Jump to content

Help with persistant malware


Recommended Posts

Hi there,

Symptoms

Intermittent redirects in google (mostly to get-answers-fast)

iexplore.exe -embedding running back background, run by svchost.exe, possibly DCOMLaunch (Dcom Server Process Launcher, c:windows\system32\rpcss.dll)

Audio being played with no visible windows, clearly commercials/videos

"Most visited sites" continually updated with random sites, guessing from where the rouge Internet Explorer is visiting

Occasionally, IE will crash when I am doing stuff.

McAfee reports blocking potentially dangerous connections that I am not initiating.

McAfee reports it has blocked an incoming file or trojan (random, various)

Occasionally, Explorer will crash (not internet explorer, explorer the windows explorer) and then my computer no longer can see the 2nd internal hard drive i have.

At one point I had all of java uninstalled. Occasionally I would get a popup saying Java is required to use this site, even when I had no browsers open.

AV Security 2012 infected the system. I spent a while removing most of the damage. Above is what remains.

Theory

I believe there is a process/trojan on the machine that is starting up internet explorer with no window and going to various places. It is playing audio from those places, and it occasionally (either through the websites it visits or part of a seperate process) downloads other viruses/bad stuff.

Additonal Info

I have a dell, and it has that special recovery partition thing. aswMBR reports the boot record as unknown but McAfee technicial checked with another tool and it looked fine to him.

McAfee technician unable to help. Declared the system virus free.

Steps Taken

I ran TDSSKiller, RKill, aswMBR (with and without the avast check), CCleaner, Malwarebytes anti malwhere(full scan), changed the internet explorer settings (back to default, plus rechecked lan/proxie settings), fixed hosts file, got latest and ran windows malicious software removal tool, McAfee's full scan, and ran Kaspersky malicous software removal tool (same site as their TDSSKiller program).

While many of these things helped kill the AV Security 2012 infection, nothing has been able to even detect whatever else is in the system, nevermind kill it.

I've done most of these tools in safemode, safemode with networking, and normal mode.

Since the main visible symptom is the iexplore window and audio (and redirects), it is difficult to tell if the thing is still working when in safemode with no networking.

After contacting McAfee and having them do the virus removal and them giving me a refund saying my computer was virus free and then hours later finding the redirects and music and stuff returning, I have come here. Here are my DDS logs.

DDS.txt

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421

Run by Vorlock at 9:27:00 on 2011-11-12

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4093.2424 [GMT -5:00]

.

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Program Files\Dell\DellDock\DockLogin.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k apphost

C:\Program Files (x86)\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Windows\system32\mfevtps.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Windows\system32\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Windows\system32\SearchIndexer.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Windows\RAVCpl64.exe

C:\Windows\System32\nvraidservice.exe

C:\Windows\ehome\ehtray.exe

C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Windows\ehome\ehmsas.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Users\Vorlock\Desktop\procexp64.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Common Files\McAfee\Core\mchost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://my.yahoo.com/

uSearch Bar = Preserve

uWindow Title = Internet Explorer provided by Dell

uInternet Settings,ProxyOverride = *.local

mWinlogon: Userinit=userinit.exe,

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111011084022.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

uRun: [steam] "C:\Program Files (x86)\Steam\steam.exe" -silent

uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe

uRun: [igndlm.exe] C:\Program Files (x86)\Download Manager\DLM.exe /windowsstart /startifwork

uRun: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe

uRun: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe

mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

StartupFolder: C:\Users\Vorlock\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\IMPULS~1.LNK - C:\Program Files (x86)\Stardock\Impulse\Now\ImpulseNow.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{9A6B2F1D-CA0C-4D12-B373-216E705D8EBE} : DhcpNameServer = 192.168.0.1

Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO-X64: Search Helper - No File

BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111011084022.dll

BHO-X64: scriptproxy - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File

mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

.

============= SERVICES / DRIVERS ===============

.

R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]

R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]

R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]

R1 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]

R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2008-9-23 155648]

R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-9-15 249936]

R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-9-15 249936]

R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-9-15 249936]

R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-9-15 249936]

R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2011-9-15 199008]

R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2011-9-15 208272]

R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]

R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-7-9 248936]

R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]

R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]

R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 fssfltr;FssFltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-22 1493352]

S3 GetSusp;GetSusp;C:\Windows\GetSusp.sys [2011-11-11 16200]

S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]

S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]

S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-12-29 89920]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== File Associations ===============

.

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

.

=============== Created Last 30 ================

.

2011-11-12 01:51:57 525544 ----a-w- C:\Windows\System32\deployJava1.dll

2011-11-12 00:36:38 -------- d-----w- C:\!KillBox

2011-11-12 00:02:22 16200 ----a-w- C:\Windows\GetSusp.sys

2011-11-11 21:59:08 -------- d-----w- C:\ProgramData\Kaspersky Lab

2011-11-11 04:47:49 -------- d-----w- C:\Program Files\CCleaner

2011-11-09 12:18:08 1426304 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2011-11-09 12:18:07 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat

2011-11-09 12:18:07 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat

2011-11-09 12:17:59 893440 ----a-w- C:\Program Files\Common Files\System\wab32.dll

2011-11-09 12:17:59 707584 ----a-w- C:\Program Files (x86)\Common Files\System\wab32.dll

2011-11-09 12:17:59 50688 ----a-w- C:\Program Files\Windows Mail\wabimp.dll

2011-11-08 01:29:41 -------- d-----w- C:\More Stuff

2011-10-27 23:09:07 -------- d-----w- C:\Program Files (x86)\LitexMedia

2011-10-27 22:49:49 -------- d-----w- C:\Users\Vorlock\AppData\Roaming\WinFF

2011-10-27 22:49:47 -------- d-----w- C:\Program Files (x86)\WinFF

.

==================== Find3M ====================

.

2011-11-12 01:45:26 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2011-10-20 11:11:22 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-09-15 18:41:01 103784 ----a-w- C:\Users\Vorlock\GoToAssistDownloadHelper.exe

2011-09-06 13:56:50 2764288 ----a-w- C:\Windows\System32\win32k.sys

2011-09-01 05:24:07 2309120 ----a-w- C:\Windows\System32\jscript9.dll

2011-09-01 05:17:57 1389056 ----a-w- C:\Windows\System32\wininet.dll

2011-09-01 05:12:04 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2011-09-01 02:35:59 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll

2011-09-01 02:28:15 1126912 ----a-w- C:\Windows\SysWow64\wininet.dll

2011-09-01 02:22:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-08-31 22:00:50 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-08-25 16:20:38 735744 ----a-w- C:\Windows\System32\UIAutomationCore.dll

2011-08-25 16:19:32 847360 ----a-w- C:\Windows\System32\oleaut32.dll

2011-08-25 16:19:32 332288 ----a-w- C:\Windows\System32\oleacc.dll

2011-08-25 16:15:04 555520 ----a-w- C:\Windows\SysWow64\UIAutomationCore.dll

2011-08-25 16:14:01 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll

2011-08-25 16:14:01 238080 ----a-w- C:\Windows\SysWow64\oleacc.dll

2011-08-25 13:54:14 4096 ----a-w- C:\Windows\System32\oleaccrc.dll

2011-08-25 13:31:01 4096 ----a-w- C:\Windows\SysWow64\oleaccrc.dll

2011-08-19 19:59:28 158832 ----a-w- C:\Windows\System32\mfevtps.exe

2011-08-15 14:00:06 9984 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys

2011-08-15 14:00:06 75672 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys

2011-08-15 14:00:06 65128 ----a-w- C:\Windows\System32\drivers\cfwids.sys

2011-08-15 14:00:06 642824 ----a-w- C:\Windows\System32\drivers\mfehidk.sys

2011-08-15 14:00:06 481504 ----a-w- C:\Windows\System32\drivers\mfefirek.sys

2011-08-15 14:00:06 283744 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys

2011-08-15 14:00:06 228752 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys

2011-08-15 14:00:06 158584 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys

2011-08-15 14:00:06 100904 ----a-w- C:\Windows\System32\drivers\mferkdet.sys

.

============= FINISH: 9:35:09.32 ===============

Attach.txt

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume3

Install Date: 2/3/2009 6:26:07 PM

System Uptime: 11/12/2011 9:11:49 AM (0 hours ago)

.

Motherboard: Dell Inc | | 0PP150

Processor: Intel® Core2 Duo CPU E8500 @ 3.16GHz | Socket 775 | 3335/1333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 464 GiB total, 328.117 GiB free.

D: is FIXED (NTFS) - 2 GiB total, 1.002 GiB free.

E: is CDROM ()

F: is FIXED (NTFS) - 112 GiB total, 12.553 GiB free.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

RP675: 11/11/2011 8:37:58 PM - Installed Java 6 Update 29

RP676: 11/11/2011 8:50:17 PM - Installed Java 6 Update 29 (64-bit)

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

Acrobat.com

Adobe AIR

Adobe Anchor Service CS3

Adobe Asset Services CS3

Adobe Bridge CS3

Adobe Bridge Start Meeting

Adobe Camera Raw 4.0

Adobe CMaps

Adobe Color - Photoshop Specific

Adobe Color Common Settings

Adobe Color EU Extra Settings

Adobe Color JA Extra Settings

Adobe Color NA Recommended Settings

Adobe Default Language CS3

Adobe Device Central CS3

Adobe Digital Editions

Adobe ExtendScript Toolkit 2

Adobe Flash Player 10 Plugin

Adobe Flash Player 11 ActiveX

Adobe Fonts All

Adobe Help Viewer CS3

Adobe Linguistics CS3

Adobe PDF Library Files

Adobe Photoshop CS3

Adobe Reader 9.4.6

Adobe Setup

Adobe Stock Photos CS3

Adobe Type Support

Adobe Update Manager CS3

Adobe Version Cue CS3 Client

Adobe WinSoft Linguistics Plugin

Adobe XMP Panels CS3

Amazon MP3 Downloader 1.0.12

Capitalism II

Company of Heroes

Company of Heroes - FAKEMSI

D3DX10

Defense Grid: The Awakening

Dell Getting Started Guide

Dell Video Chat (remove only)

Download Manager 2.3.9

Garmin Communicator Plugin

Garmin USB Drivers

Gratuitous Space Battles

Handbrake 0.9.4

Hearts of Iron III

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Impulse

Java Auto Updater

Java 6 Update 29

Junk Mail filter update

League of Legends

McAfee SecurityCenter

Mesh Runtime

Messenger Companion

Microsoft Games for Windows - LIVE Redistributable

Microsoft Games for Windows Marketplace

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Home and Student 2007

Microsoft Office Live Add-in 1.5

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Search Enhancement Pack

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Move Media Player

MSVCRT

MSVCRT_amd64

NVIDIA PhysX

NVIDIA Stereoscopic 3D Driver

Octoshape Streaming Services

Pando Media Booster

PDF Settings

Portal

Realtek High Definition Audio Driver

Roxio Creator Audio

Roxio Creator Copy

Roxio Creator Data

Roxio Creator DE

Roxio Creator Tools

Roxio Express Labeler 3

Roxio Update Manager

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB2553074)

Security Update for 2007 Microsoft Office System (KB2553089)

Security Update for 2007 Microsoft Office System (KB2553090)

Security Update for 2007 Microsoft Office System (KB2584063)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft Office Excel 2007 (KB2553073)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB2535818)

Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Segoe UI

Sins of a Solar Empire

Sins of a Solar Empire - Entrenchment

Spelling Dictionaries Support For Adobe Reader 9

SQL Server System CLR Types

StarCraft II

Steam

System Requirements Lab

TeamSpeak 2 RC2

Update for 2007 Microsoft Office System (KB2284654)

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 System (KB2539530)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

VideoLAN VLC media player 0.8.6d

Warhammer 40,000: Dawn of War II

Warhammer 40,000: Dawn of War II - Chaos Rising

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

WinFF 1.3.2

.

==== Event Viewer Messages From Past Week ========

.

11/12/2011 9:12:51 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32 is3srv szkg5

11/12/2011 9:12:29 AM, Error: Microsoft-Windows-IIS-APPHOSTSVC [9010] - The Application Host Helper Service encountered an error trying to access the root history directory 'C:\inetpub\history'. The directory either doesn't exist or the permissions on it don't allow the history service to access it. The config history feature is disabled for now and will be re-enabled after the issue is resolved. To resolve this issue, please ensure that the directory exists and that the Administrators group have read and write access to it. The data field contains the error number.

11/11/2011 8:42:53 PM, Error: volsnap [20] - The shadow copies of volume C: were aborted because of a failed free space computation.

11/11/2011 8:42:31 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.

11/11/2011 8:42:11 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.

11/11/2011 8:41:53 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the EMDMgmt service.

11/11/2011 8:41:08 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WPDBusEnum service.

11/11/2011 8:38:31 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the TrkWks service.

11/11/2011 8:31:50 PM, Error: Ntfs [137] - The default transaction resource manager on volume OS encountered a non-retryable error and could not start. The data contains the error code.

11/11/2011 7:24:45 PM, Error: EventLog [6008] - The previous system shutdown at 7:21:47 PM on 11/11/2011 was unexpected.

11/11/2011 7:13:06 PM, Error: EventLog [6008] - The previous system shutdown at 7:09:02 PM on 11/11/2011 was unexpected.

11/11/2011 6:02:44 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}

11/11/2011 6:00:58 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

11/11/2011 6:00:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

11/11/2011 6:00:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

11/11/2011 6:00:21 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

11/11/2011 6:00:21 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

11/11/2011 6:00:20 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

11/11/2011 6:00:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

11/11/2011 6:00:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

11/11/2011 5:59:39 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD ASPI32 DfsC is3srv mfehidk mfenlfk mfewfpk NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr szkg5 Tcpip tdx Wanarpv6

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The McAfee Anti-Spam Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

11/11/2011 5:59:39 PM, Error: Service Control Manager [7001] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

11/11/2011 5:58:31 PM, Error: EventLog [6008] - The previous system shutdown at 5:31:07 PM on 11/11/2011 was unexpected.

11/11/2011 3:15:12 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32 is3srv spldr szkg5 Wanarpv6

11/10/2011 7:49:51 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32

11/10/2011 11:23:03 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the szserver service.

.

==== End Of File ===========================

I forgot to mention that I have ProcessExplorer (64 bit) and am using it to track the iexplore process when possible.

Link to post
Share on other sites

Hello NeedHelpVista and welcome to Malwarebytes! :welcome:

I sincerely apologize for the delay.

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

-------------

Please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue tdsskiller2.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue tdsskiller3.png
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

In your next reply, please include the following (you may need to use two posts to get it all in):

  • TDSSKiller_log.txt
how the PC is running now?
-------------
Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
***IMPORTANT: save ComboFix to your Desktop***
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please go here to see a list of programs that should be disabled.
**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**
Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.
-------------
Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:

  • TDSSKiller report
  • C:\ComboFix.txt
  • checkup.txt

How is your computer running now?

Link to post
Share on other sites

Thank you for your help, though I dont believe this round killed it. Here is the story so far.

Downloaded the new TDSSKiller and ran it. Forgot to run it as administrator, so I ran it again. (So I will post 2 logs.) Neither time did it find anything, and when it was done the rogue iexplore.exe process was still running. Note that during this process I had open a 64 bit version of IE as well, displaying these instructions.

Then I downloaded ComboFix and ran it, this time remembering to run as admin.

It ran but after the disclaimer (where I accepted) it took a long time for the next window to show up (preparing...) so I opened ProcessExplorer64 to see what was going on (i thought the virus might have killed it). It was still running, as was the rogue iexplorer process, so I closed ProcessExplorer down and waiting for ComboFix, which did eventually keep going. No other windows by me were open. (It did not install Recovery Console, so I must have it already.)

It went through all 50 stages and then started deleting some files. I stepped away for a moment and when I came back it was rebooting. I logged back in and it continued, making logs. Note that while it was making logs, after the reboot, some of my "on startup" programs started. I didnt touch anything.

Once it was done I checked and the rogue iexplore process is still running, and still going to lots of random places, such as mevio.com.

Lastly I downloaded and ran the SecurityCheck program, as Administrator. It did its thing. I checked and the rogue iexplore process is still running. Its currently up to over 500megs of memory now.

