
Rootkit/Trojan Cleanup



Removed 0.Access.H, rootkit and trojans Agent, Ransom, Medhos and Dropper via MBAM, but I have a huge volume of packet traffic on Ethernet whenever ANY browser is operating.

Waiting for your advice on cleanup.

Here are my DDS reports:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by PKI at 11:09:51 on 2012-04-25

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1619 [GMT -5:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\EeePC\ACPI\AsTray.exe

C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\EeePC\ACPI\AsEPCMon.exe

C:\Program Files\Elantech\ETDCtrl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe

mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe

mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe

mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe

IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll

LSP: mswsock.dll

DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB

DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262744045703

DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} - hxxp://utilities.pcpitstop.com/Exterminate2/pcpitstopAntiVirus.dll

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259547613218

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam.wyc.org/activex/AMC.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{34474385-B11B-4D43-87A0-097FE003BC6B} : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{3C18C5E7-98F1-471F-A486-8BC065C591C6} : NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{3C18C5E7-98F1-471F-A486-8BC065C591C6} : DhcpNameServer = 192.168.1.1

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

.

============= SERVICES / DRIVERS ===============

.

S3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [2011-3-3 1714176]

S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-4-23 32072]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]

S3 NWVMModem;Virgin Mobile USB Modem Driver;c:\windows\system32\drivers\nwvmmdm.sys [2009-5-15 174720]

S3 NWVMPort;Virgin Mobile USB Status Port Driver;c:\windows\system32\drivers\nwvmser.sys [2009-5-15 174720]

S3 NWVMPort2;Virgin Mobile USB Status2 Port Driver;c:\windows\system32\drivers\nwvmser2.sys [2009-5-15 174720]

S4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-8 253088]

S4 NvtlService;NovaCore SDK Service;c:\program files\novatel wireless\novacore\server\NvtlSrvr.exe [2009-8-24 82432]

.

=============== Created Last 30 ================

.

2012-04-24 14:34:30 -------- d-sh--r- C:\cmdcons

2012-04-24 14:34:28 -------- d-----w- c:\windows\setup.pss

2012-04-23 23:21:49 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-04-20 13:12:35 -------- d-----w- c:\program files\ESET

2012-04-15 12:43:14 -------- d-----w- c:\documents and settings\pki\application data\QuickScan

2012-04-14 13:03:33 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-13 21:20:48 -------- d-----w- c:\windows\system32\DBBK

2012-04-13 17:26:59 -------- d-----w- C:\TDSSKiller_Quarantine

2012-04-13 02:56:04 -------- d-----w- c:\documents and settings\pki\application data\Malwarebytes

2012-04-13 02:55:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-13 02:55:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-12 23:29:56 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-04-12 23:27:46 -------- d-----w- c:\documents and settings\all users\application data\529C50A8000023CA0000260AD151FC84

2012-04-12 01:15:45 -------- d-----w- c:\windows\system32\wbem\repository\FS

2012-04-12 01:15:45 -------- d-----w- c:\windows\system32\wbem\Repository

2012-04-12 00:54:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-04-08 20:48:49 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

==================== Find3M ====================

.

2012-04-14 13:02:55 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-14 12:08:07 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-13 17:31:14 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-03-01 11:01:32 916992 ----a-w- c:\windows\system32\wininet.dll

2012-03-01 11:01:32 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-03-01 11:01:32 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-02-29 14:10:16 177664 ----a-w- c:\windows\system32\wintrust.dll

2012-02-29 14:10:16 148480 ----a-w- c:\windows\system32\imagehlp.dll

2012-02-29 12:17:40 385024 ----a-w- c:\windows\system32\html.iec

2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys

2008-05-07 08:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe

.

============= FINISH: 11:10:23.20 ===============

attach.txt

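As an added example (not part of this thread, and not code from Malwarebytes or the DDS tool), here is a small Python triage script that reads the "Pseudo HJT Report" section of a DDS log like the one posted above and flags the entries a helper looks at first: browser add-ons whose DLL is missing ("No File"), downloaded ActiveX controls (DPF), an MSConfig /auto autostart, and interfaces whose static DNS servers differ from what DHCP handed out. The sample input is copied from the report above; the entry-format assumptions (a "TAG:" prefix per line, the "Interfaces\{GUID} : NameServer = ..." shape of the TCP lines) are mine, based on what the log shows, and the wording of each finding is my own.

```python
import re
from dataclasses import dataclass

# Lines copied from the "Pseudo HJT Report" section of the DDS log posted
# above (taken from the thread, not constructed).
SAMPLE_DDS = r"""
uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: 1 (0x1) - No File
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{34474385-B11B-4D43-87A0-097FE003BC6B} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{3C18C5E7-98F1-471F-A486-8BC065C591C6} : NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{3C18C5E7-98F1-471F-A486-8BC065C591C6} : DhcpNameServer = 192.168.1.1
LSP: mswsock.dll
"""


@dataclass
class Finding:
    entry: str    # the log line (or interface) the finding refers to
    reason: str   # why a helper would look at it


# DDS prefixes each entry with a tag ("BHO:", "mRun:", "TCP:", ...); this
# regex splits the tag from the rest of the line (assumed format).
TAGGED = re.compile(r"^([A-Za-z0-9]+):\s*(.*)$")
# Shape of the TCP lines as they appear in the log above (assumed format).
DNS = re.compile(r"(?:Interfaces\\(\{[0-9A-Fa-f-]+\})\s*:\s*)?(DhcpNameServer|NameServer)\s*=\s*(.+)$")


def parse_entries(text):
    """Yield (tag, rest, line) for every tagged line; DDS's '.' spacer lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = TAGGED.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(text):
    """Return the review-worthy entries of a DDS Pseudo HJT section as Finding objects."""
    findings = []
    dhcp_dns = set()   # resolvers handed out by DHCP (here the router)
    static_dns = {}    # interface GUID -> resolvers configured statically
    for tag, rest, line in parse_entries(text):
        if tag in ("BHO", "TB") and rest.endswith("No File"):
            findings.append(Finding(line, "browser add-on registered but its DLL is gone: orphaned entry"))
        elif tag == "DPF":
            findings.append(Finding(line, "downloaded ActiveX control: confirm the source is one the user recognises"))
        elif tag in ("uRun", "mRun") and "msconfig.exe" in rest.lower():
            findings.append(Finding(line, "MSConfig /auto at logon: the machine is in Selective Startup"))
        elif tag == "TCP":
            m = DNS.match(rest)
            if m:
                iface, key, servers = m.groups()
                resolvers = [s.strip() for s in servers.split(",")]
                if key == "DhcpNameServer":
                    dhcp_dns.update(resolvers)
                else:
                    static_dns[iface] = resolvers
    # A static resolver that is not what DHCP supplies is how DNS-changing
    # malware redirects traffic; it is also how people opt into a public
    # resolver, so it is a question for the user, not an automatic verdict.
    for iface, resolvers in static_dns.items():
        if dhcp_dns and not set(resolvers) <= dhcp_dns:
            findings.append(Finding(
                f"Interface {iface}",
                f"static DNS {','.join(resolvers)} overrides DHCP DNS {','.join(sorted(dhcp_dns))}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.reason}\n    {f.entry}")
```

Run as-is it reports six findings from the pasted log: the two "No File" BHOs, the PCPitStop DPF control, the MSConfig /auto entry, and both interfaces whose static DNS (208.67.222.222 and 208.67.220.220, OpenDNS's public resolvers) differs from the router's 192.168.1.1. The DNS check is the one most relevant to the "traffic whenever a browser runs" complaint, which is why it compares against the DHCP value rather than hard-coding a list of bad addresses.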

  • Staff

Hi,

Please do the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
    • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
    • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

NEXT

Please download TDSSKiller.zip

  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • When the window opens, click on Change Parameters
  • Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • Click OK
  • Press Start Scan
    • As we are only looking for a log of what is on the machine right now, choose to skip whatever is found
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


Hey, C-B

Thx for your response.... TDSS found nothing so did not reboot... should I reboot?

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-04-25 18:09:00

-----------------------------

18:09:00.312 OS Version: Windows 5.1.2600 Service Pack 3

18:09:00.312 Number of processors: 1 586 0xD08

18:09:00.312 ComputerName: WEEE UserName: PKI

18:09:01.968 Initialize success

18:12:13.265 AVAST engine defs: 12042501

18:12:19.187 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

18:12:19.187 Disk 0 Vendor: ST9160310AS 0303 Size: 152627MB BusType: 3

18:12:20.546 Disk 0 MBR read successfully

18:12:20.546 Disk 0 MBR scan

18:12:20.781 Disk 0 Windows XP default MBR code

18:12:20.781 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 81940 MB offset 63

18:12:20.812 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 70653 MB offset 167814990

18:12:20.859 Disk 0 Partition 3 00 EF EFI FAT B 31 MB offset 312512445

18:12:20.875 Disk 0 scanning sectors +312576705

18:12:21.062 Disk 0 scanning C:\WINDOWS\system32\drivers

18:12:41.000 Service scanning

18:13:12.890 Modules scanning

18:13:26.484 Disk 0 trace - called modules:

18:13:27.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys

18:13:27.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89df1ab8]

18:13:27.265 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000065[0x89df29e8]

18:13:27.281 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89dd6940]

18:13:28.718 AVAST engine scan C:\WINDOWS

18:13:43.187 AVAST engine scan C:\WINDOWS\system32

18:18:25.234 AVAST engine scan C:\WINDOWS\system32\drivers

18:18:45.875 AVAST engine scan C:\Documents and Settings\PKI

18:25:21.250 AVAST engine scan C:\Documents and Settings\All Users

18:25:34.640 Scan finished successfully

18:25:47.921 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\PKI\Desktop\MBR.dat"

18:25:47.937 The log file has been saved successfully to "C:\Documents and Settings\PKI\Desktop\aswMBR.txt"

18:31:25.0515 4052 TDSS rootkit removing tool 2.7.33.0 Apr 24 2012 18:43:43

18:31:25.0953 4052 ============================================================

18:31:25.0953 4052 Current date / time: 2012/04/25 18:31:25.0953

18:31:25.0953 4052 SystemInfo:

18:31:25.0953 4052

18:31:25.0953 4052 OS Version: 5.1.2600 ServicePack: 3.0

18:31:25.0953 4052 Product type: Workstation

18:31:25.0953 4052 ComputerName: WEEE

18:31:25.0953 4052 UserName: PKI

18:31:25.0953 4052 Windows directory: C:\WINDOWS

18:31:25.0953 4052 System windows directory: C:\WINDOWS

18:31:25.0953 4052 Processor architecture: Intel x86

18:31:25.0953 4052 Number of processors: 1

18:31:25.0953 4052 Page size: 0x1000

18:31:25.0953 4052 Boot type: Normal boot

18:31:25.0953 4052 ============================================================

18:31:29.0234 4052 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

18:31:29.0250 4052 ============================================================

18:31:29.0250 4052 \Device\Harddisk0\DR0:

18:31:29.0250 4052 MBR partitions:

18:31:29.0250 4052 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xA00A70F

18:31:29.0250 4052 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xA00A74E, BlocksNum 0x89FE86F

18:31:29.0250 4052 ============================================================

18:31:29.0312 4052 C: <-> \Device\Harddisk0\DR0\Partition0

18:31:29.0375 4052 D: <-> \Device\Harddisk0\DR0\Partition1

18:31:29.0375 4052 ============================================================

18:31:29.0375 4052 Initialize success

18:31:29.0375 4052 ============================================================

18:31:47.0500 1116 ============================================================

18:31:47.0500 1116 Scan started

18:31:47.0500 1116 Mode: Manual; TDLFS;

18:31:47.0500 1116 ============================================================

18:31:48.0890 1116 6to4 (c07d5197410aab28d0d93f943f59656d) C:\WINDOWS\System32\6to4svc.dll

18:31:48.0890 1116 6to4 - ok

18:31:48.0937 1116 Abiosdsk - ok

18:31:48.0953 1116 abp480n5 - ok

18:31:49.0078 1116 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

18:31:49.0109 1116 ACPI - ok

18:31:49.0156 1116 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

18:31:49.0156 1116 ACPIEC - ok

18:31:49.0328 1116 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe

18:31:49.0328 1116 AdobeFlashPlayerUpdateSvc - ok

18:31:49.0343 1116 adpu160m - ok

18:31:49.0437 1116 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

18:31:49.0468 1116 aec - ok

18:31:49.0562 1116 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys

18:31:49.0562 1116 AFD - ok

18:31:49.0578 1116 Aha154x - ok

18:31:49.0593 1116 aic78u2 - ok

18:31:49.0609 1116 aic78xx - ok

18:31:49.0625 1116 ALABULK - ok

18:31:49.0671 1116 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll

18:31:49.0671 1116 Alerter - ok

18:31:49.0718 1116 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe

18:31:49.0718 1116 ALG - ok

18:31:49.0734 1116 AliIde - ok

18:31:49.0750 1116 amsint - ok

18:31:49.0765 1116 AppMgmt - ok

18:31:49.0984 1116 AR5211 (6d5f95602b8d0d994d31a864872b38ef) C:\WINDOWS\system32\DRIVERS\ar5211.sys

18:31:50.0000 1116 AR5211 - ok

18:31:50.0625 1116 AR9271 (8e2257584b2c52d44b4cb1949947d885) C:\WINDOWS\system32\DRIVERS\athuw.sys

18:31:50.0656 1116 AR9271 - ok

18:31:50.0906 1116 asc - ok

18:31:50.0921 1116 asc3350p - ok

18:31:50.0937 1116 asc3550 - ok

18:31:51.0093 1116 aspnet_state (e1a1206a4fb19b675e947b29ccd25fba) C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe

18:31:51.0109 1116 aspnet_state - ok

18:31:51.0156 1116 AsusACPI (784fcb197f9a50a419d8ce4980655ae4) C:\WINDOWS\system32\DRIVERS\ASUSACPI.sys

18:31:51.0156 1116 AsusACPI - ok

18:31:51.0203 1116 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

18:31:51.0218 1116 AsyncMac - ok

18:31:51.0296 1116 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

18:31:51.0296 1116 atapi - ok

18:31:51.0312 1116 Atdisk - ok

18:31:51.0359 1116 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

18:31:51.0359 1116 Atmarpc - ok

18:31:51.0421 1116 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll

18:31:51.0421 1116 AudioSrv - ok

18:31:51.0468 1116 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

18:31:51.0468 1116 audstub - ok

18:31:51.0500 1116 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

18:31:51.0500 1116 Beep - ok

18:31:51.0687 1116 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll

18:31:51.0812 1116 BITS - ok

18:31:51.0859 1116 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll

18:31:51.0875 1116 Browser - ok

18:31:51.0906 1116 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

18:31:51.0906 1116 cbidf2k - ok

18:31:51.0953 1116 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

18:31:51.0953 1116 CCDECODE - ok

18:31:51.0968 1116 cd20xrnt - ok

18:31:52.0015 1116 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

18:31:52.0015 1116 Cdaudio - ok

18:31:52.0062 1116 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

18:31:52.0062 1116 Cdfs - ok

18:31:52.0140 1116 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

18:31:52.0140 1116 Cdrom - ok

18:31:52.0156 1116 Changer - ok

18:31:52.0203 1116 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe

18:31:52.0203 1116 CiSvc - ok

18:31:52.0234 1116 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe

18:31:52.0234 1116 ClipSrv - ok

18:31:52.0296 1116 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

18:31:52.0296 1116 CmBatt - ok

18:31:52.0312 1116 CmdIde - ok

18:31:52.0375 1116 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

18:31:52.0375 1116 Compbatt - ok

18:31:52.0390 1116 COMSysApp - ok

18:31:52.0406 1116 Cpqarray - ok

18:31:52.0484 1116 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys

18:31:52.0484 1116 cpudrv - ok

18:31:52.0562 1116 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll

18:31:52.0562 1116 CryptSvc - ok

18:31:52.0593 1116 dac2w2k - ok

18:31:52.0609 1116 dac960nt - ok

18:31:52.0781 1116 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll

18:31:52.0937 1116 DcomLaunch - ok

18:31:53.0046 1116 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll

18:31:53.0062 1116 Dhcp - ok

18:31:53.0109 1116 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

18:31:53.0109 1116 Disk - ok

18:31:53.0109 1116 dmadmin - ok

18:31:53.0437 1116 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

18:31:53.0656 1116 dmboot - ok

18:31:53.0781 1116 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

18:31:53.0828 1116 dmio - ok

18:31:53.0890 1116 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

18:31:53.0890 1116 dmload - ok

18:31:53.0921 1116 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll

18:31:53.0937 1116 dmserver - ok

18:31:54.0000 1116 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

18:31:54.0000 1116 DMusic - ok

18:31:54.0046 1116 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll

18:31:54.0046 1116 Dnscache - ok

18:31:54.0140 1116 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll

18:31:54.0140 1116 Dot3svc - ok

18:31:54.0156 1116 dpti2o - ok

18:31:54.0187 1116 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

18:31:54.0187 1116 drmkaud - ok

18:31:54.0203 1116 dwmrcs - ok

18:31:54.0250 1116 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll

18:31:54.0250 1116 EapHost - ok

18:31:54.0296 1116 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll

18:31:54.0312 1116 ERSvc - ok

18:31:54.0390 1116 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe

18:31:54.0406 1116 Eventlog - ok

18:31:54.0531 1116 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll

18:31:54.0593 1116 EventSystem - ok

18:31:54.0687 1116 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

18:31:54.0734 1116 Fastfat - ok

18:31:54.0812 1116 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll

18:31:54.0812 1116 FastUserSwitchingCompatibility - ok

18:31:54.0875 1116 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

18:31:54.0875 1116 Fdc - ok

18:31:54.0921 1116 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

18:31:54.0921 1116 Fips - ok

18:31:54.0968 1116 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

18:31:54.0968 1116 Flpydisk - ok

18:31:55.0046 1116 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

18:31:55.0062 1116 FltMgr - ok

18:31:55.0109 1116 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

18:31:55.0109 1116 Fs_Rec - ok

18:31:55.0203 1116 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

18:31:55.0234 1116 Ftdisk - ok

18:31:55.0281 1116 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

18:31:55.0281 1116 Gpc - ok

18:31:55.0359 1116 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

18:31:55.0390 1116 HDAudBus - ok

18:31:55.0500 1116 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll

18:31:55.0500 1116 helpsvc - ok

18:31:55.0500 1116 HidServ - ok

18:31:55.0546 1116 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

18:31:55.0546 1116 HidUsb - ok

18:31:55.0625 1116 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll

18:31:55.0625 1116 hkmsvc - ok

18:31:55.0640 1116 hpn - ok

18:31:55.0781 1116 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

18:31:55.0859 1116 HTTP - ok

18:31:55.0906 1116 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll

18:31:55.0906 1116 HTTPFilter - ok

18:31:55.0921 1116 i2omgmt - ok

18:31:55.0937 1116 i2omp - ok

18:31:56.0000 1116 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

18:31:56.0000 1116 i8042prt - ok

18:31:56.0453 1116 ialm (6fcb904910da07c9dc2593d66438fa29) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

18:31:56.0468 1116 ialm - ok

18:31:56.0531 1116 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

18:31:56.0531 1116 Imapi - ok

18:31:56.0625 1116 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe

18:31:56.0656 1116 ImapiService - ok

18:31:56.0671 1116 ini910u - ok

18:31:58.0375 1116 IntcAzAudAddService (47c79f7e330cbb829934d00f64d55fc9) C:\WINDOWS\system32\drivers\RtkHDAud.sys

18:31:58.0437 1116 IntcAzAudAddService - ok

18:31:58.0718 1116 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

18:31:58.0718 1116 IntelIde - ok

18:31:58.0781 1116 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

18:31:58.0781 1116 intelppm - ok

18:31:58.0843 1116 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

18:31:58.0843 1116 Ip6Fw - ok

18:31:58.0890 1116 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

18:31:58.0890 1116 IpFilterDriver - ok

18:31:58.0906 1116 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

18:31:58.0906 1116 IpInIp - ok

18:31:59.0000 1116 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

18:31:59.0031 1116 IpNat - ok

18:31:59.0109 1116 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

18:31:59.0109 1116 IPSec - ok

18:31:59.0156 1116 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

18:31:59.0156 1116 IRENUM - ok

18:31:59.0234 1116 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

18:31:59.0234 1116 isapnp - ok

18:31:59.0265 1116 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

18:31:59.0265 1116 Kbdclass - ok

18:31:59.0375 1116 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

18:31:59.0375 1116 kmixer - ok

18:31:59.0453 1116 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

18:31:59.0453 1116 KSecDD - ok

18:31:59.0500 1116 Ktp (9ea9d6ba04629cb14260f46ff8bbd65a) C:\WINDOWS\system32\DRIVERS\ETD.sys

18:31:59.0500 1116 Ktp - ok

18:31:59.0546 1116 L1e (303627228dd739d98289679901a38c8f) C:\WINDOWS\system32\DRIVERS\l1e51x86.sys

18:31:59.0546 1116 L1e - ok

18:31:59.0609 1116 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll

18:31:59.0625 1116 LanmanServer - ok

18:31:59.0703 1116 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll

18:31:59.0734 1116 lanmanworkstation - ok

18:31:59.0750 1116 lbrtfdc - ok

18:31:59.0828 1116 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll

18:31:59.0828 1116 LmHosts - ok

18:31:59.0890 1116 mbamchameleon (e0e22c8a2c5528919c45b834ca68e5ef) C:\WINDOWS\system32\drivers\mbamchameleon.sys

18:31:59.0890 1116 mbamchameleon - ok

18:31:59.0921 1116 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll

18:31:59.0937 1116 Messenger - ok

18:31:59.0984 1116 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

18:31:59.0984 1116 mnmdd - ok

18:32:00.0031 1116 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe

18:32:00.0046 1116 mnmsrvc - ok

18:32:00.0093 1116 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

18:32:00.0093 1116 Modem - ok

18:32:00.0140 1116 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

18:32:00.0140 1116 Mouclass - ok

18:32:00.0203 1116 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

18:32:00.0203 1116 mouhid - ok

18:32:00.0250 1116 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

18:32:00.0250 1116 MountMgr - ok

18:32:00.0265 1116 mraid35x - ok

18:32:00.0281 1116 MREMP50 - ok

18:32:00.0390 1116 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

18:32:00.0437 1116 MRxDAV - ok

18:32:00.0625 1116 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

18:32:00.0625 1116 MRxSmb - ok

18:32:00.0687 1116 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe

18:32:00.0687 1116 MSDTC - ok

18:32:00.0750 1116 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

18:32:00.0750 1116 Msfs - ok

18:32:00.0750 1116 MSFWDrv - ok

18:32:00.0765 1116 MSIServer - ok

18:32:00.0812 1116 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

18:32:00.0812 1116 MSKSSRV - ok

18:32:00.0890 1116 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

18:32:00.0890 1116 MSPCLOCK - ok

18:32:00.0906 1116 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

18:32:00.0906 1116 MSPQM - ok

18:32:00.0968 1116 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

18:32:00.0968 1116 mssmbios - ok

18:32:01.0015 1116 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

18:32:01.0015 1116 MSTEE - ok

18:32:01.0093 1116 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

18:32:01.0109 1116 Mup - ok

18:32:01.0187 1116 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

18:32:01.0187 1116 NABTSFEC - ok

18:32:01.0343 1116 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll

18:32:01.0343 1116 napagent - ok

18:32:01.0421 1116 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

18:32:01.0468 1116 NDIS - ok

18:32:01.0500 1116 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

18:32:01.0500 1116 NdisIP - ok

18:32:01.0546 1116 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

18:32:01.0546 1116 NdisTapi - ok

18:32:01.0609 1116 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

18:32:01.0609 1116 Ndisuio - ok

18:32:01.0703 1116 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

18:32:01.0718 1116 NdisWan - ok

18:32:01.0781 1116 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

18:32:01.0781 1116 NDProxy - ok

18:32:01.0828 1116 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

18:32:01.0828 1116 NetBIOS - ok

18:32:01.0937 1116 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

18:32:01.0968 1116 NetBT - ok

18:32:02.0031 1116 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe

18:32:02.0046 1116 NetDDE - ok

18:32:02.0062 1116 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe

18:32:02.0078 1116 NetDDEdsdm - ok

18:32:02.0109 1116 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

18:32:02.0109 1116 Netlogon - ok

18:32:02.0250 1116 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll

18:32:02.0281 1116 Netman - ok

18:32:02.0406 1116 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll

18:32:02.0421 1116 Nla - ok

18:32:02.0437 1116 NMSCFG - ok

18:32:02.0484 1116 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys

18:32:02.0484 1116 NPF - ok

18:32:02.0531 1116 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

18:32:02.0531 1116 Npfs - ok

18:32:02.0765 1116 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

18:32:02.0937 1116 Ntfs - ok

18:32:02.0984 1116 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

18:32:02.0984 1116 NtLmSsp - ok

18:32:03.0171 1116 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll

18:32:03.0203 1116 NtmsSvc - ok

18:32:03.0265 1116 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

18:32:03.0265 1116 Null - ok

18:32:03.0406 1116 NvtlService (23e6a6a7d4930b70d9fffd371450ef1c) C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe

18:32:03.0437 1116 NvtlService - ok

18:32:03.0500 1116 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

18:32:03.0500 1116 NwlnkFlt - ok

18:32:03.0531 1116 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

18:32:03.0531 1116 NwlnkFwd - ok

18:32:03.0625 1116 NWVMModem (b7112f30d7eff4b5052eba879f46228f) C:\WINDOWS\system32\DRIVERS\nwvmmdm.sys

18:32:03.0625 1116 NWVMModem - ok

18:32:03.0703 1116 NWVMPort (b7112f30d7eff4b5052eba879f46228f) C:\WINDOWS\system32\DRIVERS\nwvmser.sys

18:32:03.0703 1116 NWVMPort - ok

18:32:03.0812 1116 NWVMPort2 (b7112f30d7eff4b5052eba879f46228f) C:\WINDOWS\system32\DRIVERS\nwvmser2.sys

18:32:03.0828 1116 NWVMPort2 - ok

18:32:03.0906 1116 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

18:32:03.0906 1116 Parport - ok

18:32:03.0953 1116 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

18:32:03.0953 1116 PartMgr - ok

18:32:04.0000 1116 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

18:32:04.0000 1116 ParVdm - ok

18:32:04.0046 1116 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\PCASp50.sys

18:32:04.0046 1116 PCASp50 - ok

18:32:04.0125 1116 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

18:32:04.0125 1116 PCI - ok

18:32:04.0140 1116 PCIDump - ok

18:32:04.0203 1116 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys

18:32:04.0203 1116 PCIIde - ok

18:32:04.0296 1116 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

18:32:04.0312 1116 Pcmcia - ok

18:32:04.0328 1116 PDCOMP - ok

18:32:04.0343 1116 PDFRAME - ok

18:32:04.0359 1116 PDRELI - ok

18:32:04.0375 1116 PDRFRAME - ok

18:32:04.0390 1116 perc2 - ok

18:32:04.0406 1116 perc2hib - ok

18:32:04.0515 1116 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe

18:32:04.0515 1116 PlugPlay - ok

18:32:04.0562 1116 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

18:32:04.0578 1116 PolicyAgent - ok

18:32:04.0640 1116 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

18:32:04.0640 1116 PptpMiniport - ok

18:32:04.0656 1116 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

18:32:04.0656 1116 ProtectedStorage - ok

18:32:04.0718 1116 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

18:32:04.0718 1116 PSched - ok

18:32:04.0781 1116 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

18:32:04.0781 1116 Ptilink - ok

18:32:04.0796 1116 ql1080 - ok

18:32:04.0812 1116 Ql10wnt - ok

18:32:04.0828 1116 ql12160 - ok

18:32:04.0843 1116 ql1240 - ok

18:32:04.0859 1116 ql1280 - ok

18:32:04.0890 1116 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

18:32:04.0906 1116 RasAcd - ok

18:32:04.0953 1116 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll

18:32:04.0984 1116 RasAuto - ok

18:32:05.0046 1116 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

18:32:05.0046 1116 Rasl2tp - ok

18:32:05.0140 1116 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll

18:32:05.0187 1116 RasMan - ok

18:32:05.0250 1116 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

18:32:05.0250 1116 RasPppoe - ok

18:32:05.0281 1116 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

18:32:05.0281 1116 Raspti - ok

18:32:05.0390 1116 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

18:32:05.0421 1116 Rdbss - ok

18:32:05.0484 1116 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

18:32:05.0484 1116 RDPCDD - ok

18:32:05.0593 1116 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys

18:32:05.0609 1116 RDPWD - ok

18:32:05.0703 1116 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe

18:32:05.0734 1116 RDSessMgr - ok

18:32:05.0812 1116 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

18:32:05.0812 1116 redbook - ok

18:32:05.0875 1116 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll

18:32:05.0890 1116 RemoteAccess - ok

18:32:05.0984 1116 rpcapd (b60f58f175de20a6739194e85b035178) C:\Program Files\WinPcap\rpcapd.exe

18:32:06.0031 1116 rpcapd - ok

18:32:06.0078 1116 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe

18:32:06.0093 1116 RpcLocator - ok

18:32:06.0265 1116 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll

18:32:06.0281 1116 RpcSs - ok

18:32:06.0375 1116 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe

18:32:06.0375 1116 RSVP - ok

18:32:06.0421 1116 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

18:32:06.0421 1116 SamSs - ok

18:32:06.0500 1116 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe

18:32:06.0515 1116 SCardSvr - ok

18:32:06.0625 1116 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll

18:32:06.0671 1116 Schedule - ok

18:32:06.0687 1116 se45mdm - ok

18:32:06.0750 1116 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

18:32:06.0750 1116 Secdrv - ok

18:32:06.0796 1116 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll

18:32:06.0812 1116 seclogon - ok

18:32:06.0859 1116 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll

18:32:06.0859 1116 SENS - ok

18:32:06.0921 1116 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

18:32:06.0921 1116 Serial - ok

18:32:06.0968 1116 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

18:32:06.0968 1116 Sfloppy - ok

18:32:07.0125 1116 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll

18:32:07.0218 1116 SharedAccess - ok

18:32:07.0312 1116 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll

18:32:07.0312 1116 ShellHWDetection - ok

18:32:07.0328 1116 Simbad - ok

18:32:07.0390 1116 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

18:32:07.0390 1116 SLIP - ok

18:32:07.0406 1116 Sparrow - ok

18:32:07.0421 1116 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

18:32:07.0421 1116 splitter - ok

18:32:07.0484 1116 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe

18:32:07.0484 1116 Spooler - ok

18:32:07.0562 1116 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

18:32:07.0562 1116 sr - ok

18:32:07.0640 1116 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll

18:32:07.0687 1116 srservice - ok

18:32:07.0890 1116 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

18:32:07.0890 1116 Srv - ok

18:32:07.0953 1116 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll

18:32:07.0953 1116 SSDPSRV - ok

18:32:08.0156 1116 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll

18:32:08.0281 1116 stisvc - ok

18:32:08.0328 1116 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

18:32:08.0328 1116 streamip - ok

18:32:08.0375 1116 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

18:32:08.0375 1116 swenum - ok

18:32:08.0437 1116 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

18:32:08.0437 1116 swmidi - ok

18:32:08.0453 1116 SwPrv - ok

18:32:08.0468 1116 symc810 - ok

18:32:08.0484 1116 symc8xx - ok

18:32:08.0500 1116 sym_hi - ok

18:32:08.0515 1116 sym_u3 - ok

18:32:08.0578 1116 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

18:32:08.0578 1116 sysaudio - ok

18:32:08.0640 1116 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe

18:32:08.0671 1116 SysmonLog - ok

18:32:08.0796 1116 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll

18:32:08.0890 1116 TapiSrv - ok

18:32:09.0046 1116 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

18:32:09.0140 1116 Tcpip - ok

18:32:09.0250 1116 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys

18:32:09.0296 1116 Tcpip6 - ok

18:32:09.0312 1116 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

18:32:09.0312 1116 TDPIPE - ok

18:32:09.0359 1116 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

18:32:09.0359 1116 TDTCP - ok

18:32:09.0406 1116 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

18:32:09.0406 1116 TermDD - ok

18:32:09.0531 1116 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll

18:32:09.0609 1116 TermService - ok

18:32:09.0703 1116 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll

18:32:09.0718 1116 Themes - ok

18:32:09.0734 1116 TosIde - ok

18:32:09.0843 1116 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll

18:32:09.0843 1116 TrkWks - ok

18:32:09.0906 1116 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys

18:32:09.0906 1116 tunmp - ok

18:32:09.0968 1116 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

18:32:09.0984 1116 Udfs - ok

18:32:10.0000 1116 ultra - ok

18:32:10.0156 1116 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

18:32:10.0265 1116 Update - ok

18:32:10.0390 1116 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll

18:32:10.0421 1116 upnphost - ok

18:32:10.0453 1116 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe

18:32:10.0468 1116 UPS - ok

18:32:10.0515 1116 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

18:32:10.0531 1116 usbccgp - ok

18:32:10.0562 1116 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

18:32:10.0562 1116 usbehci - ok

18:32:10.0609 1116 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

18:32:10.0609 1116 usbhub - ok

18:32:10.0656 1116 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

18:32:10.0656 1116 usbstor - ok

18:32:10.0687 1116 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

18:32:10.0687 1116 usbuhci - ok

18:32:10.0781 1116 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

18:32:10.0781 1116 usbvideo - ok

18:32:10.0937 1116 usnjsvc (9d19b042a4fd5c02195071ea2fe0c821) C:\Program Files\Windows Live\Messenger\usnsvc.exe

18:32:10.0984 1116 usnjsvc - ok

18:32:11.0031 1116 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

18:32:11.0046 1116 VgaSave - ok

18:32:11.0062 1116 ViaIde - ok

18:32:11.0109 1116 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

18:32:11.0109 1116 VolSnap - ok

18:32:11.0250 1116 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe

18:32:11.0328 1116 VSS - ok

18:32:11.0437 1116 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll

18:32:11.0453 1116 W32Time - ok

18:32:11.0515 1116 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

18:32:11.0515 1116 Wanarp - ok

18:32:11.0531 1116 WDICA - ok

18:32:11.0593 1116 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

18:32:11.0609 1116 wdmaud - ok

18:32:11.0671 1116 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll

18:32:11.0671 1116 WebClient - ok

18:32:11.0828 1116 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll

18:32:11.0859 1116 winmgmt - ok

18:32:12.0046 1116 WLSetupSvc (94a85e956a065e23e0010a6a7826243b) C:\Program Files\Windows Live\installer\WLSetupSvc.exe

18:32:12.0171 1116 WLSetupSvc - ok

18:32:12.0234 1116 WmdmPmSN (c7e39ea41233e9f5b86c8da3a9f1e4a8) C:\WINDOWS\system32\mspmsnsv.dll

18:32:12.0234 1116 WmdmPmSN - ok

18:32:12.0328 1116 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe

18:32:12.0343 1116 WmiApSrv - ok

18:32:12.0390 1116 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

18:32:12.0390 1116 WSTCODEC - ok

18:32:12.0421 1116 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll

18:32:12.0421 1116 wuauserv - ok

18:32:12.0609 1116 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll

18:32:12.0750 1116 WZCSVC - ok

18:32:12.0843 1116 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll

18:32:12.0859 1116 xmlprov - ok

18:32:12.0921 1116 MBR (0x1B8) (72b8ce41af0de751c946802b3ed844b4) \Device\Harddisk0\DR0

18:32:13.0671 1116 \Device\Harddisk0\DR0 - ok

18:32:13.0687 1116 Boot (0x1200) (1dc4412d68b167435d62b4b8ab51d995) \Device\Harddisk0\DR0\Partition0

18:32:13.0687 1116 \Device\Harddisk0\DR0\Partition0 - ok

18:32:13.0734 1116 Boot (0x1200) (a331878794d7e3bcbc5b06e7e2f073bf) \Device\Harddisk0\DR0\Partition1

18:32:13.0828 1116 \Device\Harddisk0\DR0\Partition1 - ok

18:32:13.0828 1116 ============================================================

18:32:13.0828 1116 Scan finished

18:32:13.0828 1116 ============================================================

18:32:13.0859 1336 Detected object count: 0

18:32:13.0859 1336 Actual detected object count: 0

18:33:03.0390 2956 Deinitialize success

MBR.zip


  • Staff

No, that's fine, a reboot is not needed, this next tool may do an automatic reboot if it finds anything, so please run the following:

Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

CF_RC_notice.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

cfRC_screen_2.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


C-B:-

ComboFix seemed to run smoothly...still have lots of packet traffic on my NIC. Here is CF log:

ComboFix 12-04-25.02 - PKI 04/25/2012 19:19:06.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1592 [GMT -5:00]

Running from: c:\documents and settings\PKI\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\dds_trash_log.cmd

c:\windows\system32\urttemp

c:\windows\system32\urttemp\fusion.dll

c:\windows\system32\urttemp\mscoree.dll

c:\windows\system32\urttemp\mscoree.dll.local

c:\windows\system32\urttemp\mscorsn.dll

c:\windows\system32\urttemp\mscorwks.dll

c:\windows\system32\urttemp\msvcr71.dll

c:\windows\system32\urttemp\regtlib.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_usnjsvc

.

.

((((((((((((((((((((((((( Files Created from 2012-03-26 to 2012-04-26 )))))))))))))))))))))))))))))))

.

.

2012-04-23 23:21 . 2012-04-23 23:21 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-04-20 13:12 . 2012-04-20 13:12 -------- d-----w- c:\program files\ESET

2012-04-15 12:43 . 2012-04-15 12:43 -------- d-----w- c:\documents and settings\PKI\Application Data\QuickScan

2012-04-14 13:04 . 2012-04-14 13:04 -------- d-----w- c:\program files\Common Files\Java

2012-04-14 13:03 . 2012-04-14 13:02 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-13 21:20 . 2012-04-13 22:33 -------- d-----w- c:\windows\system32\DBBK

2012-04-13 17:26 . 2012-04-13 17:26 -------- d-----w- C:\TDSSKiller_Quarantine

2012-04-13 02:56 . 2012-04-13 02:56 -------- d-----w- c:\documents and settings\PKI\Application Data\Malwarebytes

2012-04-13 02:55 . 2012-04-13 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-13 02:55 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-12 23:54 . 2012-04-13 01:20 -------- d-----w- c:\documents and settings\Administrator

2012-04-12 23:27 . 2012-04-12 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\529C50A8000023CA0000260AD151FC84

2012-04-12 01:15 . 2012-04-12 01:15 -------- d-----w- c:\windows\system32\wbem\Repository

2012-04-12 00:54 . 2012-04-12 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-04-08 20:48 . 2012-04-14 12:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-14 13:02 . 2011-05-08 21:48 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-14 12:08 . 2011-05-15 10:43 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-13 17:31 . 2008-08-07 21:23 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-03-01 11:01 . 2008-08-07 21:23 916992 ----a-w- c:\windows\system32\wininet.dll

2012-03-01 11:01 . 2008-08-07 21:23 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-03-01 11:01 . 2008-08-07 21:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-02-29 14:10 . 2008-08-07 21:23 177664 ----a-w- c:\windows\system32\wintrust.dll

2012-02-29 14:10 . 2008-08-07 21:23 148480 ----a-w- c:\windows\system32\imagehlp.dll

2012-02-29 12:17 . 2008-08-07 21:23 385024 ----a-w- c:\windows\system32\html.iec

2012-02-03 09:22 . 2008-08-07 21:23 1860096 ----a-w- c:\windows\system32\win32k.sys

2008-05-07 08:34 . 2008-08-08 18:09 15523560 ----a-w- c:\program files\U1 Setup.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]

"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-07-23 98304]

"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-07-23 479232]

"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]

"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-07-23 335872]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-8-8 303104]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2008-06-19 08:20 57344 ----a-w- c:\windows\Alcmtr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobiLink3]

2009-08-27 00:44 902144 ----a-w- c:\program files\Novatel Wireless\Virgin Mobile\MobiLink3.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2007-10-18 15:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]

2009-08-23 04:03 79872 ----a-w- c:\documents and settings\PKI\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NvtlService"=2 (0x2)

"AdobeFlashPlayerUpdateSvc"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

.

S3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [3/3/2011 4:47 PM 1714176]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 12:58 PM 11336]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [4/23/2012 6:21 PM 32072]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 12:07 PM 35088]

S3 NWVMModem;Virgin Mobile USB Modem Driver;c:\windows\system32\drivers\nwvmmdm.sys [5/15/2009 2:34 PM 174720]

S3 NWVMPort;Virgin Mobile USB Status Port Driver;c:\windows\system32\drivers\nwvmser.sys [5/15/2009 2:34 PM 174720]

S3 NWVMPort2;Virgin Mobile USB Status2 Port Driver;c:\windows\system32\drivers\nwvmser2.sys [5/15/2009 2:34 PM 174720]

S4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/8/2012 3:48 PM 253088]

S4 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [8/24/2009 6:52 PM 82432]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

dwmrcs

cpuidlep

nvenetfd

MSFWDrv

rpcnet

ALABULK

atimpab

MREMP50

NMSCFG

se45mdm

SlNtHal

tnbrlds

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-25 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 12:08]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{34474385-B11B-4D43-87A0-097FE003BC6B}: NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{3C18C5E7-98F1-471F-A486-8BC065C591C6}: NameServer = 208.67.222.222,208.67.220.220

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam.wyc.org/activex/AMC.cab

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-68042079.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-25 19:30

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1928)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\igfxext.exe

.

**************************************************************************

.

Completion time: 2012-04-25 19:35:22 - machine was rebooted

ComboFix-quarantined-files.txt 2012-04-26 00:35

.

Pre-Run: 63,695,011,840 bytes free

Post-Run: 65,573,859,328 bytes free

.

- - End Of File - - BD8F181B710FDD9FFB2EEFFD10DECBEE


  • Staff
still have lots of packet traffic on my NIC

Just as a precaution, while we are cleaning this machine, don't use your computer for any personal or financial transactions. That could be an indication of a "back door trojan". This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

NETSVC::
dwmrcs
cpuidlep
nvenetfd
MSFWDrv
rpcnet
ALABULK
atimpab
MREMP50
NMSCFG
se45mdm
SlNtHal
tnbrlds

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

CFScriptB-4.gif

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

NEXT
Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System is found then ensure Delete is selected
    • Then click Continue > Reboot now

    • Copy and paste the log in your next reply

    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

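The CFScript above was built by hand from the "Svchost - NetSvcs" block of the ComboFix log. As an added example (not code from this thread or from ComboFix), here is a parser for that block that renders the same NETSVC:: section; the SAMPLE_LOG excerpt is constructed from the log posted above, and the cross-check against the log's own S3/S4 service lines is an assumed heuristic, not ComboFix's logic.

```python
"""Turn the 'Svchost - NetSvcs' block of a ComboFix log into a CFScript.

Added example; not code from the thread or from ComboFix. The section
layout is copied from the log posted above, and the cross-check against
the log's own service lines is an assumed heuristic, not ComboFix logic.
"""
import re
from typing import List, Set

# Constructed excerpt of the ComboFix log posted above; only the parts the
# parser needs are reproduced, in the order ComboFix prints them.
SAMPLE_LOG = r"""
S3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [3/3/2011 4:47 PM 1714176]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 12:07 PM 35088]
S4 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [8/24/2009 6:52 PM 82432]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
dwmrcs
cpuidlep
nvenetfd
MSFWDrv
rpcnet
ALABULK
atimpab
MREMP50
NMSCFG
se45mdm
SlNtHal
tnbrlds
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-25 c:\windows\Tasks\Adobe Flash Player Updater.job
"""

# ComboFix service lines look like "S3 Name;Display Name;path [date size]".
SERVICE_LINE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);")
NETSVCS_KEY = "\\Svchost - NetSvcs"


def parse_service_names(log: str) -> Set[str]:
    """Service names that have a definition line in the log (lower-cased)."""
    names = set()
    for line in log.splitlines():
        match = SERVICE_LINE.match(line)
        if match:
            names.add(match.group("name").lower())
    return names


def parse_netsvcs(log: str) -> List[str]:
    """Entries listed under the Svchost NetSvcs key, up to the '.' separator.

    ComboFix already hides the default entries, so everything here is a
    name some installer or malware added to the netsvcs group.
    """
    entries = []
    in_block = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.endswith(NETSVCS_KEY):
            in_block = True
            continue
        if not in_block or not line:
            continue
        if line == ".":
            break
        entries.append(line)
    return entries


def orphan_netsvcs(log: str) -> List[str]:
    """NetSvcs entries with no matching service line anywhere in the log.

    Heuristic (an assumption of this example): a netsvcs name that no
    service definition backs is dead weight at best and a leftover loader
    entry at worst, so it is the set worth scripting for removal.
    """
    known = parse_service_names(log)
    return [name for name in parse_netsvcs(log) if name.lower() not in known]


def build_cfscript(log: str, clear_java_cache: bool = True) -> str:
    """Render the NETSVC:: section (plus ClearJavaCache:: if wanted)."""
    lines = ["NETSVC::"] + orphan_netsvcs(log) + [""]
    if clear_java_cache:
        lines += ["ClearJavaCache::", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG), end="")
```

Running it prints the same NETSVC:: block as the hand-written script above; save that output as CFScript.txt on the desktop and drag it onto ComboFix.exe as described.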

C-B:- Thanks for such speedy replies....ComboFix did not display a message box when it finished and TDSS found zero objects, so no reboot. Here are the logs:

ComboFix 12-04-25.02 - PKI 04/25/2012 20:31:11.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1684 [GMT -5:00]

Running from: c:\documents and settings\PKI\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\PKI\Desktop\CFScript.txt

.

.

((((((((((((((((((((((((( Files Created from 2012-03-26 to 2012-04-26 )))))))))))))))))))))))))))))))

.

.

2012-04-23 23:21 . 2012-04-23 23:21 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys

2012-04-20 13:12 . 2012-04-20 13:12 -------- d-----w- c:\program files\ESET

2012-04-15 12:43 . 2012-04-15 12:43 -------- d-----w- c:\documents and settings\PKI\Application Data\QuickScan

2012-04-14 13:04 . 2012-04-14 13:04 -------- d-----w- c:\program files\Common Files\Java

2012-04-14 13:03 . 2012-04-14 13:02 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-04-13 21:20 . 2012-04-13 22:33 -------- d-----w- c:\windows\system32\DBBK

2012-04-13 17:26 . 2012-04-13 17:26 -------- d-----w- C:\TDSSKiller_Quarantine

2012-04-13 02:56 . 2012-04-13 02:56 -------- d-----w- c:\documents and settings\PKI\Application Data\Malwarebytes

2012-04-13 02:55 . 2012-04-13 02:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-13 02:55 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-12 23:54 . 2012-04-13 01:20 -------- d-----w- c:\documents and settings\Administrator

2012-04-12 23:27 . 2012-04-12 23:27 -------- d-----w- c:\documents and settings\All Users\Application Data\529C50A8000023CA0000260AD151FC84

2012-04-12 01:15 . 2012-04-12 01:15 -------- d-----w- c:\windows\system32\wbem\Repository

2012-04-12 00:54 . 2012-04-12 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-04-08 20:48 . 2012-04-14 12:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-04-14 13:02 . 2011-05-08 21:48 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-04-14 12:08 . 2011-05-15 10:43 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-13 17:31 . 2008-08-07 21:23 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2012-03-01 11:01 . 2008-08-07 21:23 916992 ----a-w- c:\windows\system32\wininet.dll

2012-03-01 11:01 . 2008-08-07 21:23 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-03-01 11:01 . 2008-08-07 21:23 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2012-02-29 14:10 . 2008-08-07 21:23 177664 ----a-w- c:\windows\system32\wintrust.dll

2012-02-29 14:10 . 2008-08-07 21:23 148480 ----a-w- c:\windows\system32\imagehlp.dll

2012-02-29 12:17 . 2008-08-07 21:23 385024 ----a-w- c:\windows\system32\html.iec

2012-02-03 09:22 . 2008-08-07 21:23 1860096 ----a-w- c:\windows\system32\win32k.sys

2008-05-07 08:34 . 2008-08-08 18:09 15523560 ----a-w- c:\program files\U1 Setup.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]

"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-07-23 98304]

"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-07-23 479232]

"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]

"ETDWare"="c:\program files\Elantech\ETDCtrl.exe" [2008-07-23 335872]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-8-8 303104]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2008-06-19 08:20 57344 ----a-w- c:\windows\Alcmtr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobiLink3]

2009-08-27 00:44 902144 ----a-w- c:\program files\Novatel Wireless\Virgin Mobile\MobiLink3.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

2007-10-18 15:34 5724184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SansaDispatch]

2009-08-23 04:03 79872 ----a-w- c:\documents and settings\PKI\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2012-01-18 19:02 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"NvtlService"=2 (0x2)

"AdobeFlashPlayerUpdateSvc"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

.

S3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [3/3/2011 4:47 PM 1714176]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 12:58 PM 11336]

S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [4/23/2012 6:21 PM 32072]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 12:07 PM 35088]

S3 NWVMModem;Virgin Mobile USB Modem Driver;c:\windows\system32\drivers\nwvmmdm.sys [5/15/2009 2:34 PM 174720]

S3 NWVMPort;Virgin Mobile USB Status Port Driver;c:\windows\system32\drivers\nwvmser.sys [5/15/2009 2:34 PM 174720]

S3 NWVMPort2;Virgin Mobile USB Status2 Port Driver;c:\windows\system32\drivers\nwvmser2.sys [5/15/2009 2:34 PM 174720]

S4 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/8/2012 3:48 PM 253088]

S4 NvtlService;NovaCore SDK Service;c:\program files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [8/24/2009 6:52 PM 82432]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-04-26 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 12:08]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

TCP: DhcpNameServer = 192.168.1.1

TCP: Interfaces\{34474385-B11B-4D43-87A0-097FE003BC6B}: NameServer = 208.67.222.222,208.67.220.220

TCP: Interfaces\{3C18C5E7-98F1-471F-A486-8BC065C591C6}: NameServer = 208.67.222.222,208.67.220.220

DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://webcam.wyc.org/activex/AMC.cab

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-25 20:38

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(1852)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

Completion time: 2012-04-25 20:40:45

ComboFix-quarantined-files.txt 2012-04-26 01:40

ComboFix2.txt 2012-04-26 00:35

.

Pre-Run: 65,578,618,880 bytes free

Post-Run: 65,566,928,896 bytes free

.

- - End Of File - - 7FDF513935721F424951089D08D33D6C

20:45:35.0343 3636 TDSS rootkit removing tool 2.7.33.0 Apr 24 2012 18:43:43

20:45:36.0062 3636 ============================================================

20:45:36.0062 3636 Current date / time: 2012/04/25 20:45:36.0062

20:45:36.0062 3636 SystemInfo:

20:45:36.0062 3636

20:45:36.0062 3636 OS Version: 5.1.2600 ServicePack: 3.0

20:45:36.0062 3636 Product type: Workstation

20:45:36.0062 3636 ComputerName: WEEE

20:45:36.0062 3636 UserName: PKI

20:45:36.0062 3636 Windows directory: C:\WINDOWS

20:45:36.0062 3636 System windows directory: C:\WINDOWS

20:45:36.0062 3636 Processor architecture: Intel x86

20:45:36.0062 3636 Number of processors: 1

20:45:36.0062 3636 Page size: 0x1000

20:45:36.0062 3636 Boot type: Normal boot

20:45:36.0062 3636 ============================================================

20:45:38.0750 3636 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

20:45:38.0765 3636 ============================================================

20:45:38.0765 3636 \Device\Harddisk0\DR0:

20:45:38.0765 3636 MBR partitions:

20:45:38.0765 3636 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xA00A70F

20:45:38.0765 3636 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xA00A74E, BlocksNum 0x89FE86F

20:45:38.0765 3636 ============================================================

20:45:38.0843 3636 C: <-> \Device\Harddisk0\DR0\Partition0

20:45:38.0953 3636 D: <-> \Device\Harddisk0\DR0\Partition1

20:45:38.0953 3636 ============================================================

20:45:38.0953 3636 Initialize success

20:45:38.0953 3636 ============================================================

20:45:48.0125 2868 ============================================================

20:45:48.0125 2868 Scan started

20:45:48.0125 2868 Mode: Manual; TDLFS;

20:45:48.0125 2868 ============================================================


20:46:08.0187 2868 TrkWks - ok

20:46:08.0250 2868 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys

20:46:08.0250 2868 tunmp - ok

20:46:08.0296 2868 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

20:46:08.0312 2868 Udfs - ok

20:46:08.0328 2868 ultra - ok

20:46:08.0500 2868 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

20:46:08.0515 2868 Update - ok

20:46:08.0625 2868 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll

20:46:08.0625 2868 upnphost - ok

20:46:08.0656 2868 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe

20:46:08.0656 2868 UPS - ok

20:46:08.0734 2868 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

20:46:08.0734 2868 usbccgp - ok

20:46:08.0781 2868 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

20:46:08.0781 2868 usbehci - ok

20:46:08.0828 2868 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

20:46:08.0828 2868 usbhub - ok

20:46:08.0875 2868 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

20:46:08.0875 2868 usbstor - ok

20:46:08.0906 2868 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

20:46:08.0906 2868 usbuhci - ok

20:46:08.0984 2868 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

20:46:08.0984 2868 usbvideo - ok

20:46:09.0031 2868 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

20:46:09.0031 2868 VgaSave - ok

20:46:09.0046 2868 ViaIde - ok

20:46:09.0109 2868 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

20:46:09.0125 2868 VolSnap - ok

20:46:09.0250 2868 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe

20:46:09.0265 2868 VSS - ok

20:46:09.0359 2868 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll

20:46:09.0375 2868 W32Time - ok

20:46:09.0421 2868 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

20:46:09.0421 2868 Wanarp - ok

20:46:09.0437 2868 WDICA - ok

20:46:09.0500 2868 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

20:46:09.0500 2868 wdmaud - ok

20:46:09.0562 2868 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll

20:46:09.0578 2868 WebClient - ok

20:46:09.0718 2868 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll

20:46:09.0718 2868 winmgmt - ok

20:46:09.0937 2868 WLSetupSvc (94a85e956a065e23e0010a6a7826243b) C:\Program Files\Windows Live\installer\WLSetupSvc.exe

20:46:09.0937 2868 WLSetupSvc - ok

20:46:10.0000 2868 WmdmPmSN (c7e39ea41233e9f5b86c8da3a9f1e4a8) C:\WINDOWS\system32\mspmsnsv.dll

20:46:10.0015 2868 WmdmPmSN - ok

20:46:10.0109 2868 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe

20:46:10.0109 2868 WmiApSrv - ok

20:46:10.0156 2868 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

20:46:10.0156 2868 WS2IFSL - ok

20:46:10.0203 2868 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll

20:46:10.0218 2868 wscsvc - ok

20:46:10.0250 2868 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

20:46:10.0250 2868 WSTCODEC - ok

20:46:10.0281 2868 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll

20:46:10.0296 2868 wuauserv - ok

20:46:10.0484 2868 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll

20:46:10.0500 2868 WZCSVC - ok

20:46:10.0578 2868 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll

20:46:10.0593 2868 xmlprov - ok

20:46:10.0656 2868 MBR (0x1B8) (72b8ce41af0de751c946802b3ed844b4) \Device\Harddisk0\DR0

20:46:11.0359 2868 \Device\Harddisk0\DR0 - ok

20:46:11.0375 2868 Boot (0x1200) (1dc4412d68b167435d62b4b8ab51d995) \Device\Harddisk0\DR0\Partition0

20:46:11.0390 2868 \Device\Harddisk0\DR0\Partition0 - ok

20:46:11.0421 2868 Boot (0x1200) (a331878794d7e3bcbc5b06e7e2f073bf) \Device\Harddisk0\DR0\Partition1

20:46:11.0421 2868 \Device\Harddisk0\DR0\Partition1 - ok

20:46:11.0437 2868 ============================================================

20:46:11.0437 2868 Scan finished

20:46:11.0437 2868 ============================================================

20:46:11.0453 3856 Detected object count: 0

20:46:11.0453 3856 Actual detected object count: 0

20:46:27.0718 2960 Deinitialize success


  • Staff

ok, looking much better, let's check for any leftovers

please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

NEXT

Please advise if there are any outstanding issues


CatBite:-

MBAM found no malicious anythings. ESET took a while to scan and came up with 2 potential issues, which I hope we can ignore since I use the program WirelessNetView.

Here are the logs:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.04.25.10

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

PKI :: WEEE [administrator]

4/25/2012 9:12:55 PM

mbam-log-2012-04-25 (21-12-55).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 194917

Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

ESETSCAN

C:\System Volume Information\_restore{BADCEA4B-5DE3-46B6-9665-CAD8946A7B16}\RP850\A0029775.exe probably a variant of Win32/PSWTool.WirelessNetView.A application

C:\System Volume Information\_restore{BADCEA4B-5DE3-46B6-9665-CAD8946A7B16}\RP850\A0029777.exe probably a variant of Win32/PSWTool.WirelessNetView.A application

What tools need to be uninstalled after you give the all-clear? And thanks again...


Today I still have huge amounts of ethernet traffic...loading one browser page shows >100k received packets...I suspect something else is living in my machine...Ran Rogue Killer (scan only) and have attached the log...Your comments would be appreciated. Thanks.

RogueKiller V7.3.3 [04/22/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: PKI [Admin rights]

Mode: Scan -- Date: 04/26/2012 13:59:45

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST9160310AS +++++

--- User ---

[MBR] ed490db5b923cb6530baf04f1e765daa

[bSP] 54b2ebf39193337444fa74fa90564521 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 81940 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 167814990 | Size: 70653 Mo

2 - [XXXXXX] UNKNOWN (0xef) [VISIBLE] Offset (sectors): 312512445 | Size: 31 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt


  • Staff

the rogue killer report is reading as clean, the detections found by ESET are in old restore points and will clean up when we reset a new restore point on cleanup.

The traffic you are reporting does not appear to be related to malware.

TDSSKiller has been clean twice and ComboFix has removed what was on your machine.

The MBR is not infected.

Do you have a network configured?

Just to make certain, please run GMER


Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


This machine IS connected to a wired LAN, behind a 4 port switch, a "WhiteBox" program Netgear router bridged to a Siemens DSL modem/router. Configuration has worked flawlessly for 2 years and has not been reconfigured...will explore network solutions after we get this malware and tools cleaned up.

The Gmer file is attached and I await further instruction...and thanks CatBite!

Gmer.txt


  • Staff

OK,

the GMER log is clean, so I don't think there is anything lurking on your system.

Is netbios over tcp/ip enabled?

You might want to try disabling it if it is enabled (not sure if this is actually applicable to your situation)

http://www.ivpn.net/knowledgebase/11/How-to-Disable-NetBios-over-TCPorIP-in-Windows-XP.html

you might also want to check your settings and make sure there are no proxy servers set.

let me know if that makes any difference

I'll give you the clean up routine, uninstalling comboFix will reset a new restore point.

If you want further assistance with the ethernet traffic, I can recommend the techs here, they may be able to assist (this area isn't my strong point, I just remove malware)

please do the following:

You can delete the Rogue Killer, DDS, TDSSKiller aswMBR and GMER logs and programs from your desktop.

NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.


If there are any logs/tools remaining on your desktop > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.
  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.
  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?
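The NetBIOS, proxy and Internet Explorer ActiveX settings recommended in the two staff posts above can be audited from the registry rather than by clicking through dialogs. This is an added example, not a tool from the thread or from Malwarebytes; it assumes the standard Windows XP registry locations named in the comments (HKCU Internet Settings zone 3 actions 1001/1004/1201, ProxyEnable/ProxyServer, and HKLM NetBT NetbiosOptions), and the snapshots in the comments are constructed.

```python
"""Audit the post-cleanup hardening settings recommended in this thread.

Added example (not from the thread). audit() evaluates a plain dict snapshot
so it runs offline; read_live_settings() fills that snapshot from the real
registry when run on the Windows machine (assumed standard XP locations).
"""
import sys

INET = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"  # under HKCU
IE_ZONE = INET + r"\Zones\3"                                            # zone 3 = Internet
NETBT = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"  # under HKLM

# IE zone action codes: 0 = Enable, 1 = Prompt, 3 = Disable.
ZONE_RECOMMENDED = {
    "1001": 1,  # Download signed ActiveX controls          -> Prompt
    "1004": 1,  # Download unsigned ActiveX controls        -> Prompt
    "1201": 3,  # Initialize/script ActiveX not marked safe -> Disable
}
NETBIOS_DISABLED = 2  # NetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled


def audit(snapshot):
    """Return a list of findings; an empty list means every setting is in place.

    snapshot = {"zone": {code: value}, "proxy_enable": int, "proxy_server": str,
                "netbios": {interface_subkey: NetbiosOptions value}}
    """
    findings = []
    for code, want in ZONE_RECOMMENDED.items():
        got = snapshot.get("zone", {}).get(code)
        if got != want:  # missing value counts as a finding too
            findings.append(f"IE Internet zone action {code} is {got}, recommended {want}")
    if snapshot.get("proxy_enable") == 1 or snapshot.get("proxy_server"):
        findings.append(f"proxy server configured: {snapshot.get('proxy_server')!r}")
    for iface, opt in snapshot.get("netbios", {}).items():
        if opt != NETBIOS_DISABLED:
            findings.append(f"NetBIOS over TCP/IP not disabled on {iface} (NetbiosOptions={opt})")
    return findings


def read_live_settings():
    """Collect the snapshot from the local registry (Windows only)."""
    import winreg  # imported here so audit() stays usable on non-Windows hosts

    def value(root, path, name, default=None):
        try:
            with winreg.OpenKey(root, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return default

    snap = {"zone": {c: value(winreg.HKEY_CURRENT_USER, IE_ZONE, c) for c in ZONE_RECOMMENDED},
            "proxy_enable": value(winreg.HKEY_CURRENT_USER, INET, "ProxyEnable", 0),
            "proxy_server": value(winreg.HKEY_CURRENT_USER, INET, "ProxyServer", ""),
            "netbios": {}}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETBT) as ifaces:
        for i in range(winreg.QueryInfoKey(ifaces)[0]):  # one subkey per Tcpip_{GUID}
            name = winreg.EnumKey(ifaces, i)
            snap["netbios"][name] = value(winreg.HKEY_LOCAL_MACHINE, NETBT + "\\" + name,
                                          "NetbiosOptions", 0)
    return snap


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows machine being audited")
    for line in audit(read_live_settings()) or ["all recommended settings in place"]:
        print(line)
```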


Disabled NetBios and no joy...no proxies configured...will follow your advice and investigate the info sources you posted.

TFC ran fine and did need a reboot.

Maybe you "just" clean malware, CatBite, but you have been a big help. Talk about making a difference in the world...

Many thanks again and consider this case closed.

W.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
