
New infection for this PC.. SecureBill, INC


Vegittz


Hiya friends, I'm trying to help my friend fix their computer and have followed the directions in the "how to" forum... I got a lot of functionality back but the bug still persists. I ran Malwarebytes full scan and selected the remove function. Upon request to restart I did, and the system locked for a full 10 min; I hard powered (sorry >.<) and rebooted to some of the original symptoms. I still have every file on the HD marked as "Hidden" and the desktop is still wallpaperless (oh no ;))

Thanks for any help in advance!

As requested here are the two logs:

dds:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18

Run by Heather at 21:26:40 on 2011-11-10

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1344 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Messenger\MSMSGS.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [PhotoExplosionCalCheck] c:\program files\nova development\photo explosion 3.0 se\calcheck.exe

mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"

mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"

mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\documents and settings\heather\start menu\programs\startup\CurseClientStartup.ccip

dPolicies-explorer: NoDesktop = 1 (0x1)

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

TCP: Interfaces\{BB9D7449-46EA-4E27-9E4D-90E224B81761} : DhcpNameServer = 192.168.0.1 205.171.3.25

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\heather\application data\mozilla\firefox\profiles\xidn59ed.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=

FF - plugin: c:\documents and settings\heather\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\worldwinner.com, inc\worldwinner games\npwwload.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

.

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-10 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-10 22216]

S2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2011-7-18 99248]

.

=============== Created Last 30 ================

.

2011-11-11 04:15:18 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-11-11 03:34:05 6792 ----a-w- c:\windows\system32\0.4612228925453007.exe

2011-11-11 03:33:03 -------- d-----w- c:\documents and settings\heather\application data\Malwarebytes

2011-11-11 03:32:56 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-11 03:32:53 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-11 03:32:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-11 02:12:05 7077 ---ha-w- c:\windows\system32\0.7989301717041639.exe

2011-11-11 02:02:02 28160 ---ha-w- c:\windows\system32\dll.dll

2011-11-09 19:00:05 295762 ---ha-w- c:\windows\system32\shimg.dll

2011-11-09 18:59:36 7025 ---ha-w- c:\windows\system32\0.7134633267506013.exe

2011-11-09 04:28:38 6433 ---ha-w- c:\windows\system32\0.7358760714970098.exe

2011-11-09 04:28:31 6793 ---ha-w- c:\windows\system32\0.7235014016234915.exe

2011-11-09 04:28:25 7077 ---ha-w- c:\windows\system32\0.9024795825469005.exe

2011-11-09 04:27:24 7077 ---ha-w- c:\windows\system32\0.6106823250354919.exe

2011-11-04 02:41:49 -------- d--h--w- c:\documents and settings\heather\riotsGamesLogs

2011-11-04 02:41:10 -------- d--h--w- c:\documents and settings\heather\application data\LolClient

2011-11-04 02:27:55 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-03 22:29:52 -------- d--h--w- C:\Riot Games

2011-11-03 21:24:31 -------- d--h--w- c:\documents and settings\heather\local settings\application data\PMB Files

2011-11-03 21:24:29 -------- d--h--w- c:\documents and settings\all users\application data\PMB Files

2011-11-03 21:24:20 -------- d--h--w- c:\program files\Pando Networks

2011-10-22 05:41:20 -------- d--h--w- c:\program files\MSXML 4.0

.

==================== Find3M ====================

.

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST3160815AS rev.4.ADA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x88FEC49F]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x88ff3728]; MOV EAX, [0x88ff389c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x8A44DAB8]

3 CLASSPNP[0xBA0F905B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\00000059[0x8A4A9F18]

5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x8A467940]

\Driver\atapi[0x8A23B1D8] -> IRP_MJ_CREATE -> 0x88FEC49F

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x88FEC2C6

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 21:27:21.26 ===============

and attach:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 1/19/2010 3:26:29 PM

System Uptime: 11/10/2011 9:13:40 PM (0 hours ago)

.

Motherboard: Dell Inc. | | 0RY206

Processor: AMD Sempron Processor LE-1300 | Socket AM2 | 2310/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 149 GiB total, 99.095 GiB free.

D: is CDROM (CDFS)

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description:

Device ID: ACPI\AWY0001\2&DABA3FF&0

Manufacturer:

Name:

PNP Device ID: ACPI\AWY0001\2&DABA3FF&0

Service:

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: PCI Simple Communications Controller

Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&72ACDAA&0&4820

Manufacturer:

Name: PCI Simple Communications Controller

PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&72ACDAA&0&4820

Service:

.

==== System Restore Points ===================

.

RP304: 10/21/2011 7:16:11 PM - System Checkpoint

RP305: 10/21/2011 11:41:15 PM - Software Distribution Service 3.0

RP306: 10/31/2011 6:56:55 PM - System Checkpoint

RP307: 11/1/2011 7:32:56 PM - System Checkpoint

RP308: 11/3/2011 3:40:07 PM - System Checkpoint

RP309: 11/3/2011 4:29:51 PM - Installed League of Legends

RP310: 11/6/2011 8:31:13 PM - System Checkpoint

.

==== Installed Programs ======================

.

Adobe Flash Player 11 Plugin

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Bonjour

Curse Client

Driver Detective

High Definition Audio Driver Package - KB888111

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB935448)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

iTunes

Java Auto Updater

Java 6 Update 18

League of Legends

Lexmark 2500 Series

Lexmark Fax Solutions

Lexmark Toolbar

Malwarebytes' Anti-Malware version 1.51.2.1300

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Web Publishing Wizard 1.52

MobileMe Control Panel

Mozilla Firefox (3.6.23)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB973686)

NVIDIA Drivers

Pando Media Booster

Photo Explosion 3.0 Special Edition

QuickTime

Realtek High Definition Audio Driver

Safari

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows Media Player 8 (KB917734)

Security Update for Windows Media Player 9 (KB911565)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB944338-v2)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958470)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165-v2)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB981350)

Security Update for Windows XP (KB982381)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB898461)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB911280)

Update for Windows XP (KB925720)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB978207)

Update for Windows XP (KB980182)

WebFldrs XP

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781

Windows XP Service Pack 2

World of Warcraft

WorldWinner Games

Yahoo! BrowserPlus 2.9.8

.

==== Event Viewer Messages From Past Week ========

.

11/9/2011 11:54:10 AM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

11/9/2011 11:42:05 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

11/9/2011 11:41:25 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

11/8/2011 8:34:51 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxddCATSCustConnectService service to connect.

11/8/2011 8:34:51 PM, error: Service Control Manager [7000] - The lxddCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

11/10/2011 9:24:02 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).

11/10/2011 9:23:37 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

11/10/2011 9:23:29 PM, error: Service Control Manager [7034] - The lxdd_device service terminated unexpectedly. It has done this 1 time(s).

11/10/2011 9:23:25 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

11/10/2011 7:02:16 PM, error: SRService [104] - The System Restore initialization process failed.

11/10/2011 7:02:16 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: Access is denied.

.

==== End Of File ===========================

Any additional help would be GREAT ^_^ thanks again!


Hello Vegittz! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • I recommend that you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copied and pasted into your next reply.

Please follow the instructions here to try to run ComboFix tool:

www.bleepingcomputer.com/combofix/how-to-use-combofix#use

When you are ready, post the log.txt


Hi Maniac, I am in the process of running the ComboFix utility. Unfortunately it seems to have hung up. It went through the 50-stage process, then moved on to deleting files, and passed on to "Deleting Folders" and has been frozen there for about 20 min with no change or log creation. I still have it running in the background, but I fear it is stuck.


Great news! I rebooted and ran ComboFix again and got the log! So without further ado!

ComboFix 11-11-11.04 - Heather 11/11/2011 9:47.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1489 [GMT -7:00]

Running from: c:\documents and settings\Heather\My Documents\Downloads\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-10-11 to 2011-11-11 )))))))))))))))))))))))))))))))

.

.

2011-11-11 03:33 . 2011-11-11 03:33 -------- d-----w- c:\documents and settings\Heather\Application Data\Malwarebytes

2011-11-11 03:32 . 2011-11-11 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-11 03:32 . 2011-11-11 03:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-11 03:32 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-09 03:52 . 2011-11-09 03:52 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-11-04 02:41 . 2011-11-09 18:58 -------- d--h--w- c:\documents and settings\Heather\riotsGamesLogs

2011-11-04 02:41 . 2011-11-04 02:41 -------- d--h--w- c:\documents and settings\Heather\Application Data\LolClient

2011-11-04 02:27 . 2011-11-04 02:27 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-03 22:29 . 2011-11-03 22:29 -------- d-----w- C:\Riot Games

2011-11-03 21:24 . 2011-11-11 16:53 -------- d--h--w- c:\documents and settings\Heather\Local Settings\Application Data\PMB Files

2011-11-03 21:24 . 2011-11-09 18:59 -------- d--h--w- c:\documents and settings\All Users\Application Data\PMB Files

2011-11-03 21:24 . 2011-11-03 21:24 -------- d--h--w- c:\program files\Pando Networks

2011-10-22 05:41 . 2011-10-22 05:41 -------- d--h--w- c:\program files\MSXML 4.0

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-11-03 3077528]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-11-03 3077528]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-09-04 8466432]

"nwiz"="nwiz.exe" [2007-09-04 1626112]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-09-04 81920]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-02 421160]

"PhotoExplosionCalCheck"="c:\program files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe" [2006-09-20 69632]

"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-11 291760]

"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 312240]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]

.

c:\documents and settings\Heather\Start Menu\Programs\Startup\

CurseClientStartup.ccip [2011-1-1 0]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\lxddcoms.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\Heather\\Local Settings\\Apps\\2.0\\52A0Q1QR.KLH\\22952QH5.AZW\\curs..tion_eee711038731a406_0004.0000_0d453ed5fea2fe48\\CurseClient.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"57047:TCP"= 57047:TCP:Pando Media Booster

"57047:UDP"= 57047:UDP:Pando Media Booster

.

R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/10/2011 8:32 PM 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/10/2011 8:32 PM 22216]

S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [7/18/2011 2:24 PM 99248]

.

Contents of the 'Scheduled Tasks' folder

.

2010-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

FF - ProfilePath - c:\documents and settings\Heather\Application Data\Mozilla\Firefox\Profiles\xidn59ed.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-11 09:53

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

1Y5U7AYUVGXZYFXDCQRADEFD = c:\fonts\6DFBBA7729B.exe /q

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST3160815AS rev.4.ADA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5

.

device: opened successfully

user: MBR read successfully

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x890EE2C6

user & kernel MBR OK

.

**************************************************************************

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"1Y5U7AYUVGXZYFXDCQRADEFD"="c:\\Fonts\\6DFBBA7729B.exe /q"

.

Completion time: 2011-11-11 09:59:48

ComboFix-quarantined-files.txt 2011-11-11 16:59

.

Pre-Run: 106,604,175,360 bytes free

Post-Run: 106,614,173,696 bytes free

.

- - End Of File - - 45A23C2EB1AA5A1B367973B8C3BCA267


I ran MBAM again with no result, see log:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8136

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

11/11/2011 11:03:53 AM

mbam-log-2011-11-11 (11-03-53).txt

Scan type: Full scan (C:\|)

Objects scanned: 207544

Time elapsed: 28 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I also decided a new DDS may be useful:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18

Run by Heather at 11:19:02 on 2011-11-11

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1199 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe

C:\Program Files\Lexmark 2500 Series\lxddmon.exe

C:\Program Files\Lexmark 2500 Series\lxddamon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Pando Networks\Media Booster\PMB.exe

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lxddcoms.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [PhotoExplosionCalCheck] c:\program files\nova development\photo explosion 3.0 se\calcheck.exe

mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"

mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"

mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\documents and settings\heather\start menu\programs\startup\CurseClientStartup.ccip

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

TCP: Interfaces\{BB9D7449-46EA-4E27-9E4D-90E224B81761} : DhcpNameServer = 192.168.0.1 205.171.3.25

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\heather\application data\mozilla\firefox\profiles\xidn59ed.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=

FF - plugin: c:\documents and settings\heather\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\worldwinner.com, inc\worldwinner games\npwwload.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

.

============= SERVICES / DRIVERS ===============

.

R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-10 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-10 22216]

S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2011-7-18 99248]

.

=============== Created Last 30 ================

.

2011-11-11 17:34:43 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-11-11 15:53:30 -------- d-sha-r- C:\cmdcons

2011-11-11 15:51:28 98816 ----a-w- c:\windows\sed.exe

2011-11-11 15:51:28 518144 ----a-w- c:\windows\SWREG.exe

2011-11-11 15:51:28 256000 ----a-w- c:\windows\PEV.exe

2011-11-11 15:51:28 208896 ----a-w- c:\windows\MBR.exe

2011-11-11 03:33:03 -------- d-----w- c:\documents and settings\heather\application data\Malwarebytes

2011-11-11 03:32:56 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-11 03:32:53 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-11 03:32:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-04 02:41:49 -------- d-----w- c:\documents and settings\heather\riotsGamesLogs

2011-11-04 02:41:10 -------- d-----w- c:\documents and settings\heather\application data\LolClient

2011-11-04 02:27:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-03 22:29:52 -------- d-----w- C:\Riot Games

2011-11-03 21:24:31 -------- d-----w- c:\documents and settings\heather\local settings\application data\PMB Files

2011-11-03 21:24:29 -------- d-----w- c:\documents and settings\all users\application data\PMB Files

2011-11-03 21:24:20 -------- d-----w- c:\program files\Pando Networks

2011-10-22 05:41:20 -------- d-----w- c:\program files\MSXML 4.0

.

==================== Find3M ====================

.

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST3160815AS rev.4.ADA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x890EE49F]<<

c:\docume~1\heather\locals~1\temp\catchme.sys

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x890f5728]; MOV EAX, [0x890f589c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x8A4ECAB8]

3 CLASSPNP[0xBA0E905B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\00000059[0x8A4A9F18]

5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x8A463D98]

\Driver\atapi[0x8A28FA20] -> IRP_MJ_CREATE -> 0x890EE49F

error: Read A device attached to the system is not functioning.

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

detected hooks:

\Driver\atapi DriverStartIo -> 0x890EE2C6

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 11:19:38.29 ===============

And the attach:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 1/19/2010 3:26:29 PM

System Uptime: 11/11/2011 9:43:53 AM (2 hours ago)

.

Motherboard: Dell Inc. | | 0RY206

Processor: AMD Sempron Processor LE-1300 | Socket AM2 | 2310/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 149 GiB total, 99.32 GiB free.

D: is CDROM (CDFS)

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description:

Device ID: ACPI\AWY0001\2&DABA3FF&0

Manufacturer:

Name:

PNP Device ID: ACPI\AWY0001\2&DABA3FF&0

Service:

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: PCI Simple Communications Controller

Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&72ACDAA&0&4820

Manufacturer:

Name: PCI Simple Communications Controller

PNP Device ID: PCI\VEN_14F1&DEV_2F20&SUBSYS_200F14F1&REV_00\4&72ACDAA&0&4820

Service:

.

==== System Restore Points ===================

.

RP304: 10/21/2011 7:16:11 PM - System Checkpoint

RP305: 10/21/2011 11:41:15 PM - Software Distribution Service 3.0

RP306: 10/31/2011 6:56:55 PM - System Checkpoint

RP307: 11/1/2011 7:32:56 PM - System Checkpoint

RP308: 11/3/2011 3:40:07 PM - System Checkpoint

RP309: 11/3/2011 4:29:51 PM - Installed League of Legends

RP310: 11/6/2011 8:31:13 PM - System Checkpoint

.

==== Installed Programs ======================

.

Adobe Flash Player 11 Plugin

Apple Application Support

Apple Mobile Device Support

Apple Software Update

Bonjour

Curse Client

Driver Detective

High Definition Audio Driver Package - KB888111

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB935448)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

iTunes

Java Auto Updater

Java 6 Update 18

League of Legends

Lexmark 2500 Series

Lexmark Fax Solutions

Lexmark Toolbar

Malwarebytes' Anti-Malware version 1.51.2.1300

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Web Publishing Wizard 1.52

MobileMe Control Panel

Mozilla Firefox (3.6.23)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB973686)

NVIDIA Drivers

Pando Media Booster

Photo Explosion 3.0 Special Edition

QuickTime

Realtek High Definition Audio Driver

Safari

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows Media Player 8 (KB917734)

Security Update for Windows Media Player 9 (KB911565)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB944338-v2)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958470)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165-v2)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB981350)

Security Update for Windows XP (KB982381)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB898461)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB911280)

Update for Windows XP (KB925720)

Update for Windows XP (KB955759)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update for Windows XP (KB978207)

Update for Windows XP (KB980182)

WebFldrs XP

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781

Windows XP Service Pack 2

World of Warcraft

WorldWinner Games

Yahoo! BrowserPlus 2.9.8

.

==== Event Viewer Messages From Past Week ========

.

11/9/2011 11:54:10 AM, error: Service Control Manager [7031] - The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.

11/9/2011 11:44:00 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxddCATSCustConnectService service to connect.

11/9/2011 11:44:00 AM, error: Service Control Manager [7000] - The lxddCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

11/9/2011 11:42:05 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

11/9/2011 11:41:25 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

11/10/2011 9:24:02 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).

11/10/2011 9:23:37 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

11/10/2011 9:23:29 PM, error: Service Control Manager [7034] - The lxdd_device service terminated unexpectedly. It has done this 1 time(s).

11/10/2011 9:23:25 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

11/10/2011 7:02:16 PM, error: SRService [104] - The System Restore initialization process failed.

11/10/2011 7:02:16 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: Access is denied.

.

==== End Of File ===========================

Hope you can see what it is that's still there trying to send out to the malicious IP address. :/

Thanks for all your help !


Please do not scan with anything without my instructions; follow them closely, please...

Hope you can see what it is that's still there trying to send out to the malicious IP address. :/

I think I found it: TDL3 rootkit infection. You can find a lot of interesting articles about this infection, for example here: Rootkit TDL 3

Download the latest version of TDSSKiller from here and save it to your Desktop.

  1. Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  2. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  3. Click the Start Scan button.
  4. If a suspicious object is detected, the default action will be Skip, click on Continue.
  5. If malicious objects are found, they will show in the Scan results and offer three (3) options.
  6. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  7. Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

In your next reply, please include the log file from TDSSKiller and then a new fresh log file from DDS.
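The TDL3 diagnosis above rests on the ROOTKIT section of the DDS log in the previous post: the MBR reads back clean in both user and kernel mode, yet \Driver\atapi has its DriverStartIo and IRP_MJ_CREATE routines redirected to addresses the detector cannot attribute to any loaded module (the >>UNKNOWN [0x890EE49F]<< marker). That combination is the TDL3 pattern: it hooks the storage miniport in kernel memory below disk.sys rather than living in the MBR (TDL4's territory), which is one reason a file-level scan such as the MBAM run above can come back clean. The Python script below is an added example, not part of this thread or of DDS, GMER or TDSSKiller: it parses that section (the sample text is copied from the log above and trimmed), extracts the UNKNOWN addresses, hook lines and MBR status, and flags any storage-driver hook whose target is unattributed. The 64 KiB same-region heuristic and the STORAGE_DRIVERS list are this example's own assumptions.

```python
"""Triage the ROOTKIT section of a DDS log (the embedded GMER MBR/TDL detector output).

Added example for this thread; not part of DDS, GMER, TDSSKiller or the original posts.
The sample text is copied from the DDS log posted above and trimmed; the 64 KiB
"same region" heuristic and the STORAGE_DRIVERS list are this example's assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the rootkit section of the DDS log from the post above (trimmed).
SAMPLE_ROOTKIT_SECTION = r"""
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160815AS rev.4.ADA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x890EE49F]<<
1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x8A4ECAB8]
\Driver\atapi[0x8A28FA20] -> IRP_MJ_CREATE -> 0x890EE49F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x890EE2C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Storage-stack drivers whose dispatch/StartIo routines TDL3-class rootkits hook to filter
# disk I/O below disk.sys (assumed list; extend for the miniports in your environment).
STORAGE_DRIVERS = {"atapi", "disk", "iastor", "nvata", "nvgts", "amdide"}
# Heuristic (assumption): a target within 64 KiB of an address the detector marked
# UNKNOWN is treated as living in the same unattributed region.
UNKNOWN_WINDOW = 0x10000

HOOK_RE = re.compile(r"^\\Driver\\(\w+)\s+(\w+)\s+->\s+(0x[0-9A-Fa-f]+)")
IRP_RE = re.compile(r"^\\Driver\\(\w+)\[0x[0-9A-Fa-f]+\]\s+->\s+(IRP_MJ_\w+)\s+->\s+(0x[0-9A-Fa-f]+)")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


@dataclass
class RootkitTriage:
    unknown_addrs: List[int] = field(default_factory=list)
    hooks: List[Tuple[str, str, int]] = field(default_factory=list)  # (driver, routine, target)
    warnings: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)
    mbr_ok: bool = False
    suspicious: List[Tuple[str, str, int]] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.suspicious:
            return "storage-stack hook into unattributed kernel memory (TDL3-class)"
        if self.warnings:
            return "detector warning without hook evidence; review manually"
        return "no hook evidence"


def unattributed(addr: int, unknown_addrs: List[int]) -> bool:
    """True if the detector flagged addr itself, or addr lies in the same window as a flagged address."""
    return any(abs(addr - u) < UNKNOWN_WINDOW for u in unknown_addrs)


def triage(section: str) -> RootkitTriage:
    """Parse one ROOTKIT section and judge every hook once all UNKNOWN markers are known."""
    t = RootkitTriage()
    for raw in section.splitlines():
        line = raw.strip()
        t.unknown_addrs += [int(a, 16) for a in UNKNOWN_RE.findall(line)]
        if line.startswith("Warning:"):
            t.warnings.append(line)
        elif line.startswith("error:"):
            t.errors.append(line)
        elif line == "user & kernel MBR OK":
            t.mbr_ok = True
        else:
            m = HOOK_RE.match(line) or IRP_RE.match(line)
            if m:
                t.hooks.append((m.group(1).lower(), m.group(2), int(m.group(3), 16)))
    # Second pass: UNKNOWN markers can appear after a hook line, so judge hooks at the end.
    t.suspicious = [h for h in t.hooks
                    if h[0] in STORAGE_DRIVERS and unattributed(h[2], t.unknown_addrs)]
    return t


if __name__ == "__main__":
    r = triage(SAMPLE_ROOTKIT_SECTION)
    print("MBR OK:", r.mbr_ok)
    for drv, routine, target in r.suspicious:
        print(f"suspicious: \\Driver\\{drv} {routine} -> {target:#010x}")
    print("verdict:", r.verdict)
```

On this log the script reports both atapi entries as suspicious while the MBR checks pass, which is exactly why the next step is a TDL-aware tool (TDSSKiller with driver signature verification and TDLFS detection enabled) rather than another file scan. A clean MBR does not rule the family out; it only narrows it away from the MBR-resident TDL4 variant.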


As requested, the log file from the Kaspersky app:

17:26:13.0875 1980 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15

17:26:15.0875 1980 ============================================================

17:26:15.0875 1980 Current date / time: 2011/11/11 17:26:15.0875

17:26:15.0875 1980 SystemInfo:

17:26:15.0875 1980

17:26:15.0875 1980 OS Version: 5.1.2600 ServicePack: 2.0

17:26:15.0875 1980 Product type: Workstation

17:26:15.0875 1980 ComputerName: HOME-810I8BKMSF

17:26:15.0875 1980 UserName: Heather

17:26:15.0875 1980 Windows directory: C:\WINDOWS

17:26:15.0875 1980 System windows directory: C:\WINDOWS

17:26:15.0875 1980 Processor architecture: Intel x86

17:26:15.0875 1980 Number of processors: 1

17:26:15.0875 1980 Page size: 0x1000

17:26:15.0875 1980 Boot type: Normal boot

17:26:15.0875 1980 ============================================================

17:26:17.0093 1980 Initialize success

17:26:42.0343 2956 ============================================================

17:26:42.0343 2956 Scan started

17:26:42.0343 2956 Mode: Manual; SigCheck; TDLFS;

17:26:42.0343 2956 ============================================================

17:26:42.0640 2956 Abiosdsk - ok

17:26:42.0656 2956 abp480n5 - ok

17:26:42.0718 2956 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

17:26:44.0312 2956 ACPI - ok

17:26:44.0421 2956 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

17:26:44.0562 2956 ACPIEC - ok

17:26:44.0640 2956 adpu160m - ok

17:26:44.0703 2956 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys

17:26:44.0812 2956 aec - ok

17:26:44.0921 2956 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

17:26:44.0984 2956 AFD - ok

17:26:45.0000 2956 Aha154x - ok

17:26:45.0031 2956 aic78u2 - ok

17:26:45.0062 2956 aic78xx - ok

17:26:45.0093 2956 AliIde - ok

17:26:45.0125 2956 amsint - ok

17:26:45.0156 2956 asc - ok

17:26:45.0171 2956 asc3350p - ok

17:26:45.0203 2956 asc3550 - ok

17:26:45.0265 2956 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

17:26:45.0375 2956 AsyncMac - ok

17:26:45.0437 2956 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

17:26:45.0531 2956 atapi - ok

17:26:45.0578 2956 Atdisk - ok

17:26:45.0671 2956 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

17:26:45.0781 2956 Atmarpc - ok

17:26:45.0875 2956 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

17:26:45.0984 2956 audstub - ok

17:26:46.0015 2956 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

17:26:46.0140 2956 Beep - ok

17:26:46.0265 2956 catchme - ok

17:26:46.0390 2956 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

17:26:46.0500 2956 cbidf2k - ok

17:26:46.0515 2956 cd20xrnt - ok

17:26:46.0578 2956 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

17:26:46.0671 2956 Cdaudio - ok

17:26:46.0781 2956 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

17:26:46.0890 2956 Cdfs - ok

17:26:46.0953 2956 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

17:26:47.0046 2956 Cdrom - ok

17:26:47.0109 2956 Changer - ok

17:26:47.0140 2956 CmdIde - ok

17:26:47.0156 2956 Cpqarray - ok

17:26:47.0171 2956 dac2w2k - ok

17:26:47.0203 2956 dac960nt - ok

17:26:47.0265 2956 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

17:26:47.0359 2956 Disk - ok

17:26:47.0453 2956 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

17:26:47.0593 2956 dmboot - ok

17:26:47.0750 2956 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

17:26:47.0859 2956 dmio - ok

17:26:47.0968 2956 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

17:26:48.0062 2956 dmload - ok

17:26:48.0109 2956 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

17:26:48.0203 2956 DMusic - ok

17:26:48.0218 2956 dpti2o - ok

17:26:48.0281 2956 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

17:26:48.0390 2956 drmkaud - ok

17:26:48.0421 2956 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

17:26:48.0546 2956 Fastfat - ok

17:26:48.0656 2956 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys

17:26:48.0781 2956 Fdc - ok

17:26:48.0828 2956 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

17:26:48.0953 2956 Fips - ok

17:26:48.0984 2956 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys

17:26:49.0078 2956 Flpydisk - ok

17:26:49.0125 2956 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys

17:26:49.0234 2956 FltMgr - ok

17:26:49.0265 2956 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

17:26:49.0375 2956 Fs_Rec - ok

17:26:49.0421 2956 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

17:26:49.0531 2956 Ftdisk - ok

17:26:49.0656 2956 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

17:26:49.0671 2956 GEARAspiWDM - ok

17:26:49.0718 2956 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

17:26:49.0828 2956 Gpc - ok

17:26:49.0953 2956 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

17:26:50.0015 2956 HDAudBus - ok

17:26:50.0078 2956 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

17:26:50.0187 2956 hidusb - ok

17:26:50.0265 2956 hpn - ok

17:26:50.0312 2956 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

17:26:50.0406 2956 HTTP - ok

17:26:50.0468 2956 i2omgmt - ok

17:26:50.0500 2956 i2omp - ok

17:26:50.0562 2956 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\drivers\i8042prt.sys

17:26:50.0671 2956 i8042prt - ok

17:26:50.0750 2956 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

17:26:50.0875 2956 Imapi - ok

17:26:50.0890 2956 ini910u - ok

17:26:51.0062 2956 IntcAzAudAddService (dbc702fbc70dc58d9122ce56eadbd659) C:\WINDOWS\system32\drivers\RtkHDAud.sys

17:26:51.0234 2956 IntcAzAudAddService - ok

17:26:51.0328 2956 IntelIde - ok

17:26:51.0375 2956 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

17:26:51.0484 2956 ip6fw - ok

17:26:51.0515 2956 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

17:26:51.0609 2956 IpFilterDriver - ok

17:26:51.0703 2956 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

17:26:51.0828 2956 IpInIp - ok

17:26:51.0859 2956 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys

17:26:51.0968 2956 IpNat - ok

17:26:52.0000 2956 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

17:26:52.0109 2956 IPSec - ok

17:26:52.0156 2956 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

17:26:52.0265 2956 IRENUM - ok

17:26:52.0312 2956 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

17:26:52.0437 2956 isapnp - ok

17:26:52.0562 2956 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

17:26:52.0671 2956 Kbdclass - ok

17:26:52.0687 2956 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

17:26:52.0781 2956 kbdhid - ok

17:26:52.0828 2956 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys

17:26:52.0937 2956 kmixer - ok

17:26:52.0984 2956 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

17:26:53.0031 2956 KSecDD - ok

17:26:53.0046 2956 lbrtfdc - ok

17:26:53.0109 2956 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys

17:26:53.0156 2956 MBAMProtector - ok

17:26:53.0281 2956 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

17:26:53.0406 2956 mnmdd - ok

17:26:53.0468 2956 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

17:26:53.0562 2956 Modem - ok

17:26:53.0640 2956 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

17:26:53.0750 2956 Mouclass - ok

17:26:53.0875 2956 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

17:26:54.0000 2956 mouhid - ok

17:26:54.0062 2956 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

17:26:54.0171 2956 MountMgr - ok

17:26:54.0250 2956 mraid35x - ok

17:26:54.0296 2956 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

17:26:54.0406 2956 MRxDAV - ok

17:26:54.0484 2956 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

17:26:54.0531 2956 MRxSmb - ok

17:26:54.0609 2956 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

17:26:54.0718 2956 Msfs - ok

17:26:54.0812 2956 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

17:26:54.0921 2956 MSKSSRV - ok

17:26:55.0031 2956 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

17:26:55.0140 2956 MSPCLOCK - ok

17:26:55.0171 2956 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

17:26:55.0281 2956 MSPQM - ok

17:26:55.0312 2956 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

17:26:55.0421 2956 mssmbios - ok

17:26:55.0468 2956 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

17:26:55.0578 2956 Mup - ok

17:26:55.0625 2956 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

17:26:55.0734 2956 NDIS - ok

17:26:55.0843 2956 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

17:26:55.0968 2956 NdisTapi - ok

17:26:56.0000 2956 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

17:26:56.0109 2956 Ndisuio - ok

17:26:56.0156 2956 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

17:26:56.0265 2956 NdisWan - ok

17:26:56.0296 2956 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

17:26:56.0406 2956 NDProxy - ok

17:26:56.0546 2956 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

17:26:56.0640 2956 NetBIOS - ok

17:26:56.0687 2956 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

17:26:56.0781 2956 NetBT - ok

17:26:56.0921 2956 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

17:26:57.0000 2956 Npfs - ok

17:26:57.0046 2956 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys

17:26:57.0203 2956 Ntfs - ok

17:26:57.0343 2956 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

17:26:57.0453 2956 Null - ok

17:26:57.0718 2956 nv (cce4877e45f5300fffbb4a6bc5e7fda7) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

17:26:58.0093 2956 nv - ok

17:26:58.0203 2956 NVENETFD (1492c7738f68625805f5f53c8bad24c6) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

17:26:58.0250 2956 NVENETFD - ok

17:26:58.0281 2956 nvnetbus (ae73e61f07ddc84255bece6b02f18390) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

17:26:58.0312 2956 nvnetbus - ok

17:26:58.0343 2956 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

17:26:58.0453 2956 NwlnkFlt - ok

17:26:58.0515 2956 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

17:26:58.0625 2956 NwlnkFwd - ok

17:26:58.0703 2956 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys

17:26:58.0812 2956 Parport - ok

17:26:58.0843 2956 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

17:26:58.0953 2956 PartMgr - ok

17:26:58.0984 2956 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

17:26:59.0078 2956 ParVdm - ok

17:26:59.0109 2956 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

17:26:59.0234 2956 PCI - ok

17:26:59.0234 2956 PCIDump - ok

17:26:59.0312 2956 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

17:26:59.0421 2956 PCIIde - ok

17:26:59.0468 2956 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

17:26:59.0562 2956 Pcmcia - ok

17:26:59.0656 2956 PDCOMP - ok

17:26:59.0687 2956 PDFRAME - ok

17:26:59.0718 2956 PDRELI - ok

17:26:59.0734 2956 PDRFRAME - ok

17:26:59.0796 2956 perc2 - ok

17:26:59.0812 2956 perc2hib - ok

17:26:59.0906 2956 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

17:27:00.0015 2956 PptpMiniport - ok

17:27:00.0062 2956 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys

17:27:00.0171 2956 Processor - ok

17:27:00.0281 2956 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

17:27:00.0390 2956 PSched - ok

17:27:00.0484 2956 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

17:27:00.0593 2956 Ptilink - ok

17:27:00.0687 2956 PxHelp20 (db3b30c3a4cdcf07e164c14584d9d0f2) C:\WINDOWS\system32\Drivers\PxHelp20.sys

17:27:00.0703 2956 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning

17:27:00.0703 2956 PxHelp20 - detected UnsignedFile.Multi.Generic (1)

17:27:00.0718 2956 ql1080 - ok

17:27:00.0750 2956 Ql10wnt - ok

17:27:00.0765 2956 ql12160 - ok

17:27:00.0828 2956 ql1240 - ok

17:27:00.0843 2956 ql1280 - ok

17:27:00.0875 2956 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

17:27:00.0984 2956 RasAcd - ok

17:27:01.0015 2956 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

17:27:01.0140 2956 Rasl2tp - ok

17:27:01.0171 2956 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

17:27:01.0281 2956 RasPppoe - ok

17:27:01.0312 2956 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

17:27:01.0421 2956 Raspti - ok

17:27:01.0562 2956 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

17:27:01.0906 2956 Rdbss - ok

17:27:02.0031 2956 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

17:27:02.0140 2956 RDPCDD - ok

17:27:02.0187 2956 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

17:27:02.0468 2956 RDPWD - ok

17:27:02.0515 2956 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

17:27:02.0625 2956 redbook - ok

17:27:02.0781 2956 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

17:27:02.0875 2956 Secdrv - ok

17:27:02.0921 2956 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys

17:27:03.0015 2956 Serial - ok

17:27:03.0140 2956 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

17:27:03.0250 2956 Sfloppy - ok

17:27:03.0265 2956 Simbad - ok

17:27:03.0281 2956 Sparrow - ok

17:27:03.0343 2956 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys

17:27:03.0437 2956 splitter - ok

17:27:03.0500 2956 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

17:27:03.0640 2956 sr - ok

17:27:03.0687 2956 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

17:27:03.0718 2956 Srv - ok

17:27:03.0781 2956 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

17:27:03.0890 2956 swenum - ok

17:27:04.0000 2956 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

17:27:04.0125 2956 swmidi - ok

17:27:04.0140 2956 symc810 - ok

17:27:04.0156 2956 symc8xx - ok

17:27:04.0171 2956 sym_hi - ok

17:27:04.0187 2956 sym_u3 - ok

17:27:04.0250 2956 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

17:27:04.0359 2956 sysaudio - ok

17:27:04.0421 2956 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

17:27:04.0500 2956 Tcpip - ok

17:27:04.0515 2956 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

17:27:04.0625 2956 TDPIPE - ok

17:27:04.0671 2956 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

17:27:04.0781 2956 TDTCP - ok

17:27:04.0921 2956 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

17:27:05.0031 2956 TermDD - ok

17:27:05.0046 2956 TosIde - ok

17:27:05.0125 2956 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

17:27:05.0218 2956 Udfs - ok

17:27:05.0234 2956 ultra - ok

17:27:05.0281 2956 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

17:27:05.0390 2956 Update - ok

17:27:05.0453 2956 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys

17:27:05.0500 2956 USBAAPL - ok

17:27:05.0531 2956 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

17:27:05.0625 2956 usbccgp - ok

17:27:05.0671 2956 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

17:27:05.0765 2956 usbehci - ok

17:27:05.0812 2956 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

17:27:05.0921 2956 usbhub - ok

17:27:05.0953 2956 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

17:27:06.0062 2956 usbohci - ok

17:27:06.0171 2956 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

17:27:06.0281 2956 usbprint - ok

17:27:06.0359 2956 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

17:27:06.0468 2956 usbscan - ok

17:27:06.0484 2956 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

17:27:06.0593 2956 USBSTOR - ok

17:27:06.0640 2956 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

17:27:06.0750 2956 VgaSave - ok

17:27:06.0750 2956 ViaIde - ok

17:27:06.0828 2956 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

17:27:06.0921 2956 VolSnap - ok

17:27:06.0968 2956 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

17:27:07.0078 2956 Wanarp - ok

17:27:07.0093 2956 WDICA - ok

17:27:07.0156 2956 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys

17:27:07.0265 2956 wdmaud - ok

17:27:07.0359 2956 MBR (0x1B8) (b0b17de2470979f6aa7d36e451109b01) \Device\Harddisk0\DR0

17:27:07.0359 2956 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected

17:27:07.0359 2956 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)

17:27:07.0406 2956 \Device\Harddisk0\DR0 ( TDSS File System ) - warning

17:27:07.0406 2956 \Device\Harddisk0\DR0 - detected TDSS File System (1)

17:27:07.0437 2956 Boot (0x1200) (3e4b8aeccc496afb720697b3eee9add3) \Device\Harddisk0\DR0\Partition0

17:27:07.0437 2956 \Device\Harddisk0\DR0\Partition0 - ok

17:27:07.0437 2956 ============================================================

17:27:07.0437 2956 Scan finished

17:27:07.0437 2956 ============================================================

17:27:07.0562 3992 Detected object count: 3

17:27:07.0562 3992 Actual detected object count: 3

17:27:48.0921 3992 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user

17:27:48.0921 3992 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip

17:27:48.0953 3992 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot

17:27:48.0953 3992 \Device\Harddisk0\DR0 - ok

17:27:48.0953 3992 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure

17:27:48.0968 3992 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

17:27:48.0968 3992 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

17:28:11.0015 3520 Deinitialize success

New DDS:

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18

Run by Heather at 17:31:58 on 2011-11-11

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1387 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

C:\WINDOWS\system32\svchost.exe -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe

C:\Program Files\Lexmark 2500 Series\lxddmon.exe

C:\Program Files\Lexmark 2500 Series\lxddamon.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Pando Networks\Media Booster\PMB.exe

c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe

C:\WINDOWS\System32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lxddcoms.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uInternet Settings,ProxyOverride = *.local

BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [PhotoExplosionCalCheck] c:\program files\nova development\photo explosion 3.0 se\calcheck.exe

mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"

mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"

mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\documents and settings\heather\start menu\programs\startup\CurseClientStartup.ccip

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

TCP: Interfaces\{BB9D7449-46EA-4E27-9E4D-90E224B81761} : DhcpNameServer = 192.168.0.1 205.171.3.25

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\heather\application data\mozilla\firefox\profiles\xidn59ed.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=

FF - plugin: c:\documents and settings\heather\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll

FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll

FF - plugin: c:\program files\worldwinner.com, inc\worldwinner games\npwwload.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

.

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true

.

============= SERVICES / DRIVERS ===============

.

R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-10 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-10 22216]

S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2011-7-18 99248]

.

=============== Created Last 30 ================

.

2011-11-11 15:53:30 -------- d-sha-r- C:\cmdcons

2011-11-11 15:51:28 98816 ----a-w- c:\windows\sed.exe

2011-11-11 15:51:28 518144 ----a-w- c:\windows\SWREG.exe

2011-11-11 15:51:28 256000 ----a-w- c:\windows\PEV.exe

2011-11-11 15:51:28 208896 ----a-w- c:\windows\MBR.exe

2011-11-11 03:33:03 -------- d-----w- c:\documents and settings\heather\application data\Malwarebytes

2011-11-11 03:32:56 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-11-11 03:32:53 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-11 03:32:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-04 02:41:49 -------- d-----w- c:\documents and settings\heather\riotsGamesLogs

2011-11-04 02:41:10 -------- d-----w- c:\documents and settings\heather\application data\LolClient

2011-11-04 02:27:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-03 22:29:52 -------- d-----w- C:\Riot Games

2011-11-03 21:24:31 -------- d-----w- c:\documents and settings\heather\local settings\application data\PMB Files

2011-11-03 21:24:29 -------- d-----w- c:\documents and settings\all users\application data\PMB Files

2011-11-03 21:24:20 -------- d-----w- c:\program files\Pando Networks

2011-10-22 05:41:20 -------- d-----w- c:\program files\MSXML 4.0

.

==================== Find3M ====================

.

.

============= FINISH: 17:32:53.51 ===============

Thanks once again Maniac!! :blink:
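The TDSSKiller log posted above is the kind of output a helper has to read line by line: which objects were flagged, whether each was an outright infection or only a warning, and what action the user chose for it. The following Python script is an added example (not part of this thread or of the TDSSKiller tool) that triages a log in that format. It assumes the `timestamp pid text` layout seen in the log and keys each finding on the object and verdict name; the sample lines are constructed to mirror the entries above, with the timestamps made up.

```python
"""Triage a TDSSKiller-style log: collect every flagged object, its verdict
class ("infected" or "warning") and the action the user selected for it.

Added example, not part of the forum thread or of TDSSKiller itself.
Assumes each log line has the form "<timestamp> <pid> <text>" as in the
posted log; the line shapes below are taken from that log.
"""
import re
from dataclasses import dataclass

# Constructed sample in the posted log's format (timestamps are made up;
# object names and verdicts mirror the thread's TDSSKiller output).
SAMPLE_LOG = r"""
17:27:00.0687 2956 PxHelp20 (db3b30c3a4cdcf07e164c14584d9d0f2) C:\WINDOWS\system32\Drivers\PxHelp20.sys
17:27:00.0703 2956 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning
17:27:00.0703 2956 PxHelp20 - detected UnsignedFile.Multi.Generic (1)
17:27:07.0359 2956 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
17:27:07.0359 2956 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
17:27:07.0406 2956 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
17:27:07.0406 2956 \Device\Harddisk0\DR0 - detected TDSS File System (1)
17:27:07.0437 2956 \Device\Harddisk0\DR0\Partition0 - ok
17:27:48.0921 3992 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:27:48.0953 3992 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
17:27:48.0953 3992 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
17:27:48.0968 3992 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
"""

# "<object> ( <verdict> ) - infected|warning": the scanner's classification line.
VERDICT_RE = re.compile(
    r"^\S+ \d+ (?P<obj>.+?) \( (?P<name>.+?) \) - (?P<sev>infected|warning)$")
# "<object> ( <verdict> ) - User select action: <Action>": what the user chose.
ACTION_RE = re.compile(
    r"^\S+ \d+ (?P<obj>.+?) \( (?P<name>.+?) \) - User select action: (?P<act>\w+)$")


@dataclass
class Finding:
    obj: str        # driver name or device path that was flagged
    name: str       # verdict name, e.g. Rootkit.Boot.Pihar.b
    severity: str   # "infected" or "warning"
    action: str = ""  # "Cure", "Skip", ... or "" if no action was logged


def triage(log_text):
    """Return one Finding per (object, verdict) pair, with the chosen action attached."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = VERDICT_RE.match(line)
        if m:
            key = (m["obj"], m["name"])
            findings.setdefault(key, Finding(m["obj"], m["name"], m["sev"]))
            continue
        m = ACTION_RE.match(line)
        if m:
            key = (m["obj"], m["name"])
            if key in findings:  # ignore actions for objects we never saw flagged
                findings[key].action = m["act"]
    return list(findings.values())


def unresolved(findings):
    """Infections the run did not address: severity 'infected' without a Cure/Delete action."""
    return [f for f in findings
            if f.severity == "infected" and f.action not in ("Cure", "Delete")]


def reboot_pending(log_text):
    """True if the scanner deferred a fix to the next boot (the MBR case in the thread)."""
    return any("will be cured on reboot" in line for line in log_text.splitlines())


def summarize(findings):
    """Counts a helper wants at a glance: infected vs warning, cured vs skipped."""
    return {
        "infected": sum(f.severity == "infected" for f in findings),
        "warning": sum(f.severity == "warning" for f in findings),
        "cured": sum(f.action == "Cure" for f in findings),
        "skipped": sum(f.action == "Skip" for f in findings),
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.severity:8} {f.name:30} {f.obj:32} action={f.action or '-'}")
    print("summary:", summarize(found))
    print("unresolved infections:", [f.name for f in unresolved(found)])
    print("reboot pending:", reboot_pending(SAMPLE_LOG))
```

On the sample this reports one infection (the MBR, Rootkit.Boot.Pihar.b, action Cure, fix deferred to reboot) and two warnings that were skipped; the unsigned-driver warning on PxHelp20 is a generic "unsigned file" verdict and skipping it is consistent with what the thread's helper accepted.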


Fresh ComboFix DL'd and run; here is the log:

ComboFix 11-11-12.04 - Heather 11/12/2011 10:10:10.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1469 [GMT -7:00]

Running from: c:\documents and settings\Heather\My Documents\Downloads\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-10-12 to 2011-11-12 )))))))))))))))))))))))))))))))

.

.

2011-11-11 03:33 . 2011-11-11 03:33 -------- d-----w- c:\documents and settings\Heather\Application Data\Malwarebytes

2011-11-11 03:32 . 2011-11-11 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-11 03:32 . 2011-11-11 03:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-11 03:32 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-09 03:52 . 2011-11-09 03:52 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-11-04 02:41 . 2011-11-09 18:58 -------- d-----w- c:\documents and settings\Heather\riotsGamesLogs

2011-11-04 02:41 . 2011-11-04 02:41 -------- d-----w- c:\documents and settings\Heather\Application Data\LolClient

2011-11-04 02:27 . 2011-11-04 02:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-03 22:29 . 2011-11-03 22:29 -------- d-----w- C:\Riot Games

2011-11-03 21:24 . 2011-11-12 17:16 -------- d-----w- c:\documents and settings\Heather\Local Settings\Application Data\PMB Files

2011-11-03 21:24 . 2011-11-09 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2011-11-03 21:24 . 2011-11-03 21:24 -------- d-----w- c:\program files\Pando Networks

2011-10-22 05:41 . 2011-10-22 05:41 -------- d-----w- c:\program files\MSXML 4.0

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((( SnapShot@2011-11-11_16.53.41 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-11-12 17:04 . 2011-11-12 17:04 16384 c:\windows\Temp\Perflib_Perfdata_4c4.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-11-03 3077528]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-11-03 3077528]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-09-04 8466432]

"nwiz"="nwiz.exe" [2007-09-04 1626112]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-09-04 81920]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-02 421160]

"PhotoExplosionCalCheck"="c:\program files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe" [2006-09-20 69632]

"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-11 291760]

"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 312240]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]

.

c:\documents and settings\Heather\Start Menu\Programs\Startup\

CurseClientStartup.ccip [2011-1-1 0]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\lxddcoms.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\Heather\\Local Settings\\Apps\\2.0\\52A0Q1QR.KLH\\22952QH5.AZW\\curs..tion_eee711038731a406_0004.0000_0d453ed5fea2fe48\\CurseClient.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"57047:TCP"= 57047:TCP:Pando Media Booster

"57047:UDP"= 57047:UDP:Pando Media Booster

.

R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/10/2011 8:32 PM 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/10/2011 8:32 PM 22216]

S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [7/18/2011 2:24 PM 99248]

.

Contents of the 'Scheduled Tasks' folder

.

2010-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

FF - ProfilePath - c:\documents and settings\Heather\Application Data\Mozilla\Firefox\Profiles\xidn59ed.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-12 10:16

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

1Y5U7AYUVGXZYFXDCQRADEFD = c:\fonts\6DFBBA7729B.exe /q

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"1Y5U7AYUVGXZYFXDCQRADEFD"="c:\\Fonts\\6DFBBA7729B.exe /q"

.

Completion time: 2011-11-12 10:18:07

ComboFix-quarantined-files.txt 2011-11-12 17:18

ComboFix2.txt 2011-11-11 16:59

.

Pre-Run: 106,679,209,984 bytes free

Post-Run: 106,657,058,816 bytes free

.

- - End Of File - - 44812B2E6CF43A468967CC6B916F3CCB

:) Thanks!


Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=99590

Collect::
c:\Fonts\6DFBBA7729B.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1Y5U7AYUVGXZYFXDCQRADEFD"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

In your next post here, please include ComboFix.txt and let me know how are things there.


All seems well from what I can see today! Hopefully this means that we're about to finish with this process! THANK YOU SO MUCH!!! :lol:

ComboFix 11-11-12.04 - Heather 11/12/2011 23:27:10.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1363 [GMT -7:00]

Running from: c:\documents and settings\Heather\Desktop\KWRESEARCH\ComboFix.exe

Command switches used :: c:\documents and settings\Heather\Desktop\KWRESEARCH\CFScript.txt

.

file zipped: c:\fonts\6DFBBA7729B.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\fonts\6DFBBA7729B.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))

.

.

2011-11-11 03:33 . 2011-11-11 03:33 -------- d-----w- c:\documents and settings\Heather\Application Data\Malwarebytes

2011-11-11 03:32 . 2011-11-11 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-11 03:32 . 2011-11-11 03:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-11 03:32 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-09 03:52 . 2011-11-09 03:52 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-11-04 02:41 . 2011-11-09 18:58 -------- d-----w- c:\documents and settings\Heather\riotsGamesLogs

2011-11-04 02:41 . 2011-11-04 02:41 -------- d-----w- c:\documents and settings\Heather\Application Data\LolClient

2011-11-04 02:27 . 2011-11-04 02:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-03 22:29 . 2011-11-03 22:29 -------- d-----w- C:\Riot Games

2011-11-03 21:24 . 2011-11-13 06:32 -------- d-----w- c:\documents and settings\Heather\Local Settings\Application Data\PMB Files

2011-11-03 21:24 . 2011-11-09 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2011-11-03 21:24 . 2011-11-03 21:24 -------- d-----w- c:\program files\Pando Networks

2011-10-22 05:41 . 2011-10-22 05:41 -------- d-----w- c:\program files\MSXML 4.0

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-11-03 3077528]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-09-04 8466432]

"nwiz"="nwiz.exe" [2007-09-04 1626112]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-09-04 81920]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-02 421160]

"PhotoExplosionCalCheck"="c:\program files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe" [2006-09-20 69632]

"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-11 291760]

"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 312240]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]

.

c:\documents and settings\Heather\Start Menu\Programs\Startup\

CurseClientStartup.ccip [2011-1-1 0]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\lxddcoms.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\Heather\\Local Settings\\Apps\\2.0\\52A0Q1QR.KLH\\22952QH5.AZW\\curs..tion_eee711038731a406_0004.0000_0d453ed5fea2fe48\\CurseClient.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"57047:TCP"= 57047:TCP:Pando Media Booster

"57047:UDP"= 57047:UDP:Pando Media Booster

.

R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/10/2011 8:32 PM 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/10/2011 8:32 PM 22216]

S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [7/18/2011 2:24 PM 99248]

.

Contents of the 'Scheduled Tasks' folder

.

2010-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

FF - ProfilePath - c:\documents and settings\Heather\Application Data\Mozilla\Firefox\Profiles\xidn59ed.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-12 23:34

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\RUNDLL32.EXE

c:\windows\RTHDCPL.EXE

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxddcoms.exe

c:\windows\System32\nvsvc32.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2011-11-12 23:37:40 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-13 06:37

.

Pre-Run: 107,024,175,104 bytes free

Post-Run: 107,000,594,432 bytes free

.

- - End Of File - - DCC0EFB847A8FF95C07AB77058025A9F


Glad you are happy. :) I just want to be sure, so...

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Next:

  1. Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan
  2. Tick the box next to YES, I accept the Terms of Use
  3. Click Start
  4. When asked, allow the ActiveX control to install
  5. Click Start
  6. Make sure that the options Remove found threats and Scan unwanted applications are checked
  7. Click Scan (This scan can take several hours, so please be patient)
  8. Once the scan is completed, you may close the window
  9. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  10. Copy and paste that log as a reply to this topic

In your next post, please include both the log files specified above and let me know how things are then.


Alright, so here is the new Malwarebytes log:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8149

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

11/13/2011 10:21:24 AM

mbam-log-2011-11-13 (10-21-24).txt

Scan type: Quick scan

Objects scanned: 152265

Time elapsed: 2 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

and the ESET log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=14ba093cf5d0134a9d755d095fb595ef

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-11-13 05:57:14

# local_time=2011-11-13 10:57:14 (-0700, Mountain Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=74333

# found=0

# cleaned=0

# scan_time=1587

There's also a shortcut on my desktop that is titled after the original "system restore" malware that was my original reason for posting here.

I hope I don't make you mad but I found the path for the shortcut:

"C:\Documents and Settings\All Users\Application Data\jYtAyGnutB8B7k.exe"


Neither application has found this file.

Open Notepad and copy and paste the text in the code box below into it:

http://forums.malwarebytes.org/index.php?showtopic=99590

Collect::
C:\Documents and Settings\All Users\Application Data\jYtAyGnutB8B7k.exe

KillAll::

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

In your next post here, please include ComboFix.txt and let me know how things are there.


Ok, so I ran the newest scan and have this:

ComboFix 11-11-13.03 - Heather 11/13/2011 16:22:45.5.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1982.1500 [GMT -7:00]

Running from: c:\documents and settings\Heather\Desktop\KWRESEARCH\ComboFix.exe

Command switches used :: c:\documents and settings\Heather\Desktop\KWRESEARCH\CFScript.txt

.

.

((((((((((((((((((((((((( Files Created from 2011-10-13 to 2011-11-13 )))))))))))))))))))))))))))))))

.

.

2011-11-13 17:27 . 2011-11-13 17:27 -------- d-----w- c:\program files\ESET

2011-11-11 03:33 . 2011-11-11 03:33 -------- d-----w- c:\documents and settings\Heather\Application Data\Malwarebytes

2011-11-11 03:32 . 2011-11-11 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-11-11 03:32 . 2011-11-11 03:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-11-11 03:32 . 2011-09-01 00:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-11-09 03:52 . 2011-11-09 03:52 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2011-11-04 02:41 . 2011-11-09 18:58 -------- d-----w- c:\documents and settings\Heather\riotsGamesLogs

2011-11-04 02:41 . 2011-11-04 02:41 -------- d-----w- c:\documents and settings\Heather\Application Data\LolClient

2011-11-04 02:27 . 2011-11-04 02:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-03 22:29 . 2011-11-03 22:29 -------- d-----w- C:\Riot Games

2011-11-03 21:24 . 2011-11-13 23:30 -------- d-----w- c:\documents and settings\Heather\Local Settings\Application Data\PMB Files

2011-11-03 21:24 . 2011-11-09 18:59 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2011-11-03 21:24 . 2011-11-03 21:24 -------- d-----w- c:\program files\Pando Networks

2011-10-22 05:41 . 2011-10-22 05:41 -------- d-----w- c:\program files\MSXML 4.0

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((( SnapShot@2011-11-13_06.34.11 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-11-13 23:29 . 2011-11-13 23:29 16384 c:\windows\temp\Perflib_Perfdata_1a0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-11-03 3077528]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-09-04 8466432]

"nwiz"="nwiz.exe" [2007-09-04 1626112]

"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-09-04 81920]

"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 16859648]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-15 47904]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-02 421160]

"PhotoExplosionCalCheck"="c:\program files\Nova Development\Photo Explosion 3.0 SE\calcheck.exe" [2006-09-20 69632]

"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-11 291760]

"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]

"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 312240]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]

.

c:\documents and settings\Heather\Start Menu\Programs\Startup\

CurseClientStartup.ccip [2011-1-1 0]

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\lxddcoms.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Documents and Settings\\Heather\\Local Settings\\Apps\\2.0\\PDXKLEHX.372\\G09Q4N0N.9R3\\curs..tion_eee711038731a406_0004.0000_0d453ed5fea2fe48\\CurseClient.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"57047:TCP"= 57047:TCP:Pando Media Booster

"57047:UDP"= 57047:UDP:Pando Media Booster

.

R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/10/2011 8:32 PM 366152]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/10/2011 8:32 PM 22216]

S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [7/18/2011 2:24 PM 99248]

.

Contents of the 'Scheduled Tasks' folder

.

2010-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

FF - ProfilePath - c:\documents and settings\Heather\Application Data\Mozilla\Firefox\Profiles\xidn59ed.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.myheritage.com/?orig=ds&q=

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - user.js: yahoo.homepage.dontask - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-11-13 16:30

Windows 5.1.2600 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\system32\RUNDLL32.EXE

c:\windows\RTHDCPL.EXE

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe

c:\windows\system32\lxddcoms.exe

c:\windows\System32\nvsvc32.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\imapi.exe

.

**************************************************************************

.

Completion time: 2011-11-13 16:32:29 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-13 23:32

ComboFix2.txt 2011-11-13 06:37

.

Pre-Run: 106,853,167,104 bytes free

Post-Run: 106,837,393,408 bytes free

.

- - End Of File - - 39C7860E5BA00A92198FCCDAB68337DB

Something else strange... My friend plays World of Warcraft and uses a client (Curse website) to update 3rd party mods for the game. I updated the client yesterday, but it's already back and asking to update again :unsure:. As this is 3rd party software to a big MMORPG I know this would be a prime target for malware. In my opinion taking this totally off the machine would be a good idea, at least until the infection is under control.

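The ComboFix logs in this thread list the Run keys, the firewall's AuthorizedApplications and the GloballyOpenPorts exceptions, and the reader has to eyeball them for anything odd. The script below is an added example, not code from Malwarebytes, ComboFix or the helper in this thread; it parses those three sections and flags entries that deserve a second look using two heuristics of my own: an executable that autostarts (or has a firewall exception) from a user-writable data directory, and a file name that looks like the random string rogue-AV droppers use. The sample log is constructed to mirror the format above; the entry "xKq7TzLm0a2P" is a hypothetical placeholder, not a file from this thread. A flag means "review this", not "malicious": the ClickOnce CurseClient path the poster worries about is flagged only for its location, which is where ClickOnce legitimately installs.

```python
"""Triage ComboFix-style autorun and firewall-exception entries.

Flags entries worth a second look: executables living in user-writable
data directories, and file names that look like the random strings
rogue-AV droppers use. A flag means "review this", not "malicious".
"""
import re

# Constructed sample in ComboFix's log format. "xKq7TzLm0a2P" is a
# hypothetical placeholder name, not a file from the thread; the other
# entries mirror the kinds of lines shown in the thread's logs.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-09-04 8466432]
"nwiz"="nwiz.exe" [2007-09-04 1626112]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-09-01 449608]
"xKq7TzLm0a2P"="c:\documents and settings\All Users\Application Data\xKq7TzLm0a2P.exe" [2011-11-09 312240]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Heather\\Local Settings\\Apps\\2.0\\PDXKLEHX.372\\G09Q4N0N.9R3\\curs..tion_eee711038731a406_0004.0000_0d453ed5fea2fe48\\CurseClient.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57047:UDP"= 57047:UDP:Pando Media Booster
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKLM\...\Run]
ENTRY_RE = re.compile(r'^"([^"]+)"=(.*)$')      # "name"=value
QUOTED_PATH_RE = re.compile(r'^"([^"]*)"')      # "c:\path\file.exe" [date size]

# Directories an unprivileged user (and so a dropper run as that user) can
# write to. Legitimate software rarely autostarts from them; ClickOnce apps
# under Local Settings\Apps are the usual benign exception.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\",
    "\\temp\\",
    "\\users\\",
)


def in_user_writable(path):
    """True if the path sits under a user-writable data directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def looks_random(stem):
    """Crude check for dropper-style names: long, digits mixed with many
    case flips, or almost no vowels. Heuristic, not a verdict."""
    if len(stem) < 10:
        return False
    has_digit = any(c.isdigit() for c in stem)
    case_flips = sum(
        1 for a, b in zip(stem, stem[1:])
        if a.isalpha() and b.isalpha() and a.islower() != b.islower()
    )
    vowel_ratio = sum(c in "aeiou" for c in stem.lower()) / len(stem)
    return (has_digit and case_flips >= 4) or vowel_ratio < 0.2


def parse_entries(log_text):
    """Yield (section, name, target) for Run keys, firewall-authorized
    applications and globally open ports found in a ComboFix-style log."""
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        key, value = entry.group(1), entry.group(2).strip()
        if section.endswith("\\Run"):
            quoted = QUOTED_PATH_RE.match(value)
            yield section, key, (quoted.group(1) if quoted else value)
        elif "AuthorizedApplications" in section:
            path = key.replace("\\\\", "\\")          # log doubles backslashes here
            yield section, path.rsplit("\\", 1)[-1], path
        elif "GloballyOpenPorts" in section:
            yield section, key, value


def triage(log_text):
    """Return a list of findings; each has kind, name, target and reasons."""
    findings = []
    for section, name, target in parse_entries(log_text):
        if "GloballyOpenPorts" in section:
            findings.append({"kind": "open_port", "name": name,
                             "target": target, "reasons": ["inbound port exception"]})
            continue
        reasons = []
        if in_user_writable(target):
            reasons.append("runs from user-writable location")
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(stem):
            reasons.append("random-looking file name")
        if reasons:
            kind = "autorun" if section.endswith("\\Run") else "firewall_exception"
            findings.append({"kind": kind, "name": name,
                             "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<18} {f['name']:<20} {'; '.join(f['reasons'])}")
        print(f"    {f['target']}")
```

Run it against a real ComboFix.txt by reading the file into `triage()` instead of `SAMPLE_LOG`. Everything that is not flagged still needs the normal checks (publisher, signature, known-good hash); the point of the script is only to put the entries that most often turn out to be the rogue at the top of the list.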

A little further about the Client:

The application install security warning that came up had a link to Here, which I recognize as a World of Warcraft related site. Though the coding seems funky there.

Also, I viewed the client certificate and got an IP out of it

"Ensures software came from software publisher

Protects software from alteration after publication

2.16.840.1.113733.1.7.23.3"

Doing a Google search on that IP is a little intimidating, as well as the "Curse" corp. not being mentioned once in like 3 Google pages, as well as it being flagged as potentially hazardous.

:unsure: I feel like a dummy. :unsure: I know you've asked me multiple times to chill out on trying to do anything on this computer myself and I promise from this moment on I will.

The owner of the PC is also about to quit trying to save the machine and has asked me about reformat options. I don't want to give up, but if you think it would be better at this point I'm all for doing it. There is nothing we need data wise from the computer.

Again thank you Maniac :D


Ok new TDSSKiller log here:

00:48:09.0000 2216 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15

00:48:10.0171 2216 ============================================================

00:48:10.0171 2216 Current date / time: 2011/11/14 00:48:10.0171

00:48:10.0171 2216 SystemInfo:

00:48:10.0171 2216

00:48:10.0171 2216 OS Version: 5.1.2600 ServicePack: 2.0

00:48:10.0171 2216 Product type: Workstation

00:48:10.0171 2216 ComputerName: HOME-810I8BKMSF

00:48:10.0171 2216 UserName: Heather

00:48:10.0171 2216 Windows directory: C:\WINDOWS

00:48:10.0171 2216 System windows directory: C:\WINDOWS

00:48:10.0171 2216 Processor architecture: Intel x86

00:48:10.0171 2216 Number of processors: 1

00:48:10.0171 2216 Page size: 0x1000

00:48:10.0171 2216 Boot type: Normal boot

00:48:10.0171 2216 ============================================================

00:48:11.0421 2216 Initialize success

00:48:33.0750 2924 ============================================================

00:48:33.0750 2924 Scan started

00:48:33.0750 2924 Mode: Manual; SigCheck; TDLFS;

00:48:33.0750 2924 ============================================================

00:48:34.0343 2924 Abiosdsk - ok

00:48:34.0359 2924 abp480n5 - ok

00:48:34.0406 2924 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

00:48:35.0828 2924 ACPI - ok

00:48:35.0953 2924 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

00:48:36.0093 2924 ACPIEC - ok

00:48:36.0171 2924 adpu160m - ok

00:48:36.0234 2924 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys

00:48:36.0421 2924 aec - ok

00:48:36.0625 2924 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

00:48:36.0828 2924 AFD - ok

00:48:36.0859 2924 Aha154x - ok

00:48:36.0875 2924 aic78u2 - ok

00:48:36.0875 2924 aic78xx - ok

00:48:36.0906 2924 AliIde - ok

00:48:36.0921 2924 amsint - ok

00:48:36.0953 2924 asc - ok

00:48:36.0968 2924 asc3350p - ok

00:48:36.0968 2924 asc3550 - ok

00:48:37.0031 2924 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

00:48:37.0140 2924 AsyncMac - ok

00:48:37.0203 2924 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

00:48:37.0312 2924 atapi - ok

00:48:37.0406 2924 Atdisk - ok

00:48:37.0453 2924 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

00:48:37.0562 2924 Atmarpc - ok

00:48:37.0625 2924 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

00:48:37.0750 2924 audstub - ok

00:48:37.0781 2924 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

00:48:37.0921 2924 Beep - ok

00:48:37.0937 2924 catchme - ok

00:48:37.0984 2924 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

00:48:38.0109 2924 cbidf2k - ok

00:48:38.0125 2924 cd20xrnt - ok

00:48:38.0171 2924 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

00:48:38.0312 2924 Cdaudio - ok

00:48:38.0359 2924 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

00:48:38.0468 2924 Cdfs - ok

00:48:38.0500 2924 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

00:48:38.0609 2924 Cdrom - ok

00:48:38.0625 2924 Changer - ok

00:48:38.0640 2924 CmdIde - ok

00:48:38.0687 2924 Cpqarray - ok

00:48:38.0703 2924 dac2w2k - ok

00:48:38.0718 2924 dac960nt - ok

00:48:38.0781 2924 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

00:48:38.0890 2924 Disk - ok

00:48:39.0046 2924 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

00:48:39.0171 2924 dmboot - ok

00:48:39.0343 2924 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

00:48:39.0437 2924 dmio - ok

00:48:39.0546 2924 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

00:48:39.0656 2924 dmload - ok

00:48:39.0703 2924 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

00:48:39.0796 2924 DMusic - ok

00:48:39.0812 2924 dpti2o - ok

00:48:39.0859 2924 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

00:48:39.0968 2924 drmkaud - ok

00:48:40.0000 2924 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

00:48:40.0125 2924 Fastfat - ok

00:48:40.0250 2924 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys

00:48:40.0343 2924 Fdc - ok

00:48:40.0390 2924 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

00:48:40.0515 2924 Fips - ok

00:48:40.0640 2924 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys

00:48:40.0750 2924 Flpydisk - ok

00:48:40.0796 2924 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys

00:48:40.0906 2924 FltMgr - ok

00:48:41.0015 2924 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

00:48:41.0140 2924 Fs_Rec - ok

00:48:41.0203 2924 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

00:48:41.0328 2924 Ftdisk - ok

00:48:41.0453 2924 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

00:48:41.0468 2924 GEARAspiWDM - ok

00:48:41.0515 2924 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

00:48:41.0625 2924 Gpc - ok

00:48:41.0687 2924 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

00:48:41.0750 2924 HDAudBus - ok

00:48:41.0796 2924 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

00:48:41.0921 2924 hidusb - ok

00:48:41.0937 2924 hpn - ok

00:48:42.0000 2924 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

00:48:42.0078 2924 HTTP - ok

00:48:42.0093 2924 i2omgmt - ok

00:48:42.0125 2924 i2omp - ok

00:48:42.0171 2924 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\drivers\i8042prt.sys

00:48:42.0281 2924 i8042prt - ok

00:48:42.0328 2924 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

00:48:42.0437 2924 Imapi - ok

00:48:42.0453 2924 ini910u - ok

00:48:42.0609 2924 IntcAzAudAddService (dbc702fbc70dc58d9122ce56eadbd659) C:\WINDOWS\system32\drivers\RtkHDAud.sys

00:48:42.0796 2924 IntcAzAudAddService - ok

00:48:42.0890 2924 IntelIde - ok

00:48:42.0953 2924 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

00:48:43.0046 2924 ip6fw - ok

00:48:43.0078 2924 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

00:48:43.0187 2924 IpFilterDriver - ok

00:48:43.0296 2924 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

00:48:43.0390 2924 IpInIp - ok

00:48:43.0421 2924 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys

00:48:43.0531 2924 IpNat - ok

00:48:43.0578 2924 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

00:48:43.0671 2924 IPSec - ok

00:48:43.0750 2924 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

00:48:43.0843 2924 IRENUM - ok

00:48:43.0953 2924 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

00:48:44.0093 2924 isapnp - ok

00:48:44.0218 2924 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

00:48:44.0312 2924 Kbdclass - ok

00:48:44.0359 2924 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

00:48:44.0437 2924 kbdhid - ok

00:48:44.0500 2924 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys

00:48:44.0593 2924 kmixer - ok

00:48:44.0687 2924 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

00:48:44.0765 2924 KSecDD - ok

00:48:44.0796 2924 lbrtfdc - ok

00:48:44.0875 2924 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys

00:48:44.0906 2924 MBAMProtector - ok

00:48:45.0046 2924 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

00:48:45.0171 2924 mnmdd - ok

00:48:45.0203 2924 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

00:48:45.0296 2924 Modem - ok

00:48:45.0343 2924 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

00:48:45.0437 2924 Mouclass - ok

00:48:45.0484 2924 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

00:48:45.0609 2924 mouhid - ok

00:48:45.0656 2924 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

00:48:45.0750 2924 MountMgr - ok

00:48:45.0765 2924 mraid35x - ok

00:48:45.0828 2924 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

00:48:45.0937 2924 MRxDAV - ok

00:48:45.0984 2924 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

00:48:46.0031 2924 MRxSmb - ok

00:48:46.0046 2924 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

00:48:46.0156 2924 Msfs - ok

00:48:46.0281 2924 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

00:48:46.0390 2924 MSKSSRV - ok

00:48:46.0531 2924 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

00:48:46.0703 2924 MSPCLOCK - ok

00:48:46.0703 2924 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

00:48:46.0812 2924 MSPQM - ok

00:48:46.0843 2924 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

00:48:46.0953 2924 mssmbios - ok

00:48:46.0984 2924 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

00:48:47.0078 2924 Mup - ok

00:48:47.0125 2924 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

00:48:47.0234 2924 NDIS - ok

00:48:47.0265 2924 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

00:48:47.0406 2924 NdisTapi - ok

00:48:47.0453 2924 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

00:48:47.0531 2924 Ndisuio - ok

00:48:47.0656 2924 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

00:48:47.0765 2924 NdisWan - ok

00:48:47.0796 2924 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

00:48:47.0921 2924 NDProxy - ok

00:48:48.0046 2924 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

00:48:48.0156 2924 NetBIOS - ok

00:48:48.0187 2924 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

00:48:48.0281 2924 NetBT - ok

00:48:48.0343 2924 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

00:48:48.0421 2924 Npfs - ok

00:48:48.0453 2924 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys

00:48:48.0578 2924 Ntfs - ok

00:48:48.0718 2924 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

00:48:48.0843 2924 Null - ok

00:48:49.0109 2924 nv (cce4877e45f5300fffbb4a6bc5e7fda7) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

00:48:49.0437 2924 nv - ok

00:48:49.0562 2924 NVENETFD (1492c7738f68625805f5f53c8bad24c6) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

00:48:49.0593 2924 NVENETFD - ok

00:48:49.0625 2924 nvnetbus (ae73e61f07ddc84255bece6b02f18390) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

00:48:49.0640 2924 nvnetbus - ok

00:48:49.0703 2924 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

00:48:49.0828 2924 NwlnkFlt - ok

00:48:49.0843 2924 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

00:48:49.0953 2924 NwlnkFwd - ok

00:48:50.0000 2924 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys

00:48:50.0109 2924 Parport - ok

00:48:50.0140 2924 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

00:48:50.0250 2924 PartMgr - ok

00:48:50.0281 2924 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

00:48:50.0390 2924 ParVdm - ok

00:48:50.0468 2924 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

00:48:50.0578 2924 PCI - ok

00:48:50.0593 2924 PCIDump - ok

00:48:50.0656 2924 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

00:48:50.0781 2924 PCIIde - ok

00:48:50.0828 2924 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

00:48:50.0921 2924 Pcmcia - ok

00:48:50.0937 2924 PDCOMP - ok

00:48:50.0953 2924 PDFRAME - ok

00:48:50.0968 2924 PDRELI - ok

00:48:50.0984 2924 PDRFRAME - ok

00:48:51.0000 2924 perc2 - ok

00:48:51.0015 2924 perc2hib - ok

00:48:51.0078 2924 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

00:48:51.0187 2924 PptpMiniport - ok

00:48:51.0265 2924 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys

00:48:51.0375 2924 Processor - ok

00:48:51.0406 2924 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

00:48:51.0500 2924 PSched - ok

00:48:51.0546 2924 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

00:48:51.0671 2924 Ptilink - ok

00:48:51.0765 2924 PxHelp20 (db3b30c3a4cdcf07e164c14584d9d0f2) C:\WINDOWS\system32\Drivers\PxHelp20.sys

00:48:51.0781 2924 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning

00:48:51.0781 2924 PxHelp20 - detected UnsignedFile.Multi.Generic (1)

00:48:51.0796 2924 ql1080 - ok

00:48:51.0812 2924 Ql10wnt - ok

00:48:51.0828 2924 ql12160 - ok

00:48:51.0843 2924 ql1240 - ok

00:48:51.0859 2924 ql1280 - ok

00:48:51.0906 2924 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

00:48:52.0000 2924 RasAcd - ok

00:48:52.0062 2924 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

00:48:52.0171 2924 Rasl2tp - ok

00:48:52.0203 2924 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

00:48:52.0312 2924 RasPppoe - ok

00:48:52.0406 2924 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

00:48:52.0531 2924 Raspti - ok

00:48:52.0625 2924 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

00:48:52.0984 2924 Rdbss - ok

00:48:53.0109 2924 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

00:48:53.0234 2924 RDPCDD - ok

00:48:53.0265 2924 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

00:48:53.0609 2924 RDPWD - ok

00:48:53.0640 2924 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

00:48:53.0750 2924 redbook - ok

00:48:53.0906 2924 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

00:48:53.0984 2924 Secdrv - ok

00:48:54.0031 2924 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys

00:48:54.0125 2924 Serial - ok

00:48:54.0234 2924 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

00:48:54.0343 2924 Sfloppy - ok

00:48:54.0359 2924 Simbad - ok

00:48:54.0375 2924 Sparrow - ok

00:48:54.0421 2924 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys

00:48:54.0515 2924 splitter - ok

00:48:54.0593 2924 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

00:48:54.0687 2924 sr - ok

00:48:54.0734 2924 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

00:48:54.0796 2924 Srv - ok

00:48:54.0875 2924 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

00:48:54.0968 2924 swenum - ok

00:48:55.0046 2924 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

00:48:55.0171 2924 swmidi - ok

00:48:55.0250 2924 symc810 - ok

00:48:55.0265 2924 symc8xx - ok

00:48:55.0281 2924 sym_hi - ok

00:48:55.0312 2924 sym_u3 - ok

00:48:55.0375 2924 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

00:48:55.0468 2924 sysaudio - ok

00:48:55.0531 2924 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

00:48:55.0593 2924 Tcpip - ok

00:48:55.0625 2924 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

00:48:55.0718 2924 TDPIPE - ok

00:48:55.0781 2924 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

00:48:55.0875 2924 TDTCP - ok

00:48:55.0984 2924 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

00:48:56.0093 2924 TermDD - ok

00:48:56.0109 2924 TosIde - ok

00:48:56.0187 2924 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

00:48:56.0281 2924 Udfs - ok

00:48:56.0281 2924 ultra - ok

00:48:56.0359 2924 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

00:48:56.0453 2924 Update - ok

00:48:56.0656 2924 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys

00:48:56.0734 2924 USBAAPL - ok

00:48:56.0781 2924 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

00:48:56.0859 2924 usbccgp - ok

00:48:56.0984 2924 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

00:48:57.0062 2924 usbehci - ok

00:48:57.0109 2924 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

00:48:57.0218 2924 usbhub - ok

00:48:57.0265 2924 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

00:48:57.0359 2924 usbohci - ok

00:48:57.0468 2924 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

00:48:57.0578 2924 usbprint - ok

00:48:57.0687 2924 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

00:48:57.0781 2924 usbscan - ok

00:48:57.0812 2924 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

00:48:57.0906 2924 USBSTOR - ok

00:48:57.0968 2924 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

00:48:58.0062 2924 VgaSave - ok

00:48:58.0078 2924 ViaIde - ok

00:48:58.0140 2924 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

00:48:58.0234 2924 VolSnap - ok

00:48:58.0281 2924 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

00:48:58.0390 2924 Wanarp - ok

00:48:58.0406 2924 WDICA - ok

00:48:58.0468 2924 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys

00:48:58.0562 2924 wdmaud - ok

00:48:58.0656 2924 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

00:48:58.0812 2924 \Device\Harddisk0\DR0 ( TDSS File System ) - warning

00:48:58.0812 2924 \Device\Harddisk0\DR0 - detected TDSS File System (1)

00:48:58.0812 2924 Boot (0x1200) (3e4b8aeccc496afb720697b3eee9add3) \Device\Harddisk0\DR0\Partition0

00:48:58.0812 2924 \Device\Harddisk0\DR0\Partition0 - ok

00:48:58.0812 2924 ============================================================

00:48:58.0812 2924 Scan finished

00:48:58.0812 2924 ============================================================

00:48:58.0937 1384 Detected object count: 2

00:48:58.0937 1384 Actual detected object count: 2

00:49:21.0687 1384 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user

00:49:21.0687 1384 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip

00:49:21.0687 1384 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

00:49:21.0687 1384 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

00:49:34.0578 1856 ============================================================

00:49:34.0578 1856 Scan started

00:49:34.0578 1856 Mode: Manual; SigCheck; TDLFS;

00:49:34.0578 1856 ============================================================

00:49:34.0875 1856 Abiosdsk - ok

00:49:34.0875 1856 abp480n5 - ok

00:49:34.0937 1856 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys

00:49:35.0046 1856 ACPI - ok

00:49:35.0109 1856 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

00:49:35.0218 1856 ACPIEC - ok

00:49:35.0218 1856 adpu160m - ok

00:49:35.0296 1856 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys

00:49:35.0406 1856 aec - ok

00:49:35.0437 1856 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys

00:49:35.0484 1856 AFD - ok

00:49:35.0484 1856 Aha154x - ok

00:49:35.0515 1856 aic78u2 - ok

00:49:35.0531 1856 aic78xx - ok

00:49:35.0562 1856 AliIde - ok

00:49:35.0593 1856 amsint - ok

00:49:35.0609 1856 asc - ok

00:49:35.0625 1856 asc3350p - ok

00:49:35.0640 1856 asc3550 - ok

00:49:35.0703 1856 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

00:49:35.0796 1856 AsyncMac - ok

00:49:35.0875 1856 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys

00:49:35.0968 1856 atapi - ok

00:49:35.0968 1856 Atdisk - ok

00:49:36.0031 1856 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

00:49:36.0125 1856 Atmarpc - ok

00:49:36.0171 1856 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

00:49:36.0296 1856 audstub - ok

00:49:36.0328 1856 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

00:49:36.0453 1856 Beep - ok

00:49:36.0468 1856 catchme - ok

00:49:36.0640 1856 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

00:49:36.0781 1856 cbidf2k - ok

00:49:36.0796 1856 cd20xrnt - ok

00:49:36.0828 1856 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

00:49:36.0937 1856 Cdaudio - ok

00:49:37.0000 1856 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys

00:49:37.0093 1856 Cdfs - ok

00:49:37.0109 1856 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys

00:49:37.0218 1856 Cdrom - ok

00:49:37.0218 1856 Changer - ok

00:49:37.0250 1856 CmdIde - ok

00:49:37.0281 1856 Cpqarray - ok

00:49:37.0296 1856 dac2w2k - ok

00:49:37.0312 1856 dac960nt - ok

00:49:37.0406 1856 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys

00:49:37.0500 1856 Disk - ok

00:49:37.0593 1856 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys

00:49:37.0703 1856 dmboot - ok

00:49:37.0828 1856 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys

00:49:37.0921 1856 dmio - ok

00:49:38.0031 1856 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

00:49:38.0140 1856 dmload - ok

00:49:38.0171 1856 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys

00:49:38.0281 1856 DMusic - ok

00:49:38.0281 1856 dpti2o - ok

00:49:38.0343 1856 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys

00:49:38.0437 1856 drmkaud - ok

00:49:38.0484 1856 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys

00:49:38.0578 1856 Fastfat - ok

00:49:38.0609 1856 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys

00:49:38.0703 1856 Fdc - ok

00:49:38.0703 1856 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys

00:49:38.0843 1856 Fips - ok

00:49:38.0953 1856 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys

00:49:39.0046 1856 Flpydisk - ok

00:49:39.0093 1856 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys

00:49:39.0187 1856 FltMgr - ok

00:49:39.0218 1856 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

00:49:39.0343 1856 Fs_Rec - ok

00:49:39.0359 1856 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

00:49:39.0484 1856 Ftdisk - ok

00:49:39.0515 1856 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

00:49:39.0515 1856 GEARAspiWDM - ok

00:49:39.0578 1856 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys

00:49:39.0687 1856 Gpc - ok

00:49:39.0796 1856 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

00:49:39.0812 1856 HDAudBus - ok

00:49:39.0859 1856 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys

00:49:39.0968 1856 hidusb - ok

00:49:40.0046 1856 hpn - ok

00:49:40.0109 1856 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys

00:49:40.0125 1856 HTTP - ok

00:49:40.0140 1856 i2omgmt - ok

00:49:40.0140 1856 i2omp - ok

00:49:40.0203 1856 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\drivers\i8042prt.sys

00:49:40.0312 1856 i8042prt - ok

00:49:40.0343 1856 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys

00:49:40.0453 1856 Imapi - ok

00:49:40.0453 1856 ini910u - ok

00:49:40.0625 1856 IntcAzAudAddService (dbc702fbc70dc58d9122ce56eadbd659) C:\WINDOWS\system32\drivers\RtkHDAud.sys

00:49:40.0781 1856 IntcAzAudAddService - ok

00:49:40.0875 1856 IntelIde - ok

00:49:40.0906 1856 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys

00:49:41.0015 1856 ip6fw - ok

00:49:41.0046 1856 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

00:49:41.0156 1856 IpFilterDriver - ok

00:49:41.0265 1856 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys

00:49:41.0359 1856 IpInIp - ok

00:49:41.0390 1856 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys

00:49:41.0500 1856 IpNat - ok

00:49:41.0531 1856 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys

00:49:41.0640 1856 IPSec - ok

00:49:41.0656 1856 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys

00:49:41.0765 1856 IRENUM - ok

00:49:41.0812 1856 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys

00:49:41.0953 1856 isapnp - ok

00:49:42.0000 1856 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

00:49:42.0109 1856 Kbdclass - ok

00:49:42.0140 1856 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

00:49:42.0234 1856 kbdhid - ok

00:49:42.0250 1856 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys

00:49:42.0359 1856 kmixer - ok

00:49:42.0406 1856 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys

00:49:42.0421 1856 KSecDD - ok

00:49:42.0437 1856 lbrtfdc - ok

00:49:42.0468 1856 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys

00:49:42.0484 1856 MBAMProtector - ok

00:49:42.0531 1856 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

00:49:42.0625 1856 mnmdd - ok

00:49:42.0734 1856 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys

00:49:42.0828 1856 Modem - ok

00:49:42.0859 1856 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys

00:49:42.0953 1856 Mouclass - ok

00:49:43.0000 1856 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

00:49:43.0109 1856 mouhid - ok

00:49:43.0156 1856 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys

00:49:43.0265 1856 MountMgr - ok

00:49:43.0265 1856 mraid35x - ok

00:49:43.0343 1856 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

00:49:43.0437 1856 MRxDAV - ok

00:49:43.0500 1856 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

00:49:43.0531 1856 MRxSmb - ok

00:49:43.0546 1856 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys

00:49:43.0656 1856 Msfs - ok

00:49:43.0750 1856 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys

00:49:43.0843 1856 MSKSSRV - ok

00:49:43.0890 1856 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

00:49:43.0984 1856 MSPCLOCK - ok

00:49:44.0046 1856 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys

00:49:44.0171 1856 MSPQM - ok

00:49:44.0265 1856 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

00:49:44.0375 1856 mssmbios - ok

00:49:44.0484 1856 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys

00:49:44.0578 1856 Mup - ok

00:49:44.0640 1856 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys

00:49:44.0750 1856 NDIS - ok

00:49:44.0796 1856 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

00:49:44.0921 1856 NdisTapi - ok

00:49:44.0968 1856 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

00:49:45.0078 1856 Ndisuio - ok

00:49:45.0109 1856 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

00:49:45.0218 1856 NdisWan - ok

00:49:45.0250 1856 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys

00:49:45.0375 1856 NDProxy - ok

00:49:45.0500 1856 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys

00:49:45.0593 1856 NetBIOS - ok

00:49:45.0625 1856 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys

00:49:45.0718 1856 NetBT - ok

00:49:45.0859 1856 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys

00:49:45.0953 1856 Npfs - ok

00:49:46.0000 1856 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys

00:49:46.0109 1856 Ntfs - ok

00:49:46.0156 1856 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

00:49:46.0265 1856 Null - ok

00:49:46.0468 1856 nv (cce4877e45f5300fffbb4a6bc5e7fda7) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

00:49:46.0984 1856 nv - ok

00:49:47.0000 1856 NVENETFD (1492c7738f68625805f5f53c8bad24c6) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

00:49:47.0000 1856 NVENETFD - ok

00:49:47.0015 1856 nvnetbus (ae73e61f07ddc84255bece6b02f18390) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

00:49:47.0046 1856 nvnetbus - ok

00:49:47.0062 1856 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

00:49:47.0203 1856 NwlnkFlt - ok

00:49:47.0265 1856 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

00:49:47.0390 1856 NwlnkFwd - ok

00:49:47.0468 1856 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys

00:49:47.0562 1856 Parport - ok

00:49:47.0640 1856 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys

00:49:47.0750 1856 PartMgr - ok

00:49:47.0781 1856 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

00:49:47.0890 1856 ParVdm - ok

00:49:47.0968 1856 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys

00:49:48.0078 1856 PCI - ok

00:49:48.0109 1856 PCIDump - ok

00:49:48.0187 1856 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

00:49:48.0312 1856 PCIIde - ok

00:49:48.0390 1856 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys

00:49:48.0484 1856 Pcmcia - ok

00:49:48.0500 1856 PDCOMP - ok

00:49:48.0531 1856 PDFRAME - ok

00:49:48.0546 1856 PDRELI - ok

00:49:48.0562 1856 PDRFRAME - ok

00:49:48.0593 1856 perc2 - ok

00:49:48.0593 1856 perc2hib - ok

00:49:48.0671 1856 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys

00:49:48.0781 1856 PptpMiniport - ok

00:49:48.0890 1856 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys

00:49:49.0000 1856 Processor - ok

00:49:49.0031 1856 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys

00:49:49.0125 1856 PSched - ok

00:49:49.0140 1856 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

00:49:49.0265 1856 Ptilink - ok

00:49:49.0296 1856 PxHelp20 (db3b30c3a4cdcf07e164c14584d9d0f2) C:\WINDOWS\system32\Drivers\PxHelp20.sys

00:49:49.0312 1856 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning

00:49:49.0312 1856 PxHelp20 - detected UnsignedFile.Multi.Generic (1)

00:49:49.0328 1856 ql1080 - ok

00:49:49.0359 1856 Ql10wnt - ok

00:49:49.0375 1856 ql12160 - ok

00:49:49.0375 1856 ql1240 - ok

00:49:49.0406 1856 ql1280 - ok

00:49:49.0437 1856 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

00:49:49.0546 1856 RasAcd - ok

00:49:49.0609 1856 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

00:49:49.0718 1856 Rasl2tp - ok

00:49:49.0750 1856 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

00:49:49.0859 1856 RasPppoe - ok

00:49:49.0890 1856 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

00:49:50.0000 1856 Raspti - ok

00:49:50.0046 1856 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys

00:49:50.0390 1856 Rdbss - ok

00:49:50.0437 1856 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

00:49:50.0546 1856 RDPCDD - ok

00:49:50.0578 1856 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys

00:49:50.0906 1856 RDPWD - ok

00:49:51.0015 1856 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys

00:49:51.0125 1856 redbook - ok

00:49:51.0171 1856 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys

00:49:51.0265 1856 Secdrv - ok

00:49:51.0312 1856 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys

00:49:51.0406 1856 Serial - ok

00:49:51.0453 1856 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys

00:49:51.0546 1856 Sfloppy - ok

00:49:51.0562 1856 Simbad - ok

00:49:51.0609 1856 Sparrow - ok

00:49:51.0656 1856 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys

00:49:51.0750 1856 splitter - ok

00:49:51.0812 1856 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys

00:49:51.0921 1856 sr - ok

00:49:52.0000 1856 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys

00:49:52.0015 1856 Srv - ok

00:49:52.0093 1856 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys

00:49:52.0203 1856 swenum - ok

00:49:52.0234 1856 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys

00:49:52.0359 1856 swmidi - ok

00:49:52.0406 1856 symc810 - ok

00:49:52.0437 1856 symc8xx - ok

00:49:52.0453 1856 sym_hi - ok

00:49:52.0484 1856 sym_u3 - ok

00:49:52.0531 1856 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys

00:49:52.0640 1856 sysaudio - ok

00:49:52.0734 1856 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys

00:49:52.0781 1856 Tcpip - ok

00:49:52.0812 1856 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys

00:49:52.0906 1856 TDPIPE - ok

00:49:52.0921 1856 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys

00:49:53.0000 1856 TDTCP - ok

00:49:53.0031 1856 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys

00:49:53.0125 1856 TermDD - ok

00:49:53.0140 1856 TosIde - ok

00:49:53.0203 1856 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys

00:49:53.0296 1856 Udfs - ok

00:49:53.0312 1856 ultra - ok

00:49:53.0375 1856 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys

00:49:53.0453 1856 Update - ok

00:49:53.0500 1856 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys

00:49:53.0500 1856 USBAAPL - ok

00:49:53.0562 1856 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

00:49:53.0640 1856 usbccgp - ok

00:49:53.0687 1856 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

00:49:53.0765 1856 usbehci - ok

00:49:53.0859 1856 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys

00:49:53.0937 1856 usbhub - ok

00:49:53.0984 1856 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys

00:49:54.0078 1856 usbohci - ok

00:49:54.0125 1856 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys

00:49:54.0203 1856 usbprint - ok

00:49:54.0250 1856 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys

00:49:54.0343 1856 usbscan - ok

00:49:54.0406 1856 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

00:49:54.0484 1856 USBSTOR - ok

00:49:54.0562 1856 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys

00:49:54.0640 1856 VgaSave - ok

00:49:54.0671 1856 ViaIde - ok

00:49:54.0734 1856 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys

00:49:54.0812 1856 VolSnap - ok

00:49:54.0875 1856 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys

00:49:54.0968 1856 Wanarp - ok

00:49:54.0984 1856 WDICA - ok

00:49:55.0062 1856 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys

00:49:55.0156 1856 wdmaud - ok

00:49:55.0234 1856 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

00:49:55.0375 1856 \Device\Harddisk0\DR0 ( TDSS File System ) - warning

00:49:55.0375 1856 \Device\Harddisk0\DR0 - detected TDSS File System (1)

00:49:55.0390 1856 Boot (0x1200) (3e4b8aeccc496afb720697b3eee9add3) \Device\Harddisk0\DR0\Partition0

00:49:55.0390 1856 \Device\Harddisk0\DR0\Partition0 - ok

00:49:55.0390 1856 ============================================================

00:49:55.0390 1856 Scan finished

00:49:55.0390 1856 ============================================================

00:49:55.0390 0488 Detected object count: 2

00:49:55.0390 0488 Actual detected object count: 2

00:50:01.0968 0488 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user

00:50:01.0968 0488 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip

00:50:01.0968 0488 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user

00:50:01.0968 0488 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

00:50:48.0078 2176 Deinitialize success

:D Thanks Maniac!


So I have new symptoms of odd behavior from the PC. In "Start -> All Programs" I have a populated list of some (if not all) of the applications that have been installed on this computer, but when I mouse over the application title, it shows that the folder is (empty)... I confirmed on the C: drive that the applications are still there, including any *.exe. So the Start menu is not showing any launchable *.exe's even though they remain in the same place on the hard drive.

Guessing here: possibly through our extensive cleaning we eliminated any linking between the Start menu and the hard drive. This would say that there is no dysfunction, just some side effects of our actions. :) Just thinking.

:D Have you given any thought to the re-format idea? I don't think my friend knows where the recovery/reinstall discs are, so this is an option but a potentially costly one.

:huh:

:P You're awesome Maniac!!!


TDSSKiller log is okay.

  1. Please download Restore Accessories Program Files Menu with accrestore.zip for XP
  2. Extract (unzip) the tool, double-click on it to run and ensure that the following check boxes are checked (as shown below):
    [screenshot: restore-start-menu-accessories-folder.png]
  3. Then click on the Restore button.

Next:

  1. Please download Restore Admin Tools Program Files Menu with admintools.zip for XP
  2. Extract (unzip) the tool, double-click on it to run and click on Restore Administrative Tools Items (as shown below):
    [screenshot: RestoreAdministrativeTools.png]
  3. Then click on the Restore button.

For any other missing program shortcuts you will probably need to reinstall the application or manually create new shortcuts.