So, I guess its not fixed. Here are the logs. First, the TDSSKiller NOT run as administrator:

18:12:51.0933 2804 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15

18:12:53.0854 2804 ============================================================

18:12:53.0854 2804 Current date / time: 2011/11/14 18:12:53.0854

18:12:53.0854 2804 SystemInfo:

18:12:53.0854 2804

18:12:53.0854 2804 OS Version: 6.0.6002 ServicePack: 2.0

18:12:53.0854 2804 Product type: Workstation

18:12:53.0854 2804 ComputerName: XPS-PC

18:12:53.0854 2804 UserName: Vorlock

18:12:53.0854 2804 Windows directory: C:\Windows

18:12:53.0854 2804 System windows directory: C:\Windows

18:12:53.0854 2804 Running under WOW64

18:12:53.0854 2804 Processor architecture: Intel x64

18:12:53.0854 2804 Number of processors: 2

18:12:53.0854 2804 Page size: 0x1000

18:12:53.0854 2804 Boot type: Normal boot

18:12:53.0854 2804 ============================================================

18:12:55.0525 2804 Initialize success

18:13:03.0038 5864 ============================================================

18:13:03.0038 5864 Scan started

18:13:03.0038 5864 Mode: Manual; SigCheck; TDLFS;

18:13:03.0038 5864 ============================================================

18:13:12.0968 5864 ACPI (1965aaffab07e3fb03c77f81beba3547) C:\Windows\system32\drivers\acpi.sys

18:13:13.0169 5864 ACPI - ok

18:13:13.0537 5864 adp94xx (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys

18:13:13.0784 5864 adp94xx - ok

18:13:14.0300 5864 adpahci (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys

18:13:14.0327 5864 adpahci - ok

18:13:14.0435 5864 adpu160m (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys

18:13:14.0449 5864 adpu160m - ok

18:13:14.0510 5864 adpu320 (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys

18:13:14.0524 5864 adpu320 - ok

18:13:14.0856 5864 AFD (0cc146c4addea45791b18b1e2659f4a9) C:\Windows\system32\drivers\afd.sys

18:13:15.0077 5864 AFD - ok

18:13:15.0360 5864 agp440 (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys

18:13:15.0373 5864 agp440 - ok

18:13:15.0519 5864 aic78xx (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys

18:13:15.0547 5864 aic78xx - ok

18:13:16.0213 5864 aliide (9544c2c55541c0c6bfd7b489d0e7d430) C:\Windows\system32\drivers\aliide.sys

18:13:16.0227 5864 aliide - ok

18:13:16.0682 5864 amdide (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys

18:13:16.0696 5864 amdide - ok

18:13:17.0156 5864 AmdK8 (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys

18:13:23.0456 5864 AmdK8 - ok

18:13:23.0966 5864 arc (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys

18:13:24.0010 5864 arc - ok

18:13:24.0478 5864 arcsas (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys

18:13:24.0563 5864 arcsas - ok

18:13:24.0963 5864 ASPI32 - ok

18:13:25.0267 5864 AsyncMac (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys

18:13:25.0391 5864 AsyncMac - ok

18:13:25.0492 5864 atapi (e68d9b3a3905619732f7fe039466a623) C:\Windows\system32\drivers\atapi.sys

18:13:25.0512 5864 atapi - ok

18:13:25.0996 5864 blbdrive (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys

18:13:26.0062 5864 blbdrive - ok

18:13:26.0493 5864 bowser (2348447a80920b2493a9b582a23e81e1) C:\Windows\system32\DRIVERS\bowser.sys

18:13:26.0823 5864 bowser - ok

18:13:27.0281 5864 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys

18:13:28.0993 5864 BrFiltLo - ok

18:13:29.0547 5864 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys

18:13:29.0650 5864 BrFiltUp - ok

18:13:30.0316 5864 Brserid (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\drivers\brserid.sys

18:13:33.0843 5864 Brserid - ok

18:13:34.0411 5864 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys

18:13:34.0594 5864 BrSerWdm - ok

18:13:34.0792 5864 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys

18:13:34.0918 5864 BrUsbMdm - ok

18:13:35.0163 5864 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\drivers\brusbser.sys

18:13:35.0274 5864 BrUsbSer - ok

18:13:35.0474 5864 BTHMODEM (e0777b34e05f8a82a21856efc900c29f) C:\Windows\system32\drivers\bthmodem.sys

18:13:35.0584 5864 BTHMODEM - ok

18:13:35.0906 5864 cdfs (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys

18:13:35.0968 5864 cdfs - ok

18:13:36.0265 5864 cdrom (c025aa69be3d0d25c7a2e746ef6f94fc) C:\Windows\system32\DRIVERS\cdrom.sys

18:13:36.0358 5864 cdrom - ok

18:13:36.0894 5864 cfwids (75f91554e5fa6e962b880405fecc97a1) C:\Windows\system32\drivers\cfwids.sys

18:13:36.0937 5864 cfwids - ok

18:13:37.0168 5864 circlass (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\drivers\circlass.sys

18:13:37.0262 5864 circlass - ok

18:13:37.0544 5864 CLFS (3dca9a18b204939cfb24bea53e31eb48) C:\Windows\system32\CLFS.sys

18:13:37.0729 5864 CLFS - ok

18:13:38.0054 5864 cmdide (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys

18:13:38.0067 5864 cmdide - ok

18:13:38.0599 5864 Compbatt (7fb8ad01db0eabe60c8a861531a8f431) C:\Windows\system32\drivers\compbatt.sys

18:13:38.0659 5864 Compbatt - ok

18:13:39.0104 5864 crcdisk (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys

18:13:39.0141 5864 crcdisk - ok

18:13:39.0724 5864 DfsC (8b722ba35205c71e7951cdc4cdbade19) C:\Windows\system32\Drivers\dfsc.sys

18:13:40.0119 5864 DfsC - ok

18:13:40.0543 5864 disk (b0107e40ecdb5fa692ebf832f295d905) C:\Windows\system32\drivers\disk.sys

18:13:40.0557 5864 disk - ok

18:13:40.0874 5864 drmkaud (f1a78a98cfc2ee02144c6bec945447e6) C:\Windows\system32\drivers\drmkaud.sys

18:13:40.0967 5864 drmkaud - ok

18:13:41.0407 5864 DXGKrnl (b8e554e502d5123bc111f99d6a2181b4) C:\Windows\System32\drivers\dxgkrnl.sys

18:13:41.0774 5864 DXGKrnl - ok

18:13:42.0185 5864 e1express (17d40652ef3e55eeae187a89df40965a) C:\Windows\system32\DRIVERS\e1e6032e.sys

18:13:42.0380 5864 e1express - ok

18:13:42.0651 5864 E1G60 (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys

18:13:42.0856 5864 E1G60 - ok

18:13:43.0336 5864 Ecache (5f94962be5a62db6e447ff6470c4f48a) C:\Windows\system32\drivers\ecache.sys

18:13:43.0366 5864 Ecache - ok

18:13:44.0042 5864 elxstor (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys

18:13:44.0143 5864 elxstor - ok

18:13:44.0355 5864 ErrDev (bc3a58e938bb277e46bf4b3003b01abd) C:\Windows\system32\drivers\errdev.sys

18:13:44.0446 5864 ErrDev - ok

18:13:44.0811 5864 exfat (486844f47b6636044a42454614ed4523) C:\Windows\system32\drivers\exfat.sys

18:13:45.0117 5864 exfat - ok

18:13:45.0530 5864 fastfat (1a4bee34277784619ddaf0422c0c6e23) C:\Windows\system32\drivers\fastfat.sys

18:13:45.0664 5864 fastfat - ok

18:13:46.0109 5864 fdc (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys

18:13:46.0152 5864 fdc - ok

18:13:46.0400 5864 FileInfo (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys

18:13:46.0413 5864 FileInfo - ok

18:13:46.0619 5864 Filetrace (d421327fd6efccaf884a54c58e1b0d7f) C:\Windows\system32\drivers\filetrace.sys

18:13:46.0848 5864 Filetrace - ok

18:13:47.0015 5864 flpydisk (230923ea2b80f79b0f88d90f87b87ebd) C:\Windows\system32\DRIVERS\flpydisk.sys

18:13:47.0064 5864 flpydisk - ok

18:13:47.0345 5864 FltMgr (e3041bc26d6930d61f42aedb79c91720) C:\Windows\system32\drivers\fltmgr.sys

18:13:47.0403 5864 FltMgr - ok

18:13:48.0157 5864 fssfltr (6c06701bf1db05405804d7eb610991ce) C:\Windows\system32\DRIVERS\fssfltr.sys

18:13:48.0176 5864 fssfltr - ok

18:13:48.0588 5864 Fs_Rec (29d99e860a1ca0a03c6a733fdd0da703) C:\Windows\system32\drivers\Fs_Rec.sys

18:13:48.0721 5864 Fs_Rec - ok

18:13:48.0842 5864 gagp30kx (c8e416668d3dc2be3d4fe4c79224997f) C:\Windows\system32\drivers\gagp30kx.sys

18:13:48.0855 5864 gagp30kx - ok

18:13:49.0163 5864 GetSusp (2b455b3c001c047a90cb886e5e8dc900) C:\Windows\GetSusp.sys

18:13:49.0264 5864 GetSusp - ok

18:13:50.0404 5864 HDAudBus (f942c5820205f2fb453243edfec82a3d) C:\Windows\system32\DRIVERS\HDAudBus.sys

18:13:50.0559 5864 HDAudBus - ok

18:13:51.0126 5864 HidBth (b4881c84a180e75b8c25dc1d726c375f) C:\Windows\system32\drivers\hidbth.sys

18:13:51.0208 5864 HidBth - ok

18:13:51.0729 5864 HidIr (4e77a77e2c986e8f88f996bb3e1ad829) C:\Windows\system32\drivers\hidir.sys

18:13:51.0844 5864 HidIr - ok

18:13:52.0122 5864 HidUsb (443bdd2d30bb4f00795c797e2cf99edf) C:\Windows\system32\DRIVERS\hidusb.sys

18:13:52.0210 5864 HidUsb - ok

18:13:52.0655 5864 HpCISSs (d7109a1e6bd2dfdbcba72a6bc626a13b) C:\Windows\system32\drivers\hpcisss.sys

18:13:52.0668 5864 HpCISSs - ok

18:13:53.0143 5864 HTTP (098f1e4e5c9cb5b0063a959063631610) C:\Windows\system32\drivers\HTTP.sys

18:13:53.0510 5864 HTTP - ok

18:13:53.0885 5864 i2omp (da94c854cea5fac549d4e1f6e88349e8) C:\Windows\system32\drivers\i2omp.sys

18:13:53.0915 5864 i2omp - ok

18:13:54.0150 5864 i8042prt (cbb597659a2713ce0c9cc20c88c7591f) C:\Windows\system32\DRIVERS\i8042prt.sys

18:13:54.0239 5864 i8042prt - ok

18:13:54.0386 5864 iaStorV (3e3bf3627d886736d0b4e90054f929f6) C:\Windows\system32\drivers\iastorv.sys

18:13:54.0404 5864 iaStorV - ok

18:13:54.0448 5864 iirsp (8c3951ad2fe886ef76c7b5027c3125d3) C:\Windows\system32\drivers\iirsp.sys

18:13:54.0460 5864 iirsp - ok

18:13:54.0627 5864 IntcAzAudAddService (baa12aeced01041ffe309048cfdd573a) C:\Windows\system32\drivers\RTKVHD64.sys

18:13:55.0018 5864 IntcAzAudAddService - ok

18:13:55.0247 5864 intelide (df797a12176f11b2d301c5b234bb200e) C:\Windows\system32\drivers\intelide.sys

18:13:55.0267 5864 intelide - ok

18:13:55.0336 5864 intelppm (bfd84af32fa1bad6231c4585cb469630) C:\Windows\system32\DRIVERS\intelppm.sys

18:13:55.0422 5864 intelppm - ok

18:13:55.0561 5864 IpFilterDriver (d8aabc341311e4780d6fce8c73c0ad81) C:\Windows\system32\DRIVERS\ipfltdrv.sys

18:13:55.0735 5864 IpFilterDriver - ok

18:13:55.0914 5864 IpInIp - ok

18:13:56.0157 5864 IPMIDRV (9c2ee2e6e5a7203bfae15c299475ec67) C:\Windows\system32\drivers\ipmidrv.sys

18:13:56.0239 5864 IPMIDRV - ok

18:13:56.0609 5864 IPNAT (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys

18:13:56.0661 5864 IPNAT - ok

18:13:56.0902 5864 IRENUM (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys

18:13:56.0980 5864 IRENUM - ok

18:13:56.0983 5864 is3srv - ok

18:13:57.0358 5864 isapnp (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys

18:13:57.0380 5864 isapnp - ok

18:13:57.0837 5864 iScsiPrt (e4fdf99599f27ec25d2cf6d754243520) C:\Windows\system32\DRIVERS\msiscsi.sys

18:13:57.0883 5864 iScsiPrt - ok

18:13:58.0149 5864 iteatapi (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys

18:13:58.0162 5864 iteatapi - ok

18:13:58.0476 5864 iteraid (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys

18:13:58.0487 5864 iteraid - ok

18:13:58.0817 5864 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys

18:13:58.0830 5864 kbdclass - ok

18:13:59.0132 5864 kbdhid (dbdf75d51464fbc47d0104ec3d572c05) C:\Windows\system32\DRIVERS\kbdhid.sys

18:13:59.0205 5864 kbdhid - ok

18:13:59.0534 5864 KSecDD (476e2c1dcea45895994bef11c2a98715) C:\Windows\system32\Drivers\ksecdd.sys

18:13:59.0589 5864 KSecDD - ok

18:13:59.0914 5864 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys

18:14:00.0056 5864 ksthunk - ok

18:14:00.0331 5864 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys

18:14:00.0474 5864 lltdio - ok

18:14:00.0824 5864 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys

18:14:00.0836 5864 LSI_FC - ok

18:14:01.0048 5864 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys

18:14:01.0081 5864 LSI_SAS - ok

18:14:01.0305 5864 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys

18:14:01.0339 5864 LSI_SCSI - ok

18:14:01.0542 5864 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys

18:14:01.0597 5864 luafv - ok

18:14:02.0027 5864 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys

18:14:02.0055 5864 megasas - ok

18:14:02.0562 5864 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys

18:14:02.0704 5864 MegaSR - ok

18:14:03.0134 5864 mfeapfk (eac376dd77ec9e95d38108a27c261dca) C:\Windows\system32\drivers\mfeapfk.sys

18:14:03.0228 5864 mfeapfk - ok

18:14:03.0535 5864 mfeavfk (f55f50b11d635658f346db0457bb2b79) C:\Windows\system32\drivers\mfeavfk.sys

18:14:03.0559 5864 mfeavfk - ok

18:14:04.0111 5864 mfeavfk01 - ok

18:14:04.0596 5864 mfefirek (33b8e35c5839a83d6700aab3e464553b) C:\Windows\system32\drivers\mfefirek.sys

18:14:04.0860 5864 mfefirek - ok

18:14:05.0331 5864 mfehidk (ada8c105c8f9a61284c75157c170585b) C:\Windows\system32\drivers\mfehidk.sys

18:14:05.0745 5864 mfehidk - ok

18:14:06.0161 5864 mfenlfk (c52ee6d1e1e5a69c989acc478051964e) C:\Windows\system32\DRIVERS\mfenlfk.sys

18:14:06.0234 5864 mfenlfk - ok

18:14:06.0741 5864 mferkdet (b000720e19ef733f938a6269d630f5dd) C:\Windows\system32\drivers\mferkdet.sys

18:14:06.0755 5864 mferkdet - ok

18:14:07.0123 5864 mfewfpk (62717ab68b38efee54678b85e19b0538) C:\Windows\system32\drivers\mfewfpk.sys

18:14:07.0219 5864 mfewfpk - ok

18:14:07.0631 5864 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys

18:14:07.0916 5864 Modem - ok

18:14:08.0459 5864 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys

18:14:08.0568 5864 monitor - ok

18:14:09.0065 5864 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys

18:14:09.0077 5864 mouclass - ok

18:14:09.0490 5864 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys

18:14:09.0541 5864 mouhid - ok

18:14:09.0891 5864 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys

18:14:09.0941 5864 MountMgr - ok

18:14:10.0362 5864 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys

18:14:10.0419 5864 mpio - ok

18:14:10.0978 5864 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys

18:14:11.0024 5864 mpsdrv - ok

18:14:11.0143 5864 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys

18:14:11.0156 5864 Mraid35x - ok

18:14:11.0329 5864 MRxDAV (7c1de4aa96dc0c071611f9e7de02a68d) C:\Windows\system32\drivers\mrxdav.sys

18:14:11.0621 5864 MRxDAV - ok

18:14:12.0054 5864 mrxsmb (1485811b320ff8c7edad1caebb1c6c2b) C:\Windows\system32\DRIVERS\mrxsmb.sys

18:14:12.0179 5864 mrxsmb - ok

18:14:12.0540 5864 mrxsmb10 (3b929a60c833fc615fd97fba82bc7632) C:\Windows\system32\DRIVERS\mrxsmb10.sys

18:14:12.0617 5864 mrxsmb10 - ok

18:14:12.0977 5864 mrxsmb20 (c64ab3e1f53b4f5b5bb6d796b2d7bec3) C:\Windows\system32\DRIVERS\mrxsmb20.sys

18:14:13.0011 5864 mrxsmb20 - ok

18:14:13.0208 5864 msahci (730b784962d22d2c6481eae2370e7c8c) C:\Windows\system32\drivers\msahci.sys

18:14:13.0220 5864 msahci - ok

18:14:13.0377 5864 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys

18:14:13.0411 5864 msdsm - ok

18:14:13.0563 5864 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys

18:14:13.0688 5864 Msfs - ok

18:14:14.0094 5864 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys

18:14:14.0106 5864 msisadrv - ok

18:14:14.0356 5864 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys

18:14:14.0421 5864 MSKSSRV - ok

18:14:14.0794 5864 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys

18:14:14.0833 5864 MSPCLOCK - ok

18:14:15.0038 5864 MSPQM (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys

18:14:15.0092 5864 MSPQM - ok

18:14:15.0572 5864 MsRPC (dc6ccf440cdede4293db41c37a5060a5) C:\Windows\system32\drivers\MsRPC.sys

18:14:15.0681 5864 MsRPC - ok

18:14:16.0287 5864 mssmbios (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys

18:14:16.0300 5864 mssmbios - ok

18:14:16.0479 5864 MSTEE (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys

18:14:16.0527 5864 MSTEE - ok

18:14:16.0997 5864 Mup (0cc49f78d8aca0877d885f149084e543) C:\Windows\system32\Drivers\mup.sys

18:14:17.0009 5864 Mup - ok

18:14:17.0423 5864 NativeWifiP (2007b826c4acd94ae32232b41f0842b9) C:\Windows\system32\DRIVERS\nwifi.sys

18:14:17.0468 5864 NativeWifiP - ok

18:14:17.0923 5864 NDIS (65950e07329fcee8e6516b17c8d0abb6) C:\Windows\system32\drivers\ndis.sys

18:14:18.0330 5864 NDIS - ok

18:14:18.0594 5864 NdisTapi (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys

