
netsvcs.exe errors


ra12r

Recommended Posts

I have run Malwarebytes multiple times in regular and safe mode. Sometimes it finds 1 or so things, but removing them changes nothing. I have run Spybot too, and it also really finds not much and changes nothing.

When my computer starts it makes it to my wallpaper pic fairly normally, but slower. Then I ALWAYS notice that my wallpaper pic disappears to the blank background color page and then the wallpaper pic gets "re-drawn". Once that happens the computer is changed. Now the refresh is real slow, like in 1/4 screen slices. This is visible when closing or changing screens. My wireless keyboard is also very slow reading the keystrokes. The whole computer gets bound up, and when the svcs finally error, I also lose my sound. But once they finally error, the whole system speeds up. Some consistent errors are the following:

1) appcompat.txt

2) wr34ofdir\appopat.txt

3) svchost.exe -k netsvcs which uses an excessive amount of memory till it crashes

4) I noticed, when everything is running, that there is excessive IP activity and my computer is connected to a bunch of servers... a lot.

HERE is my scan:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Sonia Evans at 19:55:57 on 2011-11-18

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [VTTimer] VTTimer.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: gamls.com\www

Trusted Zone: rexplorer.net\atl

Trusted Zone: rexplorer.net

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/C/B/F/CBF23A2C-3E55-4664-BC5C-762780D79BA0/OGAControl.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {1E3F1348-4370-4BBE-A67A-CC7ED824CA85} - hxxp://download.microsoft.com/download/7/4/9/749b0dc5-2175-4d5b-a6dd-9c4bc923683e/Selfhelpcontrol.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1318504715250

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1318649841562

TCP: DhcpNameServer = 192.168.1.254

TCP: Interfaces\{29B64B33-71B6-48DC-9796-9058471823B5} : DhcpNameServer = 192.168.1.254

TCP: Interfaces\{9CEA6E8D-6780-4CBD-B697-934D4F39934C} : DhcpNameServer = 192.168.1.254

Notify: WRNotifier - WRLogonNTF.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\sonia evans\application data\mozilla\firefox\profiles\axuvh315.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npybrowserplus_2.4.17.dll

FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Forecastfox: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2011-11-14 03:50:22 -------- d-----w- c:\program files\DriverGuide DriverScan

2011-11-13 18:42:41 -------- d-----w- c:\documents and settings\sonia evans\local settings\application data\Apple Computer

2011-11-13 18:41:32 -------- d-----w- c:\documents and settings\all users\application data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2011-11-13 18:41:11 -------- d-----w- c:\documents and settings\sonia evans\local settings\application data\Apple

2011-10-21 13:37:21 -------- d-----w- c:\documents and settings\all users\application data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}

2011-10-21 03:54:04 -------- d-----w- c:\documents and settings\sonia evans\local settings\application data\PackageAware

2011-10-20 03:28:45 -------- d-----w- c:\windows\UltraDefrag

2011-10-20 03:28:03 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

.

==================== Find3M ====================

.

2011-11-18 11:55:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 21:00:50 22216 -c--a-w- c:\windows\system32\drivers\mbam.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD1600AAJB-00J3A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8329F4C0]<<

_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x832a68a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x832a6730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }

1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x83342AB8]

3 CLASSPNP[0xF7EFAFD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\0000005a[0x833472E0]

5 ACPI[0xF7E71620] -> nt!IofCallDriver[0x804E37C5] -> [0x8337E940]

\Driver\atapi[0x833D7218] -> IRP_MJ_CREATE -> 0x8329F4C0

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x8329F2E0

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 19:57:37.56 ===============

Here is Attach.txt

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

.

==== Disk Partitions =========================

.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Sansa Media Converter

µTorrent

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 7.1.0

Adobe Shockwave Player

AnyDVD

Apple Application Support

Bing Maps 3D

Brother MFL-Pro Suite

C-Media WDM Audio Driver

Collectorz.com Movie Collector

DriverGuide DriverScan

DVD Shrink 3.2

Engine Analyzer Pro v3.3

Hayabusa ECUeditor for K2-K7, K8- models

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB954550-v5)

ImgBurn

KM400/KN400 Display Driver and Utilities

Malwarebytes' Anti-Malware version 1.51.2.1300

MediaMonkey 2.5

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Office 2000 Premium

Microsoft Office 2000 Web Archive Add-On

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Windows Script 5.7

Microsoft Word Supplemental Templates and Wizards

Mozilla Firefox (3.6.23)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB973686)

Nero OEM

Nitrous Log

PaperPort

PC Camera Capture

PC Link Nitrous

Power Commander 3

Power Commander 5 Software V1.0.1

Punch! 5 in 1 Home Design

Quicken 2005

QuickTime

RemotePlayback

RTLSetup

S3 S3Display

S3 S3Gamma2

S3 S3Info2

S3 S3Overlay

Sansa Media Converter

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player 8 (KB911565)

Security Update for Windows Media Player 8 (KB917734)

Sid Meier's Civilization 4

Slotman

Spybot - Search & Destroy

Ultimate Racer 3.0

Ultra Defragmenter

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

WebCam

WebFldrs XP

WEGO Log

Windows Genuine Advantage Notifications (KB905474)

Windows Imaging Component

Windows Internet Explorer 8

Windows Media Format Runtime

Windows XP Service Pack 3

WinRAR archiver

Xfire (remove only)

Xtranormal State

Xtranormal State - Showpak-Playgoz-Preview

Xtranormal State - SoundPack-Starter Kit

Xtranormal State - Voicepack-English-UK-Daniel

Xtranormal State - Voicepack-English-UK-Serena

Xtranormal State - Voicepack-English-US-Samantha

Xtranormal State - Voicepack-English-US-Tom

Yahoo! Messenger

YOSHIMURA Engine Management Professional

.

==== End Of File ===========================
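Added example, not code from the thread or from DDS, GMER or TDSSKiller: a small Python triage script that parses the ROOTKIT section of the DDS log above and flags the indicators the diagnosis rests on (an UNKNOWN module in the disk I/O call chain, atapi's IRP dispatch and DriverStartIo pointing into that unmapped code, and the scanner's own warning). The 64 KB "same code blob" window is an assumption of this example, not a GMER rule.

```python
import re
from dataclasses import dataclass, field

# ROOTKIT section copied from the DDS log in the first post (page text, not constructed).
SAMPLE_LOG = r"""
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8329F4C0]<<
1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x83342AB8]
3 CLASSPNP[0xF7EFAFD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\0000005a[0x833472E0]
5 ACPI[0xF7E71620] -> nt!IofCallDriver[0x804E37C5] -> [0x8337E940]
\Driver\atapi[0x833D7218] -> IRP_MJ_CREATE -> 0x8329F4C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8329F2E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
DISPATCH_RE = re.compile(r"^(\\Driver\\[^\[\s]+)\[0x[0-9A-Fa-f]+\] -> (\S+) -> 0x([0-9A-Fa-f]+)$")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) (\S+) -> 0x([0-9A-Fa-f]+)$")

# Assumption of this example (not a GMER rule): a redirect target within this
# distance of an UNKNOWN address is treated as part of the same injected code.
NEAR_WINDOW = 0x10000

@dataclass
class Redirect:
    driver: str
    routine: str            # IRP major function or DriverStartIo
    target: int
    near_unknown: bool = False

@dataclass
class Report:
    unknown_modules: list = field(default_factory=list)  # addresses GMER could not map
    dispatch: list = field(default_factory=list)         # driver entries pointing elsewhere
    hooks: list = field(default_factory=list)            # lines under "detected hooks:"
    read_errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    mbr_ok: bool = False

def _near(addr: int, anchors: list) -> bool:
    return any(abs(addr - a) < NEAR_WINDOW for a in anchors)

def triage(log: str) -> Report:
    """Parse the rootkit section and collect the indicators a helper looks for."""
    rep = Report()
    section = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                    # "Disk trace:", "detected hooks:", ...
            section = line[:-1].lower()
            continue
        for m in UNKNOWN_RE.finditer(line):
            rep.unknown_modules.append(int(m.group(1), 16))
        if line == "user & kernel MBR OK":
            rep.mbr_ok = True
        elif line.startswith("error:"):
            rep.read_errors.append(line)
        elif line.startswith("Warning:"):
            rep.warnings.append(line[len("Warning:"):].strip())
        elif section == "detected hooks" and (m := HOOK_RE.match(line)):
            rep.hooks.append(Redirect(m.group(1), m.group(2), int(m.group(3), 16)))
        elif m := DISPATCH_RE.match(line):
            rep.dispatch.append(Redirect(m.group(1), m.group(2), int(m.group(3), 16)))
    # Relate every redirect target to the unmapped code GMER saw in the I/O chain.
    for r in rep.dispatch + rep.hooks:
        r.near_unknown = _near(r.target, rep.unknown_modules)
    return rep

def verdict(rep: Report) -> str:
    """A clean MBR compare does not clear the box: TDL3 patches a disk driver
    (here atapi) and hooks its DriverStartIo, so the evidence is in the hooks."""
    redirected = [r for r in rep.dispatch + rep.hooks if r.near_unknown]
    if rep.unknown_modules and redirected:
        return "rootkit-likely"
    if rep.unknown_modules or rep.hooks or rep.warnings or not rep.mbr_ok:
        return "suspicious"
    return "clean"

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("verdict:", verdict(rep), "| MBR compare ok:", rep.mbr_ok)
    for r in rep.dispatch + rep.hooks:
        print(f"{r.driver} {r.routine} -> 0x{r.target:08X} near_unknown={r.near_unknown}")
```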


Logs will be closed if you haven't replied within 3 days

You have a Master Boot Record RootKit

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click TDSSKiller.exe to run the application, then click Start Scan.
  • If an infected file is detected, the default action will be Cure; click Continue.
  • If a suspicious file is detected, the default action will be Skip; click Continue.
  • It may ask you to reboot the computer to complete the process. Click Reboot Now.
  • If no reboot is required, click Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.

Also please describe how your computer behaves at the moment.


LDTATE, thank you for your assistance. I have followed the TDSS steps and now the computer is running well. I did not see the "re-load" of the screen and my keyboard is typing at speed. Currently my problem Generic Host Process is not eating up the memory.

Here is a post of the log.

08:53:07.0015 1576 TDSS rootkit removing tool 2.6.19.0 Nov 16 2011 12:18:50

08:53:07.0484 1576 ============================================================

08:53:07.0484 1576 Current date / time: 2011/11/19 08:53:07.0484

08:53:07.0484 1576 SystemInfo:

08:53:07.0484 1576

08:53:07.0484 1576 OS Version: 5.1.2600 ServicePack: 3.0

08:53:07.0484 1576 Product type: Workstation

08:53:07.0484 1576 ComputerName: HIGHLANDER

08:53:07.0484 1576 UserName: Sonia Evans

08:53:07.0484 1576 Windows directory: C:\WINDOWS

08:53:07.0484 1576 System windows directory: C:\WINDOWS

08:53:07.0484 1576 Processor architecture: Intel x86

08:53:07.0484 1576 Number of processors: 1

08:53:07.0484 1576 Page size: 0x1000

08:53:07.0484 1576 Boot type: Normal boot

08:53:07.0484 1576 ============================================================

08:53:08.0796 1576 Initialize success

08:54:07.0156 1056 ============================================================

08:54:07.0156 1056 Scan started

08:54:07.0156 1056 Mode: Manual;

08:54:07.0156 1056 ============================================================


08:54:46.0140 1056 viagfx - ok

08:54:46.0187 1056 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

08:54:46.0203 1056 ViaIde - ok

08:54:46.0250 1056 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

08:54:46.0265 1056 VolSnap - ok

08:54:46.0390 1056 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

08:54:46.0406 1056 Wanarp - ok

08:54:46.0453 1056 WDICA - ok

08:54:46.0515 1056 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

08:54:46.0515 1056 wdmaud - ok

08:54:46.0781 1056 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

08:54:46.0796 1056 WSTCODEC - ok

08:54:46.0953 1056 MBR (0x1B8) (cdac57608c39097805c8c958f1f73d97) \Device\Harddisk0\DR0

08:54:46.0953 1056 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - infected

08:54:46.0953 1056 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)

08:54:47.0000 1056 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1

08:54:47.0140 1056 \Device\Harddisk1\DR1 - ok

08:54:47.0171 1056 Boot (0x1200) (65d618203286eca004a097f30dcfa923) \Device\Harddisk0\DR0\Partition0

08:54:47.0171 1056 \Device\Harddisk0\DR0\Partition0 - ok

08:54:47.0203 1056 Boot (0x1200) (b69aee1c213a7e7fe1e9d3f1721eb166) \Device\Harddisk1\DR1\Partition0

08:54:47.0203 1056 \Device\Harddisk1\DR1\Partition0 - ok

08:54:47.0218 1056 ============================================================

08:54:47.0218 1056 Scan finished

08:54:47.0218 1056 ============================================================

08:54:47.0265 1572 Detected object count: 1

08:54:47.0265 1572 Actual detected object count: 1

08:55:10.0890 1572 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - will be cured on reboot

08:55:10.0890 1572 \Device\Harddisk0\DR0 - ok

08:55:10.0890 1572 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - User select action: Cure

08:55:19.0218 0524 Deinitialize success


That looks much better.

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot: ComboFix prompt offering to install the Recovery Console]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot: message confirming the Recovery Console was installed]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


LDTate, okay, now my computer is still having a slow screen reload. When I close the browser it closes in rows slowly. Now that I have typed more, I am still noticing that my keystrokes are being interrupted. I have not had a generic host services error yet though. I have been looking at the scan reports some myself, and I see stuff loading that I don't want even if they are not viruses. It is geting hader to typ as i am msng ltters nw...

Here is the scan:

ComboFix 11-11-19.03 - Sonia Evans 11/19/2011 9:19.6.1 - x86

Running from: c:\internet downloads\ComboFix.exe

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\CSC\d6

.

.

((((((((((((((((((((((((( Files Created from 2011-10-19 to 2011-11-19 )))))))))))))))))))))))))))))))

.

.

2011-11-13 18:41 . 2011-11-13 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2011-10-21 13:37 . 2011-11-19 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-18 11:55 . 2011-08-16 10:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-20 11:59 . 2011-10-20 03:28 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2011-08-31 21:00 . 2009-11-22 23:55 22216 -c--a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((( SnapShot_2011-10-21_02.27.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-06-21 02:07 . 2008-04-14 05:15 26368 c:\windows\system32\drivers\USBSTOR.SYS

- 2006-06-21 02:07 . 2008-04-14 04:15 26368 c:\windows\system32\drivers\usbstor.sys

+ 2002-08-29 12:00 . 2008-04-14 05:10 36352 c:\windows\system32\drivers\disk.sys

- 2002-08-29 12:00 . 2008-04-14 04:10 36352 c:\windows\system32\drivers\disk.sys

- 2006-06-09 23:44 . 2011-10-20 03:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2006-06-09 23:44 . 2011-11-19 09:18 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2006-06-09 23:44 . 2011-10-20 03:41 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2006-06-09 23:44 . 2011-11-19 09:18 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2011-10-16 16:35 . 2011-11-19 09:18 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

- 2011-10-16 16:35 . 2011-10-20 03:41 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat

+ 2011-10-21 05:50 . 2011-11-19 09:18 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2011-10-16 16:35 . 2011-10-20 03:41 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2004-08-04 07:56 . 2004-08-04 07:56 151552 c:\windows\system32\scrrun.dll

+ 2011-11-18 11:55 . 2011-11-18 11:55 247968 c:\windows\system32\Macromed\Flash\FlashUtil11e_Plugin.exe

+ 2006-06-09 19:30 . 2011-10-22 02:14 126912 c:\windows\system32\FNTCACHE.DAT

+ 2004-08-04 07:56 . 2004-08-04 07:56 151552 c:\windows\system32\dllcache\scrrun.dll

+ 2004-02-23 08:00 . 2004-02-23 08:00 1386496 c:\windows\system32\msvbvm60.dll

+ 2010-01-27 01:07 . 2011-11-18 11:55 8527008 c:\windows\system32\Macromed\Flash\NPSWF32.dll

+ 2007-05-05 00:40 . 2011-11-19 06:05 15411796 c:\windows\system32\Restore\rstrlog.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-10 98304]

"VTTimer"="VTTimer.exe" [2003-05-07 36864]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

2011-09-30 11:35 5361272 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-02-10 01:56 98304 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 20:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

2003-05-07 20:32 36864 -c--a-r- c:\windows\system32\VTTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Messenger"=2 (0x2)

"McciCMService"=2 (0x2)

"gusvc"=3 (0x3)

"wuauserv"=2 (0x2)

"wscsvc"=2 (0x2)

"TrkWks"=2 (0x2)

"Themes"=2 (0x2)

"TapiSrv"=3 (0x3)

"SysmonLog"=3 (0x3)

"Schedule"=2 (0x2)

"SCardSvr"=3 (0x3)

"FastUserSwitchingCompatibility"=3 (0x3)

"Eventlog"=2 (0x2)

"ERSvc"=2 (0x2)

"idsvc"=3 (0x3)

"AMDFusionSVC"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

.

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R4 MaxSch2Svc;Maxtor Scheduler2 Service;c:\program files\Common Files\Maxtor\Schedule2\schedul2.exe [x]

S3 DCamUSBNW802;PC Camera Capture;c:\windows\system32\DRIVERS\pcam.sys [2006-09-25 269480]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - PROCEXP141

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-16 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2011-10-15 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: gamls.com\www

Trusted Zone: rexplorer.net\atl

Trusted Zone: rexplorer.net

TCP: DhcpNameServer = 192.168.1.254

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Sonia Evans\Application Data\Mozilla\Firefox\Profiles\axuvh315.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Forecastfox: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - user.js: yahoo.homepage.dontask - true

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\documents and settings\All Users\Application Data\{3C0AACBF-B491-4BE5-BAF9-AA46E0629E42}\bm_installer.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-19 09:30

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(832)

c:\windows\system32\ieframe.dll

c:\windows\system32\msls31.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2011-11-19 09:33:37

ComboFix-quarantined-files.txt 2011-11-19 14:33

ComboFix2.txt 2011-10-21 02:31

ComboFix3.txt 2011-10-14 04:37

ComboFix4.txt 2011-10-12 12:23

ComboFix5.txt 2011-11-19 14:18

.

Pre-Run: 54,731,513,856 bytes free

Post-Run: 61,333,962,752 bytes free

.

- - End Of File - - 01289E168D4171FFFFBC9AE1E6F99AD4


This is the section that the "monster" works in that when I stop the processes I can affect the symptoms

path

C:\WINDOWS\system32\svchost.exe

command line

C:\WINDOWS\System32\svchost.exe -k netsvcs

current directory

C:\WINDOWS\system32\

I attached an image of my generic host list that is running and one of them crashes the whole svchost

[attached screenshot: list of processes running under the generic host (svchost.exe)]


I don't see anything bad there.

Svchost.exe is a process on your computer that hosts, or contains, other individual services that Windows uses to perform various functions. For example, Windows Defender uses a service that is hosted by a svchost.exe process.

There can be multiple instances of svchost.exe running on your computer, with each instance containing different services. One instance of svchost.exe might host a single service for a program, and another instance might host several services related to Windows. You can use Task Manager to view which services are running under each instance of svchost.exe.

Do you have an anti-virus program?

I don't see one installed.

I don't see an anti-virus program running. Get a free one.

Only run one Anti-Virus at a time.

Use an AntiVirus Software - Choose only one - More than one will conflict. It is very important that your computer has anti-virus software running to protect against viruses. Update Antivirus prior to manual scans as necessary or as used. Please only choose one, having more than one can cause problems, such as crashes and your computer to slow down.

Run a full scan and let us know what it finds.

Also please describe how your computer behaves at the moment

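The reply above explains that one svchost.exe instance can host several services, and that Task Manager shows which services run under each instance. The script below is an added example for doing that check from PowerShell; it is not part of the thread and not a tool the helper recommended. It maps every svchost.exe process to the services it hosts (via WMI, so it also runs on Windows XP with PowerShell 2.0), reports its working set and established TCP connections, and flags the three things a real svchost.exe always satisfies: its image is %SystemRoot%\System32\svchost.exe, its parent is services.exe, and it hosts at least one registered service. Because the ComboFix log above lists a firewall authorized-application entry for svchost.exe under the drivers folder, the second function also walks the Windows Firewall exception list and flags any svchost.exe authorized from outside System32, or any entry whose file no longer exists. Assumptions: local administrator rights, and the English column layout of `netstat -ano` (the regular expression keys on the word ESTABLISHED).

```powershell
# Added example, not from the thread: tie each svchost.exe instance to the
# services it hosts, sanity-check where it runs from, and count its established
# TCP connections, so a runaway "-k netsvcs" host can be traced to a service.
# Assumes local admin rights. Uses Get-WmiObject rather than Get-CimInstance so
# it also runs on Windows XP with PowerShell 2.0.

$expectedImage = Join-Path $env:SystemRoot 'System32\svchost.exe'
$servicesPid   = (Get-WmiObject Win32_Process -Filter "Name = 'services.exe'").ProcessId

# Established TCP connections per owning PID. netstat -ano prints the PID last;
# the pattern assumes the English output format.
function Get-EstablishedByPid {
    $table = @{}
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+\s+\S+\s+ESTABLISHED\s+(\d+)\s*$') {
            $owner = [int]$matches[1]
            $table[$owner] = 1 + [int]$table[$owner]
        }
    }
    return $table
}

function Get-SvchostReport {
    $conns    = Get-EstablishedByPid
    $services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -gt 0 }

    Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $p      = $_
        $hosted = @($services | Where-Object { $_.ProcessId -eq $p.ProcessId } |
                    ForEach-Object { $_.Name })
        # The "-k <group>" switch names the service group (e.g. netsvcs).
        $group  = if ($p.CommandLine -match '-k\s+(\S+)') { $matches[1] } else { '(none)' }

        $flags = @()
        # A genuine svchost.exe is %SystemRoot%\System32\svchost.exe, is started
        # by services.exe, and hosts at least one registered service.
        if ($p.ExecutablePath -and ($p.ExecutablePath -ne $expectedImage)) { $flags += 'unexpected image path' }
        if ($p.ParentProcessId -ne $servicesPid)                           { $flags += 'parent is not services.exe' }
        if ($hosted.Count -eq 0)                                           { $flags += 'hosts no service' }

        New-Object PSObject -Property @{
            PID            = $p.ProcessId
            Group          = $group
            WorkingSetMB   = [math]::Round($p.WorkingSetSize / 1MB, 1)
            EstablishedTcp = [int]$conns[[int]$p.ProcessId]
            Flags          = ($flags -join '; ')
            Services       = ($hosted -join ', ')
        }
    }
}

# Windows Firewall exceptions (Standard Profile). Flag svchost.exe authorized
# from anywhere but System32, and entries whose file no longer exists.
function Get-SuspectFirewallExceptions {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (-not (Test-Path $key)) { return @() }
    $system32 = Join-Path $env:SystemRoot 'System32'
    (Get-Item $key).GetValueNames() | ForEach-Object {
        $path = [Environment]::ExpandEnvironmentVariables($_)
        $leaf = Split-Path $path -Leaf
        $dir  = Split-Path $path -Parent
        if (($leaf -eq 'svchost.exe') -and ($dir -ne $system32)) {
            New-Object PSObject -Property @{ Entry = $_; Reason = 'svchost.exe authorized outside System32' }
        } elseif (-not (Test-Path -LiteralPath $path)) {
            New-Object PSObject -Property @{ Entry = $_; Reason = 'file does not exist' }
        }
    }
}

Get-SvchostReport | Sort-Object WorkingSetMB -Descending |
    Format-Table PID, Group, WorkingSetMB, EstablishedTcp, Flags, Services -AutoSize
Get-SuspectFirewallExceptions | Format-Table Entry, Reason -AutoSize
```

Run it from an elevated PowerShell prompt. If the netsvcs instance is the one with the large working set and many connections, the services it hosts can be separated instead of killing the whole host: `sc config <ServiceName> type= own` (the space after `type=` is required) makes that one service start in its own svchost.exe on the next start, so its memory and connections show up under their own PID; `sc config <ServiceName> type= share` puts it back. The membership of each `-k` group is stored under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, which is worth comparing against the hosted-service list the report prints.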

LDTate, ok, I rebooted and again the computer loads my desktop pic and then, before it loads the LAN/internet connection icon, the pic disappears and then "re-loads" all choppy and slow. So I know that whatever is loading during this time frame is playing into the symptoms I am having. I would like to DELETE whatever is causing my screen to reload. When I close down the computer it does the reverse: choppy closing pic, then blue screen, then INSTANT pic, but I can't stop the system at that point. The "monster" is connected to something that runs in the above picture list. I have tried to kill each process one at a time till I discover which one does it, but that has not worked to find it at this point.

Can you see anything that "loads" between the initial wallpaper pic and the second reload of the wallpaper pic?


SPYBOT TEATIMER

  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Next:

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

DDS::
Trusted Zone: gamls.com\www
Trusted Zone: rexplorer.net\atl
Trusted Zone: rexplorer.net

FireFox::
FF - ProfilePath - c:\documents and settings\Sonia Evans\Application Data\Mozilla\Firefox\Profiles\axuvh315.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Forecastfox: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

[screenshot: dragging CFScript.txt onto ComboFix.exe]

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


LDTate,

After my last post, a notice from Microsoft to update IE 8 came up so I did, and then another popup from the yellow shield said there were 108 Microsoft updates required, so I let that go ahead and run... Well, it rebooted itself and when it restarted I attempted to get back to this website on Mozilla and IE8 and it cannot find it?!?!?! I can get to other sites, but no longer to this site. So now I am on a different computer to post this message... HELP?!


That is correct. Using your link, my infected computer now does not find this site with my browsers. It acts like I have no internet connection. But if I go to other saved sites, no problem....??? I think the site is blocked now somehow?! Does Microsoft block other sites that are competitors? I am apparently blocked in Mozilla and IE8.

Because I can't get to the website, I am definitely not logged in simultaneously. Anyway, I should still be able to get to this website on multiple computers at the same time.


Did you do this?

SPYBOT TEATIMER

  • Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
  • On the left hand side, click on Tools, then click on the Resident Icon in the list.
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • Click on the "System Startup" icon in the List
  • Uncheck the "TeaTimer" box and "OK" any prompts.
  • If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • Exit Spybot S&D when done.
  • (When we are done, you can re-enable TeaTimer using the same steps, but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)

Next:

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

DDS::
Trusted Zone: gamls.com\www
Trusted Zone: rexplorer.net\atl
Trusted Zone: rexplorer.net

FireFox::
FF - ProfilePath - c:\documents and settings\Sonia Evans\Application Data\Mozilla\Firefox\Profiles\axuvh315.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Forecastfox: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

[screenshot: dragging CFScript.txt onto ComboFix.exe]

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


LDTate, I have not been able to do the above yet... I have tried many things to "unblock" this website on that computer. I can get to the internet, but not here. I went to another computer on that same router gate, and it was blocked too. So I rebooted the router and unplugged the computer, rebooted everything, and still the same. I am typing this message from a computer on a different router. So now I think I have something blocking in the router too. I also noticed that there were A BUNCH of blocked sites in Mozilla and IE8, so I deleted all of them.... no change. This all started after I did the antivirus with the Microsoft. I have uninstalled that program. Did uninstalling the antivirus cause the issue?!

I thought we were almost finished with my problems and now this new problem. If you can log on directly, I am not opposed to that either, as I can still get on the internet with that computer. I will try and figure out how to take the above information and save to a flash to do the procedure... Do you need to add anymore "kill all" to the script?!?!


Let’s try to reset the router to its default configuration.

  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.


LDTate, Ok, I am back on the infected computer. I have run the CFScript and the computer booted up at least 2x faster!!! The wallpaper pic did "reload" though. I had to do a DNS flush and complete router reboot again to get back to the website. But I had to use the email verification link to find the thread, because the newest update was 4am 11-20-11 and it is currently 12:30am 11-21-11. So I am not sure why the website will not refresh from your server yet?! Here is the current ComboFix report:

ComboFix 11-11-20.02 - Sonia Evans 11/20/2011 23:59:27.7.1 - x86

Running from: c:\internet downloads\ComboFix.exe

Command switches used :: c:\documents and settings\All Users\Documents\CFScript.txt

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Sonia Evans\Application Data\Mozilla\Firefox\Profiles\axuvh315.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}

c:\documents and settings\Sonia Evans\Application Data\Mozilla\Firefox\Profiles\axuvh315.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}\chrome.manifest

c:\documents and settings\Sonia Evans\Application Data\Mozilla\Firefox\Profiles\axuvh315.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}\chrome\forecastfox.jar

c:\documents and settings\Sonia Evans\Application Data\Mozilla\Firefox\Profiles\axuvh315.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}\icon.png

c:\documents and settings\Sonia Evans\Application Data\Mozilla\Firefox\Profiles\axuvh315.default\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}\install.rdf

c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\icon.png

c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\install.rdf

c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\preview.png

c:\windows\CSC\d6

.

.

((((((((((((((((((((((((( Files Created from 2011-10-21 to 2011-11-21 )))))))))))))))))))))))))))))))

.

.

2011-11-21 04:12 . 2011-11-21 04:12 -------- d-sh--w- c:\documents and settings\Sonia Evans\IECompatCache

2011-11-19 15:52 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-11-13 18:41 . 2011-11-13 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-18 11:55 . 2011-08-16 10:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-20 11:59 . 2011-10-20 03:28 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2011-08-31 21:00 . 2009-11-22 23:55 22216 -c--a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((( SnapShot_2011-10-21_02.27.19 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-06-21 02:07 . 2008-04-14 05:15 26368 c:\windows\system32\drivers\USBSTOR.SYS

- 2006-06-21 02:07 . 2008-04-14 04:15 26368 c:\windows\system32\drivers\usbstor.sys


- 2011-10-13 11:51 . 2008-07-08 13:02 231288 c:\windows\SoftwareDistribution\Download\0fa2ac15b3f3d16ecfc880648002b82e\spuninst.exe

- 2011-10-13 11:51 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\update\updspapi.dll

- 2011-10-13 11:51 . 2009-05-26 11:40 755576 c:\windows\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\update\update.exe

- 2011-10-13 11:51 . 2009-05-26 11:40 231288 c:\windows\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\spuninst.exe

- 2011-10-13 12:02 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\update\updspapi.dll

- 2011-10-13 12:02 . 2009-05-26 11:40 755576 c:\windows\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\update\update.exe

- 2011-10-13 12:02 . 2008-07-08 13:02 231288 c:\windows\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\spuninst.exe

- 2011-10-18 03:24 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\02436769f1bb08660087299442ccda82\update\updspapi.dll

- 2011-10-18 03:24 . 2009-05-26 11:40 755576 c:\windows\SoftwareDistribution\Download\02436769f1bb08660087299442ccda82\update\update.exe

- 2011-10-18 03:24 . 2009-05-26 11:40 231288 c:\windows\SoftwareDistribution\Download\02436769f1bb08660087299442ccda82\spuninst.exe

- 2011-10-13 12:02 . 2007-11-30 12:39 382840 c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\update\updspapi.dll

- 2011-10-13 12:02 . 2007-11-30 12:39 755576 c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\update\update.exe

- 2011-10-13 12:02 . 2007-11-30 12:39 231288 c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\spuninst.exe

- 2011-10-13 11:48 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f\update\updspapi.dll

- 2011-10-13 11:48 . 2009-05-26 11:40 755576 c:\windows\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f\update\update.exe

- 2011-10-13 11:48 . 2008-07-08 13:02 231288 c:\windows\SoftwareDistribution\Download\01229cf5dcf0df67992cac35a2ba0b3f\spuninst.exe

- 2011-10-13 11:51 . 2009-05-26 11:40 382840 c:\windows\SoftwareDistribution\Download\0034610052cb298a78a7ba8a4f6282e6\update\updspapi.dll

- 2011-10-13 11:51 . 2009-05-26 11:40 755576 c:\windows\SoftwareDistribution\Download\0034610052cb298a78a7ba8a4f6282e6\update\update.exe

- 2011-10-13 11:51 . 2009-05-26 11:40 231288 c:\windows\SoftwareDistribution\Download\0034610052cb298a78a7ba8a4f6282e6\spuninst.exe

+ 2011-11-19 15:44 . 2011-11-19 15:44 301056 c:\windows\Installer\62a5ef.msi

+ 2004-02-23 08:00 . 2004-02-23 08:00 1386496 c:\windows\system32\msvbvm60.dll

+ 2010-01-27 01:07 . 2011-11-18 11:55 8527008 c:\windows\system32\Macromed\Flash\NPSWF32.dll

+ 2007-05-05 00:40 . 2011-11-19 06:05 15411796 c:\windows\system32\Restore\rstrlog.dat

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

2011-09-30 11:35 5361272 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-02-10 01:56 98304 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 20:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

2003-05-07 20:32 36864 -c--a-r- c:\windows\system32\VTTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Messenger"=2 (0x2)

"McciCMService"=2 (0x2)

"gusvc"=3 (0x3)

"wuauserv"=2 (0x2)

"wscsvc"=2 (0x2)

"TrkWks"=2 (0x2)

"Themes"=2 (0x2)

"TapiSrv"=3 (0x3)

"SysmonLog"=3 (0x3)

"Schedule"=2 (0x2)

"SCardSvr"=3 (0x3)

"FastUserSwitchingCompatibility"=3 (0x3)

"Eventlog"=2 (0x2)

"ERSvc"=2 (0x2)

"idsvc"=3 (0x3)

"AMDFusionSVC"=2 (0x2)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"VTTimer"=VTTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"6027:TCP"= 6027:TCP:rcntsjph

.

R2 druudwilx;Driver Center;c:\windows\system32\svchost.exe [2008-04-14 14336]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R4 MaxSch2Svc;Maxtor Scheduler2 Service;c:\program files\Common Files\Maxtor\Schedule2\schedul2.exe [x]

S3 DCamUSBNW802;PC Camera Capture;c:\windows\system32\DRIVERS\pcam.sys [2006-09-25 269480]

.

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

druudwilx

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-16 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2011-10-15 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: rexplorer.net

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Sonia Evans\Application Data\Mozilla\Firefox\Profiles\axuvh315.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-21 00:06

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\druudwilx]

"ServiceDll"="c:\windows\system32\vrcrs.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(344)

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\msls31.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\msiexec.exe

c:\windows\System32\locator.exe

c:\windows\system32\wdfmgr.exe

.

**************************************************************************

.

Completion time: 2011-11-21 00:10:35 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-21 05:10

ComboFix2.txt 2011-11-19 14:33

ComboFix3.txt 2011-10-21 02:31

ComboFix4.txt 2011-10-14 04:37

ComboFix5.txt 2011-11-21 04:57

.

Pre-Run: 65,964,105,728 bytes free

Post-Run: 65,953,120,256 bytes free

.

- - End Of File - - E9011B5AF3E9766510D54357228C2DED


I feel like there is still something going on, I am too tired to look around in this computer for the moment, but that screen "reload" tells me that things are still doing too much. Thank you for your help so far, as my computer is working much better. My keyboard is not stalling out and I can type as fast as possible and it is not missing any keystrokes!!! So, I know it is working much better. But, closing down the browser or making it small has the screen still doing the real slow "reload". It takes about 4-5 writes to build the whole wallpaper pic.


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\system32\vrcrs.dll

NetSvc::
druudwilx

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6027:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\druudwilx]

Save this file to your desktop; save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.

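The CFScript above removes three linked indicators from the log: a service (druudwilx) hosted by svchost.exe and registered in the Svchost NetSvcs group, the ServiceDll it loads (vrcrs.dll in system32), and a globally open firewall port (6027:TCP) with a meaningless label. The following Python script is an added example, not ComboFix's or the forum's code: it parses those ComboFix-style lines and correlates them so a reviewer does not have to spot the chain by eye. The sample log is constructed from the entries in the thread, and BASELINE_NETSVCS is an assumed, illustrative list of service names a clean machine hosts in svchost; the real list should come from a trusted reference system.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix's own code).
Correlates svchost-hosted services, their ServiceDll and globally open ports."""
import re
from dataclasses import dataclass, field

# Constructed sample built from the druudwilx / vrcrs.dll / 6027:TCP lines in the thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6027:TCP"= 6027:TCP:rcntsjph
.
R2 druudwilx;Driver Center;c:\windows\system32\svchost.exe [2008-04-14 14336]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
S3 DCamUSBNW802;PC Camera Capture;c:\windows\system32\DRIVERS\pcam.sys [2006-09-25 269480]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
druudwilx
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\druudwilx]
"ServiceDll"="c:\windows\system32\vrcrs.dll"
"""

# Assumed baseline (illustrative only) of service names a clean XP box hosts in svchost.exe.
BASELINE_NETSVCS = {"appmgmt", "audiosrv", "browser", "cryptsvc", "eventsystem", "lanmanserver",
                    "lanmanworkstation", "netman", "nla", "rasman", "schedule", "sens", "sharedaccess",
                    "themes", "trkwks", "w32time", "wuauserv", "wscsvc", "winmgmt", "wzcsvc", "bits"}

SERVICE_RE = re.compile(r"^[RS]\d+ (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)(?: \[|$)")
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.+)$')
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.I)
DLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"')


@dataclass
class Finding:
    kind: str        # "service" or "firewall"
    subject: str     # service name or "port:proto"
    detail: str      # ServiceDll path or firewall rule label
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Pull services, NetSvcs members, ServiceDll values and open ports out of the log."""
    services, netsvcs, service_dlls, open_ports = {}, [], {}, []
    current_key, in_netsvcs = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":      # ComboFix separates sections with a lone "."
            in_netsvcs = False
            continue
        if in_netsvcs:                   # bare service names follow the NetSvcs header
            netsvcs.append(line)
        elif line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
        elif m := SERVICE_RE.match(line):
            services[m["name"]] = (m["display"], m["image"].lower())
        elif m := PORT_RE.match(line):
            open_ports.append((int(m["port"]), m["proto"], m["label"].strip()))
        elif m := KEY_RE.match(line):
            current_key = m["name"]
        elif (m := DLL_RE.match(line)) and current_key:
            service_dlls[current_key] = m["dll"].lower()
    return services, netsvcs, service_dlls, open_ports


def triage(text, baseline=BASELINE_NETSVCS):
    """Flag svchost-hosted services outside the baseline, then any high port opened
    globally under a label that matches no service in the log."""
    services, netsvcs, service_dlls, open_ports = parse_log(text)
    findings, suspicious = [], []
    for name, (_display, image) in services.items():
        if not image.endswith("svchost.exe"):
            continue                     # drivers and standalone executables: out of scope
        reasons = []
        if name in netsvcs:
            reasons.append("listed in the Svchost NetSvcs group")
        if name.lower() not in baseline:
            reasons.append("service name absent from the clean-machine baseline")
        if reasons:
            dll = service_dlls.get(name, "<ServiceDll not found in log>")
            findings.append(Finding("service", name, dll, reasons))
            suspicious.append(name)
    known = {n.lower() for n in services}
    for port, proto, label in open_ports:
        if port > 1024 and label.lower() not in known:
            reasons = ["high port opened globally under a label matching no service"]
            if suspicious:
                reasons.append("same log shows suspicious hosted service(s): " + ", ".join(suspicious))
            findings.append(Finding("firewall", f"{port}:{proto}", label, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject} -> {f.detail}")
        for r in f.reasons:
            print("    -", r)
```

Run against the sample it reports druudwilx (hosted in svchost, in NetSvcs, not in the baseline, ServiceDll c:\windows\system32\vrcrs.dll) and the 6027:TCP exception labelled rcntsjph, which is exactly the pair the CFScript's NetSvc:: and Registry:: sections remove. Feeding it a full ComboFix log works the same way; the baseline is where a real deployment needs care, since ComboFix already hides default entries and any extra NetSvcs member deserves a look.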

LDTate, ok here is the new combofix txt. Then in the following thread I will post what I got today from AT&T in email. As I type this my keyboard is hanging up again and all my symptoms have returned! I keep having to dnsflush to get back to this website?!

ComboFix 11-11-20.02 - Sonia Evans 11/21/2011 23:22:06.8.1 - x86

Running from: c:\internet downloads\ComboFix.exe

Command switches used :: c:\documents and settings\All Users\Documents\CFScript.txt

* Created a new restore point

.

FILE ::

"c:\windows\system32\vrcrs.dll"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

c:\windows\system32\vrcrs.dll

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_druudwilx

-------\Service_druudwilx

.

.

((((((((((((((((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))))))))))))))))))))))

.

.

2011-11-21 04:12 . 2011-11-21 04:12 -------- d-sh--w- c:\documents and settings\Sonia Evans\IECompatCache

2011-11-19 15:52 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe

2011-11-13 18:41 . 2011-11-13 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-18 11:55 . 2011-08-16 10:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-20 11:59 . 2011-10-20 03:28 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe

2011-08-31 21:00 . 2009-11-22 23:55 22216 -c--a-w- c:\windows\system32\drivers\mbam.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]

c:\windows\system32\dumprep 0 -u [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

2011-09-30 11:35 5361272 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2007-02-10 01:56 98304 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

2009-03-05 20:07 2260480 -c----w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

2003-05-07 20:32 36864 -c--a-r- c:\windows\system32\VTTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Messenger"=2 (0x2)

"McciCMService"=2 (0x2)

"gusvc"=3 (0x3)

"wuauserv"=2 (0x2)

"wscsvc"=2 (0x2)

"TrkWks"=2 (0x2)

"Themes"=2 (0x2)

"TapiSrv"=3 (0x3)

"SysmonLog"=3 (0x3)

"Schedule"=2 (0x2)

"SCardSvr"=3 (0x3)

"FastUserSwitchingCompatibility"=3 (0x3)

"Eventlog"=2 (0x2)

"ERSvc"=2 (0x2)

"idsvc"=3 (0x3)

"AMDFusionSVC"=2 (0x2)

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"VTTimer"=VTTimer.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

.

R2 druudwilx;Driver Center;c:\windows\system32\svchost.exe [2008-04-14 14336]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R4 MaxSch2Svc;Maxtor Scheduler2 Service;c:\program files\Common Files\Maxtor\Schedule2\schedul2.exe [x]

S3 DCamUSBNW802;PC Camera Capture;c:\windows\system32\DRIVERS\pcam.sys [2006-09-25 269480]

.

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-16 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2011-10-15 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: rexplorer.net

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Sonia Evans\Application Data\Mozilla\Firefox\Profiles\axuvh315.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-22 02:17

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\druudwilx]

"ServiceDll"="c:\windows\system32\vrcrs.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(224)

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\windows\system32\msls31.dll

c:\windows\system32\OneX.DLL

c:\windows\system32\eappprxy.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\System32\locator.exe

c:\windows\system32\wdfmgr.exe

.

**************************************************************************

.

Completion time: 2011-11-22 02:21:44 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-22 07:21

ComboFix2.txt 2011-11-21 05:10

ComboFix3.txt 2011-11-19 14:33

ComboFix4.txt 2011-10-21 02:31

ComboFix5.txt 2011-11-22 04:21

.

Pre-Run: 78,782,857,216 bytes free

Post-Run: 78,741,585,920 bytes free

.

- - End Of File - - 892E96542F3A3EA3FCDD01DDCFD803B5


THIS was from AT&T today!!!

-----Original Message-----

From: Bellsouth Internet Services Security Center [mailto:abuse@att.net]

Sent: 11/21/2011 3:17 PM

To: soniabevans@ymail.com; speedqueen@bellsouth.net

Subject: Warning! Your Bellsouth Member ID is: speedqueen@bellsouth.net IP: 74.184.171.119 (issue 8106)

***********************************************************
For the fastest response, please ensure that you retain the subject line, and direct all replies to this warning letter to abuse@att.net.
***********************************************************

IMPORTANT COMPUTER SAFETY NOTICE from AT&T Internet Services Security Center - "Conficker Traffic Detected"

Sonia Brown,

Our investigation shows the following IP was assigned to your log-on session at the indicated time and was being used to provide DNS services to a zombie computer network, also known as a Botnet.

At Wed, 16 Nov 2011 10:26:29 +0000, your IP address was: 74.184.171.119

Type of infection (if known): downadup

Source Port: 2504

Destination IP: 149.20.56.33

Botnets are networks of compromised computers under the control of a hacker or group of hackers. Botnets are often used to conduct various attacks ranging from denial of service attacks on websites, to spamming, click fraud, and distribution of malicious software.

Based on our data we believe the specific malware you are infected with is known as "Conficker". We recommend you check your computer(s) with the following link:

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

To address this problem we ask that you immediately take the following steps to secure your network:

1. If your computer(s) are managed by an Information Technology (IT) group at your place of work, then contact them immediately.

2. AT&T offers a free online scan tool PC Health Check that will scan for virus/spyware activity. https://pccheck.att.com/index.aspx?RID=AG

3. If your computer(s) are personally owned, then update the security software on your system (follow the instructions on your vendor's website). You might also consider installing new security software such as AT&T Security Suite. http://www.att.net/iss (You must be logged in with the Master Account ID to download AT&T Security Suite).

4. If you are an advanced user, then consider reimaging your computer(s) and installing the necessary software patches. For less advanced users, this can be done by a third party such as AT&T Connect Tech. https://remotesupport.att.com/index.aspx AT&T Computer consultants trained to clean infected machines might also be located in your area (you can search at yp.com).

5. In all cases, please respond by forwarding this email to: abuse@att.net with an acknowledgement of: "I am taking steps to address this infection." When we receive such an acknowledgment, we can maintain the high quality of service you expect from us. We welcome feedback on what removal tools or method were used.

Although the activity is likely unintentional, it is still in violation of AT&T's Acceptable Use Policy. To review the AT&T Acceptable Use Policy, go to:

http://www.corp.att.com/aup/

Below are some additional sites you can visit for tools or information:

AT&T PC Health Check - Online virus, malware and spyware scan.
https://pccheck.att.com/index.aspx?RID=AG

Microsoft Systems Anti-virus:
http://www.microsoft.com/security_essentials/

Microsoft Safety Scanner:
http://www.microsoft.com/security/scanner/en-us/default.aspx

Apple Systems Anti-virus:
http://www.apple.com/downloads/macosx/networking_security/avastantivirusmacedition.html

We also recommend you run an anti-spyware application, like Malwarebytes Anti-Malware or Spybot: http://malwarebytes.org/mbam.php
http://www.safer-networking.org/en/index.html

More Conficker specific links are listed below. Many of these sites will be inaccessible from a Conficker infected system, so you might have to download from another system and bring the tool to the infected system. All of these tools, as far as we know, are free to download and use. They are listed in no specific order except alphabetical.

Vendor / Link / Notes

ESET - http://download.eset.com/special/EConfickerRemover.exe (ESET's Threat Encyclopaedia - http://www.eset.eu/encyclopaedia/conficker_aa_trojan_win32_agent_bbof_w32_downadup_b_w32_conficker_worm_gen_a)

Kaspersky - http://support.kaspersky.com/downloads/utils/kk.zip (How to remove network worm Net-Worm.Win32.Kido - http://support.kaspersky.com/faq/?qid=208279973)

McAfee - http://vil.nai.com/vil/stinger/ (McAfee's Page on Protecting yourself from Conficker - http://www.mcafee.com/us/threat_center/conficker.html)

Sunbelt Software - http://www.sunbeltsecurity.com/DownLoads.aspx (Sunbelt Threat Advisory - http://www.sunbeltsecurity.com/advisory.aspx)

Symantec - http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/D.exe (W32.Downadup - Removal - http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=3)

Trend Micro - http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip (WORM_DOWNAD.E - http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.E&VSect=P)

Regards,

AT&T Internet Services Security Center

SAFETY NOTE: We have included links in this email as a convenience. Please note that it is always safer to copy and paste URLs included in email directly into your browser to reach the referenced site.

77geb48dd0c599r86b6b1b5ed5482p


1. Very important: First disconnect your computer from the internet.

2. Router Reset: Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

3. Reset the IP/DNS settings of your internet connection:

  • Go to Start -> Control Panel -> Double click on Network Connections.
  • Right click on your default connection (usually Local Area Connection or Wireless Network Connection) and select Properties.
  • Select the General tab.
  • Double click on Internet Protocol (TCP/IP).
    • Under General tab:
      • Select "Obtain an IP address automatically".
      • Select "Obtain DNS server address automatically".
  • Click OK twice to save the settings.
  • Reboot if you had to change any setting.

4. Flush the DNS cache:

  • Click the Start logo in the bottom left corner of the screen
  • Click on Run
  • In the command window copy/paste the following:
    IPCONFIG /release
    IPCONFIG /flushdns
    IPCONFIG /renew
  • Then hit enter.
  • Exit the command window.

5. Reconnect: Once you have followed all the above steps you can reconnect your computer to the internet.

Now run a new Combofix scan
