Not sure which infection this is? Java Exploit maybe..?

kevinf80 · November 20, 2013

Can you open Device manager expand any relevant entries and see if any have Question or Exclamation marks against them

hiesenberg · November 20, 2013

pretty sure I did that. found it under network adapters, it was a pci modem and I have uninstalled it only to watch it come back... not sure how. Thanks!

kevinf80 · November 20, 2013

That must be hardware (network card) that is on your system, Windows finds it at boot but cannot attribute a driver from your PC driver cache. Go back into Device Manager > Right click on the PCI entry under Network Adapters > Select > "Update Driver Software" > then choose the option where windows will search online as well as your PC.

If windows fails to find the driver you will have to locate the manufacturers website and get a driver from there...

hiesenberg · November 20, 2013

kevin:

Just a few minutes ago, the gray taskbar issue appeared again preceeded by the svchost.exe running at 100%. UUGGGHH!!!!

I was curious to know if the last combofix scan had any obvious findings on it?

What about a system restore? Can these infections hide/disguise so well that they may go undetected by all the scanners available

on this forum? What are our options at this point? this is soooo frustrating.

Thanks.

kevinf80 · November 20, 2013

The log from Combofix does not show any obvious malware/infection, there are remnants from previous security that may cause problems, Run the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

ClearJavaCache::Driver::DasBootDasBootFPRSBDRVRlswd2yhnFolder::c:\program files\Panda SecurityFile::c:\windows\\SystemRoot\system32\drivers\DasBoot.SYSc:\windows\\SystemRoot\system32\drivers\DasBootF.SYSc:\windows\\SystemRoot\system32\drivers\PRSBDRVR.SYSc:\windows\System32\Drivers\lswd2yhn.sysC:\Iexplore.exe.exe

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next,

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware,

Make sure that everything is checked, and click Remove Selected on any found items.

Post those logs, does svchost issue still happen?

hiesenberg · November 21, 2013

kevin-

machine is quiet, nothing weird going on, looks good in normal mode so far.. combo & mbam logs attached.

ComboFix 13-11-18.01 - RICH 11/20/2013 18:14:38.6.1 - x86 NETWORK
Running from: C:\Documents and Settings\RICH\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\RICH\Desktop\cfscript.txt

FILE ::
"C:\Iexplore.exe.exe"
"c:\windows\\SystemRoot\system32\drivers\DasBoot.SYS"
"c:\windows\\SystemRoot\system32\drivers\DasBootF.SYS"
"c:\windows\\SystemRoot\system32\drivers\PRSBDRVR.SYS"
"c:\windows\System32\Drivers\lswd2yhn.sys"

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.20.14

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
RICH :: RICH-BIZ [administrator]

11/20/2013 6:49:07 PM

mbam-log-2013-11-20 (18-49-07).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 213770
Time elapsed: 11 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

kevinf80 · November 21, 2013

I guess the best way forward is to run the system for maybe 12 to 24 hours or so, see how it responds. If all is still ok we run another online AV scan just to double check, if that is clean we remove all tools etc...

Does that sound ok with you....

You did not post the full CF log?

hiesenberg · November 21, 2013

okay lots going on...

>could not locate the combo log but I will look again

> taskbar change is back, this time the blue version added a 2nd level, like 2 rows of icons. very weird.

> while svchost was running at 90-100%, I ran Rkill and it listed well over a 100 drivers as unsigned. it ran for much longer period than what it usually takes, (I saved the log-can be posted)

> also ran Junkware-jrt and it found 2 registry entries. previously, JRT has always come up clean.

please tell me if these jrt findings are serious or harmless..?

Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows XP x86
Ran by Administrator on Thu 11/21/2013 at 16:16:48.18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

~~~ Registry Keys
~~~ Files
~~~ Folders
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 11/21/2013 at 16:20:44.26
End of JRT log

kevinf80 · November 21, 2013

JRT log is ok, can you post RKill log

hiesenberg · November 22, 2013

thanks for hanging in there. great admiration for your persistence!

Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/21/2013 03:33:52 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* C:\WINDOWS\System32\ws2_32.dll : 82,432 : 04/14/2008 07:00 AM : 2ccc474eb85ceaa3e1fa1726580a3e5a [NoSig]
+-> C:\WINDOWS\erdnt\cache\ws2_32.dll : 82,432 : 04/14/2008 07:00 AM : 2ccc474eb85ceaa3e1fa1726580a3e5a [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\ws2_32.dll : 82,432 : 04/14/2008 07:00 AM : 2ccc474eb85ceaa3e1fa1726580a3e5a [Pos Repl]

* C:\WINDOWS\System32\ws2help.dll : 19,968 : 04/14/2008 07:00 AM : 9789e95e1d88eeb4b922bf3ea7779c28 [NoSig]
+-> C:\WINDOWS\erdnt\cache\ws2help.dll : 19,968 : 04/14/2008 07:00 AM : 9789e95e1d88eeb4b922bf3ea7779c28 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\ws2help.dll : 19,968 : 04/14/2008 07:00 AM : 9789e95e1d88eeb4b922bf3ea7779c28 [Pos Repl]

* C:\WINDOWS\System32\wscntfy.exe : 13,824 : 04/14/2008 07:00 AM : f92e1076c42fcd6db3d72d8cfe9816d5 [NoSig]
+-> C:\WINDOWS\erdnt\cache\wscntfy.exe : 13,824 : 04/14/2008 07:00 AM : f92e1076c42fcd6db3d72d8cfe9816d5 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\wscntfy.exe : 13,824 : 04/14/2008 07:00 AM : f92e1076c42fcd6db3d72d8cfe9816d5 [Pos Repl]

* C:\WINDOWS\System32\xmlprov.dll : 129,024 : 04/14/2008 07:00 AM : 295d21f14c335b53cb8154e5b1f892b9 [NoSig]
+-> C:\WINDOWS\erdnt\cache\xmlprov.dll : 129,024 : 04/14/2008 07:00 AM : 295d21f14c335b53cb8154e5b1f892b9 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\xmlprov.dll : 129,024 : 04/14/2008 07:00 AM : 295d21f14c335b53cb8154e5b1f892b9 [Pos Repl]

* C:\WINDOWS\explorer.exe : 1,033,728 : 04/14/2008 07:00 AM : 12896823fb95bfb3dc9b46bcaedc9923 [NoSig]
+-> C:\WINDOWS\erdnt\cache\explorer.exe : 1,033,728 : 04/14/2008 07:00 AM : 12896823fb95bfb3dc9b46bcaedc9923 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\explorer.exe : 1,033,728 : 04/14/2008 07:00 AM : 12896823fb95bfb3dc9b46bcaedc9923 [Pos Repl]

* C:\WINDOWS\System32\drivers\acpiec.sys : 11,648 : 04/14/2008 07:00 AM : 9859c0f6936e723e4892d7141b1327d5 [NoSig]
+-> C:\WINDOWS\erdnt\cache\acpiec.sys : 11,648 : 04/14/2008 07:00 AM : 9859c0f6936e723e4892d7141b1327d5 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\acpiec.sys : 11,648 : 04/14/2008 07:00 AM : 9859c0f6936e723e4892d7141b1327d5 [Pos Repl]

* C:\WINDOWS\System32\drivers\acpi.sys : 187,776 : 04/14/2008 07:00 AM : 8fd99680a539792a30e97944fdaecf17 [NoSig]
+-> C:\WINDOWS\system32\dllcache\acpi.sys : 187,776 : 04/14/2008 07:00 AM : 8fd99680a539792a30e97944fdaecf17 [Pos Repl]

* C:\WINDOWS\System32\drivers\aec.sys : 142,592 : 04/14/2008 07:00 AM : 8bed39e3c35d6a489438b8141717a557 [NoSig]
+-> C:\WINDOWS\erdnt\cache\aec.sys : 142,592 : 04/14/2008 07:00 AM : 8bed39e3c35d6a489438b8141717a557 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\aec.sys : 142,592 : 04/14/2008 07:00 AM : 8bed39e3c35d6a489438b8141717a557 [Pos Repl]

* C:\WINDOWS\System32\drivers\afd.sys : 138,496 : 08/17/2011 08:49 AM : 1e44bc1e83d8fd2305f8d452db109cf9 [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys : 138,496 : 10/16/2008 10:07 AM : 38d7b715504da4741df35e3594fe2099 [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys : 138,496 : 08/17/2011 08:41 AM : f6b7b1ecd7b41736bdb6ff4b092bcb79 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB2509553$\afd.sys : 138,112 : 04/14/2008 07:00 AM : 322d0e36693d6e24a2398bee62a268cd [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB2592799$\afd.sys : 138,496 : 10/16/2008 09:43 AM : 7618d5218f2a614672ec61a80d854a37 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\afd.sys : 138,496 : 08/17/2011 08:49 AM : 1e44bc1e83d8fd2305f8d452db109cf9 [Pos Repl]

* C:\WINDOWS\System32\drivers\agp440.sys : 42,368 : 04/14/2008 07:00 AM : 08fd04aa961bdc77fb983f328334e3d7 [NoSig]
+-> C:\WINDOWS\erdnt\cache\agp440.sys : 42,368 : 04/14/2008 07:00 AM : 08fd04aa961bdc77fb983f328334e3d7 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\agp440.sys : 42,368 : 04/14/2008 07:00 AM : 08fd04aa961bdc77fb983f328334e3d7 [Pos Repl]

* C:\WINDOWS\System32\drivers\amdk6.sys : 37,376 : 04/14/2008 07:00 AM : d7701d7e72243286cc88c9973d891057 [NoSig]
+-> C:\WINDOWS\system32\dllcache\amdk6.sys : 37,376 : 04/14/2008 07:00 AM : d7701d7e72243286cc88c9973d891057 [Pos Repl]

* C:\WINDOWS\System32\drivers\amdk7.sys : 37,760 : 04/14/2008 07:00 AM : 8fce268cdbdd83b23419d1f35f42c7b1 [NoSig]
+-> C:\WINDOWS\system32\dllcache\amdk7.sys : 37,760 : 04/14/2008 07:00 AM : 8fce268cdbdd83b23419d1f35f42c7b1 [Pos Repl]

* C:\WINDOWS\System32\drivers\arp1394.sys : 60,800 : 04/14/2008 07:00 AM : b5b8a80875c1dededa8b02765642c32f [NoSig]
+-> C:\WINDOWS\system32\dllcache\arp1394.sys : 60,800 : 04/14/2008 07:00 AM : b5b8a80875c1dededa8b02765642c32f [Pos Repl]

* C:\WINDOWS\System32\drivers\asyncmac.sys : 14,336 : 04/14/2008 07:00 AM : b153affac761e7f5fcfa822b9c4e97bc [NoSig]
+-> C:\WINDOWS\erdnt\cache\asyncmac.sys : 14,336 : 04/14/2008 07:00 AM : b153affac761e7f5fcfa822b9c4e97bc [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\asyncmac.sys : 14,336 : 04/14/2008 07:00 AM : b153affac761e7f5fcfa822b9c4e97bc [Pos Repl]

* C:\WINDOWS\System32\drivers\atapi.sys : 96,512 : 04/14/2008 07:00 AM : 9f3a2f5aa6875c72bf062c712cfa2674 [NoSig]
+-> C:\WINDOWS\erdnt\cache\atapi.sys : 96,512 : 04/14/2008 07:00 AM : 9f3a2f5aa6875c72bf062c712cfa2674 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\atapi.sys : 96,512 : 04/14/2008 07:00 AM : 9f3a2f5aa6875c72bf062c712cfa2674 [Pos Repl]

* C:\WINDOWS\System32\drivers\audstub.sys : 3,072 : 08/17/2001 08:59 AM : d9f724aa26c010a217c97606b160ed68 [NoSig]
+-> C:\WINDOWS\system32\dllcache\audstub.sys : 3,072 : 08/17/2001 08:59 AM : d9f724aa26c010a217c97606b160ed68 [Pos Repl]

* C:\WINDOWS\System32\drivers\beep.sys : 4,224 : 04/14/2008 07:00 AM : da1f27d85e0d1525f6621372e7b685e9 [NoSig]
+-> C:\WINDOWS\erdnt\cache\beep.sys : 4,224 : 04/14/2008 07:00 AM : da1f27d85e0d1525f6621372e7b685e9 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\beep.sys : 4,224 : 04/14/2008 07:00 AM : da1f27d85e0d1525f6621372e7b685e9 [Pos Repl]

* C:\WINDOWS\System32\drivers\bridge.sys : 71,552 : 04/14/2008 07:00 AM : f934d1b230f84e1d19dd00ac5a7a83ed [NoSig]
+-> C:\WINDOWS\system32\dllcache\bridge.sys : 71,552 : 04/14/2008 07:00 AM : f934d1b230f84e1d19dd00ac5a7a83ed [Pos Repl]

* C:\WINDOWS\System32\drivers\bthport.sys : 272,128 : 06/13/2008 06:05 AM : 662bfd909447dd9cc15b1a1c366583b4 [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB951376-v2\SP3QFE\bthport.sys : 272,128 : 06/13/2008 06:27 AM : 51d05d5a8a7d93ab0b1a8d6a38db3ca4 [Pos Repl]
+-> C:\WINDOWS\Driver Cache\i386\bthport.sys : 272,128 : 06/13/2008 06:05 AM : 662bfd909447dd9cc15b1a1c366583b4 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\bthport.sys : 272,128 : 06/13/2008 06:05 AM : 662bfd909447dd9cc15b1a1c366583b4 [Pos Repl]

* C:\WINDOWS\System32\drivers\cbidf2k.sys : 13,952 : 04/14/2008 07:00 AM : 90a673fc8e12a79afbed2576f6a7aaf9 [NoSig]
+-> C:\WINDOWS\system32\dllcache\cbidf2k.sys : 13,952 : 04/14/2008 07:00 AM : 90a673fc8e12a79afbed2576f6a7aaf9 [Pos Repl]

* C:\WINDOWS\System32\drivers\cdaudio.sys : 18,688 : 04/14/2008 07:00 AM : c1b486a7658353d33a10cc15211a873b [NoSig]
+-> C:\WINDOWS\system32\dllcache\cdaudio.sys : 18,688 : 04/14/2008 07:00 AM : c1b486a7658353d33a10cc15211a873b [Pos Repl]

* C:\WINDOWS\System32\drivers\cdfs.sys : 63,744 : 04/14/2008 07:00 AM : c885b02847f5d2fd45a24e219ed93b32 [NoSig]
+-> C:\WINDOWS\system32\dllcache\cdfs.sys : 63,744 : 04/14/2008 07:00 AM : c885b02847f5d2fd45a24e219ed93b32 [Pos Repl]

* C:\WINDOWS\System32\drivers\cdrom.sys : 62,976 : 04/14/2008 07:00 AM : 1f4260cc5b42272d71f79e570a27a4fe [NoSig]
+-> C:\WINDOWS\system32\dllcache\cdrom.sys : 62,976 : 04/14/2008 07:00 AM : 1f4260cc5b42272d71f79e570a27a4fe [Pos Repl]

* C:\WINDOWS\System32\drivers\classpnp.sys : 49,536 : 04/14/2008 07:00 AM : fe47dd8fe6d7768ff94ebec6c74b2719 [NoSig]
+-> C:\WINDOWS\system32\dllcache\classpnp.sys : 49,536 : 04/14/2008 07:00 AM : fe47dd8fe6d7768ff94ebec6c74b2719 [Pos Repl]

* C:\WINDOWS\System32\drivers\cpqdap01.sys : 11,776 : 04/14/2008 07:00 AM : 9624293e55ad405415862b504ca95b73 [NoSig]
+-> C:\WINDOWS\system32\dllcache\cpqdap01.sys : 11,776 : 04/14/2008 07:00 AM : 9624293e55ad405415862b504ca95b73 [Pos Repl]

* C:\WINDOWS\System32\drivers\crusoe.sys : 36,736 : 04/14/2008 07:00 AM : f50d9bdbb25cce075e514dc07472a22f [NoSig]
+-> C:\WINDOWS\system32\dllcache\crusoe.sys : 36,736 : 04/14/2008 07:00 AM : f50d9bdbb25cce075e514dc07472a22f [Pos Repl]

* C:\WINDOWS\System32\drivers\diskdump.sys : 14,208 : 04/14/2008 07:00 AM : e65e2353a5d74ea89971cb918eeeb2f6 [NoSig]
+-> C:\WINDOWS\system32\dllcache\diskdump.sys : 14,208 : 04/14/2008 07:00 AM : e65e2353a5d74ea89971cb918eeeb2f6 [Pos Repl]

* C:\WINDOWS\System32\drivers\disk.sys : 36,352 : 04/14/2008 07:00 AM : 044452051f3e02e7963599fc8f4f3e25 [NoSig]
+-> C:\WINDOWS\system32\dllcache\disk.sys : 36,352 : 04/14/2008 07:00 AM : 044452051f3e02e7963599fc8f4f3e25 [Pos Repl]

* C:\WINDOWS\System32\drivers\dmboot.sys : 799,744 : 04/14/2008 07:00 AM : d992fe1274bde0f84ad826acae022a41 [NoSig]
+-> C:\WINDOWS\system32\dllcache\dmboot.sys : 799,744 : 04/14/2008 07:00 AM : d992fe1274bde0f84ad826acae022a41 [Pos Repl]

* C:\WINDOWS\System32\drivers\dmio.sys : 153,344 : 04/14/2008 07:00 AM : 7c824cf7bbde77d95c08005717a95f6f [NoSig]
+-> C:\WINDOWS\system32\dllcache\dmio.sys : 153,344 : 04/14/2008 07:00 AM : 7c824cf7bbde77d95c08005717a95f6f [Pos Repl]

* C:\WINDOWS\System32\drivers\dmload.sys : 5,888 : 04/14/2008 07:00 AM : e9317282a63ca4d188c0df5e09c6ac5f [NoSig]
+-> C:\WINDOWS\system32\dllcache\dmload.sys : 5,888 : 04/14/2008 07:00 AM : e9317282a63ca4d188c0df5e09c6ac5f [Pos Repl]

* C:\WINDOWS\System32\drivers\DMusic.sys : 52,864 : 04/13/2008 11:15 PM : 8a208dfcf89792a484e76c40e5f50b45 [NoSig]
+-> C:\WINDOWS\system32\dllcache\dmusic.sys : 52,864 : 04/13/2008 11:15 PM : 8a208dfcf89792a484e76c40e5f50b45 [Pos Repl]

* C:\WINDOWS\System32\drivers\drmkaud.sys : 2,944 : 04/14/2008 07:00 AM : 8f5fcff8e8848afac920905fbd9d33c8 [NoSig]
+-> C:\WINDOWS\system32\dllcache\drmkaud.sys : 2,944 : 04/14/2008 07:00 AM : 8f5fcff8e8848afac920905fbd9d33c8 [Pos Repl]

* C:\WINDOWS\System32\drivers\drmk.sys : 60,160 : 04/13/2008 11:15 PM : 6cb08593487f5701d2d2254e693eafce [NoSig]