18:14:18.0729 5864 NdisTapi - ok

18:14:18.0840 5864 Ndisuio (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys

18:14:18.0912 5864 Ndisuio - ok

18:14:19.0196 5864 NdisWan (f8158771905260982ce724076419ef19) C:\Windows\system32\DRIVERS\ndiswan.sys

18:14:19.0290 5864 NdisWan - ok

18:14:19.0541 5864 NDProxy (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys

18:14:19.0580 5864 NDProxy - ok

18:14:19.0802 5864 NetBIOS (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys

18:14:19.0842 5864 NetBIOS - ok

18:14:20.0022 5864 netbt (fc2c792ebddc8e28df939d6a92c83d61) C:\Windows\system32\DRIVERS\netbt.sys

18:14:20.0062 5864 netbt - ok

18:14:20.0401 5864 nfrd960 (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys

18:14:20.0436 5864 nfrd960 - ok

18:14:20.0863 5864 Npfs (b298874f8e0ea93f06ec40aa8d146478) C:\Windows\system32\drivers\Npfs.sys

18:14:20.0935 5864 Npfs - ok

18:14:21.0207 5864 nsiproxy (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys

18:14:21.0266 5864 nsiproxy - ok

18:14:21.0665 5864 Ntfs (bac869dfb98e499ba4d9bb1fb43270e1) C:\Windows\system32\drivers\Ntfs.sys

18:14:22.0019 5864 Ntfs - ok

18:14:22.0259 5864 Null (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys

18:14:22.0356 5864 Null - ok

18:14:22.0949 5864 NVENETFD (211d111d01d4b74015d4e58e84588f86) C:\Windows\system32\DRIVERS\nvmfdx64.sys

18:14:23.0346 5864 NVENETFD - ok

18:14:25.0591 5864 nvlddmkm (e55cab397f77d5208db18a78b1b7c0d5) C:\Windows\system32\DRIVERS\nvlddmkm.sys

18:14:29.0123 5864 nvlddmkm - ok

18:14:29.0601 5864 nvraid (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys

18:14:29.0619 5864 nvraid - ok

18:14:29.0844 5864 nvrd64 (a4b9af8d1793f67ce894bf051342110f) C:\Windows\system32\drivers\nvrd64.sys

18:14:29.0863 5864 nvrd64 - ok

18:14:30.0146 5864 nvstor (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys

18:14:30.0160 5864 nvstor - ok

18:14:30.0488 5864 nvstor64 (7919ee9458b6d84517bc5a598d795931) C:\Windows\system32\drivers\nvstor64.sys

18:14:30.0497 5864 nvstor64 - ok

18:14:30.0735 5864 nv_agp (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys

18:14:30.0758 5864 nv_agp - ok

18:14:30.0950 5864 NwlnkFlt - ok

18:14:31.0102 5864 NwlnkFwd - ok

18:14:31.0606 5864 ohci1394 (b5b1ce65ac15bbd11c0619e3ef7cfc28) C:\Windows\system32\DRIVERS\ohci1394.sys

18:14:31.0683 5864 ohci1394 - ok

18:14:31.0992 5864 Parport (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys

18:14:32.0061 5864 Parport - ok

18:14:32.0477 5864 partmgr (f9b5eda4c17a2be7663f064dbf0fe254) C:\Windows\system32\drivers\partmgr.sys

18:14:32.0499 5864 partmgr - ok

18:14:32.0951 5864 pci (47ab1e0fc9d0e12bb53ba246e3a0906d) C:\Windows\system32\drivers\pci.sys

18:14:32.0992 5864 pci - ok

18:14:33.0425 5864 pciide (2657f6c0b78c36d95034be109336e382) C:\Windows\system32\drivers\pciide.sys

18:14:33.0439 5864 pciide - ok

18:14:33.0828 5864 pcmcia (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys

18:14:33.0851 5864 pcmcia - ok

18:14:34.0212 5864 PEAUTH (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys

18:14:34.0646 5864 PEAUTH - ok

18:14:35.0305 5864 PptpMiniport (23386e9952025f5f21c368971e2e7301) C:\Windows\system32\DRIVERS\raspptp.sys

18:14:35.0402 5864 PptpMiniport - ok

18:14:35.0553 5864 Processor (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\drivers\processr.sys

18:14:35.0612 5864 Processor - ok

18:14:35.0934 5864 PSched (c5ab7f0809392d0da027f4a2a81bfa31) C:\Windows\system32\DRIVERS\pacer.sys

18:14:35.0957 5864 PSched - ok

18:14:36.0510 5864 PxHlpa64 (46851bc18322da70f3f2299a1007c479) C:\Windows\system32\Drivers\PxHlpa64.sys

18:14:36.0522 5864 PxHlpa64 - ok

18:14:37.0127 5864 ql2300 (0b83f4e681062f3839be2ec1d98fd94a) C:\Windows\system32\drivers\ql2300.sys

18:14:37.0456 5864 ql2300 - ok

18:14:37.0787 5864 ql40xx (e1c80f8d4d1e39ef9595809c1369bf2a) C:\Windows\system32\drivers\ql40xx.sys

18:14:37.0802 5864 ql40xx - ok

18:14:38.0031 5864 QWAVEdrv (e8d76edab77ec9c634c27b8eac33adc5) C:\Windows\system32\drivers\qwavedrv.sys

18:14:38.0401 5864 QWAVEdrv - ok

18:14:38.0978 5864 R300 (2a09a6b271d1f50adf5e33b37d460de6) C:\Windows\system32\DRIVERS\atikmdag.sys

18:14:40.0122 5864 R300 - ok

18:14:40.0658 5864 RasAcd (1013b3b663a56d3ddd784f581c1bd005) C:\Windows\system32\DRIVERS\rasacd.sys

18:14:40.0746 5864 RasAcd - ok

18:14:41.0417 5864 Rasl2tp (ac7bc4d42a7e558718dfdec599bbfc2c) C:\Windows\system32\DRIVERS\rasl2tp.sys

18:14:41.0486 5864 Rasl2tp - ok

18:14:41.0912 5864 RasPppoe (4517fbf8b42524afe4ede1de102aae3e) C:\Windows\system32\DRIVERS\raspppoe.sys

18:14:41.0954 5864 RasPppoe - ok

18:14:42.0420 5864 RasSstp (c6a593b51f34c33e5474539544072527) C:\Windows\system32\DRIVERS\rassstp.sys

18:14:42.0517 5864 RasSstp - ok

18:14:42.0887 5864 rdbss (322db5c6b55e8d8ee8d6f358b2aaabb1) C:\Windows\system32\DRIVERS\rdbss.sys

18:14:42.0995 5864 rdbss - ok

18:14:43.0307 5864 RDPCDD (603900cc05f6be65ccbf373800af3716) C:\Windows\system32\DRIVERS\RDPCDD.sys

18:14:43.0343 5864 RDPCDD - ok

18:14:43.0743 5864 rdpdr (c045d1fb111c28df0d1be8d4bda22c06) C:\Windows\system32\drivers\rdpdr.sys

18:14:43.0802 5864 rdpdr - ok

18:14:44.0015 5864 RDPENCDD (cab9421daf3d97b33d0d055858e2c3ab) C:\Windows\system32\drivers\rdpencdd.sys

18:14:44.0100 5864 RDPENCDD - ok

18:14:44.0283 5864 RDPWD (b1d741c87cea8d7282146366cc9c3f81) C:\Windows\system32\drivers\RDPWD.sys

18:14:44.0327 5864 RDPWD - ok

18:14:44.0547 5864 rspndr (22a9cb08b1a6707c1550c6bf099aae73) C:\Windows\system32\DRIVERS\rspndr.sys

18:14:44.0577 5864 rspndr - ok

18:14:44.0785 5864 sbp2port (cd9c693589c60ad59bbbcfb0e524e01b) C:\Windows\system32\drivers\sbp2port.sys

18:14:44.0821 5864 sbp2port - ok

18:14:44.0900 5864 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys

18:14:44.0961 5864 secdrv - ok

18:14:45.0023 5864 Serenum (f71bfe7ac6c52273b7c82cbf1bb2a222) C:\Windows\system32\drivers\serenum.sys

18:14:45.0079 5864 Serenum - ok

18:14:45.0206 5864 Serial (e62fac91ee288db29a9696a9d279929c) C:\Windows\system32\drivers\serial.sys

18:14:45.0280 5864 Serial - ok

18:14:45.0430 5864 sermouse (a842f04833684bceea7336211be478df) C:\Windows\system32\drivers\sermouse.sys

18:14:45.0489 5864 sermouse - ok

18:14:45.0556 5864 sffdisk (14d4b4465193a87c127933978e8c4106) C:\Windows\system32\drivers\sffdisk.sys

18:14:45.0616 5864 sffdisk - ok

18:14:45.0826 5864 sffp_mmc (7073aee3f82f3d598e3825962aa98ab2) C:\Windows\system32\drivers\sffp_mmc.sys

18:14:45.0878 5864 sffp_mmc - ok

18:14:45.0999 5864 sffp_sd (35e59ebe4a01a0532ed67975161c7b82) C:\Windows\system32\drivers\sffp_sd.sys

18:14:46.0060 5864 sffp_sd - ok

18:14:46.0258 5864 sfloppy (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys

18:14:46.0315 5864 sfloppy - ok

18:14:46.0374 5864 SiSRaid2 (7a5de502aeb719d4594c6471060a78b3) C:\Windows\system32\drivers\sisraid2.sys

18:14:46.0387 5864 SiSRaid2 - ok

18:14:46.0499 5864 SiSRaid4 (3a2f769fab9582bc720e11ea1dfb184d) C:\Windows\system32\drivers\sisraid4.sys

18:14:46.0512 5864 SiSRaid4 - ok

18:14:46.0605 5864 Smb (290b6f6a0ec4fcdfc90f5cb6d7020473) C:\Windows\system32\DRIVERS\smb.sys

18:14:46.0694 5864 Smb - ok

18:14:46.0828 5864 spldr (386c3c63f00a7040c7ec5e384217e89d) C:\Windows\system32\drivers\spldr.sys

18:14:46.0863 5864 spldr - ok

18:14:47.0010 5864 srv (880a57fccb571ebd063d4dd50e93e46d) C:\Windows\system32\DRIVERS\srv.sys

18:14:47.0358 5864 srv - ok

18:14:47.0671 5864 srv2 (a1ad14a6d7a37891fffeca35ebbb0730) C:\Windows\system32\DRIVERS\srv2.sys

18:14:47.0771 5864 srv2 - ok

18:14:48.0087 5864 srvnet (4bed62f4fa4d8300973f1151f4c4d8a7) C:\Windows\system32\DRIVERS\srvnet.sys

18:14:48.0144 5864 srvnet - ok

18:14:48.0590 5864 swenum (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys

18:14:48.0602 5864 swenum - ok

18:14:48.0796 5864 Symc8xx (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys

18:14:48.0813 5864 Symc8xx - ok

18:14:49.0074 5864 Sym_hi (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys

18:14:49.0090 5864 Sym_hi - ok

18:14:49.0454 5864 Sym_u3 (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys

18:14:49.0471 5864 Sym_u3 - ok

18:14:49.0474 5864 szkg5 - ok

18:14:50.0049 5864 Tcpip (2cc45d932bd193cd4117321d469ad6b2) C:\Windows\system32\drivers\tcpip.sys

18:14:50.0850 5864 Tcpip - ok

18:14:51.0802 5864 Tcpip6 (2cc45d932bd193cd4117321d469ad6b2) C:\Windows\system32\DRIVERS\tcpip.sys

18:14:52.0188 5864 Tcpip6 - ok

18:14:52.0751 5864 tcpipreg (c7e72a4071ee0200e3c075dacfb2b334) C:\Windows\system32\drivers\tcpipreg.sys

18:14:53.0185 5864 tcpipreg - ok

18:14:53.0850 5864 TDPIPE (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys

18:14:53.0907 5864 TDPIPE - ok

18:14:54.0341 5864 TDTCP (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys

18:14:54.0458 5864 TDTCP - ok

18:14:54.0925 5864 tdx (458919c8c42e398dc4802178d5ffee27) C:\Windows\system32\DRIVERS\tdx.sys

18:14:55.0023 5864 tdx - ok

18:14:55.0468 5864 TermDD (8c19678d22649ec002ef2282eae92f98) C:\Windows\system32\DRIVERS\termdd.sys

18:14:55.0484 5864 TermDD - ok

18:14:56.0060 5864 tssecsrv (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys

18:14:56.0152 5864 tssecsrv - ok

18:14:56.0603 5864 tunmp (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys

18:14:56.0839 5864 tunmp - ok

18:14:57.0175 5864 tunnel (30a9b3f45ad081bffc3bcaa9c812b609) C:\Windows\system32\DRIVERS\tunnel.sys

18:14:57.0219 5864 tunnel - ok

18:14:57.0458 5864 uagp35 (fec266ef401966311744bd0f359f7f56) C:\Windows\system32\drivers\uagp35.sys

18:14:57.0472 5864 uagp35 - ok

18:14:57.0837 5864 udfs (faf2640a2a76ed03d449e443194c4c34) C:\Windows\system32\DRIVERS\udfs.sys

18:14:57.0949 5864 udfs - ok

18:14:58.0139 5864 uliagpkx (4ec9447ac3ab462647f60e547208ca00) C:\Windows\system32\drivers\uliagpkx.sys

18:14:58.0159 5864 uliagpkx - ok

18:14:58.0657 5864 uliahci (697f0446134cdc8f99e69306184fbbb4) C:\Windows\system32\drivers\uliahci.sys

18:14:58.0855 5864 uliahci - ok

18:14:58.0964 5864 UlSata (31707f09846056651ea2c37858f5ddb0) C:\Windows\system32\drivers\ulsata.sys

18:14:58.0991 5864 UlSata - ok

18:14:59.0108 5864 ulsata2 (85e5e43ed5b48c8376281bab519271b7) C:\Windows\system32\drivers\ulsata2.sys

18:14:59.0126 5864 ulsata2 - ok

18:14:59.0355 5864 umbus (46e9a994c4fed537dd951f60b86ad3f4) C:\Windows\system32\DRIVERS\umbus.sys

18:14:59.0390 5864 umbus - ok

18:14:59.0794 5864 usbccgp (07e3498fc60834219d2356293da0fecc) C:\Windows\system32\DRIVERS\usbccgp.sys

18:14:59.0897 5864 usbccgp - ok

18:15:00.0482 5864 usbcir (9247f7e0b65852c1f6631480984d6ed2) C:\Windows\system32\drivers\usbcir.sys

18:15:00.0626 5864 usbcir - ok

18:15:01.0129 5864 usbehci (827e44de934a736ea31e91d353eb126f) C:\Windows\system32\DRIVERS\usbehci.sys

18:15:01.0235 5864 usbehci - ok

18:15:01.0947 5864 usbhub (bb35cd80a2ececfadc73569b3d70c7d1) C:\Windows\system32\DRIVERS\usbhub.sys

18:15:02.0314 5864 usbhub - ok

18:15:03.0334 5864 usbohci (e406b003a354776d317762694956b0fc) C:\Windows\system32\DRIVERS\usbohci.sys

18:15:03.0421 5864 usbohci - ok

18:15:03.0962 5864 usbprint (28b693b6d31e7b9332c1bdcefef228c1) C:\Windows\system32\DRIVERS\usbprint.sys

18:15:04.0012 5864 usbprint - ok

18:15:04.0557 5864 USBSTOR (b854c1558fca0c269a38663e8b59b581) C:\Windows\system32\DRIVERS\USBSTOR.SYS

18:15:04.0755 5864 USBSTOR - ok

18:15:05.0258 5864 usbuhci (b2872cbf9f47316abd0e0c74a1aba507) C:\Windows\system32\DRIVERS\usbuhci.sys

18:15:05.0343 5864 usbuhci - ok

18:15:05.0654 5864 vga (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys

18:15:05.0775 5864 vga - ok

18:15:06.0071 5864 VgaSave (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys

18:15:06.0188 5864 VgaSave - ok

18:15:06.0679 5864 viaide (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys

18:15:06.0692 5864 viaide - ok

18:15:07.0066 5864 volmgr (2b7e885ed951519a12c450d24535dfca) C:\Windows\system32\drivers\volmgr.sys

18:15:07.0087 5864 volmgr - ok

18:15:08.0115 5864 volmgrx (cec5ac15277d75d9e5dec2e1c6eaf877) C:\Windows\system32\drivers\volmgrx.sys

18:15:08.0546 5864 volmgrx - ok

18:15:09.0509 5864 volsnap (5280aada24ab36b01a84a6424c475c8d) C:\Windows\system32\drivers\volsnap.sys

18:15:09.0538 5864 volsnap - ok

18:15:10.0476 5864 vsmraid (a68f455ed2673835209318dd61bfbb0e) C:\Windows\system32\drivers\vsmraid.sys

18:15:10.0505 5864 vsmraid - ok

18:15:11.0223 5864 WacomPen (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys

18:15:11.0303 5864 WacomPen - ok

18:15:12.0226 5864 Wanarp (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys

18:15:12.0408 5864 Wanarp - ok

18:15:12.0507 5864 Wanarpv6 (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys

18:15:12.0528 5864 Wanarpv6 - ok

18:15:13.0231 5864 Wd (0c17a0816f65b89e362e682ad5e7266e) C:\Windows\system32\drivers\wd.sys

18:15:13.0249 5864 Wd - ok

18:15:14.0392 5864 Wdf01000 (d02e7e4567da1e7582fbf6a91144b0df) C:\Windows\system32\drivers\Wdf01000.sys

