
RootKit removal Help



Hello, I have a Windows XP SP2 workstation that has a rootkit. I downloaded and installed MalwareBytes, but when I attempt to run it, it won't load. I have run SAS.com (SuperAntiSpyware Portable) on this machine and it finds a few things, tells me to reboot. After reboot I still cannot run MBAM. I have renamed the mbam.exe file to mbam1.exe and was able to run and scan the machine. But after a reboot, I attempted to name the exe back to normal (mbam.exe) and it still won't run.

After reading through a lot of posts, I think it's best if I ask for some help on this. Please see the attached HJT log file.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:56:01 AM, on 9/21/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\Program Files\Rockwell Software\FactoryTalk Activation\lmgrd.exe

C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE

C:\Program Files\Rockwell Software\FactoryTalk Activation\flexsvr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\lotus\notes\nsd.exe

C:\Program Files\lotus\notes\nslsvice.exe

C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

C:\WINDOWS\system32\mfevtps.exe

C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe

C:\Program Files\lotus\notes\ntmulti.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\pipc\BIN\pilogsrv.exe

C:\Program Files\pipc\BIN\pinetmgr.exe

C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE

C:\Program Files\Common Files\Rockwell\RsvcHost.exe

C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spool\ugplot\ugiipqd.exe

C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

C:\Program Files\pipc\BIN\pimsgss.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\SxpInst\sxplog32.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

C:\Program Files\McAfee\Common Framework\udaterui.exe

C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\Common Files\Java\Java Update\jucheck.exe

E:\EmsisoftEmergencyKit\start.exe

E:\EMSISOFTEMERGENCYKIT\run\a2emergencykit.exe

E:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://10.37.1.10/proxy.pac

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [sxplog] C:\SxpInst\sxpstub.exe

O4 - HKLM\..\Run: [sDJobCheck] triggusr.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AMUpdate] C:\PROGRA~1\COMMON~1\CYCOSH~1\AMUPDA~1.EXE

O4 - HKLM\..\Run: [usbCipHelper] C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey

O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-20\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-1343024091-920026266-839522115-14314\..\Run: [iBM RecordNow!] (User 'usdso-wininst')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.taurus

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intercall.webex.com/client/T26L10NS...bex/ieatgpc.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ame.pkg

O17 - HKLM\Software\..\Telephony: DomainName = ame.pkg

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ame.pkg

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE

O23 - Service: dnWhoDisp - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe

O23 - Service: FactoryTalk Activation Service - Macrovision Corporation - C:\Program Files\Rockwell Software\FactoryTalk Activation\lmgrd.exe

O23 - Service: FactoryTalk Activation Helper (FTActivationBoost) - Rockwell Automation Inc. - C:\Program Files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Harmony - Rockwell Automation, Inc. - C:\Program Files\Rockwell Software\RSCommon\RSOBSERV.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lotus Notes Diagnostics - IBM Corp - C:\Program Files\lotus\notes\nsd.exe

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe

O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe

O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe

O23 - Service: PIPC Log Server (pilogsrv) - OSIsoft, Inc. - C:\Program Files\pipc\BIN\pilogsrv.exe

O23 - Service: PI Message Subsystem (pimsgss) - OSIsoft, Inc. - C:\Program Files\pipc\BIN\pimsgss.exe

O23 - Service: PI Network Manager (pinetmgr) - OSIsoft, Inc. - C:\Program Files\pipc\BIN\pinetmgr.exe

O23 - Service: FactoryTalk Diagnostics Local Reader (RNADiagnosticsService) - Rockwell Automation Inc. - C:\Program Files\Common Files\Rockwell\RNADiagnosticsSrv.exe

O23 - Service: FactoryTalk Diagnostics CE Receiver (RNADiagReceiver) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RNADiagReceiver.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: RSLinx Classic (RSLinx) - Rockwell Automation, Inc. - C:\PROGRA~1\ROCKWE~1\RSLinx\RSLINX.EXE

O23 - Service: Rockwell Application Services (RsvcHost) - Rockwell Automation, Inc. - C:\Program Files\Common Files\Rockwell\RsvcHost.exe

O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Unigraphics Plot Server (ugiipqd) (ugiipqd) - Unigraphics Solutions, Inc - C:\WINDOWS\system32\spool\ugplot\ugiipqd.exe

O23 - Service: Scalable WinINSTALL Master Agent (WIMASvc) - Scalable Software, Inc. - C:\Program Files\Scalable\WinINSTALL\Bin\WIMASvc.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 11163 bytes

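The HijackThis log above is a flat inventory of autoruns (O4) and services (O23), and the usual way to read it is to pick out entries that deserve a second look rather than to judge each line by eye. The script below is an added example, not HijackThis code and not anything the thread's participants posted; it parses O4 and O23 lines of the format shown above and applies three generic review heuristics: a Run-key command that names a bare executable (resolved through the PATH search order at logon rather than a fixed path), a binary located under a temporary directory, and a service whose vendor string is "Unknown owner". The sample input is a constructed subset of lines from the log; the flags are items for a human to confirm, not verdicts.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of O4/O23 lines excerpted from the HijackThis log above.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [sDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKUS\S-1-5-20\..\Run: [EFI Job Monitor] C:\WINDOWS\TEMP\JobMonitor\JobMonitor.exe (User 'NETWORK SERVICE')
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: MotoConnect Service - Unknown owner - C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
"""

# O4 - <hive>\..\Run: [<name>] <command line> [(User '<user>')]
RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# O23 - Service: <display name> - <vendor> - <image path>
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_bare_name(exe: str) -> bool:
    """True when the command has no directory component and no %VAR% prefix,
    so Windows would locate it by searching PATH instead of a fixed location."""
    return "\\" not in exe and not exe.startswith("%")


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Extract O4 (run) and O23 (service) entries; other HJT sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["kind"] = "run"
            entries.append(entry)
            continue
        m = SERVICE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["kind"] = "service"
            entries.append(entry)
    return entries


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return review items: entries a human should confirm are expected on this host."""
    findings = []
    for e in parse_entries(log_text):
        target = executable_of(e["cmd"]) if e["kind"] == "run" else e["path"]
        reasons = []
        if e["kind"] == "run" and is_bare_name(target):
            reasons.append("bare executable name: resolved through the PATH search order at logon")
        if "\\TEMP\\" in target.upper():
            reasons.append("binary lives in a temporary directory")
        if e["kind"] == "service" and e["vendor"] == "Unknown owner":
            reasons.append("no vendor string: check the file's signature and origin")
        for reason in reasons:
            findings.append({"kind": e["kind"], "name": e["name"], "target": target, "reason": reason})
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_HJT_LOG):
        print(f"[{item['kind']}] {item['name']}: {item['target']} -> {item['reason']}")
```

Run against the constructed sample, the two bare-name Run entries, the TEMP-directory autorun and the "Unknown owner" service are reported, while the fully pathed McAfee service and the dla entry are not; on a real log the same heuristics only narrow the list, and each flagged file still needs its signature and origin checked.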

:P

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
    (screenshot: TDSSKillerMal-1.png)
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    (screenshot: TDSSKillerSuspicious-1.png)
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    (screenshot: TDSSKillerCompleted.png)
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


LDTate - Thank you for the assistance. It appears to have worked. I'm all cleared up. I am now able to run MBAM w/o issues. Thanks again. I will be a frequent flyer.

Here is the log file you requested.

2010/09/21 16:36:07.0821 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44

2010/09/21 16:36:07.0821 ================================================================================

2010/09/21 16:36:07.0821 SystemInfo:

2010/09/21 16:36:07.0821

2010/09/21 16:36:07.0821 OS Version: 5.1.2600 ServicePack: 2.0

2010/09/21 16:36:07.0821 Product type: Workstation

2010/09/21 16:36:07.0821 ComputerName: WTV-111123

2010/09/21 16:36:07.0821 UserName: Administrator

2010/09/21 16:36:07.0821 Windows directory: C:\WINDOWS

2010/09/21 16:36:07.0821 System windows directory: C:\WINDOWS

2010/09/21 16:36:07.0821 Processor architecture: Intel x86

2010/09/21 16:36:07.0821 Number of processors: 2

2010/09/21 16:36:07.0821 Page size: 0x1000

2010/09/21 16:36:07.0821 Boot type: Normal boot

2010/09/21 16:36:07.0821 ================================================================================

2010/09/21 16:36:08.0114 Initialize success

2010/09/21 16:36:21.0068 ================================================================================

2010/09/21 16:36:21.0068 Scan started

2010/09/21 16:36:21.0068 Mode: Manual;

2010/09/21 16:36:21.0068 ================================================================================

2010/09/21 16:36:21.0499 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2010/09/21 16:36:21.0560 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/09/21 16:36:21.0606 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/09/21 16:36:21.0652 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2010/09/21 16:36:21.0729 aeaudio (3cb6ae5435987b1f8c83fd2730479878) C:\WINDOWS\system32\drivers\aeaudio.sys

2010/09/21 16:36:21.0791 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys

2010/09/21 16:36:21.0868 AFD (f92c6d162329a1367d71517c6b0de56c) C:\WINDOWS\System32\drivers\afd.sys

2010/09/21 16:36:21.0868 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: f92c6d162329a1367d71517c6b0de56c, Fake md5: 55e6e1c51b6d30e54335750955453702

2010/09/21 16:36:21.0868 AFD - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/09/21 16:36:21.0914 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/09/21 16:36:21.0960 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2010/09/21 16:36:22.0006 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2010/09/21 16:36:22.0068 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2010/09/21 16:36:22.0175 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2010/09/21 16:36:22.0237 akshasp (3f9f42085ab5b6a55498a539c54575ab) C:\WINDOWS\system32\DRIVERS\akshasp.sys

2010/09/21 16:36:22.0268 aksusb (d2b95315cc47f9230006fdbcba394d8d) C:\WINDOWS\system32\DRIVERS\aksusb.sys

2010/09/21 16:36:22.0314 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2010/09/21 16:36:22.0360 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2010/09/21 16:36:22.0391 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2010/09/21 16:36:22.0437 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2010/09/21 16:36:22.0483 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/09/21 16:36:22.0514 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2010/09/21 16:36:22.0560 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2010/09/21 16:36:22.0606 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2010/09/21 16:36:22.0668 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/09/21 16:36:22.0714 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/09/21 16:36:22.0806 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/09/21 16:36:22.0868 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/09/21 16:36:22.0899 b57w2k (2c078ae1a50b152a0e779c1f707f82c9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2010/09/21 16:36:22.0929 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/09/21 16:36:23.0052 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2010/09/21 16:36:23.0099 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/09/21 16:36:23.0145 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2010/09/21 16:36:23.0191 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2010/09/21 16:36:23.0237 CdaC15BA (f76cb7259aa575cc53f3996bc6b68c18) C:\WINDOWS\system32\drivers\CDAC15BA.SYS

2010/09/21 16:36:23.0268 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/09/21 16:36:23.0299 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/09/21 16:36:23.0345 Cdr4_xp (bf79e659c506674c0497cc9c61f1a165) C:\WINDOWS\system32\drivers\Cdr4_xp.sys

2010/09/21 16:36:23.0360 Cdralw2k (2c41cd49d82d5fd85c72d57b6ca25471) C:\WINDOWS\system32\drivers\Cdralw2k.sys

2010/09/21 16:36:23.0391 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/09/21 16:36:23.0437 cdudf_xp (23347f35984fff18a6344fe2fd2d835c) C:\WINDOWS\system32\drivers\cdudf_xp.sys

2010/09/21 16:36:23.0514 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2010/09/21 16:36:23.0591 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2010/09/21 16:36:23.0668 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2010/09/21 16:36:23.0699 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2010/09/21 16:36:23.0760 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/09/21 16:36:23.0822 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

2010/09/21 16:36:23.0852 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

2010/09/21 16:36:23.0883 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/09/21 16:36:23.0945 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

2010/09/21 16:36:23.0991 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2010/09/21 16:36:24.0037 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/09/21 16:36:24.0099 drvmcdb (dfdd4e4dfafc6b41dba4bd7b1f9ef7a6) C:\WINDOWS\system32\DRIVERS\drvmcdb.sys

2010/09/21 16:36:24.0145 drvnddm (d3c1e501ed42e77574b3095309dd4075) C:\WINDOWS\system32\drivers\drvnddm.sys

2010/09/21 16:36:24.0222 DVDVRRdr_xp (f0470a61ead8ec91bb0d40a189c9ef99) C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys

2010/09/21 16:36:24.0268 dvd_2K (539f5dfcbe3eefae5bfa9c084df407f1) C:\WINDOWS\system32\drivers\dvd_2K.sys

2010/09/21 16:36:24.0299 EGATHDRV (7f220875288944c9c7856e2bc8613b1f) C:\WINDOWS\Downloaded Program Files\EGATHDRV.SYS

2010/09/21 16:36:24.0422 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/09/21 16:36:24.0452 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/09/21 16:36:24.0483 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

2010/09/21 16:36:24.0514 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/09/21 16:36:24.0560 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2010/09/21 16:36:24.0591 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/09/21 16:36:24.0637 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/09/21 16:36:24.0683 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/09/21 16:36:24.0760 Hardlock (d95554949082fd29a04d351b58396718) C:\WINDOWS\system32\drivers\hardlock.sys

2010/09/21 16:36:24.0822 Haspnt (2dd25f060dc9f79b5cdf33d90ed93669) C:\WINDOWS\system32\drivers\Haspnt.sys

2010/09/21 16:36:24.0868 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/09/21 16:36:24.0914 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2010/09/21 16:36:24.0976 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/09/21 16:36:25.0006 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/09/21 16:36:25.0068 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/09/21 16:36:25.0129 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/09/21 16:36:25.0160 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys

2010/09/21 16:36:25.0206 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2010/09/21 16:36:25.0237 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/09/21 16:36:25.0283 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/09/21 16:36:25.0345 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2010/09/21 16:36:25.0391 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/09/21 16:36:25.0422 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/09/21 16:36:25.0468 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2010/09/21 16:36:25.0499 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/09/21 16:36:25.0545 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/09/21 16:36:25.0591 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/09/21 16:36:25.0637 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/09/21 16:36:25.0668 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/09/21 16:36:25.0745 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/09/21 16:36:25.0776 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/09/21 16:36:25.0822 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/09/21 16:36:25.0868 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys

2010/09/21 16:36:25.0914 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/09/21 16:36:26.0052 mfeapfk (5cbf9d2fab2abc461b2f67c802f52543) C:\WINDOWS\system32\drivers\mfeapfk.sys

2010/09/21 16:36:26.0099 mfeavfk (10718b3eeb9e98c5b4aad7c0a23a9efa) C:\WINDOWS\system32\drivers\mfeavfk.sys

2010/09/21 16:36:26.0129 mfebopk (e665cff48e376b48d2cc84be1559f131) C:\WINDOWS\system32\drivers\mfebopk.sys

2010/09/21 16:36:26.0176 mfehidk (e2f200d38b72e47b88489e2c97dfd6d8) C:\WINDOWS\system32\drivers\mfehidk.sys

2010/09/21 16:36:26.0206 mferkdet (ef04236d1a4f9f672b5258de83e2ee35) C:\WINDOWS\system32\drivers\mferkdet.sys

2010/09/21 16:36:26.0252 mfetdik (d5a4b1ae4958ccfc66c1d17c1f42ba08) C:\WINDOWS\system32\drivers\mfetdik.sys

2010/09/21 16:36:26.0299 mmc_2K (ef513137587185f2726725ba1010c943) C:\WINDOWS\system32\drivers\mmc_2K.sys

2010/09/21 16:36:26.0345 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/09/21 16:36:26.0406 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

2010/09/21 16:36:26.0468 motccgp (c741717b0a18813dd7d12085937cee72) C:\WINDOWS\system32\DRIVERS\motccgp.sys

2010/09/21 16:36:26.0514 motccgpfl (b812da6605caf02641312f1f65c75419) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys

2010/09/21 16:36:26.0576 motmodem (54fee02961c70fd9d4d7e2f87afa23fa) C:\WINDOWS\system32\DRIVERS\motmodem.sys

2010/09/21 16:36:26.0652 motport (54fee02961c70fd9d4d7e2f87afa23fa) C:\WINDOWS\system32\DRIVERS\motport.sys

2010/09/21 16:36:26.0729 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/09/21 16:36:26.0776 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/09/21 16:36:26.0822 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/09/21 16:36:26.0868 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2010/09/21 16:36:26.0914 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/09/21 16:36:26.0991 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/09/21 16:36:27.0037 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

2010/09/21 16:36:27.0099 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/09/21 16:36:27.0145 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/09/21 16:36:27.0206 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/09/21 16:36:27.0252 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/09/21 16:36:27.0314 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys

2010/09/21 16:36:27.0360 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

2010/09/21 16:36:27.0422 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2010/09/21 16:36:27.0468 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

2010/09/21 16:36:27.0514 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2010/09/21 16:36:27.0560 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/09/21 16:36:27.0606 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/09/21 16:36:27.0668 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/09/21 16:36:27.0699 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/09/21 16:36:27.0745 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/09/21 16:36:27.0791 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/09/21 16:36:27.0852 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/09/21 16:36:27.0914 nm (60cf8c7192b3614f240838ddbaa4a245) C:\WINDOWS\system32\DRIVERS\NMnt.sys

2010/09/21 16:36:27.0976 NPF (6623e51595c0076755c29c00846c4eb2) C:\WINDOWS\system32\drivers\npf.sys

2010/09/21 16:36:28.0022 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

2010/09/21 16:36:28.0114 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/09/21 16:36:28.0160 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/09/21 16:36:28.0299 nv (933a02052aed2da698811a14b7848faf) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/09/21 16:36:28.0406 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/09/21 16:36:28.0468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/09/21 16:36:28.0560 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/09/21 16:36:28.0606 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/09/21 16:36:28.0637 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/09/21 16:36:28.0683 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/09/21 16:36:28.0745 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/09/21 16:36:28.0806 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/09/21 16:36:28.0852 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/09/21 16:36:29.0022 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2010/09/21 16:36:29.0068 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2010/09/21 16:36:29.0129 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys

2010/09/21 16:36:29.0206 pmem (fa292805788528c083f416e151b60ab6) C:\WINDOWS\system32\DRIVERS\pmemnt.sys

2010/09/21 16:36:29.0253 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/09/21 16:36:29.0299 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/09/21 16:36:29.0329 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/09/21 16:36:29.0376 pwd_2k (64515bc1d8737d05e09086ee6cabdc59) C:\WINDOWS\system32\drivers\pwd_2k.sys

2010/09/21 16:36:29.0422 PxHelp20 (f7bb4e7a7c02ab4a2672937e124e306e) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

2010/09/21 16:36:29.0468 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2010/09/21 16:36:29.0514 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2010/09/21 16:36:29.0560 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2010/09/21 16:36:29.0606 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2010/09/21 16:36:29.0637 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2010/09/21 16:36:29.0683 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/09/21 16:36:29.0729 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/09/21 16:36:29.0760 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/09/21 16:36:29.0791 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/09/21 16:36:29.0853 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/09/21 16:36:29.0883 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/09/21 16:36:29.0929 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/09/21 16:36:29.0991 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/09/21 16:36:30.0022 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/09/21 16:36:30.0114 RsiKtControl (2af65117091a47732f0997330e3daae6) C:\WINDOWS\system32\RSIKT.SYS

2010/09/21 16:36:30.0253 RSSERIAL (b089419975668e2a701178032d652a24) C:\WINDOWS\SYSTEM32\RSSERIAL.SYS

2010/09/21 16:36:30.0514 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/09/21 16:36:30.0591 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/09/21 16:36:30.0637 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/09/21 16:36:30.0714 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/09/21 16:36:30.0806 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2010/09/21 16:36:30.0853 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/09/21 16:36:30.0929 smwdm (9b8aeed0dc8198efb83d06baf2fab2e2) C:\WINDOWS\system32\drivers\smwdm.sys

2010/09/21 16:36:31.0006 sonypvs1 (dfadfc2c86662f40759bf02add27d569) C:\WINDOWS\system32\DRIVERS\sonypvs1.sys

2010/09/21 16:36:31.0053 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS

2010/09/21 16:36:31.0099 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2010/09/21 16:36:31.0160 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys

2010/09/21 16:36:31.0237 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/09/21 16:36:31.0299 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/09/21 16:36:31.0314 sscdbhk5 (328e8bb94ec58480f60458fb4b8437a7) C:\WINDOWS\system32\drivers\sscdbhk5.sys

2010/09/21 16:36:31.0360 ssrtln (7ec8b427cee5c0cdac066320b93f1355) C:\WINDOWS\system32\drivers\ssrtln.sys

2010/09/21 16:36:31.0422 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/09/21 16:36:31.0453 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/09/21 16:36:31.0499 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

2010/09/21 16:36:31.0545 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2010/09/21 16:36:31.0606 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2010/09/21 16:36:31.0637 symmpi (75b645790c705d37d22a88dc5315eac5) C:\WINDOWS\system32\drivers\symmpi.sys

2010/09/21 16:36:31.0683 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2010/09/21 16:36:31.0729 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2010/09/21 16:36:31.0776 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/09/21 16:36:31.0853 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/09/21 16:36:31.0899 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/09/21 16:36:31.0945 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/09/21 16:36:31.0991 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/09/21 16:36:32.0068 tfsnboio (a03e3c621f8cc5751c46a4f671f7b7f4) C:\WINDOWS\system32\dla\tfsnboio.sys

2010/09/21 16:36:32.0176 tfsncofs (04d9d5db0e8339d75606c86b9cef5f4e) C:\WINDOWS\system32\dla\tfsncofs.sys

2010/09/21 16:36:32.0299 tfsndrct (bd09c104e02eb6a4afe3dd0af9b1cb17) C:\WINDOWS\system32\dla\tfsndrct.sys

2010/09/21 16:36:32.0391 tfsndres (5c984670fea565a9ec3855ff9c29f7cc) C:\WINDOWS\system32\dla\tfsndres.sys

2010/09/21 16:36:32.0483 tfsnifs (965c1af88c6528172cebe7674a37d8cd) C:\WINDOWS\system32\dla\tfsnifs.sys

2010/09/21 16:36:32.0591 tfsnopio (90aed91115eef3bab265e5f145a31def) C:\WINDOWS\system32\dla\tfsnopio.sys

2010/09/21 16:36:32.0699 tfsnpool (32a53cb321b8628d41e882223b2d0e4f) C:\WINDOWS\system32\dla\tfsnpool.sys

2010/09/21 16:36:32.0791 tfsnudf (f275b4c714300b6e018a57d6c555fb2c) C:\WINDOWS\system32\dla\tfsnudf.sys

2010/09/21 16:36:32.0899 tfsnudfa (5d85572f26db3ca565b9eababaaf074c) C:\WINDOWS\system32\dla\tfsnudfa.sys

2010/09/21 16:36:33.0037 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2010/09/21 16:36:33.0114 TWXWD (7395af1c1d50bd65a0797e0bf9d593db) C:\WINDOWS\system32\drivers\TWXWD.sys

2010/09/21 16:36:33.0176 UdfReadr_xp (227490c65313ad65ff0430209db20b58) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys

2010/09/21 16:36:33.0206 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

2010/09/21 16:36:33.0268 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2010/09/21 16:36:33.0329 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys

2010/09/21 16:36:33.0391 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/09/21 16:36:33.0437 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/09/21 16:36:33.0499 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/09/21 16:36:33.0545 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/09/21 16:36:33.0606 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/09/21 16:36:33.0668 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/09/21 16:36:33.0714 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/09/21 16:36:33.0745 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/09/21 16:36:33.0806 usb_rndisx (0ed867f3227383d7de971909cdec4d48) C:\WINDOWS\system32\DRIVERS\usb8023x.sys

2010/09/21 16:36:33.0837 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

2010/09/21 16:36:33.0883 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2010/09/21 16:36:33.0945 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/09/21 16:36:34.0022 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/09/21 16:36:34.0083 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/09/21 16:36:34.0145 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2010/09/21 16:36:34.0237 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/09/21 16:36:34.0406 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/09/21 16:36:34.0483 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/09/21 16:36:34.0529 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/09/21 16:36:34.0606 ================================================================================

2010/09/21 16:36:34.0606 Scan finished

2010/09/21 16:36:34.0606 ================================================================================

2010/09/21 16:36:34.0622 Detected object count: 1

2010/09/21 16:36:45.0668 AFD (f92c6d162329a1367d71517c6b0de56c) C:\WINDOWS\System32\drivers\afd.sys

2010/09/21 16:36:45.0668 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: f92c6d162329a1367d71517c6b0de56c, Fake md5: 55e6e1c51b6d30e54335750955453702

2010/09/21 16:36:46.0068 Backup copy found, using it..

2010/09/21 16:36:46.0299 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot

2010/09/21 16:36:46.0299 Rootkit.Win32.TDSS.tdl3(AFD) - User select action: Cure

2010/09/21 16:36:57.0022 Deinitialize success
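The detection block above is the one security-relevant result in this log: TDSSKiller reports afd.sys as "Forged" because the hash of the bytes it read from disk ("Real md5") disagrees with the hash the file presents when read through the normal file system path ("Fake md5"), and "will be cured after reboot" means the repair is not in effect until the machine restarts. The following is an added Python example, not part of the thread and not TDSSKiller's own code, that parses this log format into a structured report and lists the follow-ups an analyst would want (hidden modification, pending reboot, count mismatch). The sample input is the detection block quoted above, embedded as a constructed string; the regexes are assumptions about the log format derived from those lines only.

```python
"""Triage helper for TDSSKiller-style scan logs (added example, not the tool's code)."""
import re
from typing import Dict, List, Optional

# Constructed sample: the detection block from the log quoted above.
SAMPLE_LOG = r"""
2010/09/21 16:36:34.0606 Scan finished
2010/09/21 16:36:34.0622 Detected object count: 1
2010/09/21 16:36:45.0668 AFD (f92c6d162329a1367d71517c6b0de56c) C:\WINDOWS\System32\drivers\afd.sys
2010/09/21 16:36:45.0668 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: f92c6d162329a1367d71517c6b0de56c, Fake md5: 55e6e1c51b6d30e54335750955453702
2010/09/21 16:36:46.0068 Backup copy found, using it..
2010/09/21 16:36:46.0299 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot
2010/09/21 16:36:46.0299 Rootkit.Win32.TDSS.tdl3(AFD) - User select action: Cure
2010/09/21 16:36:57.0022 Deinitialize success
"""

# Every line starts with "YYYY/MM/DD HH:MM:SS.ffff " (format assumed from the sample).
TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
RE_COUNT = re.compile(TS + r"Detected object count: (?P<n>\d+)$")
RE_DRIVER = re.compile(TS + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
RE_FORGED = re.compile(
    TS + r"Suspicious file \((?P<kind>[^)]+)\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
RE_CURE = re.compile(TS + r"(?P<path>.+?) - will be cured after reboot$")
RE_VERDICT = re.compile(
    TS + r"(?P<verdict>\S+?)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$"
)


def parse_tdsskiller(log_text: str) -> Dict:
    """Turn the log into {detected_count, drivers{name: {md5, path}}, findings[...]}."""
    report: Dict = {"detected_count": None, "drivers": {}, "findings": []}
    current: Optional[Dict] = None  # the finding that later verdict lines refer to
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if (m := RE_COUNT.match(line)):
            report["detected_count"] = int(m["n"])
        elif (m := RE_FORGED.match(line)):
            current = {
                "path": m["path"], "kind": m["kind"],
                "real_md5": m["real"], "fake_md5": m["fake"],
                # Disagreement means the bytes on disk are not what the OS is shown.
                "hash_mismatch": m["real"] != m["fake"],
                "pending_reboot": False, "verdict": None, "service": None, "action": None,
            }
            report["findings"].append(current)
        elif (m := RE_CURE.match(line)):
            for f in report["findings"]:
                if f["path"].lower() == m["path"].lower():
                    f["pending_reboot"] = True
        elif (m := RE_VERDICT.match(line)):
            if current is not None:
                current["verdict"] = m["verdict"]
                current["service"] = m["name"]
                current["action"] = m["action"]
        elif (m := RE_DRIVER.match(line)):
            # Plain driver inventory lines: "Name (md5) path".
            report["drivers"][m["name"]] = {"md5": m["md5"], "path": m["path"]}
    return report


def triage(report: Dict) -> List[str]:
    """Follow-up notes an analyst would act on before declaring the host clean."""
    notes: List[str] = []
    for f in report["findings"]:
        if f["hash_mismatch"]:
            notes.append(f"{f['path']}: on-disk contents hidden from the OS ({f['kind']}), "
                         f"verdict {f['verdict']}, action {f['action']}")
        if f["pending_reboot"]:
            notes.append(f"{f['path']}: reboot required before any re-scan is meaningful")
    n = report["detected_count"]
    if n is not None and n != len(report["findings"]):
        notes.append(f"count mismatch: header says {n}, parsed {len(report['findings'])}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_tdsskiller(SAMPLE_LOG)):
        print(note)
```

The design keeps the inventory lines ("Name (md5) path") separate from findings so the same parser can be pointed at a full log like the one above: the driver table gives the hash of each listed module, while only "Suspicious file" blocks produce findings. Because the cure is applied at reboot, a scan run before the restart (as with MBAM failing to start earlier in this thread) should not be read as a clean result.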


I agree and will install SP3 asap. Also upgrade IE to version 7 or 8 at least. MBAM did find something.

Here is the MBAM log file.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4663

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

9/21/2010 5:49:22 PM

mbam-log-2010-09-21 (17-49-22).txt

Scan type: Quick scan

Objects scanned: 197200

Time elapsed: 11 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


We can see if anything else is hiding.

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


My company forces McAfee Enterprise to run using ePO agent and policy. I have attempted to shut it down, but every time I do, it just restarts due to the policies in place. I am running ComboFix now, but it has told me it didn't like that fact about McAfee.

At the moment, it is downloading from MS the recovery console. Should I continue with ComboFix even if I cannot disable the AV scanners?


I have run ComboFix. It never said I needed to reboot. Please let me know what you find, if anything. The computer appears to be running normal (forgot to mention that from your earlier post).

What else do you suggest?

ComboFix 10-09-20.04 - Administrator 09/21/2010 18:10:19.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2536 [GMT -4:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2010-08-21 to 2010-09-21 )))))))))))))))))))))))))))))))

.

2010-09-21 22:04 . 2010-09-21 22:04 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-60ac0811-n\msvcp71.dll

2010-09-21 22:04 . 2010-09-21 22:04 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-60ac0811-n\jmc.dll

2010-09-21 22:04 . 2010-09-21 22:04 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-60ac0811-n\msvcr71.dll

2010-09-21 22:04 . 2010-09-21 22:04 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-25707c44-n\decora-sse.dll

2010-09-21 22:04 . 2010-09-21 22:04 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-25707c44-n\decora-d3d.dll

2010-09-21 20:44 . 2010-09-21 20:44 -------- d-----w- c:\documents and settings\husseR\Application Data\Malwarebytes

2010-09-21 20:43 . 2010-09-21 20:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-09-21 20:42 . 2010-09-21 20:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2010-09-21 20:35 . 2010-09-21 20:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee

2010-09-20 21:03 . 2010-09-20 21:03 -------- d-----w- c:\documents and settings\piked\Application Data\Xerox

2010-09-20 21:01 . 2010-09-20 21:01 -------- d-----w- c:\documents and settings\piked\Application Data\Malwarebytes

2010-09-20 20:59 . 2010-09-20 20:59 59928 ----a-w- c:\documents and settings\piked\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-09-20 20:39 . 2010-09-20 20:39 503808 ----a-w- c:\documents and settings\piked\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-46c4cc5a-n\msvcp71.dll

2010-09-20 20:39 . 2010-09-20 20:39 499712 ----a-w- c:\documents and settings\piked\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-46c4cc5a-n\jmc.dll

2010-09-20 20:39 . 2010-09-20 20:39 348160 ----a-w- c:\documents and settings\piked\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-46c4cc5a-n\msvcr71.dll

2010-09-20 20:39 . 2010-09-20 20:39 61440 ----a-w- c:\documents and settings\piked\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3cdbe6fc-n\decora-sse.dll

2010-09-20 20:39 . 2010-09-20 20:39 12800 ----a-w- c:\documents and settings\piked\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3cdbe6fc-n\decora-d3d.dll

2010-09-20 19:25 . 2010-09-20 19:25 -------- d-----w- c:\documents and settings\piked\Application Data\SUPERAntiSpyware.com

2010-09-20 19:25 . 2010-09-20 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-09-20 19:04 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-20 19:04 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-20 18:59 . 2010-09-20 19:00 -------- d-----w- c:\temp\MotoConnectTemp

2010-09-20 18:59 . 2010-09-20 18:59 -------- d-----w- C:\Temp

2010-09-20 18:20 . 2010-09-20 18:20 -------- d-----w- c:\windows\system32\wbem\Repository

2010-09-20 18:19 . 2010-09-20 18:19 -------- d-----w- c:\documents and settings\husseR\Application Data\smkits

2010-09-20 18:19 . 2010-09-20 18:19 -------- d-----w- C:\RATrendData

2010-09-20 18:18 . 2010-09-20 18:18 -------- d-----w- C:\PhoneTool

2010-09-20 18:18 . 2010-09-20 18:18 -------- d-----w- C:\HEMtemp

2010-09-20 18:18 . 2010-09-20 18:18 -------- d-----w- C:\CGCM

2010-09-20 18:18 . 2010-09-20 18:18 -------- d-----w- c:\program files\Fiery

2010-09-20 18:18 . 2010-09-20 18:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2010-09-20 18:18 . 2010-09-20 18:18 -------- d-----w- c:\program files\Common Files\EFI

2010-09-20 18:18 . 2010-09-20 18:18 -------- d-----w- c:\program files\Avanquest update

2010-09-20 18:18 . 2010-09-20 18:18 -------- d-----w- c:\documents and settings\husseR\Application Data\InstallShield

2010-09-20 18:15 . 2010-09-20 18:18 -------- d-----w- c:\program files\ThermaCAM Report Viewer 2000 Dec 02 Ed

2010-09-20 18:15 . 2010-09-20 18:16 -------- d-----w- c:\program files\My Company Name

2010-09-20 18:15 . 2010-09-20 18:16 -------- d-----w- c:\program files\Investintech.com Inc

2010-09-20 18:15 . 2010-09-20 18:15 -------- d-----w- c:\program files\Visioneer OneTouch

2010-09-20 18:15 . 2010-09-20 18:15 -------- d-----w- c:\program files\Visicom Media

2010-09-20 18:15 . 2010-09-20 18:15 -------- d-----w- c:\program files\VideoLAN

2010-09-20 18:15 . 2010-09-20 18:15 -------- d-----w- c:\program files\TriActive

2010-09-20 18:15 . 2010-09-20 18:15 -------- d-----w- c:\program files\New River Kinematics

2010-09-20 18:15 . 2010-09-20 18:15 -------- d-----w- c:\program files\Google

2010-09-17 19:26 . 2010-09-17 19:26 -------- d-----w- c:\documents and settings\piked\Application Data\McAfee

2010-09-17 14:03 . 2010-09-17 14:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-17 14:03 . 2010-09-21 16:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-21 20:38 . 1980-01-01 08:00 138368 ----a-w- c:\windows\system32\drivers\afd.sys

2010-09-20 18:18 . 2007-11-08 12:23 -------- d-----w- c:\program files\Motorola Phone Tools

2010-09-17 13:45 . 2005-01-29 17:39 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-09-17 12:59 . 2009-04-02 14:18 -------- d-----w- c:\program files\Motorola

2010-09-17 12:56 . 2007-11-08 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software

2010-09-17 12:54 . 2006-01-17 13:31 -------- d-----w- c:\program files\Citrix

2010-08-31 15:29 . 2010-04-22 19:16 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-03 20:14 . 2010-08-03 20:14 -------- d-----w- c:\documents and settings\husseR\Application Data\McAfee

2010-08-03 20:12 . 2010-08-03 20:12 5292733 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Common Framework\Current\EPOAGENT3000\Install\0409\FramePkg.exe

2010-08-03 13:58 . 2010-08-03 13:58 503808 ----a-w- c:\documents and settings\husseR\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-76955abf-n\msvcp71.dll

2010-08-03 13:58 . 2010-08-03 13:58 499712 ----a-w- c:\documents and settings\husseR\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-76955abf-n\jmc.dll

2010-08-03 13:58 . 2010-08-03 13:58 348160 ----a-w- c:\documents and settings\husseR\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-76955abf-n\msvcr71.dll

2010-08-03 13:58 . 2010-08-03 13:58 61440 ----a-w- c:\documents and settings\husseR\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-38d9775b-n\decora-sse.dll

2010-08-03 13:58 . 2010-08-03 13:58 12800 ----a-w- c:\documents and settings\husseR\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-38d9775b-n\decora-d3d.dll

2010-07-27 17:41 . 2010-07-27 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Macrovision

2010-07-27 17:40 . 2010-07-27 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\WFCU

2010-07-07 18:23 . 2010-07-07 18:23 45056 ----a-w- c:\documents and settings\All Users\Application Data\Rockwell Automation\RSLogix 5000\root\c42821f4\afb6e0d8\assembly\dl3\5f451c84\0090c3f6_bd90c901\Logix5000.Reports.Generator.DLL

2010-01-07 00:07 . 2010-01-04 17:05 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-09-21_16.53.03 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-09-21 21:56 . 2010-09-21 21:56 16384 c:\windows\temp\Perflib_Perfdata_118.dat

+ 2005-03-07 17:55 . 2010-09-21 20:32 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2005-03-07 17:55 . 2010-09-21 16:08 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2005-03-07 17:55 . 2010-09-21 20:32 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2005-03-07 17:55 . 2010-09-21 16:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2010-09-21 18:23 . 2010-09-21 20:32 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2005-03-07 17:55 . 2010-09-21 16:08 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-04-20 438272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-10-22 114741]

"Sxplog"="c:\sxpinst\sxpstub.exe" [2004-03-18 20480]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-08-03 4493312]

"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-02 65536]

"nwiz"="nwiz.exe" [2004-08-03 917504]

"UsbCipHelper"="c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe" [2008-05-27 434176]

"NvMediaCenter"="NvMCTray.dll" [2004-08-03 86016]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2010-01-07 124240]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2007-03-07 20531]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2010-06-01 140608]

"SDJobCheck"="triggusr.exe" [bU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-920026266-839522115-14939\Scripts\Logon\0\0]

"Script"=US-Huhtamaki Screen Saver Settings.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-920026266-839522115-9228\Scripts\Logon\0\0]

"Script"=US-Huhtamaki Screen Saver Settings.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1343024091-920026266-839522115-9454\Scripts\Logon\0\0]

"Script"=US-Huhtamaki Screen Saver Settings.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start 3DxWare.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Start 3DxWare.lnk

backup=c:\windows\pss\Start 3DxWare.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

2007-03-09 15:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]

2004-04-20 10:01 438272 ----a-w- c:\program files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]

2003-07-15 20:36 319488 ----a-w- c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]

2003-07-17 08:19 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-02-27 17:31 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ERSvc"=2 (0x2)

"bufserv"=3 (0x3)

"Alerter"=2 (0x2)

"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\Rockwell Software\\FactoryTalk Activation\\lmgrd.exe"=

"c:\\Program Files\\Rockwell Software\\FactoryTalk Activation\\flexsvr.exe"=

R2 FactoryTalk Activation Service;FactoryTalk Activation Service;c:\program files\Rockwell Software\FactoryTalk Activation\lmgrd.exe [11/17/2003 7:50 PM 659456]

R2 FTActivationBoost;FactoryTalk Activation Helper;c:\program files\Rockwell Software\FactoryTalk Activation\Tools\FTActivationBoost.exe [9/29/2008 2:49 PM 66848]

R2 Lotus Notes Diagnostics;Lotus Notes Diagnostics;c:\program files\lotus\notes\nsd.exe [3/16/2010 5:59 PM 3391488]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [1/6/2010 8:07 PM 22816]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [1/4/2010 1:05 PM 70728]

R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [12/15/2009 8:34 AM 91392]

R2 SDService;Unicenter Software Delivery;c:\program files\CA\Unicenter Software Delivery\BIN\SDServ.exe [11/19/2003 11:29 AM 32768]

R2 ugiipqd;Unigraphics Plot Server (ugiipqd);c:\windows\system32\spool\ugplot\ugiipqd.exe [7/23/2003 8:07 PM 57344]

R2 WIMASvc;Scalable WinINSTALL Master Agent;c:\program files\Scalable\WinINSTALL\Bin\WIMASvc.exe [12/29/2008 9:01 PM 202048]

S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\piked\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\piked\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\piked\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\piked\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]

S1 VirtualBackplane;A-B Virtual Backplane;c:\windows\system32\Drivers\VirtualBackplane.sys --> c:\windows\system32\Drivers\VirtualBackplane.sys [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 2:10 PM 135664]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [1/4/2010 1:05 PM 66600]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [11/9/2009 4:48 PM 19712]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [11/9/2009 4:48 PM 8320]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/15/2009 8:35 AM 23936]

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 4:22 PM 34064]

S3 RsiKtControl;RsiKtControl;c:\windows\system32\RSIKT.SYS [7/5/2008 7:19 PM 39067]

S3 RSSERIAL;RSLinx Classic Serial Driver;c:\windows\system32\rsserial.sys [7/5/2008 7:19 PM 155440]

S3 TWXWD;TWXWD;c:\windows\system32\drivers\TwxWD.sys [8/5/2004 3:44 AM 26964]

S4 AdvTCPIPDataLogger;Advanced TCP/IP Data Logger service;c:\program files\Advanced TCP IP Data Logger\aipdlogsrv.exe --> c:\program files\Advanced TCP IP Data Logger\aipdlogsrv.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

.

------- Supplementary Scan -------

.

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: usdso-sirius

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

AddRemove-HijackThis - E:\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-21 18:16

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

UsbCipHelper = c:\program files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe????????????j?w??????@???D????? ??|P?E????|????????????1??|????P?E?????????4???????????????????>?@?????L???<??????|?????????????$???? ???D??????>@????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(908)

c:\program files\lotus\notes\npnotes.dll

- - - - - - - > 'explorer.exe'(196)

c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll

c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll

c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll

c:\windows\system32\msi.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-21 18:19:17

ComboFix-quarantined-files.txt 2010-09-21 22:19

ComboFix2.txt 2010-09-21 16:54

Pre-Run: 11,408,879,616 bytes free

Post-Run: 11,382,124,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 86F8AD237294B45771D0CF1C3FC0C697


This topic is now closed to further replies.