+-> C:\WINDOWS\system32\dllcache\drmk.sys : 60,160 : 04/13/2008 11:15 PM : 6cb08593487f5701d2d2254e693eafce [Pos Repl]

* C:\WINDOWS\System32\drivers\dxapi.sys : 10,496 : 04/14/2008 07:00 AM : fe97d0343acfdebdd578fc67cc91fa87 [NoSig]
+-> C:\WINDOWS\system32\dllcache\dxapi.sys : 10,496 : 04/14/2008 07:00 AM : fe97d0343acfdebdd578fc67cc91fa87 [Pos Repl]

* C:\WINDOWS\System32\drivers\dxg.sys : 71,168 : 04/14/2008 07:00 AM : ac7280566a7bb85cb3291f04ddc1198e [NoSig]
+-> C:\WINDOWS\system32\dllcache\dxg.sys : 71,168 : 04/14/2008 07:00 AM : ac7280566a7bb85cb3291f04ddc1198e [Pos Repl]

* C:\WINDOWS\System32\drivers\dxgthk.sys : 3,328 : 04/14/2008 07:00 AM : a73f5d6705b1d820c19b18782e176efd [NoSig]
+-> C:\WINDOWS\system32\dllcache\dxgthk.sys : 3,328 : 04/14/2008 07:00 AM : a73f5d6705b1d820c19b18782e176efd [Pos Repl]

* C:\WINDOWS\System32\drivers\fastfat.sys : 143,744 : 04/14/2008 07:00 AM : 38d332a6d56af32635675f132548343e [NoSig]
+-> C:\WINDOWS\system32\dllcache\fastfat.sys : 143,744 : 04/14/2008 07:00 AM : 38d332a6d56af32635675f132548343e [Pos Repl]

* C:\WINDOWS\System32\drivers\fdc.sys : 27,392 : 04/14/2008 07:00 AM : 92cdd60b6730b9f50f6a1a0c1f8cdc81 [NoSig]
+-> C:\WINDOWS\system32\dllcache\fdc.sys : 27,392 : 04/14/2008 07:00 AM : 92cdd60b6730b9f50f6a1a0c1f8cdc81 [Pos Repl]

* C:\WINDOWS\System32\drivers\fips.sys : 44,544 : 04/14/2008 07:00 AM : d45926117eb9fa946a6af572fbe1caa3 [NoSig]
+-> C:\WINDOWS\system32\dllcache\fips.sys : 44,544 : 04/14/2008 07:00 AM : d45926117eb9fa946a6af572fbe1caa3 [Pos Repl]

* C:\WINDOWS\System32\drivers\flpydisk.sys : 20,480 : 04/14/2008 07:00 AM : 9d27e7b80bfcdf1cdd9b555862d5e7f0 [NoSig]
+-> C:\WINDOWS\system32\dllcache\flpydisk.sys : 20,480 : 04/14/2008 07:00 AM : 9d27e7b80bfcdf1cdd9b555862d5e7f0 [Pos Repl]

* C:\WINDOWS\System32\drivers\fltMgr.sys : 129,792 : 04/14/2008 07:00 AM : b2cf4b0786f8212cb92ed2b50c6db6b0 [NoSig]
+-> C:\WINDOWS\system32\dllcache\fltmgr.sys : 129,792 : 04/14/2008 07:00 AM : b2cf4b0786f8212cb92ed2b50c6db6b0 [Pos Repl]

* C:\WINDOWS\System32\drivers\fs_rec.sys : 7,936 : 04/14/2008 07:00 AM : 3e1e2bd4f39b0e2b7dc4f4d2bcc2779a [NoSig]
+-> C:\WINDOWS\system32\dllcache\fs_rec.sys : 7,936 : 04/14/2008 07:00 AM : 3e1e2bd4f39b0e2b7dc4f4d2bcc2779a [Pos Repl]

* C:\WINDOWS\System32\drivers\fsvga.sys : 12,160 : 04/14/2008 07:00 AM : 455f778ee14368468560bd7cb8c854d0 [NoSig]
+-> C:\WINDOWS\system32\dllcache\fsvga.sys : 12,160 : 04/14/2008 07:00 AM : 455f778ee14368468560bd7cb8c854d0 [Pos Repl]

* C:\WINDOWS\System32\drivers\ftdisk.sys : 125,056 : 04/14/2008 07:00 AM : 6ac26732762483366c3969c9e4d2259d [NoSig]
+-> C:\WINDOWS\system32\dllcache\ftdisk.sys : 125,056 : 04/14/2008 07:00 AM : 6ac26732762483366c3969c9e4d2259d [Pos Repl]

* C:\WINDOWS\System32\drivers\hidclass.sys : 36,864 : 04/14/2008 07:00 AM : 1af592532532a402ed7c060f6954004f [NoSig]
+-> C:\WINDOWS\system32\dllcache\hidclass.sys : 36,864 : 04/14/2008 07:00 AM : 1af592532532a402ed7c060f6954004f [Pos Repl]

* C:\WINDOWS\System32\drivers\hidparse.sys : 25,088 : 07/02/2013 09:12 PM : c569ef030b11f896e123a30ac92678db [NoSig]
+-> C:\WINDOWS\$NtUninstallKB2862335$\hidparse.sys : 24,960 : 04/14/2008 07:00 AM : 96eccf28fdbf1b2cc12725818a63628d [Pos Repl]
+-> C:\WINDOWS\Driver Cache\i386\hidparse.sys : 25,088 : 07/02/2013 09:12 PM : c569ef030b11f896e123a30ac92678db [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\80d0a80404d440ef21afe2a803e22ea8\SP3QFE\hidparse.sys : 25,088 : 07/02/2013 09:12 PM : c569ef030b11f896e123a30ac92678db [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\hidparse.sys : 25,088 : 07/02/2013 09:12 PM : c569ef030b11f896e123a30ac92678db [Pos Repl]

* C:\WINDOWS\System32\drivers\hidusb.sys : 10,368 : 04/13/2008 11:15 PM : ccf82c5ec8a7326c3066de870c06daf1 [NoSig]
+-> C:\WINDOWS\system32\dllcache\hidusb.sys : 10,368 : 04/13/2008 11:15 PM : ccf82c5ec8a7326c3066de870c06daf1 [Pos Repl]

* C:\WINDOWS\System32\drivers\http.sys : 265,728 : 10/20/2009 11:20 AM : f80a415ef82cd06ffaf0d971528ead38 [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB970430\SP3QFE\http.sys : 265,728 : 10/20/2009 10:21 AM : 937031c085718c1c04a9c0864625ec6b [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB970430$\http.sys : 264,832 : 04/14/2008 07:00 AM : f6aacf5bce2893e0c1754afeb672e5c9 [Pos Repl]
+-> C:\WINDOWS\Driver Cache\i386\http.sys : 265,728 : 10/20/2009 11:20 AM : f80a415ef82cd06ffaf0d971528ead38 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\http.sys : 265,728 : 10/20/2009 11:20 AM : f80a415ef82cd06ffaf0d971528ead38 [Pos Repl]

* C:\WINDOWS\System32\drivers\i8042prt.sys : 52,480 : 04/14/2008 07:00 AM : 4a0b06aa8943c1e332520f7440c0aa30 [NoSig]
+-> C:\WINDOWS\system32\dllcache\i8042prt.sys : 52,480 : 04/14/2008 07:00 AM : 4a0b06aa8943c1e332520f7440c0aa30 [Pos Repl]

* C:\WINDOWS\System32\drivers\imapi.sys : 42,112 : 04/14/2008 07:00 AM : 083a052659f5310dd8b6a6cb05edcf8e [NoSig]
+-> C:\WINDOWS\system32\dllcache\imapi.sys : 42,112 : 04/14/2008 07:00 AM : 083a052659f5310dd8b6a6cb05edcf8e [Pos Repl]

* C:\WINDOWS\System32\drivers\intelppm.sys : 36,352 : 04/14/2008 07:00 AM : 8c953733d8f36eb2133f5bb58808b66b [NoSig]
+-> C:\WINDOWS\system32\dllcache\intelppm.sys : 36,352 : 04/14/2008 07:00 AM : 8c953733d8f36eb2133f5bb58808b66b [Pos Repl]

* C:\WINDOWS\System32\drivers\ip6fw.sys : 36,608 : 04/14/2008 07:00 AM : 3bb22519a194418d5fec05d800a19ad0 [NoSig]
+-> C:\WINDOWS\erdnt\cache\ip6fw.sys : 36,608 : 04/14/2008 07:00 AM : 3bb22519a194418d5fec05d800a19ad0 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\ip6fw.sys : 36,608 : 04/14/2008 07:00 AM : 3bb22519a194418d5fec05d800a19ad0 [Pos Repl]

* C:\WINDOWS\System32\drivers\ipfltdrv.sys : 32,896 : 04/14/2008 07:00 AM : 731f22ba402ee4b62748adaf6363c182 [NoSig]
+-> C:\WINDOWS\system32\dllcache\ipfltdrv.sys : 32,896 : 04/14/2008 07:00 AM : 731f22ba402ee4b62748adaf6363c182 [Pos Repl]

* C:\WINDOWS\System32\drivers\ipinip.sys : 20,864 : 04/14/2008 07:00 AM : b87ab476dcf76e72010632b5550955f5 [NoSig]
+-> C:\WINDOWS\system32\dllcache\ipinip.sys : 20,864 : 04/14/2008 07:00 AM : b87ab476dcf76e72010632b5550955f5 [Pos Repl]

* C:\WINDOWS\System32\drivers\ipnat.sys : 152,832 : 04/14/2008 07:00 AM : cc748ea12c6effde940ee98098bf96bb [NoSig]
+-> C:\WINDOWS\system32\dllcache\ipnat.sys : 152,832 : 04/14/2008 07:00 AM : cc748ea12c6effde940ee98098bf96bb [Pos Repl]

* C:\WINDOWS\System32\drivers\ipsec.sys : 75,264 : 04/14/2008 07:00 AM : 23c74d75e36e7158768dd63d92789a91 [NoSig]
+-> C:\WINDOWS\erdnt\cache\ipsec.sys : 75,264 : 04/14/2008 07:00 AM : 23c74d75e36e7158768dd63d92789a91 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\ipsec.sys : 75,264 : 04/14/2008 07:00 AM : 23c74d75e36e7158768dd63d92789a91 [Pos Repl]

* C:\WINDOWS\System32\drivers\irenum.sys : 11,264 : 04/14/2008 07:00 AM : c93c9ff7b04d772627a3646d89f7bf89 [NoSig]
+-> C:\WINDOWS\system32\dllcache\irenum.sys : 11,264 : 04/14/2008 07:00 AM : c93c9ff7b04d772627a3646d89f7bf89 [Pos Repl]

* C:\WINDOWS\System32\drivers\isapnp.sys : 37,248 : 04/14/2008 07:00 AM : 05a299ec56e52649b1cf2fc52d20f2d7 [NoSig]
+-> C:\WINDOWS\system32\dllcache\isapnp.sys : 37,248 : 04/14/2008 07:00 AM : 05a299ec56e52649b1cf2fc52d20f2d7 [Pos Repl]

* C:\WINDOWS\System32\drivers\kbdclass.sys : 24,576 : 04/14/2008 07:00 AM : 463c1ec80cd17420a542b7f36a36f128 [NoSig]
+-> C:\WINDOWS\erdnt\cache\kbdclass.sys : 24,576 : 04/14/2008 07:00 AM : 463c1ec80cd17420a542b7f36a36f128 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\kbdclass.sys : 24,576 : 04/14/2008 07:00 AM : 463c1ec80cd17420a542b7f36a36f128 [Pos Repl]

* C:\WINDOWS\System32\drivers\kmixer.sys : 172,416 : 04/14/2008 07:00 AM : 692bcf44383d056aed41b045a323d378 [NoSig]
+-> C:\WINDOWS\system32\dllcache\kmixer.sys : 172,416 : 04/14/2008 07:00 AM : 692bcf44383d056aed41b045a323d378 [Pos Repl]

* C:\WINDOWS\System32\drivers\ksecdd.sys : 92,928 : 06/24/2009 06:18 AM : b467646c54cc746128904e1654c750c1 [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB968389\SP3QFE\ksecdd.sys : 92,928 : 06/24/2009 05:28 AM : c6ebf1d6ad71df30db49b8d3287e1368 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB968389$\ksecdd.sys : 92,288 : 04/14/2008 07:00 AM : 1705745d900dabf2d89f90ebaddc7517 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\ksecdd.sys : 92,928 : 06/24/2009 06:18 AM : b467646c54cc746128904e1654c750c1 [Pos Repl]

* C:\WINDOWS\System32\drivers\ks.sys : 141,056 : 04/13/2008 11:46 PM : 0753515f78df7f271a5e61c20bcd36a1 [NoSig]
+-> C:\WINDOWS\system32\dllcache\ks.sys : 141,056 : 04/13/2008 11:46 PM : 0753515f78df7f271a5e61c20bcd36a1 [Pos Repl]

* C:\WINDOWS\System32\drivers\mcd.sys : 7,680 : 04/14/2008 07:00 AM : d1f8be91ed4ddb671d42e473e3fe71ab [NoSig]
+-> C:\WINDOWS\system32\dllcache\mcd.sys : 7,680 : 04/14/2008 07:00 AM : d1f8be91ed4ddb671d42e473e3fe71ab [Pos Repl]

* C:\WINDOWS\System32\drivers\mf.sys : 63,744 : 04/14/2008 07:00 AM : a7da20ab18a1bdae28b0f349e57da0d1 [NoSig]
+-> C:\WINDOWS\system32\dllcache\mf.sys : 63,744 : 04/14/2008 07:00 AM : a7da20ab18a1bdae28b0f349e57da0d1 [Pos Repl]

* C:\WINDOWS\System32\drivers\mnmdd.sys : 4,224 : 04/14/2008 07:00 AM : 4ae068242760a1fb6e1a44bf4e16afa6 [NoSig]
+-> C:\WINDOWS\system32\dllcache\mnmdd.sys : 4,224 : 04/14/2008 07:00 AM : 4ae068242760a1fb6e1a44bf4e16afa6 [Pos Repl]

* C:\WINDOWS\System32\drivers\modem.sys : 30,080 : 04/14/2008 07:00 AM : dfcbad3cec1c5f964962ae10e0bcc8e1 [NoSig]
+-> C:\WINDOWS\system32\dllcache\modem.sys : 30,080 : 04/14/2008 07:00 AM : dfcbad3cec1c5f964962ae10e0bcc8e1 [Pos Repl]

* C:\WINDOWS\System32\drivers\mouclass.sys : 23,040 : 04/14/2008 07:00 AM : 35c9e97194c8cfb8430125f8dbc34d04 [NoSig]
+-> C:\WINDOWS\system32\dllcache\mouclass.sys : 23,040 : 04/14/2008 07:00 AM : 35c9e97194c8cfb8430125f8dbc34d04 [Pos Repl]

* C:\WINDOWS\System32\drivers\mouhid.sys : 12,160 : 08/17/2001 12:48 AM : b1c303e17fb9d46e87a98e4ba6769685 [NoSig]
+-> C:\WINDOWS\system32\dllcache\mouhid.sys : 12,160 : 08/17/2001 12:48 AM : b1c303e17fb9d46e87a98e4ba6769685 [Pos Repl]

* C:\WINDOWS\System32\drivers\mountmgr.sys : 42,368 : 04/14/2008 07:00 AM : a80b9a0bad1b73637dbcbba7df72d3fd [NoSig]
+-> C:\WINDOWS\system32\dllcache\mountmgr.sys : 42,368 : 04/14/2008 07:00 AM : a80b9a0bad1b73637dbcbba7df72d3fd [Pos Repl]

* C:\WINDOWS\System32\drivers\mrxdav.sys : 180,608 : 04/14/2008 07:00 AM : 11d42bb6206f33fbb3ba0288d3ef81bd [NoSig]
+-> C:\WINDOWS\system32\dllcache\mrxdav.sys : 180,608 : 04/14/2008 07:00 AM : 11d42bb6206f33fbb3ba0288d3ef81bd [Pos Repl]