18:15:14.0685 5864 Wdf01000 - ok

18:15:15.0484 5864 WmiAcpi (e18aebaaa5a773fe11aa2c70f65320f5) C:\Windows\system32\drivers\wmiacpi.sys

18:15:15.0601 5864 WmiAcpi - ok

18:15:16.0391 5864 WpdUsb (5e2401b3fc1089c90e081291357371a9) C:\Windows\system32\DRIVERS\wpdusb.sys

18:15:16.0739 5864 WpdUsb - ok

18:15:17.0046 5864 ws2ifsl (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys

18:15:17.0116 5864 ws2ifsl - ok

18:15:17.0944 5864 WUDFRd (501a65252617b495c0f1832f908d54d8) C:\Windows\system32\DRIVERS\WUDFRd.sys

18:15:18.0101 5864 WUDFRd - ok

18:15:18.0177 5864 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0

18:15:26.0641 5864 \Device\Harddisk0\DR0 - ok

18:15:26.0652 5864 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk1\DR1

18:15:27.0272 5864 \Device\Harddisk1\DR1 - ok

18:15:27.0298 5864 Boot (0x1200) (12613448714e6edf5b192732cc1e7128) \Device\Harddisk0\DR0\Partition0

18:15:27.0309 5864 \Device\Harddisk0\DR0\Partition0 - ok

18:15:27.0323 5864 Boot (0x1200) (3bd5ea4fdc5f5dc87e198c68aa86e9eb) \Device\Harddisk0\DR0\Partition1

18:15:27.0388 5864 \Device\Harddisk0\DR0\Partition1 - ok

18:15:27.0406 5864 Boot (0x1200) (2431d61a58d383c0a494a12f3731c08f) \Device\Harddisk1\DR1\Partition0

18:15:27.0407 5864 \Device\Harddisk1\DR1\Partition0 - ok

18:15:27.0410 5864 Boot (0x1200) (f7bc4b3891d36c7b4509de5c17b41db3) \Device\Harddisk1\DR1\Partition1

18:15:27.0411 5864 \Device\Harddisk1\DR1\Partition1 - ok

18:15:27.0411 5864 ============================================================

18:15:27.0411 5864 Scan finished

18:15:27.0411 5864 ============================================================

18:15:27.0417 3492 Detected object count: 0

18:15:27.0417 3492 Actual detected object count: 0

Link to post
Share on other sites

Now, the TDSSKiller log from when I ran it as Administrator:

18:16:21.0153 0264 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15

18:16:21.0615 0264 ============================================================

18:16:21.0615 0264 Current date / time: 2011/11/14 18:16:21.0615

18:16:21.0615 0264 SystemInfo:

18:16:21.0615 0264

18:16:21.0615 0264 OS Version: 6.0.6002 ServicePack: 2.0

18:16:21.0615 0264 Product type: Workstation

18:16:21.0615 0264 ComputerName: XPS-PC

18:16:21.0615 0264 UserName: Vorlock

18:16:21.0615 0264 Windows directory: C:\Windows

18:16:21.0615 0264 System windows directory: C:\Windows

18:16:21.0615 0264 Running under WOW64

18:16:21.0615 0264 Processor architecture: Intel x64

18:16:21.0615 0264 Number of processors: 2

18:16:21.0615 0264 Page size: 0x1000

18:16:21.0615 0264 Boot type: Normal boot

18:16:21.0615 0264 ============================================================

18:16:27.0821 0264 Initialize success

18:16:33.0790 6080 ============================================================

18:16:33.0790 6080 Scan started

18:16:33.0790 6080 Mode: Manual; SigCheck; TDLFS;

18:16:33.0790 6080 ============================================================

18:16:45.0662 6080 ACPI (1965aaffab07e3fb03c77f81beba3547) C:\Windows\system32\drivers\acpi.sys

18:16:45.0739 6080 ACPI - ok

18:16:47.0216 6080 adp94xx (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys

18:16:47.0537 6080 adp94xx - ok

18:16:48.0552 6080 adpahci (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys

18:16:48.0604 6080 adpahci - ok

18:16:49.0101 6080 adpu160m (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys

18:16:49.0110 6080 adpu160m - ok

18:16:49.0427 6080 adpu320 (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys

18:16:49.0437 6080 adpu320 - ok

18:16:50.0252 6080 AFD (0cc146c4addea45791b18b1e2659f4a9) C:\Windows\system32\drivers\afd.sys

18:16:50.0279 6080 AFD - ok

18:16:50.0593 6080 agp440 (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys

18:16:50.0602 6080 agp440 - ok

18:16:50.0943 6080 aic78xx (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys

18:16:50.0953 6080 aic78xx - ok

18:16:51.0337 6080 aliide (9544c2c55541c0c6bfd7b489d0e7d430) C:\Windows\system32\drivers\aliide.sys

18:16:51.0347 6080 aliide - ok

18:16:51.0423 6080 amdide (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys

18:16:51.0432 6080 amdide - ok

18:16:51.0564 6080 AmdK8 (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys

18:16:51.0590 6080 AmdK8 - ok

18:16:51.0918 6080 arc (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys

18:16:51.0927 6080 arc - ok

18:16:52.0114 6080 arcsas (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys

18:16:52.0123 6080 arcsas - ok

18:16:52.0441 6080 ASPI32 - ok

18:16:52.0736 6080 AsyncMac (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys

18:16:52.0762 6080 AsyncMac - ok

18:16:53.0053 6080 atapi (e68d9b3a3905619732f7fe039466a623) C:\Windows\system32\drivers\atapi.sys

18:16:53.0066 6080 atapi - ok

18:16:53.0348 6080 blbdrive (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys

18:16:53.0391 6080 blbdrive - ok

18:16:53.0546 6080 bowser (2348447a80920b2493a9b582a23e81e1) C:\Windows\system32\DRIVERS\bowser.sys

18:16:53.0562 6080 bowser - ok

18:16:53.0800 6080 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys

18:16:53.0821 6080 BrFiltLo - ok

18:16:53.0951 6080 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys

18:16:53.0978 6080 BrFiltUp - ok

18:16:54.0146 6080 Brserid (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\drivers\brserid.sys

18:16:54.0205 6080 Brserid - ok

18:16:54.0317 6080 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys

18:16:54.0357 6080 BrSerWdm - ok

18:16:54.0481 6080 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys

18:16:54.0521 6080 BrUsbMdm - ok

18:16:54.0744 6080 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\drivers\brusbser.sys

18:16:54.0789 6080 BrUsbSer - ok

18:16:55.0022 6080 BTHMODEM (e0777b34e05f8a82a21856efc900c29f) C:\Windows\system32\drivers\bthmodem.sys

18:16:55.0114 6080 BTHMODEM - ok

18:16:55.0324 6080 cdfs (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys

18:16:55.0370 6080 cdfs - ok

18:16:55.0605 6080 cdrom (c025aa69be3d0d25c7a2e746ef6f94fc) C:\Windows\system32\DRIVERS\cdrom.sys

18:16:55.0635 6080 cdrom - ok

18:16:56.0025 6080 cfwids (75f91554e5fa6e962b880405fecc97a1) C:\Windows\system32\drivers\cfwids.sys

18:16:56.0051 6080 cfwids - ok

18:16:56.0200 6080 circlass (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\drivers\circlass.sys

18:16:56.0230 6080 circlass - ok

18:16:56.0461 6080 CLFS (3dca9a18b204939cfb24bea53e31eb48) C:\Windows\system32\CLFS.sys

18:16:56.0537 6080 CLFS - ok

18:16:56.0885 6080 cmdide (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys

18:16:56.0900 6080 cmdide - ok

18:16:57.0348 6080 Compbatt (7fb8ad01db0eabe60c8a861531a8f431) C:\Windows\system32\drivers\compbatt.sys

18:16:57.0367 6080 Compbatt - ok

18:16:57.0619 6080 crcdisk (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys

18:16:57.0631 6080 crcdisk - ok

18:16:58.0014 6080 DfsC (8b722ba35205c71e7951cdc4cdbade19) C:\Windows\system32\Drivers\dfsc.sys

18:16:58.0076 6080 DfsC - ok

18:16:58.0309 6080 disk (b0107e40ecdb5fa692ebf832f295d905) C:\Windows\system32\drivers\disk.sys

18:16:58.0330 6080 disk - ok

18:16:58.0790 6080 drmkaud (f1a78a98cfc2ee02144c6bec945447e6) C:\Windows\system32\drivers\drmkaud.sys

18:16:58.0813 6080 drmkaud - ok

18:16:59.0027 6080 DXGKrnl (b8e554e502d5123bc111f99d6a2181b4) C:\Windows\System32\drivers\dxgkrnl.sys

18:16:59.0258 6080 DXGKrnl - ok

18:16:59.0910 6080 e1express (17d40652ef3e55eeae187a89df40965a) C:\Windows\system32\DRIVERS\e1e6032e.sys

18:16:59.0943 6080 e1express - ok

18:17:00.0621 6080 E1G60 (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys

18:17:00.0654 6080 E1G60 - ok

18:17:01.0129 6080 Ecache (5f94962be5a62db6e447ff6470c4f48a) C:\Windows\system32\drivers\ecache.sys

18:17:01.0206 6080 Ecache - ok

18:17:01.0655 6080 elxstor (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys

18:17:01.0890 6080 elxstor - ok

18:17:02.0304 6080 ErrDev (bc3a58e938bb277e46bf4b3003b01abd) C:\Windows\system32\drivers\errdev.sys

18:17:02.0334 6080 ErrDev - ok

18:17:02.0703 6080 exfat (486844f47b6636044a42454614ed4523) C:\Windows\system32\drivers\exfat.sys

18:17:02.0749 6080 exfat - ok

18:17:03.0152 6080 fastfat (1a4bee34277784619ddaf0422c0c6e23) C:\Windows\system32\drivers\fastfat.sys

18:17:03.0217 6080 fastfat - ok

18:17:03.0584 6080 fdc (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys

18:17:03.0613 6080 fdc - ok

18:17:03.0874 6080 FileInfo (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys

18:17:03.0888 6080 FileInfo - ok

18:17:04.0127 6080 Filetrace (d421327fd6efccaf884a54c58e1b0d7f) C:\Windows\system32\drivers\filetrace.sys

18:17:04.0156 6080 Filetrace - ok

18:17:04.0497 6080 flpydisk (230923ea2b80f79b0f88d90f87b87ebd) C:\Windows\system32\DRIVERS\flpydisk.sys

18:17:04.0530 6080 flpydisk - ok

18:17:04.0724 6080 FltMgr (e3041bc26d6930d61f42aedb79c91720) C:\Windows\system32\drivers\fltmgr.sys

18:17:04.0789 6080 FltMgr - ok

18:17:05.0315 6080 fssfltr (6c06701bf1db05405804d7eb610991ce) C:\Windows\system32\DRIVERS\fssfltr.sys

18:17:05.0358 6080 fssfltr - ok

18:17:05.0787 6080 Fs_Rec (29d99e860a1ca0a03c6a733fdd0da703) C:\Windows\system32\drivers\Fs_Rec.sys

18:17:05.0809 6080 Fs_Rec - ok

18:17:06.0066 6080 gagp30kx (c8e416668d3dc2be3d4fe4c79224997f) C:\Windows\system32\drivers\gagp30kx.sys

18:17:06.0081 6080 gagp30kx - ok

18:17:06.0237 6080 GetSusp (2b455b3c001c047a90cb886e5e8dc900) C:\Windows\GetSusp.sys

18:17:06.0246 6080 GetSusp - ok

18:17:06.0471 6080 HDAudBus (f942c5820205f2fb453243edfec82a3d) C:\Windows\system32\DRIVERS\HDAudBus.sys

18:17:06.0657 6080 HDAudBus - ok

18:17:06.0943 6080 HidBth (b4881c84a180e75b8c25dc1d726c375f) C:\Windows\system32\drivers\hidbth.sys

18:17:06.0997 6080 HidBth - ok

18:17:07.0121 6080 HidIr (4e77a77e2c986e8f88f996bb3e1ad829) C:\Windows\system32\drivers\hidir.sys

18:17:07.0161 6080 HidIr - ok

18:17:07.0339 6080 HidUsb (443bdd2d30bb4f00795c797e2cf99edf) C:\Windows\system32\DRIVERS\hidusb.sys

18:17:07.0363 6080 HidUsb - ok

18:17:07.0646 6080 HpCISSs (d7109a1e6bd2dfdbcba72a6bc626a13b) C:\Windows\system32\drivers\hpcisss.sys

18:17:07.0659 6080 HpCISSs - ok

18:17:08.0321 6080 HTTP (098f1e4e5c9cb5b0063a959063631610) C:\Windows\system32\drivers\HTTP.sys

18:17:08.0552 6080 HTTP - ok

18:17:08.0968 6080 i2omp (da94c854cea5fac549d4e1f6e88349e8) C:\Windows\system32\drivers\i2omp.sys

18:17:08.0979 6080 i2omp - ok

18:17:09.0159 6080 i8042prt (cbb597659a2713ce0c9cc20c88c7591f) C:\Windows\system32\DRIVERS\i8042prt.sys

18:17:09.0184 6080 i8042prt - ok

18:17:09.0494 6080 iaStorV (3e3bf3627d886736d0b4e90054f929f6) C:\Windows\system32\drivers\iastorv.sys

18:17:09.0672 6080 iaStorV - ok

18:17:09.0990 6080 iirsp (8c3951ad2fe886ef76c7b5027c3125d3) C:\Windows\system32\drivers\iirsp.sys

18:17:10.0004 6080 iirsp - ok

18:17:10.0164 6080 IntcAzAudAddService (baa12aeced01041ffe309048cfdd573a) C:\Windows\system32\drivers\RTKVHD64.sys

18:17:10.0525 6080 IntcAzAudAddService - ok

18:17:10.0922 6080 intelide (df797a12176f11b2d301c5b234bb200e) C:\Windows\system32\drivers\intelide.sys

18:17:10.0932 6080 intelide - ok

18:17:11.0144 6080 intelppm (bfd84af32fa1bad6231c4585cb469630) C:\Windows\system32\DRIVERS\intelppm.sys

18:17:11.0174 6080 intelppm - ok

18:17:11.0511 6080 IpFilterDriver (d8aabc341311e4780d6fce8c73c0ad81) C:\Windows\system32\DRIVERS\ipfltdrv.sys

18:17:11.0534 6080 IpFilterDriver - ok

18:17:11.0776 6080 IpInIp - ok

18:17:12.0165 6080 IPMIDRV (9c2ee2e6e5a7203bfae15c299475ec67) C:\Windows\system32\drivers\ipmidrv.sys

18:17:12.0248 6080 IPMIDRV - ok

18:17:13.0592 6080 IPNAT (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys

18:17:13.0625 6080 IPNAT - ok

18:17:14.0160 6080 IRENUM (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys

18:17:14.0193 6080 IRENUM - ok

18:17:14.0195 6080 is3srv - ok

18:17:14.0574 6080 isapnp (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys

18:17:14.0586 6080 isapnp - ok

18:17:15.0155 6080 iScsiPrt (e4fdf99599f27ec25d2cf6d754243520) C:\Windows\system32\DRIVERS\msiscsi.sys

18:17:15.0193 6080 iScsiPrt - ok

18:17:15.0498 6080 iteatapi (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys

18:17:15.0509 6080 iteatapi - ok

18:17:15.0816 6080 iteraid (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys

18:17:15.0843 6080 iteraid - ok

18:17:16.0116 6080 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys

18:17:16.0129 6080 kbdclass - ok

18:17:16.0397 6080 kbdhid (dbdf75d51464fbc47d0104ec3d572c05) C:\Windows\system32\DRIVERS\kbdhid.sys

18:17:16.0419 6080 kbdhid - ok

18:17:16.0849 6080 KSecDD (476e2c1dcea45895994bef11c2a98715) C:\Windows\system32\Drivers\ksecdd.sys

18:17:17.0258 6080 KSecDD - ok

18:17:17.0821 6080 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys

18:17:17.0865 6080 ksthunk - ok

18:17:18.0279 6080 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys

18:17:18.0309 6080 lltdio - ok

18:17:18.0822 6080 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys

18:17:18.0890 6080 LSI_FC - ok

18:17:19.0454 6080 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys

18:17:19.0467 6080 LSI_SAS - ok

18:17:20.0095 6080 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys

18:17:20.0114 6080 LSI_SCSI - ok

18:17:20.0466 6080 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys

18:17:20.0504 6080 luafv - ok

18:17:21.0016 6080 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys

18:17:21.0042 6080 megasas - ok

18:17:21.0257 6080 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys

18:17:21.0317 6080 MegaSR - ok

18:17:21.0834 6080 mfeapfk (eac376dd77ec9e95d38108a27c261dca) C:\Windows\system32\drivers\mfeapfk.sys

18:17:21.0859 6080 mfeapfk - ok

18:17:22.0575 6080 mfeavfk (f55f50b11d635658f346db0457bb2b79) C:\Windows\system32\drivers\mfeavfk.sys

18:17:22.0589 6080 mfeavfk - ok

18:17:23.0015 6080 mfeavfk01 - ok

18:17:23.0391 6080 mfefirek (33b8e35c5839a83d6700aab3e464553b) C:\Windows\system32\drivers\mfefirek.sys

18:17:23.0419 6080 mfefirek - ok

18:17:23.0750 6080 mfehidk (ada8c105c8f9a61284c75157c170585b) C:\Windows\system32\drivers\mfehidk.sys

18:17:23.0814 6080 mfehidk - ok

18:17:24.0101 6080 mfenlfk (c52ee6d1e1e5a69c989acc478051964e) C:\Windows\system32\DRIVERS\mfenlfk.sys

