System Check rogue/virus/trojan not fully removed by Malwarebytes

[Ndhlp]

I appreciate the link but the Accessories is one of the few shortcuts that are intact in their Start Menu. All of the icon images were changed to the same (not our concern, just an observation) icon that looks like a program file that you see (for example) for Accessories.

However, about half the list in All Programs says empty when you place your cursor over it. MBAM, Microsoft Works, Lexmark (their printer), Start Up among others.

The properties all say they are read only files with 1 folder located in C:\Documents and Settings\All Users\Start Menu\P

I went to My Computer> C:> Program Files and tried to create a shortcut for one of the missing All Programs items, Abby Fine Reader 6.0 Sprint. I right clicked the .exe file to creat a shortcut and tried to cut and paste it to the aforementioned folder. It did bring it up into the All Programs but says "shortcut to Sprint.exe" instead of "Abby Fine Reader 6.0 Sprint". It does open the program which is most important but is there a better way to do this?

Also, for programs like Microsoft Works, Lexmark, and MBAM there are several .exe files in that folder. How do I know which one to use? I must be doing something wrong here...

And in the C: Program Files folder almost all the programs have just a generic folder as their icon with the exception of 3 plus ComboFix, Rkill, and unhide. The MBAM desktop shortcut is also missing.

We appreciate your patience and help!

[MrCharlie]

This is one nasty infection, we can try downloading a fresh copy of ComboFix and running it.

It has the ability to correct some of these problems if it can.

Other than that, I'm out of ideas.... you can try bleepingcomputer and see what they say.

Give ComboFix a try if you'd like.

Let me know....MrC

[Ndhlp]

We do appreciate your patience and help.

Is there anything I you recommend I should do before I uninstall the current ComboFix and reinstall a fresh copy and run it? Aside from trying to get this rectified they've stayed off their computer. They still have the following installed:

OTL.exe

Roguekill.exe

FSS.exe

winxp-pro-32bit-sm-reset.exe

RK_Quarantine folder

unhide.exe

wuauserv.reg

wscsvc.reg

WUS_Fix.exe

Do any of this need to be uninstalled or deleted prior to running ComboFix?

I plan on running it from Normal mode so I can disable Avira, and disconnect from the Internet too.

Thanks again.

[MrCharlie]

Leave these for now:

OTL.exe

Roguekill.exe

RK_Quarantine folder

The rest you can delete.

All you have to do is delete your copy of CF and download a fresh one to your desktop, then run it.

I won't be around tomorrow, good luck MrC

[Ndhlp]

Thanks. Followed your directions. When ComboFix finished but prior to preparing the log report the computer shut down and restarted by itself. After it restarted the ComboFix box was on the screen with the "preparing log report" and don't do anything until it's done. It did take a few minutes to complete the report. Sounds odd but I hope it did find something. One of the files it was deleting when it was running was a screensaver file.

We do appreciated your patience and help.

ComboFix 12-03-02.01 - Owner 03/02/2012 14:05:57.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1354 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\oobe\msoobe.exe

c:\windows\system32\oobe\oobebaln.exe

c:\windows\TEMP\__3ESolutions_temp\simple_screensaver_gtw_slow.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-02-02 to 2012-03-02 )))))))))))))))))))))))))))))))

.

.

2012-02-28 18:11 . 2012-02-28 18:11 -------- d-----w- c:\documents and settings\Owner\Application Data\ElevatedDiagnostics

2012-02-27 22:51 . 2012-02-27 22:51 -------- d-----w- c:\program files\ERUNT

2012-02-27 18:20 . 2012-02-27 18:20 -------- d-----w- C:\_OTL

2012-02-25 22:46 . 2012-02-25 22:46 607260 ------r- c:\program files\dds.scr

2012-02-25 22:17 . 2012-02-25 22:17 1008141 ----a-w- c:\program files\rkill.exe

2012-02-25 18:07 . 2012-02-25 18:07 -------- d-----w- c:\program files\ESET

2012-02-25 16:20 . 2012-02-25 16:20 -------- d-sh--w- c:\documents and settings\Administrator.YOUR-5E03CF73DE\PrivacIE

2012-02-24 22:55 . 2012-02-24 22:55 -------- d-----w- c:\documents and settings\Administrator.YOUR-5E03CF73DE\Application Data\Windows Search

2012-02-24 22:52 . 2012-02-24 22:52 -------- d-sh--w- c:\documents and settings\Administrator.YOUR-5E03CF73DE\IETldCache

2012-02-22 14:14 . 2012-02-22 14:14 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE

2012-02-22 01:40 . 2012-02-22 01:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2012-02-22 01:38 . 2012-02-22 01:38 -------- d-sh--w- c:\documents and settings\Owner\IETldCache

2012-02-22 01:19 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll

2012-02-22 01:14 . 2011-12-17 19:46 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2012-02-22 01:14 . 2011-12-17 19:46 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2012-02-22 01:14 . 2011-12-17 19:46 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2012-02-22 01:11 . 2012-02-22 01:13 -------- dc----w- c:\windows\ie8

2012-02-16 05:33 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll

2012-02-16 05:33 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-02-15 16:15 . 2011-10-24 18:51 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys

2012-01-12 16:53 . 2004-08-26 16:12 1859968 ----a-w- c:\windows\system32\win32k.sys

2011-12-29 18:29 . 2011-07-30 23:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-12-17 19:46 . 2004-08-26 16:12 916992 ----a-w- c:\windows\system32\wininet.dll

2011-12-17 19:46 . 2004-08-26 16:11 43520 ------w- c:\windows\system32\licmgr10.dll

2011-12-17 19:46 . 2004-08-26 16:11 1469440 ------w- c:\windows\system32\inetcpl.cpl

2011-12-16 12:22 . 2004-08-26 16:11 385024 ------w- c:\windows\system32\html.iec

2011-12-10 20:24 . 2011-06-20 20:15 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-23 15:31 . 2011-08-23 15:31 1284232 ----a-w- c:\program files\couponprinter.exe

2011-06-27 22:20 . 2011-06-27 22:20 900384 ----a-w- c:\program files\JavaSetup6u26.exe

2011-06-24 17:19 . 2011-06-24 17:19 50688 ----a-w- c:\program files\ATF_Cleaner.exe

2011-06-23 17:19 . 2011-06-23 17:19 684297 ----a-w- c:\program files\unhide.exe

.

