Inactive "Hard drive clusters are partly damaged" message

khastings

Good afternoon. I have seen many threads posted related to this "hard drive clusters are partly damaged" fake error message and am currently in the 5-step process. I've never posted on this website before, but I believe I am supposed to start a new thread in order to post the logs to it. I have AVG Anti-Virus Free Edition 2012 and although it appears to have scanned, I can't get it to update.

So here goes, and thank you!
Karen
 
MBAM Log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122405

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/27/2011 1:06:56 PM
mbam-log-2011-12-27 (13-06-56).txt

Scan type: Quick scan
Objects scanned: 185408
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
GMER Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-12-27 13:15:15
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD800JD-60LSA0 rev.07.01D07
Running: jpkqur93.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\fxtdypow.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----
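The MBAM log above reports the rogue's changes as PUM.* registry data items, each with the "Bad" value found and the "Good" value restored. As an added example (not from this thread, and not Malwarebytes' own code), the following Python parses that log layout, cross-checks the summary count against the entries actually listed (a truncated paste shows up as a mismatch), and states what each restored Explorer value controls; the sample log and the EFFECT table are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout Malwarebytes' Anti-Malware 1.51 writes:
# a summary count block, then one detailed section per category. The two
# entries mirror the PUM.* detections seen in the thread's log.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.2.1300

Registry Keys Infected: 0
Registry Data Items Infected: 2
Files Infected: 0

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# One detail line: <key path>\<value name> (<detection>) -> Bad: (x) Good: (y) -> <action>
ENTRY_RE = re.compile(
    r"^(?P<key>HKEY_.+)\\(?P<value>[^\\]+?) \((?P<detection>[^)]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)

# What the Windows XP Explorer values touched by these PUM detections control
# when set to the "Bad" value (table constructed for this example; the "Good"
# value is the default MBAM restores).
EFFECT = {
    "Start_ShowRun": "hides Run in the Start menu",
    "Start_ShowSearch": "hides Search in the Start menu",
    "Start_ShowHelp": "hides Help and Support in the Start menu",
    "Start_ShowMyComputer": "hides My Computer in the Start menu",
    "Start_ShowMyDocs": "hides My Documents in the Start menu",
    "Start_ShowControlPanel": "hides Control Panel in the Start menu",
    "NoDesktop": "hides all desktop icons by policy",
}


@dataclass
class RegistryDataItem:
    key: str
    value: str
    detection: str
    bad: str
    good: str
    action: str


def section_lines(log: str, heading: str) -> List[str]:
    """Return the lines of the detailed section that starts with 'heading:'.

    The summary block uses the same words followed by a number, so only the
    exact 'heading:' line (no count) opens the section; the first blank line
    after its entries closes it.
    """
    out: List[str] = []
    collecting = False
    for line in log.splitlines():
        if line.strip() == heading + ":":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                if out:
                    break
                continue
            out.append(line.rstrip())
    return out


def summary_count(log: str, heading: str) -> Optional[int]:
    """Read N from the summary line 'heading: N', or None if absent."""
    m = re.search(rf"^{re.escape(heading)}: (\d+)$", log, re.MULTILINE)
    return int(m.group(1)) if m else None


def parse_registry_data_items(log: str) -> List[RegistryDataItem]:
    """Parse every entry under 'Registry Data Items Infected:'."""
    items: List[RegistryDataItem] = []
    for line in section_lines(log, "Registry Data Items Infected"):
        m = ENTRY_RE.match(line)
        if m:  # skips '(No malicious items detected)' and anything malformed
            items.append(RegistryDataItem(**m.groupdict()))
    return items


def counts_match(log: str) -> bool:
    """True when the summary count equals the number of entries listed."""
    listed = len(parse_registry_data_items(log))
    return summary_count(log, "Registry Data Items Infected") == listed


def by_detection(items: List[RegistryDataItem]) -> Dict[str, int]:
    """Count entries per detection name (e.g. PUM.Hijack.StartMenu)."""
    counts: Dict[str, int] = {}
    for it in items:
        counts[it.detection] = counts.get(it.detection, 0) + 1
    return counts


def describe(item: RegistryDataItem) -> str:
    """One-line explanation of what the bad value did and what was restored."""
    effect = EFFECT.get(item.value, "effect not catalogued here")
    return (f"{item.value} = {item.bad} ({effect}); "
            f"restored to {item.good}: {item.action}")


if __name__ == "__main__":
    found = parse_registry_data_items(SAMPLE_LOG)
    print("summary count matches listed entries:", counts_match(SAMPLE_LOG))
    for entry in found:
        print(describe(entry))
```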
 
Problems encountered

Hi - I couldn't temporarily disable AVG protection, says "An error occurred when saving the configuration. Connection is off-line." But I am online.
Also, can't find how to disable script blocking protection, can't run DDS as a result. Sorry this isn't going so smoothly...
 
Welcome to TechSpot Karen. These rogue programs are doing a number on a lot of people.

About AVG. Their author didn't leave any way for AVG to be disabled to run some of the scans. You will have to uninstall it temporarily to run Combofix and I'll give you a program to do that. So let's go this route:
(be sure to put one of the temporary AV on the system)

Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    (screenshot omitted)
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Avira-AntiVir-Personal-Free-Antivirus
Avast Free Version
=============================
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • Click on Yes to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and opened in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=======================================
it is important that you do not delete any files from your Temp folder or use any temp file cleaners.
================================
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options
    menu appears, using your up/down arrows to reach it and then press ENTER.
=======================================
This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software. We will first need to fix this: Launch Internet Explorer
  • Access Internet Options through Tools> Connections tab
  • Click on the Lan Settings at the bottom
  • Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN'.
  • Then click on OK> and OK again to close Internet Options.
========================================
To end the processes that belong to the rogue program:
Please click on RKill
  • At the download page, click on Download now button for iExplore.exe download link and save to the desktop
  • Double click on the iExplore.exe icon
  • Please be patient- it may take a bit.
  • The black Window will close when through and you can continue.
Note: If you get a message that RKill is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
================================
4. This malware frequently comes with the TDSS rootkit, so do the following:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
====================================
If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
====================================
5. Update and rescan with Malwarebytes:
  • Select Perform Full Scan on the Scanner tab
  • Click on the Scan button.
  • When scan has finished, you will see this image:
    (screenshot omitted)
  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format>Uncheck Word Wrap before copying the log to paste in your next reply.
==============================
If the desktop background is black or if the theme has been removed:
Correct Display Changes if needed:
For Windows XP: Click on Start> Control Panel> Display> change theme and/or background if needed.
For Windows Vista or Windows 7: Click on Start> Control Panel> Appearance & Personalization> Select Change Theme or Change Desktop Background
=====================================
You can now reboot back into Normal Mode
====================================
If you seem to be missing icons, program, files, etc., go ahead and run the following:
1. Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.
====================================
Summary to help you get through:
Run App Remover for AVG- put temp. AV on system
Run Combofix
Boot into Safe Mode
Stop Proxy
Stop malware process>>RKill
Run TDSS
Do a Full scan Mbam
--------------------
If you have the black screen display problem, fix that,
If you have hidden processes, run unhide.
==================================
After I check these logs, I may have you go back and run DDS.
======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
ComboFix issue

Hello Bobbye,

A couple of issues, I used the AppRemover and removed AVG, rebooted as it requested, but ComboFix is telling me it is still running. I searched "avg" on the C drive and there are all kinds of folders and some .exe files with avg in the names. I went to Add/Remove Programs and AVG is not listed. What do I do? One of those files is in the Temp folder and I know I am not supposed to delete anything out of the temp folder.

ComboFix did state that it will continue to run for malware check and appeared to be doing so, but it was an hour and no results yet. Any advice before I press on? Thank you.
 
Give Combofix a chance to finish and see if the log is generated. AVG is a real pain! Can you tell me what file is in the temp folder?

You can try running the App Remover again. Or you can use the AVG Uninstall>

AVG Remover eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc.
Note:
  • AVG user settings will be removed.
  • Virus Vault contents will be removed.
  • All other items related to AVG installation and use will be removed.
  • You will be asked during the removal procedure to restart your computer. Please do so.
  • Make sure there is no open work in process prior to launching AVG Remover.
Use the appropriate download for your system for the AVG Remover:
AVG Remover: 32 bit
AVG Remover: 64 bit
 
AVG File

It is avginfo.id; it was still searching for those filenames when I posted, and the folders are still there too.
The AVG Remover didn't seem to work either; it didn't request that I reboot. Can I delete all the files and folders I can find, empty the Recycle Bin, then try ComboFix again?
 
ComboFix frozen

Good morning! I installed then uninstalled AVG and that worked, all set there. However, ComboFix ran all night and no response. I rebooted and re-ran ComboFix, and there was an update so it is now updated, but it has been 3 hours. Shall I let it run for a particular length of time? Thank you! Karen
 
Karen, regarding instructions for these:
Summary to help you get through:
Run App Remover for AVG- put temp. AV on system>> Skip for now
Run Combofix>>Skip for now

Begin with the following:
Boot into Safe Mode
Stop Proxy
Stop malware process>>RKill
Run TDSS
Do a Full scan Mbam
====================================
I'll have you go back and try Combofix after we get some of the bad entries out.
 
TDSS quarantine

Hello! I did everything but after quarantining the rootkit threat found by TDSS, I rebooted (though it didn't ask me to), then it wouldn't let me update Malwarebytes' database. I did TDSS again and it still finds the rootkit threat. How do I delete the threat, the quarantine doesn't seem to work?
Thanks, Karen
 
RKill Log

Sorry about that, here is the RKill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/28/2011 at 16:31:59.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 12/28/2011 at 16:32:04.
 
TDSS Log

and the TDSS Log:

21:39:01.0625 0272 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
21:39:02.0140 0272 ============================================================
21:39:02.0140 0272 Current date / time: 2011/12/28 21:39:02.0140
21:39:02.0140 0272 SystemInfo:
21:39:02.0140 0272
21:39:02.0140 0272 OS Version: 5.1.2600 ServicePack: 3.0
21:39:02.0140 0272 Product type: Workstation
21:39:02.0140 0272 ComputerName: MARTY
21:39:02.0140 0272 UserName: Administrator
21:39:02.0140 0272 Windows directory: C:\WINDOWS
21:39:02.0140 0272 System windows directory: C:\WINDOWS
21:39:02.0140 0272 Processor architecture: Intel x86
21:39:02.0140 0272 Number of processors: 2
21:39:02.0140 0272 Page size: 0x1000
21:39:02.0140 0272 Boot type: Safe boot with network
21:39:02.0140 0272 ============================================================
21:39:06.0140 0272 Initialize success
21:39:07.0812 0368 ============================================================
21:39:07.0812 0368 Scan started
21:39:07.0812 0368 Mode: Manual;
21:39:07.0812 0368 ============================================================
21:39:57.0500 0368 P3 - ok
21:39:57.0562 0368 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
21:39:57.0578 0368 Parport - ok
21:39:57.0687 0368 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:39:57.0703 0368 PartMgr - ok
21:39:58.0031 0368 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:39:58.0093 0368 ParVdm - ok
21:39:58.0515 0368 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:39:58.0531 0368 PCI - ok
21:39:58.0609 0368 PCIDump - ok
21:39:58.0656 0368 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:39:58.0671 0368 PCIIde - ok
21:39:58.0718 0368 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:39:58.0750 0368 Pcmcia - ok
21:39:59.0156 0368 PDCOMP - ok
21:39:59.0625 0368 PDFRAME - ok
21:40:00.0062 0368 PDRELI - ok
21:40:00.0500 0368 PDRFRAME - ok
21:40:00.0890 0368 perc2 - ok
21:40:01.0265 0368 perc2hib - ok
21:40:01.0718 0368 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:40:01.0734 0368 PptpMiniport - ok
21:40:02.0156 0368 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:40:02.0203 0368 PSched - ok
21:40:02.0718 0368 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:40:02.0750 0368 Ptilink - ok
21:40:03.0171 0368 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
21:40:03.0187 0368 PxHelp20 - ok
21:40:03.0343 0368 ql1080 - ok
21:40:03.0437 0368 Ql10wnt - ok
21:40:03.0609 0368 ql12160 - ok
21:40:04.0328 0368 ql1240 - ok
21:40:05.0062 0368 ql1280 - ok
21:40:05.0703 0368 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:40:05.0718 0368 RasAcd - ok
21:40:06.0281 0368 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:40:06.0312 0368 Rasl2tp - ok
21:40:06.0921 0368 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:40:06.0937 0368 RasPppoe - ok
21:40:07.0406 0368 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:40:07.0453 0368 Raspti - ok
21:40:07.0687 0368 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:40:07.0750 0368 Rdbss - ok
21:40:08.0281 0368 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:40:08.0281 0368 RDPCDD - ok
21:40:08.0875 0368 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:40:08.0968 0368 rdpdr - ok
21:40:09.0468 0368 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
21:40:09.0515 0368 RDPWD - ok
21:40:09.0812 0368 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:40:09.0875 0368 redbook - ok
21:40:10.0546 0368 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:40:10.0562 0368 Secdrv - ok
21:40:11.0140 0368 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
21:40:11.0171 0368 serenum - ok
21:40:11.0703 0368 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
21:40:11.0734 0368 Serial - ok
21:40:11.0875 0368 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:40:11.0875 0368 Sfloppy - ok
21:40:12.0000 0368 Simbad - ok
21:40:12.0109 0368 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
21:40:12.0109 0368 SLIP - ok
21:40:12.0531 0368 smwdm (86d17b6760dd2b09e932ff101714e0dc) C:\WINDOWS\system32\drivers\smwdm.sys
21:40:12.0640 0368 smwdm - ok
21:40:12.0828 0368 Sparrow - ok
21:40:12.0984 0368 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:40:13.0015 0368 splitter - ok
21:40:13.0390 0368 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:40:13.0437 0368 sr - ok
21:40:13.0578 0368 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
21:40:13.0625 0368 Srv - ok
21:40:13.0671 0368 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:40:13.0671 0368 streamip - ok
21:40:13.0796 0368 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:40:13.0812 0368 swenum - ok
21:40:14.0125 0368 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:40:14.0140 0368 swmidi - ok
21:40:14.0578 0368 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
21:40:14.0593 0368 symc810 - ok
21:40:15.0187 0368 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
21:40:15.0203 0368 symc8xx - ok
21:40:15.0390 0368 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
21:40:15.0421 0368 Symmpi - ok
21:40:15.0578 0368 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
21:40:15.0593 0368 sym_hi - ok
21:40:15.0703 0368 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
21:40:15.0718 0368 sym_u3 - ok
21:40:16.0171 0368 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:40:16.0171 0368 sysaudio - ok
21:40:16.0468 0368 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:40:16.0515 0368 Tcpip - ok
21:40:17.0000 0368 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:40:17.0031 0368 TDPIPE - ok
21:40:17.0421 0368 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:40:17.0453 0368 TDTCP - ok
21:40:17.0593 0368 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:40:17.0625 0368 TermDD - ok
21:40:17.0796 0368 TosIde - ok
21:40:17.0937 0368 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:40:17.0937 0368 Udfs - ok
21:40:18.0203 0368 ultra - ok
21:40:18.0359 0368 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
21:40:18.0375 0368 USBAAPL - ok
21:40:18.0625 0368 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
21:40:18.0656 0368 usbaudio - ok
21:40:18.0953 0368 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:40:18.0984 0368 usbccgp - ok
21:40:19.0390 0368 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:40:19.0421 0368 usbehci - ok
21:40:19.0671 0368 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:40:19.0718 0368 usbhub - ok
21:40:20.0171 0368 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:40:20.0203 0368 usbprint - ok
21:40:20.0375 0368 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:40:20.0406 0368 USBSTOR - ok
21:40:20.0562 0368 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:40:20.0578 0368 usbuhci - ok
21:40:20.0718 0368 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
21:40:20.0734 0368 usbvideo - ok
21:40:21.0125 0368 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:40:21.0125 0368 VgaSave - ok
21:40:21.0250 0368 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
21:40:21.0265 0368 ViaIde - ok
21:40:21.0359 0368 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:40:21.0375 0368 VolSnap - ok
21:40:21.0468 0368 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:40:21.0484 0368 Wanarp - ok
21:40:21.0562 0368 WDICA - ok
21:40:22.0171 0368 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:40:22.0234 0368 wdmaud - ok
21:40:22.0687 0368 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
21:40:22.0703 0368 WmiAcpi - ok
21:40:23.0468 0368 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:40:23.0500 0368 WS2IFSL - ok
21:40:24.0156 0368 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:40:24.0187 0368 WSTCODEC - ok
21:40:24.0515 0368 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:40:24.0531 0368 WudfPf - ok
21:40:24.0640 0368 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:40:24.0640 0368 WudfRd - ok
21:40:24.0750 0368 MBR (0x1B8) (4f02a8d4048a138c450ed7f867eb0144) \Device\Harddisk0\DR0
21:40:24.0875 0368 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
21:40:24.0875 0368 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
21:40:24.0921 0368 Boot (0x1200) (5dce6ed2ad9d67a06de72d409e21a2ba) \Device\Harddisk0\DR0\Partition0
21:40:24.0921 0368 \Device\Harddisk0\DR0\Partition0 - ok
21:40:24.0953 0368 Boot (0x1200) (254f515a0246b66cb1433240ce3b570c) \Device\Harddisk0\DR0\Partition1
21:40:24.0968 0368 \Device\Harddisk0\DR0\Partition1 - ok
21:40:24.0968 0368 ============================================================
21:40:24.0968 0368 Scan finished
21:40:24.0968 0368 ============================================================
21:40:25.0015 0360 Detected object count: 1
21:40:25.0015 0360 Actual detected object count: 1
21:40:32.0171 0360 \Device\Harddisk0\DR0 - copied to quarantine
21:40:34.0687 0360 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
21:40:34.0703 0360 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
21:40:34.0703 0360 \Device\Harddisk0\DR0\TDLFS\bid - copied to quarantine
21:40:34.0703 0360 \Device\Harddisk0\DR0\TDLFS\affid - copied to quarantine
21:40:34.0703 0360 \Device\Harddisk0\DR0\TDLFS\boot - copied to quarantine
21:40:34.0718 0360 \Device\Harddisk0\DR0\TDLFS\cmd32 - copied to quarantine
21:40:34.0781 0360 \Device\Harddisk0\DR0\TDLFS\cmd64 - copied to quarantine
21:40:34.0968 0360 \Device\Harddisk0\DR0\TDLFS\dbg32 - copied to quarantine
21:40:35.0000 0360 \Device\Harddisk0\DR0\TDLFS\dbg64 - copied to quarantine
21:40:35.0046 0360 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
21:40:35.0093 0360 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
21:40:35.0156 0360 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
21:40:35.0203 0360 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
21:40:35.0234 0360 \Device\Harddisk0\DR0\TDLFS\main - copied to quarantine
21:40:35.0296 0360 \Device\Harddisk0\DR0\TDLFS\subid - copied to quarantine
21:40:35.0296 0360 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Quarantine
 
Malwarebytes' Log

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122405

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

12/28/2011 11:25:52 PM
mbam-log-2011-12-28 (23-25-52).txt

Scan type: Full scan (C:\|)
Objects scanned: 243392
Time elapsed: 21 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Please go ahead and run the following:

Please download MBRCheck and save to your desktop
  • Double click on MBRCheck.exe to run. (Vista and Windows 7 users will have to confirm the UAC prompt)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:
    [o] Done! Press ENTER to exit...
  • Or you will see more information like below if a problem is found:
    [o] Found non-standard or infected MBR.
    [o] Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Paste this log to your next message.
================================================
Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Then go back and download Combofix again and try the scan.
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • Follow the additional Combofix instructions in Reply #5
 
MBRCheck Log

Good morning! Here is the MBRCheck Log:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 99):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x80700000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF7607000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF798D000 dmload.sys
0xF74B2000 dmio.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF749A000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF747A000 fltmgr.sys
0xF7468000 sr.sys
0xF7647000 PxHelp20.sys
0xF7451000 KSecDD.sys
0xF7B52000 Ntfs.sys
0xF7424000 NDIS.sys
0xF740A000 Mup.sys
0xBA749000 iaStor.sys
0xBA6B1000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA687000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xF774F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xBA663000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7757000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7767000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF776F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF777F000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7677000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7687000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7697000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA5A0000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7797000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF7927000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF792F000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xBA589000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77B7000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBA550000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77C7000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA4D0000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7995000 \SystemRoot\system32\DRIVERS\swenum.sys
0xBA721000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF76F7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7577000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF799B000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF799F000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7A96000 \SystemRoot\System32\Drivers\Null.SYS
0xF79A3000 \SystemRoot\System32\Drivers\Beep.SYS
0xF77FF000 \SystemRoot\System32\drivers\vga.sys
0xBA3F4000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0xF79A7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF780F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF781F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA6E9000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xBA3C1000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xBA368000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBA342000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA31A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF775F000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xBA2F8000 \SystemRoot\System32\drivers\afd.sys
0xF7547000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA2A5000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xBA235000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF77A7000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF77BF000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7527000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA571000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF7517000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA540000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA569000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA561000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA21D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79B1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA4C0000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA518000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7A70000 \SystemRoot\System32\drivers\dxgthk.sys
0xBFF50000 \SystemRoot\System32\framebuf.dll
0xBF012000 \SystemRoot\System32\ATMFD.DLL
0xB9CFD000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB9A4B000 \SystemRoot\system32\DRIVERS\srv.sys
0xF7817000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xB9820000 \SystemRoot\System32\Drivers\RDPWD.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 19):
0 System Idle Process
4 System
520 C:\WINDOWS\system32\smss.exe
568 csrss.exe
592 C:\WINDOWS\system32\winlogon.exe
636 C:\WINDOWS\system32\services.exe
648 C:\WINDOWS\system32\lsass.exe
808 C:\WINDOWS\system32\svchost.exe
876 svchost.exe
1056 C:\WINDOWS\system32\svchost.exe
1084 svchost.exe
1240 svchost.exe
1780 C:\WINDOWS\explorer.exe
244 C:\Program Files\Internet Explorer\iexplore.exe
328 C:\Program Files\Internet Explorer\iexplore.exe
416 C:\WINDOWS\system32\ctfmon.exe
1584 C:\WINDOWS\system32\igfxsrvc.exe
1756 C:\WINDOWS\system32\notepad.exe
284 C:\Documents and Settings\Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000010`2102cc00 (NTFS)

PhysicalDrive0 Model Number: WDCWD800JD-60LSA0, Rev: 07.01D07

     Size  Device Name          MBR Status
     --------------------------------------------
    74 GB  \\.\PhysicalDrive0   Hewlett-Packard MBR code detected
           SHA1: 6DE5B7C1EEAFBE901B2807597A84F9F19604E031


Done!
 
ComboFix not working

Hi Bobbye,
ComboFix ran for 4 hours with no results. Do you have any suggestions as to why?
Thanks, Karen
 
MBR is okay.
======================================
NOTE: If, for some reason, Combofix refuses to run, try one of the following:
1. Run Combofix from Safe Mode.
2. Delete Combofix file, download fresh one, but rename combofix.exe to friday.exe BEFORE saving it to your desktop.
Do NOT run it yet.
-------------------------------------
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 3 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run then try to immediately run the following>>>>.

Please download exeHelper by Raktor and save it to your desktop.
  • Double-click on exeHelper.com or exeHelper.scr to run the fix tool.
  • A black window should pop up, press any key to close once the fix is completed.
  • A log file called exehelperlog.txt will be created (and should open at the end of the scan)
  • A copy of that log will also be saved in the directory where you ran exeHelper.com
  • Copy and paste the contents of exehelperlog.txt in your next reply.

Note: If the window shows a message that says "Error deleting file", please re-run the tool again before posting a log and then post the two logs together (they both will be in the one file).

Rkill instructions
Once you've gotten one of them to run
  • immediately double click on friday.exe to run
  • If normal mode still doesn't work, run BOTH tools from safe mode.

If you have done #2, please post BOTH logs, rKill and Combofix.
===========================================
New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
 
RKill Log; ComboFix still doesn't run

Hello Bobbye,
I ran everything in your latest post in Safe Mode.

Here is the RKill log from tonight:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 12/30/2011 at 18:38:44.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:



Rkill completed on 12/30/2011 at 18:38:48.

ComboFix doesn't complete its run, I tried both ways (usual way, and the file rename to friday.exe).

Here is the Exehelper log:

exeHelper by Raktor
Build 20100414
Run at 18:39:38 on 12/30/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Thank you so much. Happy New Year to you! Karen
 
MBAM Full Scan in Normal Mode

Hi Bobbye!

Thank you for all of your help. A concern I have is that I still can't update Malwarebytes' database, it gives me the error:

"An error has occurred. Please report this error code to our support team.
PROGRAM_ERROR_UPDATING (5. 0. CreateFile)
Access is denied."

Should I uninstall and reinstall to fix this do you think?

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122405

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/2/2012 7:30:49 PM
mbam-log-2012-01-02 (19-30-49).txt

Scan type: Full scan (C:\|)
Objects scanned: 242129
Time elapsed: 32 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Karen, here's the scoop on the 3 Malwarebytes scans:
1. Malwarebytes' Anti-Malware 1.51.2.1300> Normal Mode
Database version: 911122405
12/27/2011 1:06:56 PM
mbam-log-2011-12-27 (13-06-56).txt
Scan type: Quick scan
Objects scanned: 185408
Registry Data Items Infected: 7>>
Hijacked Start Menu:
No Desktop
No ControlPanel
No MyComputer
No Help
No MyDocs
No Run
No Search
--------------------------------------------
2. Malwarebytes' Anti-Malware 1.51.2.1300> (Safe Mode)
Database version: 911122405
Windows 5.1.2600 Service Pack 3
12/28/2011 11:25:52 PM
Scan type: Full scan (C:\|)
Objects scanned: 243392
Registry Data Items Infected: 6
Shows all Hijacked Start Menu processes except for No Desktop which was restored when you ran the Unhide program
---------------------------------
after quarantining the rootkit threat found by TDSS, I rebooted (though it didn't ask me to), then it wouldn't let me update Malwarebytes' database.
>> that's because you were in Safe Mode. It appears you were in just plain Safe Mode and not in Safe Mode with Networking as instructed.

TDSSKiller: Removed the rootkit processes
21:40:25.0015 0360 Detected object count: 1
21:40:25.0015 0360 Actual detected object count: 1
21:40:35.0296 0360 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Quarantine

3. Malwarebytes' Anti-Malware 1.51.2.1300> Normal Mode
Database version: 911122405
1/2/2012 7:30:49 PM
mbam-log-2012-01-02 (19-30-49).txt
Clean!
--------------------------------------
Safe Mode: Loads the minimum set of device drivers. User specific startup programs do not run.
Safe Mode with Networking: Includes the services and drivers needed for network connectivity. Enables logging on to the network, logon scripts, security, and Group Policy settings.
============================================
Do you now have the desktop with icons? Do you now have the My Computer, the Control Panel, your Docs, the Run, Help and Search functions? If not, what are you missing?

You did not tell me which features in particular you were experiencing regarding the particular malware so I need to know if you are having any remaining problem other than problem with Mbam.
--------------------------------------------
You "should" be able to run both Mbam and Combofix with their updates now. Some of our replies were made at the same time, so let's remove these 2 programs now, then download both new and scan. Both should be done in Normal mode:

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Then download new Combofix from the link in my directions and run the scan.
-----------------------------------
Uninstall Malwarebytes using Add/Remove Programs, then use Windows Explorer to access Computer> Local Drive> Programs> do a right click> Delete on the Mbam folder.
Download and install new Mbam with this link: HERE. Be sure you're logged into the Administrative Account. Go to my directions again for the full scan.

I don't think the "access is denied" is a permissions issue, but if you get that with the new download, let me know and we'll fix it.
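Reading the three logs by hand, as the summary above does, generalises to a small triage script. This is an added example (not code from this thread or from the TDSSKiller or Malwarebytes tools) that parses lines in the two log formats posted here and reproduces the same findings: the MBR bootkit and the action taken on it, the Start_Show* values that were reset, and whether the scan ran in plain Safe Mode. The sample lines are constructed and abridged from the logs above; the function names are my own.

```python
import re

# Constructed sample, abridged from the TDSSKiller log in this thread: the
# driver enumeration is cut to one driver, the MBR verdict and the quarantine
# actions are kept as posted.
TDSS_SAMPLE = r"""
21:40:24.0640 0368 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:40:24.0640 0368 WudfRd - ok
21:40:24.0750 0368 MBR (0x1B8) (4f02a8d4048a138c450ed7f867eb0144) \Device\Harddisk0\DR0
21:40:24.0875 0368 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
21:40:24.0875 0368 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
21:40:25.0015 0360 Detected object count: 1
21:40:32.0171 0360 \Device\Harddisk0\DR0 - copied to quarantine
21:40:34.0687 0360 \Device\Harddisk0\DR0\TDLFS\mbr - copied to quarantine
21:40:34.0703 0360 \Device\Harddisk0\DR0\TDLFS\vbr - copied to quarantine
21:40:35.0296 0360 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Quarantine
"""

# Constructed sample in the Malwarebytes log format posted above (two of the
# six Start_Show* hits from the Safe Mode scan; header abridged).
MBAM_SAMPLE = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 911122405
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Scan type: Full scan (C:\|)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

# Every TDSSKiller line is "<time> <pid> <rest>"; the verdict lives in <rest>.
TDSS_LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<rest>.*)$")
INFECTED = re.compile(r"^(?P<obj>\S+) \( (?P<threat>[^)]+) \) - infected$")
ACTION = re.compile(r"^(?P<obj>\S+) \( (?P<threat>[^)]+) \) - User select action: (?P<action>.+)$")
QUARANTINED = re.compile(r"^(?P<obj>\S+) - copied to quarantine$")
COUNT = re.compile(r"^Detected object count: (?P<n>\d+)$")
# Malwarebytes registry-data hit: "<key> (<threat>) -> Bad: (x) Good: (y) -> <result>"
MBAM_REG = re.compile(
    r"^(?P<key>HK\S+) \((?P<threat>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) "
    r"Good: \((?P<good>[^)]*)\) -> (?P<result>.+)$")


def parse_tdsskiller(text):
    """Collect infected objects, the action taken on each, quarantined paths
    and the tool's own declared detection count."""
    threats, quarantined, declared = {}, [], None
    for line in text.splitlines():
        m = TDSS_LINE.match(line.strip())
        if not m:
            continue  # separators, "Scan finished", blank lines
        rest = m.group("rest")
        if h := INFECTED.match(rest):
            threats.setdefault(h["obj"], {"threat": h["threat"], "action": None})
        elif h := ACTION.match(rest):
            entry = threats.setdefault(h["obj"], {"threat": h["threat"], "action": None})
            entry["action"] = h["action"]
        elif h := QUARANTINED.match(rest):
            quarantined.append(h["obj"])
        elif h := COUNT.match(rest):
            declared = int(h["n"])
    return {"threats": threats, "quarantined": quarantined, "declared_count": declared}


def parse_mbam(text):
    """Extract scan mode, database version and the registry-data hits."""
    mode, dbver, hits = "Normal Mode", None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Windows "):
            m = re.search(r"\((Safe Mode[^)]*)\)", line)
            mode = m.group(1) if m else "Normal Mode"
        elif line.startswith("Database version:"):
            dbver = line.split(":", 1)[1].strip()
        elif h := MBAM_REG.match(line):
            hits.append({"key": h["key"], "value": h["key"].rsplit("\\", 1)[-1],
                         "threat": h["threat"], "bad": h["bad"], "good": h["good"],
                         "result": h["result"]})
    return {"mode": mode, "database": dbver, "registry_data": hits}


def triage(tdss, mbam):
    """Turn both parses into the findings a helper would write back to the poster."""
    findings = []
    for obj, info in tdss["threats"].items():
        # Objects quarantined from inside the infected device (here the TDLFS files).
        inner = [q for q in tdss["quarantined"] if q.startswith(obj + "\\")]
        findings.append(f"{info['threat']} on {obj}: action={info['action']}, "
                        f"{len(inner)} sub-objects quarantined")
    if tdss["declared_count"] is not None and tdss["declared_count"] != len(tdss["threats"]):
        findings.append("WARNING: declared detection count differs from parsed verdicts; read the log by hand")
    hijacks = [h for h in mbam["registry_data"] if h["threat"].startswith("PUM.Hijack")]
    if hijacks:
        findings.append(f"{len(hijacks)} hijacked start-menu values reset: "
                        + ", ".join(h["value"] for h in hijacks))
    if mbam["mode"].startswith("Safe Mode") and "Networking" not in mbam["mode"]:
        findings.append("Scan ran in plain Safe Mode (no networking): definition updates cannot succeed there")
    return findings
```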
 
Hi Bobbye,
If I restarted in Safe Mode (without Networking) I did it in error, I apologize. Now when I turn the computer on, the screen goes black though the power indicator is lit. I have to hit the off switch then again to turn it on but it only stays on for about 15 seconds. I can't get the information you need nor uninstall and reinstall the programs and run them. I'll have to try to connect my other screen to proceed, I will try that in the next few hours. Thank you for your patience.
Karen
 
Status & ComboFix info.

Good morning,
I am in Normal Mode and uninstalled then reinstalled ComboFix, and I turned off Avast. It still says it is blocking something with regards to ComboFix (a few different things, goes by quick, one is pev something). Then after the black ComboFix screen closes, I get the error: "Warning!! Do not run ComboFix in Compatibility Mode. Doing so may damage the machine." I never get the blue ComboFix screen.
What I see as still an issue is that the files (i.e. shortcuts on the desktop) are still hidden, and I would believe that there is still a problem because I can't run ComboFix and can't update MBAM. Now my screen goes blank, had to switch screens with another computer. I am not however getting the same error messages in Normal Mode that I was before due to the virus, so we're getting somewhere which is great!
I'm going to uninstall then reinstall MBAM and run again, will post the results.
Thanks, Karen
 