
3899072072:3085015063.exe in Process List



Summary:

Whenever I start my machine (Windows XP Home Edition Service Pack 3) a process named "3899072072:3085015063.exe" is immediately running and un-killable from the Windows Task Manager. Additionally, shortly after I enable my internet connection a svchost.exe process spikes to 100% CPU and AVG sometimes reports blocking malware. The two messages I've seen are:

1) boobfactorthumblogger.info - Exploit Blackhole Exploit Kit (Type 2060) in svchost.exe

2) Something about a Phoenix Toolkit attack

The list of services under the svchost.exe in question during the spike was: AudioSrv, CryptSvc, Dhcp, ERSvc, EventSystem, FastUserSwitchingCompatibility, helpsvc, lanmanserver, lanmanworkstation, Netman, RasMan, Schedule, seclogon, SENS, SharedAccess, ShellHWDetection, TapiSrv, Themes, TrkWks, W32Time, winmgmt, wscsvc, WZCSVC

Whatever it is also (so it seems) disables the full system scan ability of AVG and Malwarebytes, and they crash whenever I attempt to run them. So I had to do those scans in safe mode without the rogue process running. I had installed Avira as well, and the system scan found and quarantined "C:\WINDOWS\3899072072:3085015063.exe 'TR/Crypt.XPACK.Gen'[trojan]", but after I rebooted the machine it was back in the process list.

I did the steps in the instructions in safe mode as well, but if I need to run them in normal mode just let me know...

DDS.txt:

.

DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL

Internet Explorer: 8.0.6001.18702

Run by Nick at 19:25:46 on 2011-10-09

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.756 [GMT -4:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\taskmgr.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

uInternet Settings,ProxyOverride = *.local

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [<NO NAME>]

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [nForce Tray Options] sstray.exe /r

mRun: [inCD] c:\program files\ahead\incd\InCD.exe

mRun: [sunKistEM] c:\program files\emachines bay reader\shwiconem.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNDgwNzM2MTY4LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMi1MSUMrMi1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVVArMi1ERFQrNjA5MTItREQxMEYrMS1TVDEwRkFQUCsxLUwxME0rMi1GMTBNMTJBVCsxLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLUYxME0xMkFUQk4rMQ"&"prod=90"&"ver=10.0.1410

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\nick\application data\mozilla\firefox\profiles\bukxkstt.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

.

============= SERVICES / DRIVERS ===============

.

S1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-9 36000]

S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-9 86224]

S2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-9 110032]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-9 74640]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 AU;AU;c:\docume~1\nick\locals~1\temp\au.exe --> c:\docume~1\nick\locals~1\temp\AU.exe [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-10-09 05:37:20 -------- d-----w- c:\documents and settings\nick\local settings\application data\PCHealth

2011-10-09 05:36:19 -------- d-----w- c:\documents and settings\nick\application data\Avira

2011-10-09 05:35:41 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-10-09 05:35:41 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2011-10-09 05:35:41 -------- d-----w- c:\program files\Avira

2011-10-09 05:35:41 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-10-09 04:49:36 -------- d-----w- c:\documents and settings\nick\application data\AVG10

2011-10-08 21:24:42 -------- d-----w- c:\documents and settings\nick\application data\Malwarebytes

2011-10-08 21:24:25 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-10-08 21:24:22 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-08 21:24:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-08 21:21:01 72192 ----a-w- c:\windows\system32\tasklist.exe

2011-10-08 05:56:52 -------- d--h--w- c:\windows\PIF

.

==================== Find3M ====================

.

2011-10-03 13:13:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 19:26:23.03 ===============

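The process name in the summary has a colon after the directory, which in an NTFS path means the executable is stored as an alternate data stream attached to C:\WINDOWS\3899072072 rather than as a file that a directory listing would show. As an added example (not part of the thread or of any tool named in it), the script below walks lines in the DDS log format posted above and flags that pattern, executables started from a temp directory, entries DDS marked with [?], and security products reported disabled; the sample lines are constructed from the posted log, with the process name from the summary added to the Running Processes section since the posted log was taken in safe mode.

```python
import re

# Constructed sample in the DDS log format posted above (not the full log).
SAMPLE_DDS = """\
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
============== Running Processes ===============
C:\\WINDOWS\\system32\\svchost.exe -k netsvcs
C:\\WINDOWS\\3899072072:3085015063.exe
C:\\WINDOWS\\Explorer.EXE
============= SERVICES / DRIVERS ===============
S2 AntiVirService;Avira Realtime Protection;c:\\program files\\avira\\antivir desktop\\avguard.exe [2011-10-9 110032]
S3 AU;AU;c:\\docume~1\\nick\\locals~1\\temp\\au.exe --> c:\\docume~1\\nick\\locals~1\\temp\\AU.exe [?]
"""

# DDS section headers look like "=== Name ===".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# A Windows path: drive letter, colon, backslash, then up to a space or ';'.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s;]+")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def is_ads_path(path):
    """True if an NTFS path names an alternate data stream (file:stream).

    After the drive prefix "X:" a colon cannot occur in a normal file name,
    so a colon in the last path component means the executable lives in a
    stream attached to another file, which Explorer and "dir" do not list.
    """
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    last = body.rsplit("\\", 1)[-1]
    return ":" in last


def check_line(line, section):
    """Return the reasons a single DDS log line deserves a second look."""
    reasons = []
    if line.startswith("AV:") and "*Disabled" in line:
        reasons.append("security product reported disabled")
    paths = PATH_RE.findall(line)
    if section in ("Running Processes", "SERVICES / DRIVERS"):
        if any(is_ads_path(p) for p in paths):
            reasons.append("executable is an NTFS alternate data stream")
        if any(TEMP_RE.search(p) for p in paths):
            reasons.append("service or process runs from a temp directory")
    if section == "SERVICES / DRIVERS" and line.endswith("[?]"):
        reasons.append("DDS recorded no date/size for the file ([?])")
    return reasons


def triage(log_text):
    """Walk a DDS log and return [(line, reasons)] for every flagged line."""
    section = None
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        reasons = check_line(line, section)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_DDS):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Run against the sample it reports the disabled AVG entry, the alternate-data-stream process, and the AU service in the user's temp directory, while the Avira and svchost lines pass.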

  • Staff

Hi and welcome to Malwarebytes.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


screen317,

Thanks for the quick reply. Here are the logs (though I may have run MBAM out of order at the end...). There was a warning that Avira was running during ComboFix; it was in fact enabled, but I was in safe mode so it was not actively running at the time. It seems ComboFix found something, which is good news I hope.

TDSSKiller:

14:58:21.0656 1140 TDSS rootkit removing tool 2.6.7.0 Oct 10 2011 09:40:06

14:58:21.0718 1140 ============================================================

14:58:21.0718 1140 Current date / time: 2011/10/10 14:58:21.0718

14:58:21.0718 1140 SystemInfo:

14:58:21.0718 1140

14:58:21.0718 1140 OS Version: 5.1.2600 ServicePack: 3.0

14:58:21.0718 1140 Product type: Workstation

14:58:21.0718 1140 ComputerName: SKYNET

14:58:21.0718 1140 UserName: Nick

14:58:21.0718 1140 Windows directory: C:\WINDOWS

14:58:21.0718 1140 System windows directory: C:\WINDOWS

14:58:21.0718 1140 Processor architecture: Intel x86

14:58:21.0718 1140 Number of processors: 1

14:58:21.0718 1140 Page size: 0x1000

14:58:21.0718 1140 Boot type: Safe boot

14:58:21.0718 1140 ============================================================

14:58:25.0062 1140 Initialize success

14:58:37.0343 1160 ============================================================

14:58:37.0343 1160 Scan started

14:58:37.0343 1160 Mode: Manual;

14:58:37.0343 1160 ============================================================


15:00:21.0312 1160 TermDD - ok

15:00:21.0828 1160 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

15:00:21.0828 1160 TosIde - ok

15:00:22.0328 1160 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

15:00:22.0359 1160 Udfs - ok

15:00:22.0828 1160 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

15:00:22.0843 1160 ultra - ok

15:00:23.0531 1160 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

15:00:23.0718 1160 Update - ok

15:00:24.0234 1160 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys

15:00:24.0265 1160 USBAAPL - ok

15:00:24.0765 1160 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

15:00:24.0796 1160 usbaudio - ok

15:00:25.0281 1160 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

15:00:25.0296 1160 usbccgp - ok

15:00:25.0796 1160 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

15:00:25.0812 1160 usbehci - ok

15:00:26.0312 1160 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

15:00:26.0343 1160 usbhub - ok

15:00:26.0812 1160 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

15:00:26.0828 1160 usbohci - ok

15:00:27.0296 1160 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

15:00:27.0312 1160 usbscan - ok

15:00:27.0781 1160 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

15:00:27.0781 1160 USBSTOR - ok

15:00:28.0265 1160 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

15:00:28.0265 1160 usbuhci - ok

15:00:28.0750 1160 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

15:00:28.0765 1160 VgaSave - ok

15:00:29.0250 1160 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

15:00:29.0265 1160 viaagp - ok

15:00:29.0734 1160 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

15:00:29.0750 1160 ViaIde - ok

15:00:30.0250 1160 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

15:00:30.0265 1160 VolSnap - ok

15:00:30.0796 1160 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

15:00:30.0812 1160 Wanarp - ok

15:00:31.0265 1160 wanatw - ok

15:00:31.0687 1160 WDICA - ok

15:00:32.0187 1160 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

15:00:32.0218 1160 wdmaud - ok

15:00:33.0031 1160 winachsf (ce545a84bf3411e7516fa8da51ad9d93) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

15:00:33.0343 1160 winachsf - ok

15:00:34.0015 1160 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

15:00:34.0031 1160 WSTCODEC - ok

15:00:34.0593 1160 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

15:00:34.0625 1160 WudfPf - ok

15:00:35.0125 1160 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

15:00:35.0156 1160 WudfRd - ok

15:00:35.0296 1160 MBR (0x1B8) (1a0cf2f717fd6f57c8577c8fc1dde7fc) \Device\Harddisk0\DR0

15:00:35.0531 1160 \Device\Harddisk0\DR0 - ok

15:00:35.0562 1160 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk5\DR10

15:00:35.0562 1160 \Device\Harddisk5\DR10 - ok

15:00:35.0593 1160 Boot (0x1200) (724747cbb035c322b0a3705d1b03c08e) \Device\Harddisk0\DR0\Partition0

15:00:35.0609 1160 \Device\Harddisk0\DR0\Partition0 - ok

15:00:35.0625 1160 Boot (0x1200) (334fb0eb25283e06cd56da47f71d91a7) \Device\Harddisk5\DR10\Partition0

15:00:35.0625 1160 \Device\Harddisk5\DR10\Partition0 - ok

15:00:35.0640 1160 ============================================================

15:00:35.0640 1160 Scan finished

15:00:35.0640 1160 ============================================================

15:00:35.0687 1152 Detected object count: 0

15:00:35.0687 1152 Actual detected object count: 0

15:00:53.0250 1136 Deinitialize success

ComboFix :

ComboFix 11-10-10.02 - Nick 10/10/2011 15:14:03.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.684 [GMT -4:00]

Running from: c:\documents and settings\Nick\Desktop\round2\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Nick\Application Data\Adobe\plugs

c:\documents and settings\Nick\Application Data\Adobe\shed

c:\documents and settings\Nick\WINDOWS

c:\windows\$NtUninstallKB53257$\1209952232\@

c:\windows\$NtUninstallKB53257$\1209952232\bckfg.tmp

c:\windows\$NtUninstallKB53257$\1209952232\cfg.ini

c:\windows\$NtUninstallKB53257$\1209952232\Desktop.ini

c:\windows\$NtUninstallKB53257$\1209952232\keywords

c:\windows\$NtUninstallKB53257$\1209952232\kwrd.dll

c:\windows\$NtUninstallKB53257$\1209952232\L\mrupfpgo

c:\windows\$NtUninstallKB53257$\1209952232\lsflt7.ver

c:\windows\$NtUninstallKB53257$\1209952232\U\00000001.@

c:\windows\$NtUninstallKB53257$\1209952232\U\00000002.@

c:\windows\$NtUninstallKB53257$\1209952232\U\80000000.@

c:\windows\$NtUninstallKB53257$\1209952232\U\80000032.@

c:\windows\$NtUninstallKB53257$\4184624671

c:\windows\help\wmplayer.bak

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\d3d9caps.dat

c:\windows\system32\hack

c:\windows\system32\hack\OEMLINK\OEM1.reg

c:\windows\system32\hack\OEMLINK\OEM2.reg

c:\windows\system32\hack\OEMLINK\OEM3.reg

c:\windows\system32\sstray.exe

c:\windows\tsoc.log

c:\windows\$NtUninstallKB53257$ . . . . Failed to delete

.

Infected copy of c:\windows\system32\drivers\ati2mtag.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_481e67e8

.

.

((((((((((((((((((((((((( Files Created from 2011-09-10 to 2011-10-10 )))))))))))))))))))))))))))))))

.

.

2011-10-10 19:10 . 2004-08-04 05:29 701440 ----a-w- c:\windows\system32\drivers\ati2mtag.sys

2011-10-09 05:37 . 2011-10-09 05:37 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\PCHealth

2011-10-09 05:36 . 2011-10-09 05:36 -------- d-----w- c:\documents and settings\Nick\Application Data\Avira

2011-10-09 05:35 . 2011-10-09 05:35 -------- d-----w- c:\program files\Avira

2011-10-09 05:35 . 2011-10-09 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-10-09 05:35 . 2011-09-18 12:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-10-09 05:35 . 2011-09-16 03:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2011-10-09 05:35 . 2011-09-16 03:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-10-09 04:49 . 2011-10-09 04:49 -------- d-----w- c:\documents and settings\Nick\Application Data\AVG10

2011-10-08 21:24 . 2011-10-08 21:24 -------- d-----w- c:\documents and settings\Nick\Application Data\Malwarebytes

2011-10-08 21:24 . 2011-10-08 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-10-08 21:24 . 2011-10-08 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-08 21:24 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-08 21:21 . 2011-10-08 21:07 72192 ----a-w- c:\windows\system32\tasklist.exe

2011-10-08 05:56 . 2011-10-08 05:56 -------- d--h--w- c:\windows\PIF

2011-10-08 01:25 . 2011-10-08 20:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-03 13:13 . 2011-05-23 23:26 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-16 23:45 . 2011-08-07 22:03 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-03-04 2904064]

"nwiz"="nwiz.exe" [2004-03-04 782336]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-03-04 46080]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2003-12-18 1241138]

"SunKistEM"="c:\program files\eMachines Bay Reader\shwiconem.exe" [2004-03-12 135168]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]

"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-05 258512]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNDgwNzM2MTY4LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMi1MSUMrMi1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVVArMi1ERFQrNjA5MTItREQxMEYrMS1TVDEwRkFQUCsxLUwxME0rMi1GMTBNMTJBVCsxLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLUYxME0xMkFUQk4rMQ&prod=90&ver=10.0.1410" [?]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]

2003-06-04 15:01 496640 ------w- c:\windows\zHotkey.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 --sh--w- c:\program files\messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-10 07:50 155648 ------w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ------w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Documents and Settings\\Nick\\My Documents\\Play\\Games\\Minecraft\\minecraft-server\\Minecraft_Server.exe"=

"c:\\Documents and Settings\\Nick\\My Documents\\Play\\Games\\Minecraft\\Minecraft.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"25565:TCP"= 25565:TCP:Minecraft

"25565:UDP"= 25565:UDP:Minecraft

"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

.

R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/9/2011 1:35 AM 36000]

R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/9/2011 1:35 AM 86224]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 AU;AU;c:\docume~1\Nick\LOCALS~1\Temp\AU.exe --> c:\docume~1\Nick\LOCALS~1\Temp\AU.exe [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\bukxkstt.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

.

- - - - ORPHANS REMOVED - - - -

.

HKLM-Run-nForce Tray Options - sstray.exe

MSConfigStartUp-Freecorder FLV Service - c:\program files\Freecorder\FLVSrvc.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-10 15:24

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(456)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(2988)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Ahead\InCD\InCDsrv.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-10-10 15:30:26 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-10 19:30

.

Pre-Run: 42,788,114,432 bytes free

Post-Run: 43,126,894,592 bytes free

.

- - End Of File - - B1E516522605F70E03B88A804CC38771

MBAM :

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7904

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/10/2011 3:39:08 PM

mbam-log-2011-10-10 (15-39-08).txt

Scan type: Quick scan

Objects scanned: 179165

Time elapsed: 5 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS :

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Nick at 15:41:58 on 2011-10-10

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.671 [GMT -4:00]

.

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Ahead\InCD\InCDsrv.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\eMachines Bay Reader\shwiconem.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\PixArt\PAC7302\Monitor.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

uInternet Settings,ProxyOverride = *.local

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [inCD] c:\program files\ahead\incd\InCD.exe

mRun: [sunKistEM] c:\program files\emachines bay reader\shwiconem.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [PAC7302_Monitor] c:\windows\pixart\pac7302\Monitor.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNDgwNzM2MTY4LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMi1MSUMrMi1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVVArMi1ERFQrNjA5MTItREQxMEYrMS1TVDEwRkFQUCsxLUwxME0rMi1GMTBNMTJBVCsxLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLUYxME0xMkFUQk4rMQ"&"prod=90"&"ver=10.0.1410

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\nick\application data\mozilla\firefox\profiles\bukxkstt.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll

FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

.

============= SERVICES / DRIVERS ===============

.

R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-10-9 36000]

R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-10-9 86224]

R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-10-9 110032]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-10-9 74640]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 AU;AU;c:\docume~1\nick\locals~1\temp\au.exe --> c:\docume~1\nick\locals~1\temp\AU.exe [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-10-10 19:10:08 701440 ----a-w- c:\windows\system32\drivers\ati2mtag.sys

2011-10-10 19:05:58 98816 ----a-w- c:\windows\sed.exe

2011-10-10 19:05:58 518144 ----a-w- c:\windows\SWREG.exe

2011-10-10 19:05:58 256000 ----a-w- c:\windows\PEV.exe

2011-10-10 19:05:58 208896 ----a-w- c:\windows\MBR.exe

2011-10-09 05:37:20 -------- d-----w- c:\documents and settings\nick\local settings\application data\PCHealth

2011-10-09 05:36:19 -------- d-----w- c:\documents and settings\nick\application data\Avira

2011-10-09 05:35:41 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-10-09 05:35:41 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2011-10-09 05:35:41 -------- d-----w- c:\program files\Avira

2011-10-09 05:35:41 -------- d-----w- c:\documents and settings\all users\application data\Avira

2011-10-09 04:49:36 -------- d-----w- c:\documents and settings\nick\application data\AVG10

2011-10-08 21:24:42 -------- d-----w- c:\documents and settings\nick\application data\Malwarebytes

2011-10-08 21:24:25 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-10-08 21:24:22 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-08 21:24:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-08 21:21:01 72192 ----a-w- c:\windows\system32\tasklist.exe

2011-10-08 05:56:52 -------- d--h--w- c:\windows\PIF

.

==================== Find3M ====================

.

2011-10-03 13:13:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 15:42:26.60 ===============


  • Staff

Hi,

Please download this file and save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select Yes, and post the resultant log.

-screen317


ComboFix 11-10-13.03 - Nick 10/13/2011 12:20:57.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.699 [GMT -4:00]

Running from: c:\documents and settings\Nick\Desktop\round2\ComboFix.exe

Command switches used :: c:\documents and settings\Nick\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\windows\system32\d3d9caps.dat

.

.

((((((((((((((((((((((((( Files Created from 2011-09-13 to 2011-10-13 )))))))))))))))))))))))))))))))

.

.

2011-10-11 17:16 . 2011-10-11 17:16 -------- d-----w- c:\program files\iPod

2011-10-11 17:16 . 2011-10-11 17:17 -------- d-----w- c:\program files\iTunes

2011-10-11 17:12 . 2011-10-11 17:12 -------- d-----w- c:\program files\Bonjour

2011-10-10 19:10 . 2004-08-04 05:29 701440 ----a-w- c:\windows\system32\drivers\ati2mtag.sys

2011-10-09 05:37 . 2011-10-09 05:37 -------- d-----w- c:\documents and settings\Nick\Local Settings\Application Data\PCHealth

2011-10-09 05:36 . 2011-10-09 05:36 -------- d-----w- c:\documents and settings\Nick\Application Data\Avira

2011-10-09 05:35 . 2011-10-09 05:35 -------- d-----w- c:\program files\Avira

2011-10-09 05:35 . 2011-10-09 05:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2011-10-09 05:35 . 2011-09-18 12:39 134344 ----a-w- c:\windows\system32\drivers\avipbb.sys

2011-10-09 05:35 . 2011-09-16 03:55 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2011-10-09 05:35 . 2011-09-16 03:55 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2011-10-09 04:49 . 2011-10-09 04:49 -------- d-----w- c:\documents and settings\Nick\Application Data\AVG10

2011-10-08 21:24 . 2011-10-08 21:24 -------- d-----w- c:\documents and settings\Nick\Application Data\Malwarebytes

2011-10-08 21:24 . 2011-10-08 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-10-08 21:24 . 2011-10-08 23:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-10-08 21:24 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-08 21:21 . 2011-10-08 21:07 72192 ----a-w- c:\windows\system32\tasklist.exe

2011-10-08 05:56 . 2011-10-08 05:56 -------- d--h--w- c:\windows\PIF

2011-10-08 01:25 . 2011-10-08 20:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-03 13:13 . 2011-05-23 23:26 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 03:05 . 2011-08-31 03:05 83816 ----a-w- c:\windows\system32\dns-sd.exe

2011-08-31 03:05 . 2011-08-31 03:05 73064 ----a-w- c:\windows\system32\dnssd.dll

2011-08-31 03:05 . 2011-08-31 03:05 50536 ----a-w- c:\windows\system32\jdns_sd.dll

2011-08-31 03:05 . 2011-08-31 03:05 178536 ----a-w- c:\windows\system32\dnssdX.dll

2011-08-02 21:38 . 2010-10-25 05:37 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll

2011-08-02 21:38 . 2010-10-25 05:37 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2011-08-16 23:45 . 2011-08-07 22:03 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-10-10_19.24.42 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-10-13 16:08 . 2011-10-13 16:08 16384 c:\windows\Temp\Perflib_Perfdata_6c.dat

+ 2011-10-11 17:13 . 2011-02-18 20:36 41984 c:\windows\system32\ReinstallBackups\0013\DriverFiles\usbaapl.sys

+ 2011-10-11 17:13 . 2011-08-02 21:38 42496 c:\windows\system32\DRVSTORE\usbaapl_091115F4EDEB41DBA0EC91574CE905B4E0482482\usbaapl.sys

+ 2011-10-11 17:13 . 2011-08-02 21:38 18432 c:\windows\system32\DRVSTORE\netaapl_63AA05C4700EB9CAF2D048DAC1D06D764A0D4C41\netaapl.sys

+ 2011-10-11 17:09 . 2011-10-11 17:09 27136 c:\windows\Installer\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}\AppleSoftwareUpdateIco.exe

+ 2011-05-14 05:17 . 2011-05-14 05:17 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcr80.dll

+ 2011-05-14 05:12 . 2011-05-14 05:12 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcp80.dll

+ 2011-05-14 05:11 . 2011-05-14 05:11 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcm80.dll

+ 2011-10-11 17:17 . 2011-10-11 17:17 380928 c:\windows\Installer\{29ED20C9-5E15-4969-9279-25BF3727A3DA}\iTunesIco.exe

+ 2011-10-11 17:13 . 2011-02-18 20:36 4184352 c:\windows\system32\ReinstallBackups\0013\DriverFiles\usbaaplrc.dll

+ 2011-10-11 17:13 . 2011-08-02 21:38 4517664 c:\windows\system32\DRVSTORE\usbaapl_091115F4EDEB41DBA0EC91574CE905B4E0482482\usbaaplrc.dll

+ 2011-10-11 17:13 . 2010-04-20 00:29 1461992 c:\windows\system32\DRVSTORE\netaapl_63AA05C4700EB9CAF2D048DAC1D06D764A0D4C41\wdfcoinstaller01009.dll

+ 2011-10-11 17:17 . 2011-10-11 17:17 5235200 c:\windows\Installer\d5d46.msi

+ 2011-10-11 17:13 . 2011-10-11 17:13 1717248 c:\windows\Installer\d5361.msi

+ 2011-10-11 17:12 . 2011-10-11 17:12 2002432 c:\windows\Installer\d5304.msi

+ 2011-10-11 17:12 . 2011-10-11 17:12 1532928 c:\windows\Installer\d52b2.msi

+ 2011-10-11 17:09 . 2011-10-11 17:09 1769984 c:\windows\Installer\d518a.msi

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-03-04 2904064]

"nwiz"="nwiz.exe" [2004-03-04 782336]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-03-04 46080]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2003-12-18 1241138]

"SunKistEM"="c:\program files\eMachines Bay Reader\shwiconem.exe" [2004-03-12 135168]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-05 258512]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNDgwNzM2MTY4LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMi1MSUMrMi1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVVArMi1ERFQrNjA5MTItREQxMEYrMS1TVDEwRkFQUCsxLUwxME0rMi1GMTBNMTJBVCsxLUYxME0xMkErMS1GMTBNMTJBQisxLVUxMCsxLUYxME0xMkFUQk4rMQ&prod=90&ver=10.0.1410" [?]

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]

2003-06-04 15:01 496640 ------w- c:\windows\zHotkey.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 --sh--w- c:\program files\messenger\msmsgs.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-10 07:50 155648 ------w- c:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 22:38 421888 ------w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\Documents and Settings\\Nick\\My Documents\\Play\\Games\\Minecraft\\minecraft-server\\Minecraft_Server.exe"=

"c:\\Documents and Settings\\Nick\\My Documents\\Play\\Games\\Minecraft\\Minecraft.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"25565:TCP"= 25565:TCP:Minecraft

"25565:UDP"= 25565:UDP:Minecraft

"6112:TCP"= 6112:TCP:Blizzard Downloader: 6112

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

.

R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/9/2011 1:35 AM 36000]

R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/9/2011 1:35 AM 86224]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S3 AU;AU;c:\docume~1\Nick\LOCALS~1\Temp\AU.exe --> c:\docume~1\Nick\LOCALS~1\Temp\AU.exe [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 21:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

FF - ProfilePath - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\bukxkstt.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-13 12:26

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(624)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2011-10-13 12:28:25

ComboFix-quarantined-files.txt 2011-10-13 16:28

.

Pre-Run: 41,197,985,792 bytes free

Post-Run: 41,182,396,416 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional Edition" /fastdetect /NoExecute=OptIn

.

- - End Of File - - B1304195A7A76FA794DD3C899287E890

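Reading a ComboFix log by hand is how the helpers here work; as an added illustration (not from the thread, from ComboFix, or from any of the tools named in it), the Python below runs a small triage pass over a few lines copied from the log above and encodes two of the checks a responder makes: an autostart or service whose image lives under a temp or user-profile directory (the `S3 AU` service pointing into `LOCALS~1\Temp`) or that the scanner could not date on disk (`[?]`), and the Security Center and firewall values that silence warnings (`AntiVirusOverride`, `FirewallOverride`, `DisableNotifications`). The regular expressions and the `SUPPRESSION_VALUES` table are my own assumptions about the line shapes shown in this log, not part of any tool.

```python
"""Triage pass over ComboFix-style log lines (added example, not from the thread)."""
import re

# Lines copied from the log above (services, Run keys, Security Center values).
SAMPLE_LINES = [
    r'R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/9/2011 1:35 AM 36000]',
    r'S3 AU;AU;c:\docume~1\Nick\LOCALS~1\Temp\AU.exe --> c:\docume~1\Nick\LOCALS~1\Temp\AU.exe [?]',
    r'"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-05 258512]',
    r'"AntiVirusOverride"=dword:00000001',
    r'"FirewallOverride"=dword:00000001',
    r'"DisableNotifications"= 1 (0x1)',
]

# Assumed line shapes (my regexes, derived from the log text, not ComboFix's spec).
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)$')        # "S3 name;display;path [meta]"
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]\s*$')       # "name"="path" [date size]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9A-Fa-f]{8})|(\d+)\s*\(0x[0-9A-Fa-f]+\))\s*$')
TEMP_DIR_RE = re.compile(r'\\(temp|locals~1|local settings|application data|appdata)\\', re.I)

# Values that, when 1, stop Windows from warning the user (assumed meanings).
SUPPRESSION_VALUES = {
    "AntiVirusOverride": "Security Center antivirus warnings suppressed",
    "FirewallOverride": "Security Center firewall warnings suppressed",
    "DisableNotifications": "Windows Firewall block notifications disabled",
}


def image_path_of(rest):
    """Extract the image path from 'path --> path [meta]' or 'path [meta]'."""
    rest = rest.split(' --> ')[0]
    idx = rest.rfind(' [')
    if idx != -1:
        rest = rest[:idx]
    return rest.strip()


def path_findings(path, missing):
    """Reasons to look twice at an autostart image path."""
    reasons = []
    if TEMP_DIR_RE.search(path):
        reasons.append("image path under a temp/user-profile directory")
    if missing:
        reasons.append("file could not be found/dated on disk ([?])")
    return reasons


def triage_line(line):
    """Return a list of (subject, reason) findings for one log line."""
    line = line.strip()
    m = SERVICE_RE.match(line)
    if m:
        status, name, _display, rest = m.groups()
        path = image_path_of(rest)
        missing = rest.rstrip().endswith('[?]')
        return [(f"service {name} ({status})", r) for r in path_findings(path, missing)]
    m = RUN_RE.match(line)
    if m:
        name, path, meta = m.groups()
        return [(f"Run entry {name}", r) for r in path_findings(path, meta.strip() == '?')]
    m = VALUE_RE.match(line)
    if m:
        name, hexval, decval = m.groups()
        value = int(hexval, 16) if hexval is not None else int(decval)
        if name in SUPPRESSION_VALUES and value == 1:
            return [(f"value {name}", SUPPRESSION_VALUES[name])]
    return []


def triage(lines):
    """Run triage_line over every line and collect the findings."""
    findings = []
    for line in lines:
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for subject, reason in triage(SAMPLE_LINES):
        print(f"{subject}: {reason}")
```

On the lines above this flags the `AU` service twice (temp path, undated file) and all three suppression values, and says nothing about the Avira driver or the `avgnt` Run entry; the point is that the signals are in the log's structure, so they can be pulled out mechanically before anyone reads the rest.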

  • Staff

Hi,

I notice that you are using more than one antivirus program (AVG and Antivir). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


I notice that you are using more than one antivirus program (AVG and Antivir). This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you go to Start -> Control Panel -> Add or Remove Programs and uninstall all but one antivirus program.

I had uninstalled AVG with their uninstall tool but there are some residual things left on the computer. It is not actually installed or running anymore. I think I just missed some final steps to completely remove it.

Here is the online scan result:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6528

# api_version=3.0.2

# EOSSerial=0c9d42fed4f86f48bc46d132532abfc3

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-10-17 04:53:34

# local_time=2011-10-17 12:53:34 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1792 16777175 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=106738

# found=1

# cleaned=0

# scan_time=3936

C:\WINDOWS\system32\drivers\mrxsmb.sys a variant of Win32/Kryptik.TKY trojan (unable to clean) 00000000000000000000000000000000 I

And the security check:

Results of screen317's Security Check version 0.99.24

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Avira Free Antivirus

ESET Online Scanner v3

Avira successfully updated!

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java Media Framework 2.1.1e

Java MP3 PlugIn

Java DB 10.5.3.0

Java 6 Update 22

Java SE Development Kit 6 Update 22

Java 2 Runtime Environment, SE v1.4.2

Out of date Java installed!

Adobe Flash Player ( 10.3.183.10) Flash Player Out of Date!

Mozilla Firefox (x86 en-US..)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Avira Antivir avgnt.exe

Avira Antivir avguard.exe

``````````End of Log````````````

What should I do about the file that was not cleaned by the online scan?


No worries, just glad to have the help.

For some reason I couldn't open their homepage, so I had to download the uploader and use that.

VirusTotal:

File name: mrxsmb.sys

Submission date: 2011-10-23 17:08:31 (UTC)

Current status: finished

Result: 23/ 43 (53.5%)

Antivirus Version Last Update Result

AhnLab-V3 2011.10.23.00 2011.10.23 Backdoor/Win32.ZAccess

AntiVir 7.11.16.107 2011.10.23 -

Antiy-AVL 2.0.3.7 2011.10.23 Trojan/Win32.ZAccess.gen

Avast 6.0.1289.0 2011.10.23 Win32:Crypt-KMR [Trj]

AVG 10.0.0.1190 2011.10.23 Agent_r.APW

BitDefender 7.2 2011.10.23 Trojan.Generic.KDV.373845

ByteHero 1.0.0.1 2011.09.23 -

CAT-QuickHeal 11.00 2011.10.23 -

ClamAV 0.97.0.0 2011.10.23 -

Commtouch 5.3.2.6 2011.10.23 -

Comodo 10540 2011.10.23 -

DrWeb 5.0.2.03300 2011.10.23 -

Emsisoft 5.1.0.11 2011.10.23 Trojan-Dropper.Win32.Sirefef!IK

eSafe 7.0.17.0 2011.10.17 -

eTrust-Vet 36.1.8633 2011.10.21 -

F-Prot 4.6.5.141 2011.10.23 -

F-Secure 9.0.16440.0 2011.10.23 Trojan.Generic.KDV.373845

Fortinet 4.3.370.0 2011.10.23 W32/Rorpian.C!tr

GData 22 2011.10.23 Trojan.Generic.KDV.373845

Ikarus T3.1.1.107.0 2011.10.23 Trojan-Dropper.Win32.Sirefef

Jiangmin 13.0.900 2011.10.23 Rootkit.ZAccess.ee

K7AntiVirus 9.116.5326 2011.10.22 RootKit

Kaspersky 9.0.0.837 2011.10.23 Rootkit.Win32.ZAccess.j

McAfee 5.400.0.1158 2011.10.23 Generic Dropper.va.ay

McAfee-GW-Edition 2010.1D 2011.10.23 Generic Dropper.va.ay

Microsoft 1.7801 2011.10.23 TrojanDropper:Win32/Sirefef.B

NOD32 6568 2011.10.23 a variant of Win32/Kryptik.TKY

Norman 6.07.13 2011.10.23 W32/ZAccess.AF

nProtect 2011-10-23.01 2011.10.23 Gen:Variant.Renos.37

Panda 10.0.3.5 2011.10.23 -

PCTools 8.0.0.5 2011.10.23 -

Prevx 3.0 2011.10.23 -

Rising 23.80.04.02 2011.10.21 -

Sophos 4.70.0 2011.10.23 Mal/ZAccess-A

SUPERAntiSpyware 4.40.0.1006 2011.10.22 -

Symantec 20111.2.0.82 2011.10.23 -

TheHacker 6.7.0.1.329 2011.10.23 Trojan/Kryptik.tky

TrendMicro 9.500.0.1008 2011.10.23 -

TrendMicro-HouseCall 9.500.0.1008 2011.10.23 -

VBA32 3.12.16.4 2011.10.21 Rootkit.ZAccess.j

VIPRE 10852 2011.10.23 Trojan-Dropper.Win32.Sirefef.b (v)

ViRobot 2011.10.22.4733 2011.10.23 -

VirusBuster 14.1.26.0 2011.10.23 -

MD5 : e48bc30c0e2085dbd06597cf01561e99

SHA1 : 08f38b5d2fb169690a39079d797e2113724596f1

SHA256: 442957568f6f03a6c529ba1b53d9b6ef4e3d56d599391857c6b870128880bd90

ssdeep: 12288:Tta0yyktJjYVFLtYgG3e/KWuKfGXlgPZ9:FyjJjFKKWuKfGXCh9

File size : 455936 bytes

First seen: 2011-10-23 17:08:31

Last seen : 2011-10-23 17:08:31

TrID:

Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:

publisher....: n/a

copyright....: n/a

product......: n/a

description..: n/a

original name: n/a

internal name: n/a

file version.: n/a

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x3F15

timedatestamp....: 0x4DB032C3 (Thu Apr 21 13:36:03 2011)

machinetype......: 0x14c (I386)

[[ 5 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x16917, 0x6A00, 7.79, e015abc9667ad36860477d36e9e879e9

.rdata, 0x18000, 0x37C, 0x400, 4.85, 4949a6e1621651205711f268ee7d31d4

.data, 0x19000, 0x51FF, 0x5200, 7.61, b9eb32d8a2c0dda10c3be6532a4e51d4

.rsrc, 0x1F000, 0x10, 0x200, 0.02, 4e3b2ec5da7200456d338156d854c01b

.reloc, 0x20000, 0x400, 0x400, 6.52, 678c80cf4f689a51636e12715d7377fc

[[ 1 import(s) ]]

ntoskrnl.exe: strcpy, ZwClose, RtlCompareString, RtlCreateRegistryKey, IoFreeIrp, RtlIntegerToUnicodeString, KeInitializeTimerEx, MmAllocateContiguousMemory, RtlEqualString, RtlEqualUnicodeString, RtlFindSetBits, IoGetRequestorProcessId, RtlInitUnicodeString, ZwCreateKey, ObReleaseObjectSecurity, RtlInitString, IoInvalidateDeviceRelations, IoUpdateShareAccess, RtlUpperString, RtlRemoveUnicodePrefix, CcFastMdlReadWait, FsRtlNotifyInitializeSync, KeUnstackDetachProcess, KeSetTimer, MmLockPagableSectionByHandle, KeCancelTimer, ExLocalTimeToSystemTime

[[ 15 export(s) ]]

WWCQ_GXgwrT__XQ__HgaL_M_, AZVFXOYD, ol_tDLUUOUldglYUGrlb_i_sjsikUd_lkjP, aip__tvXY_P_MYLOOks__OU__dRTS_QY_R, br__ZUHDFao___TQNBLEXD__W__NGnmLGJKXny_p___h, oypbrj_pMOCETaalilgmv_pyevjcOPUIherHKdflktw_E__ctafy, CUJYv__mtzqsh___CURW_L_Law_iO_fbaw__pMTDOZKSZ_, qzwIAfmst_Z__iow__n__, EVLBtoyQAXM, JA_NIJufZ___WXVqHNtq_bWUTJRWIBRHSICZ_v_d___jjtt__h_, JPVkp_DFFXNLKONAYzVMXGML__DKPFM_RT_Ee_u_pEP_W, jgs__uetrT_GUKXR_tmbwt__fYYSu_c_es_mmaker_MI, g_d_awFwrkDTAOVhzbhtg_b_nGU_Oxf_s_fjH_WQ, bdol_OTQKIE_M_LUCFUSPEU_FKK_A__SK_YVHGf__ie_tb, L_JOA_XCyz_texuIYOSJmp_fgOAS__U_bjURF_W_EB

ExifTool:

file metadata

CodeSize: 48128

EntryPoint: 0x3f15

FileSize: 445 kB

FileType: Win32 DLL

ImageVersion: 0.0

InitializedDataSize: 2560

LinkerVersion: 10.0

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 5.1

PEType: PE32

Subsystem: Native

SubsystemVersion: 5.1

TimeStamp: 2011:04:21 15:36:03+02:00

UninitializedDataSize: 0

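The section table in the PEInfo block is the most telling part of that report: `.text` has entropy 7.79 and a virtual size (0x16917) more than three times its raw size (0x6A00), which is what a driver that decompresses itself in memory looks like, `.data` is almost as dense, and the export names are obviously generated. As an added example (not from VirusTotal, the thread, or any tool named here), the Python below computes Shannon entropy the way that `ntropy` column does and applies two generic heuristics to the rows copied from the report. The 7.0 threshold and the "virtual size over twice raw size" ratio are my own triage assumptions, not VirusTotal's, and the sample buffers are constructed.

```python
"""PE section triage: Shannon entropy and size ratios (added example, not from the thread)."""
import math
import random
from collections import Counter

# Section rows as listed in the VirusTotal PEInfo block above:
# (name, virtual_address, virtual_size, raw_size, entropy)
SECTIONS = [
    (".text", 0x1000, 0x16917, 0x6A00, 7.79),
    (".rdata", 0x18000, 0x37C, 0x400, 4.85),
    (".data", 0x19000, 0x51FF, 0x5200, 7.61),
    (".rsrc", 0x1F000, 0x10, 0x200, 0.02),
    (".reloc", 0x20000, 0x400, 0x400, 6.52),
]

# Assumed thresholds: ordinary compiled x86 code typically sits well below 7
# bits per byte; compressed or encrypted data approaches 8.
HIGH_ENTROPY = 7.0
GROWTH_RATIO = 2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer: 0.0 for a constant, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_buffer(data: bytes, high: float = HIGH_ENTROPY) -> str:
    """Label a raw section body by its entropy."""
    return "high-entropy (packed/encrypted?)" if shannon_entropy(data) >= high else "normal"


def section_findings(sections, high=HIGH_ENTROPY, ratio=GROWTH_RATIO):
    """Apply two heuristics to (name, va, vsize, rsize, entropy) rows."""
    findings = []
    for name, _va, vsize, rsize, ent in sections:
        # Code and initialised data should not look like noise.
        if ent >= high and name in (".text", ".data"):
            findings.append((name, f"entropy {ent:.2f} in a code/data section: likely packed or encrypted"))
        # A section that is far larger in memory than on disk is room for unpacked code.
        if rsize and vsize > ratio * rsize:
            findings.append((name, f"virtual size 0x{vsize:X} exceeds {ratio}x raw size 0x{rsize:X}: grows in memory"))
    return findings


if __name__ == "__main__":
    # Constructed sample buffers: repeated text versus pseudo-random bytes.
    rng = random.Random(7)
    text_like = b"The quick brown fox jumps over the lazy dog. " * 100
    noise_like = bytes(rng.getrandbits(8) for _ in range(4096))
    for label, buf in (("text-like", text_like), ("noise-like", noise_like)):
        print(f"{label}: {shannon_entropy(buf):.2f} bits/byte -> {classify_buffer(buf)}")
    for name, reason in section_findings(SECTIONS):
        print(f"{name}: {reason}")
```

Run against the rows above this reports `.text` twice (entropy and growth) and `.data` once; a typical unpacked driver would report nothing. Entropy alone is not proof of malice, since legitimate installers and protectors also compress, which is why the size ratio, the native subsystem, the missing signature and the nonsense export names in the report are read together rather than one at a time.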

  • Staff

Hi,

I'm afraid I have bad news.

Your logs reveal a backdoor trojan. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modification of critical system files, and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.


Are you still with us? This topic will be closed in a few days if we do not hear back from you.

Yeah sorry about that... got caught up in some work. I am going to go with the reformat route and have a disk from the computer manufacturer that resets it to factory state. Is there any way to be sure that my files on the computer are clean and that it's just the underlying system that is compromised? I'd like to be able to save off all my documents and reload them after reformatting.


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