.

((((((((((((((((((((((((((((( SnapShot@2012-02-27_18.55.14 )))))))))))))))))))))))))))))))))))))))))

.

+ 1601-01-01 00:00 . 1601-01-01 00:00 0 c:\windows\temp\__3ESolutions_temp\simple_screensaver_gtw_slow.exe

+ 2012-03-02 19:13 . 2012-03-02 19:13 16384 c:\windows\temp\Perflib_Perfdata_6cc.dat

+ 2012-02-28 18:08 . 2007-11-01 04:48 20992 c:\windows\system32\windowspowershell\v1.0\pwrshsip.dll

+ 2004-08-26 18:01 . 2008-04-14 00:12 51200 c:\windows\system32\dllcache\oobebaln.exe

+ 2004-08-26 18:02 . 2008-04-14 00:12 29184 c:\windows\system32\dllcache\msoobe.exe

+ 2012-02-28 20:17 . 2012-02-28 20:16 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2004-08-26 18:07 . 2012-02-28 20:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2004-08-26 18:07 . 2012-01-11 00:09 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2012-02-28 20:17 . 2012-02-28 20:16 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2011-11-30 13:10 . 2012-01-11 00:09 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2012-02-28 19:44 . 2012-02-28 19:44 30208 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\9855d3fb15e6c63a811b1f0b66d78428\Microsoft.PowerShell.Commands.Utility.resources.ni.dll

+ 2012-02-28 19:44 . 2012-02-28 19:44 17408 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\7618f444d33b1311e952ba9285e4a4b2\Microsoft.PowerShell.Security.resources.ni.dll

+ 2012-02-28 19:41 . 2012-02-28 19:41 19456 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\1b23e2c0707d81e7eb14f78552562635\Microsoft.PowerShell.Commands.Management.resources.ni.dll

+ 2012-02-28 19:44 . 2012-02-28 19:44 35328 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\05bbffbe100ede49139819641a41dfda\Microsoft.PowerShell.ConsoleHost.resources.ni.dll

+ 2012-02-28 18:08 . 2012-02-28 18:08 65536 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll

+ 2012-02-28 18:08 . 2012-02-28 18:08 36864 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll

+ 2012-02-28 18:08 . 2012-02-28 18:08 32768 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll

+ 2012-02-28 18:08 . 2012-02-28 18:08 11264 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll

+ 2012-02-28 18:08 . 2007-06-30 18:49 4608 c:\windows\system32\windowspowershell\v1.0\pwrshmsg.dll

+ 2012-02-28 18:08 . 2012-02-28 18:08 8704 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll

+ 2012-02-28 18:08 . 2007-10-30 09:15 330240 c:\windows\system32\windowspowershell\v1.0\powershell.exe

+ 2012-02-27 22:56 . 2012-02-27 22:56 196608 c:\windows\ERDNT\2-27-2012\Users\00000002\UsrClass.dat

+ 2012-02-27 22:56 . 2005-10-20 17:02 163328 c:\windows\ERDNT\2-27-2012\ERDNT.EXE

+ 2012-02-28 19:46 . 2012-02-28 19:46 160256 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\5d6a0e02b8e1cff94d07d2507667edc7\System.Management.Automation.resources.ni.dll

+ 2012-02-28 19:44 . 2012-02-28 19:44 148480 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\fb938a1d399e2cfca2304bdca4fe76dc\Microsoft.PowerShell.Security.ni.dll

+ 2012-02-28 19:43 . 2012-02-28 19:43 968192 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\a03adbb7c3084d986da6e22dcce9805f\Microsoft.PowerShell.Commands.Utility.ni.dll

+ 2012-02-28 19:41 . 2012-02-28 19:41 433664 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\8a25afef0d57ac430ba392595eba639f\Microsoft.PowerShell.Commands.Management.ni.dll

+ 2012-02-28 19:44 . 2012-02-28 19:44 492032 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\875af0c2a5e8a4bed88232b6f445cfaa\Microsoft.PowerShell.ConsoleHost.ni.dll

+ 2012-02-28 18:08 . 2012-02-28 18:08 163840 c:\windows\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll

+ 2012-02-28 18:08 . 2012-02-28 18:08 200704 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll

+ 2012-02-28 18:08 . 2012-02-28 18:08 294912 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll

+ 2012-02-28 18:08 . 2012-02-28 18:08 139264 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll

+ 2012-02-27 22:56 . 2012-02-27 22:56 3895296 c:\windows\ERDNT\2-27-2012\Users\00000001\NTUSER.DAT

+ 2012-02-28 19:45 . 2012-02-28 19:46 4950016 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\10fdfb918f01ebc41f38a391334146a9\System.Management.Automation.ni.dll

+ 2012-02-28 18:08 . 2012-02-28 18:08 1564672 c:\windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-10 39408]

"AbacastDistributedOnDemand:11"="c:\documents and settings\Owner\Local Settings\Application Data\AbacastDistributedOnDemand\Node\11\AbacastDistributedOnDemand.exe" [2008-09-30 54776]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]

"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-08 73728]

"RTHDCPL"="RTHDCPL.EXE" [2006-01-12 15961088]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-06-28 98304]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-11-18 4269296]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2011-01-23 770728]

"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2010-01-18 139944]

"Lexmark Pro800-Pro900 Series Fax Server"="c:\program files\Lexmark Pro800-Pro900 Series\fm3032.exe" [2011-01-23 316072]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-11 258512]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\AbacastDistributedOnDemand\\Node\\11\\AbacastDistributedOnDemand.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient.exe"=

"c:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Abacast\\Abaclient2.exe"=

"c:\\Program Files\\Verizon\\VSP\\ServicepointService.exe"=

"c:\\WINDOWS\\system32\\lxeccoms.exe"=

"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"50000:UDP"= 50000:UDP:IHA_MessageCenter

.

