0921 0176 Ptilink - ok
19:41:34.0937 0176 ql1080 - ok
19:41:34.0937 0176 Ql10wnt - ok
19:41:34.0968 0176 ql12160 - ok
19:41:34.0984 0176 ql1240 - ok
19:41:35.0000 0176 ql1280 - ok
19:41:35.0031 0176 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd E:\WINDOWS\system32\DRIVERS\rasacd.sys
19:41:35.0234 0176 RasAcd - ok
19:41:35.0296 0176 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto E:\WINDOWS\System32\rasauto.dll
19:41:35.0546 0176 RasAuto - ok
19:41:35.0593 0176 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp E:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:41:35.0796 0176 Rasl2tp - ok
19:41:35.0890 0176 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan E:\WINDOWS\System32\rasmans.dll
19:41:36.0156 0176 RasMan - ok
19:41:36.0187 0176 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe E:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:41:36.0468 0176 RasPppoe - ok
19:41:36.0500 0176 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti E:\WINDOWS\system32\DRIVERS\raspti.sys
19:41:36.0734 0176 Raspti - ok
19:41:36.0812 0176 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss E:\WINDOWS\system32\DRIVERS\rdbss.sys
19:41:37.0093 0176 Rdbss - ok
19:41:37.0125 0176 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD E:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:41:37.0312 0176 RDPCDD - ok
19:41:37.0421 0176 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr E:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:41:37.0671 0176 rdpdr - ok
19:41:37.0750 0176 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD E:\WINDOWS\system32\drivers\RDPWD.sys
19:41:37.0828 0176 RDPWD - ok
19:41:37.0921 0176 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr E:\WINDOWS\system32\sessmgr.exe
19:41:38.0250 0176 RDSessMgr - ok
19:41:38.0296 0176 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook E:\WINDOWS\system32\DRIVERS\redbook.sys
19:41:38.0562 0176 redbook - ok
19:41:38.0609 0176 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess E:\WINDOWS\System32\mprdim.dll
19:41:38.0875 0176 RemoteAccess - ok
19:41:38.0921 0176 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry E:\WINDOWS\system32\regsvc.dll
19:41:39.0203 0176 RemoteRegistry - ok
19:41:39.0265 0176 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator E:\WINDOWS\system32\locator.exe
19:41:39.0500 0176 RpcLocator - ok
19:41:39.0625 0176 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs E:\WINDOWS\system32\rpcss.dll
19:41:39.0734 0176 RpcSs - ok
19:41:39.0796 0176 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP E:\WINDOWS\system32\rsvp.exe
19:41:40.0093 0176 RSVP - ok
19:41:40.0125 0176 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs E:\WINDOWS\system32\lsass.exe
19:41:40.0359 0176 SamSs - ok
19:41:40.0421 0176 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr E:\WINDOWS\System32\SCardSvr.exe
19:41:40.0656 0176 SCardSvr - ok
19:41:40.0734 0176 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule E:\WINDOWS\system32\schedsvc.dll
19:41:41.0078 0176 Schedule - ok
19:41:41.0125 0176 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv E:\WINDOWS\system32\DRIVERS\secdrv.sys
19:41:41.0203 0176 Secdrv - ok
19:41:41.0250 0176 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon E:\WINDOWS\System32\seclogon.dll
19:41:41.0484 0176 seclogon - ok
19:41:41.0531 0176 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS E:\WINDOWS\system32\sens.dll
19:41:41.0859 0176 SENS - ok
19:41:41.0890 0176 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum E:\WINDOWS\system32\DRIVERS\serenum.sys
19:41:42.0140 0176 serenum - ok
19:41:42.0187 0176 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial E:\WINDOWS\system32\DRIVERS\serial.sys
19:41:42.0390 0176 Serial - ok
19:41:42.0437 0176 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy E:\WINDOWS\system32\drivers\Sfloppy.sys
19:41:42.0796 0176 Sfloppy - ok
19:41:42.0906 0176 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess E:\WINDOWS\System32\ipnathlp.dll
19:41:43.0265 0176 SharedAccess - ok
19:41:43.0312 0176 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection E:\WINDOWS\System32\shsvcs.dll
19:41:43.0359 0176 ShellHWDetection - ok
19:41:43.0375 0176 Simbad - ok
19:41:43.0390 0176 Sparrow - ok
19:41:43.0421 0176 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter E:\WINDOWS\system32\drivers\splitter.sys
19:41:43.0750 0176 splitter - ok
19:41:43.0796 0176 [ 60784F891563FB1B767F70117FC2428F ] Spooler E:\WINDOWS\system32\spoolsv.exe
19:41:43.0859 0176 Spooler - ok
19:41:43.0921 0176 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr E:\WINDOWS\system32\DRIVERS\sr.sys
19:41:44.0046 0176 sr - ok
19:41:44.0109 0176 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice E:\WINDOWS\system32\srsvc.dll
19:41:44.0218 0176 srservice - ok
19:41:44.0343 0176 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv E:\WINDOWS\system32\DRIVERS\srv.sys
19:41:44.0515 0176 Srv - ok
19:41:44.0562 0176 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV E:\WINDOWS\System32\ssdpsrv.dll
19:41:44.0750 0176 SSDPSRV - ok
19:41:44.0875 0176 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc E:\WINDOWS\system32\wiaservc.dll
19:41:45.0250 0176 stisvc - ok
19:41:45.0265 0176 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum E:\WINDOWS\system32\DRIVERS\swenum.sys
19:41:45.0515 0176 swenum - ok
19:41:45.0562 0176 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi E:\WINDOWS\system32\drivers\swmidi.sys
19:41:45.0875 0176 swmidi - ok
19:41:45.0890 0176 SwPrv - ok
19:41:45.0906 0176 symc810 - ok
19:41:45.0921 0176 symc8xx - ok
19:41:45.0937 0176 sym_hi - ok
19:41:45.0953 0176 sym_u3 - ok
19:41:45.0984 0176 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio E:\WINDOWS\system32\drivers\sysaudio.sys
19:41:46.0281 0176 sysaudio - ok
19:41:46.0343 0176 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog E:\WINDOWS\system32\smlogsvc.exe
19:41:46.0578 0176 SysmonLog - ok
19:41:46.0765 0176 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv E:\WINDOWS\System32\tapisrv.dll
19:41:47.0093 0176 TapiSrv - ok
19:41:47.0187 0176 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip E:\WINDOWS\system32\DRIVERS\tcpip.sys
19:41:47.0375 0176 Tcpip - ok
19:41:47.0421 0176 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE E:\WINDOWS\system32\drivers\TDPIPE.sys
19:41:47.0671 0176 TDPIPE - ok
19:41:47.0703 0176 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP E:\WINDOWS\system32\drivers\TDTCP.sys
19:41:47.0953 0176 TDTCP - ok
19:41:48.0031 0176 [ 88155247177638048422893737429D9E ] TermDD E:\WINDOWS\system32\DRIVERS\termdd.sys
19:41:48.0296 0176 TermDD - ok
19:41:48.0390 0176 [ FF3477C03BE7201C294C35F684B3479F ] TermService E:\WINDOWS\System32\termsrv.dll
19:41:48.0625 0176 TermService - ok
19:41:48.0687 0176 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes E:\WINDOWS\System32\shsvcs.dll
19:41:48.0718 0176 Themes - ok
19:41:48.0765 0176 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr E:\WINDOWS\system32\tlntsvr.exe
19:41:48.0875 0176 TlntSvr - ok
19:41:48.0890 0176 TosIde - ok
19:41:48.0937 0176 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks E:\WINDOWS\system32\trkwks.dll
19:41:49.0250 0176 TrkWks - ok
19:41:49.0296 0176 [ D85938F272D1BCF3DB3A31FC0A048928 ] uagp35 E:\WINDOWS\system32\DRIVERS\uagp35.sys
19:41:49.0546 0176 uagp35 - ok
19:41:49.0593 0176 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs E:\WINDOWS\system32\drivers\Udfs.sys
19:41:49.0859 0176 Udfs - ok
19:41:49.0875 0176 ultra - ok
19:41:49.0921 0176 [ AB0A7CA90D9E3D6A193905DC1715DED0 ] UMWdf E:\WINDOWS\system32\wdfmgr.exe
19:41:50.0000 0176 UMWdf - ok
19:41:50.0140 0176 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update E:\WINDOWS\system32\DRIVERS\update.sys
19:41:50.0531 0176 Update - ok
19:41:50.0609 0176 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost E:\WINDOWS\System32\upnphost.dll
19:41:50.0750 0176 upnphost - ok
19:41:50.0781 0176 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS E:\WINDOWS\System32\ups.exe
19:41:51.0046 0176 UPS - ok
19:41:51.0093 0176 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp E:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:41:51.0343 0176 usbccgp - ok
19:41:51.0375 0176 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci E:\WINDOWS\system32\DRIVERS\usbehci.sys
19:41:51.0609 0176 usbehci - ok
19:41:51.0656 0176 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub E:\WINDOWS\system32\DRIVERS\usbhub.sys
19:41:51.0937 0176 usbhub - ok
19:41:51.0968 0176 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci E:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:41:52.0234 0176 usbuhci - ok
19:41:52.0265 0176 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave E:\WINDOWS\System32\drivers\vga.sys
19:41:52.0546 0176 VgaSave - ok
19:41:52.0578 0176 [ 4B039BBD037B01F5DB5A144C837F283A ] viaagp1 E:\WINDOWS\system32\DRIVERS\viaagp1.sys
19:41:52.0625 0176 viaagp1 - ok
19:41:52.0640 0176 [ 3B3EFCDA263B8AC14FDF9CBDD0791B2E ] ViaIde E:\WINDOWS\system32\DRIVERS\viaide.sys
19:41:52.0843 0176 ViaIde - ok
19:41:52.0875 0176 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap E:\WINDOWS\system32\drivers\VolSnap.sys
19:41:53.0156 0176 VolSnap - ok
19:41:53.0265 0176 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS E:\WINDOWS\System32\vssvc.exe
19:41:53.0421 0176 VSS - ok
19:41:53.0515 0176 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time E:\WINDOWS\system32\w32time.dll
19:41:53.0750 0176 W32Time - ok
19:41:53.0781 0176 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp E:\WINDOWS\system32\DRIVERS\wanarp.sys
19:41:54.0093 0176 Wanarp - ok
19:41:54.0109 0176 WDICA - ok
19:41:54.0156 0176 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud E:\WINDOWS\system32\drivers\wdmaud.sys
19:41:54.0390 0176 wdmaud - ok
19:41:54.0437 0176 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient E:\WINDOWS\System32\webclnt.dll
19:41:54.0671 0176 WebClient - ok
19:41:54.0781 0176 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt E:\WINDOWS\system32\wbem\WMIsvc.dll
19:41:55.0062 0176 winmgmt - ok
19:41:55.0125 0176 [ 140EF97B64F560FD78643CAE2CDAD838 ] WmdmPmSN E:\WINDOWS\system32\MsPMSNSv.dll
19:41:55.0171 0176 WmdmPmSN - ok
19:41:55.0343 0176 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi E:\WINDOWS\System32\advapi32.dll
19:41:55.0656 0176 Wmi - ok
19:41:55.0734 0176 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv E:\WINDOWS\system32\wbem\wmiapsrv.exe
19:41:56.0046 0176 WmiApSrv - ok
19:41:56.0125 0176 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc E:\WINDOWS\system32\wscsvc.dll
19:41:56.0375 0176 wscsvc - ok
19:41:56.0406 0176 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv E:\WINDOWS\system32\wuauserv.dll
19:41:56.0640 0176 wuauserv - ok
19:41:56.0812 0176 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC E:\WINDOWS\System32\wzcsvc.dll
19:41:57.0265 0176 WZCSVC - ok
19:41:57.0281 0176 XDva401 - ok
19:41:57.0359 0176 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov E:\WINDOWS\System32\xmlprov.dll
19:41:57.0562 0176 xmlprov - ok
19:41:57.0578 0176 ================ Scan global ===============================
19:41:57.0625 0176 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] E:\WINDOWS\system32\basesrv.dll
19:41:57.0734 0176 [ 8C7DCA4B158BF16894120786A7A5F366 ] E:\WINDOWS\system32\winsrv.dll
19:41:57.0890 0176 [ 8C7DCA4B158BF16894120786A7A5F366 ] E:\WINDOWS\system32\winsrv.dll
19:41:57.0968 0176 [ 65DF52F5B8B6E9BBD183505225C37315 ] E:\WINDOWS\system32\services.exe
19:41:57.0968 0176 [Global] - ok
19:41:58.0000 0176 ================ Scan MBR ==================================
19:41:58.0031 0176 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
19:41:58.0421 0176 \Device\Harddisk0\DR0 - ok
19:41:58.0437 0176 [ 72B8CE41AF0DE751C946802B3ED844B4 ] \Device\Harddisk1\DR1
19:41:58.0765 0176 \Device\Harddisk1\DR1 - ok
19:41:58.0765 0176 ================ Scan VBR ==================================
19:41:58.0796 0176 [ 5DA6A76993B6824B2C35585790C74824 ] \Device\Harddisk0\DR0\Partition1
19:41:58.0796 0176 \Device\Harddisk0\DR0\Partition1 - ok
19:41:58.0828 0176 [ 00BF10FE91F6C58146BC359176F5C9F0 ] \Device\Harddisk0\DR0\Partition2
19:41:58.0843 0176 \Device\Harddisk0\DR0\Partition2 - ok
19:41:58.0843 0176 [ 1FA26932434F69C5AE8B23D77C525AFE ] \Device\Harddisk1\DR1\Partition1
19:41:58.0859 0176 \Device\Harddisk1\DR1\Partition1 - ok
19:41:58.0859 0176 ============================================================
19:41:58.0859 0176 Scan finished
19:41:58.0859 0176 ============================================================
19:41:58.0984 0308 Detected object count: 6
19:41:58.0984 0308 Actual detected object count: 6
20:05:39.0390 0308 Ati HotKey Poller ( UnsignedFile.Multi.Generic ) - skipped by user
20:05:39.0390 0308 Ati HotKey Poller ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:05:39.0390 0308 ATI Smart ( UnsignedFile.Multi.Generic ) - skipped by user
20:05:39.0390 0308 ATI Smart ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:05:39.0390 0308 ati2mtag ( UnsignedFile.Multi.Generic ) - skipped by user
20:05:39.0390 0308 ati2mtag ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:05:39.0390 0308 cwcspud ( UnsignedFile.Multi.Generic ) - skipped by user
20:05:39.0390 0308 cwcspud ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:05:39.0406 0308 cwcwdm ( UnsignedFile.Multi.Generic ) - skipped by user
20:05:39.0406 0308 cwcwdm ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:05:39.0406 0308 EL2000 ( UnsignedFile.Multi.Generic ) - skipped by user
20:05:39.0406 0308 EL2000 ( UnsignedFile.Multi.Generic ) - User select action: Skip
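The TDSSKiller log above has three line shapes worth machine-reading: a hash line `[ MD5 ] <name> <path>` (the name is absent in the global, MBR and VBR sections), a `<name> - ok` line for every registered object, and the detection lines at the end. The following is an added example, not part of the thread and not TDSSKiller's own code: it parses those three shapes, lists registered services whose file could never be hashed (TosIde, ultra, WDICA and XDva401 in the log above), and diffs two scans so that a driver whose hash silently changes between runs, which is what was reported for tcpip.sys, stands out. The two log excerpts and the two MD5 values for tcpip.sys in them are constructed for illustration; they are not real hashes of that file.

```python
"""Parse TDSSKiller-style scan logs and diff two scans by driver MD5.

Added example, not part of the thread. The sample log text and the MD5
values for tcpip.sys below are constructed for illustration only.
"""
import re

TIMESTAMP = r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+"            # "19:41:48.0687 0176 "
HASH_LINE = re.compile(TIMESTAMP + r"\[ ([0-9A-Fa-f]{32}) \]\s+(.+)$")
OK_LINE = re.compile(TIMESTAMP + r"(.+?) - ok$")
DETECT_LINE = re.compile(TIMESTAMP + r"(.+?) \( ([^)]+) \) - (.+)$")
PATH_START = re.compile(r"[A-Za-z]:\\|\\Device\\|\\\?\?\\")  # where the path begins


def parse_scan(text):
    """Return (hashes, detections, orphans) for one scan log.

    hashes:     {name_or_path: (MD5, path)} for every hashed object
    detections: [(name, verdict, action)], the duplicate "User select
                action" line folded into the first report of each object
    orphans:    names reported "- ok" but never hashed, i.e. registered
                services/drivers whose file the scanner could not read
    """
    hashes, detections, ok_names, seen = {}, [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_LINE.match(line)
        if m:
            md5, rest = m.group(1).upper(), m.group(2)
            p = PATH_START.search(rest)
            if p is None:
                continue                          # hash line without a path
            name = rest[:p.start()].strip()       # empty in global/MBR sections
            path = rest[p.start():].strip()
            hashes[name or path] = (md5, path)
            continue
        m = DETECT_LINE.match(line)
        if m:
            name, verdict, action = m.groups()
            if (name, verdict) not in seen:
                seen.add((name, verdict))
                detections.append((name, verdict, action))
            continue
        m = OK_LINE.match(line)
        if m:
            ok_names.append(m.group(1))
    orphans = [n for n in ok_names
               if n not in hashes and not n.startswith("[")]   # skip "[Global]"
    return hashes, detections, orphans


def diff_scans(baseline, current):
    """Objects hashed in both scans whose MD5 changed: {name: (old, new, path)}."""
    return {name: (baseline[name][0], md5, path)
            for name, (md5, path) in current.items()
            if name in baseline and baseline[name][0] != md5}


# Constructed sample logs: a first scan, and a later one in which only the
# tcpip.sys hash differs. The Tcpip MD5s are placeholders, not real values.
BASELINE_LOG = r"""
19:41:49.0593 0176 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs E:\WINDOWS\system32\drivers\Udfs.sys
19:41:49.0859 0176 Udfs - ok
19:41:49.0900 0176 [ 1234567890ABCDEF1234567890ABCDEF ] Tcpip E:\WINDOWS\system32\DRIVERS\tcpip.sys
19:41:49.0950 0176 Tcpip - ok
19:41:48.0890 0176 TosIde - ok
"""
CURRENT_LOG = r"""
19:41:49.0593 0176 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs E:\WINDOWS\system32\drivers\Udfs.sys
19:41:49.0859 0176 Udfs - ok
19:41:49.0900 0176 [ CAFEBABE0000000000000000DEADBEEF ] Tcpip E:\WINDOWS\system32\DRIVERS\tcpip.sys
19:41:49.0950 0176 Tcpip - ok
19:41:48.0890 0176 TosIde - ok
19:41:57.0625 0176 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] E:\WINDOWS\system32\basesrv.dll
19:41:57.0968 0176 [Global] - ok
19:41:58.0031 0176 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
19:41:58.0421 0176 \Device\Harddisk0\DR0 - ok
19:41:58.0984 0308 Detected object count: 1
20:05:39.0390 0308 Ati HotKey Poller ( UnsignedFile.Multi.Generic ) - skipped by user
20:05:39.0390 0308 Ati HotKey Poller ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""


def report(baseline_text, current_text):
    """Summary lines for the later scan measured against the baseline scan."""
    base, _, _ = parse_scan(baseline_text)
    cur, detections, orphans = parse_scan(current_text)
    lines = [f"CHANGED  {n}: {old} -> {new} ({path})"
             for n, (old, new, path) in diff_scans(base, cur).items()]
    lines += [f"DETECTED {n} ({v}) - {a}" for n, v, a in detections]
    lines += [f"NO FILE  {n}" for n in orphans]
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE_LOG, CURRENT_LOG)))
```

Feed report() the first scan as the baseline and each later scan as current: a CHANGED line on a core driver such as tcpip.sys between two scans is the signal the user was chasing by hand, and a NO FILE entry is a registered service whose binary the scanner could not read, which is often a leftover from uninstalled software but is worth checking against the service list ComboFix prints later in the thread.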
 
Capperkiller results as follows... Will be gone for a few hours and run aswMBR when I return.


20:08:13.0343 3604 Trojan-Banker.Win32.Capper removal tool 1.0.8.0 Dec 10 2012 09:09:46
20:08:13.0625 3604 ============================================================
20:08:13.0625 3604 Current date / time: 2012/12/18 20:08:13.0625
20:08:13.0625 3604 SystemInfo:
20:08:13.0625 3604
20:08:13.0625 3604 OS Version: 5.1.2600 ServicePack: 3.0
20:08:13.0625 3604 Product type: Workstation
20:08:13.0625 3604 ComputerName: OLD-DOG
20:08:13.0625 3604 UserName: Icicle
20:08:13.0625 3604 Windows directory: E:\WINDOWS
20:08:13.0625 3604 System windows directory: E:\WINDOWS
20:08:13.0625 3604 Processor architecture: Intel x86
20:08:13.0625 3604 Number of processors: 1
20:08:13.0625 3604 Page size: 0x1000
20:08:13.0625 3604 Boot type: Normal boot
20:08:13.0625 3604 ============================================================
20:08:13.0625 3604 Initialize success
20:08:13.0625 3604 ============================================================
20:09:29.0406 2124 ================================================================================
20:09:29.0406 2124 Scan started
20:09:29.0406 2124 ================================================================================
20:09:29.0406 2124 ProcessDriveEnumEx: Drive A:\ type 2:350
20:09:29.0406 2124 ProcessDriveEnumEx: Drive C:\ type 3:0
20:09:41.0125 2124 ProcessDriveEnumEx: Drive D:\ type 3:0
20:10:24.0421 2124 ProcessDriveEnumEx: Drive E:\ type 3:0
20:12:11.0453 2124 ProcessDriveEnumEx: Drive F:\ type 5:0
20:12:11.0531 2124 ================================================================================
20:12:11.0531 2124 Scan finished
20:12:11.0531 2124 ================================================================================
 
Not sure whether to do a Quickscan or a complete check of the system drive? The default option in my version of aswMBR is Quickscan... I changed it to system drive. The option does not appear in the screenshots you provided, hence my confusion ^^
Will post the system drive results when ready.
I have a question: if I shut down the PC, it's likely that it either won't boot again without some kind of file recovery, or that TCP/IP and the network services get disabled, leaving me with no internet access. I can repair that if it happens, but of course that means tampering with the system; I hope that is alright? Because when that happens, I really don't see any way to proceed without doing things that you didn't explicitly ask me to do. System Recovery won't work, by the way, so I can't use that.
 
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2012-12-19 01:41:16
-----------------------------
01:41:16.390 OS Version: Windows 5.1.2600 Service Pack 3
01:41:16.390 Number of processors: 1 586 0xA00
01:41:16.390 ComputerName: OLD-DOG UserName: Icicle
01:41:16.859 Initialize success
01:41:16.984 AVAST engine defs: 12121801
01:41:20.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
01:41:20.734 Disk 0 Vendor: Maxtor_6Y080L0 YAR41BW0 Size: 78167MB BusType: 3
01:41:20.734 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
01:41:20.734 Disk 1 Vendor: WDC_WD2500JB-00REA0 20.00K20 Size: 238475MB BusType: 3
01:41:20.750 Disk 0 MBR read successfully
01:41:20.750 Disk 0 MBR scan
01:41:20.765 Disk 0 Windows XP default MBR code
01:41:20.765 Disk 0 Partition - 00 0F Extended LBA 18151 MB offset 16065
01:41:20.781 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 60000 MB offset 37190475
01:41:20.812 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 18151 MB offset 16128
01:41:20.828 Disk 0 scanning sectors +160071660
01:41:20.984 Disk 0 scanning E:\WINDOWS\system32\drivers
01:41:42.171 Service scanning
01:42:01.593 Modules scanning
01:42:35.312 AVAST engine scan E:\WINDOWS
01:43:00.000 AVAST engine scan E:\WINDOWS\system32
01:50:15.593 AVAST engine scan E:\WINDOWS\system32\drivers
01:50:59.218 AVAST engine scan E:\Documents and Settings\Icicle
01:56:08.921 AVAST engine scan E:\Documents and Settings\All Users
01:56:25.750 Scan finished successfully
01:57:21.265 Disk 0 MBR has been saved successfully to "E:\Documents and Settings\Icicle\Desktop\MBR.dat"
01:57:21.281 The log file has been saved successfully to "E:\Documents and Settings\Icicle\Desktop\aswMBR.txt"
 

Attachment: MBRscan.txt (512 bytes)
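aswMBR decodes the 512-byte sector it later saves as MBR.dat into the "Disk 0 Partition" lines above. As an added example, not from the thread and not aswMBR's code, here is a Python decoder for that sector: it checks the 55AA boot signature, walks the four partition-table entries, rejects a table with an invalid boot flag or more than one active partition, and hashes the boot-code region (bytes 0 to 445) separately from the table, so that two dumps of the same disk can be compared on the code alone, which is the part a bootkit rewrites while the partition table stays the same. The sector it parses is constructed from the layout shown in the log with all-zero boot code; it is not the user's MBR.dat, and the "Windows XP default MBR code" judgment aswMBR makes needs a known-good reference hash that this example does not supply.

```python
"""Decode a raw 512-byte MBR sector in the style of aswMBR's partition lines.

Added example, not part of the thread. SAMPLE_MBR is constructed from the
partition layout in the log above; it is not the user's MBR.dat.
"""
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # boot code occupies bytes 0..445
ENTRY_SIZE = 16               # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
TYPE_NAMES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "Extended LBA", 0x83: "Linux"}


def parse_mbr(sector):
    """Return {"code_md5": ..., "partitions": [...]} or raise ValueError."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    partitions = []
    for index in range(4):
        off = TABLE_OFFSET + index * ENTRY_SIZE
        # boot flag, CHS start, type, CHS end, LBA start, sector count
        boot, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0 and count == 0:
            continue                                   # empty slot
        if boot not in (0x00, 0x80):
            raise ValueError(f"entry {index}: invalid boot flag {boot:#04x}")
        partitions.append({
            "index": index, "boot": boot == 0x80, "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "lba": lba, "sectors": count,
            "size_mb": count * SECTOR_SIZE // (1024 * 1024),
        })
    if sum(p["boot"] for p in partitions) > 1:
        raise ValueError("more than one active partition")
    # Hash only the code region: a bootkit changes this, repartitioning does not.
    return {"code_md5": hashlib.md5(sector[:TABLE_OFFSET]).hexdigest().upper(),
            "partitions": partitions}


def describe(mbr):
    """Lines like 'Partition 1 80 (A) 07 HPFS/NTFS 60000 MB offset 37190475'."""
    lines = []
    for p in mbr["partitions"]:
        flag = "80 (A)" if p["boot"] else "00"
        lines.append(f"Partition {p['index'] + 1} {flag} {p['type']:02X} "
                     f"{p['type_name']} {p['size_mb']} MB offset {p['lba']}")
    return lines


def build_mbr(entries, code=bytes(TABLE_OFFSET)):
    """Assemble a sector from (boot, type, lba, sectors) tuples (test helper)."""
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if b else 0, b"\0\0\0", t,
                                 b"\0\0\0", lba, n) for b, t, lba, n in entries)
    table = table.ljust(4 * ENTRY_SIZE, b"\0")
    return code + table + BOOT_SIGNATURE


# Constructed sector modelled on the log: an extended partition at LBA 16065
# and the active NTFS system partition at LBA 37190475, all-zero boot code.
SAMPLE_MBR = build_mbr([
    (False, 0x0F, 16065, 18151 * 2048),
    (True, 0x07, 37190475, 60000 * 2048),
])

if __name__ == "__main__":
    print("\n".join(describe(parse_mbr(SAMPLE_MBR))))
```

To use it on a real dump, read the 512 bytes of MBR.dat and pass them to parse_mbr(); keep the code_md5 from a dump taken when the disk was known clean and compare it after each suspicious reboot, since a legitimate partition change leaves that value alone.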
ComboFix scan

Please download ComboFix by sUBs from BleepingComputer.com.

Please save the file to your Desktop.

Important information about ComboFix


After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on ComboFix.exe & follow the prompts.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
 
The funniest things happened.... -.-

I disabled Avast and Comodo Firewall and ran Combofix.... it ran several steps, up to over ten I think, and then my machine rebooted suddenly. It boots through smoothly, the internet connection seems to be there, but.... I can't run any programs. Or to be precise, Task Manager shows the programs to be running, but I can't see them, they don't show up on my screen. Also, I can't terminate any processes with Task Manager, or reboot my machine. So I pressed reset and booted the MS DART disc. I was about to repair any corrupt system files, when I thought I'd first run a check on the filesystem.
Chkdsk report, run with parameters /F /X for fixing filesystem errors and dismounting the drive if necessary, said:
"discovered free space marked as allocated in the master file table (MFT) bitmap. Windows has made corrections to the file system."

Then I ran system file repair and it turned out there was nothing to repair. Which is a first, because since the infection tcpip.sys has usually been replaced; I exchanged it for a valid file manually myself over the last week, but this time it seemed to be okay.
I rebooted the system, but nothing had changed, except that I had an error report for Microsoft because the system was "recovering" from a serious error, which I'll attach here; don't know if it's of any use to you....

Then I restarted the DART disc another time, thinking maybe I can successfully do a system restore from the CD instead of via my infected Windows, because I already know the latter won't work. Turns out, I can start programs again and can finally post you all this weird ****. I feel like I'm incubating Skynet here :eek:

How should I proceed? Try and run Combofix in Safemode or do you have any other suggestions?


PS: Just noticed that I'm not allowed to upload my memorydump or sysdata.xml from the Serious Error Recovery Thingy. So I'll just give you the error number here:

Error Signature:

BCCode : ca BCP1 : 00000004 BCP2 : 87CAC780 BCP3 : 00000000
BCP4 : 00000000 OSVer : 5_1_2600 SP : 3_0 Product : 256_1
 
Will hibernate my computer for now, since shutting down is followed by unpredictable consequences.... but this old machine can only go to hibernate a few times before having to do a proper reboot.
 
Ran Combofix in Safe Mode now... it complained that Avast was running; I checked via Task Manager and couldn't make out any Avast processes running, so I continued anyway. Report is as follows:

ComboFix 12-12-19.02 - Icicle 19.12.2012 18:01:51.1.1 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1033.18.1536.1312 [GMT 1:00]
run from:: e:\documents and settings\Icicle\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
e:\program files\RegTweaker\keY.dll
.
.
((((((((((((((((((((((( Files created from 2012-11-19 to 2012-12-19 ))))))))))))))))))))))))))))))
.
.
2012-12-19 02:16 . 2012-12-19 02:16 -------- d-----w- E:\0ba8f8a063c460cf5264012f
2012-12-19 02:12 . 2012-12-19 02:12 -------- d-----w- E:\~ErdUserProfile.$$$
2012-12-16 06:14 . 2012-12-16 06:15 -------- d-----w- E:\decf8f00e89575da9e090c4454d19f
2012-12-16 00:30 . 2012-12-16 00:30 41527316 ----a-w- E:\regbackup.reg
2012-12-15 22:17 . 2012-12-15 22:23 -------- d-----w- E:\MGtools
.
.
.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-15 22:23 . 2012-12-15 22:18 167634 ----a-w- E:\MGlogs.zip
2012-11-13 01:25 . 2008-04-13 23:00 1866368 ----a-w- e:\windows\system32\win32k.sys
2012-11-07 23:38 . 2012-10-05 00:33 99080 ----a-w- e:\windows\system32\drivers\inspect.sys
2012-11-07 23:38 . 2012-10-05 00:32 32640 ----a-w- e:\windows\system32\drivers\cmdhlp.sys
2012-11-07 23:38 . 2012-10-05 00:32 497952 ----a-w- e:\windows\system32\drivers\cmdGuard.sys
2012-11-07 23:38 . 2012-10-05 00:32 18096 ----a-w- e:\windows\system32\drivers\cmderd.sys
2012-11-07 23:37 . 2012-10-05 00:32 34024 ----a-w- e:\windows\system32\cmdcsr.dll
2012-11-07 23:37 . 2012-10-05 00:32 301264 ----a-w- e:\windows\system32\guard32.dll
2012-11-02 02:02 . 2008-04-14 03:41 375296 ----a-w- e:\windows\system32\dpnet.dll
2012-11-01 00:35 . 2008-04-13 22:07 385024 ------w- e:\windows\system32\html.iec
2012-10-31 11:33 . 2008-04-14 03:42 667136 ----a-w- e:\windows\system32\wininet.dll
2012-10-31 11:33 . 2008-04-14 03:41 81920 ----a-w- e:\windows\system32\ieencode.dll
2012-10-31 11:33 . 2008-04-14 03:41 61952 ----a-w- e:\windows\system32\tdc.ocx
2012-10-02 18:04 . 2008-04-14 03:42 58368 ----a-w- e:\windows\system32\synceng.dll
2012-11-29 08:26 . 2012-12-13 13:24 262112 ----a-w- e:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((( Registry Autostart Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 22:50 121528 ----a-w- e:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="e:\program files\PeerBlock\peerblock.exe" [2010-11-06 1867888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2006-02-22 344064]
"SiXPack"="SiXPack.exe" [2003-03-25 647168]
"avast"="e:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"COMODO Internet Security"="e:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-11-07 6756048]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="e:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=e:\windows\system32\guard32.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"e:\\Program Files\\Miranda IM\\miranda32.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\CrossFire\\CF_G4box.exe"=
.
R1 aswSnx;aswSnx;e:\windows\system32\drivers\aswSnx.sys [13.12.2012 14:38 738504]
R1 aswSP;aswSP;e:\windows\system32\drivers\aswSP.sys [13.12.2012 14:38 361032]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;e:\windows\system32\drivers\cmdGuard.sys [05.10.2012 01:32 497952]
R1 cmdHlp;COMODO Internet Security Helper Driver;e:\windows\system32\drivers\cmdhlp.sys [05.10.2012 01:32 32640]
R2 aswFsBlk;aswFsBlk;e:\windows\system32\drivers\aswFsBlk.sys [13.12.2012 14:38 21256]
R3 pbfilter;pbfilter;e:\program files\PeerBlock\pbfilter.sys [13.12.2012 17:31 19056]
S3 XDva401;XDva401;\??\e:\windows\system32\XDva401.sys --> e:\windows\system32\XDva401.sys [?]
.
--- Other Services/Drivers in Memory ---
.
*NewlyCreated* - PBFILTER
*NewlyCreated* - WS2IFSL
.
Contents of the "Scheduled Tasks" folder
.
2012-12-19 e:\windows\Tasks\avast! Emergency Update.job
- e:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-12-13 22:50]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - e:\documents and settings\Icicle\Application Data\Mozilla\Firefox\Profiles\r453srqq.default\
FF - ExtSQL: 2012-12-13 14:25; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; e:\documents and settings\Icicle\Application Data\Mozilla\Firefox\Profiles\r453srqq.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-12-13 14:27; {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}; e:\documents and settings\Icicle\Application Data\Mozilla\Firefox\Profiles\r453srqq.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi
FF - ExtSQL: 2012-12-13 14:27; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; e:\documents and settings\Icicle\Application Data\Mozilla\Firefox\Profiles\r453srqq.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - ExtSQL: 2012-12-13 14:27; trackmenot@mrl.nyu.edu; e:\documents and settings\Icicle\Application Data\Mozilla\Firefox\Profiles\r453srqq.default\extensions\trackmenot@mrl.nyu.edu.xpi
FF - ExtSQL: 2012-12-13 14:27; firefox@ghostery.com; e:\documents and settings\Icicle\Application Data\Mozilla\Firefox\Profiles\r453srqq.default\extensions\firefox@ghostery.com
FF - ExtSQL: 2012-12-13 14:46; wrc@avast.com; e:\program files\AVAST Software\Avast\WebRep\FF
FF - ExtSQL: 2012-12-13 15:31; youtube2mp3@mondayx.de; e:\documents and settings\Icicle\Application Data\Mozilla\Firefox\Profiles\r453srqq.default\extensions\youtube2mp3@mondayx.de.xpi
FF - ExtSQL: 2012-12-13 15:31; ich@maltegoetz.de; e:\documents and settings\Icicle\Application Data\Mozilla\Firefox\Profiles\r453srqq.default\extensions\ich@maltegoetz.de
.
- - - - Orphaned registry entries removed - - - -
.
HKLM-Run-SiXPack 5.1+ - e:\windows\system32\SiXPack 5.1+.exe
AddRemove-2kv4.8.442 - e:\windows\Radeon Omega Drivers v4.8.442
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-19 18:11
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
Scanning hidden processes...
.
Scanning hidden autostart entries...
.
Scanning hidden files...
.
Scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- Locked Registry Keys ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs loaded by running processes ---------------------
.
- - - - - - - > 'winlogon.exe'(792)
e:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(848)
e:\windows\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(3620)
e:\windows\system32\guard32.dll
.
- - - - - - - > 'csrss.exe'(744)
e:\windows\system32\cmdcsr.dll
.
------------------------ Other Running Processes ------------------------
.
e:\windows\system32\Ati2evxx.exe
e:\windows\system32\Ati2evxx.exe
e:\program files\AVAST Software\Avast\AvastSvc.exe
e:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
e:\windows\system32\wdfmgr.exe
e:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-12-19 18:16:37 - PC was restarted
ComboFix-quarantined-files.txt 2012-12-19 17:16
.
Before scan: 10.079.846.400 bytes free
After scan: 9.863.516.160 bytes free
.
- - End Of File - - 09CDB70DFA3DF392A38BA4DC2052BC03
 
Good job working through that...

Download Windows Repair (all in one) from this site

Install the program then run it.

Go to Step 2 and allow it to run CheckDisk by clicking on Do It button:

Once that is done then go to Step 3 and allow it to run System File Check by clicking on Do It button:

Go to Step 4 and under "System Restore" click on Create button:

Go to Start Repairs tab and click Start button.

Please ensure that ONLY items seen in the image below are ticked as indicated (they're all checked by default):

Click on box next to the Restart System when Finished. Then click on Start.



Hitman Pro

Please download Hitman Pro

  • After the download completes please double click the program to run it.
  • Accept the terms of the license agreement and click Next
  • Let the scan run. It will not take long
  • When the scan finishes, and all the files have been uploaded to the Scan Cloud, click Next
  • Click Next again. At the bottom left you will see Export Scan Results To XML File. Click that and save it in a convenient location
  • Upload log.xml here for review please
 
Thanks... downloaded both programs and will execute them as instructed. I should mention, that HitmanPro is another one of the solutions I previously tried, but will try again.
 
Okay, interim report... executed the filesystem check; the system rebooted after the in-boot fs check, which I found odd, because normally it carries on with the interrupted boot sequence, but well. Then ran the system file check and rebooted. The system seems to work normally, except my sound drivers are shot; also the system behaved as if a new graphics driver was installed, testing the monitor, but my graphics driver seems to be intact ^^ Continuing with Restore & Repair now....
 
Contents of HitmanPro xml log file as follows:


<Log computer="OLD-DOG" windows="5.1.3.2600.X86/1" scan="Normal" version="3.7.0.183" date="2012-12-20T01:49:53" timeSpentInSecs="1056" filesProcessed="6678"><Item type="Cookie" score="0.0" status="Deleted"><File path="E:\Documents and Settings\Icicle\Cookies\0T13669J.txt" /></Item></Log>
 
No prob...good job! One more crazy check and we'll see how it's doing. :)

Kaspersky Virus Removal Tool

The Kaspersky Virus Removal Tool is a scan-and-remove solution from Kaspersky that searches out the most common malware and attempts to remove it from your computer.

Please download the Kaspersky Virus Removal Tool from Kaspersky's Official Link and save it to your Desktop.

  • Double-click the Setup file to install it on your computer.
  • Once it has installed, review and accept the agreement and press the Start button.
  • You will be presented with the main interface, but don't scan yet; click the options tab (gear icon):
  • On the Scan Scope tab, make sure to checkmark all the options, except for the CD/DVD drive:
  • On the Security Level tab, make sure to move the slider up denoting "Current Security Level: High":
  • Now, go back to the Automatic Scan tab, and choose "Start Scanning". It may take several hours to complete. Please allow it to do so.
  • Once done scanning, choose the Report tab (page icon), select Detected Threats tab on left, and choose Disinfect All:
  • Then, choose Save. Also, in the Automatic Report tab, select Save:
  • Please post the reports in your next reply.
  • Once you exit, the tool should uninstall automatically.
 