18:17:24.0110 6080 mfenlfk - ok

18:17:24.0457 6080 mferkdet (b000720e19ef733f938a6269d630f5dd) C:\Windows\system32\drivers\mferkdet.sys

18:17:24.0465 6080 mferkdet - ok

18:17:25.0152 6080 mfewfpk (62717ab68b38efee54678b85e19b0538) C:\Windows\system32\drivers\mfewfpk.sys

18:17:25.0162 6080 mfewfpk - ok

18:17:25.0497 6080 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys

18:17:25.0524 6080 Modem - ok

18:17:25.0658 6080 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys

18:17:25.0684 6080 monitor - ok

18:17:25.0806 6080 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys

18:17:25.0815 6080 mouclass - ok

18:17:26.0023 6080 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys

18:17:26.0048 6080 mouhid - ok

18:17:26.0132 6080 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys

18:17:26.0147 6080 MountMgr - ok

18:17:26.0394 6080 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys

18:17:26.0419 6080 mpio - ok

18:17:26.0686 6080 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys

18:17:26.0707 6080 mpsdrv - ok

18:17:27.0301 6080 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys

18:17:27.0313 6080 Mraid35x - ok

18:17:27.0620 6080 MRxDAV (7c1de4aa96dc0c071611f9e7de02a68d) C:\Windows\system32\drivers\mrxdav.sys

18:17:27.0634 6080 MRxDAV - ok

18:17:27.0978 6080 mrxsmb (1485811b320ff8c7edad1caebb1c6c2b) C:\Windows\system32\DRIVERS\mrxsmb.sys

18:17:28.0004 6080 mrxsmb - ok

18:17:28.0375 6080 mrxsmb10 (3b929a60c833fc615fd97fba82bc7632) C:\Windows\system32\DRIVERS\mrxsmb10.sys

18:17:28.0395 6080 mrxsmb10 - ok

18:17:28.0567 6080 mrxsmb20 (c64ab3e1f53b4f5b5bb6d796b2d7bec3) C:\Windows\system32\DRIVERS\mrxsmb20.sys

18:17:28.0579 6080 mrxsmb20 - ok

18:17:28.0916 6080 msahci (730b784962d22d2c6481eae2370e7c8c) C:\Windows\system32\drivers\msahci.sys

18:17:28.0931 6080 msahci - ok

18:17:29.0085 6080 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys

18:17:29.0115 6080 msdsm - ok

18:17:29.0296 6080 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys

18:17:29.0326 6080 Msfs - ok

18:17:29.0678 6080 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys

18:17:29.0691 6080 msisadrv - ok

18:17:30.0022 6080 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys

18:17:30.0048 6080 MSKSSRV - ok

18:17:30.0444 6080 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys

18:17:30.0470 6080 MSPCLOCK - ok

18:17:30.0946 6080 MSPQM (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys

18:17:30.0971 6080 MSPQM - ok

18:17:31.0068 6080 MsRPC (dc6ccf440cdede4293db41c37a5060a5) C:\Windows\system32\drivers\MsRPC.sys

18:17:31.0099 6080 MsRPC - ok

18:17:31.0179 6080 mssmbios (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys

18:17:31.0187 6080 mssmbios - ok

18:17:31.0362 6080 MSTEE (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys

18:17:31.0390 6080 MSTEE - ok

18:17:31.0459 6080 Mup (0cc49f78d8aca0877d885f149084e543) C:\Windows\system32\Drivers\mup.sys

18:17:31.0469 6080 Mup - ok

18:17:31.0580 6080 NativeWifiP (2007b826c4acd94ae32232b41f0842b9) C:\Windows\system32\DRIVERS\nwifi.sys

18:17:31.0593 6080 NativeWifiP - ok

18:17:32.0059 6080 NDIS (65950e07329fcee8e6516b17c8d0abb6) C:\Windows\system32\drivers\ndis.sys

18:17:32.0121 6080 NDIS - ok

18:17:32.0262 6080 NdisTapi (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys

18:17:32.0282 6080 NdisTapi - ok

18:17:32.0616 6080 Ndisuio (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys

18:17:32.0641 6080 Ndisuio - ok

18:17:32.0965 6080 NdisWan (f8158771905260982ce724076419ef19) C:\Windows\system32\DRIVERS\ndiswan.sys

18:17:32.0986 6080 NdisWan - ok

18:17:33.0100 6080 NDProxy (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys

18:17:33.0121 6080 NDProxy - ok

18:17:33.0311 6080 NetBIOS (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys

18:17:33.0338 6080 NetBIOS - ok

18:17:33.0568 6080 netbt (fc2c792ebddc8e28df939d6a92c83d61) C:\Windows\system32\DRIVERS\netbt.sys

18:17:33.0591 6080 netbt - ok

18:17:33.0860 6080 nfrd960 (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys

18:17:33.0872 6080 nfrd960 - ok

18:17:34.0264 6080 Npfs (b298874f8e0ea93f06ec40aa8d146478) C:\Windows\system32\drivers\Npfs.sys

18:17:34.0283 6080 Npfs - ok

18:17:34.0525 6080 nsiproxy (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys

18:17:34.0551 6080 nsiproxy - ok

18:17:35.0078 6080 Ntfs (bac869dfb98e499ba4d9bb1fb43270e1) C:\Windows\system32\drivers\Ntfs.sys

18:17:36.0155 6080 Ntfs - ok

18:17:36.0643 6080 Null (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys

18:17:36.0668 6080 Null - ok

18:17:37.0102 6080 NVENETFD (211d111d01d4b74015d4e58e84588f86) C:\Windows\system32\DRIVERS\nvmfdx64.sys

18:17:37.0830 6080 NVENETFD - ok

18:17:39.0543 6080 nvlddmkm (e55cab397f77d5208db18a78b1b7c0d5) C:\Windows\system32\DRIVERS\nvlddmkm.sys

18:17:42.0020 6080 nvlddmkm - ok

18:17:42.0408 6080 nvraid (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys

18:17:42.0429 6080 nvraid - ok

18:17:42.0747 6080 nvrd64 (a4b9af8d1793f67ce894bf051342110f) C:\Windows\system32\drivers\nvrd64.sys

18:17:42.0755 6080 nvrd64 - ok

18:17:43.0105 6080 nvstor (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys

18:17:43.0117 6080 nvstor - ok

18:17:43.0667 6080 nvstor64 (7919ee9458b6d84517bc5a598d795931) C:\Windows\system32\drivers\nvstor64.sys

18:17:43.0675 6080 nvstor64 - ok

18:17:43.0903 6080 nv_agp (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys

18:17:43.0912 6080 nv_agp - ok

18:17:44.0408 6080 NwlnkFlt - ok

18:17:44.0971 6080 NwlnkFwd - ok

18:17:45.0481 6080 ohci1394 (b5b1ce65ac15bbd11c0619e3ef7cfc28) C:\Windows\system32\DRIVERS\ohci1394.sys

18:17:45.0501 6080 ohci1394 - ok

18:17:45.0717 6080 Parport (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys

18:17:45.0781 6080 Parport - ok

18:17:45.0928 6080 partmgr (f9b5eda4c17a2be7663f064dbf0fe254) C:\Windows\system32\drivers\partmgr.sys

18:17:45.0938 6080 partmgr - ok

18:17:46.0055 6080 pci (47ab1e0fc9d0e12bb53ba246e3a0906d) C:\Windows\system32\drivers\pci.sys

18:17:46.0067 6080 pci - ok

18:17:46.0126 6080 pciide (2657f6c0b78c36d95034be109336e382) C:\Windows\system32\drivers\pciide.sys

18:17:46.0139 6080 pciide - ok

18:17:46.0304 6080 pcmcia (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys

18:17:46.0321 6080 pcmcia - ok

18:17:46.0512 6080 PEAUTH (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys

18:17:46.0646 6080 PEAUTH - ok

18:17:47.0007 6080 PptpMiniport (23386e9952025f5f21c368971e2e7301) C:\Windows\system32\DRIVERS\raspptp.sys

18:17:47.0026 6080 PptpMiniport - ok

18:17:47.0138 6080 Processor (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\drivers\processr.sys

18:17:47.0170 6080 Processor - ok

18:17:47.0402 6080 PSched (c5ab7f0809392d0da027f4a2a81bfa31) C:\Windows\system32\DRIVERS\pacer.sys

18:17:47.0423 6080 PSched - ok

18:17:47.0696 6080 PxHlpa64 (46851bc18322da70f3f2299a1007c479) C:\Windows\system32\Drivers\PxHlpa64.sys

18:17:47.0708 6080 PxHlpa64 - ok

18:17:48.0060 6080 ql2300 (0b83f4e681062f3839be2ec1d98fd94a) C:\Windows\system32\drivers\ql2300.sys

18:17:48.0438 6080 ql2300 - ok

18:17:48.0581 6080 ql40xx (e1c80f8d4d1e39ef9595809c1369bf2a) C:\Windows\system32\drivers\ql40xx.sys

18:17:48.0649 6080 ql40xx - ok

18:17:48.0800 6080 QWAVEdrv (e8d76edab77ec9c634c27b8eac33adc5) C:\Windows\system32\drivers\qwavedrv.sys

18:17:48.0812 6080 QWAVEdrv - ok

18:17:49.0380 6080 R300 (2a09a6b271d1f50adf5e33b37d460de6) C:\Windows\system32\DRIVERS\atikmdag.sys

18:17:49.0615 6080 R300 - ok

18:17:49.0869 6080 RasAcd (1013b3b663a56d3ddd784f581c1bd005) C:\Windows\system32\DRIVERS\rasacd.sys

18:17:49.0900 6080 RasAcd - ok

18:17:50.0786 6080 Rasl2tp (ac7bc4d42a7e558718dfdec599bbfc2c) C:\Windows\system32\DRIVERS\rasl2tp.sys

18:17:50.0808 6080 Rasl2tp - ok

18:17:51.0548 6080 RasPppoe (4517fbf8b42524afe4ede1de102aae3e) C:\Windows\system32\DRIVERS\raspppoe.sys

18:17:51.0570 6080 RasPppoe - ok

18:17:51.0990 6080 RasSstp (c6a593b51f34c33e5474539544072527) C:\Windows\system32\DRIVERS\rassstp.sys

18:17:52.0018 6080 RasSstp - ok

18:17:52.0364 6080 rdbss (322db5c6b55e8d8ee8d6f358b2aaabb1) C:\Windows\system32\DRIVERS\rdbss.sys

18:17:52.0386 6080 rdbss - ok

18:17:52.0410 6080 RDPCDD (603900cc05f6be65ccbf373800af3716) C:\Windows\system32\DRIVERS\RDPCDD.sys

18:17:52.0436 6080 RDPCDD - ok

18:17:52.0593 6080 rdpdr (c045d1fb111c28df0d1be8d4bda22c06) C:\Windows\system32\drivers\rdpdr.sys

18:17:52.0634 6080 rdpdr - ok

18:17:52.0665 6080 RDPENCDD (cab9421daf3d97b33d0d055858e2c3ab) C:\Windows\system32\drivers\rdpencdd.sys

18:17:52.0692 6080 RDPENCDD - ok

18:17:52.0800 6080 RDPWD (b1d741c87cea8d7282146366cc9c3f81) C:\Windows\system32\drivers\RDPWD.sys

18:17:52.0821 6080 RDPWD - ok

18:17:52.0917 6080 rspndr (22a9cb08b1a6707c1550c6bf099aae73) C:\Windows\system32\DRIVERS\rspndr.sys

18:17:52.0942 6080 rspndr - ok

18:17:53.0013 6080 sbp2port (cd9c693589c60ad59bbbcfb0e524e01b) C:\Windows\system32\drivers\sbp2port.sys

18:17:53.0064 6080 sbp2port - ok

18:17:53.0162 6080 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys

18:17:53.0200 6080 secdrv - ok

18:17:53.0277 6080 Serenum (f71bfe7ac6c52273b7c82cbf1bb2a222) C:\Windows\system32\drivers\serenum.sys

18:17:53.0316 6080 Serenum - ok

18:17:53.0401 6080 Serial (e62fac91ee288db29a9696a9d279929c) C:\Windows\system32\drivers\serial.sys

18:17:53.0452 6080 Serial - ok

18:17:53.0492 6080 sermouse (a842f04833684bceea7336211be478df) C:\Windows\system32\drivers\sermouse.sys

18:17:53.0530 6080 sermouse - ok

18:17:53.0610 6080 sffdisk (14d4b4465193a87c127933978e8c4106) C:\Windows\system32\drivers\sffdisk.sys

18:17:53.0639 6080 sffdisk - ok

18:17:53.0704 6080 sffp_mmc (7073aee3f82f3d598e3825962aa98ab2) C:\Windows\system32\drivers\sffp_mmc.sys

18:17:53.0730 6080 sffp_mmc - ok

18:17:53.0761 6080 sffp_sd (35e59ebe4a01a0532ed67975161c7b82) C:\Windows\system32\drivers\sffp_sd.sys

18:17:53.0815 6080 sffp_sd - ok

18:17:53.0895 6080 sfloppy (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys

18:17:53.0937 6080 sfloppy - ok

18:17:54.0003 6080 SiSRaid2 (7a5de502aeb719d4594c6471060a78b3) C:\Windows\system32\drivers\sisraid2.sys

18:17:54.0034 6080 SiSRaid2 - ok

18:17:54.0069 6080 SiSRaid4 (3a2f769fab9582bc720e11ea1dfb184d) C:\Windows\system32\drivers\sisraid4.sys

18:17:54.0081 6080 SiSRaid4 - ok

18:17:54.0209 6080 Smb (290b6f6a0ec4fcdfc90f5cb6d7020473) C:\Windows\system32\DRIVERS\smb.sys

18:17:54.0228 6080 Smb - ok

18:17:54.0323 6080 spldr (386c3c63f00a7040c7ec5e384217e89d) C:\Windows\system32\drivers\spldr.sys

18:17:54.0335 6080 spldr - ok

18:17:54.0472 6080 srv (880a57fccb571ebd063d4dd50e93e46d) C:\Windows\system32\DRIVERS\srv.sys

18:17:54.0544 6080 srv - ok

18:17:54.0618 6080 srv2 (a1ad14a6d7a37891fffeca35ebbb0730) C:\Windows\system32\DRIVERS\srv2.sys

18:17:54.0658 6080 srv2 - ok

18:17:54.0754 6080 srvnet (4bed62f4fa4d8300973f1151f4c4d8a7) C:\Windows\system32\DRIVERS\srvnet.sys

18:17:54.0766 6080 srvnet - ok

18:17:54.0936 6080 swenum (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys

18:17:54.0945 6080 swenum - ok

18:17:55.0000 6080 Symc8xx (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys

18:17:55.0040 6080 Symc8xx - ok

18:17:55.0078 6080 Sym_hi (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys

18:17:55.0088 6080 Sym_hi - ok

18:17:55.0133 6080 Sym_u3 (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys

18:17:55.0150 6080 Sym_u3 - ok

18:17:55.0154 6080 szkg5 - ok

18:17:55.0388 6080 Tcpip (2cc45d932bd193cd4117321d469ad6b2) C:\Windows\system32\drivers\tcpip.sys

18:17:55.0451 6080 Tcpip - ok

18:17:55.0755 6080 Tcpip6 (2cc45d932bd193cd4117321d469ad6b2) C:\Windows\system32\DRIVERS\tcpip.sys

18:17:55.0961 6080 Tcpip6 - ok

18:17:56.0082 6080 tcpipreg (c7e72a4071ee0200e3c075dacfb2b334) C:\Windows\system32\drivers\tcpipreg.sys

18:17:56.0115 6080 tcpipreg - ok

18:17:56.0206 6080 TDPIPE (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys

18:17:56.0234 6080 TDPIPE - ok

18:17:56.0264 6080 TDTCP (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys

18:17:56.0291 6080 TDTCP - ok

18:17:56.0381 6080 tdx (458919c8c42e398dc4802178d5ffee27) C:\Windows\system32\DRIVERS\tdx.sys

18:17:56.0403 6080 tdx - ok

18:17:56.0524 6080 TermDD (8c19678d22649ec002ef2282eae92f98) C:\Windows\system32\DRIVERS\termdd.sys

18:17:56.0534 6080 TermDD - ok

18:17:56.0556 6080 tssecsrv (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys

18:17:56.0582 6080 tssecsrv - ok

18:17:56.0668 6080 tunmp (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys

18:17:56.0697 6080 tunmp - ok

18:17:56.0758 6080 tunnel (30a9b3f45ad081bffc3bcaa9c812b609) C:\Windows\system32\DRIVERS\tunnel.sys

18:17:56.0769 6080 tunnel - ok

18:17:56.0899 6080 uagp35 (fec266ef401966311744bd0f359f7f56) C:\Windows\system32\drivers\uagp35.sys

18:17:56.0908 6080 uagp35 - ok

18:17:56.0986 6080 udfs (faf2640a2a76ed03d449e443194c4c34) C:\Windows\system32\DRIVERS\udfs.sys

18:17:57.0013 6080 udfs - ok

18:17:57.0147 6080 uliagpkx (4ec9447ac3ab462647f60e547208ca00) C:\Windows\system32\drivers\uliagpkx.sys

18:17:57.0156 6080 uliagpkx - ok

18:17:57.0200 6080 uliahci (697f0446134cdc8f99e69306184fbbb4) C:\Windows\system32\drivers\uliahci.sys

18:17:57.0239 6080 uliahci - ok

18:17:57.0296 6080 UlSata (31707f09846056651ea2c37858f5ddb0) C:\Windows\system32\drivers\ulsata.sys

18:17:57.0307 6080 UlSata - ok

18:17:57.0326 6080 ulsata2 (85e5e43ed5b48c8376281bab519271b7) C:\Windows\system32\drivers\ulsata2.sys