R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/24/2011 1:51 PM 36000]

R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/24/2011 1:52 PM 86224]

R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [10/28/2011 6:20 PM 290832]

R2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe -service --> c:\windows\system32\lxeccoms.exe -service [?]

R2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [5/10/2010 12:44 PM 668912]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 4:12 PM 135664]

S2 lxecCATSCustConnectService;lxecCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxecserv.exe [9/8/2010 1:47 PM 193192]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 4:12 PM 135664]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

.

2012-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 21:12]

.

2012-03-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-07 21:12]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.aspx?LOBCode=C&PromoTCode=MVZ00&PromoSrcCode=V&POEId=VU1SP&CMP=DMC-MVZ00

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

LSP: c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-03-02 14:14

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(456)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'lsass.exe'(516)

c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll

.

- - - - - - - > 'explorer.exe'(3940)

c:\windows\system32\WININET.dll

c:\program files\SmartFTP Client\sfShellTools.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\SmartFTP Client\smarthook.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxeccoms.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\program files\Netscape Internet Service\ncupdatesvc.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\SearchIndexer.exe

c:\windows\RTHDCPL.EXE

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\Verizon\VSP\VerizonServicepointComHandler.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2012-03-02 14:21:08 - machine was rebooted

ComboFix-quarantined-files.txt 2012-03-02 19:21

ComboFix2.txt 2012-02-27 18:57

.

Pre-Run: 137,403,297,792 bytes free

Post-Run: 137,432,842,240 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 8F481B5CBB17E6D19A7A56A5501222D5

[MrCharlie]

ComboFix deleted these files:

c:\windows\system32\oobe\msoobe.exe

c:\windows\system32\oobe\oobebaln.exe

c:\windows\TEMP\__3ESolutions_temp\simple_screensaver_gtw_slow.exe

When CF deletes a file, it's moved to this folder and renamed:

C:\Qoobox\Quarantine

So any file you want to restore is in there.

-------------------------

I looked through the 8 pages of Unhide tutorial and found nothing new to try.

ComboFix is a very powerful tool and would have restored any and all it could.

Want problems remain? MrC

[Ndhlp]

Unfortunately the same problems as described in post #26 remain. I tried to use the search for Qoobox but nothing would come up so I copy/pasted C:\Qoobox\Quarantine in the Start > Run box to pull it up.

In a folder named C > Documents and Settings > All Users > there is a file SPLC65C.tmp.vir that has a properties date of January 16, 2012 but I have no idea how to use it to help us or if it can.

At this point can/should I try an older System Restore? Otherwise they will not be able to open many programs unless they know a specific command prompt to open them...

The Program Files folder in C: > Program Files > is all program folders and clicking on it only further opens another folder.

[MrCharlie]

Yes, see if that works, MrC

[Ndhlp]

I tried System Restore in Normal both with and without Avira enabled, and in Safe Mode with Avira disabled and I keep getting the following after it "goes through" the restore process.

Your computer cannot be restored to (whatever date we try)

No changes have been made to your computer.

To chose another restore point restart System Restore.

We do have a number of dates to choose from. This is the only error that comes up. No others. I see on other boards other XP SP3 users have had the same problem but I didn't see or missed the solution...Any ideas?

Thank you for your help. It is too bad the people who create these bugs couldn't put their "talents" to a good use! ARRGH!

[MrCharlie]

Make sure hidden files is enabled and look in this folder and see if any restore points exists.

C:\System Volume Information

RP149, RP150 etc.

MrC

[Ndhlp]

Thanks for your help. Hidden files are "unhidden". The System Volume Information folder is there with a restore points folder with RP1035 through RP1124.

There is also a _driver.cfg _filelst.cfg drivetable.txt fifo.log in the folder.

When I went to the C: local disk to open the System Volume Information folder, I noticed that folder and several files have a very faded appearance.

NOTE: Microsoft had the following in there instructions on how to gain access to the System Information File but their computer didn't have the following options...I just unhid the files, went to the local disk and opened it.

1. Right-click the System Volume Information folder in the root folder, and then click Sharing and Security.
   
2. Click the Security tab.
   
3. Click Add, and then type the name of the user to whom you want to give access to the folder. Choose the account location if appropriate (either local or from the domain). Typically, this is the account with which you are logged on. Click OK, and then click OK again.
   
4. Double-click the System Volume Information folder in the root folder to open it.
   

[MrCharlie]

When I went to the C: local disk to open the System Volume Information folder, I noticed that folder and several files have a very faded appearance.

That's normal, they're hidden folders.

-----------------------------------------

Download and unzip GrantPerms

http://download.blee.../GrantPerms.zip

Now you can copy and paste the path of any file or folder into it, then click List Permissions and if need be Unlock if it's locked.

Example:

C:\System Volume Information

C:\System Volume Information\_restore{A7CF232D-FC23-4DC2-9B57-5BD5892B5555}\RP150

MrC

[Ndhlp]

Forgive me for being a dunce but do you mean I need to pick a restore point and copy it into the list permissions, then unlock it? And then try system restore?

