I was working in Internet Explorer 7 (usually use Firefox except for special circumstances) with Win XP Pro SP3 and suddenly messages began popping up for all the programs: "DLL C:\Program\Google......dll is not a valid windows image. Please check this against your installation diskette." I shut the computer as soon as I could.

Before writing this, I checked your other posts under this trojan but they were all several years old and didn't help me any further than I got. I am keeping the laptop that is infected offline and using another until I can clean it up. I feel too much at risk since one of the items was a keylogger and so I have only run Malwarebytes (downloaded from another computer) and an old copy of HijackThis to produce the logs copied below.

I ran a full scan with Malwarebytes in Safe Mode. It quarantined 5 items (listed below). I rebooted and the error messages re-appeared. I ran Malwarebytes again, this time in quick mode and it found nothing even though the messages appeared whenever a program (notepad included) was opened. I deleted the files in quarantine, checked the registry to make sure they were gone (yes, Malwarebytes had removed them).

What can I do next without going online with the infected computer? (I could download from another computer and transfer by USB stick.) I appreciate any help you can give me. - Mary Ann

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

1/23/2011 5:04:58 PM

mbam-log-2011-01-23 (17-04-58).txt

Scan type: Full scan (C:\)

Objects scanned 265968

Time elapsed: 1 hour(s) 55 Minutes(s), 50 seconds(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Items Quarantined: (and ultimately deleted)

Backdoor.Padodor - registry key

Backdoor.Padodor - registry key

PUM.Disabled.Security Center - Registry Data

PUM.Disabled.Security Center - Registry Data

PUM.Disabled.Security Center - Registry Data

HKEY_CLASSES_ROOT\CLSID\{79FEACFF-FFCE-815E-A-900-316290B5B738}

HKEY_LOCAL-MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\ShellServiceObjectDelayLoad\WebEventLogger

HKEY_LOCAL-MACHINE\SOFTWARE\MICROSOFT\SecurityCenter\AntiVirusDisableNotify|1|0

HKEY_LOCAL-MACHINE\SOFTWARE\MICROSOFT\SecurityCenter\UpdatesDisableNotify|1|0

HKEY_LOCAL-MACHINE\SOFTWARE\MICROSOFT\SecurityCenter\FirewallDisableNotify|1|0

File copy of HijackThis run in SAFE mode:

Logfile of HijackThis v1.99.1

Scan saved at 9:43:54 PM, on 1/23/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17093)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll

O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon

O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client

O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ism\pinger.exe

O4 - HKLM\..\Run: [lxdqmon.exe] "C:\Program Files\Lexmark Z2400 Series\lxdqmon.exe"

O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe

O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark Z2400 Series\ezprint.exe"

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O4 - Global Startup: Media Card Companion Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\CCDACCESS\Office10\OSA.EXE

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O4 - Global Startup: Snagit 9.lnk = C:\Program Files\TechSmith\Snagit 9\Snagit32.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - https://aps.naples.net/webmin_tools/ScriptX.cab

O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://D:\CDVIEWER\CdViewer.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo1.walgreens.com/WalgreensActivia.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe

O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe

O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBServer.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: lxdqCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdqserv.exe

O23 - Service: lxdq_device - - C:\WINDOWS\system32\lxdqcoms.exe

O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)

O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


:)

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


I wish to continue with cleaning and accept that it will be impossible to be 100% sure that the machine is clean.

Mary Ann


Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner


1) Is it recommended that I do all this in SAFE mode or Normal mode? Which would be more likely to be successful?

2) Must I be online with the infected computer to execute all these programs or can I download them to an uninfected online computer and transfer and execute them on the infected computer?

Mary Ann


1) Is it recommended that I do all this in SAFE mode or Normal mode? Which would be more likely to be successful?
Normal if possible
2) Must I be online with the infected computer to execute all these programs or can I download them to an uninfected online computer and transfer and execute them on the infected computer?
You can transfer them

I tried Normal. I transferred the ATF Cleaner which is only around 50kb in size. I was not online. It would not open up.

Are you sure I don't have to be online to run these programs? I'm confused as to how a 50kb program could clean my system. Is this just a shortcut to a full version on the Internet and if so, can I download the full version somewhere?

Mary Ann


Update: I shut down the computer and rebooted in SAFE mode. I was able to run ATF Cleaner which cleared up about 68mb. I then ran GooredFix. I then ran TDSSKiller and it didn't find any infection. Logs below:

GooredFix by jpshortstuff (03.07.10.1)

Log created at 21:31 on 24/01/2011 (Administrator)

Firefox version 3.6.8 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\

{972ce4c6-7e08-4474-a285-3208198ce6fd} [17:42 29/04/2006]

{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [20:29 18/04/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]

"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [15:55 21/08/2009]

"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:29 18/04/2010]

"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG10\Firefox\" [15:48 04/12/2010]

-=E.O.F=-

2011/01/24 21:39:17.0615 TDSS rootkit removing tool 2.4.15.0 Jan 22 2011 19:37:53

2011/01/24 21:39:17.0615 ================================================================================

2011/01/24 21:39:17.0615 SystemInfo:

2011/01/24 21:39:17.0615

2011/01/24 21:39:17.0615 OS Version: 5.1.2600 ServicePack: 3.0

2011/01/24 21:39:17.0615 Product type: Workstation

2011/01/24 21:39:17.0615 ComputerName: TOSHIBA-WALLACE

2011/01/24 21:39:17.0625 UserName: Administrator

2011/01/24 21:39:17.0625 Windows directory: C:\WINDOWS

2011/01/24 21:39:17.0625 System windows directory: C:\WINDOWS

2011/01/24 21:39:17.0625 Processor architecture: Intel x86

2011/01/24 21:39:17.0625 Number of processors: 1

2011/01/24 21:39:17.0625 Page size: 0x1000

2011/01/24 21:39:17.0625 Boot type: Safe boot

2011/01/24 21:39:17.0625 ================================================================================

2011/01/24 21:39:18.0176 Initialize success

2011/01/24 21:39:24.0585 ================================================================================

2011/01/24 21:39:24.0585 Scan started

2011/01/24 21:39:24.0585 Mode: Manual;

2011/01/24 21:39:24.0585 ================================================================================


2011/01/24 21:40:29.0629 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2011/01/24 21:40:29.0989 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/01/24 21:40:30.0380 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/01/24 21:40:30.0720 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/01/24 21:40:31.0191 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys

2011/01/24 21:40:31.0492 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys

2011/01/24 21:40:31.0852 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2011/01/24 21:40:32.0553 SKYSCOUT (7e00e1c6f2cf9822f15d17ffb684a200) C:\WINDOWS\system32\DRIVERS\UsbScout.sys

2011/01/24 21:40:32.0944 SMCIRDA (9951b523fe6820f29ef010680cb692d2) C:\WINDOWS\system32\DRIVERS\smcirda.sys

2011/01/24 21:40:33.0484 smwdm (3a11abb30c6a64173f99c8c42e76827c) C:\WINDOWS\system32\drivers\smwdm.sys

2011/01/24 21:40:34.0085 snapman380 (5ce1cf27620b144e212d407cdb14d339) C:\WINDOWS\system32\DRIVERS\snman380.sys

2011/01/24 21:40:34.0796 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/01/24 21:40:35.0177 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/01/24 21:40:35.0668 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/01/24 21:40:36.0168 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/01/24 21:40:36.0509 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/01/24 21:40:37.0480 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys

2011/01/24 21:40:38.0371 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/01/24 21:40:38.0732 TBiosDrv (eeca2b57545e7b7be949b5e70e31444f) C:\WINDOWS\System32\drivers\TBiosDrv.sys

2011/01/24 21:40:39.0243 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/01/24 21:40:39.0693 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/01/24 21:40:40.0444 tdrpman174 (d953f161177dab3c8440844a9ab6e5a2) C:\WINDOWS\system32\DRIVERS\tdrpm174.sys

2011/01/24 21:40:41.0135 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/01/24 21:40:41.0486 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/01/24 21:40:41.0876 tifsfilter (6dcb8ddb481cd3c40fa68593723b4d89) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys

2011/01/24 21:40:42.0397 timounter (394fc70b88b7958fa85798bbc76d140a) C:\WINDOWS\system32\DRIVERS\timntr.sys

2011/01/24 21:40:42.0978 TMEI3E (dde020c16673b702d7235b0d96d34fd7) C:\WINDOWS\system32\Drivers\TMEI3E.SYS

2011/01/24 21:40:43.0649 tossmbnt (b3b20cd6ab0c9ef8feef9fbbe04f1cb2) C:\WINDOWS\system32\drivers\tossmbnt.sys

2011/01/24 21:40:44.0040 TVALZ (9d8fcc6099d641d7c2bdc7f41193bec5) C:\WINDOWS\system32\DRIVERS\TVALZ.SYS

2011/01/24 21:40:44.0430 U2SP (228d8e60bc9c5238587b0bf1654ec580) C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys

2011/01/24 21:40:44.0911 UdfReadr_xp (e398bde2e6c978f357faedff784ffd70) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys

2011/01/24 21:40:45.0311 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/01/24 21:40:46.0103 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/01/24 21:40:46.0683 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/01/24 21:40:46.0984 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/01/24 21:40:47.0324 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/01/24 21:40:47.0645 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/01/24 21:40:47.0975 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/01/24 21:40:48.0286 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/01/24 21:40:48.0646 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/01/24 21:40:48.0967 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/01/24 21:40:49.0588 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/01/24 21:40:50.0509 w22n51 (4c009d4352849d79bf347846b6e03bfd) C:\WINDOWS\system32\DRIVERS\w22n51.sys

2011/01/24 21:40:51.0741 w70n51 (3eccbb3689807787cd4c0fed20b1d0d8) C:\WINDOWS\system32\DRIVERS\w70n51.sys

2011/01/24 21:40:52.0352 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/01/24 21:40:52.0832 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2011/01/24 21:40:53.0623 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/01/24 21:40:54.0264 {6080A529-897E-4629-A488-ABA0C29B635E} (e6c22d34baef5196e1b23a4492c275b7) C:\WINDOWS\system32\drivers\ialmsbw.sys

2011/01/24 21:40:54.0705 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (6e53bd96b0ebad721cdd6320dbfc3f5f) C:\WINDOWS\system32\drivers\ialmkchw.sys

2011/01/24 21:40:55.0126 ================================================================================

2011/01/24 21:40:55.0126 Scan finished

2011/01/24 21:40:55.0126 ================================================================================

Link to post
Share on other sites
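A triage helper for a TDSSKiller-style driver listing like the one above, added here as an illustration and not taken from the thread or from the tool itself. It parses the `<date> <time> <service name> (<md5>) <path>` lines, skips the separator and status lines, and then flags what a reviewer would look at first: a driver loaded from outside the standard drivers directory, a GUID-style service name (confirm the vendor before trusting it), one MD5 registered under two different service names, and a hash missing from a known-good list. The sample log embeds a few lines copied from the listing above plus one constructed "Example" entry that is not in the posted log; the known-good list is illustrative only and in practice would come from the vendor or a trusted clean machine, never from the suspect one.

```python
"""Triage helper for a TDSSKiller-style driver listing (added example, not from the thread)."""
import re
from collections import defaultdict

# One log line per loaded driver, as in the TDSSKiller output posted above:
#   <date> <time> <service name> (<md5>) <full path>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

# Where kernel drivers live on a stock Windows XP install (compared case-insensitively).
EXPECTED_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed fixture: the first three driver lines and the trailer are copied from the
# log above; the "Example" line is invented for this demonstration and is NOT in that log.
SAMPLE_LOG = r"""
2011/01/24 21:40:12.0404 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/24 21:40:39.0243 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/24 21:40:54.0264 {6080A529-897E-4629-A488-ABA0C29B635E} (e6c22d34baef5196e1b23a4492c275b7) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/01/24 21:40:55.0000 Example (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\Temp\example.sys
2011/01/24 21:40:55.0126 ================================================================================
2011/01/24 21:40:55.0126 Scan finished
"""

# Illustrative allowlist built from hashes in the posted log. A real run would take
# these hashes from the vendor or a trusted clean machine, not from the suspect one.
KNOWN_GOOD = {
    "2f625d11385b1a94360bfc70aaefdee1": "Mup.sys",
    "9aefa14bd6b182d61e3119fa5f436d3d": "tcpip.sys",
}


def parse_log(text):
    """Return one dict per driver line; separator, status and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["md5"] = entry["md5"].lower()
            entries.append(entry)
    return entries


def triage(entries, known_good):
    """Return (service name, reason) pairs for entries that deserve a manual look."""
    findings = []
    names_by_hash = defaultdict(set)
    for e in entries:
        names_by_hash[e["md5"]].add(e["name"])
    for e in entries:
        if not e["path"].lower().startswith(EXPECTED_DIR):
            findings.append((e["name"], "loaded from outside the drivers directory"))
        if GUID_RE.match(e["name"]):
            findings.append((e["name"], "GUID-style service name; confirm the vendor"))
        if len(names_by_hash[e["md5"]]) > 1:
            findings.append((e["name"], "same MD5 registered under more than one service name"))
        if e["md5"] not in known_good:
            findings.append((e["name"], "MD5 not in the supplied known-good list"))
    return findings


if __name__ == "__main__":
    for name, why in triage(parse_log(SAMPLE_LOG), KNOWN_GOOD):
        print(f"{name}: {why}")
```

Feed it the full listing by reading the TDSSKiller log file into `parse_log` instead of `SAMPLE_LOG`; every hit is a prompt to verify the file, not a verdict, since legitimate vendor drivers do use GUID service names and non-default paths.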

Download Combofix from any of the links below but rename it to iexplore.exe before saving it to your desktop.

If need be, Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Note:

If combofix (iexplore.exe) won't run from the desktop, try running it from the USB device.

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save iexplore.exe to your Desktop

Double click on iexplore.exe (the renamed ComboFix.exe) & follow the prompts.

Be sure to download any updates.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.

Link to post
Share on other sites

Current Operation of Machine: After turning on, no matter if Safe or Normal, bad image notices appear first for services.exe (if I don't click OK on the notice, nothing will happen from then on - I have to click OK to get anywhere). As soon as I click OK, another box pops up, this time for lsass.exe - bad image with the same message: The application or DLL C:\PROGRA~1\Google\GOOGLE~1\GOE62~1.DLL is not a valid Windows image. Please check this against your installation diskette. After clicking OK I finally get the Windows message: Windows is starting up. I click on Administrator and another popup appears for userinit.exe bad image with the same message. Once I click OK, another message for explorer.exe bad image appears. After clicking OK I then get the Desktop Safe notice and eventually the desktop opens up.

If I look at Task Manager I have only 14 processes running in Safe Mode with Networking. I am suspicious about 2 duplicate entries showing different KB. (In Normal Mode there are perhaps 20 duplicates of some processes and all but one usually show the same KB. In SAFE the only two duplicates are svchost.exe SYSTEM 4,724K and svchost.exe SYSTEM 12,508K, if this means anything.)

I can't run ComboFix. I booted up in SAFE mode with Networking, attached the LAN cable and tried to run the renamed file from the desktop. I saw a quick Combo loading bar, it disappeared and then the bad image popups appeared: npif, iexplore, etc. If I don't click OK on the bad image popup message nothing happens with the computer. If I click OK, the only thing that happens is another bad image popup appears, perhaps 10 in a row for iexplore.exe.

What do I do?

Link to post
Share on other sites
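The "is not a valid Windows image" dialog the poster keeps hitting is what Windows XP shows when a process is told to load a DLL and the loader rejects the file before mapping it (the Win32 error behind it is ERROR_BAD_EXE_FORMAT). The block below is an added example, not code from this thread or from any of the tools mentioned in it: it reproduces the first header checks a 32-bit loader makes, on header bytes constructed inline, so the reader can see which defects produce that rejection (no MZ signature, an e_lfanew past the end of the file, no PE signature, a non-i386 machine field, or a PE32+ image offered to a 32-bit process). `build_headers` produces headers only, never a loadable module, and the constant names follow winnt.h.

```python
"""Minimal PE header validation mirroring the loader's first checks (added example)."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
IMAGE_FILE_DLL = 0x2000
SIZEOF_FILE_HEADER = 20                 # IMAGE_FILE_HEADER


def check_image(data):
    """Return (ok, reason) for raw file bytes, checking what a 32-bit loader checks first."""
    if len(data) < 0x40:
        return False, "shorter than a DOS header"
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False, "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + SIZEOF_FILE_HEADER > len(data):
        return False, "e_lfanew points past end of file"
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return False, "missing PE signature"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsect, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    if machine != IMAGE_FILE_MACHINE_I386:
        return False, f"machine 0x{machine:x} is not i386"
    opt_off = e_lfanew + 4 + SIZEOF_FILE_HEADER
    if opt_size < 2 or opt_off + 2 > len(data):
        return False, "optional header missing"
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        return False, "PE32+ image cannot be loaded into a 32-bit process"
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return False, f"unknown optional header magic 0x{magic:x}"
    return True, "headers parse as a 32-bit image"


def build_headers(machine=IMAGE_FILE_MACHINE_I386, magic=IMAGE_NT_OPTIONAL_HDR32_MAGIC):
    """Constructed DOS + NT headers for the demonstration; not a runnable module."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    optional = struct.pack("<H", magic) + bytes(0xE0 - 2)   # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(optional), IMAGE_FILE_DLL)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + optional


if __name__ == "__main__":
    cases = {
        "well-formed PE32": build_headers(),
        "PE32+ (64-bit)": build_headers(magic=IMAGE_NT_OPTIONAL_HDR64_MAGIC),
        "x64 machine": build_headers(machine=0x8664),
        "truncated": build_headers()[:0x60],
        "zero-filled": bytes(0x40),
    }
    for label, blob in cases.items():
        print(f"{label}: {check_image(blob)}")
```

Running `check_image` over the file named in the dialog (copied off the machine, not executed) tells you whether the loader is rejecting it for structural reasons; a file that passes these checks and is still rejected needs a closer look at its section table and import directory.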

Add/Remove Programs will not open (I didn't think Google was a program that would be in Add/Remove Programs?). And while having to click the OKs on bad image notices, ComboFix must still be in residence because a Windows message came up: Windows cannot open this file: nircmd.cfxxe. Use web service? Search on computer? When I have it browse on the computer and highlight Combo (iexplore) on the desktop, it only highlights Internet Explorer as the program to open it. Do I let it?

Link to post
Share on other sites

It did when I first started up - and it seems everything takes a long time to open up now - Add/Remove Programs just opened up, but only after I clicked to let IE open up the nircmd.cfxxe and also clicked on 3 bad image popups in a row. Something about having to click on the notices to work through for something to run.

Add/Remove Programs won't work in SAFE Mode. Just got the message: Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode or if the Windows Installer is not correctly installed. I only found Google Earth in the list. I don't have Google Chrome on that machine although I may have at one time. I use Google as a search engine and Google Calendar. I think I'm ruling out using Add/Remove Programs to help solve the problem.

If I get task manager to open up, what shall I do?

Link to post
Share on other sites

Latest Development: I have not yet downloaded fixAssociations.com - please advise whether I should download it or not after what has taken place while I was waiting to see if Task Manager would come up.

I had left off continuing to click OK on the bad image notices as they continually brought up the next process that apparently was trying to run - they looked like Combo files, and Combo had come up with a license agreement after I said to use I.E. to open nircmd.cfxxe.

Then Add/Remove Programs finally indicated it would work (I must have clicked on enough of the bad image notices to get to the process running it). Suspicious that ComboFix was still somehow working but slowed by these bad image notices, I just closed Add/Remove and continued clicking bad image notices until suddenly a ComboFix notice came up saying it couldn't go any further because AVG 2011 (free edition) was installed and had to be uninstalled (apparently no way to just stop the program), although it wasn't showing as a process under SAFE mode. I went to All Programs - AVG - Uninstall rather than use Add/Remove Programs. AVG came up and took me through the process of uninstalling and, when finished, said the machine needed to be rebooted before the changes could take effect. So I clicked OK and the machine rebooted in NORMAL mode - AND NO MORE BAD IMAGE NOTICES!

I opened Task Manager without problem, I have 79 processes running and took a Snagit screen shot of them so I could make a list. I do not see any duplicates other than svchost.exe SYSTEM 4,416K with varying KB and assume it is normal to have several svchost.exe processes running at the same time.

QUESTIONS:

It appears that starting up ComboFix and getting it to work up to the AVG notice may have been enough to clear up the problem. Do you think so? It did not, of course, finish or leave a log. Should I run ComboFix again now in normal mode? And/or should I run the fixAssociations program for good measure? Or leave well enough alone?

My immediate need now is to improve my security. I need to get another anti-virus program, but what else would you recommend to prevent backdoor trojans in addition to paid versions of Avira AntiVirus and Malwarebytes? Working with DSL troubleshooting, it's obvious I didn't have enough protection.

Thanks for all your help so far. Please let me know what you think in regard to my questions.

Mary Ann

Link to post
Share on other sites

ComboFix in progress with a setback - computer wasn't clean - SWREG.cfxxe bad image notice appeared, clicked OK, same process appeared again, but then the notices stopped. Gave a warning that the AVG real-time scanner was detected to be active and I should stop, but AVG is not in Task Manager processes, not in Programs, nor in Add/Remove Programs. ComboFix said it would proceed anyway. ComboFix wanted to go online for the Recovery Console and even though I was online, it said no connection and instead said it would scan for infected files, which apparently it is doing now.

In hindsight, I should have done a second reboot to make sure any hidden remnants of AVG weren't there, and although I had used Firefox, I probably should have opened it up to double-check the LAN connection.

Waiting for the scan to complete. Wondering if another run of ComboFix may be necessary.

Link to post
Share on other sites

Computer appears to have frozen. After almost 40 minutes of a screen showing the scanning message, I became suspicious it may not be scanning. Cannot access Task Manager, and clicking Start, Shut Down doesn't lead to anything.

Will work on getting the computer to shut down and will restart and run ComboFix again. Looks like 5 hours before I have any more to report due to another commitment.

Link to post
Share on other sites

Current situation: My second attempt at running ComboFix went a little better but still did not complete. ComboFix leads users to believe it'll take around 30 min max to scan. My old AVG (now uninstalled) would take almost 3 hours. I may not have been patient enough. After 2 hrs I saw nothing happening except the scanning notice and a blinker. Not knowing whether it was working (because it doesn't show you anything in progress), I decided to shut down and ended up having to power down to do so. I have now booted my computer for the third time in Normal mode, and ComboFix is again scanning. This time I will leave the computer on overnight if necessary to see if it finally gives me a log.

Summary: 1st attempt after uninstalling AVG: Normal boot, no bad image popups until ComboFix starts running, and then only two for swreg.cfxxe. Combo detects the AVG real-time scanner to be active although AVG is gone (maybe a leftover remnant in the registry?). It proceeds anyway. Tries to go online to download the Microsoft Recovery Console but fails because of no Internet connection. I power down the computer, unable to shut down normally.

Observations: Internet connection was on at the time of starting ComboFix. ComboFix closed the connection as part of its process (which I hadn't realized until after the 2nd attempt). ComboFix also changes the name of iexplore.exe on the desktop back to ComboFix when the user clicks on iexplore to execute the program. (I thought I had neglected to change the name, but during the 2nd attempt I observed Combo changing its shortcut.)

2nd attempt - deleted ComboFix from the desktop and put a new copy of iexplore on the desktop. Checked the Internet connection, left Firefox running on a web page and started ComboFix (iexplore). ComboFix started - NO BAD IMAGE POPUPS! Gave the notice about AVG, ignored, and gave a notice about the Internet connection. Since I was on LAN and had disabled Wireless, I just enabled Wireless and ComboFix proceeded to download and install the Recovery Console. Firefox disappeared, probably closed out by ComboFix as it again turned off the Internet connection after downloading the Recovery Console. Started scanning. After almost 2 hours, the blinking cursor remained blinking. I became concerned that it had frozen again and powered down the computer.

Observations: No bad image popups. Still detecting AVG but apparently not interfering (may have to investigate how to check the registry to remove any remaining AVG values - or they may disappear/be overwritten when I eventually install a new anti-virus program). Realized the Internet connection was a result of ComboFix stopping, no other problem. Recovery Console downloaded, although the red note says: If you have SP3, use the SP2 package - I was never given a choice and have no knowledge of what version of the Recovery Console ComboFix downloaded.

3rd attempt - Rebooted, deleted the old ComboFix shortcut and put a new copy of iexplore on the desktop. Executed, no bad image popups, ComboFix obviously checked and saw the Recovery Console now present because there was no further Internet connection notification and it went directly to the scanning process: "Scanning for infected files... This typically doesn't take more than 10 minutes. However scan times for badly infected machines may easily double." and a blinking cursor.

Observations: On the 2nd attempt I noticed my computer clock stopped when I started ComboFix. It did not stop this time and is back on system time. ComboFix (iexplore) has renamed itself to ComboFix. No "bad image" popups.

And that is where I'm at now. Reassure me, please - as long as I see a blinking cursor, it means ComboFix is running and I need not worry? I shall leave the computer on overnight if necessary and my hands won't touch the mouse or computer!

Link to post
Share on other sites

It's been over an hour. Cannot open Task Manager - I tried Ctrl-Alt-Delete, Ctrl-Shift-Esc, Start-Run-taskmgr, right-clicking the taskbar - none operative. I saw a note on the web that the scan will disable the desktop and if it does, to reboot to restore the desktop. I guess I have no choice but to reboot and am doing that now.

What do I do when I return to the desktop? Should I try running Malwarebytes again since this time I'm online and in Normal mode and can try updating for latest version other than the one I downloaded 2 days ago?

Link to post
Share on other sites

This topic is now closed to further replies.