* C:\WINDOWS\System32\drivers\mrxsmb.sys : 456,320 : 07/15/2011 08:29 AM : 7d304a5eb4344ebeeab53a2fe3ffb9f0 [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB2536276-v2\SP3QFE\mrxsmb.sys : 457,856 : 07/15/2011 08:29 AM : fb2fccc70f7174c7bf64f48e96d3adf4 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB2536276-v2$\mrxsmb.sys : 456,576 : 04/14/2008 07:00 AM : 68755f0ff16070178b54674fe5b847b0 [Pos Repl]
+-> C:\WINDOWS\Driver Cache\i386\mrxsmb.sys : 456,320 : 07/15/2011 08:29 AM : 7d304a5eb4344ebeeab53a2fe3ffb9f0 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\mrxsmb.sys : 456,320 : 07/15/2011 08:29 AM : 7d304a5eb4344ebeeab53a2fe3ffb9f0 [Pos Repl]

* C:\WINDOWS\System32\drivers\msfs.sys : 19,072 : 04/14/2008 07:00 AM : c941ea2454ba8350021d774daf0f1027 [NoSig]
+-> C:\WINDOWS\system32\dllcache\msfs.sys : 19,072 : 04/14/2008 07:00 AM : c941ea2454ba8350021d774daf0f1027 [Pos Repl]

* C:\WINDOWS\System32\drivers\msgpc.sys : 35,072 : 04/14/2008 07:00 AM : 0a02c63c8b144bd8c86b103dee7c86a2 [NoSig]
+-> C:\WINDOWS\system32\dllcache\msgpc.sys : 35,072 : 04/14/2008 07:00 AM : 0a02c63c8b144bd8c86b103dee7c86a2 [Pos Repl]

* C:\WINDOWS\System32\drivers\MSKSSRV.sys : 7,552 : 04/13/2008 11:09 PM : d1575e71568f4d9e14ca56b7b0453bf1 [NoSig]
+-> C:\WINDOWS\system32\dllcache\mskssrv.sys : 7,552 : 04/13/2008 11:09 PM : d1575e71568f4d9e14ca56b7b0453bf1 [Pos Repl]

* C:\WINDOWS\System32\drivers\MSPCLOCK.sys : 5,376 : 04/13/2008 11:09 PM : 325bb26842fc7ccc1fcce2c457317f3e [NoSig]
+-> C:\WINDOWS\system32\dllcache\mspclock.sys : 5,376 : 04/13/2008 11:09 PM : 325bb26842fc7ccc1fcce2c457317f3e [Pos Repl]

* C:\WINDOWS\System32\drivers\MSPQM.sys : 4,992 : 04/13/2008 11:09 PM : bad59648ba099da4a17680b39730cb3d [NoSig]
+-> C:\WINDOWS\system32\dllcache\mspqm.sys : 4,992 : 04/13/2008 11:09 PM : bad59648ba099da4a17680b39730cb3d [Pos Repl]

* C:\WINDOWS\System32\drivers\mssmbios.sys : 15,488 : 04/14/2008 07:00 AM : af5f4f3f14a8ea2c26de30f7a1e17136 [NoSig]
+-> C:\WINDOWS\system32\dllcache\mssmbios.sys : 15,488 : 04/14/2008 07:00 AM : af5f4f3f14a8ea2c26de30f7a1e17136 [Pos Repl]

* C:\WINDOWS\System32\drivers\mup.sys : 105,472 : 04/21/2011 08:37 AM : de6a75f5c270e756c5508d94b6cf68f5 [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB2535512\SP3QFE\mup.sys : 105,472 : 04/21/2011 08:52 AM : f7b1ad991491f02af6da70b00b8bf114 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB2535512$\mup.sys : 105,344 : 04/14/2008 07:00 AM : 2f625d11385b1a94360bfc70aaefdee1 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\mup.sys : 105,472 : 04/21/2011 08:37 AM : de6a75f5c270e756c5508d94b6cf68f5 [Pos Repl]

* C:\WINDOWS\System32\drivers\ndis.sys : 182,656 : 04/14/2008 07:00 AM : 1df7f42665c94b825322fae71721130d [NoSig]
+-> C:\WINDOWS\erdnt\cache\ndis.sys : 182,656 : 04/14/2008 07:00 AM : 1df7f42665c94b825322fae71721130d [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\ndis.sys : 182,656 : 04/14/2008 07:00 AM : 1df7f42665c94b825322fae71721130d [Pos Repl]

* C:\WINDOWS\System32\drivers\ndistapi.sys : 10,496 : 07/08/2011 09:02 AM : 0109c4f3850dfbab279542515386ae22 [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB2566454\SP3QFE\ndistapi.sys : 10,496 : 07/08/2011 08:51 AM : 091735a5f20acb1dc147383a905ae002 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB2566454$\ndistapi.sys : 10,112 : 04/14/2008 07:00 AM : 1ab3d00c991ab086e69db84b6c0ed78f [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\ndistapi.sys : 10,496 : 07/08/2011 09:02 AM : 0109c4f3850dfbab279542515386ae22 [Pos Repl]

* C:\WINDOWS\System32\drivers\ndisuio.sys : 14,592 : 04/14/2008 07:00 AM : f927a4434c5028758a842943ef1a3849 [NoSig]
+-> C:\WINDOWS\system32\dllcache\ndisuio.sys : 14,592 : 04/14/2008 07:00 AM : f927a4434c5028758a842943ef1a3849 [Pos Repl]

* C:\WINDOWS\System32\drivers\ndiswan.sys : 91,520 : 04/14/2008 07:00 AM : edc1531a49c80614b2cfda43ca8659ab [NoSig]
+-> C:\WINDOWS\system32\dllcache\ndiswan.sys : 91,520 : 04/14/2008 07:00 AM : edc1531a49c80614b2cfda43ca8659ab [Pos Repl]

* C:\WINDOWS\System32\drivers\ndproxy.sys : 40,960 : 11/02/2010 10:17 AM : 9282bd12dfb069d3889eb3fcc1000a9b [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB2440591\SP3QFE\ndproxy.sys : 40,960 : 11/03/2010 00:55 AM : 816460bd4b4acd27937d1d0813e2e9e9 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB2440591$\ndproxy.sys : 40,576 : 04/14/2008 07:00 AM : 6215023940cfd3702b46abc304e1d45a [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\ndproxy.sys : 40,960 : 11/02/2010 10:17 AM : 9282bd12dfb069d3889eb3fcc1000a9b [Pos Repl]

* C:\WINDOWS\System32\drivers\netbios.sys : 34,688 : 04/14/2008 07:00 AM : 5d81cf9a2f1a3a756b66cf684911cdf0 [NoSig]
+-> C:\WINDOWS\system32\dllcache\netbios.sys : 34,688 : 04/14/2008 07:00 AM : 5d81cf9a2f1a3a756b66cf684911cdf0 [Pos Repl]

* C:\WINDOWS\System32\drivers\netbt.sys : 162,816 : 04/14/2008 07:00 AM : 74b2b2f5bea5e9a3dc021d685551bd3d [NoSig]
+-> C:\WINDOWS\system32\dllcache\netbt.sys : 162,816 : 04/14/2008 07:00 AM : 74b2b2f5bea5e9a3dc021d685551bd3d [Pos Repl]

* C:\WINDOWS\System32\drivers\nic1394.sys : 61,824 : 04/14/2008 07:00 AM : e9e47cfb2d461fa0fc75b7a74c6383ea [NoSig]
+-> C:\WINDOWS\system32\dllcache\nic1394.sys : 61,824 : 04/14/2008 07:00 AM : e9e47cfb2d461fa0fc75b7a74c6383ea [Pos Repl]

* C:\WINDOWS\System32\drivers\nikedrv.sys : 12,032 : 04/14/2008 07:00 AM : be984d604d91c217355cdd3737aad25d [NoSig]
+-> C:\WINDOWS\system32\dllcache\nikedrv.sys : 12,032 : 04/14/2008 07:00 AM : be984d604d91c217355cdd3737aad25d [Pos Repl]

* C:\WINDOWS\System32\drivers\nmnt.sys : 40,320 : 04/14/2008 07:00 AM : 1e421a6bcf2203cc61b821ada9de878b [NoSig]
+-> C:\WINDOWS\system32\dllcache\nmnt.sys : 40,320 : 04/14/2008 07:00 AM : 1e421a6bcf2203cc61b821ada9de878b [Pos Repl]

* C:\WINDOWS\System32\drivers\npfs.sys : 30,848 : 04/14/2008 07:00 AM : 3182d64ae053d6fb034f44b6def8034a [NoSig]
+-> C:\WINDOWS\system32\dllcache\npfs.sys : 30,848 : 04/14/2008 07:00 AM : 3182d64ae053d6fb034f44b6def8034a [Pos Repl]

* C:\WINDOWS\System32\drivers\ntfs.sys : 574,976 : 04/14/2008 07:00 AM : 78a08dd6a8d65e697c18e1db01c5cdca [NoSig]
+-> C:\WINDOWS\erdnt\cache\ntfs.sys : 574,976 : 04/14/2008 07:00 AM : 78a08dd6a8d65e697c18e1db01c5cdca [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\ntfs.sys : 574,976 : 04/14/2008 07:00 AM : 78a08dd6a8d65e697c18e1db01c5cdca [Pos Repl]

* C:\WINDOWS\System32\drivers\null.sys : 2,944 : 04/14/2008 07:00 AM : 73c1e1f395918bc2c6dd67af7591a3ad [NoSig]
+-> C:\WINDOWS\erdnt\cache\null.sys : 2,944 : 04/14/2008 07:00 AM : 73c1e1f395918bc2c6dd67af7591a3ad [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\null.sys : 2,944 : 04/14/2008 07:00 AM : 73c1e1f395918bc2c6dd67af7591a3ad [Pos Repl]

* C:\WINDOWS\System32\drivers\nwlnkflt.sys : 12,416 : 04/14/2008 07:00 AM : b305f3fad35083837ef46a0bbce2fc57 [NoSig]
+-> C:\WINDOWS\system32\dllcache\nwlnkflt.sys : 12,416 : 04/14/2008 07:00 AM : b305f3fad35083837ef46a0bbce2fc57 [Pos Repl]

* C:\WINDOWS\System32\drivers\nwlnkfwd.sys : 32,512 : 04/14/2008 07:00 AM : c99b3415198d1aab7227f2c88fd664b9 [NoSig]
+-> C:\WINDOWS\system32\dllcache\nwlnkfwd.sys : 32,512 : 04/14/2008 07:00 AM : c99b3415198d1aab7227f2c88fd664b9 [Pos Repl]

* C:\WINDOWS\System32\drivers\nwlnkipx.sys : 88,320 : 04/14/2008 07:00 AM : 8b8b1be2dba4025da6786c645f77f123 [NoSig]
+-> C:\WINDOWS\system32\dllcache\nwlnkipx.sys : 88,320 : 04/14/2008 07:00 AM : 8b8b1be2dba4025da6786c645f77f123 [Pos Repl]

* C:\WINDOWS\System32\drivers\nwlnknb.sys : 63,232 : 04/14/2008 07:00 AM : 56d34a67c05e94e16377c60609741ff8 [NoSig]
+-> C:\WINDOWS\system32\dllcache\nwlnknb.sys : 63,232 : 04/14/2008 07:00 AM : 56d34a67c05e94e16377c60609741ff8 [Pos Repl]

* C:\WINDOWS\System32\drivers\nwlnkspx.sys : 55,936 : 04/14/2008 07:00 AM : c0bb7d1615e1acbdc99757f6ceaf8cf0 [NoSig]
+-> C:\WINDOWS\system32\dllcache\nwlnkspx.sys : 55,936 : 04/14/2008 07:00 AM : c0bb7d1615e1acbdc99757f6ceaf8cf0 [Pos Repl]

* C:\WINDOWS\System32\drivers\oprghdlr.sys : 3,456 : 04/14/2008 07:00 AM : 4bb30ddc53ebc76895e38694580cdfe9 [NoSig]
+-> C:\WINDOWS\system32\dllcache\oprghdlr.sys : 3,456 : 04/14/2008 07:00 AM : 4bb30ddc53ebc76895e38694580cdfe9 [Pos Repl]

* C:\WINDOWS\System32\drivers\p3.sys : 42,752 : 04/14/2008 07:00 AM : c90018bafdc7098619a4a95b046b30f3 [NoSig]
+-> C:\WINDOWS\system32\dllcache\p3.sys : 42,752 : 04/14/2008 07:00 AM : c90018bafdc7098619a4a95b046b30f3 [Pos Repl]

* C:\WINDOWS\System32\drivers\parport.sys : 80,128 : 04/14/2008 07:00 AM : 5575faf8f97ce5e713d108c2a58d7c7c [NoSig]
+-> C:\WINDOWS\system32\dllcache\parport.sys : 80,128 : 04/14/2008 07:00 AM : 5575faf8f97ce5e713d108c2a58d7c7c [Pos Repl]

* C:\WINDOWS\System32\drivers\partmgr.sys : 19,712 : 04/14/2008 07:00 AM : beb3ba25197665d82ec7065b724171c6 [NoSig]
+-> C:\WINDOWS\system32\dllcache\partmgr.sys : 19,712 : 04/14/2008 07:00 AM : beb3ba25197665d82ec7065b724171c6 [Pos Repl]

* C:\WINDOWS\System32\drivers\parvdm.sys : 6,784 : 04/14/2008 07:00 AM : 70e98b3fd8e963a6a46a2e6247e0bea1 [NoSig]
+-> C:\WINDOWS\system32\dllcache\parvdm.sys : 6,784 : 04/14/2008 07:00 AM : 70e98b3fd8e963a6a46a2e6247e0bea1 [Pos Repl]

* C:\WINDOWS\System32\drivers\pciidex.sys : 24,960 : 04/14/2008 07:00 AM : 52e60f29221d0d1ac16737e8dbf7c3e9 [NoSig]
+-> C:\WINDOWS\system32\dllcache\pciidex.sys : 24,960 : 04/14/2008 07:00 AM : 52e60f29221d0d1ac16737e8dbf7c3e9 [Pos Repl]

* C:\WINDOWS\System32\drivers\pci.sys : 68,224 : 04/14/2008 07:00 AM : a219903ccf74233761d92bef471a07b1 [NoSig]
+-> C:\WINDOWS\system32\dllcache\pci.sys : 68,224 : 04/14/2008 07:00 AM : a219903ccf74233761d92bef471a07b1 [Pos Repl]

* C:\WINDOWS\System32\drivers\pcmcia.sys : 120,192 : 04/14/2008 07:00 AM : 9e89ef60e9ee05e3f2eef2da7397f1c1 [NoSig]
+-> C:\WINDOWS\system32\dllcache\pcmcia.sys : 120,192 : 04/14/2008 07:00 AM : 9e89ef60e9ee05e3f2eef2da7397f1c1 [Pos Repl]

* C:\WINDOWS\System32\drivers\portcls.sys : 146,048 : 04/13/2008 11:49 PM : e82a496c3961efc6828b508c310ce98f [NoSig]
+-> C:\WINDOWS\system32\dllcache\portcls.sys : 146,048 : 04/13/2008 11:49 PM : e82a496c3961efc6828b508c310ce98f [Pos Repl]

* C:\WINDOWS\System32\drivers\processr.sys : 35,840 : 04/14/2008 07:00 AM : a32bebaf723557681bfc6bd93e98bd26 [NoSig]
+-> C:\WINDOWS\system32\dllcache\processr.sys : 35,840 : 04/14/2008 07:00 AM : a32bebaf723557681bfc6bd93e98bd26 [Pos Repl]

* C:\WINDOWS\System32\drivers\psched.sys : 69,120 : 04/14/2008 07:00 AM : 09298ec810b07e5d582cb3a3f9255424 [NoSig]
+-> C:\WINDOWS\system32\dllcache\psched.sys : 69,120 : 04/14/2008 07:00 AM : 09298ec810b07e5d582cb3a3f9255424 [Pos Repl]

* C:\WINDOWS\System32\drivers\ptilink.sys : 17,792 : 04/14/2008 07:00 AM : 80d317bd1c3dbc5d4fe7b1678c60cadd [NoSig]
+-> C:\WINDOWS\system32\dllcache\ptilink.sys : 17,792 : 04/14/2008 07:00 AM : 80d317bd1c3dbc5d4fe7b1678c60cadd [Pos Repl]

* C:\WINDOWS\System32\drivers\rasacd.sys : 8,832 : 04/14/2008 07:00 AM : fe0d99d6f31e4fad8159f690d68ded9c [NoSig]