18:17:57.0339 6080 ulsata2 - ok

18:17:57.0363 6080 umbus (46e9a994c4fed537dd951f60b86ad3f4) C:\Windows\system32\DRIVERS\umbus.sys

18:17:57.0390 6080 umbus - ok

18:17:57.0610 6080 usbccgp (07e3498fc60834219d2356293da0fecc) C:\Windows\system32\DRIVERS\usbccgp.sys

18:17:57.0630 6080 usbccgp - ok

18:17:57.0757 6080 usbcir (9247f7e0b65852c1f6631480984d6ed2) C:\Windows\system32\drivers\usbcir.sys

18:17:57.0814 6080 usbcir - ok

18:17:57.0946 6080 usbehci (827e44de934a736ea31e91d353eb126f) C:\Windows\system32\DRIVERS\usbehci.sys

18:17:57.0966 6080 usbehci - ok

18:17:58.0025 6080 usbhub (bb35cd80a2ececfadc73569b3d70c7d1) C:\Windows\system32\DRIVERS\usbhub.sys

18:17:58.0047 6080 usbhub - ok

18:17:58.0069 6080 usbohci (e406b003a354776d317762694956b0fc) C:\Windows\system32\DRIVERS\usbohci.sys

18:17:58.0089 6080 usbohci - ok

18:17:58.0189 6080 usbprint (28b693b6d31e7b9332c1bdcefef228c1) C:\Windows\system32\DRIVERS\usbprint.sys

18:17:58.0220 6080 usbprint - ok

18:17:58.0383 6080 USBSTOR (b854c1558fca0c269a38663e8b59b581) C:\Windows\system32\DRIVERS\USBSTOR.SYS

18:17:58.0404 6080 USBSTOR - ok

18:17:58.0485 6080 usbuhci (b2872cbf9f47316abd0e0c74a1aba507) C:\Windows\system32\DRIVERS\usbuhci.sys

18:17:58.0506 6080 usbuhci - ok

18:17:58.0565 6080 vga (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys

18:17:58.0591 6080 vga - ok

18:17:58.0606 6080 VgaSave (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys

18:17:58.0632 6080 VgaSave - ok

18:17:58.0857 6080 viaide (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys

18:17:58.0867 6080 viaide - ok

18:17:58.0986 6080 volmgr (2b7e885ed951519a12c450d24535dfca) C:\Windows\system32\drivers\volmgr.sys

18:17:58.0997 6080 volmgr - ok

18:17:59.0448 6080 volmgrx (cec5ac15277d75d9e5dec2e1c6eaf877) C:\Windows\system32\drivers\volmgrx.sys

18:17:59.0507 6080 volmgrx - ok

18:17:59.0605 6080 volsnap (5280aada24ab36b01a84a6424c475c8d) C:\Windows\system32\drivers\volsnap.sys

18:17:59.0632 6080 volsnap - ok

18:17:59.0719 6080 vsmraid (a68f455ed2673835209318dd61bfbb0e) C:\Windows\system32\drivers\vsmraid.sys

18:17:59.0733 6080 vsmraid - ok

18:17:59.0785 6080 WacomPen (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys

18:17:59.0825 6080 WacomPen - ok

18:17:59.0922 6080 Wanarp (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys

18:17:59.0963 6080 Wanarp - ok

18:18:00.0021 6080 Wanarpv6 (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys

18:18:00.0041 6080 Wanarpv6 - ok

18:18:00.0102 6080 Wd (0c17a0816f65b89e362e682ad5e7266e) C:\Windows\system32\drivers\wd.sys

18:18:00.0112 6080 Wd - ok

18:18:00.0154 6080 Wdf01000 (d02e7e4567da1e7582fbf6a91144b0df) C:\Windows\system32\drivers\Wdf01000.sys

18:18:00.0204 6080 Wdf01000 - ok

18:18:00.0273 6080 WmiAcpi (e18aebaaa5a773fe11aa2c70f65320f5) C:\Windows\system32\drivers\wmiacpi.sys

18:18:00.0292 6080 WmiAcpi - ok

18:18:00.0373 6080 WpdUsb (5e2401b3fc1089c90e081291357371a9) C:\Windows\system32\DRIVERS\wpdusb.sys

18:18:00.0384 6080 WpdUsb - ok

18:18:00.0420 6080 ws2ifsl (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys

18:18:00.0447 6080 ws2ifsl - ok

18:18:00.0576 6080 WUDFRd (501a65252617b495c0f1832f908d54d8) C:\Windows\system32\DRIVERS\WUDFRd.sys

18:18:00.0603 6080 WUDFRd - ok

18:18:00.0667 6080 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0

18:18:01.0035 6080 \Device\Harddisk0\DR0 - ok

18:18:01.0050 6080 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk1\DR1

18:18:01.0645 6080 \Device\Harddisk1\DR1 - ok

18:18:01.0684 6080 Boot (0x1200) (12613448714e6edf5b192732cc1e7128) \Device\Harddisk0\DR0\Partition0

18:18:01.0688 6080 \Device\Harddisk0\DR0\Partition0 - ok

18:18:01.0721 6080 Boot (0x1200) (3bd5ea4fdc5f5dc87e198c68aa86e9eb) \Device\Harddisk0\DR0\Partition1

18:18:01.0815 6080 \Device\Harddisk0\DR0\Partition1 - ok

18:18:01.0838 6080 Boot (0x1200) (2431d61a58d383c0a494a12f3731c08f) \Device\Harddisk1\DR1\Partition0

18:18:01.0838 6080 \Device\Harddisk1\DR1\Partition0 - ok

18:18:01.0840 6080 Boot (0x1200) (f7bc4b3891d36c7b4509de5c17b41db3) \Device\Harddisk1\DR1\Partition1

18:18:01.0840 6080 \Device\Harddisk1\DR1\Partition1 - ok

18:18:01.0841 6080 ============================================================

18:18:01.0841 6080 Scan finished

18:18:01.0841 6080 ============================================================

18:18:01.0847 5992 Detected object count: 0

18:18:01.0847 5992 Actual detected object count: 0

Now for the ComboFix log:

ComboFix 11-11-14.02 - Vorlock 11/14/2011 18:41:35.1.2 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4093.2595 [GMT -5:00]

Running from: c:\users\Vorlock\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

.

ADS - Windows: deleted 24 bytes in 1 streams.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Vorlock\GoToAssistDownloadHelper.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-10-15 to 2011-11-15 )))))))))))))))))))))))))))))))

.

.

2011-11-15 00:16 . 2011-11-15 00:16 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-11-12 14:36 . 2011-11-12 14:36 -------- d-----w- c:\users\Vorlock\AppData\Local\Adobe

2011-11-12 01:51 . 2011-11-12 01:51 525544 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-12 01:51 . 2011-11-12 01:51 -------- d-----w- c:\program files\Java

2011-11-12 01:47 . 2011-11-12 01:47 -------- d-----w- c:\program files (x86)\Common Files\Java

2011-11-12 01:45 . 2011-11-12 01:45 -------- d-----w- c:\program files (x86)\Java

2011-11-12 00:36 . 2011-11-12 00:36 -------- d-----w- C:\!KillBox

2011-11-12 00:02 . 2011-11-12 00:02 16200 ----a-w- c:\windows\GetSusp.sys

2011-11-11 21:59 . 2011-11-11 21:59 -------- d-----w- c:\programdata\Kaspersky Lab

2011-11-11 04:47 . 2011-11-11 04:47 -------- d-----w- c:\program files\CCleaner

2011-11-09 12:18 . 2011-09-20 21:06 1426304 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-09 12:18 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2011-11-09 12:18 . 2011-10-17 11:41 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat

2011-11-09 12:17 . 2011-09-30 16:16 893440 ----a-w- c:\program files\Common Files\System\wab32.dll

2011-11-09 12:17 . 2011-09-30 16:16 50688 ----a-w- c:\program files\Windows Mail\wabimp.dll

2011-11-09 12:17 . 2011-09-30 15:57 707584 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll

2011-11-08 01:29 . 2011-11-08 03:23 -------- d-----w- C:\More Stuff

2011-10-27 23:09 . 2011-10-29 16:04 -------- d-----w- c:\program files (x86)\LitexMedia

2011-10-27 22:49 . 2011-10-28 15:56 -------- d-----w- c:\users\Vorlock\AppData\Roaming\WinFF

2011-10-27 22:49 . 2011-10-27 22:49 -------- d-----w- c:\program files (x86)\WinFF

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-12 01:45 . 2010-05-18 02:13 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2011-11-10 21:09 . 2009-03-29 21:54 467744 ----a-w- c:\programdata\Microsoft\VWDExpress\9.0\1033\ResourceCache.dll

2011-10-20 11:11 . 2011-05-19 11:35 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-09-06 13:56 . 2011-10-12 02:56 2764288 ----a-w- c:\windows\system32\win32k.sys

2011-09-01 05:24 . 2011-10-12 11:14 2309120 ----a-w- c:\windows\system32\jscript9.dll

2011-09-01 05:17 . 2011-10-12 11:14 1389056 ----a-w- c:\windows\system32\wininet.dll

2011-09-01 05:12 . 2011-10-12 11:14 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-09-01 02:35 . 2011-10-12 11:14 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll

2011-09-01 02:28 . 2011-10-12 11:14 1126912 ----a-w- c:\windows\SysWow64\wininet.dll

2011-09-01 02:22 . 2011-10-12 11:14 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-08-31 22:00 . 2011-09-15 13:02 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-25 16:20 . 2011-10-12 02:56 735744 ----a-w- c:\windows\system32\UIAutomationCore.dll

2011-08-25 16:19 . 2011-10-12 02:56 332288 ----a-w- c:\windows\system32\oleacc.dll

2011-08-25 16:19 . 2011-10-12 02:56 847360 ----a-w- c:\windows\system32\oleaut32.dll

2011-08-25 16:15 . 2011-10-12 02:56 555520 ----a-w- c:\windows\SysWow64\UIAutomationCore.dll

2011-08-25 16:14 . 2011-10-12 02:56 563712 ----a-w- c:\windows\SysWow64\oleaut32.dll

2011-08-25 16:14 . 2011-10-12 02:56 238080 ----a-w- c:\windows\SysWow64\oleacc.dll

2011-08-25 13:54 . 2011-10-12 02:55 4096 ----a-w- c:\windows\system32\oleaccrc.dll

2011-08-25 13:31 . 2011-10-12 02:55 4096 ----a-w- c:\windows\SysWow64\oleaccrc.dll

2011-08-19 19:59 . 2011-09-16 01:53 158832 ----a-w- c:\windows\system32\mfevtps.exe

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

"igndlm.exe"="c:\program files (x86)\Download Manager\DLM.exe" [2009-05-15 1103216]

"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2010-09-17 2969496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1674896]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

.

c:\users\Vorlock\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Impulse Now.lnk - c:\program files (x86)\Stardock\Impulse\Now\ImpulseNow.exe [2009-7-3 419104]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R0 is3srv;is3srv;c:\windows\SySWOW64\drivers\is3srv64.sys [x]

R0 szkg5;szkg5;c:\windows\SySWOW64\DRIVERS\szkg64.sys [x]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 GetSusp;GetSusp;c:\windows\GetSusp.sys [2011-11-12 16200]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]

S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]

S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]

S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]

S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 208272]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]

S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RAVCpl64.exe" [2008-08-18 6440480]

"Skytel"="Skytel.exe" [2008-08-18 1833504]

"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-19 333344]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"LoadAppInit_DLLs"=0x0

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://my.yahoo.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 192.168.0.1

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

.

- - - - ORPHANS REMOVED - - - -

.

Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)

HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Bonjour\mDNSResponder.exe

c:\windows\SysWOW64\rundll32.exe

c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files (x86)\Internet Explorer\iexplore.exe

.

**************************************************************************

.

Completion time: 2011-11-14 19:42:26 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-15 00:42

.

Pre-Run: 351,148,339,200 bytes free

Post-Run: 349,822,775,296 bytes free

.

- - End Of File - - CAFE344435C8689FE72F9278A5238EFB

And finally, the security check log:

Results of screen317's Security Check version 0.99.26

Windows Vista x64 (UAC is enabled)

Out of date service pack!!