[MrCharlie]

Yes, do the whole folder first: (your paths may be different)

C:\System Volume Information

Then try a restore point:

C:\System Volume Information\_restore{A7CF232D-FC23-4DC2-9B57-5BD5892B5555}\RP150

See what the permissions are, see if the file or folder is locked.

I just did it for one of mine and this is the result:

C:\System Volume Information\_restore{A7CF232D-FC23-4DC2-9B57-5BD5892B5555}\RP150

Owner: Everyone <------------OK

MrC

[Ndhlp]

I was able to unlock the folder and a restore point. I did get this message when I clicked on List Permissions, but I was able to unlock it anyway. Should I go ahead and try a System Restore? Thank you!

GrantPerms by Farbar

Ran by Owner (administrator) at 2012-03-05 15:14:31

===============================================

ERROR: Parsing the SD of <\\?\C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}}\RP1110> failed with: The system cannot find the path specified.

Operating system error message: The system cannot find the path specified.

[MrCharlie]

ERROR: Parsing the SD of <\\?\C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}}\RP1110> failed with: The system cannot find the path specified.

From what I see you entered the incorrect path:

ERROR: Parsing the SD of <\\?\C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}}\RP1110

You put an extra } in.

Try this:

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1110

MrC

[Ndhlp]

Thank you. Looks like I might Ndhlp with glasses too

I didn't have the log saved from the full folder so I reran it. The restore point too (correctly). Should I go ahead and try a restore? If it works, I will update and run MBAM and Avira and see what comes up. Nothing should on the date I chose but...

GrantPerms by Farbar

Ran by Owner (administrator) at 2012-03-06 13:04:28

===============================================

\\?\C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1110

Owner: BUILTIN\Administrators

DACL(P)(AI):

Everyone ADD FILE ALLOW (NI)

BUILTIN\Administrators FULL ALLOW (CI)(OI)

NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)

GrantPerms by Farbar

Ran by Owner (administrator) at 2012-03-06 13:08:04

===============================================

\\?\C:\System Volume Information

Owner: BUILTIN\Administrators

DACL(NP)(AI):

BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)

NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)

CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)

BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)

BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)

BUILTIN\Users ADD FILE ALLOW (CI)(I)

[MrCharlie]

Please do this first, I don't think we ever ran TDSSKiller on this computer, it's easy to run and takes only a couple of minutes.

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

--------------------

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

MrC

[Ndhlp]

Cure was not an option, so I skipped as directed.

13:29:02.0921 0340 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39

13:29:03.0187 0340 ============================================================

13:29:03.0187 0340 Current date / time: 2012/03/06 13:29:03.0187

13:29:03.0187 0340 SystemInfo:

13:29:03.0187 0340

13:29:03.0187 0340 OS Version: 5.1.2600 ServicePack: 3.0

13:29:03.0187 0340 Product type: Workstation

13:29:03.0187 0340 ComputerName: YOUR-5E03CF73DE

13:29:03.0187 0340 UserName: Owner

13:29:03.0187 0340 Windows directory: C:\WINDOWS

13:29:03.0187 0340 System windows directory: C:\WINDOWS

13:29:03.0187 0340 Processor architecture: Intel x86

13:29:03.0187 0340 Number of processors: 1

13:29:03.0187 0340 Page size: 0x1000

13:29:03.0187 0340 Boot type: Normal boot

13:29:03.0187 0340 ============================================================

13:29:05.0062 0340 Drive \Device\Harddisk0\DR0 - Size: 0x2658AE0000 (153.39 Gb), SectorSize: 0x200, Cylinders: 0x4E37, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

13:29:05.0156 0340 \Device\Harddisk0\DR0:

13:29:05.0156 0340 MBR used

13:29:05.0156 0340 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0xA30359, BlocksNum 0x1289075D

13:29:05.0156 0340 \Device\Harddisk0\DR0\Partition1: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0xA3031A

13:29:05.0187 0340 Initialize success

13:29:05.0187 0340 ============================================================

13:29:24.0640 0320 ============================================================

13:29:24.0640 0320 Scan started

13:29:24.0640 0320 Mode: Manual; SigCheck; TDLFS;

13:29:24.0640 0320 ============================================================

13:29:25.0109 0320 Abiosdsk - ok

13:29:25.0125 0320 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

13:29:27.0484 0320 abp480n5 - ok

13:29:27.0625 0320 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

13:29:27.0968 0320 ACPI - ok

13:29:28.0109 0320 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

13:29:28.0328 0320 ACPIEC - ok

13:29:28.0359 0320 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

13:29:28.0578 0320 adpu160m - ok

13:29:28.0750 0320 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

13:29:28.0937 0320 aec - ok

13:29:29.0000 0320 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys

13:29:29.0046 0320 AFD - ok

13:29:29.0218 0320 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

13:29:29.0421 0320 agp440 - ok

13:29:29.0437 0320 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

13:29:29.0625 0320 agpCPQ - ok

13:29:29.0656 0320 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

13:29:29.0750 0320 Aha154x - ok

13:29:29.0781 0320 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

13:29:29.0984 0320 aic78u2 - ok

13:29:30.0000 0320 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

13:29:30.0203 0320 aic78xx - ok

13:29:30.0265 0320 akshasp (d5987b854a62867d399a3d3d744547e5) C:\WINDOWS\system32\DRIVERS\akshasp.sys

13:29:30.0375 0320 akshasp - ok

13:29:30.0515 0320 aksusb (25c07de96a774622001935e36693c9c2) C:\WINDOWS\system32\DRIVERS\aksusb.sys