+-> C:\WINDOWS\system32\dllcache\rasacd.sys : 8,832 : 04/14/2008 07:00 AM : fe0d99d6f31e4fad8159f690d68ded9c [Pos Repl]

* C:\WINDOWS\System32\drivers\rasl2tp.sys : 51,328 : 04/14/2008 07:00 AM : 11b4a627bc9614b885c4969bfa5ff8a6 [NoSig]
+-> C:\WINDOWS\system32\dllcache\rasl2tp.sys : 51,328 : 04/14/2008 07:00 AM : 11b4a627bc9614b885c4969bfa5ff8a6 [Pos Repl]

* C:\WINDOWS\System32\drivers\raspppoe.sys : 41,472 : 04/14/2008 07:00 AM : 5bc962f2654137c9909c3d4603587dee [NoSig]
+-> C:\WINDOWS\system32\dllcache\raspppoe.sys : 41,472 : 04/14/2008 07:00 AM : 5bc962f2654137c9909c3d4603587dee [Pos Repl]

* C:\WINDOWS\System32\drivers\raspptp.sys : 48,384 : 04/14/2008 07:00 AM : efeec01b1d3cf84f16ddd24d9d9d8f99 [NoSig]
+-> C:\WINDOWS\system32\dllcache\raspptp.sys : 48,384 : 04/14/2008 07:00 AM : efeec01b1d3cf84f16ddd24d9d9d8f99 [Pos Repl]

* C:\WINDOWS\System32\drivers\raspti.sys : 16,512 : 04/14/2008 07:00 AM : fdbb1d60066fcfbb7452fd8f9829b242 [NoSig]
+-> C:\WINDOWS\system32\dllcache\raspti.sys : 16,512 : 04/14/2008 07:00 AM : fdbb1d60066fcfbb7452fd8f9829b242 [Pos Repl]

* C:\WINDOWS\System32\drivers\rawwan.sys : 34,432 : 04/14/2008 07:00 AM : 01524cd237223b18adbb48f70083f101 [NoSig]
+-> C:\WINDOWS\system32\dllcache\rawwan.sys : 34,432 : 04/14/2008 07:00 AM : 01524cd237223b18adbb48f70083f101 [Pos Repl]

* C:\WINDOWS\System32\drivers\rdbss.sys : 175,744 : 04/14/2008 07:00 AM : 7ad224ad1a1437fe28d89cf22b17780a [NoSig]
+-> C:\WINDOWS\system32\dllcache\rdbss.sys : 175,744 : 04/14/2008 07:00 AM : 7ad224ad1a1437fe28d89cf22b17780a [Pos Repl]

* C:\WINDOWS\System32\drivers\rdpcdd.sys : 4,224 : 04/14/2008 07:00 AM : 4912d5b403614ce99c28420f75353332 [NoSig]
+-> C:\WINDOWS\system32\dllcache\rdpcdd.sys : 4,224 : 04/14/2008 07:00 AM : 4912d5b403614ce99c28420f75353332 [Pos Repl]

* C:\WINDOWS\System32\drivers\rdpdr.sys : 196,224 : 04/13/2008 11:02 PM : 15cabd0f7c00c47c70124907916af3f1 [NoSig]
+-> C:\WINDOWS\system32\dllcache\rdpdr.sys : 196,224 : 04/13/2008 11:02 PM : 15cabd0f7c00c47c70124907916af3f1 [Pos Repl]

* C:\WINDOWS\System32\drivers\rdpwd.sys : 139,784 : 07/04/2012 09:05 AM : 43af5212bd8fb5ba6eed9754358bd8f7 [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB2723135-v2\SP3QFE\rdpwd.sys : 139,784 : 07/04/2012 08:59 AM : c7d9bc54354b8c706abf172d48313f1b [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB2723135-v2$\rdpwd.sys : 139,656 : 04/14/2008 07:00 AM : 6728e45b66f93c08f11de2e316fc70dd [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\rdpwd.sys : 139,784 : 07/04/2012 09:05 AM : 43af5212bd8fb5ba6eed9754358bd8f7 [Pos Repl]

* C:\WINDOWS\System32\drivers\redbook.sys : 57,600 : 04/13/2008 11:10 PM : f828dd7e1419b6653894a8f97a0094c5 [NoSig]
+-> C:\WINDOWS\system32\dllcache\redbook.sys : 57,600 : 04/13/2008 11:10 PM : f828dd7e1419b6653894a8f97a0094c5 [Pos Repl]

* C:\WINDOWS\System32\drivers\rmcast.sys : 203,136 : 05/08/2008 09:02 AM : 96f7a9a7bf0c9c0440a967440065d33c [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB950762\SP3QFE\rmcast.sys : 203,136 : 05/08/2008 08:58 AM : c711645c76b8ed87c021bf6165e52795 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB950762$\rmcast.sys : 202,624 : 04/14/2008 07:00 AM : ecff394d65671efde5a872eb9ef4f2d5 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\rmcast.sys : 203,136 : 05/08/2008 09:02 AM : 96f7a9a7bf0c9c0440a967440065d33c [Pos Repl]

* C:\WINDOWS\System32\drivers\rndismp.sys : 30,592 : 04/14/2008 07:00 AM : 601844cbcf617ff8c868130ca5b2039d [NoSig]
+-> C:\WINDOWS\system32\dllcache\rndismp.sys : 30,592 : 04/14/2008 07:00 AM : 601844cbcf617ff8c868130ca5b2039d [Pos Repl]

* C:\WINDOWS\System32\drivers\rootmdm.sys : 5,888 : 04/14/2008 07:00 AM : d8b0b4ade32574b2d9c5cc34dc0dbbe7 [NoSig]
+-> C:\WINDOWS\system32\dllcache\rootmdm.sys : 5,888 : 04/14/2008 07:00 AM : d8b0b4ade32574b2d9c5cc34dc0dbbe7 [Pos Repl]

* C:\WINDOWS\System32\drivers\scsiport.sys : 96,384 : 04/14/2008 07:00 AM : 76c465f570e90c28942d52ccb2580a10 [NoSig]
+-> C:\WINDOWS\system32\dllcache\scsiport.sys : 96,384 : 04/14/2008 07:00 AM : 76c465f570e90c28942d52ccb2580a10 [Pos Repl]

* C:\WINDOWS\System32\drivers\sdbus.sys : 79,232 : 04/14/2008 07:00 AM : 8d04819a3ce51b9eb47e5689b44d43c4 [NoSig]
+-> C:\WINDOWS\system32\dllcache\sdbus.sys : 79,232 : 04/14/2008 07:00 AM : 8d04819a3ce51b9eb47e5689b44d43c4 [Pos Repl]

* C:\WINDOWS\System32\drivers\serenum.sys : 15,744 : 04/14/2008 07:00 AM : 0f29512ccd6bead730039fb4bd2c85ce [NoSig]
+-> C:\WINDOWS\system32\dllcache\serenum.sys : 15,744 : 04/14/2008 07:00 AM : 0f29512ccd6bead730039fb4bd2c85ce [Pos Repl]

* C:\WINDOWS\System32\drivers\serial.sys : 64,512 : 04/14/2008 07:00 AM : cca207a8896d4c6a0c9ce29a4ae411a7 [NoSig]
+-> C:\WINDOWS\system32\dllcache\serial.sys : 64,512 : 04/14/2008 07:00 AM : cca207a8896d4c6a0c9ce29a4ae411a7 [Pos Repl]

* C:\WINDOWS\System32\drivers\sffdisk.sys : 11,904 : 04/14/2008 07:00 AM : 0fa803c64df0914b41f807ea276bf2a6 [NoSig]
+-> C:\WINDOWS\system32\dllcache\sffdisk.sys : 11,904 : 04/14/2008 07:00 AM : 0fa803c64df0914b41f807ea276bf2a6 [Pos Repl]

* C:\WINDOWS\System32\drivers\sffp_sd.sys : 11,008 : 04/14/2008 07:00 AM : c17c331e435ed8737525c86a7557b3ac [NoSig]
+-> C:\WINDOWS\system32\dllcache\sffp_sd.sys : 11,008 : 04/14/2008 07:00 AM : c17c331e435ed8737525c86a7557b3ac [Pos Repl]

* C:\WINDOWS\System32\drivers\sfloppy.sys : 11,392 : 04/14/2008 07:00 AM : 8e6b8c671615d126fdc553d1e2de5562 [NoSig]
+-> C:\WINDOWS\system32\dllcache\sfloppy.sys : 11,392 : 04/14/2008 07:00 AM : 8e6b8c671615d126fdc553d1e2de5562 [Pos Repl]

* C:\WINDOWS\System32\drivers\smclib.sys : 14,592 : 04/14/2008 07:00 AM : 017daecf0ed3aa731313433601ec40fa [NoSig]
+-> C:\WINDOWS\system32\dllcache\smclib.sys : 14,592 : 04/14/2008 07:00 AM : 017daecf0ed3aa731313433601ec40fa [Pos Repl]

* C:\WINDOWS\System32\drivers\sonydcam.sys : 25,344 : 04/14/2008 07:00 AM : 489703624dac94ed943c2abda022a1cd [NoSig]
+-> C:\WINDOWS\system32\dllcache\sonydcam.sys : 25,344 : 04/14/2008 07:00 AM : 489703624dac94ed943c2abda022a1cd [Pos Repl]

* C:\WINDOWS\System32\drivers\splitter.sys : 6,272 : 04/13/2008 11:15 PM : ab8b92451ecb048a4d1de7c3ffcb4a9f [NoSig]
+-> C:\WINDOWS\system32\dllcache\splitter.sys : 6,272 : 04/13/2008 11:15 PM : ab8b92451ecb048a4d1de7c3ffcb4a9f [Pos Repl]

* C:\WINDOWS\System32\drivers\sr.sys : 73,472 : 04/14/2008 07:00 AM : 76bb022c2fb6902fd5bdd4f78fc13a5d [NoSig]
+-> C:\WINDOWS\system32\dllcache\sr.sys : 73,472 : 04/14/2008 07:00 AM : 76bb022c2fb6902fd5bdd4f78fc13a5d [Pos Repl]

* C:\WINDOWS\System32\drivers\srv.sys : 357,888 : 02/17/2011 08:18 AM : 47ddfc2f003f7f9f0592c6874962a2e7 [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB2345886\SP3QFE\srv.sys : 357,248 : 08/26/2010 08:37 AM : 70cd8b8dd2a680b128617c19eb0ab94f [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB2508429\SP3QFE\srv.sys : 357,888 : 02/17/2011 08:19 AM : 9b390283569ea58d43d2586032b892f5 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB2508429$\srv.sys : 334,848 : 04/14/2008 07:00 AM : 5252605079810904e31c332e241cd59b [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\srv.sys : 357,888 : 02/17/2011 08:18 AM : 47ddfc2f003f7f9f0592c6874962a2e7 [Pos Repl]

* C:\WINDOWS\System32\drivers\stream.sys : 49,408 : 04/13/2008 11:15 PM : 3e5d89099ded9e86e5639f411693218f [NoSig]
+-> C:\WINDOWS\system32\dllcache\stream.sys : 49,408 : 04/13/2008 11:15 PM : 3e5d89099ded9e86e5639f411693218f [Pos Repl]

* C:\WINDOWS\System32\drivers\swenum.sys : 4,352 : 04/14/2008 07:00 AM : 3941d127aef12e93addf6fe6ee027e0f [NoSig]
+-> C:\WINDOWS\system32\dllcache\swenum.sys : 4,352 : 04/14/2008 07:00 AM : 3941d127aef12e93addf6fe6ee027e0f [Pos Repl]

* C:\WINDOWS\System32\drivers\swmidi.sys : 56,576 : 04/14/2008 07:00 AM : 8ce882bcc6cf8a62f2b2323d95cb3d01 [NoSig]
+-> C:\WINDOWS\system32\dllcache\swmidi.sys : 56,576 : 04/14/2008 07:00 AM : 8ce882bcc6cf8a62f2b2323d95cb3d01 [Pos Repl]

* C:\WINDOWS\System32\drivers\sysaudio.sys : 60,800 : 04/14/2008 07:00 AM : 8b83f3ed0f1688b4958f77cd6d2bf290 [NoSig]
+-> C:\WINDOWS\system32\dllcache\sysaudio.sys : 60,800 : 04/14/2008 07:00 AM : 8b83f3ed0f1688b4958f77cd6d2bf290 [Pos Repl]

* C:\WINDOWS\System32\drivers\tape.sys : 14,976 : 04/14/2008 07:00 AM : fd6093e3decd925f1cffc8a0dd539d72 [NoSig]
+-> C:\WINDOWS\system32\dllcache\tape.sys : 14,976 : 04/14/2008 07:00 AM : fd6093e3decd925f1cffc8a0dd539d72 [Pos Repl]

* C:\WINDOWS\System32\drivers\tcpip6.sys : 226,880 : 02/11/2010 07:02 AM : 4e53bbcc4be37d7a4bd6ef1098c89ff7 [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\tcpip6.sys : 225,856 : 06/20/2008 06:16 AM : 026a94e4eb2960fdc96a447b5391d56a [Pos Repl]
+-> C:\WINDOWS\$hf_mig$\KB978338\SP3QFE\tcpip6.sys : 226,880 : 02/11/2010 06:36 AM : f4a3c6abe7818b1b53f58fa1adb605cd [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB978338$\tcpip6.sys : 225,664 : 04/14/2008 07:00 AM : aa7a55536096d646dc7ab0ac5641e9e8 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\tcpip6.sys : 226,880 : 02/11/2010 07:02 AM : 4e53bbcc4be37d7a4bd6ef1098c89ff7 [Pos Repl]

* C:\WINDOWS\System32\Drivers\tcpip.sys : 361,600 : 06/20/2008 06:51 AM : 9aefa14bd6b182d61e3119fa5f436d3d [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\tcpip.sys : 361,600 : 06/20/2008 06:59 AM : ad978a1b783b5719720cff204b666c8e [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB2509553$\tcpip.sys : 361,344 : 04/14/2008 07:00 AM : 93ea8d04ec73a85db02eb8805988f733 [Pos Repl]
+-> C:\WINDOWS\erdnt\cache\tcpip.sys : 361,600 : 06/20/2008 06:51 AM : 9aefa14bd6b182d61e3119fa5f436d3d [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\tcpip.sys : 361,600 : 06/20/2008 06:51 AM : 9aefa14bd6b182d61e3119fa5f436d3d [Pos Repl]

* C:\WINDOWS\System32\drivers\tdi.sys : 19,072 : 04/14/2008 07:00 AM : 0539d5e53587f82d1b4fd74c5be205cf [NoSig]
+-> C:\WINDOWS\system32\dllcache\tdi.sys : 19,072 : 04/14/2008 07:00 AM : 0539d5e53587f82d1b4fd74c5be205cf [Pos Repl]

* C:\WINDOWS\System32\drivers\tdpipe.sys : 12,040 : 04/14/2008 07:00 AM : 6471a66807f5e104e4885f5b67349397 [NoSig]
+-> C:\WINDOWS\system32\dllcache\tdpipe.sys : 12,040 : 04/14/2008 07:00 AM : 6471a66807f5e104e4885f5b67349397 [Pos Repl]

* C:\WINDOWS\System32\drivers\tdtcp.sys : 21,896 : 04/14/2008 07:00 AM : c56b6d0402371cf3700eb322ef3aaf61 [NoSig]
+-> C:\WINDOWS\system32\dllcache\tdtcp.sys : 21,896 : 04/14/2008 07:00 AM : c56b6d0402371cf3700eb322ef3aaf61 [Pos Repl]

* C:\WINDOWS\System32\drivers\termdd.sys : 40,840 : 04/14/2008 04:43 AM : 88155247177638048422893737429d9e [NoSig]
+-> C:\WINDOWS\system32\dllcache\termdd.sys : 40,840 : 04/14/2008 04:43 AM : 88155247177638048422893737429d9e [Pos Repl]

* C:\WINDOWS\System32\drivers\tosdvd.sys : 51,712 : 04/14/2008 07:00 AM : 699450901c5ccfd82357cbc531cedd23 [NoSig]