Internet Explorer 9

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

McAfee SecurityCenter

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Java 6 Update 29

Adobe Flash Player ( 10.0.45.2) Flash Player Out of Date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

``````````End of Log````````````

Hope this info helps. Thanks for your efforts.

Link to post
Share on other sites

Hello :)

Let's run some more scans to give us a better look at what might be causing the problem:

Please print out these instructions or copy them to a Notepad file for an easier reading and download MBRCheck by a_d_13 to your Desktop from one of these locations:

http://ad13.geekstogo.com/MBRCheck.exe

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

http://www.kernelmode.info/MBRCheck.exe

Close all opened programs/ windows and double-click on MBRCheck.exe.

It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.

-------------

Please do the following:

  • Please download aswMBR.exe from here and save it to your Desktop.
  • Double click aswMBR.exe to start the tool. (Vista - Win 7 Rt click to run as Administrator)
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your Desktop, and post that log in your next reply. Do NOT attempt any Fix at this time!
  • This will also create a file on your Desktop named MBR.dat. Right click that file and select Send To->Compressed (zipped) folder. Attach that zipped folder in your next reply as well.

-------------

Please include both scan results in your next reply ;)

Link to post
Share on other sites

Downloaded MBRCheck. Tried to run it but it timed out. I disabled active scan on mcafee and tried again and it worked...Kinda.

MBRCheck crashes on me. I accidentally left stuff open the first time, so I rebooted, waited for everything to load up and close, and then tried to run it again. It crashed at the same spot. I rebooted and waiting again but this time I used processexplorer to kill the rogue iexplore process first and then ran MBRCheck. It still crashed. I'll post the 3 logs anyway.

Then I downloaded aswMBR and ran it. It worked. You didnt say that I should download the avast scanner part and do that scan, so I didnt. I just did the standard mbr scan. I will post the log for that too. I can re-run it and have it do the AVAST scan if you like, just let me know.

Note: The d drive is a 2gig partition from Dell as a recovery option. I've never used it, but its been there since I bought this comp. The F drive is a second internal harddrive. No OS on it.

Logs:

MBRCheck attempt1:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows Vista Home Premium Edition

Windows Information: Service Pack 2 (build 6002), 64-bit

Base Board Manufacturer: Dell Inc

BIOS Manufacturer: Dell Inc.

System Manufacturer: Dell Inc

System Product Name: XPS 630i

Logical Drives Mask: 0x0000003c

Kernel Drivers (total 141):

0x00C56000 \SystemRoot\system32\ntoskrnl.exe

0x00C10000 \SystemRoot\system32\hal.dll

0x00600000 \SystemRoot\system32\kdcom.dll

0x00603000 \SystemRoot\system32\mcupdate_GenuineIntel.dll

0x0063E000 \SystemRoot\system32\PSHED.dll

0x00652000 \SystemRoot\system32\CLFS.SYS

0x006AF000 \SystemRoot\system32\CI.dll

0x0080B000 \SystemRoot\system32\drivers\Wdf01000.sys

0x008E5000 \SystemRoot\system32\drivers\WDFLDR.SYS

0x008F3000 \SystemRoot\system32\drivers\acpi.sys

0x00949000 \SystemRoot\system32\drivers\WMILIB.SYS

0x00952000 \SystemRoot\system32\drivers\msisadrv.sys

0x0095C000 \SystemRoot\system32\drivers\pci.sys

0x0098C000 \SystemRoot\System32\drivers\partmgr.sys

0x009A1000 \SystemRoot\system32\drivers\volmgr.sys

0x00761000 \SystemRoot\System32\drivers\volmgrx.sys

0x009B5000 \SystemRoot\system32\drivers\nvrd64.sys

0x007C7000 \SystemRoot\system32\drivers\CLASSPNP.SYS

0x009E1000 \SystemRoot\system32\drivers\pciide.sys

0x009E8000 \SystemRoot\system32\drivers\PCIIDEX.SYS

0x00A07000 \SystemRoot\System32\drivers\mountmgr.sys

0x00A1A000 \SystemRoot\system32\drivers\nvraid.sys

0x00A3D000 \SystemRoot\system32\drivers\atapi.sys

0x00A45000 \SystemRoot\system32\drivers\ataport.SYS

0x00A69000 \SystemRoot\system32\drivers\nvstor64.sys

0x00A94000 \SystemRoot\system32\drivers\storport.sys

0x00AF1000 \SystemRoot\system32\drivers\fltmgr.sys

0x00B38000 \SystemRoot\system32\drivers\fileinfo.sys

0x00B4C000 \SystemRoot\system32\drivers\mfehidk.sys

0x00BE7000 \SystemRoot\System32\Drivers\PxHlpa64.sys

0x00C08000 \SystemRoot\System32\Drivers\ksecdd.sys

0x00E0B000 \SystemRoot\system32\drivers\ndis.sys

0x00C8F000 \SystemRoot\system32\drivers\msrpc.sys

0x00CDF000 \SystemRoot\system32\drivers\NETIO.SYS

0x01007000 \SystemRoot\System32\Drivers\Ntfs.sys

0x01187000 \SystemRoot\system32\drivers\volsnap.sys

0x011CB000 \SystemRoot\System32\Drivers\spldr.sys

0x011D3000 \SystemRoot\System32\Drivers\mup.sys

0x00FCE000 \SystemRoot\System32\drivers\ecache.sys

0x011E5000 \SystemRoot\system32\drivers\disk.sys

0x00E00000 \SystemRoot\system32\drivers\crcdisk.sys

0x00D7B000 \SystemRoot\system32\DRIVERS\tunnel.sys

0x00D88000 \SystemRoot\system32\DRIVERS\tunmp.sys

0x00D91000 \SystemRoot\system32\DRIVERS\intelppm.sys

0x02E0D000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys

0x03A9F000 \SystemRoot\system32\DRIVERS\nvBridge.kmd

0x03AA1000 \SystemRoot\System32\drivers\dxgkrnl.sys

0x03B84000 \SystemRoot\System32\drivers\watchdog.sys

0x03B94000 \SystemRoot\system32\DRIVERS\fdc.sys

0x03BA1000 \SystemRoot\system32\DRIVERS\usbohci.sys

0x03BAC000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0x00DA4000 \SystemRoot\system32\DRIVERS\usbehci.sys

0x00DB5000 \SystemRoot\system32\DRIVERS\cdrom.sys

0x00DD1000 \SystemRoot\system32\DRIVERS\ohci1394.sys

0x00DE3000 \SystemRoot\system32\DRIVERS\1394BUS.SYS

0x03C02000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0x03E00000 \SystemRoot\system32\DRIVERS\nvmfdx64.sys

0x03F6A000 \SystemRoot\system32\DRIVERS\msiscsi.sys

0x03FA3000 \SystemRoot\system32\DRIVERS\TDI.SYS

0x03FB0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0x03FD3000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0x03CEF000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0x03FDF000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0x03D20000 \SystemRoot\system32\DRIVERS\raspptp.sys

0x03D3E000 \SystemRoot\system32\DRIVERS\rassstp.sys

0x03D56000 \SystemRoot\system32\DRIVERS\termdd.sys

0x03FEF000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0x03D69000 \SystemRoot\system32\DRIVERS\mouclass.sys

0x03FFD000 \SystemRoot\system32\DRIVERS\swenum.sys

0x03D75000 \SystemRoot\system32\DRIVERS\ks.sys

0x03DA9000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0x03DB4000 \SystemRoot\system32\DRIVERS\umbus.sys

0x04201000 \SystemRoot\system32\DRIVERS\usbhub.sys

0x04249000 \SystemRoot\System32\Drivers\NDProxy.SYS

0x0425D000 \SystemRoot\system32\drivers\RTKVHD64.sys

0x03DC4000 \SystemRoot\system32\drivers\portcls.sys

0x043C7000 \SystemRoot\system32\drivers\drmk.sys

0x043EA000 \SystemRoot\system32\drivers\ksthunk.sys

0x043F0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0x03BF2000 \SystemRoot\System32\Drivers\Null.SYS

0x00DF3000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0x04807000 \SystemRoot\System32\drivers\vga.sys

0x04815000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0x0483A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0x04843000 \SystemRoot\system32\drivers\rdpencdd.sys

0x0484C000 \SystemRoot\System32\Drivers\Msfs.SYS

0x04857000 \SystemRoot\System32\Drivers\Npfs.SYS

0x04868000 \SystemRoot\System32\DRIVERS\rasacd.sys

0x04871000 \SystemRoot\System32\drivers\tcpip.sys

0x04A01000 \SystemRoot\System32\drivers\fwpkclnt.sys

0x04A2D000 \SystemRoot\system32\drivers\mfewfpk.sys

0x04A71000 \SystemRoot\system32\DRIVERS\tdx.sys

0x04A8E000 \SystemRoot\system32\DRIVERS\smb.sys

0x04AA9000 \SystemRoot\System32\DRIVERS\netbt.sys

0x04AED000 \SystemRoot\system32\drivers\afd.sys

0x04B58000 \SystemRoot\system32\DRIVERS\pacer.sys

0x04B76000 \SystemRoot\system32\DRIVERS\mfenlfk.sys

0x04B87000 \SystemRoot\system32\DRIVERS\netbios.sys

0x04B96000 \SystemRoot\system32\DRIVERS\wanarp.sys

0x04BB1000 \SystemRoot\system32\DRIVERS\rdbss.sys

0x049E6000 \SystemRoot\system32\drivers\nsiproxy.sys

0x04C04000 \SystemRoot\System32\Drivers\dfsc.sys

0x04C21000 \SystemRoot\system32\drivers\mfeavfk.sys

0x04C57000 \SystemRoot\system32\drivers\mfefirek.sys

0x04CCB000 \SystemRoot\system32\DRIVERS\hidusb.sys

0x04CD4000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0x04CE6000 \SystemRoot\system32\DRIVERS\USBD.SYS

0x04CE8000 \SystemRoot\system32\DRIVERS\mouhid.sys

0x04CF3000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0x04D0F000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0x04D1A000 \SystemRoot\System32\Drivers\crashdmp.sys

0x04D28000 \SystemRoot\System32\Drivers\dump_diskdump.sys

0x04D32000 \SystemRoot\System32\Drivers\dump_nvstor64.sys

0x000E0000 \SystemRoot\System32\win32k.sys

0x04D5D000 \SystemRoot\System32\drivers\Dxapi.sys

0x04D69000 \SystemRoot\system32\DRIVERS\monitor.sys

0x004F0000 \SystemRoot\System32\TSDDD.dll

0x00670000 \SystemRoot\System32\cdd.dll

0x008E0000 \SystemRoot\System32\ATMFD.DLL

0x04D7C000 \SystemRoot\system32\drivers\luafv.sys

0x09002000 \SystemRoot\system32\drivers\spsys.sys

0x0909C000 \SystemRoot\system32\DRIVERS\lltdio.sys

0x090B0000 \SystemRoot\system32\DRIVERS\rspndr.sys

0x090C8000 \SystemRoot\system32\drivers\HTTP.sys

0x0916B000 \SystemRoot\System32\DRIVERS\srvnet.sys

0x09194000 \SystemRoot\system32\DRIVERS\bowser.sys

0x091B2000 \SystemRoot\System32\drivers\mpsdrv.sys

0x091CC000 \SystemRoot\system32\drivers\mrxdav.sys

0x04D9E000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0x09C09000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys

0x09C52000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys

0x09C71000 \SystemRoot\System32\DRIVERS\srv2.sys

0x09CA3000 \SystemRoot\System32\DRIVERS\srv.sys

0x09D36000 \SystemRoot\system32\drivers\peauth.sys

0x09DEC000 \SystemRoot\System32\Drivers\secdrv.SYS

0x04DC7000 \SystemRoot\System32\Drivers\fastfat.SYS

0x00D38000 \SystemRoot\System32\drivers\tcpipreg.sys

0x00D48000 \SystemRoot\system32\drivers\mfeapfk.sys

0x0BA04000 \SystemRoot\system32\drivers\cfwids.sys

0x0BA13000 \SystemRoot\system32\DRIVERS\cdfs.sys

0x77390000 \Windows\System32\ntdll.dll

Processes (total 67):

0 System Idle Process

4 System

584 C:\Windows\System32\smss.exe

652 csrss.exe

696 C:\Windows\System32\wininit.exe

716 csrss.exe

752 C:\Windows\System32\services.exe

768 C:\Windows\System32\lsass.exe

776 C:\Windows\System32\lsm.exe

936 C:\Windows\System32\svchost.exe

996 C:\Windows\System32\winlogon.exe

1020 C:\Windows\System32\nvvsvc.exe

360 C:\Windows\System32\svchost.exe

596 C:\Windows\System32\svchost.exe

616 C:\Windows\System32\svchost.exe

592 C:\Windows\System32\svchost.exe

556 C:\Windows\System32\audiodg.exe

1044 C:\Windows\System32\svchost.exe

1060 C:\Windows\System32\SLsvc.exe

1088 C:\Windows\System32\svchost.exe

1200 C:\Program Files\Dell\DellDock\DockLogin.exe

1320 C:\Windows\System32\nvvsvc.exe

1352 C:\Windows\System32\svchost.exe

1584 C:\Windows\System32\spoolsv.exe

1608 C:\Windows\System32\svchost.exe

1884 C:\Windows\System32\svchost.exe

1912 C:\Program Files (x86)\Bonjour\mDNSResponder.exe

1956 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

1052 C:\Windows\System32\mfevtps.exe

1104 C:\Windows\System32\rundll32.exe

1424 C:\Windows\SysWOW64\rundll32.exe

1928 C:\Windows\System32\svchost.exe

2076 C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

2252 C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

2272 C:\Windows\System32\svchost.exe

2304 C:\Windows\System32\svchost.exe

2356 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

2384 C:\Windows\System32\SearchIndexer.exe

2436 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

2500 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

2604 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

772 C:\Windows\System32\taskeng.exe

1700 C:\Windows\System32\dwm.exe

560 C:\Windows\explorer.exe

3092 C:\Windows\System32\taskeng.exe

3592 C:\Windows\RAVCpl64.exe

3612 C:\Windows\System32\nvraidservice.exe

3628 C:\Program Files (x86)\Steam\steam.exe

3636 C:\Windows\ehome\ehtray.exe

3664 WmiPrvSE.exe

3700 C:\Windows\ehome\ehmsas.exe

3844 C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe

2956 C:\Program Files\Windows Media Player\wmpnscfg.exe

1528 C:\Program Files\Windows Media Player\wmpnetwk.exe

3492 C:\Program Files\McAfee.com\Agent\mcagent.exe

3556 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

1248 C:\Program Files (x86)\Internet Explorer\iexplore.exe

1736 C:\Windows\System32\wbem\unsecapp.exe

2832 C:\Windows\System32\svchost.exe

944 C:\Program Files\Internet Explorer\iexplore.exe

2472 C:\Users\Vorlock\Desktop\procexp64.exe

2152 C:\Windows\System32\SearchProtocolHost.exe

1680 C:\Windows\System32\SearchFilterHost.exe

5028 C:\Program Files (x86)\Common Files\Steam\SteamService.exe

5100 C:\Program Files\Common Files\McAfee\Core\mchost.exe

3408 WmiPrvSE.exe

4272 C:\Users\Vorlock\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`84700000 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`04700000 (NTFS)

\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: ST3500620AS, Rev: DE12

PhysicalDrive1 Model Number: ST3120026AS, Rev: 8.05

Size Device Name MBR Status

--------------------------------------------

465 GB \\.\PhysicalDrive0 RE: Windows Vista MBR code detected

SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979

111 GB \\.\PhysicalDrive1

MBRCheck attempt2:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows Vista Home Premium Edition

Windows Information: Service Pack 2 (build 6002), 64-bit

Base Board Manufacturer: Dell Inc

BIOS Manufacturer: Dell Inc.

System Manufacturer: Dell Inc

System Product Name: XPS 630i

Logical Drives Mask: 0x0000003c

Kernel Drivers (total 141):

0x00C4F000 \SystemRoot\system32\ntoskrnl.exe

0x00C09000 \SystemRoot\system32\hal.dll

0x00608000 \SystemRoot\system32\kdcom.dll

0x0060B000 \SystemRoot\system32\mcupdate_GenuineIntel.dll

0x00646000 \SystemRoot\system32\PSHED.dll

0x0065A000 \SystemRoot\system32\CLFS.SYS

0x006B7000 \SystemRoot\system32\CI.dll

0x00800000 \SystemRoot\system32\drivers\Wdf01000.sys

0x008DA000 \SystemRoot\system32\drivers\WDFLDR.SYS

0x008E8000 \SystemRoot\system32\drivers\acpi.sys

0x0093E000 \SystemRoot\system32\drivers\WMILIB.SYS

0x00947000 \SystemRoot\system32\drivers\msisadrv.sys

0x00951000 \SystemRoot\system32\drivers\pci.sys

0x00981000 \SystemRoot\System32\drivers\partmgr.sys

0x00996000 \SystemRoot\system32\drivers\volmgr.sys

0x00769000 \SystemRoot\System32\drivers\volmgrx.sys

0x009AA000 \SystemRoot\system32\drivers\nvrd64.sys

0x007CF000 \SystemRoot\system32\drivers\CLASSPNP.SYS

0x009D6000 \SystemRoot\system32\drivers\pciide.sys

0x009DD000 \SystemRoot\system32\drivers\PCIIDEX.SYS

0x009ED000 \SystemRoot\System32\drivers\mountmgr.sys

0x00A03000 \SystemRoot\system32\drivers\nvraid.sys

0x00A26000 \SystemRoot\system32\drivers\atapi.sys

0x00A2E000 \SystemRoot\system32\drivers\ataport.SYS

0x00A52000 \SystemRoot\system32\drivers\nvstor64.sys

0x00A7D000 \SystemRoot\system32\drivers\storport.sys

0x00ADA000 \SystemRoot\system32\drivers\fltmgr.sys

0x00B21000 \SystemRoot\system32\drivers\fileinfo.sys

0x00B35000 \SystemRoot\system32\drivers\mfehidk.sys

0x00BD0000 \SystemRoot\System32\Drivers\PxHlpa64.sys

0x00C02000 \SystemRoot\System32\Drivers\ksecdd.sys

0x00E01000 \SystemRoot\system32\drivers\ndis.sys

0x00C89000 \SystemRoot\system32\drivers\msrpc.sys

0x00CD9000 \SystemRoot\system32\drivers\NETIO.SYS

0x01001000 \SystemRoot\System32\Drivers\Ntfs.sys

0x01181000 \SystemRoot\system32\drivers\volsnap.sys

0x011C5000 \SystemRoot\System32\Drivers\spldr.sys

0x011CD000 \SystemRoot\System32\Drivers\mup.sys

0x00FC4000 \SystemRoot\System32\drivers\ecache.sys

0x011DF000 \SystemRoot\system32\drivers\disk.sys

0x011F3000 \SystemRoot\system32\drivers\crcdisk.sys

0x00D67000 \SystemRoot\system32\DRIVERS\tunnel.sys

0x00D74000 \SystemRoot\system32\DRIVERS\tunmp.sys

0x00D7D000 \SystemRoot\system32\DRIVERS\intelppm.sys

0x02E05000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys

0x03A97000 \SystemRoot\system32\DRIVERS\nvBridge.kmd

0x03A99000 \SystemRoot\System32\drivers\dxgkrnl.sys

0x03B7C000 \SystemRoot\System32\drivers\watchdog.sys

0x03B8C000 \SystemRoot\system32\DRIVERS\fdc.sys

0x03B99000 \SystemRoot\system32\DRIVERS\usbohci.sys

0x03BA4000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0x03BEA000 \SystemRoot\system32\DRIVERS\usbehci.sys

0x00D90000 \SystemRoot\system32\DRIVERS\cdrom.sys

0x00DAC000 \SystemRoot\system32\DRIVERS\ohci1394.sys

0x00DBE000 \SystemRoot\system32\DRIVERS\1394BUS.SYS

0x03E0C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0x04007000 \SystemRoot\system32\DRIVERS\nvmfdx64.sys

0x04171000 \SystemRoot\system32\DRIVERS\msiscsi.sys

0x041AA000 \SystemRoot\system32\DRIVERS\TDI.SYS