13:29:30.0578 0320 aksusb - ok

13:29:30.0609 0320 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

13:29:30.0812 0320 AliIde - ok

13:29:30.0859 0320 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

13:29:31.0046 0320 alim1541 - ok

13:29:31.0187 0320 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

13:29:31.0390 0320 amdagp - ok

13:29:31.0406 0320 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

13:29:31.0531 0320 amsint - ok

13:29:31.0578 0320 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

13:29:31.0781 0320 Arp1394 - ok

13:29:31.0828 0320 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

13:29:32.0015 0320 asc - ok

13:29:32.0062 0320 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

13:29:32.0171 0320 asc3350p - ok

13:29:32.0187 0320 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

13:29:32.0390 0320 asc3550 - ok

13:29:32.0437 0320 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys

13:29:32.0453 0320 ASCTRM ( UnsignedFile.Multi.Generic ) - warning

13:29:32.0453 0320 ASCTRM - detected UnsignedFile.Multi.Generic (1)

13:29:32.0593 0320 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

13:29:32.0796 0320 AsyncMac - ok

13:29:32.0843 0320 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

13:29:33.0031 0320 atapi - ok

13:29:33.0046 0320 Atdisk - ok

13:29:33.0156 0320 ati2mtag (9bbefce3d18cf3c6eaf4f13920f75200) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

13:29:33.0265 0320 ati2mtag - ok

13:29:33.0468 0320 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

13:29:33.0703 0320 Atmarpc - ok

13:29:33.0765 0320 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

13:29:33.0953 0320 audstub - ok

13:29:34.0062 0320 avgntflt (7713e4eb0276702faa08e52a6e23f2a6) C:\WINDOWS\system32\DRIVERS\avgntflt.sys

13:29:34.0937 0320 avgntflt - ok

13:29:35.0093 0320 avipbb (13b02b9b969dde270cd7c351203dad3c) C:\WINDOWS\system32\DRIVERS\avipbb.sys

13:29:35.0109 0320 avipbb - ok

13:29:35.0140 0320 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\WINDOWS\system32\DRIVERS\avkmgr.sys

13:29:35.0171 0320 avkmgr - ok

13:29:35.0218 0320 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

13:29:35.0421 0320 Beep - ok

13:29:35.0437 0320 catchme - ok

13:29:35.0484 0320 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

13:29:35.0703 0320 cbidf - ok

13:29:35.0796 0320 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

13:29:36.0000 0320 cbidf2k - ok

13:29:36.0015 0320 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

13:29:36.0125 0320 cd20xrnt - ok

13:29:36.0171 0320 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

13:29:36.0375 0320 Cdaudio - ok

13:29:36.0437 0320 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

13:29:36.0609 0320 Cdfs - ok

13:29:36.0718 0320 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

13:29:36.0906 0320 Cdrom - ok

13:29:36.0937 0320 Changer - ok

13:29:36.0984 0320 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

13:29:37.0187 0320 CmdIde - ok

13:29:37.0234 0320 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

13:29:37.0468 0320 Cpqarray - ok

13:29:37.0531 0320 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

13:29:37.0796 0320 dac2w2k - ok

13:29:37.0906 0320 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

13:29:38.0125 0320 dac960nt - ok

13:29:38.0218 0320 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

13:29:38.0421 0320 Disk - ok

13:29:38.0484 0320 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

13:29:38.0718 0320 dmboot - ok

13:29:38.0859 0320 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

13:29:39.0078 0320 dmio - ok

13:29:39.0125 0320 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

13:29:39.0343 0320 dmload - ok

13:29:39.0406 0320 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

13:29:39.0593 0320 DMusic - ok

13:29:39.0765 0320 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

13:29:39.0968 0320 dpti2o - ok

13:29:40.0000 0320 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

13:29:40.0171 0320 drmkaud - ok

13:29:40.0203 0320 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

13:29:40.0375 0320 Fastfat - ok

13:29:40.0421 0320 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

13:29:40.0609 0320 Fdc - ok

13:29:40.0671 0320 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

13:29:40.0843 0320 Fips - ok

13:29:41.0000 0320 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

13:29:41.0203 0320 Flpydisk - ok

13:29:41.0265 0320 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

13:29:41.0484 0320 FltMgr - ok

13:29:41.0640 0320 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

13:29:41.0843 0320 Fs_Rec - ok

13:29:41.0890 0320 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

13:29:42.0093 0320 Ftdisk - ok

13:29:42.0156 0320 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

13:29:42.0343 0320 Gpc - ok

13:29:42.0546 0320 Hardlock (c1cc0c9742b881c42f1cc628e6f9ebd1) C:\WINDOWS\system32\drivers\hardlock.sys

13:29:42.0609 0320 Hardlock - ok

13:29:42.0671 0320 Haspnt (2dd25f060dc9f79b5cdf33d90ed93669) C:\WINDOWS\system32\drivers\Haspnt.sys

13:29:42.0718 0320 Haspnt ( UnsignedFile.Multi.Generic ) - warning

13:29:42.0718 0320 Haspnt - detected UnsignedFile.Multi.Generic (1)

13:29:42.0890 0320 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

13:29:43.0078 0320 HDAudBus - ok

13:29:43.0109 0320 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

13:29:43.0312 0320 HidUsb - ok

13:29:43.0375 0320 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

13:29:43.0562 0320 hpn - ok

13:29:43.0703 0320 HSFHWBS2 (c02dc9d4358e43d088f2061c2b2bf30e) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys

13:29:43.0765 0320 HSFHWBS2 - ok

13:29:43.0828 0320 HSF_DPV (cbf6831420a97e8fbb91e5f52b707ef7) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