+-> C:\WINDOWS\system32\dllcache\tosdvd.sys : 51,712 : 04/14/2008 07:00 AM : 699450901c5ccfd82357cbc531cedd23 [Pos Repl]

* C:\WINDOWS\System32\drivers\tunmp.sys : 12,288 : 04/14/2008 07:00 AM : 8f861eda21c05857eb8197300a92501c [NoSig]
+-> C:\WINDOWS\system32\dllcache\tunmp.sys : 12,288 : 04/14/2008 07:00 AM : 8f861eda21c05857eb8197300a92501c [Pos Repl]

* C:\WINDOWS\System32\drivers\udfs.sys : 66,048 : 04/14/2008 07:00 AM : 5787b80c2e3c5e2f56c2a233d91fa2c9 [NoSig]
+-> C:\WINDOWS\system32\dllcache\udfs.sys : 66,048 : 04/14/2008 07:00 AM : 5787b80c2e3c5e2f56c2a233d91fa2c9 [Pos Repl]

* C:\WINDOWS\System32\drivers\update.sys : 384,768 : 04/14/2008 07:00 AM : 402ddc88356b1bac0ee3dd1580c76a31 [NoSig]
+-> C:\WINDOWS\system32\dllcache\update.sys : 384,768 : 04/14/2008 07:00 AM : 402ddc88356b1bac0ee3dd1580c76a31 [Pos Repl]

* C:\WINDOWS\System32\drivers\usb8023.sys : 12,928 : 02/11/2013 07:32 PM : 2a7a8ad9d39a2faf9d9293b5daff3a4b [NoSig]
+-> C:\WINDOWS\$hf_mig$\KB2807986\SP3QFE\usb8023.sys : 12,928 : 02/11/2013 07:43 PM : c74f25c77d6c3edf58221e4060d8cd16 [Pos Repl]
+-> C:\WINDOWS\$NtUninstallKB2807986$\usb8023.sys : 12,800 : 04/14/2008 07:00 AM : bee793d4a059caea55d6ac20e19b3a8f [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\usb8023.sys : 12,928 : 02/11/2013 07:32 PM : 2a7a8ad9d39a2faf9d9293b5daff3a4b [Pos Repl]

* C:\WINDOWS\System32\drivers\usbcamd2.sys : 25,728 : 04/14/2008 07:00 AM : ce97845d2e3f0d274b8bac1ed07c6149 [NoSig]
+-> C:\WINDOWS\system32\dllcache\usbcamd2.sys : 25,728 : 04/14/2008 07:00 AM : ce97845d2e3f0d274b8bac1ed07c6149 [Pos Repl]

* C:\WINDOWS\System32\drivers\usbcamd.sys : 25,600 : 04/14/2008 07:00 AM : 1c1a47b40c23358245aa8d0443b6935e [NoSig]
+-> C:\WINDOWS\system32\dllcache\usbcamd.sys : 25,600 : 04/14/2008 07:00 AM : 1c1a47b40c23358245aa8d0443b6935e [Pos Repl]

* C:\WINDOWS\System32\drivers\usbccgp.sys : 32,384 : 08/08/2013 07:55 PM : 1b611611c28d2df25bc057d79c6f13fc [NoSig]
+-> C:\WINDOWS\$NtUninstallKB2862330$\usbccgp.sys : 32,128 : 04/13/2008 11:15 PM : 173f317ce0db8e21322e71b7e60a27e8 [Pos Repl]
+-> C:\WINDOWS\Driver Cache\i386\usbccgp.sys : 32,384 : 08/08/2013 07:55 PM : 1b611611c28d2df25bc057d79c6f13fc [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\102823955b46c36a71487909615a4bf0\SP3QFE\usbccgp.sys : 32,384 : 08/08/2013 07:55 PM : 1b611611c28d2df25bc057d79c6f13fc [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\usbccgp.sys : 32,384 : 08/08/2013 07:55 PM : 1b611611c28d2df25bc057d79c6f13fc [Pos Repl]

* C:\WINDOWS\System32\drivers\usbd.sys : 5,376 : 08/08/2013 07:55 PM : 04fe5ef6ed4818ec4839ea5c611a6310 [NoSig]
+-> C:\WINDOWS\$NtUninstallKB2862330$\usbd.sys : 4,736 : 04/14/2008 07:00 AM : 596eb39b50d6ebd9b734dc4ae0544693 [Pos Repl]
+-> C:\WINDOWS\Driver Cache\i386\usbd.sys : 5,376 : 08/08/2013 07:55 PM : 04fe5ef6ed4818ec4839ea5c611a6310 [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\102823955b46c36a71487909615a4bf0\SP3QFE\usbd.sys : 5,376 : 08/08/2013 07:55 PM : 04fe5ef6ed4818ec4839ea5c611a6310 [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\usbd.sys : 5,376 : 08/08/2013 07:55 PM : 04fe5ef6ed4818ec4839ea5c611a6310 [Pos Repl]

* C:\WINDOWS\System32\drivers\usbehci.sys : 30,336 : 03/18/2009 06:02 AM : 4bac8df07f1d8434fc640e677a62204e [NoSig]
+-> C:\WINDOWS\$NtUninstallKB2862330$\usbehci.sys : 30,208 : 04/14/2008 07:00 AM : 65dcf09d0e37d4c6b11b5b0b76d470a7 [Pos Repl]
+-> C:\WINDOWS\Driver Cache\i386\usbehci.sys : 30,336 : 03/18/2009 06:02 AM : 4bac8df07f1d8434fc640e677a62204e [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\102823955b46c36a71487909615a4bf0\SP3QFE\usbehci.sys : 30,336 : 03/18/2009 06:02 AM : 4bac8df07f1d8434fc640e677a62204e [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\usbehci.sys : 30,336 : 03/18/2009 06:02 AM : 4bac8df07f1d8434fc640e677a62204e [Pos Repl]

* C:\WINDOWS\System32\drivers\usbhub.sys : 59,520 : 04/14/2008 07:00 AM : 1ab3cdde553b6e064d2e754efe20285c [NoSig]
+-> C:\WINDOWS\system32\dllcache\usbhub.sys : 59,520 : 04/14/2008 07:00 AM : 1ab3cdde553b6e064d2e754efe20285c [Pos Repl]

* C:\WINDOWS\System32\drivers\usbintel.sys : 15,872 : 04/14/2008 07:00 AM : 290913dc4f1125e5a82de52579a44c43 [NoSig]
+-> C:\WINDOWS\system32\dllcache\usbintel.sys : 15,872 : 04/14/2008 07:00 AM : 290913dc4f1125e5a82de52579a44c43 [Pos Repl]

* C:\WINDOWS\System32\drivers\usbport.sys : 144,128 : 08/08/2013 07:55 PM : 6df35ca139c3bc15cc74390abb114efe [NoSig]
+-> C:\WINDOWS\$NtUninstallKB2862330$\usbport.sys : 143,872 : 04/14/2008 07:00 AM : 791912e524cc2cc6f50b5f2b52d1eb71 [Pos Repl]
+-> C:\WINDOWS\Driver Cache\i386\usbport.sys : 144,128 : 08/08/2013 07:55 PM : 6df35ca139c3bc15cc74390abb114efe [Pos Repl]
+-> C:\WINDOWS\SoftwareDistribution\Download\102823955b46c36a71487909615a4bf0\SP3QFE\usbport.sys : 144,128 : 08/08/2013 07:55 PM : 6df35ca139c3bc15cc74390abb114efe [Pos Repl]
+-> C:\WINDOWS\system32\dllcache\usbport.sys : 144,128 : 08/08/2013 07:55 PM : 6df35ca139c3bc15cc74390abb114efe [Pos Repl]

* C:\WINDOWS\System32\drivers\USBSTOR.sys : 26,368 : 04/14/2008 07:00 AM : a32426d9b14a089eaa1d922e0c5801a9 [NoSig]
+-> C:\WINDOWS\system32\dllcache\usbstor.sys : 26,368 : 04/14/2008 07:00 AM : a32426d9b14a089eaa1d922e0c5801a9 [Pos Repl]

* C:\WINDOWS\System32\drivers\vga.sys : 20,992 : 04/14/2008 07:00 AM : 0d3a8fafceacd8b7625cd549757a7df1 [NoSig]
+-> C:\WINDOWS\system32\dllcache\vga.sys : 20,992 : 04/14/2008 07:00 AM : 0d3a8fafceacd8b7625cd549757a7df1 [Pos Repl]

* C:\WINDOWS\System32\drivers\videoprt.sys : 81,664 : 04/14/2008 07:00 AM : e28726b72c46821a28830e077d39a55b [NoSig]
+-> C:\WINDOWS\system32\dllcache\videoprt.sys : 81,664 : 04/14/2008 07:00 AM : e28726b72c46821a28830e077d39a55b [Pos Repl]

* C:\WINDOWS\System32\drivers\volsnap.sys : 52,352 : 04/14/2008 07:00 AM : 4c8fcb5cc53aab716d810740fe59d025 [NoSig]
+-> C:\WINDOWS\system32\dllcache\volsnap.sys : 52,352 : 04/14/2008 07:00 AM : 4c8fcb5cc53aab716d810740fe59d025 [Pos Repl]

* C:\WINDOWS\System32\drivers\wanarp.sys : 34,560 : 04/14/2008 07:00 AM : e20b95baedb550f32dd489265c1da1f6 [NoSig]
+-> C:\WINDOWS\system32\dllcache\wanarp.sys : 34,560 : 04/14/2008 07:00 AM : e20b95baedb550f32dd489265c1da1f6 [Pos Repl]

* C:\WINDOWS\System32\drivers\wdmaud.sys : 83,072 : 04/14/2008 07:00 AM : 6768acf64b18196494413695f0c3a00f [NoSig]
+-> C:\WINDOWS\system32\dllcache\wdmaud.sys : 83,072 : 04/14/2008 07:00 AM : 6768acf64b18196494413695f0c3a00f [Pos Repl]

* C:\WINDOWS\System32\drivers\wmilib.sys : 4,352 : 04/14/2008 07:00 AM : 2f31b7f954bed437f2c75026c65caf7b [NoSig]
+-> C:\WINDOWS\system32\dllcache\wmilib.sys : 4,352 : 04/14/2008 07:00 AM : 2f31b7f954bed437f2c75026c65caf7b [Pos Repl]

* C:\WINDOWS\System32\drivers\ws2ifsl.sys : 12,032 : 04/14/2008 07:00 AM : 6abe6e225adb5a751622a9cc3bc19ce8 [NoSig]
+-> C:\WINDOWS\system32\dllcache\ws2ifsl.sys : 12,032 : 04/14/2008 07:00 AM : 6abe6e225adb5a751622a9cc3bc19ce8 [Pos Repl]

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 11/21/2013 03:36:45 PM
Execution time: 0 hours(s), 2 minute(s), and 53 seconds(s)

hiesenberg · November 22, 2013

kevin-

I also found this, "https //$talisma_url$" within my list of IE trusted sites. hopefully this is somewhat of a clue as to what the hell we're fighting here.

kevinf80 · November 22, 2013

https //$talisma_url$ is usually considered to be quite safe, there is no real reason to have it in trusted sites however, you can remove that if you want.

Regarding unsigned files, that is not always an issue and does not mean malicious. The files you list MD5 information does list as clean, not malicious...

Can you run Combofix one more time, make sure to delete the old version and down load fresh version and save to Desktop, run again as before:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

hiesenberg · November 22, 2013

kevin,

ran a fresh download of Combofix in normal mode. during the scan it gave me an error that "PEV.EXE encountered a problem", but it finished scanning with no other issues. yesterday while testing, I let the pc run win-updates.

ComboFix 13-11-22.01 - RICH 11/22/2013 12:48:13.7.1 - x86
Running from: c:\documents and settings\RICH\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-22 to 2013-11-22 )))))))))))))))))))))))))))))))
.
.
2013-11-21 20:19 . 2013-11-21 20:20   --------   dc-h--w-   c:\windows\ie8
2013-11-21 20:13 . 2013-11-21 20:12   16883056   ----a-w-   c:\program files\IE8-WindowsXP-x86-ENU.exe
2013-11-21 04:13 . 2013-11-21 04:13   --------   d-sh--w-   c:\documents and settings\RICH\IECompatCache
2013-11-21 01:12 . 2013-11-21 16:48   --------   d-----w-   c:\windows\system32\XPSViewer
2013-11-21 01:12 . 2013-11-21 01:12   --------   d-----w-   c:\program files\MSBuild
2013-11-21 01:12 . 2013-11-21 01:12   --------   d-----w-   c:\program files\Reference Assemblies
2013-11-21 01:11 . 2008-07-06 12:06   89088   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2013-11-21 01:10 . 2008-07-06 12:06   89088   -c----w-   c:\windows\system32\dllcache\filterpipelineprintproc.dll
2013-11-21 01:10 . 2008-07-06 12:06   117760   ------w-   c:\windows\system32\prntvpt.dll
2013-11-21 01:10 . 2008-07-06 12:06   575488   -c----w-   c:\windows\system32\dllcache\xpsshhdr.dll
2013-11-21 01:10 . 2008-07-06 12:06   575488   ------w-   c:\windows\system32\xpsshhdr.dll
2013-11-21 01:10 . 2008-07-06 10:50   597504   -c----w-   c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2013-11-21 01:10 . 2008-07-06 10:50   597504   ------w-   c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2013-11-21 01:10 . 2008-07-06 12:06   1676288   -c----w-   c:\windows\system32\dllcache\xpssvcs.dll
2013-11-21 01:10 . 2008-07-06 12:06   1676288   ------w-   c:\windows\system32\xpssvcs.dll
2013-11-21 01:10 . 2013-11-21 01:11   --------   d-----w-   C:\5fb5562cc79d999f538320a3b6f889a1
2013-11-20 23:05 . 2013-11-20 23:05   --------   d-----w-   c:\windows\Microsoft Antimalware
2013-11-20 20:28 . 2013-11-20 20:28   --------   d-----w-   C:\27326b470d00a276235bd9c056b86c70
2013-11-20 20:19 . 2013-11-08 01:15   7772552   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{543B7A6C-B61D-4C7A-94BA-D84BBD9C6BFE}\mpengine.dll
2013-11-19 17:13 . 2013-11-21 01:53   --------   d-----w-   c:\windows\system32\MRT
2013-11-14 22:37 . 2013-11-14 22:37   --------   d-sh--w-   c:\documents and settings\RICH\PrivacIE
2013-11-13 14:10 . 2013-10-14 06:39   7796464   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-13 00:06 . 2013-10-13 07:25   522240   -c----w-   c:\windows\system32\dllcache\jsdbgui.dll
2013-11-12 18:29 . 2013-06-12 18:10   31848   ----a-w-   c:\windows\system32\drivers\DasPtct.SYS
2013-10-31 23:44 . 2013-10-31 23:44   --------   d-----w-   C:\FRST
