
Dodni

Everything posted by Dodni

  1. I think so.... systray icons still acting inconsistently, but seems good so far
  2. Hey MrC, here is the log from the MBAM log (I attached it) mbam-log-2012-01-06 (18-23-17).txt
  3. Hey MrC, the scan is still going (11+ hrs so far) and I need to get to work. I will let this run and post the log when I get home later tonight
  4. I was actually pleased to see that my Windows Update came back; I was unable to actually get to Windows Update while I was infected - the nasty bug was preventing me from doing updates. So, upon a couple reboots, my icons still did not return. I then activated that Flash Subs utility you pointed me to last night. It went into its own kind of "safe mode" while creating the autorun.inf folders on my USB drives and requested a reboot. Rebooted, and when Windows started, ALL my systray icons returned (I think I have 11 of them; including the yellow Win Update and the Red Win Security warning). I did not notice a visible scan for malware, etc., and thought the "scan" was rather fast, so I activated that utility again... it did that "safe mode" thing again, and a couple of the icons disappeared (the yellow windows update badge being one of them). I started Malwarebytes Anti-Malware and started a scan of my USB drives (I checked all my externals and unchecked my system drive) figuring that the drives are dormant and that the scan would be completed by the morning; The scan is still going (@ 9am EST) and so far, the info screen is indicating 17 Objects Detected in red.
  5. The yellow windows update badge came back but I am missing a bunch of the icons in the systray; the audio icon (think it was SoundMax), the eject media icon, logmein app, extender resource monitor, apple airport manager and 2 others
  6. Rebooting.... when it was finishing the combofix.txt log, the icons in the systray went wonky.... a couple are missing now, but will see after reboot
  7. Combofix.txt below ComboFix 12-01-05.04 - Administrator 01/05/2012 21:54:26.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1466 [GMT -5:00] Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_FWHOOKDRV ((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 ))))))))))))))))))))))))))))))) 2012-01-06 03:16:25 . 2012-01-06 03:16:25 56200 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FFCBBDBA-0A64-439D-AF0E-34D4E4FA896D}\offreg.dll 2012-01-06 02:24:44 . 2012-01-06 02:24:44 -------- d-----w- C:\_OTL 2012-01-05 15:55:25 . 2011-11-30 07:21:44 6823496 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FFCBBDBA-0A64-439D-AF0E-34D4E4FA896D}\mpengine.dll 2012-01-05 15:49:59 . 2009-08-07 00:23:46 215920 ----a-w- C:\WINDOWS\system32\muweb.dll 2012-01-05 06:56:17 . 2012-01-05 06:56:17 -------- d-----w- C:\Documents and Settings\Dondi 2012-01-05 04:29:35 . 2008-06-20 11:51:12 361600 ----a-w- C:\tcpip.sys 2012-01-05 00:19:54 . 2012-01-05 00:19:54 -------- d--h--w- C:\Documents and Settings\Default User.WINDOWS.0 2012-01-05 00:19:54 . 2012-01-05 00:19:54 -------- d-----w- C:\Documents and Settings\All Users.WINDOWS.0 2012-01-04 23:51:06 . 2012-01-05 16:47:37 111872 ----a-w- C:\WINDOWS\system32\drivers\TrueSight.sys 2011-12-18 20:31:36 . 2011-12-18 20:31:36 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\PCHealth 2011-12-17 21:09:11 . 
2011-12-17 21:09:11 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{8D50E0A0-BDC4-478A-B305-2C90839CD6E9}-A0193330.exe 2011-12-17 21:09:11 . 2011-12-17 21:09:11 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{69AF7BA9-D1BE-4500-870C-A9ED890A010B}-A0193400.exe 2011-12-17 21:09:06 . 2011-12-17 21:09:06 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{1F20FD2D-4BF4-4807-94B2-D7321EDAFDFB}-A0027261.exe 2011-12-17 21:09:04 . 2011-12-17 21:09:04 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{FE7F776B-2D39-41B2-B7C1-372A964E0DB5}-A0027192.exe 2011-12-17 21:09:02 . 2011-12-17 21:09:02 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{A3BCBC79-6628-4D9A-859B-8A33522D5114}-A0027056.exe 2011-12-17 21:09:02 . 2011-12-17 21:09:02 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{525C59F1-4A7E-4149-A643-F245ABA0B392}-A0027124.exe 2011-12-17 17:34:16 . 2011-12-10 20:24:06 20464 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys 2011-12-17 17:34:15 . 2012-01-05 00:12:14 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware 2011-12-17 06:31:02 . 2012-01-05 04:47:54 -------- d-----w- C:\Program Files\Spybot - Search & Destroy 2011-12-17 06:31:02 . 2012-01-05 04:44:58 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2011-12-17 05:59:29 . 2011-12-17 05:59:32 388096 ----a-r- C:\Documents and Settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-12-17 05:59:25 . 2011-12-17 05:59:25 -------- d-----w- C:\Program Files\Trend Micro 2011-12-17 04:34:15 . 
2011-12-17 04:34:15 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{D026EE29-CB60-4592-ADE4-091B2E6AE395}-A0193330.exe 2011-12-17 04:34:15 . 2011-12-17 04:34:15 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{B7950F68-48CD-4E06-B807-87B6E0EDE3FB}-A0027056.exe 2011-12-17 04:34:15 . 2011-12-17 04:34:15 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{AFC77CBA-4C4E-47E7-A040-0AC7EB5FF577}-A0027261.exe 2011-12-17 04:34:15 . 2011-12-17 04:34:15 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{5C4CEE39-384A-4DBE-B6C1-5D3EF125C918}-A0027124.exe 2011-12-17 04:34:15 . 2011-12-17 04:34:15 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{1622A377-0375-4A86-A583-C78C5494CFFC}-A0027192.exe 2011-12-17 04:34:10 . 2011-12-17 04:34:10 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{9F11835D-FC56-40D6-B1C2-E39A3B4CFF3B}-A0193400.exe 2011-12-17 03:13:23 . 2011-12-17 03:13:23 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{C2DC7F42-4D0F-44CE-8094-FD7F2A70FCCF}-A0027056.exe 2011-12-17 03:13:23 . 2011-12-17 03:13:23 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{3869BA65-082A-4BB2-95EF-40093D435B79}-A0027124.exe 2011-12-17 03:13:22 . 2011-12-17 03:13:22 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{BCA44248-3F95-4E71-A95A-F3B810F1C5A9}-A0193400.exe 2011-12-17 03:13:22 . 
2011-12-17 03:13:22 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{8422E27D-1BC0-442A-A394-3E5031F4D586}-A0027192.exe 2011-12-17 03:13:22 . 2011-12-17 03:13:22 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{827CE6EA-3803-48C3-A3E3-1FDDCEC141D8}-A0027261.exe 2011-12-17 03:13:22 . 2011-12-17 03:13:22 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{7D336F6D-8111-4602-AA81-D4B683EE8E59}-A0193330.exe 2011-12-16 16:03:36 . 2011-12-16 16:03:36 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{CAB83086-7C12-4626-BBA7-32666AA6D169}-A0193400.exe 2011-12-16 16:03:33 . 2011-12-16 16:03:33 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{EB11E7C0-B6EC-46FE-BC75-98FDE8ECCB3E}-A0193330.exe 2011-12-16 16:03:21 . 2011-12-16 16:03:21 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{471085BA-EC51-4397-8EEC-D436954974C3}-A0027261.exe 2011-12-16 16:03:09 . 2011-12-16 16:03:09 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{092F92E6-E717-4431-83DA-467643B73C30}-A0027192.exe 2011-12-16 16:03:00 . 2011-12-16 16:03:00 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{22D80A96-30E5-4916-A832-CA1B03E80F52}-A0027124.exe 2011-12-16 16:02:51 . 2011-12-16 16:02:51 16619 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{B6A85ADF-1D21-457A-B462-E7F57E6B667D}-A0027056.exe 2011-12-16 08:00:02 . 2011-12-16 08:00:02 -------- d-----w- C:\Program Files\AVG 2011-12-16 07:56:13 . 
2011-12-16 07:56:13 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Common Files 2011-12-16 07:55:48 . 2011-12-16 07:56:42 -------- d-----w- C:\Documents and Settings\All Users\Application Data\MFAData 2011-12-16 03:12:20 . 2011-11-30 07:21:44 6823496 ----a-w- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-12-15 07:24:52 . 2011-12-15 11:22:48 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe 2011-12-15 01:37:39 . 2011-12-15 01:37:39 -------- d-----w- C:\Program Files\iPod 2011-12-15 01:37:34 . 2011-12-15 01:39:04 -------- d-----w- C:\Program Files\iTunes 2011-12-09 05:31:10 . 2011-12-09 07:41:05 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Auslogics 2011-12-09 05:31:03 . 2011-12-09 05:35:26 -------- d-----w- C:\Program Files\Auslogics 2011-12-09 04:49:10 . 2011-12-09 04:49:17 -------- d-----w- C:\Program Files\CCleaner 2011-12-09 04:38:20 . 2011-11-15 19:29:56 222080 ------w- C:\WINDOWS\system32\MpSigStub.exe 2011-12-09 04:35:35 . 2011-12-09 04:36:12 -------- d-----w- C:\Program Files\Microsoft Security Client 2011-12-09 02:45:47 . 2011-12-09 02:45:47 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes 2011-12-09 02:45:40 . 2011-12-09 02:45:40 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2011-12-08 05:26:01 . 2011-12-08 05:26:01 -------- d-s---w- C:\Documents and Settings\NetworkService\UserData . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) 2011-12-17 12:59:17 . 2009-05-06 16:12:33 83360 ----a-w- C:\WINDOWS\system32\LMIRfsClientNP.dll 2011-12-17 12:59:16 . 2009-05-06 16:12:34 52096 ----a-w- C:\WINDOWS\system32\Spool\prtprocs\w32x86\LMIproc.dll 2011-12-17 12:59:16 . 
2009-05-06 16:12:34 30592 ----a-w- C:\WINDOWS\system32\LMIport.dll 2011-12-17 12:59:16 . 2009-05-06 16:09:47 87424 ----a-w- C:\WINDOWS\system32\LMIinit.dll 2011-12-08 07:25:39 . 2008-11-15 15:46:25 57600 ----a-w- C:\WINDOWS\system32\drivers\redbook.sys 2011-11-27 23:03:18 . 2011-05-28 23:00:44 414368 ----a-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl 2011-10-24 18:29:02 . 2011-10-24 18:29:02 94208 ----a-w- C:\WINDOWS\system32\QuickTimeVR.qtx 2011-10-24 18:29:02 . 2011-10-24 18:29:02 69632 ----a-w- C:\WINDOWS\system32\QuickTime.qts 2011-10-10 14:22:41 . 2005-01-25 21:16:30 692736 ----a-w- C:\WINDOWS\system32\inetcomm.dll 2011-11-21 04:04:51 . 2011-04-30 17:14:33 134104 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll ((((((((((((((((((((((((((((( SnapShot@2012-01-05_06.53.16 ))))))))))))))))))))))))))))))))))))))))) + 2012-01-06 03:16:44 . 2012-01-06 03:16:44 16384 C:\WINDOWS\Temp\Perflib_Perfdata_dcc.dat + 2012-01-06 03:16:40 . 2012-01-06 03:16:40 16384 C:\WINDOWS\Temp\Perflib_Perfdata_280.dat + 2008-11-15 15:46:26 . 
2008-04-13 19:19:42 75264 C:\WINDOWS\system32\dllcache\ipsec.sys ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 18:56:34 64512] "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-01 02:10:00 344064] "CTHelper"="CTHELPER.EXE" [2007-04-09 17:32:32 19456] "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-10-23 14:37:46 962560] "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 22:46:10 63048] "Transcode360"="C:\Program Files\Transcode360\Transcode360Tray.exe" [2006-05-02 17:01:30 192512] "My Movies Tray"="C:\Program Files\MCE\My Movies\My Movies Tray.exe" [2009-11-16 20:45:46 312280] "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 22:53:56 153136] "UsbBoost"="C:\Program Files\UsbBoost\TurboHddUsb.exe" [2010-06-02 00:59:10 3788800] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 22:58:10 37296] "Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 04:59:06 937920] "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 05:52:06 59240] "AirPort Base Station Agent"="C:\Program Files\AirPort\APAgent.exe" [2009-11-11 20:17:02 771360] "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 06:41:12 49208] "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 03:32:54 61440] "APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 04:25:58 59240] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2011-10-24 18:28:52 421888] "iTunesHelper"="C:\Program 
Files\iTunes\iTunesHelper.exe" [2011-12-08 06:36:42 421736] "Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 22:50:18 460872] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 06:01:00 437160] C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ Shortcut to MTV.lnk - C:\Documents and Settings\Administrator\Desktop\MTV.vbs [2008-12-18 2502] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 18432] VLC360.lnk - C:\Program Files\Dun74\VLC360\VLC360.bat [2006-3-27 76] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "GreyMSIAds"= 0 (0x0) "HideSCABattery"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2011-12-17 12:59:16 87424 ----a-w- C:\WINDOWS\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk /p \??\O:\0autocheck autochk /p \??\J:\0autocheck autochk /p \??\I:\0autocheck autochk * [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\dCut\\DCutService.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\Transcode360\\Transcode360Tray.exe"= "C:\\Program Files\\Mozilla Firefox\\firefox.exe"= "C:\\WINDOWS\\ehome\\ehExtHost.exe"= "C:\\Program Files\\NETGEAR ReadyNAS\\RAIDar.exe"= "C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"= "C:\\Program Files\\Java\\jre6\\bin\\java.exe"= "C:\\Program 
Files\\AirPort\\APUtil.exe"= "C:\\Program Files\\AirPort\\APAgent.exe"= "C:\\Program Files\\NETGEAR ReadyNAS\\Remote\\bin\\ReadyNASRemote.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "20001:UDP"= 20001:UDP:MicroSAN "3776:UDP"= 3776:UDP:Media Center Extender Service "3390:TCP"= 3390:TCP:Remote Media Center Experience "5353:UDP"= 5353:UDP:Bonjour "9100:TCP"= 9100:TCP:PORT_9100_TCP "161:UDP"= 161:UDP:PORT_161_UDP "427:UDP"= 427:UDP:PORT_427_UDP "50000:UDP"= 50000:UDP:IHA_MessageCenter "50120:UDP"= 50120:UDP:IHA_MessageCenter [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) R1 FNETURPX;FNETURPX;C:\WINDOWS\system32\drivers\FNETURPX.SYS [6/1/2010 7:59:11 PM 7936] R1 oxfwlf;oxfwlf;C:\WINDOWS\system32\drivers\OxFWLF.sys [6/17/2010 6:52:58 PM 12043] R2 IHA_MessageCenter;IHA_MessageCenter;C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [7/1/2011 2:01:18 PM 286736] R2 LMIGuardianSvc;LMIGuardianSvc;C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe [9/30/2010 5:56:25 PM 374152] R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46:12 PM 12856] R2 MBAMService;MBAMService;C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [12/17/2011 12:34:22 PM 652872] R2 MSSQL$MYMOVIES;SQL Server (MYMOVIES);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 5:29:30 PM 29293408] R3 FNETTBOH;FNETTBOH;C:\WINDOWS\system32\drivers\FNETTBOH.SYS [6/1/2010 7:59:10 PM 23680] R3 leafnets;Leaf Networks Adapter;C:\WINDOWS\system32\drivers\leafnets.sys [5/26/2011 12:51:44 PM 55296] R3 MBAMProtector;MBAMProtector;C:\WINDOWS\system32\drivers\mbam.sys 
[12/17/2011 12:34:16 PM 20464] R3 powerfil;powerfil;C:\WINDOWS\system32\drivers\powerfil.sys [11/15/2008 10:46:26 AM 8832] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16:28 PM 130384] S2 XMLProvS;Network ProService;C:\WINDOWS\System32\svchost.exe -k xmlpros [8/10/2004 7:00:00 AM 14336] S3 CEUSBAUD;DigiTech USB MIDI Driver (MIDI);C:\WINDOWS\system32\drivers\ceusbaud.sys [6/11/2011 11:27:52 AM 17920] S3 ivusb;Initio Driver for USB Default Controller;C:\WINDOWS\system32\drivers\ivusb.sys [7/29/2010 12:25:42 AM 25112] S3 WDC_SAM;WD SCSI Pass Thru driver;C:\WINDOWS\system32\drivers\wdcsam.sys [5/6/2008 3:06:00 PM 11520] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16:28 PM 753504] S3 WPRO_41_1742;WinPcap Packet Driver (WPRO_41_1742); [x] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] QWAVE REG_MULTI_SZ QWAVE xmlpros REG_MULTI_SZ XMLProvS Contents of the 'Scheduled Tasks' folder 2012-01-06 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39:26 . 2011-04-27 20:39:26] ------- Supplementary Scan ------- TCP: Interfaces\{E6B482D6-C571-43EE-B7CF-80D299D37BAF}: NameServer = 192.168.1.1,68.237.161.12 FF - ProfilePath - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a26tfnti.default\
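The ComboFix log above records the machine's posture alongside its startup entries: the Windows Firewall value `"EnableFirewall"= 0`, a GloballyOpenPorts list that includes 3389/TCP, the AV line marked `*Disabled/Updated*`, and a Startup-folder shortcut that runs `MTV.vbs` from the Administrator's Desktop (the same item RogueKiller later lists under `[SUSP PATH]`). The Python below is an added example, not part of Dodni's post and not a ComboFix feature: it pulls those facts out of a ComboFix-style log so a helper can see them at a glance. The function names and the heuristics are the editor's own, and `SAMPLE_LOG` is a short excerpt of the posted log, not a complete one.

```python
"""Triage a ComboFix-style log excerpt for weak posture and odd startup entries.

Added example for illustration; not part of the original forum post or of
ComboFix. The heuristics and function names are the editor's own. SAMPLE_LOG is
an excerpt of the log posted above, reduced to a few representative lines.
"""
import re

# Excerpt of the posted ComboFix log (a handful of lines, not a complete log).
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 18:56:34 64512]
"Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 22:50:18 460872]
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Shortcut to MTV.lnk - C:\Documents and Settings\Administrator\Desktop\MTV.vbs [2008-12-18 2502]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Bonjour
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
"""

# Profile locations a normal installer does not use for auto-start binaries.
# A startup item launching from one of these deserves a second look; it is
# not proof of malice (RogueKiller flags the same MTV.vbs shortcut as SUSP PATH).
USER_WRITABLE = re.compile(
    r"\\(Desktop|Application Data|Local Settings|Temp|My Documents)\\", re.I)

RUN_VALUE = re.compile(r'^"[^"]+"="([^"]+)"')        # "Name"="C:\path\x.exe" [...]
STARTUP_LNK = re.compile(r"^\S.*\.lnk - (.+?) \[")    # Foo.lnk - C:\path\x.vbs [date size]
FIREWALL_OFF = re.compile(r'^"EnableFirewall"=\s*0\b')
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=')
AV_DISABLED = re.compile(r"^AV: .*\*Disabled")


def triage(log_text):
    """Return a dict of findings extracted from a ComboFix-style log."""
    findings = {"av_disabled": False, "firewall_disabled": False,
                "open_ports": [], "suspicious_startup": []}
    for line in log_text.splitlines():
        line = line.strip()
        if AV_DISABLED.match(line):
            findings["av_disabled"] = True
        elif FIREWALL_OFF.match(line):
            findings["firewall_disabled"] = True
        elif (m := OPEN_PORT.match(line)):
            findings["open_ports"].append(f"{m.group(1)}/{m.group(2)}")
        else:
            # Run-key values and Startup-folder shortcuts both yield a launch path.
            m = RUN_VALUE.match(line) or STARTUP_LNK.match(line)
            if m and USER_WRITABLE.search(m.group(1)):
                findings["suspicious_startup"].append(m.group(1))
    return findings


def risk_notes(findings):
    """Turn findings into the plain-language points a helper would raise."""
    notes = []
    if findings["firewall_disabled"] and "3389/TCP" in findings["open_ports"]:
        notes.append("Windows Firewall is off and RDP (3389/TCP) is in the open-ports list")
    if findings["av_disabled"]:
        notes.append("Real-time AV reported disabled")
    for path in findings["suspicious_startup"]:
        notes.append(f"Startup item runs from a user-writable location: {path}")
    return notes


if __name__ == "__main__":
    for note in risk_notes(triage(SAMPLE_LOG)):
        print("-", note)
```

The point of the open-ports check is the combination: an entry in GloballyOpenPorts is harmless while the firewall is on, but with `EnableFirewall` at 0 every listening service is exposed regardless of that list, so the script reports the pair rather than either alone.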
  8. Making me a little nervous MrC, but I admire your tenacity. Ok, it rebooted into what looked like Combofix's own "safe mode", restarted the scan, rebacked-up the registry and started going through the stages (Stages 4 & 5 took a really long time). Finished everything, rebooted and upon reboot it looks like it is hung on preparing the log report at the Find3M point (guessing, but that is what is in the title bar), which is where it hung the very first time we did this. By the looks of the systray, I think the internet is still working though (I haven't touched the PC)..... ahhhhhh just as I wrote this, Combofix completed the log... stand by
  9. 2 more dialog boxes... next one said rootkit activity detected, be patient, this may take some moments, last one says detected rootkit activity and needs to reboot
  10. Getting dialog box saying infected with Rootkit.ZeroAccess! and has inserted itself into the tcp/ip stack. Also telling me it is a particularly difficult infection ;-P (writing this from my laptop. Combofix still running on the MCE PC)
  11. Ok, that fix script initiated a reboot and when windows opened the log file was already open. AND...... my systray has the running programs back. Previous to this I only had the red MS Security badge (Firewall and Security are presently off), the yellow MS Update badge (which hadn't been there in a really long time until last night after the ComboFix) and the icon for the network connection. Now, all my resident apps are back in the systray. Here is the log: All processes killed ========== OTL ========== C:\Documents and Settings\All Users\Application Data\441012f6c087i562i532w0vpl3l8 moved successfully. C:\Documents and Settings\Administrator\Local Settings\Application Data\441012f6c087i562i532w0vpl3l8 moved successfully. C:\Documents and Settings\All Users\Application Data\663815s6c502f177c640s6gwy0d0 moved successfully. C:\Documents and Settings\Administrator\Local Settings\Application Data\663815s6c502f177c640s6gwy0d0 moved successfully. C:\Documents and Settings\All Users\Application Data\~1kAlMiG2Kb7FzP moved successfully. C:\Documents and Settings\All Users\Application Data\~1kAlMiG2Kb7FzPr moved successfully. C:\Documents and Settings\All Users\Application Data\1kAlMiG2Kb7FzP moved successfully. C:\Documents and Settings\Administrator\Application Data\8c94a2bd moved successfully. C:\Documents and Settings\Administrator\Application Data\9b312ab8 moved successfully. C:\Documents and Settings\Administrator\Application Data\7becd547 moved successfully. Folder C:\Documents and Settings\All Users\Application Data\mBjNeCk15405\ not found. ========== FILES ========== C:\WINDOWS\tasks\AppleSoftwareUpdate.job moved successfully. C:\WINDOWS\tasks\At1.job moved successfully. C:\WINDOWS\tasks\At2.job moved successfully. C:\WINDOWS\tasks\At3.job moved successfully. C:\WINDOWS\tasks\At4.job moved successfully. C:\WINDOWS\tasks\Auslogics BoostSpeed Integrator Scan and Repair.job moved successfully. C:\WINDOWS\tasks\MP Scheduled Scan.job moved successfully. 
File\Folder [emptytemp] not found. OTL by OldTimer - Version 3.2.31.0 log created on 01052012_212444 Files\Folders moved on Reboot... Registry entries deleted on Reboot...
  12. Thanks, I will do that once we are all done, and when I have some time to go through them. Now that we are getting close, I was wondering if you would suggest what utilities, tools, etc. I should have on my machine and which ones I should have running resident on the PC. I know there is a thread somewhere, but perhaps you could give me some guidance in this thread. I also have a NAS box and another USB hanging off of an Apple Airport Extreme; both have shares that I have mapped to drive letters on this PC. I hope to give them a thorough scan as well. Thanks in advance MrC
  13. Ok, will do. I wanted to ask you about what I should use for external USB drives. I have a number of them with files on them. If I had to guess, I would say that maybe the root of the problem came from one of those external drives. I recently attached a USB hub to the PC and connected all my USB drives. I am thinking that my problem started there while the drives went into Autorun mode (I have since disabled the Autorun for external drives). Perhaps you could give me some guidance on how to attack the USB drives (e.g., which scan tools, etc.) I will post the logs soon. Thanks MrC
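Post 13 asks how to approach the external USB drives and names AutoRun as the suspected entry point; post 4 describes a utility that created `autorun.inf` folders on those drives. The Python below is an added example (the editor's code, not a tool from this thread) covering both halves of that: it parses an `autorun.inf`, reports whether the file would launch anything when the drive is inserted, and shows the folder trick, occupying the `autorun.inf` name with a directory so a worm cannot drop a file of that name. The function names and the two sample `autorun.inf` texts are constructed for illustration; the `RECYCLER\...` path in the second sample is made up and does not come from any log in this thread.

```python
"""Inspect autorun.inf files on removable drives and show the folder mitigation.

Added example for the USB-drive question above; the editor's own code, not a
tool from the thread. BENIGN_INF and WORMLIKE_INF are constructed samples and
the RECYCLER\... path in the second one is made up.
"""
import os
import re

# Keys that cause code execution (open/shellexecute on insertion, or a
# context-menu default that the Explorer double-click action inherits).
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

# Constructed sample: icon and label only, the legitimate use of autorun.inf.
BENIGN_INF = """[autorun]
icon=setup.ico
label=Backup Drive
"""

# Constructed sample in the style of USB worms: every launch key points at a
# hidden executable and 'action' mimics the normal Explorer prompt text.
WORMLIKE_INF = """; constructed example, paths are made up
[autorun]
open=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\xyz.exe
shellexecute=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\xyz.exe
shell\\open\\command=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\xyz.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\xyz.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return {key_lower: value} for the [autorun] section; comments and other sections are skipped."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Executables the file would run or offer as the double-click default."""
    return sorted({v for k, v in entries.items() if LAUNCH_KEYS.match(k)})


def assess(text):
    """Classify autorun.inf text: 'launches' (runs code), 'cosmetic' (icon/label only) or 'empty'."""
    entries = parse_autorun(text)
    if not entries:
        return "empty", []
    targets = launch_targets(entries)
    return ("launches" if targets else "cosmetic"), targets


def inspect_drive(drive_root):
    """Look at <root>/autorun.inf: a file is assessed, a directory means the name is blocked."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return "blocked", []
    if not os.path.isfile(path):
        return "none", []
    with open(path, "r", errors="replace") as fh:   # some worms write UTF-16; tolerate it
        return assess(fh.read())


def block_autorun_file(drive_root):
    """Occupy the autorun.inf name with a directory so nothing can create a file there.

    This is the folder trick the utility in post 4 applied to the USB drives.
    Such utilities also make the folder hard to delete; this example does not.
    Returns False without changing anything if a real autorun.inf file exists,
    because that file should be inspected and removed first."""
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isfile(path):
        return False
    os.makedirs(path, exist_ok=True)
    return os.path.isdir(path)


if __name__ == "__main__":
    print("benign  :", assess(BENIGN_INF))
    print("wormlike:", assess(WORMLIKE_INF))
```

The folder mitigation only stops the dropper from writing the file; it does nothing about an infection already on the drive, which is why `block_autorun_file` refuses to proceed while a real `autorun.inf` file is present, and why the drives still need the scan the post asks about. Disabling AutoRun on the host, as post 13 says was done, is the stronger control because it does not depend on the state of each drive.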
  14. Haven't really messed with it much besides the quick scan, but so far, so good. Internet seems good. Startup time didn't seem to change, still a bit on the slow side. Here is the MBR.dat zipped & attached MBR.zip
  15. Wow, that "Quick Scan" took a really long time. Here is the log: aswMBR version 0.9.9.1156 Copyright© 2011 AVAST Software Run date: 2012-01-05 19:08:34 ----------------------------- 19:08:34.171 OS Version: Windows 5.1.2600 Service Pack 3 19:08:34.171 Number of processors: 2 586 0x409 19:08:34.187 ComputerName: DONDIMCE UserName: 19:08:41.609 Initialize success 19:09:35.812 AVAST engine defs: 12010501 19:10:11.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 19:10:11.312 Disk 0 Vendor: ST3200822A 3.01 Size: 190782MB BusType: 3 19:10:11.328 Disk 0 MBR read successfully 19:10:11.328 Disk 0 MBR scan 19:10:11.437 Disk 0 Windows XP default MBR code 19:10:11.453 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 37997 MB offset 63 19:10:11.468 Disk 0 Partition - 00 0F Extended LBA 152782 MB offset 77818860 19:10:11.500 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 152782 MB offset 77818923 19:10:11.531 Disk 0 scanning sectors +390716865 19:10:11.640 Disk 0 scanning C:\WINDOWS\system32\drivers 19:10:49.078 Service scanning 19:10:50.984 Modules scanning 19:11:03.156 Disk 0 trace - called modules: 19:11:03.156 19:11:03.609 AVAST engine scan C:\WINDOWS 19:11:08.546 AVAST engine scan C:\WINDOWS\system32 19:12:58.687 AVAST engine scan C:\WINDOWS\system32\drivers 19:13:14.250 AVAST engine scan C:\Documents and Settings\Administrator 20:16:41.406 AVAST engine scan C:\Documents and Settings\All Users 20:18:56.750 Scan finished successfully 20:19:35.609 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat" 20:19:35.625 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
  16. I am unsure if it specified, but I know a dialog box came up each time saying it detected it and was working on a rootkit, had to reboot and Combofix also did the deeper scans each time (maybe it always does?). Sorry I couldn't be more specific, but I don't recall it signifying the rootkit name. I am assuming it still being Zero.Access?? Windows Update has appeared for the first time in a long while in the systray though... good sign. Thanks MrC. I am shutting the computer down and off to work. I will await your direction for when I get home later. RogueKiller log RogueKiller V6.2.2 [12/31/2011] by Tigzy mail: tigzyRK<at>gmail<dot>com Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User: Administrator [Admin rights] Mode: Scan -- Date : 01/05/2012 11:38:58 ¤¤¤ Bad processes: 0 ¤¤¤ ¤¤¤ Registry Entries: 3 ¤¤¤ [sUSP PATH] Shortcut to MTV.lnk : C:\Documents and Settings\Administrator\Desktop\MTV.vbs -> FOUND [DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{E6B482D6-C571-43EE-B7CF-80D299D37BAF} : NameServer (192.168.1.1,68.237.161.12) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver: [LOADED] ¤¤¤ ¤¤¤ Infection : ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: +++++ --- User --- [MBR] 3c1e4cbc3502f365d373dcfed71a4ae0 [bSP] 3a200ce8e0e512e3e28ec5a81102d592 : Windows XP MBR Code Partition table: 0 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 63 | Size: 39843 Mo 1 - [XXXXXX] UNKNW [VISIBLE] Offset (sectors): 77818860 | Size: 160203 Mo User = LL1 ... OK! User = LL2 ... OK! 
+++++ PhysicalDrive1: +++++
--- User ---
[MBR] 6499cd8ffcfc7acc3b6c4f1e712460ee
[BSP] d5ba21d79064270431b71c1fdfbd4aef : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS [VISIBLE] Offset (sectors): 2048 | Size: 1000203 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

TDSSkiller log

11:39:47.0171 4500 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
11:39:47.0406 4500 ============================================================
11:39:47.0406 4500 Current date / time: 2012/01/05 11:39:47.0406
11:39:47.0406 4500 SystemInfo:
11:39:47.0421 4500
11:39:47.0421 4500 OS Version: 5.1.2600 ServicePack: 3.0
11:39:47.0421 4500 Product type: Workstation
11:39:47.0421 4500 ComputerName: DONDIMCE
11:39:47.0421 4500 UserName: Administrator
11:39:47.0421 4500 Windows directory: C:\WINDOWS
11:39:47.0421 4500 System windows directory: C:\WINDOWS
11:39:47.0421 4500 Processor architecture: Intel x86
11:39:47.0421 4500 Number of processors: 2
11:39:47.0421 4500 Page size: 0x1000
11:39:47.0421 4500 Boot type: Normal boot
11:39:47.0421 4500 ============================================================
11:39:54.0781 4500 Initialize success
11:40:05.0468 4684 ============================================================
11:40:05.0468 4684 Scan started
11:40:05.0468 4684 Mode: Manual; SigCheck; TDLFS;
11:40:05.0468 4684 ============================================================
11:40:07.0625 4684 Abiosdsk - ok
11:40:07.0656 4684 abp480n5 - ok
11:40:07.0703 4684 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:40:08.0062 4684 ACPI - ok
11:40:08.0093 4684 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
11:40:08.0296 4684 ACPIEC - ok
11:40:08.0312 4684 adpu160m - ok
11:40:08.0359 4684 aeaudio (2c5b1f8142a96233c07c93328b5ea635) C:\WINDOWS\system32\drivers\aeaudio.sys
11:40:08.0390 4684 aeaudio - ok
11:40:08.0421 4684 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
11:40:08.0593 4684 aec - ok
11:40:08.0640 4684 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
11:40:08.0671 4684 AFD - ok
11:40:08.0703 4684 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
11:40:08.0843 4684 agp440 - ok
11:40:08.0859 4684 Aha154x - ok
11:40:08.0875 4684 aic78u2 - ok
11:40:08.0890 4684 aic78xx - ok
11:40:08.0921 4684 AliIde - ok
11:40:08.0937 4684 amsint - ok
11:40:08.0968 4684 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:40:09.0109 4684 Arp1394 - ok
11:40:09.0109 4684 asc - ok
11:40:09.0125 4684 asc3350p - ok
11:40:09.0140 4684 asc3550 - ok
11:40:09.0187 4684 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:40:09.0312 4684 AsyncMac - ok
11:40:09.0375 4684 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
11:40:09.0515 4684 atapi - ok
11:40:09.0515 4684 Atdisk - ok
11:40:09.0640 4684 ati2mtag (c0b86ecb324e50f6bbd529f9d5c6b24b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
11:40:09.0859 4684 ati2mtag ( UnsignedFile.Multi.Generic ) - warning
11:40:09.0859 4684 ati2mtag - detected UnsignedFile.Multi.Generic (1)
11:40:09.0890 4684 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:40:10.0015 4684 Atmarpc - ok
11:40:10.0046 4684 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
11:40:10.0171 4684 audstub - ok
11:40:10.0203 4684 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
11:40:10.0343 4684 Beep - ok
11:40:10.0406 4684 catchme - ok
11:40:10.0453 4684 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
11:40:10.0578 4684 cbidf2k - ok
11:40:10.0609 4684 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
11:40:10.0750 4684 CCDECODE - ok
11:40:10.0765 4684 cd20xrnt - ok
11:40:10.0796 4684 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
11:40:10.0921 4684 Cdaudio - ok
11:40:10.0953 4684 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
11:40:11.0078 4684 Cdfs - ok
11:40:11.0109 4684 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:40:11.0250 4684 Cdrom - ok
11:40:11.0281 4684 CEUSBAUD (42291a123cad3914ead8d73169e13661) C:\WINDOWS\system32\Drivers\CEUSBAUD.sys
11:40:11.0296 4684 CEUSBAUD ( UnsignedFile.Multi.Generic ) - warning
11:40:11.0296 4684 CEUSBAUD - detected UnsignedFile.Multi.Generic (1)
11:40:11.0312 4684 Changer - ok
11:40:11.0328 4684 CmdIde - ok
11:40:11.0375 4684 COMMONFX.DLL (1ef05b641e9a67ded74ac8ad40055dbf) C:\WINDOWS\system32\COMMONFX.DLL
11:40:11.0484 4684 COMMONFX.DLL - ok
11:40:11.0531 4684 Cpqarray - ok
11:40:11.0578 4684 CT20XUT.DLL (6191a973461852a09d643609e1d5f7c6) C:\WINDOWS\system32\CT20XUT.DLL
11:40:11.0609 4684 CT20XUT.DLL - ok
11:40:11.0656 4684 ctac32k (8ac5f77e30e37d2d11bd99eff0c53d8c) C:\WINDOWS\system32\drivers\ctac32k.sys
11:40:11.0687 4684 ctac32k - ok
11:40:11.0734 4684 ctaud2k (673241d314e932f4890509ae8ebf26db) C:\WINDOWS\system32\drivers\ctaud2k.sys
11:40:11.0765 4684 ctaud2k - ok
11:40:11.0812 4684 CTAUDFX.DLL (472b82d7e549e7fab428852e4d16f21d) C:\WINDOWS\system32\CTAUDFX.DLL
11:40:11.0875 4684 CTAUDFX.DLL - ok
11:40:11.0906 4684 ctdvda2k (ed316d4c3d39c5b6c23de067e275c183) C:\WINDOWS\system32\drivers\ctdvda2k.sys
11:40:11.0937 4684 ctdvda2k - ok
11:40:11.0953 4684 CTEAPSFX.DLL (6a57f82009563aee8826f117e1d3c72c) C:\WINDOWS\system32\CTEAPSFX.DLL
11:40:11.0984 4684 CTEAPSFX.DLL - ok
11:40:12.0046 4684 CTEDSPFX.DLL (c8ac1ffaeadd655193d7b1811a572d8d) C:\WINDOWS\system32\CTEDSPFX.DLL
11:40:12.0078 4684 CTEDSPFX.DLL - ok
11:40:12.0109 4684 CTEDSPIO.DLL (44495d9daf675257d00b25b041ee6667) C:\WINDOWS\system32\CTEDSPIO.DLL
11:40:12.0140 4684 CTEDSPIO.DLL - ok
11:40:12.0171 4684 CTEDSPSY.DLL (8e90b1762cb42e2fc76dac9210c83c66) C:\WINDOWS\system32\CTEDSPSY.DLL
11:40:12.0218 4684 CTEDSPSY.DLL - ok
11:40:12.0234 4684 CTERFXFX.DLL (d3fbd9983325435b06795f29cb57ed3d) C:\WINDOWS\system32\CTERFXFX.DLL
11:40:12.0265 4684 CTERFXFX.DLL - ok
11:40:12.0328 4684 CTEXFIFX.DLL (2c48e9d8ca703964463f27ae341115b7) C:\WINDOWS\system32\CTEXFIFX.DLL
11:40:12.0437 4684 CTEXFIFX.DLL - ok
11:40:12.0453 4684 CTHWIUT.DLL (f7657c598e7c29c6683c1e4a8dd68884) C:\WINDOWS\system32\CTHWIUT.DLL
11:40:12.0484 4684 CTHWIUT.DLL - ok
11:40:12.0593 4684 ctprxy2k (34e7f8a499fd8361df14fedb724c0ad3) C:\WINDOWS\system32\drivers\ctprxy2k.sys
11:40:12.0609 4684 ctprxy2k - ok
11:40:12.0640 4684 CTSBLFX.DLL (679ae21eb7f48a08184813aebabdec7c) C:\WINDOWS\system32\CTSBLFX.DLL
11:40:12.0703 4684 CTSBLFX.DLL - ok
11:40:12.0718 4684 ctsfm2k (32098497cb4dfe9ea7660fa62dd91060) C:\WINDOWS\system32\drivers\ctsfm2k.sys
11:40:12.0734 4684 ctsfm2k - ok
11:40:12.0750 4684 dac2w2k - ok
11:40:12.0765 4684 dac960nt - ok
11:40:12.0796 4684 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
11:40:12.0937 4684 Disk - ok
11:40:12.0984 4684 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
11:40:13.0281 4684 dmboot - ok
11:40:13.0312 4684 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
11:40:13.0531 4684 dmio - ok
11:40:13.0562 4684 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
11:40:13.0703 4684 dmload - ok
11:40:13.0734 4684 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
11:40:13.0859 4684 DMusic - ok
11:40:13.0875 4684 dpti2o - ok
11:40:13.0906 4684 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
11:40:14.0031 4684 drmkaud - ok
11:40:14.0062 4684 E1000 (4de4bae4accb5a49fa85801d4f226355) C:\WINDOWS\system32\DRIVERS\e1000325.sys
11:40:14.0078 4684 E1000 - ok
11:40:14.0125 4684 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
11:40:14.0125 4684 E100B ( UnsignedFile.Multi.Generic ) - warning
11:40:14.0125 4684 E100B - detected UnsignedFile.Multi.Generic (1)
11:40:14.0171 4684 emupia (2885f72d2daffd0329272f12e16d6579) C:\WINDOWS\system32\drivers\emupia2k.sys
11:40:14.0171 4684 emupia - ok
11:40:14.0234 4684 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
11:40:14.0375 4684 Fastfat - ok
11:40:14.0421 4684 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
11:40:14.0546 4684 Fdc - ok
11:40:14.0578 4684 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
11:40:14.0718 4684 Fips - ok
11:40:14.0734 4684 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
11:40:14.0875 4684 Flpydisk - ok
11:40:14.0906 4684 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
11:40:15.0046 4684 FltMgr - ok
11:40:15.0078 4684 FNETTBOH (a9e2df40ed6ec9e8885da72b6e1818f3) C:\WINDOWS\system32\drivers\FNETTBOH.SYS
11:40:15.0093 4684 FNETTBOH ( UnsignedFile.Multi.Generic ) - warning
11:40:15.0093 4684 FNETTBOH - detected UnsignedFile.Multi.Generic (1)
11:40:15.0109 4684 FNETURPX (784ffba7ee5c5f3a396407e4712f72f0) C:\WINDOWS\system32\drivers\FNETURPX.SYS
11:40:15.0125 4684 FNETURPX ( UnsignedFile.Multi.Generic ) - warning
11:40:15.0125 4684 FNETURPX - detected UnsignedFile.Multi.Generic (1)
11:40:15.0171 4684 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:40:15.0328 4684 Fs_Rec - ok
11:40:15.0578 4684 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:40:15.0718 4684 Ftdisk - ok
11:40:15.0953 4684 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
11:40:16.0109 4684 gameenum - ok
11:40:16.0343 4684 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
11:40:16.0359 4684 GEARAspiWDM - ok
11:40:16.0593 4684 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:40:16.0750 4684 Gpc - ok
11:40:17.0125 4684 ha10kx2k (da2c735b66d2e7b739f9a46146581a9d) C:\WINDOWS\system32\drivers\ha10kx2k.sys
11:40:17.0453 4684 ha10kx2k - ok
11:40:17.0671 4684 hap16v2k (5c7d6d68796e4621b4168c879908dae0) C:\WINDOWS\system32\drivers\hap16v2k.sys
11:40:17.0703 4684 hap16v2k - ok
11:40:17.0937 4684 hap17v2k (a595b88ad16d8b5693ddf08113caf30e) C:\WINDOWS\system32\drivers\hap17v2k.sys
11:40:17.0968 4684 hap17v2k - ok
11:40:18.0328 4684 hcwPVRP2 (db4f8d5edd3c004667f66445c84ffcf1) C:\WINDOWS\system32\DRIVERS\hcwPVRP2.sys
11:40:18.0687 4684 hcwPVRP2 ( UnsignedFile.Multi.Generic ) - warning
11:40:18.0687 4684 hcwPVRP2 - detected UnsignedFile.Multi.Generic (1)
11:40:18.0953 4684 HidIr (bb1a6fb7d35a91e599973fa74a619056) C:\WINDOWS\system32\DRIVERS\hidir.sys
11:40:19.0109 4684 HidIr - ok
11:40:19.0375 4684 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:40:19.0531 4684 HidUsb - ok
11:40:19.0703 4684 hpn - ok
11:40:19.0937 4684 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
11:40:20.0015 4684 HTTP - ok
11:40:20.0203 4684 i2omgmt - ok
11:40:20.0343 4684 i2omp - ok
11:40:20.0484 4684 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:40:20.0656 4684 i8042prt - ok
11:40:20.0921 4684 imagedrv (6f86988eeb7a58fbd16a77ed51a84de1) C:\WINDOWS\system32\Drivers\imagedrv.sys
11:40:20.0921 4684 imagedrv - ok
11:40:21.0140 4684 imagesrv (6cd5f93aa6691dbbc7f409a3dbfc0d8e) C:\WINDOWS\system32\DRIVERS\imagesrv.sys
11:40:21.0171 4684 imagesrv - ok
11:40:21.0828 4684 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
11:40:27.0500 4684 Imapi - ok
11:40:27.0703 4684 ini910u - ok
11:40:27.0828 4684 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
11:40:28.0062 4684 IntelIde - ok
11:40:28.0250 4684 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:40:28.0375 4684 intelppm - ok
11:40:28.0593 4684 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
11:40:28.0765 4684 Ip6Fw - ok
11:40:29.0000 4684 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:40:29.0140 4684 IpFilterDriver - ok
11:40:29.0375 4684 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:40:29.0531 4684 IpInIp - ok
11:40:29.0781 4684 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:40:29.0937 4684 IpNat - ok
11:40:30.0171 4684 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:40:30.0343 4684 IPSec - ok
11:40:30.0531 4684 IrBus (b43b36b382aea10861f7c7a37f9d4ae2) C:\WINDOWS\system32\DRIVERS\IrBus.sys
11:40:30.0671 4684 IrBus - ok
11:40:30.0921 4684 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
11:40:31.0062 4684 IRENUM - ok
11:40:31.0296 4684 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:40:31.0453 4684 isapnp - ok
11:40:31.0640 4684 ivusb (de96bbf842059a67d876b692076d8875) C:\WINDOWS\system32\DRIVERS\ivusb.sys
11:40:31.0656 4684 ivusb - ok
11:40:31.0890 4684 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:40:32.0031 4684 Kbdclass - ok
11:40:32.0281 4684 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:40:32.0406 4684 kbdhid - ok
11:40:33.0250 4684 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
11:40:33.0890 4684 kmixer - ok
11:40:34.0062 4684 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
11:40:34.0093 4684 KSecDD - ok
11:40:34.0281 4684 lbrtfdc - ok
11:40:34.0484 4684 leafnets (51674c5c2eeff3d155edab0f5ef9a4d2) C:\WINDOWS\system32\DRIVERS\leafnets.sys
11:40:34.0531 4684 leafnets - ok
11:40:34.0703 4684 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
11:40:34.0718 4684 LMIInfo - ok
11:40:34.0968 4684 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
11:40:34.0984 4684 lmimirr - ok
11:40:35.0156 4684 LMIRfsClientNP - ok
11:40:35.0359 4684 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
11:40:35.0390 4684 LMIRfsDriver - ok
11:40:35.0640 4684 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
11:40:35.0671 4684 MBAMProtector - ok
11:40:35.0890 4684 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
11:40:35.0921 4684 MHNDRV ( UnsignedFile.Multi.Generic ) - warning
11:40:35.0921 4684 MHNDRV - detected UnsignedFile.Multi.Generic (1)
11:40:36.0187 4684 MidiSyn (63c34814492aa65fc517b002de77b191) C:\WINDOWS\system32\drivers\MidiSyn.sys
11:40:36.0296 4684 MidiSyn - ok
11:40:36.0531 4684 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
11:40:36.0656 4684 mnmdd - ok
11:40:36.0734 4684 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
11:40:36.0921 4684 Modem - ok
11:40:37.0000 4684 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:40:37.0156 4684 Mouclass - ok
11:40:37.0250 4684 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:40:37.0421 4684 mouhid - ok
11:40:37.0468 4684 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
11:40:37.0593 4684 MountMgr - ok
11:40:37.0656 4684 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
11:40:37.0671 4684 MpFilter - ok
11:40:37.0687 4684 mraid35x - ok
11:40:37.0734 4684 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:40:37.0875 4684 MRxDAV - ok
11:40:38.0000 4684 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:40:38.0093 4684 MRxSmb - ok
11:40:38.0203 4684 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
11:40:38.0328 4684 Msfs - ok
11:40:38.0359 4684 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:40:38.0484 4684 MSKSSRV - ok
11:40:38.0515 4684 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:40:38.0640 4684 MSPCLOCK - ok
11:40:38.0656 4684 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
11:40:38.0781 4684 MSPQM - ok
11:40:38.0890 4684 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:40:39.0015 4684 mssmbios - ok
11:40:39.0031 4684 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
11:40:39.0156 4684 MSTEE - ok
11:40:39.0187 4684 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
11:40:39.0203 4684 Mup - ok
11:40:39.0234 4684 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
11:40:39.0359 4684 NABTSFEC - ok
11:40:39.0375 4684 NAVAP - ok
11:40:39.0390 4684 NAVAPEL - ok
11:40:39.0390 4684 NAVENG - ok
11:40:39.0406 4684 NAVEX15 - ok
11:40:39.0484 4684 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
11:40:39.0625 4684 NDIS - ok
11:40:39.0656 4684 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
11:40:39.0781 4684 NdisIP - ok
11:40:39.0921 4684 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:40:40.0500 4684 NdisTapi - ok
11:40:40.0531 4684 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:40:40.0671 4684 Ndisuio - ok
11:40:40.0687 4684 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:40:40.0828 4684 NdisWan - ok
11:40:40.0906 4684 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
11:40:40.0921 4684 NDProxy - ok
11:40:41.0046 4684 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
11:40:41.0187 4684 NetBIOS - ok
11:40:41.0234 4684 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
11:40:41.0359 4684 NetBT - ok
11:40:41.0390 4684 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:40:41.0531 4684 NIC1394 - ok
11:40:41.0562 4684 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
11:40:41.0687 4684 nm - ok
11:40:41.0718 4684 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
11:40:41.0843 4684 Npfs - ok
11:40:42.0000 4684 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
11:40:42.0218 4684 Ntfs - ok
11:40:42.0250 4684 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
11:40:42.0390 4684 Null - ok
11:40:42.0437 4684 NvNdis (0b7f59271f2694efd2f540b3332ddf5c) C:\WINDOWS\system32\Drivers\NvNdis.sys
11:40:42.0453 4684 NvNdis ( UnsignedFile.Multi.Generic ) - warning
11:40:42.0453 4684 NvNdis - detected UnsignedFile.Multi.Generic (1)
11:40:42.0484 4684 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:40:42.0671 4684 NwlnkFlt - ok
11:40:42.0687 4684 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:40:42.0890 4684 NwlnkFwd - ok
11:40:42.0968 4684 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:40:43.0093 4684 ohci1394 - ok
11:40:43.0140 4684 ossrv (61c85afeaa6ef0c1b32d43f84f7bfbcf) C:\WINDOWS\system32\drivers\ctoss2k.sys
11:40:43.0156 4684 ossrv - ok
11:40:43.0187 4684 oxfwlf (d2ba7e474940363d9de386f3e437de04) C:\WINDOWS\system32\drivers\oxfwlf.sys
11:40:43.0187 4684 oxfwlf ( UnsignedFile.Multi.Generic ) - warning
11:40:43.0187 4684 oxfwlf - detected UnsignedFile.Multi.Generic (1)
11:40:43.0218 4684 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
11:40:43.0343 4684 Parport - ok
11:40:43.0375 4684 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
11:40:43.0500 4684 PartMgr - ok
11:40:43.0531 4684 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
11:40:43.0656 4684 ParVdm - ok
11:40:43.0687 4684 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
11:40:43.0812 4684 PCI - ok
11:40:43.0859 4684 PCIDump - ok
11:40:43.0890 4684 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
11:40:44.0031 4684 PCIIde - ok
11:40:44.0062 4684 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
11:40:44.0187 4684 Pcmcia - ok
11:40:44.0203 4684 PDCOMP - ok
11:40:44.0218 4684 PDFRAME - ok
11:40:44.0234 4684 PDRELI - ok
11:40:44.0250 4684 PDRFRAME - ok
11:40:44.0265 4684 perc2 - ok
11:40:44.0281 4684 perc2hib - ok
11:40:44.0343 4684 pfc (da86016f0672ada925f589ede715f185) C:\WINDOWS\system32\drivers\pfc.sys
11:40:44.0343 4684 pfc ( UnsignedFile.Multi.Generic ) - warning
11:40:44.0343 4684 pfc - detected UnsignedFile.Multi.Generic (1)
11:40:44.0390 4684 PfModNT (6dabb70783ef470492adb7b9a6e60bf3) C:\WINDOWS\system32\drivers\PfModNT.sys
11:40:44.0406 4684 PfModNT - ok
11:40:44.0437 4684 powerfil (8733a00b08f8cf05d50a5b8f61758a93) C:\WINDOWS\system32\DRIVERS\powerfil.sys
11:40:44.0562 4684 powerfil - ok
11:40:44.0593 4684 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:40:44.0734 4684 PptpMiniport - ok
11:40:44.0828 4684 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
11:40:44.0968 4684 PSched - ok
11:40:45.0015 4684 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:40:45.0140 4684 Ptilink - ok
11:40:45.0156 4684 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
11:40:45.0171 4684 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning
11:40:45.0171 4684 PxHelp20 - detected UnsignedFile.Multi.Generic (1)
11:40:45.0187 4684 ql1080 - ok
11:40:45.0203 4684 Ql10wnt - ok
11:40:45.0218 4684 ql12160 - ok
11:40:45.0234 4684 ql1240 - ok
11:40:45.0250 4684 ql1280 - ok
11:40:45.0296 4684 QWAVEDRV (2bb1d2baf3493362e5c1949c5f210d5f) C:\WINDOWS\system32\DRIVERS\qwavedrv.sys
11:40:45.0312 4684 QWAVEDRV ( UnsignedFile.Multi.Generic ) - warning
11:40:45.0312 4684 QWAVEDRV - detected UnsignedFile.Multi.Generic (1)
11:40:45.0343 4684 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:40:45.0468 4684 RasAcd - ok
11:40:45.0500 4684 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:40:45.0625 4684 Rasl2tp - ok
11:40:45.0656 4684 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:40:45.0781 4684 RasPppoe - ok
11:40:45.0812 4684 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
11:40:45.0937 4684 Raspti - ok
11:40:45.0968 4684 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:40:46.0093 4684 Rdbss - ok
11:40:46.0109 4684 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:40:46.0250 4684 RDPCDD - ok
11:40:46.0281 4684 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:40:46.0421 4684 rdpdr - ok
11:40:46.0453 4684 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
11:40:46.0468 4684 RDPWD - ok
11:40:46.0500 4684 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
11:40:46.0625 4684 redbook - ok
11:40:46.0671 4684 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
11:40:46.0796 4684 sbp2port - ok
11:40:46.0828 4684 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:40:46.0968 4684 Secdrv - ok
11:40:47.0000 4684 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
11:40:47.0125 4684 serenum - ok
11:40:47.0156 4684 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
11:40:<br>47.0671 4684 Serial - ok
11:40:47.0718 4684 sf (e8cc4ba7b2e962bd932c7bf678e762e0) C:\WINDOWS\system32\drivers\sf.sys
11:40:47.0734 4684 sf - ok
11:40:47.0796 4684 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
11:40:47.0921 4684 Sfloppy - ok
11:40:47.0937 4684 Simbad - ok
11:40:47.0968 4684 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
11:40:48.0093 4684 SLIP - ok
11:40:48.0125 4684 SMBios (d72a21424ca66c7a745bd995eca6a710) C:\WINDOWS\system32\DRIVERS\SMBios.sys
11:40:48.0125 4684 SMBios ( UnsignedFile.Multi.Generic ) - warning
11:40:48.0125 4684 SMBios - detected UnsignedFile.Multi.Generic (1)
11:40:48.0203 4684 smwdm (986d2f9d2653e1eda2c54c80c0309835) C:\WINDOWS\system32\drivers\smwdm.sys
11:40:48.0234 4684 smwdm - ok
11:40:48.0265 4684 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
11:40:48.0390 4684 SONYPVU1 - ok
11:40:48.0406 4684 Sparrow - ok
11:40:48.0437 4684 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
11:40:48.0562 4684 splitter - ok
11:40:48.0593 4684 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
11:40:48.0734 4684 sr - ok
11:40:48.0796 4684 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
11:40:48.0843 4684 Srv - ok
11:40:48.0890 4684 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
11:40:49.0000 4684 StillCam - ok
11:40:49.0046 4684 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
11:40:49.0171 4684 streamip - ok
11:40:49.0203 4684 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
11:40:49.0328 4684 swenum - ok
11:40:49.0343 4684 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
11:40:49.0484 4684 swmidi - ok
11:40:49.0500 4684 symc810 - ok
11:40:49.0515 4684 symc8xx - ok
11:40:49.0531 4684 sym_hi - ok
11:40:49.0546 4684 sym_u3 - ok
11:40:49.0593 4684 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
11:40:49.0718 4684 sysaudio - ok
11:40:49.0796 4684 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:40:49.0921 4684 Tcpip - ok
11:40:49.0968 4684 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
11:40:50.0093 4684 TDPIPE - ok
11:40:50.0156 4684 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
11:40:50.0281 4684 TDTCP - ok
11:40:50.0312 4684 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
11:40:50.0437 4684 TermDD - ok
11:40:50.0468 4684 TosIde - ok
11:40:50.0515 4684 TrueSight (f69641efdb19acb4753b0155f7fdeed5) c:\windows\system32\drivers\TrueSight.sys
11:40:50.0515 4684 TrueSight ( UnsignedFile.Multi.Generic ) - warning
11:40:50.0515 4684 TrueSight - detected UnsignedFile.Multi.Generic (1)
11:40:50.0562 4684 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
11:40:50.0703 4684 tunmp - ok
11:40:50.0734 4684 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
11:40:50.0859 4684 Udfs - ok
11:40:50.0875 4684 ultra - ok
11:40:50.0921 4684 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
11:40:51.0062 4684 Update - ok
11:40:51.0109 4684 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
11:40:51.0125 4684 USBAAPL - ok
11:40:51.0171 4684 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
11:40:51.0296 4684 usbaudio - ok
11:40:51.0328 4684 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:40:51.0453 4684 usbccgp - ok
11:40:51.0484 4684 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:40:51.0593 4684 usbehci - ok
11:40:51.0625 4684 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:40:51.0765 4684 usbhub - ok
11:40:51.0796 4684 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:40:51.0921 4684 usbprint - ok
11:40:51.0953 4684 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
11:40:52.0078 4684 usbscan - ok
11:40:52.0109 4684 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:40:52.0234 4684 USBSTOR - ok
11:40:52.0250 4684 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:40:52.0375 4684 usbuhci - ok
11:40:52.0390 4684 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
11:40:52.0531 4684 VgaSave - ok
11:40:52.0546 4684 ViaIde - ok
11:40:52.0593 4684 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
11:40:52.0718 4684 VolSnap - ok
11:40:52.0750 4684 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:40:52.0875 4684 Wanarp - ok
11:40:52.0937 4684 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
11:40:52.0968 4684 WDC_SAM - ok
11:40:52.0984 4684 WDICA - ok
11:40:53.0015 4684 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
11:40:53.0140 4684 wdmaud - ok
11:40:53.0187 4684 WPRO_41_1742 - ok
11:40:53.0234 4684 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:40:53.0437 4684 WS2IFSL - ok
11:40:53.0468 4684 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
11:40:53.0671 4684 WSTCODEC - ok
11:40:53.0718 4684 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
11:40:53.0750 4684 WudfPf - ok
11:40:53.0796 4684 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
11:40:53.0812 4684 WudfRd - ok
11:40:53.0890 4684 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:40:54.0125 4684 \Device\Harddisk0\DR0 - ok
11:40:54.0125 4684 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR3
11:40:54.0343 4684 \Device\Harddisk1\DR3 - ok
11:40:54.0343 4684 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR5
11:40:54.0890 4684 \Device\Harddisk2\DR5 - ok
11:40:55.0187 4684 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk3\DR7
11:40:55.0421 4684 \Device\Harddisk3\DR7 - ok
11:40:55.0437 4684 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk4\DR8
11:40:55.0968 4684 \Device\Harddisk4\DR8 - ok
11:40:55.0968 4684 Boot (0x1200) (2831d0dada75bbb7bb6046e189cc1be5) \Device\Harddisk0\DR0\Partition0
11:40:55.0968 4684 \Device\Harddisk0\DR0\Partition0 - ok
11:40:55.0984 4684 Boot (0x1200) (2c6b0bff72e0c069f42472aacb181f8c) \Device\Harddisk0\DR0\Partition1
11:40:55.0984 4684 \Device\Harddisk0\DR0\Partition1 - ok
11:40:56.0000 4684 Boot (0x1200) (965458fc126dd2778950c2001965740a) \Device\Harddisk1\DR3\Partition0
11:40:56.0000 4684 \Device\Harddisk1\DR3\Partition0 - ok
11:40:56.0031 4684 Boot (0x1200) (214743c3335f5449d4f6961815141396) \Device\Harddisk2\DR5\Partition0
11:40:56.0031 4684 \Device\Harddisk2\DR5\Partition0 - ok
11:40:56.0031 4684 Boot (0x1200) (03d147b88e4f509c87ba38edc5da3c09) \Device\Harddisk3\DR7\Partition0
11:40:56.0031 4684 \Device\Harddisk3\DR7\Partition0 - ok
11:40:56.0046 4684 Boot (0x1200) (120b042391f8f1403f7d125faa283c07) \Device\Harddisk4\DR8\Partition0
11:40:56.0046 4684 \Device\Harddisk4\DR8\Partition0 - ok
11:40:56.0046 4684 ============================================================
11:40:56.0046 4684 Scan finished
11:40:56.0046 4684 ============================================================
11:40:56.0156 4412 Detected object count: 14
11:40:56.0156 4412 Actual detected object count: 14
11:41:03.0750 4412 ati2mtag ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0750 4412 ati2mtag ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0750 4412 CEUSBAUD ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0750 4412 CEUSBAUD ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0750 4412 E100B ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0750 4412 E100B ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0750 4412 FNETTBOH ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0750 4412 FNETTBOH ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0750 4412 FNETURPX ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0765 4412 FNETURPX ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0765 4412 hcwPVRP2 ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0765 4412 hcwPVRP2 ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0765 4412 MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0765 4412 MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0765 4412 NvNdis ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0765 4412 NvNdis ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0765 4412 oxfwlf ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0765 4412 oxfwlf ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0765 4412 pfc ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0765 4412 pfc ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0765 4412 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0765 4412 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0781 4412 QWAVEDRV ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0781 4412 QWAVEDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0781 4412 SMBios ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0781 4412 SMBios ( UnsignedFile.Multi.Generic ) - User select action: Skip
11:41:03.0781 4412 TrueSight ( UnsignedFile.Multi.Generic ) - skipped by user
11:41:03.0781 4412 TrueSight ( UnsignedFile.Multi.Generic ) - User select action: Skip
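A triage script for the TDSSKiller log above, added here as an example; it is not TDSSKiller's, Malwarebytes' or the poster's code. It parses the three line shapes the log uses (driver name with MD5 and path, a verdict line of the form `- ok`, `( detection ) - warning` or `- detected <detection> (1)`, and the `MBR (0x1B8)` / `Boot (0x1200)` sector lines) and then draws out two things a 500-line dump hides. First, every one of the 14 hits is `UnsignedFile.Multi.Generic`, which is what the SigCheck option reports for any driver without a valid Authenticode signature; it is a heuristic, not a malware signature, and on XP the ATI, Creative, Hauppauge, LogMeIn and Intel NIC drivers are expected to be unsigned, as is TrueSight.sys, the driver RogueKiller installs. Skipping them, as the poster did, is the right call unless a path or hash looks wrong. Second, the MBR lines hash the first 0x1B8 = 440 bytes of each disk, the bootstrap code that precedes the disk signature and partition table, so four of the five disks carry byte-identical boot code and only `\Device\Harddisk3\DR7` differs; the script calls that out as something to dump and compare, not as an infection. `HEURISTIC_ONLY` and the constructed `SAMPLE_LOG` excerpt are assumptions of this example.

```python
"""Triage helper for a TDSSKiller scan log (example added to this page; not TDSSKiller's,
Malwarebytes' or the poster's code).  It understands only the line shapes seen in the log:
  <time> <tid> <name> (<md5>) <path>                     image file that was hashed
  <time> <tid> <name> - ok | ( <det> ) - warning | - detected <det> (1)
  <time> <tid> MBR (0x1B8) (<md5>) \Device\HarddiskN\DRn   (Boot (0x1200) lines likewise)
"""
import re
from collections import defaultdict

_PREFIX = r"^\S+\s+\d+\s+"                        # "11:40:09.0640 4684 "
DRIVER_RE = re.compile(_PREFIX + r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*?)\s*$")
SECTOR_RE = re.compile(_PREFIX + r"(?P<kind>MBR|Boot)\s+\(0x[0-9A-Fa-f]+\)\s+\((?P<md5>[0-9a-f]{32})\)"
                       r"\s+(?P<dev>\\Device\\\S+)$")
VERDICT_RE = re.compile(_PREFIX + r"(?P<name>\S+)\s+(?:\(\s*(?P<det>\S+)\s*\)\s+)?-\s+"
                        r"(?P<verdict>ok|warning|detected)\b(?:\s+(?P<det2>\S+))?")

# Assumption of this example: a SigCheck "unsigned" hit is noise until the path or hash says otherwise.
HEURISTIC_ONLY = {"UnsignedFile.Multi.Generic"}
_RANK = {"ok": 0, "warning": 1, "detected": 2}   # strongest verdict wins when a driver gets several

# Constructed test input: a short excerpt in the exact format of the log posted above.
SAMPLE_LOG = r"""
11:40:07.0625 4684 Abiosdsk - ok
11:40:07.0703 4684 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:40:08.0062 4684 ACPI - ok
11:40:09.0640 4684 ati2mtag (c0b86ecb324e50f6bbd529f9d5c6b24b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
11:40:09.0859 4684 ati2mtag ( UnsignedFile.Multi.Generic ) - warning
11:40:09.0859 4684 ati2mtag - detected UnsignedFile.Multi.Generic (1)
11:40:50.0515 4684 TrueSight (f69641efdb19acb4753b0155f7fdeed5) c:\windows\system32\drivers\TrueSight.sys
11:40:50.0515 4684 TrueSight ( UnsignedFile.Multi.Generic ) - warning
11:40:50.0515 4684 TrueSight - detected UnsignedFile.Multi.Generic (1)
11:40:53.0890 4684 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:40:54.0125 4684 \Device\Harddisk0\DR0 - ok
11:40:54.0125 4684 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR3
11:40:54.0343 4684 \Device\Harddisk1\DR3 - ok
11:40:55.0187 4684 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk3\DR7
11:40:55.0421 4684 \Device\Harddisk3\DR7 - ok
11:40:55.0968 4684 Boot (0x1200) (2831d0dada75bbb7bb6046e189cc1be5) \Device\Harddisk0\DR0\Partition0
11:40:55.0968 4684 \Device\Harddisk0\DR0\Partition0 - ok
11:41:03.0750 4412 ati2mtag ( UnsignedFile.Multi.Generic ) - skipped by user
"""


def _blank():
    return {"md5": None, "path": None, "verdict": None, "detection": None}


def parse_log(text):
    """Return {'drivers': {name: rec}, 'sectors': [rec]} for one TDSSKiller log."""
    drivers, sectors, by_dev = {}, [], {}
    for line in (l.strip() for l in text.splitlines()):
        if m := SECTOR_RE.match(line):                     # MBR / boot-sector hash line
            rec = {"kind": m["kind"], "dev": m["dev"], "md5": m["md5"], "verdict": None, "detection": None}
            sectors.append(rec)
            by_dev[m["dev"]] = rec
        elif m := DRIVER_RE.match(line):                   # driver image with MD5 and path
            rec = drivers.setdefault(m["name"], _blank())
            rec["md5"], rec["path"] = m["md5"], m["path"]
        elif m := VERDICT_RE.match(line):                  # ok / warning / detected
            name = m["name"]
            rec = by_dev.get(name) if name.startswith("\\Device\\") else drivers.setdefault(name, _blank())
            if rec is None:                                # verdict for a device with no hash line
                continue
            if rec["verdict"] is None or _RANK[m["verdict"]] > _RANK[rec["verdict"]]:
                rec["verdict"] = m["verdict"]
            rec["detection"] = m["det"] or m["det2"] or rec["detection"]
        # "skipped by user" / "User select action" lines match nothing and are ignored on purpose
    return {"drivers": drivers, "sectors": sectors}


def flagged_drivers(parsed):
    """[(name, detection, heuristic_only)] for every driver that was not a plain 'ok'."""
    hits = [(n, r["detection"], r["detection"] in HEURISTIC_ONLY)
            for n, r in parsed["drivers"].items() if r["verdict"] in ("warning", "detected")]
    return sorted(hits, key=lambda h: h[0].lower())


def mbr_groups(parsed):
    """Group disks by the MD5 of their 440-byte bootstrap code."""
    groups = defaultdict(list)
    for s in parsed["sectors"]:
        if s["kind"] == "MBR":
            groups[s["md5"]].append(s["dev"])
    return dict(groups)


def mbr_outliers(parsed):
    """Disks whose bootstrap code differs from the most common one in this scan."""
    groups = mbr_groups(parsed)
    if len(groups) < 2:
        return []
    majority = max(groups, key=lambda h: len(groups[h]))
    return sorted(dev for h, devs in groups.items() if h != majority for dev in devs)


def report(text):
    """Human-readable summary: flagged drivers, boot-code hash groups, odd-one-out disks."""
    parsed = parse_log(text)
    out = []
    for name, det, heur in flagged_drivers(parsed):
        tag = "unsigned only" if heur else "LOOK AT THIS"
        out.append(f"{name:<12} {det:<28} {tag:<14} {parsed['drivers'][name]['path']}")
    for md5, devs in mbr_groups(parsed).items():
        out.append(f"MBR code {md5} on {len(devs)} disk(s): {', '.join(devs)}")
    for dev in mbr_outliers(parsed):
        out.append(f"{dev}: bootstrap code differs from the other disks; dump it and compare before judging")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a saved TDSSKiller.txt by passing the file contents to `report()`. Anything tagged "LOOK AT THIS" is a non-heuristic detection and should be treated as such; "unsigned only" hits still deserve a glance at the path, since a driver loading from a user profile or a temp directory is suspicious whatever the signature check says.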
  17. Ok... I ran the last Combofix via the drag-and-drop of the ipsec copy script. Didn't have internet when it was finished, but I rebooted, the machine did a chkdsk, fixed bad sectors, etc., and my NIC was able to get its static IP settings to stick; internet is back. So far, the Combofix has run 3 times, and has found a rootkit on each. The latest combofix.txt is copy/pasted below:

ComboFix 12-01-05.01 - Administrator 01/05/2012 10:15:52.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1579 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\ipsec.sys --> c:\windows\system32\drivers\ipsec.sys
c:\windows\ServicePackFiles\i386\ipsec.sys --> c:\windows\system32\dllcache\ipsec.sys
.
((((((((((((((((((((((((( Files Created from 2011-12-05 to 2012-01-05 )))))))))))))))))))))))))))))))
.
.
2012-01-05 15:12 . 2012-01-05 15:12 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C867A949-591F-4CA5-AF91-A62EDE267C7F}\offreg.dll
2012-01-05 06:56 . 2012-01-05 06:56 -------- d-----w- c:\documents and settings\Dondi
2012-01-05 04:29 . 2008-06-20 11:51 361600 ----a-w- C:\tcpip.sys
2012-01-05 00:19 . 2012-01-05 00:19 -------- d--h--w- c:\documents and settings\Default User.WINDOWS.0
2012-01-05 00:19 . 2012-01-05 00:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0
2012-01-04 23:51 . 2012-01-04 23:51 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2011-12-22 05:44 . 2011-11-30 07:21 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C867A949-591F-4CA5-AF91-A62EDE267C7F}\mpengine.dll
2011-12-18 20:31 . 2011-12-18 20:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-17 21:09 . 2011-12-17 21:09 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{8D50E0A0-BDC4-478A-B305-2C90839CD6E9}-A0193330.exe
2011-12-17 21:09 . 2011-12-17 21:09 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{69AF7BA9-D1BE-4500-870C-A9ED890A010B}-A0193400.exe
2011-12-17 21:09 . 2011-12-17 21:09 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{1F20FD2D-4BF4-4807-94B2-D7321EDAFDFB}-A0027261.exe
2011-12-17 21:09 . 2011-12-17 21:09 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{FE7F776B-2D39-41B2-B7C1-372A964E0DB5}-A0027192.exe
2011-12-17 21:09 . 2011-12-17 21:09 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{A3BCBC79-6628-4D9A-859B-8A33522D5114}-A0027056.exe
2011-12-17 21:09 . 2011-12-17 21:09 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{525C59F1-4A7E-4149-A643-F245ABA0B392}-A0027124.exe
2011-12-17 17:34 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-17 17:34 . 2012-01-05 00:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-17 06:31 . 2012-01-05 04:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-17 06:31 . 2012-01-05 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-12-17 05:59 . 2011-12-17 05:59 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-17 05:59 . 2011-12-17 05:59 -------- d-----w- c:\program files\Trend Micro
2011-12-17 04:34 . 2011-12-17 04:34 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{D026EE29-CB60-4592-ADE4-091B2E6AE395}-A0193330.exe
2011-12-17 04:34 . 2011-12-17 04:34 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{B7950F68-48CD-4E06-B807-87B6E0EDE3FB}-A0027056.exe
2011-12-17 04:34 . 2011-12-17 04:34 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{AFC77CBA-4C4E-47E7-A040-0AC7EB5FF577}-A0027261.exe
2011-12-17 04:34 . 2011-12-17 04:34 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{5C4CEE39-384A-4DBE-B6C1-5D3EF125C918}-A0027124.exe
2011-12-17 04:34 . 2011-12-17 04:34 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{1622A377-0375-4A86-A583-C78C5494CFFC}-A0027192.exe
2011-12-17 04:34 . 2011-12-17 04:34 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{9F11835D-FC56-40D6-B1C2-E39A3B4CFF3B}-A0193400.exe
2011-12-17 03:13 . 2011-12-17 03:13 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{C2DC7F42-4D0F-44CE-8094-FD7F2A70FCCF}-A0027056.exe
2011-12-17 03:13 . 2011-12-17 03:13 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{3869BA65-082A-4BB2-95EF-40093D435B79}-A0027124.exe
2011-12-17 03:13 . 2011-12-17 03:13 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{BCA44248-3F95-4E71-A95A-F3B810F1C5A9}-A0193400.exe
2011-12-17 03:13 . 2011-12-17 03:13 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{8422E27D-1BC0-442A-A394-3E5031F4D586}-A0027192.exe
2011-12-17 03:13 . 2011-12-17 03:13 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{827CE6EA-3803-48C3-A3E3-1FDDCEC141D8}-A0027261.exe
2011-12-17 03:13 . 2011-12-17 03:13 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{7D336F6D-8111-4602-AA81-D4B683EE8E59}-A0193330.exe
2011-12-16 16:03 . 2011-12-16 16:03 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{CAB83086-7C12-4626-BBA7-32666AA6D169}-A0193400.exe
2011-12-16 16:03 . 2011-12-16 16:03 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{EB11E7C0-B6EC-46FE-BC75-98FDE8ECCB3E}-A0193330.exe
2011-12-16 16:03 . 2011-12-16 16:03 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{471085BA-EC51-4397-8EEC-D436954974C3}-A0027261.exe
2011-12-16 16:03 . 2011-12-16 16:03 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{092F92E6-E717-4431-83DA-467643B73C30}-A0027192.exe
2011-12-16 16:03 . 2011-12-16 16:03 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{22D80A96-30E5-4916-A832-CA1B03E80F52}-A0027124.exe
2011-12-16 16:02 . 2011-12-16 16:02 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{B6A85ADF-1D21-457A-B462-E7F57E6B667D}-A0027056.exe
2011-12-16 08:00 . 
2011-12-16 08:00 -------- d-----w- c:\program files\AVG 2011-12-16 07:56 . 2011-12-16 07:56 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files 2011-12-16 07:55 . 2011-12-16 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2011-12-16 03:12 . 2011-11-30 07:21 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-12-15 07:24 . 2011-12-15 11:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2011-12-15 01:37 . 2011-12-15 01:37 -------- d-----w- c:\program files\iPod 2011-12-15 01:37 . 2011-12-15 01:39 -------- d-----w- c:\program files\iTunes 2011-12-09 05:31 . 2011-12-09 07:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Auslogics 2011-12-09 05:31 . 2011-12-09 05:35 -------- d-----w- c:\program files\Auslogics 2011-12-09 04:49 . 2011-12-09 04:49 -------- d-----w- c:\program files\CCleaner 2011-12-09 04:38 . 2011-11-15 19:29 222080 ------w- c:\windows\system32\MpSigStub.exe 2011-12-09 04:35 . 2011-12-09 04:36 -------- d-----w- c:\program files\Microsoft Security Client 2011-12-09 02:45 . 2011-12-09 02:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2011-12-09 02:45 . 2011-12-09 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-12-08 05:26 . 2011-12-08 05:26 -------- d-s---w- c:\documents and settings\NetworkService\UserData . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-12-17 12:59 . 2009-05-06 16:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2011-12-17 12:59 . 2009-05-06 16:12 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll 2011-12-17 12:59 . 2009-05-06 16:12 30592 ----a-w- c:\windows\system32\LMIport.dll 2011-12-17 12:59 . 
2009-05-06 16:09 87424 ----a-w- c:\windows\system32\LMIinit.dll 2011-12-08 07:25 . 2008-11-15 15:46 57600 ----a-w- c:\windows\system32\drivers\redbook.sys 2011-11-27 23:03 . 2011-05-28 23:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx 2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts 2011-10-10 14:22 . 2005-01-25 21:16 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-11-21 04:04 . 2011-04-30 17:14 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((( SnapShot@2012-01-05_06.53.16 ))))))))))))))))))))))))))))))))))))))))) . + 2012-01-05 15:14 . 2012-01-05 15:14 16384 c:\windows\Temp\Perflib_Perfdata_51c.dat + 2012-01-05 15:14 . 2012-01-05 15:14 16384 c:\windows\Temp\Perflib_Perfdata_1e4.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-01 344064] "CTHelper"="CTHELPER.EXE" [2007-04-09 19456] "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-10-23 962560] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048] "Transcode360"="c:\program files\Transcode360\Transcode360Tray.exe" [2006-05-02 192512] "My Movies Tray"="c:\program files\MCE\My Movies\My Movies Tray.exe" [2009-11-16 312280] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136] "UsbBoost"="c:\program files\UsbBoost\TurboHddUsb.exe" [2010-06-02 3788800] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240] "AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] . 
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ Shortcut to MTV.lnk - c:\documents and settings\Administrator\Desktop\MTV.vbs [2008-12-18 2502] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432] VLC360.lnk - c:\program files\Dun74\VLC360\VLC360.bat [2006-3-27 76] . [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "GreyMSIAds"= 0 (0x0) "HideSCABattery"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2011-12-17 12:59 87424 ----a-w- c:\windows\system32\LMIinit.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk /p \??\o:\0autocheck autochk /p \??\j:\0autocheck autochk /p \??\I:\0autocheck autochk * . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\dCut\\DCutService.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Transcode360\\Transcode360Tray.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\WINDOWS\\ehome\\ehExtHost.exe"= "c:\\Program Files\\NETGEAR ReadyNAS\\RAIDar.exe"= "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Program Files\\AirPort\\APUtil.exe"= "c:\\Program Files\\AirPort\\APAgent.exe"= "c:\\Program Files\\NETGEAR ReadyNAS\\Remote\\bin\\ReadyNASRemote.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 "20001:UDP"= 20001:UDP:MicroSAN "3776:UDP"= 3776:UDP:Media Center Extender Service "3390:TCP"= 3390:TCP:Remote Media Center Experience "5353:UDP"= 5353:UDP:Bonjour "9100:TCP"= 9100:TCP:PORT_9100_TCP "161:UDP"= 161:UDP:PORT_161_UDP "427:UDP"= 427:UDP:PORT_427_UDP "50000:UDP"= 50000:UDP:IHA_MessageCenter . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) . R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [6/1/2010 7:59 PM 7936] R1 oxfwlf;oxfwlf;c:\windows\system32\drivers\OxFWLF.sys [6/17/2010 6:52 PM 12043] R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [7/1/2011 2:01 PM 286736] R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/30/2010 5:56 PM 374152] R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856] R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/17/2011 12:34 PM 652872] R3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [6/1/2010 7:59 PM 23680] R3 leafnets;Leaf Networks Adapter;c:\windows\system32\drivers\leafnets.sys [5/26/2011 12:51 PM 55296] R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/17/2011 12:34 PM 20464] R3 powerfil;powerfil;c:\windows\system32\drivers\powerfil.sys [11/15/2008 10:46 AM 8832] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384] S2 MSSQL$MYMOVIES;SQL Server (MYMOVIES);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 5:29 PM 29293408] S2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe -k xmlpros [8/10/2004 7:00 AM 14336] S3 
CEUSBAUD;DigiTech USB MIDI Driver (MIDI);c:\windows\system32\drivers\ceusbaud.sys [6/11/2011 11:27 AM 17920] S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [7/29/2010 12:25 AM 25112] S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520] S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504] S3 WPRO_41_1742;WinPcap Packet Driver (WPRO_41_1742); [x] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] QWAVE REG_MULTI_SZ QWAVE xmlpros REG_MULTI_SZ XMLProvS . Contents of the 'Scheduled Tasks' folder . 2011-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57] . 2011-12-21 c:\windows\Tasks\At1.job - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 20:07] . 2012-01-05 c:\windows\Tasks\At2.job - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 20:07] . 2011-12-22 c:\windows\Tasks\At3.job - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 20:07] . 2011-12-21 c:\windows\Tasks\At4.job - c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 20:07] . 2011-12-20 c:\windows\Tasks\Auslogics BoostSpeed Integrator Scan and Repair.job - c:\program files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe [2011-12-09 23:33] . 2012-01-05 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39] . . ------- Supplementary Scan ------- . TCP: Interfaces\{E6B482D6-C571-43EE-B7CF-80D299D37BAF}: NameServer = 192.168.1.1,68.237.161.12 FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a26tfnti.default\ . . 
************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-01-05 10:29 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(700) c:\windows\system32\Ati2evxx.dll c:\windows\system32\LMIinit.dll c:\windows\system32\LMIRfsClientNP.dll . Completion time: 2012-01-05 10:32:24 ComboFix-quarantined-files.txt 2012-01-05 15:32 ComboFix2.txt 2012-01-05 06:56 . Pre-Run: 13,312,720,896 bytes free Post-Run: 13,300,285,440 bytes free . - - End Of File - - 851A3C1D2B92989B0772D72A0A71009C
  18. Sorry MrC.... Hope I am not making this more difficult for you... I looked at posts of other people's Combofix.txt files and realized that my ComboFix session from above was incomplete so I ran another one. Much faster this time and the machine only rebooted once (rebooted twice the 1st time and hung after the 2nd reboot). Still no network. I am turning my PC off now... here is the log: ComboFix 12-01-04.03 - Administrator 01/05/2012 1:40.2.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1583 [GMT -5:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a26tfnti.default\extensions\{b496155d-30aa-4bb8-920a-04d109ffb095}\chrome.manifest c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a26tfnti.default\extensions\{b496155d-30aa-4bb8-920a-04d109ffb095}\chrome\xulcache.jar c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a26tfnti.default\extensions\{b496155d-30aa-4bb8-920a-04d109ffb095}\install.rdf c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a26tfnti.default\searchplugins\bing-zugo.xml c:\documents and settings\Administrator\hwrufegslf.tmp c:\windows\$NtUninstallKB44787$\399808621 c:\windows\$NtUninstallKB44787$\592350653\@ c:\windows\$NtUninstallKB44787$\592350653\bckfg.tmp c:\windows\$NtUninstallKB44787$\592350653\cfg.ini c:\windows\$NtUninstallKB44787$\592350653\Desktop.ini c:\windows\$NtUninstallKB44787$\592350653\keywords c:\windows\$NtUninstallKB44787$\592350653\kwrd.dll c:\windows\$NtUninstallKB44787$\592350653\L\dbvpzhgj c:\windows\$NtUninstallKB44787$\592350653\lsflt7.ver 
c:\windows\$NtUninstallKB44787$\592350653\U\00000001.@ c:\windows\$NtUninstallKB44787$\592350653\U\00000002.@ c:\windows\$NtUninstallKB44787$\592350653\U\00000004.@ c:\windows\$NtUninstallKB44787$\592350653\U\80000000.@ c:\windows\$NtUninstallKB44787$\592350653\U\80000004.@ c:\windows\$NtUninstallKB44787$\592350653\U\80000032.@ c:\windows\kb913800.exe c:\windows\system32\SET92.tmp c:\windows\system32\SETA3.tmp c:\windows\system32\SETAC.tmp c:\windows\system32\SETB5.tmp c:\windows\system32\SETB8.tmp c:\windows\system32\SETBE.tmp c:\windows\system32\SETC1.tmp c:\windows\system32\SETC4.tmp c:\windows\system32\xmlrpw32.dll I:\Autorun.inf J:\autorun.inf L:\Autorun.inf . . ((((((((((((((((((((((((( Files Created from 2011-12-05 to 2012-01-05 ))))))))))))))))))))))))))))))) . . 2012-01-05 06:37 . 2012-01-05 06:37 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C867A949-591F-4CA5-AF91-A62EDE267C7F}\offreg.dll 2012-01-05 04:29 . 2008-06-20 11:51 361600 ----a-w- C:\tcpip.sys 2012-01-05 00:19 . 2012-01-05 00:19 -------- d--h--w- c:\documents and settings\Default User.WINDOWS.0 2012-01-05 00:19 . 2012-01-05 00:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS.0 2012-01-04 23:51 . 2012-01-04 23:51 111872 ----a-w- c:\windows\system32\drivers\TrueSight.sys 2011-12-22 05:44 . 2011-11-30 07:21 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C867A949-591F-4CA5-AF91-A62EDE267C7F}\mpengine.dll 2011-12-18 20:31 . 2011-12-18 20:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth 2011-12-17 21:09 . 2011-12-17 21:09 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{8D50E0A0-BDC4-478A-B305-2C90839CD6E9}-A0193330.exe 2011-12-17 21:09 . 
2011-12-17 21:09 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{69AF7BA9-D1BE-4500-870C-A9ED890A010B}-A0193400.exe 2011-12-17 21:09 . 2011-12-17 21:09 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{1F20FD2D-4BF4-4807-94B2-D7321EDAFDFB}-A0027261.exe 2011-12-17 21:09 . 2011-12-17 21:09 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{FE7F776B-2D39-41B2-B7C1-372A964E0DB5}-A0027192.exe 2011-12-17 21:09 . 2011-12-17 21:09 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{A3BCBC79-6628-4D9A-859B-8A33522D5114}-A0027056.exe 2011-12-17 21:09 . 2011-12-17 21:09 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{525C59F1-4A7E-4149-A643-F245ABA0B392}-A0027124.exe 2011-12-17 17:34 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-12-17 17:34 . 2012-01-05 00:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-12-17 06:31 . 2012-01-05 04:47 -------- d-----w- c:\program files\Spybot - Search & Destroy 2011-12-17 06:31 . 2012-01-05 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2011-12-17 05:59 . 2011-12-17 05:59 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2011-12-17 05:59 . 2011-12-17 05:59 -------- d-----w- c:\program files\Trend Micro 2011-12-17 04:34 . 2011-12-17 04:34 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{D026EE29-CB60-4592-ADE4-091B2E6AE395}-A0193330.exe 2011-12-17 04:34 . 
2011-12-17 04:34 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{B7950F68-48CD-4E06-B807-87B6E0EDE3FB}-A0027056.exe 2011-12-17 04:34 . 2011-12-17 04:34 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{AFC77CBA-4C4E-47E7-A040-0AC7EB5FF577}-A0027261.exe 2011-12-17 04:34 . 2011-12-17 04:34 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{5C4CEE39-384A-4DBE-B6C1-5D3EF125C918}-A0027124.exe 2011-12-17 04:34 . 2011-12-17 04:34 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{1622A377-0375-4A86-A583-C78C5494CFFC}-A0027192.exe 2011-12-17 04:34 . 2011-12-17 04:34 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{9F11835D-FC56-40D6-B1C2-E39A3B4CFF3B}-A0193400.exe 2011-12-17 03:13 . 2011-12-17 03:13 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{C2DC7F42-4D0F-44CE-8094-FD7F2A70FCCF}-A0027056.exe 2011-12-17 03:13 . 2011-12-17 03:13 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{3869BA65-082A-4BB2-95EF-40093D435B79}-A0027124.exe 2011-12-17 03:13 . 2011-12-17 03:13 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{BCA44248-3F95-4E71-A95A-F3B810F1C5A9}-A0193400.exe 2011-12-17 03:13 . 2011-12-17 03:13 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{8422E27D-1BC0-442A-A394-3E5031F4D586}-A0027192.exe 2011-12-17 03:13 . 2011-12-17 03:13 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{827CE6EA-3803-48C3-A3E3-1FDDCEC141D8}-A0027261.exe 2011-12-17 03:13 . 
2011-12-17 03:13 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{7D336F6D-8111-4602-AA81-D4B683EE8E59}-A0193330.exe 2011-12-16 16:03 . 2011-12-16 16:03 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{CAB83086-7C12-4626-BBA7-32666AA6D169}-A0193400.exe 2011-12-16 16:03 . 2011-12-16 16:03 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{EB11E7C0-B6EC-46FE-BC75-98FDE8ECCB3E}-A0193330.exe 2011-12-16 16:03 . 2011-12-16 16:03 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{471085BA-EC51-4397-8EEC-D436954974C3}-A0027261.exe 2011-12-16 16:03 . 2011-12-16 16:03 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{092F92E6-E717-4431-83DA-467643B73C30}-A0027192.exe 2011-12-16 16:03 . 2011-12-16 16:03 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{22D80A96-30E5-4916-A832-CA1B03E80F52}-A0027124.exe 2011-12-16 16:02 . 2011-12-16 16:02 16619 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{B6A85ADF-1D21-457A-B462-E7F57E6B667D}-A0027056.exe 2011-12-16 08:00 . 2011-12-16 08:00 -------- d-----w- c:\program files\AVG 2011-12-16 07:56 . 2011-12-16 07:56 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files 2011-12-16 07:55 . 2011-12-16 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData 2011-12-16 03:12 . 2011-11-30 07:21 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2011-12-15 07:24 . 
2011-12-15 11:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2011-12-15 01:37 . 2011-12-15 01:37 -------- d-----w- c:\program files\iPod 2011-12-15 01:37 . 2011-12-15 01:39 -------- d-----w- c:\program files\iTunes 2011-12-09 05:31 . 2011-12-09 07:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Auslogics 2011-12-09 05:31 . 2011-12-09 05:35 -------- d-----w- c:\program files\Auslogics 2011-12-09 04:49 . 2011-12-09 04:49 -------- d-----w- c:\program files\CCleaner 2011-12-09 04:38 . 2011-11-15 19:29 222080 ------w- c:\windows\system32\MpSigStub.exe 2011-12-09 04:35 . 2011-12-09 04:36 -------- d-----w- c:\program files\Microsoft Security Client 2011-12-09 02:45 . 2011-12-09 02:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes 2011-12-09 02:45 . 2011-12-09 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-12-08 05:26 . 2011-12-08 05:26 -------- d-s---w- c:\documents and settings\NetworkService\UserData . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-12-17 12:59 . 2009-05-06 16:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll 2011-12-17 12:59 . 2009-05-06 16:12 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll 2011-12-17 12:59 . 2009-05-06 16:12 30592 ----a-w- c:\windows\system32\LMIport.dll 2011-12-17 12:59 . 2009-05-06 16:09 87424 ----a-w- c:\windows\system32\LMIinit.dll 2011-12-08 07:25 . 2008-11-15 15:46 57600 ----a-w- c:\windows\system32\drivers\redbook.sys 2011-11-27 23:03 . 2011-05-28 23:00 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-10-24 18:29 . 2011-10-24 18:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx 2011-10-24 18:29 . 2011-10-24 18:29 69632 ----a-w- c:\windows\system32\QuickTime.qts 2011-10-10 14:22 . 
2005-01-25 21:16 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-10-07 14:30 . 2009-05-06 16:12 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak 2011-10-07 14:30 . 2009-05-06 16:09 87424 ----a-w- c:\windows\system32\LMIinit.dll.000.bak 2011-11-21 04:04 . 2011-04-30 17:14 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ------- Sigcheck ------- Note: Unsigned files aren't necessarily malware. . [7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys [-] 2008-04-13 19:19 . 1DA6C0C952319F33A54C16C024FE905A . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys [-] 2004-08-10 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys . [7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys [-] 2008-04-13 19:19 . 1DA6C0C952319F33A54C16C024FE905A . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys [-] 2004-08-10 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-01 344064] "CTHelper"="CTHELPER.EXE" [2007-04-09 19456] "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-10-23 962560] "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048] "Transcode360"="c:\program files\Transcode360\Transcode360Tray.exe" [2006-05-02 192512] "My Movies Tray"="c:\program files\MCE\My Movies\My Movies Tray.exe" [2009-11-16 312280] "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136] "UsbBoost"="c:\program files\UsbBoost\TurboHddUsb.exe" [2010-06-02 3788800] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240] "AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208] "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736] "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872] . [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] . 
c:\documents and settings\Administrator\Start Menu\Programs\Startup\ Shortcut to MTV.lnk - c:\documents and settings\Administrator\Desktop\MTV.vbs [2008-12-18 2502] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432] VLC360.lnk - c:\program files\Dun74\VLC360\VLC360.bat [2006-3-27 76] . [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "GreyMSIAds"= 0 (0x0) "HideSCABattery"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2011-12-17 12:59 87424 ----a-w- c:\windows\system32\LMIinit.dll . [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager] BootExecute REG_MULTI_SZ autocheck autochk /p \??\o:\0autocheck autochk /p \??\j:\0autocheck autochk /p \??\I:\0autocheck autochk * . [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\dCut\\DCutService.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Transcode360\\Transcode360Tray.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\WINDOWS\\ehome\\ehExtHost.exe"= "c:\\Program Files\\NETGEAR ReadyNAS\\RAIDar.exe"= "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Program Files\\AirPort\\APUtil.exe"= "c:\\Program Files\\AirPort\\APAgent.exe"= "c:\\Program Files\\NETGEAR ReadyNAS\\Remote\\bin\\ReadyNASRemote.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= . 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"20001:UDP"= 20001:UDP:MicroSAN
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"5353:UDP"= 5353:UDP:Bonjour
"9100:TCP"= 9100:TCP:PORT_9100_TCP
"161:UDP"= 161:UDP:PORT_161_UDP
"427:UDP"= 427:UDP:PORT_427_UDP
"50000:UDP"= 50000:UDP:IHA_MessageCenter
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R1 FNETURPX;FNETURPX;c:\windows\system32\drivers\FNETURPX.SYS [6/1/2010 7:59 PM 7936]
R1 oxfwlf;oxfwlf;c:\windows\system32\drivers\OxFWLF.sys [6/17/2010 6:52 PM 12043]
R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [7/1/2011 2:01 PM 286736]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [9/30/2010 5:56 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 5:46 PM 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/17/2011 12:34 PM 652872]
R3 FNETTBOH;FNETTBOH;c:\windows\system32\drivers\FNETTBOH.SYS [6/1/2010 7:59 PM 23680]
R3 leafnets;Leaf Networks Adapter;c:\windows\system32\drivers\leafnets.sys [5/26/2011 12:51 PM 55296]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/17/2011 12:34 PM 20464]
R3 powerfil;powerfil;c:\windows\system32\drivers\powerfil.sys [11/15/2008 10:46 AM 8832]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 MSSQL$MYMOVIES;SQL Server (MYMOVIES);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 5:29 PM 29293408]
S2 XMLProvS;Network ProService;c:\windows\System32\svchost.exe -k xmlpros [8/10/2004 7:00 AM 14336]
S3 CEUSBAUD;DigiTech USB MIDI Driver (MIDI);c:\windows\system32\drivers\ceusbaud.sys [6/11/2011 11:27 AM 17920]
S3 ivusb;Initio Driver for USB Default Controller;c:\windows\system32\drivers\ivusb.sys [7/29/2010 12:25 AM 25112]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 3:06 PM 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 WPRO_41_1742;WinPcap Packet Driver (WPRO_41_1742); [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
xmlpros REG_MULTI_SZ XMLProvS
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-12-21 c:\windows\Tasks\At1.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 20:07]
.
2012-01-05 c:\windows\Tasks\At2.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 20:07]
.
2011-12-22 c:\windows\Tasks\At3.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 20:07]
.
2011-12-21 c:\windows\Tasks\At4.job
- c:\program files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-06-14 20:07]
.
2011-12-20 c:\windows\Tasks\Auslogics BoostSpeed Integrator Scan and Repair.job
- c:\program files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe [2011-12-09 23:33]
.
2012-01-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
.
------- Supplementary Scan -------
.
TCP: Interfaces\{E6B482D6-C571-43EE-B7CF-80D299D37BAF}: NameServer = 192.168.1.1,68.237.161.12
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a26tfnti.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SpybotSnD - c:\program files\Spybot - Search & Destroy\SpybotSD.exe
Notify-xmlproservice - xmlrpw32.dll
SafeBoot-68114861.sys
SafeBoot-WinDefend
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-05 01:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2012-01-05 01:56:15
ComboFix-quarantined-files.txt 2012-01-05 06:56
.
Pre-Run: 13,348,659,200 bytes free
Post-Run: 13,313,150,976 bytes free
.
- - End Of File - - 0632D190D152E4CAA8D2B57873FA121F