13:29:43.0906 0320 HSF_DPV - ok

13:29:43.0984 0320 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

13:29:44.0046 0320 HTTP - ok

13:29:44.0218 0320 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

13:29:44.0390 0320 i2omgmt - ok

13:29:44.0437 0320 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

13:29:44.0609 0320 i2omp - ok

13:29:44.0671 0320 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

13:29:44.0859 0320 i8042prt - ok

13:29:45.0000 0320 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

13:29:45.0187 0320 Imapi - ok

13:29:45.0234 0320 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

13:29:45.0453 0320 ini910u - ok

13:29:45.0625 0320 IntcAzAudAddService (90e1b42e49d9e91e5accaaaaefa10ce8) C:\WINDOWS\system32\drivers\RtkHDAud.sys

13:29:45.0828 0320 IntcAzAudAddService - ok

13:29:46.0000 0320 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

13:29:46.0187 0320 IntelIde - ok

13:29:46.0234 0320 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

13:29:46.0421 0320 intelppm - ok

13:29:46.0453 0320 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

13:29:46.0671 0320 Ip6Fw - ok

13:29:46.0781 0320 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

13:29:47.0000 0320 IpFilterDriver - ok

13:29:47.0046 0320 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

13:29:47.0250 0320 IpInIp - ok

13:29:47.0296 0320 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

13:29:47.0515 0320 IpNat - ok

13:29:47.0671 0320 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

13:29:47.0875 0320 IPSec - ok

13:29:47.0921 0320 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

13:29:48.0140 0320 IRENUM - ok

13:29:48.0281 0320 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

13:29:48.0500 0320 isapnp - ok

13:29:48.0562 0320 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

13:29:48.0796 0320 Kbdclass - ok

13:29:48.0843 0320 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

13:29:49.0015 0320 kmixer - ok

13:29:49.0171 0320 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

13:29:49.0296 0320 KSecDD - ok

13:29:49.0359 0320 lbrtfdc - ok

13:29:49.0500 0320 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

13:29:49.0531 0320 mdmxsdk - ok

13:29:49.0578 0320 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

13:29:49.0796 0320 mnmdd - ok

13:29:49.0859 0320 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

13:29:50.0046 0320 Modem - ok

13:29:50.0187 0320 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

13:29:50.0375 0320 Mouclass - ok

13:29:50.0468 0320 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

13:29:50.0750 0320 mouhid - ok

13:29:50.0890 0320 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

13:29:51.0171 0320 MountMgr - ok

13:29:51.0328 0320 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

13:29:51.0593 0320 mraid35x - ok

13:29:51.0718 0320 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS

13:29:51.0796 0320 MREMP50 ( UnsignedFile.Multi.Generic ) - warning

13:29:51.0796 0320 MREMP50 - detected UnsignedFile.Multi.Generic (1)

13:29:51.0812 0320 MREMPR5 - ok

13:29:51.0828 0320 MRENDIS5 - ok

13:29:51.0859 0320 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS

13:29:51.0890 0320 MRESP50 ( UnsignedFile.Multi.Generic ) - warning

13:29:51.0890 0320 MRESP50 - detected UnsignedFile.Multi.Generic (1)

13:29:52.0062 0320 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

13:29:52.0250 0320 MRxDAV - ok

13:29:52.0312 0320 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

13:29:52.0421 0320 MRxSmb - ok

13:29:52.0640 0320 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

13:29:52.0828 0320 Msfs - ok

13:29:52.0875 0320 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

13:29:53.0062 0320 MSKSSRV - ok

13:29:53.0109 0320 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

13:29:53.0312 0320 MSPCLOCK - ok

13:29:53.0437 0320 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

13:29:53.0687 0320 MSPQM - ok

13:29:53.0734 0320 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

13:29:53.0968 0320 mssmbios - ok

13:29:54.0031 0320 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

13:29:54.0078 0320 Mup - ok

13:29:54.0203 0320 mxnic (e1cdf20697d992cf83ff86dd04df1285) C:\WINDOWS\system32\DRIVERS\mxnic.sys