2013-10-31 20:43 . 2013-10-31 20:43   35904   ----a-w-   c:\windows\system32\drivers\lswd2yhn.sys
2013-10-31 20:01 . 2013-10-31 20:01   782640   ----a-w-   C:\Iexplore.exe.exe
2013-10-28 16:18 . 2013-11-20 17:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-18 07:25 . 2013-10-04 04:13   47064   ----a-w-   c:\windows\system32\drivers\mbamchameleon.sys
2013-10-31 19:59 . 2013-10-31 19:59   1472131   ----a-w-   C:\vba32arkit.zip
2013-10-19 07:33 . 2013-10-19 07:33   30976   ----a-w-   c:\windows\system32\drivers\hitmanpro37.sys
2013-10-18 05:11 . 2013-10-23 01:12   24064   ----a-w-   c:\windows\zoek-delete.exe
2013-10-12 15:56 . 2008-04-14 12:00   278528   ----a-w-   c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2008-04-14 12:00   287744   ----a-w-   c:\windows\system32\gdi32.dll
2013-10-07 10:59 . 2008-04-14 12:00   603136   ----a-w-   c:\windows\system32\crypt32.dll
2013-10-05 01:14 . 2013-04-19 21:58   7168   ----a-w-   c:\windows\system32\xpsp4res.dll
2013-10-01 23:31 . 2013-10-01 23:32   1207928   ----a-w-   c:\program files\rc-installer.exe
2013-09-27 14:53 . 2013-01-20 19:59   214696   ----a-w-   c:\windows\system32\drivers\MpFilter.sys
2013-09-19 07:54 . 2013-09-19 07:40   181064   ----a-w-   c:\windows\PSEXESVC.EXE
2013-09-17 15:26 . 2013-09-17 15:26   325960   ----a-w-   c:\program files\lua5.1.dll
2013-09-04 03:02 . 2013-07-19 00:22   1966080   ----a-w-   c:\program files\Repair_Windows.exe
2013-08-29 01:31 . 2008-04-14 12:00   1878656   ----a-w-   c:\windows\system32\win32k.sys
2013-04-19 22:40 . 2013-04-19 22:40   11091432   ----a-w-   c:\program files\MSEInstall.exe
2013-03-25 03:24 . 2013-03-25 03:24   2483904   ----a-w-   c:\program files\Procmon.exe
2011-03-08 17:54 . 2013-07-19 00:22   229376   ----a-w-   c:\program files\pcwintech_tabs.ocx
2009-03-24 19:52 . 2013-07-19 00:22   1069376   ----a-w-   c:\program files\MSCOMCTL.OCX
2009-03-24 19:52 . 2013-07-19 00:22   136008   ----a-w-   c:\program files\msinet.ocx
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-04-12 49152]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\40286280.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\65300409.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\80392994.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\86660297.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"AlcxMonitor"=ALCXMNTR.EXE
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" -hide -runkey
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-08-10 45288]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2013-10-19 30976]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2009-11-27 594048]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-03 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2013-04-16 01:09]
.
2013-11-22 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-10-23 20:01]
.
.
------- Supplementary Scan -------
.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\RICH\Application Data\Mozilla\Firefox\Profiles\ud60wonb.default\
FF - ExtSQL: 2013-11-20 20:15; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-22 13:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(160)
c:\windows\System32\OneX.DLL
c:\windows\System32\eappprxy.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-11-22 13:14:37
ComboFix-quarantined-files.txt 2013-11-22 18:14
.
Pre-Run: 91,164,995,584 bytes free
Post-Run: 91,201,699,840 bytes free
.
- - End Of File - - E0A5E85F14D9C90DA3FF0DF7ADD3023F
8F558EB6672622401DA993E1E865C861

kevinf80 · November 22, 2013

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

ClearJavaCache::File::c:\windows\system32\drivers\lswd2yhn.sysC:\Iexplore.exe.exe

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

hiesenberg · November 22, 2013

kevin- just noticed, the winXP file search tool is no longer available, that window now comes up blank. Thanks!

ComboFix 13-11-22.01 - RICH 11/22/2013 17:10:44.8.1 - x86
Running from: c:\documents and settings\RICH\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\RICH\Desktop\CFScript.txt
.
FILE ::
"C:\Iexplore.exe.exe"
"c:\windows\system32\drivers\lswd2yhn.sys"
.
.
(((((((((((((((((((((((((   Files Created from 2013-10-22 to 2013-11-22 )))))))))))))))))))))))))))))))
.
.
2013-11-21 20:19 . 2013-11-21 20:20   --------   dc-h--w-   c:\windows\ie8
2013-11-21 20:13 . 2013-11-21 20:12   16883056   ----a-w-   c:\program files\IE8-WindowsXP-x86-ENU.exe
2013-11-21 04:13 . 2013-11-21 04:13   --------   d-sh--w-   c:\documents and settings\RICH\IECompatCache
2013-11-21 01:12 . 2013-11-21 16:48   --------   d-----w-   c:\windows\system32\XPSViewer
2013-11-21 01:12 . 2013-11-21 01:12   --------   d-----w-   c:\program files\MSBuild
2013-11-21 01:12 . 2013-11-21 01:12   --------   d-----w-   c:\program files\Reference Assemblies
2013-11-21 01:11 . 2008-07-06 12:06   89088   ----a-w-   c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2013-11-21 01:10 . 2008-07-06 12:06   89088   -c----w-   c:\windows\system32\dllcache\filterpipelineprintproc.dll
2013-11-21 01:10 . 2008-07-06 12:06   117760   ------w-   c:\windows\system32\prntvpt.dll
2013-11-21 01:10 . 2008-07-06 12:06   575488   -c----w-   c:\windows\system32\dllcache\xpsshhdr.dll
2013-11-21 01:10 . 2008-07-06 12:06   575488   ------w-   c:\windows\system32\xpsshhdr.dll
2013-11-21 01:10 . 2008-07-06 10:50   597504   -c----w-   c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2013-11-21 01:10 . 2008-07-06 10:50   597504   ------w-   c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2013-11-21 01:10 . 2008-07-06 12:06   1676288   -c----w-   c:\windows\system32\dllcache\xpssvcs.dll
2013-11-21 01:10 . 2008-07-06 12:06   1676288   ------w-   c:\windows\system32\xpssvcs.dll
2013-11-21 01:10 . 2013-11-21 01:11   --------   d-----w-   C:\5fb5562cc79d999f538320a3b6f889a1
2013-11-20 23:05 . 2013-11-20 23:05   --------   d-----w-   c:\windows\Microsoft Antimalware
2013-11-20 20:28 . 2013-11-20 20:28   --------   d-----w-   C:\27326b470d00a276235bd9c056b86c70
2013-11-20 20:19 . 2013-11-08 01:15   7772552   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{543B7A6C-B61D-4C7A-94BA-D84BBD9C6BFE}\mpengine.dll
2013-11-19 17:13 . 2013-11-21 01:53   --------   d-----w-   c:\windows\system32\MRT
2013-11-14 22:37 . 2013-11-14 22:37   --------   d-sh--w-   c:\documents and settings\RICH\PrivacIE
2013-11-13 14:10 . 2013-10-14 06:39   7796464   ----a-w-   c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-13 00:06 . 2013-10-13 07:25   522240   -c----w-   c:\windows\system32\dllcache\jsdbgui.dll
2013-11-12 18:29 . 2013-06-12 18:10   31848   ----a-w-   c:\windows\system32\drivers\DasPtct.SYS
2013-10-31 23:44 . 2013-10-31 23:44   --------   d-----w-   C:\FRST
2013-10-31 20:43 . 2013-10-31 20:43   35904   ----a-w-   c:\windows\system32\drivers\lswd2yhn.sys
2013-10-31 20:01 . 2013-10-31 20:01   782640   ----a-w-   C:\Iexplore.exe.exe
2013-10-28 16:18 . 2013-11-20 17:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-18 07:25 . 2013-10-04 04:13   47064   ----a-w-   c:\windows\system32\drivers\mbamchameleon.sys
2013-10-31 19:59 . 2013-10-31 19:59   1472131   ----a-w-   C:\vba32arkit.zip
2013-10-19 07:33 . 2013-10-19 07:33   30976   ----a-w-   c:\windows\system32\drivers\hitmanpro37.sys
2013-10-18 05:11 . 2013-10-23 01:12   24064   ----a-w-   c:\windows\zoek-delete.exe
2013-10-12 15:56 . 2008-04-14 12:00   278528   ----a-w-   c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2008-04-14 12:00   287744   ----a-w-   c:\windows\system32\gdi32.dll
2013-10-07 10:59 . 2008-04-14 12:00   603136   ----a-w-   c:\windows\system32\crypt32.dll
2013-10-05 01:14 . 2013-04-19 21:58   7168   ----a-w-   c:\windows\system32\xpsp4res.dll
2013-10-01 23:31 . 2013-10-01 23:32   1207928   ----a-w-   c:\program files\rc-installer.exe
2013-09-27 14:53 . 2013-01-20 19:59   214696   ----a-w-   c:\windows\system32\drivers\MpFilter.sys
2013-09-19 07:54 . 2013-09-19 07:40   181064   ----a-w-   c:\windows\PSEXESVC.EXE
2013-09-17 15:26 . 2013-09-17 15:26   325960   ----a-w-   c:\program files\lua5.1.dll
2013-09-04 03:02 . 2013-07-19 00:22   1966080   ----a-w-   c:\program files\Repair_Windows.exe
2013-08-29 01:31 . 2008-04-14 12:00   1878656   ----a-w-   c:\windows\system32\win32k.sys
2013-04-19 22:40 . 2013-04-19 22:40   11091432   ----a-w-   c:\program files\MSEInstall.exe
2013-03-25 03:24 . 2013-03-25 03:24   2483904   ----a-w-   c:\program files\Procmon.exe
2011-03-08 17:54 . 2013-07-19 00:22   229376   ----a-w-   c:\program files\pcwintech_tabs.ocx
2009-03-24 19:52 . 2013-07-19 00:22   1069376   ----a-w-   c:\program files\MSCOMCTL.OCX
2009-03-24 19:52 . 2013-07-19 00:22   136008   ----a-w-   c:\program files\msinet.ocx
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSPower"="SiSPower.dll" [2005-04-12 49152]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-10-23 948440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\40286280.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\65300409.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\80392994.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\86660297.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"AlcxMonitor"=ALCXMNTR.EXE
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" -hide -runkey
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-08-10 45288]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2013-10-19 30976]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2009-11-27 594048]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-03 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2013-04-16 01:09]
.
2013-11-22 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-10-23 20:01]
.
.
------- Supplementary Scan -------
.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\RICH\Application Data\Mozilla\Firefox\Profiles\ud60wonb.default\
FF - ExtSQL: 2013-11-20 20:15; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-22 17:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1388)
c:\windows\system32\ieframe.dll
c:\windows\System32\OneX.DLL
c:\windows\System32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-11-22 17:22:47
ComboFix-quarantined-files.txt 2013-11-22 22:22
ComboFix2.txt 2013-11-22 18:14
.
Pre-Run: 91,163,914,240 bytes free
Post-Run: 91,117,903,872 bytes free
.
- - End Of File - - 5FA2572DC48D59076759FCC2A6721310
8F558EB6672622401DA993E1E865C861

kevinf80 · November 22, 2013

The two files I list for removal are still onboard, they were not removed....

2013-10-31 20:43 . 2013-10-31 20:43 35904 ----a-w- c:\windows\system32\drivers\lswd2yhn.sys
2013-10-31 20:01 . 2013-10-31 20:01 782640 ----a-w- C:\Iexplore.exe.exe

Run this please:

Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

http://oldtimer.geekstogo.com/OTM.exe.

http://www.itxassociates.com/OT-Tools/OTM.com

http://www.itxassociates.com/OT-Tools/OTM.exe

Double click OTM.exe to start the tool. Vista or Windows 7 users accepy UAC alert. Be aware all processes will be stopped during run, also Desktop will disappear, this will be put back on completion.... If your security alerts to OTM either, accept the alert or turn off security until OTM completes...

Copy the text from the code box belowbelow to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files :Files
```
:Filesc:\windows\system32\drivers\lswd2yhn.sysC:\Iexplore.exe.exe:Commands[EmptyTemp]
```
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
Click the red button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

hiesenberg · November 23, 2013

kevin- pretty sure those files are going to be clean. Iexplore is actually a mcaffe utility that I renamed.

> c:\windows\system32\drivers\lswd2yhn.sys belongs to this utility> Vba32 AntiRootkit driver, by VirusBlokAda Ltd.

> Iexplore.exe--McAfee Labs Rootkit Remover

let me know if you still want them removed.

kevinf80 · November 23, 2013

OK leave Iexplore entry but do remove the other one, having remnant drivers on a system is not good practice and can cause issues... Re-boot after removal

Give an update on issues/concerns when done....

hiesenberg · November 24, 2013

I will able to run that first thing in the morning, not home now. Do you have any other scanner options to uncover deeply rooted infections? I just feel like we're hitting a wall and not making more progress. i'm guessing that this bug has evolved to were it is evading most av-scans we've run.

couple of new issues:

> 2 folders marked network connections in control panel, (there should only be one)

> win file search tool, comes up blank. no way to run a file search

I await your next steps

kevinf80 · November 24, 2013

> 2 folders marked network connections in control panel, (there should only be one)

Can you post a screen shot of above....

> win file search tool, comes up blank. no way to run a file search

I do not know what you mean by above, what search tool?

Scans are not revealing any obvious malware or infection, is proving to be very frustrating for sure...

Can you run the system in a clean boot state and see how it responds in that mode.....

Click Start, click Run, type msconfig, and then click OK.

The System Configuration Utility dialog box is displayed.

We now need to configure selective startup options:

In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK. this will disable none MS services.
When you are prompted, click Restart to restart the computer.

When you receive the following message, click to select the Don't show this message or launch the System Configuration Utility when Windows start check box, and then click OK.

hiesenberg · November 25, 2013

Kevin-
I ran it in a clean boot and it looks alot like running in safe mode, minimal processes... I did not see the svchost/tasbar
issue, it was inactive just like when I run the p/c in safemode. So I ran Rogue Killer and it found 6 new entries.
Please note, I also noticed that a previous RK log,(added at the bottom) correctly list my h-d as a Samsung but the
latest log does not identify it all...? and the 2nd Network Connection folder did not appear while in clean-boot status
but the internet does not connect either. the win search tool coming up blank is opened by clicking the start button, 2nd column on the right. hopefully this info will provide some new clues. you'll deserve a medal
if you can actually solve this one!! :-) Thanks!!

RogueKiller V8.7.6 [Oct 28 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : RICH [Admin rights]
Mode : Scan -- Date : 11/25/2013 13:35:49
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[sUSP PATH][DLL] explorer.exe -- C:\Documents and Settings\Administrator\Desktop\zebranMalwarebytes' Anti-Malware\mbamext.dll [x] -> UNLOADED

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][sUSP PATH] HKLM\[...]\RunOnce : 4DF37C11-28CE-42CF-9F83-1D4723EEBDE8 (cmd.exe /C start /D "C:\DOCUME~1\RICH\LOCALS~1\Temp" /B 4DF37C11-28CE-42CF-9F83-1D4723EEBDE8.exe -activeimages -postboot [x][-][x]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[inline] EAT @explorer.exe (@Oledb@DBOBJECT_DOMAIN) : rtl70.bpl -> HOOKED (Unknown @ 0x33CFF34F)
[inline] EAT @explorer.exe (@Oledb@DBOBJECT_SCHEMA) : rtl70.bpl -> HOOKED (Unknown @ 0x33CFF33F)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ( @ ) +++++
--- User ---
[MBR] 9c24779718baa28a177f1792c868d0f9
[bSP] 85f5c2091b2e329b4ea8d90f28511751 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 50225 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 102861360 | Size: 102399 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_11252013_133549.txt >>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX OLD RK LOG ADDED BELOW XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG SP1604N +++++
--- User ---
[MBR] 9c24779718baa28a177f1792c868d0f9
[bSP] 85f5c2091b2e329b4ea8d90f28511751 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 50225 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 102861360 | Size: 102399 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_08282013_132750.txt >>
RKreport[0]_S_08282013_132204.txt

kevinf80 · November 25, 2013

When we run the system in a clean boot state all none Microsoft Services are stopped, if the system does improve we know there is possibly a clash with one or more of the none MS services. That is not unusual. I`ve had many logs here with issues similar to yours, they all seem to end with service clashes, a simple fix is to put the problem service in Manual as opposed to Automatic start up type.

OK as RogueKiller has identified a couple of entries do the following:

Put the PC back into Normal boot mode:

Open msconfig...
On the General tab, click Normal Startup - load all device drivers and services, and then click OK.
When you are prompted, click Restart.

Next,

Quit all programs that you may have started.

Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7, right-click and select "Run as Administrator" to start
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and copy/paste the content of the Notepad into your next reply.
The log should be found in RKreport[?].txt on your Desktop
Exit/Close RogueKiller

Next,

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware,

Make sure that everything is checked, and click Remove Selected on any found items.

Post the produced log...

Next,

Go back into Clean boot mode and see if the system run OK. If it does I want to find the problem None MS service, instructions follow:

Click Start, click Run, type msconfig, and then click OK.

The System Configuration Utility dialog box is displayed.

We now need to configure selective startup options:

In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK. this will disable none MS services.
When you are prompted, click Restart to restart the computer.

When you receive the following message, click to select the Don't show this message or launch the System Configuration Utility when Windows start check box, and then click OK.

If the clean boot makes an improvement continue as follows....

Repeat as above, ensure all MS services are hidden, enable half of the non MS services then re-boot. If the issue does not return do exactly the same again, this time only enable the bottom half of non MS services.

If the issue returns we know the issue is in the bottom half, so you now repeat again but only enable half of the bottom half. Keep doing that until you isolate the rogue sevice.

Let me know how you get on, I know it is a laborious task but it will locate the issue. Obviously if the issue happens with the initial clean boot we`ll have to think again....

hiesenberg · November 26, 2013

kevin:

I'm not sure when I can complete that rather long task.. and we have a Holiday starting tomorrow so it might be a few days,

(please do not close my topic). I'm particularly interested to know what those 2 drivers are found by rogue kill:

¤¤¤ Driver : [LOADED] ¤¤¤
[inline] EAT @explorer.exe (@Oledb@DBOBJECT_DOMAIN) : rtl70.bpl -> HOOKED (Unknown @ 0x33CFF34F)
[inline] EAT @explorer.exe (@Oledb@DBOBJECT_SCHEMA) : rtl70.bpl -> HOOKED (Unknown @ 0x33CFF33F)

are these harmless or how serious are they? They reappeared on the RK scan and when I tried to delete the pc froze. I will try again later. Thanks!

kevinf80 · November 26, 2013

When you see this entry ¤¤¤ Driver : [LOADED] ¤¤¤ it means a driver related to RK scan is loaded whilst it completes an AntiRootkit scan, that entry will only be there for 32 bit systems, 64 bit systems show as such ¤¤¤ Driver: [NOT LOADED] ¤¤¤

It would then follow with a possible list of entries deemed as suspicious underneath. In your case the entries are safe...They would not be included in the Delete action when it is selected...

hiesenberg · November 27, 2013

kevin- that's fine, so those hooked drivers are safe and pose no threat. but what about the registry constantly changing..?

I think that's what has me worried the most. what/where is the source of what causes those entries to consistently reactivate

themselves? I believe there is something residing on this p/c that executes on reboot to make those changes.. are you saying that a non-ms service clash, if there is one, can cause those repeated registry changes..? i have deleted them over and over

to only watch them pop up again after rescanning. I'm off for holiday time here in the states! Happy Thanksgiving! (not sure you folks even know what that is)

RogueKiller V8.7.6 [Oct 28 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : RICH [Admin rights]
Mode : Scan -- Date : 11/27/2013 00:39:28
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[inline] EAT @explorer.exe (@Oledb@DBOBJECT_DOMAIN) : rtl70.bpl -> HOOKED (Unknown @ 0x33CFF34F)
[inline] EAT @explorer.exe (@Oledb@DBOBJECT_SCHEMA) : rtl70.bpl -> HOOKED (Unknown @ 0x33CFF33F)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SAMSUNG SP1604N +++++
--- User ---
[MBR] 9c24779718baa28a177f1792c868d0f9
[bSP] 85f5c2091b2e329b4ea8d90f28511751 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 50225 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 102861360 | Size: 102399 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished :

Not sure which infection this is? Java Exploit maybe..?

Recommended Posts

Link to post

Share on other sites

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information