13:29:54.0437 0320 mxnic - ok

13:29:54.0531 0320 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

13:29:54.0734 0320 NDIS - ok

13:29:54.0890 0320 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

13:29:54.0921 0320 NdisTapi - ok

13:29:54.0984 0320 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

13:29:55.0171 0320 Ndisuio - ok

13:29:55.0312 0320 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

13:29:55.0531 0320 NdisWan - ok

13:29:55.0625 0320 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

13:29:55.0687 0320 NDProxy - ok

13:29:55.0812 0320 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

13:29:55.0984 0320 NetBIOS - ok

13:29:56.0046 0320 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

13:29:56.0234 0320 NetBT - ok

13:29:56.0390 0320 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

13:29:56.0593 0320 NIC1394 - ok

13:29:56.0640 0320 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

13:29:56.0812 0320 Npfs - ok

13:29:56.0890 0320 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

13:29:57.0109 0320 Ntfs - ok

13:29:57.0187 0320 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

13:29:57.0390 0320 Null - ok

13:29:57.0546 0320 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

13:29:57.0921 0320 nv - ok

13:29:58.0046 0320 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

13:29:58.0296 0320 NwlnkFlt - ok

13:29:58.0328 0320 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

13:29:58.0578 0320 NwlnkFwd - ok

13:29:58.0625 0320 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

13:29:58.0812 0320 ohci1394 - ok

13:29:59.0343 0320 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys

13:29:59.0515 0320 P3 - ok

13:29:59.0578 0320 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

13:29:59.0765 0320 Parport - ok

13:29:59.0875 0320 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

13:30:00.0046 0320 PartMgr - ok

13:30:00.0093 0320 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

13:30:00.0312 0320 ParVdm - ok

13:30:00.0437 0320 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

13:30:00.0625 0320 PCI - ok

13:30:00.0656 0320 PCIDump - ok

13:30:00.0687 0320 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

13:30:00.0906 0320 PCIIde - ok

13:30:00.0953 0320 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

13:30:01.0156 0320 Pcmcia - ok

13:30:01.0343 0320 PDCOMP - ok

13:30:01.0421 0320 PDFRAME - ok

13:30:01.0453 0320 PDRELI - ok

13:30:01.0484 0320 PDRFRAME - ok

13:30:01.0562 0320 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

13:30:01.0765 0320 perc2 - ok

13:30:01.0796 0320 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

13:30:02.0000 0320 perc2hib - ok

13:30:02.0093 0320 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

13:30:02.0281 0320 PptpMiniport - ok

13:30:02.0468 0320 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

13:30:02.0671 0320 PSched - ok

13:30:02.0765 0320 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

13:30:02.0968 0320 Ptilink - ok

13:30:03.0046 0320 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

13:30:03.0234 0320 ql1080 - ok

13:30:03.0265 0320 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

13:30:03.0468 0320 Ql10wnt - ok

13:30:03.0531 0320 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

13:30:03.0718 0320 ql12160 - ok

13:30:03.0750 0320 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

13:30:03.0953 0320 ql1240 - ok

13:30:03.0968 0320 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

13:30:04.0156 0320 ql1280 - ok

13:30:04.0250 0320 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

13:30:04.0453 0320 RasAcd - ok

13:30:04.0546 0320 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

13:30:04.0734 0320 Rasl2tp - ok

13:30:04.0812 0320 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

13:30:05.0000 0320 RasPppoe - ok

13:30:05.0046 0320 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

13:30:05.0281 0320 Raspti - ok

13:30:05.0343 0320 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

13:30:05.0609 0320 Rdbss - ok

13:30:05.0687 0320 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

13:30:05.0968 0320 RDPCDD - ok

13:30:06.0187 0320 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

13:30:06.0515 0320 rdpdr - ok

13:30:06.0625 0320 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

13:30:06.0687 0320 RDPWD - ok

13:30:06.0781 0320 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

13:30:06.0953 0320 redbook - ok

13:30:07.0046 0320 RTL8023xp (e9877aa069dc11b03dbd1d33b8b2a3ca) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys

13:30:07.0078 0320 RTL8023xp - ok

13:30:07.0218 0320 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

13:30:07.0421 0320 Secdrv - ok

13:30:07.0500 0320 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

13:30:07.0687 0320 serenum - ok

13:30:07.0781 0320 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

13:30:07.0953 0320 Serial - ok

13:30:08.0078 0320 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

13:30:08.0250 0320 Sfloppy - ok

13:30:08.0312 0320 Simbad - ok

13:30:08.0375 0320 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

13:30:08.0578 0320 sisagp - ok

13:30:08.0687 0320 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

13:30:08.0812 0320 Sparrow - ok

13:30:08.0890 0320 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

13:30:09.0062 0320 splitter - ok

13:30:09.0203 0320 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

13:30:09.0390 0320 sr - ok

13:30:09.0453 0320 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

13:30:09.0546 0320 Srv - ok

13:30:09.0687 0320 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

13:30:09.0703 0320 ssmdrv - ok

13:30:09.0781 0320 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

13:30:09.0953 0320 swenum - ok

13:30:10.0031 0320 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

13:30:10.0203 0320 swmidi - ok

13:30:10.0375 0320 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

13:30:10.0562 0320 symc810 - ok

13:30:10.0609 0320 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

13:30:10.0796 0320 symc8xx - ok

13:30:10.0843 0320 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

13:30:11.0187 0320 sym_hi - ok

13:30:11.0218 0320 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

13:30:11.0421 0320 sym_u3 - ok

13:30:11.0468 0320 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

13:30:11.0656 0320 sysaudio - ok

13:30:11.0796 0320 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

13:30:11.0890 0320 Tcpip - ok

13:30:11.0937 0320 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

13:30:12.0156 0320 TDPIPE - ok

13:30:12.0250 0320 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

13:30:12.0468 0320 TDTCP - ok

13:30:12.0531 0320 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

13:30:12.0718 0320 TermDD - ok

13:30:12.0843 0320 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

13:30:13.0046 0320 TosIde - ok

13:30:13.0093 0320 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

13:30:13.0312 0320 Udfs - ok

13:30:13.0484 0320 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

13:30:13.0578 0320 ultra - ok

13:30:13.0656 0320 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

13:30:13.0875 0320 Update - ok

13:30:14.0000 0320 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

13:30:14.0187 0320 usbccgp - ok

13:30:14.0250 0320 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

13:30:14.0437 0320 usbehci - ok

13:30:14.0546 0320 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

13:30:14.0734 0320 usbhub - ok

13:30:14.0796 0320 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

13:30:14.0984 0320 usbohci - ok

13:30:15.0062 0320 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

13:30:15.0250 0320 usbprint - ok

13:30:15.0281 0320 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

13:30:15.0468 0320 usbscan - ok

13:30:15.0515 0320 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

13:30:15.0718 0320 USBSTOR - ok

13:30:15.0750 0320 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

13:30:15.0953 0320 usbuhci - ok

13:30:16.0046 0320 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

13:30:16.0218 0320 VgaSave - ok

13:30:16.0281 0320 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

13:30:16.0453 0320 viaagp - ok

13:30:16.0484 0320 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

13:30:16.0687 0320 ViaIde - ok

13:30:16.0828 0320 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

13:30:17.0015 0320 VolSnap - ok

13:30:17.0093 0320 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

13:30:17.0281 0320 Wanarp - ok

13:30:17.0359 0320 wanatw - ok

13:30:17.0406 0320 WDICA - ok

13:30:17.0453 0320 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

13:30:17.0640 0320 wdmaud - ok

13:30:17.0750 0320 winachsf (59d043485a6eda2ed2685c81489ae5bd) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

13:30:17.0828 0320 winachsf - ok

13:30:18.0000 0320 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

13:30:18.0203 0320 WS2IFSL - ok

13:30:18.0281 0320 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

13:30:18.0375 0320 WudfPf - ok

13:30:18.0453 0320 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

13:30:18.0515 0320 WudfRd - ok

13:30:18.0593 0320 MBR (0x1B8) (b20939cd98b7710036274839082ae757) \Device\Harddisk0\DR0

13:30:18.0656 0320 \Device\Harddisk0\DR0 - ok

13:30:18.0687 0320 Boot (0x1200) (024c066480f4dd930855c37df1592739) \Device\Harddisk0\DR0\Partition0

13:30:18.0687 0320 \Device\Harddisk0\DR0\Partition0 - ok

13:30:18.0703 0320 Boot (0x1200) (8a476eb8b51ddac82ebfdd9cf09ebcc0) \Device\Harddisk0\DR0\Partition1

13:30:18.0703 0320 \Device\Harddisk0\DR0\Partition1 - ok

13:30:18.0703 0320 ============================================================

13:30:18.0703 0320 Scan finished

13:30:18.0703 0320 ============================================================

13:30:18.0828 3992 Detected object count: 4

13:30:18.0828 3992 Actual detected object count: 4

13:32:02.0328 3992 ASCTRM ( UnsignedFile.Multi.Generic ) - skipped by user

13:32:02.0328 3992 ASCTRM ( UnsignedFile.Multi.Generic ) - User select action: Skip

13:32:02.0328 3992 Haspnt ( UnsignedFile.Multi.Generic ) - skipped by user

13:32:02.0328 3992 Haspnt ( UnsignedFile.Multi.Generic ) - User select action: Skip

13:32:02.0343 3992 MREMP50 ( UnsignedFile.Multi.Generic ) - skipped by user

13:32:02.0343 3992 MREMP50 ( UnsignedFile.Multi.Generic ) - User select action: Skip

13:32:02.0343 3992 MRESP50 ( UnsignedFile.Multi.Generic ) - skipped by user

13:32:02.0343 3992 MRESP50 ( UnsignedFile.Multi.Generic ) - User select action: Skip

13:33:51.0526 2068 Deinitialize success

[MrCharlie]

Those files are OK, just unsigned.

Continue on with system restore. MrC

[Ndhlp]

O.K. Thanks!

[Ndhlp]

No luck with System Restore. I got this message again.

Your computer cannot be restored to (whatever date we try)

No changes have been made to your computer.

To chose another restore point restart System Restore.

I may not get back to this computer til tomorrow. Thank you again for your help. This is drving me nuts!

[MrCharlie]

Do........

Method 4: View the event logs to investigate System Restore service errors

Link below:

http://support.microsoft.com/kb/302796

Let me know, and you can also look through the rest of them.

MrC

[Ndhlp]

Hello again and thank you for again your help. The only System Restore errors that showed were for the probable date of the infection, the day after, and when I tried System Restore yesterday. There was no record of anything in the Even Viewer for System Restore when I ran it on 3 March and posted a failure.

There were two errors for one of the restore point dates I tried but I think that may be related to when I disconnected from the internet as I had disabled Avira prior to running System Restore. (see logs for this and the above).

Event Type: Error

Event Source: SRService

Event Category: None

Event ID: 104

Date: 2/24/2012

Time: 5:14:35 PM

User: N/A

Computer: YOUR-5E03CF73DE

Description:

The System Restore initialization process failed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Data:

0000: 05 00 00 00 ....

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7000

Date: 2/20/2012

Time: 12:40:42 AM

User: N/A

Computer: YOUR-5E03CF73DE

Description:

The lxecCATSCustConnectService service failed to start due to the following error:

The service did not respond to the start or control request in a timely fashion.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7009

Date: 2/20/2012

Time: 12:40:42 AM

User: N/A

Computer: YOUR-5E03CF73DE

Description:

Timeout (30000 milliseconds) waiting for the lxecCATSCustConnectService service to connect.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Information

Event Source: SRService

Event Category: None

Event ID: 111

Date: 3/6/2012

Time: 1:56:33 PM

User: N/A

Computer: YOUR-5E03CF73DE

Description:

A restoration to "Software Distribution Service 3.0" restore point failed. No changes have been made to the system.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

According to diskmgmt.msc the C: drive has 128.86 GB free and the D: drive has 5.08. The D drive is listed as a local disk on their computer. But if System Restore failed due to lack of space on the D, wouldn't it show an error relating to that?

Sorry to sound like a doofus, but at this point I would rather have someone say, "Well duh. I can't believe you missed..." and point a glaring error out to me because at least this darn thing would be fixed. Thanks again for your help!

[Ndhlp]

I don't know if this will help but in poking around the Event Viewer I noticed that this trojan was found on several occasions by Avira and put into quarantine starting on 06 Feb which was way before they started having problems.

Beginning disinfection:

C:\Documents and Settings\All Users\Application Data\~17424164

[DETECTION] Is the TR/Fakealert.grb.174 Trojan

[NOTE] The file was moved to the quarantine directory under the name '4ccb1d86.qua'.

Begin scan in 'C:\Documents and Settings\Owner\Local Settings\temp\hdd32.exe'

C:\Documents and Settings\Owner\Local Settings\temp\hdd32.exe

[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

[NOTE] The file was moved to the quarantine directory under the name '4c3f7cb4.qua'.

The Crypt.XPACK.Gen Trojan came up on the 24th of Feb as well.

What do you think about trying a restore point prior to 07 Feb?