0x041B7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0x041DA000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0x03EF9000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0x041E6000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0x03F2A000 \SystemRoot\system32\DRIVERS\raspptp.sys

0x03F48000 \SystemRoot\system32\DRIVERS\rassstp.sys

0x03F60000 \SystemRoot\system32\DRIVERS\termdd.sys

0x03F73000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0x03F81000 \SystemRoot\system32\DRIVERS\mouclass.sys

0x041F6000 \SystemRoot\system32\DRIVERS\swenum.sys

0x03F8D000 \SystemRoot\system32\DRIVERS\ks.sys

0x03FC1000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0x03FCC000 \SystemRoot\system32\DRIVERS\umbus.sys

0x0420C000 \SystemRoot\system32\DRIVERS\usbhub.sys

0x04254000 \SystemRoot\System32\Drivers\NDProxy.SYS

0x04268000 \SystemRoot\system32\drivers\RTKVHD64.sys

0x04604000 \SystemRoot\system32\drivers\portcls.sys

0x0463F000 \SystemRoot\system32\drivers\drmk.sys

0x04662000 \SystemRoot\system32\drivers\ksthunk.sys

0x04668000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0x04672000 \SystemRoot\System32\Drivers\Null.SYS

0x04686000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0x0468E000 \SystemRoot\System32\drivers\vga.sys

0x0469C000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0x046C1000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0x046CA000 \SystemRoot\system32\drivers\rdpencdd.sys

0x046D3000 \SystemRoot\System32\Drivers\Msfs.SYS

0x046DE000 \SystemRoot\System32\Drivers\Npfs.SYS

0x046EF000 \SystemRoot\System32\DRIVERS\rasacd.sys

0x04A06000 \SystemRoot\System32\drivers\tcpip.sys

0x04B7B000 \SystemRoot\System32\drivers\fwpkclnt.sys

0x04BA7000 \SystemRoot\system32\drivers\mfewfpk.sys

0x046F8000 \SystemRoot\system32\DRIVERS\tdx.sys

0x04715000 \SystemRoot\system32\DRIVERS\smb.sys

0x04730000 \SystemRoot\System32\DRIVERS\netbt.sys

0x04774000 \SystemRoot\system32\drivers\afd.sys

0x047DF000 \SystemRoot\system32\DRIVERS\pacer.sys

0x04BEB000 \SystemRoot\system32\DRIVERS\mfenlfk.sys

0x043D2000 \SystemRoot\system32\DRIVERS\netbios.sys

0x043E1000 \SystemRoot\system32\DRIVERS\wanarp.sys

0x04C0B000 \SystemRoot\system32\DRIVERS\rdbss.sys

0x04C58000 \SystemRoot\system32\drivers\nsiproxy.sys

0x04C64000 \SystemRoot\System32\Drivers\dfsc.sys

0x04C81000 \SystemRoot\system32\drivers\mfeavfk.sys

0x04CB7000 \SystemRoot\system32\drivers\mfefirek.sys

0x04D2B000 \SystemRoot\System32\Drivers\crashdmp.sys

0x04D39000 \SystemRoot\System32\Drivers\dump_diskdump.sys

0x04D43000 \SystemRoot\System32\Drivers\dump_nvstor64.sys

0x04D6E000 \SystemRoot\system32\DRIVERS\hidusb.sys

0x04D77000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0x04D89000 \SystemRoot\system32\DRIVERS\USBD.SYS

0x04D8B000 \SystemRoot\system32\DRIVERS\mouhid.sys

0x04D96000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0x04DB2000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0x000B0000 \SystemRoot\System32\win32k.sys

0x04DBD000 \SystemRoot\System32\drivers\Dxapi.sys

0x04DC9000 \SystemRoot\system32\DRIVERS\monitor.sys

0x00490000 \SystemRoot\System32\TSDDD.dll

0x006E0000 \SystemRoot\System32\cdd.dll

0x008A0000 \SystemRoot\System32\ATMFD.DLL

0x04DDC000 \SystemRoot\system32\drivers\luafv.sys

0x09000000 \SystemRoot\system32\drivers\spsys.sys

0x0909A000 \SystemRoot\system32\DRIVERS\lltdio.sys

0x090AE000 \SystemRoot\system32\DRIVERS\rspndr.sys

0x090C6000 \SystemRoot\system32\drivers\HTTP.sys

0x09169000 \SystemRoot\System32\DRIVERS\srvnet.sys

0x09192000 \SystemRoot\system32\DRIVERS\bowser.sys

0x091B0000 \SystemRoot\System32\drivers\mpsdrv.sys

0x091CA000 \SystemRoot\system32\drivers\mrxdav.sys

0x00DCE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0x09E03000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys

0x09E4C000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys

0x09E6B000 \SystemRoot\System32\DRIVERS\srv2.sys

0x09E9D000 \SystemRoot\System32\DRIVERS\srv.sys

0x09F30000 \SystemRoot\system32\drivers\peauth.sys

0x09FE6000 \SystemRoot\System32\Drivers\secdrv.SYS

0x03FDC000 \SystemRoot\System32\drivers\tcpipreg.sys

0x00D32000 \SystemRoot\System32\Drivers\fastfat.SYS

0x0B60B000 \SystemRoot\system32\drivers\mfeapfk.sys

0x0B630000 \SystemRoot\system32\drivers\cfwids.sys

0x0B63F000 \SystemRoot\system32\DRIVERS\cdfs.sys

0x77660000 \Windows\System32\ntdll.dll

Processes (total 65):

0 System Idle Process

4 System

580 C:\Windows\System32\smss.exe

652 csrss.exe

696 C:\Windows\System32\wininit.exe

716 csrss.exe

752 C:\Windows\System32\services.exe

768 C:\Windows\System32\lsass.exe

776 C:\Windows\System32\lsm.exe

932 C:\Windows\System32\svchost.exe

992 C:\Windows\System32\winlogon.exe

1016 C:\Windows\System32\nvvsvc.exe

352 C:\Windows\System32\svchost.exe

588 C:\Windows\System32\svchost.exe

616 C:\Windows\System32\svchost.exe

740 C:\Windows\System32\svchost.exe

644 C:\Windows\System32\audiodg.exe

1048 C:\Windows\System32\svchost.exe

1064 C:\Windows\System32\SLsvc.exe

1104 C:\Windows\System32\svchost.exe

1172 C:\Program Files\Dell\DellDock\DockLogin.exe

1316 C:\Windows\System32\nvvsvc.exe

1328 C:\Windows\System32\svchost.exe

1584 C:\Windows\System32\spoolsv.exe

1612 C:\Windows\System32\svchost.exe

2020 C:\Windows\System32\dwm.exe

2032 C:\Windows\System32\taskeng.exe

708 C:\Windows\explorer.exe

2064 C:\Windows\System32\svchost.exe

2076 C:\Program Files (x86)\Bonjour\mDNSResponder.exe

2116 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

2204 C:\Windows\System32\mfevtps.exe

2280 C:\Windows\System32\svchost.exe

2392 C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

2404 C:\Windows\System32\rundll32.exe

2424 C:\Windows\SysWOW64\rundll32.exe

2500 C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

2532 C:\Windows\System32\svchost.exe

2584 C:\Windows\System32\svchost.exe

2632 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

2676 C:\Windows\System32\SearchIndexer.exe

2728 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

2780 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

2792 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

2936 C:\Windows\System32\taskeng.exe

3452 C:\Program Files (x86)\Internet Explorer\iexplore.exe

3568 WmiPrvSE.exe

3676 C:\Windows\System32\svchost.exe

3816 C:\Windows\RAVCpl64.exe

3892 C:\Windows\System32\nvraidservice.exe

3908 C:\Windows\ehome\ehtray.exe

3960 C:\Windows\ehome\ehmsas.exe

2216 WmiPrvSE.exe

3340 C:\Program Files\Windows Media Player\wmpnscfg.exe

1192 C:\Program Files\Windows Media Player\wmpnetwk.exe

1816 C:\Windows\System32\wbem\unsecapp.exe

1184 C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe

3048 C:\Program Files\McAfee.com\Agent\mcagent.exe

3412 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

4056 C:\Windows\System32\SearchProtocolHost.exe

1964 C:\Windows\System32\SearchFilterHost.exe

3316 C:\Windows\System32\SearchProtocolHost.exe

4060 dllhost.exe

4612 dllhost.exe

1056 C:\Users\Vorlock\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`84700000 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`04700000 (NTFS)

\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: ST3500620AS, Rev: DE12

PhysicalDrive1 Model Number: ST3120026AS, Rev: 8.05

Size Device Name MBR Status

--------------------------------------------

465 GB \\.\PhysicalDrive0 RE: Windows Vista MBR code detected

SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979

111 GB \\.\PhysicalDrive1

MBRCheck attempt 3:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows Vista Home Premium Edition

Windows Information: Service Pack 2 (build 6002), 64-bit

Base Board Manufacturer: Dell Inc

BIOS Manufacturer: Dell Inc.

System Manufacturer: Dell Inc

System Product Name: XPS 630i

Logical Drives Mask: 0x0000003c

Kernel Drivers (total 141):

0x00C04000 \SystemRoot\system32\ntoskrnl.exe

0x0111C000 \SystemRoot\system32\hal.dll

0x0060E000 \SystemRoot\system32\kdcom.dll

0x00611000 \SystemRoot\system32\mcupdate_GenuineIntel.dll

0x0064C000 \SystemRoot\system32\PSHED.dll

0x00660000 \SystemRoot\system32\CLFS.SYS

0x006BD000 \SystemRoot\system32\CI.dll

0x00801000 \SystemRoot\system32\drivers\Wdf01000.sys

0x008DB000 \SystemRoot\system32\drivers\WDFLDR.SYS

0x008E9000 \SystemRoot\system32\drivers\acpi.sys

0x0093F000 \SystemRoot\system32\drivers\WMILIB.SYS

0x00948000 \SystemRoot\system32\drivers\msisadrv.sys

0x00952000 \SystemRoot\system32\drivers\pci.sys

0x00982000 \SystemRoot\System32\drivers\partmgr.sys

0x00997000 \SystemRoot\system32\drivers\volmgr.sys

0x0076F000 \SystemRoot\System32\drivers\volmgrx.sys

0x009AB000 \SystemRoot\system32\drivers\nvrd64.sys

0x00A01000 \SystemRoot\system32\drivers\CLASSPNP.SYS

0x00A2D000 \SystemRoot\system32\drivers\pciide.sys

0x00A34000 \SystemRoot\system32\drivers\PCIIDEX.SYS

0x00A44000 \SystemRoot\System32\drivers\mountmgr.sys

0x00A57000 \SystemRoot\system32\drivers\nvraid.sys

0x00A7A000 \SystemRoot\system32\drivers\atapi.sys

0x00A82000 \SystemRoot\system32\drivers\ataport.SYS

0x00AA6000 \SystemRoot\system32\drivers\nvstor64.sys

0x00AD1000 \SystemRoot\system32\drivers\storport.sys

0x00B2E000 \SystemRoot\system32\drivers\fltmgr.sys

0x00B75000 \SystemRoot\system32\drivers\fileinfo.sys

0x00C0D000 \SystemRoot\system32\drivers\mfehidk.sys

0x00CA8000 \SystemRoot\System32\Drivers\PxHlpa64.sys

0x00CB4000 \SystemRoot\System32\Drivers\ksecdd.sys

0x00E0E000 \SystemRoot\system32\drivers\ndis.sys

0x00D3B000 \SystemRoot\system32\drivers\msrpc.sys

0x00D8B000 \SystemRoot\system32\drivers\NETIO.SYS

0x01001000 \SystemRoot\System32\Drivers\Ntfs.sys

0x01181000 \SystemRoot\system32\drivers\volsnap.sys

0x011C5000 \SystemRoot\System32\Drivers\spldr.sys

0x011CD000 \SystemRoot\System32\Drivers\mup.sys

0x00FD1000 \SystemRoot\System32\drivers\ecache.sys

0x011DF000 \SystemRoot\system32\drivers\disk.sys

0x011F3000 \SystemRoot\system32\drivers\crcdisk.sys

0x00DEE000 \SystemRoot\system32\DRIVERS\tunnel.sys

0x00C00000 \SystemRoot\system32\DRIVERS\tunmp.sys

0x00BB4000 \SystemRoot\system32\DRIVERS\intelppm.sys

0x02E04000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys

0x03A96000 \SystemRoot\system32\DRIVERS\nvBridge.kmd

0x03A98000 \SystemRoot\System32\drivers\dxgkrnl.sys

0x03B7B000 \SystemRoot\System32\drivers\watchdog.sys

0x03B8B000 \SystemRoot\system32\DRIVERS\fdc.sys

0x03B98000 \SystemRoot\system32\DRIVERS\usbohci.sys

0x03BA3000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0x03BE9000 \SystemRoot\system32\DRIVERS\usbehci.sys

0x00BC7000 \SystemRoot\system32\DRIVERS\cdrom.sys

0x00BE3000 \SystemRoot\system32\DRIVERS\ohci1394.sys

0x009D7000 \SystemRoot\system32\DRIVERS\1394BUS.SYS

0x03C0A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0x03E0D000 \SystemRoot\system32\DRIVERS\nvmfdx64.sys

0x03F77000 \SystemRoot\system32\DRIVERS\msiscsi.sys

0x03FB0000 \SystemRoot\system32\DRIVERS\TDI.SYS

0x03FBD000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0x03FE0000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0x03CF7000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0x03FEC000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0x03D28000 \SystemRoot\system32\DRIVERS\raspptp.sys

0x03D46000 \SystemRoot\system32\DRIVERS\rassstp.sys

0x03D5E000 \SystemRoot\system32\DRIVERS\termdd.sys

0x03D71000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0x03E00000 \SystemRoot\system32\DRIVERS\mouclass.sys

0x03FFC000 \SystemRoot\system32\DRIVERS\swenum.sys

0x03D7F000 \SystemRoot\system32\DRIVERS\ks.sys

0x03DB3000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0x03DBE000 \SystemRoot\system32\DRIVERS\umbus.sys

0x04206000 \SystemRoot\system32\DRIVERS\usbhub.sys

0x0424E000 \SystemRoot\System32\Drivers\NDProxy.SYS

0x04262000 \SystemRoot\system32\drivers\RTKVHD64.sys

0x0480A000 \SystemRoot\system32\drivers\portcls.sys

0x04845000 \SystemRoot\system32\drivers\drmk.sys

0x04868000 \SystemRoot\system32\drivers\ksthunk.sys

0x0486E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0x04878000 \SystemRoot\System32\Drivers\Null.SYS

0x0488C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0x04894000 \SystemRoot\System32\drivers\vga.sys

0x048A2000 \SystemRoot\System32\drivers\VIDEOPRT.SYS

0x048C7000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0x048D0000 \SystemRoot\system32\drivers\rdpencdd.sys

0x048D9000 \SystemRoot\System32\Drivers\Msfs.SYS

0x048E4000 \SystemRoot\System32\Drivers\Npfs.SYS

0x048F5000 \SystemRoot\System32\DRIVERS\rasacd.sys

0x04A00000 \SystemRoot\System32\drivers\tcpip.sys

0x04B75000 \SystemRoot\System32\drivers\fwpkclnt.sys

0x04BA1000 \SystemRoot\system32\drivers\mfewfpk.sys

0x048FE000 \SystemRoot\system32\DRIVERS\tdx.sys

0x04BE5000 \SystemRoot\system32\DRIVERS\smb.sys

0x0491B000 \SystemRoot\System32\DRIVERS\netbt.sys

0x0495F000 \SystemRoot\system32\drivers\afd.sys

0x049CA000 \SystemRoot\system32\DRIVERS\pacer.sys

0x049E8000 \SystemRoot\system32\DRIVERS\mfenlfk.sys

0x043CC000 \SystemRoot\system32\DRIVERS\netbios.sys

0x043DB000 \SystemRoot\system32\DRIVERS\wanarp.sys

0x04C0E000 \SystemRoot\system32\DRIVERS\rdbss.sys

0x04C5B000 \SystemRoot\system32\drivers\nsiproxy.sys

0x04C67000 \SystemRoot\System32\Drivers\dfsc.sys

0x04C84000 \SystemRoot\system32\drivers\mfeavfk.sys

0x04CBA000 \SystemRoot\system32\drivers\mfefirek.sys

0x04D2E000 \SystemRoot\system32\DRIVERS\hidusb.sys

0x04D37000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0x04D49000 \SystemRoot\system32\DRIVERS\USBD.SYS

0x04D4B000 \SystemRoot\System32\Drivers\crashdmp.sys

0x04D59000 \SystemRoot\System32\Drivers\dump_diskdump.sys

0x04D63000 \SystemRoot\System32\Drivers\dump_nvstor64.sys

0x04D8E000 \SystemRoot\system32\DRIVERS\mouhid.sys

0x04D99000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0x04DB5000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0x00060000 \SystemRoot\System32\win32k.sys

0x04DC0000 \SystemRoot\System32\drivers\Dxapi.sys

0x04DCC000 \SystemRoot\system32\DRIVERS\monitor.sys

0x00420000 \SystemRoot\System32\TSDDD.dll

0x00670000 \SystemRoot\System32\cdd.dll

0x00800000 \SystemRoot\System32\ATMFD.DLL

0x03DCE000 \SystemRoot\system32\drivers\luafv.sys

0x0900E000 \SystemRoot\system32\drivers\spsys.sys

0x090A8000 \SystemRoot\system32\DRIVERS\lltdio.sys

0x090BC000 \SystemRoot\system32\DRIVERS\rspndr.sys

0x090D4000 \SystemRoot\system32\drivers\HTTP.sys

0x09177000 \SystemRoot\System32\DRIVERS\srvnet.sys

0x091A0000 \SystemRoot\system32\DRIVERS\bowser.sys

0x091BE000 \SystemRoot\System32\drivers\mpsdrv.sys

0x091D8000 \SystemRoot\system32\drivers\mrxdav.sys

0x00B89000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0x09E09000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys

0x09E52000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys

0x09E71000 \SystemRoot\System32\DRIVERS\srv2.sys

0x09EA3000 \SystemRoot\System32\DRIVERS\srv.sys

0x09F36000 \SystemRoot\system32\drivers\peauth.sys

0x09FEC000 \SystemRoot\System32\Drivers\secdrv.SYS

0x08002000 \SystemRoot\System32\Drivers\fastfat.SYS

0x08037000 \SystemRoot\System32\drivers\tcpipreg.sys

0x0807D000 \SystemRoot\system32\drivers\mfeapfk.sys

0x080A2000 \SystemRoot\system32\drivers\cfwids.sys

0x080B1000 \SystemRoot\system32\DRIVERS\cdfs.sys

0x76D70000 \Windows\System32\ntdll.dll

Processes (total 61):

0 System Idle Process

4 System

540 C:\Windows\System32\smss.exe

652 csrss.exe

696 C:\Windows\System32\wininit.exe

716 csrss.exe

752 C:\Windows\System32\services.exe

768 C:\Windows\System32\lsass.exe

776 C:\Windows\System32\lsm.exe

928 C:\Windows\System32\svchost.exe

964 C:\Windows\System32\winlogon.exe

1012 C:\Windows\System32\nvvsvc.exe

304 C:\Windows\System32\svchost.exe

552 C:\Windows\System32\svchost.exe

616 C:\Windows\System32\svchost.exe

548 C:\Windows\System32\svchost.exe

912 C:\Windows\System32\audiodg.exe

1076 C:\Windows\System32\svchost.exe

1104 C:\Windows\System32\SLsvc.exe

1124 C:\Windows\System32\svchost.exe

1252 C:\Windows\System32\nvvsvc.exe

1264 C:\Program Files\Dell\DellDock\DockLogin.exe

1352 C:\Windows\System32\svchost.exe

1520 C:\Windows\System32\spoolsv.exe

1548 C:\Windows\System32\svchost.exe

1996 C:\Windows\System32\taskeng.exe

2036 C:\Windows\System32\dwm.exe

720 C:\Windows\explorer.exe

1768 C:\Windows\System32\taskeng.exe

2184 C:\Windows\RAVCpl64.exe

2208 C:\Windows\System32\nvraidservice.exe

2224 C:\Windows\ehome\ehtray.exe

2252 C:\Windows\ehome\ehmsas.exe

2428 C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe

2548 C:\Program Files\McAfee.com\Agent\mcagent.exe

2644 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

2676 C:\Windows\System32\svchost.exe

2692 C:\Program Files (x86)\Bonjour\mDNSResponder.exe

2740 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

2828 C:\Windows\System32\mfevtps.exe

2988 C:\Windows\System32\rundll32.exe

3008 C:\Windows\SysWOW64\rundll32.exe

3016 C:\Windows\System32\svchost.exe

3028 C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

1860 C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

1928 C:\Windows\System32\svchost.exe

2376 C:\Windows\System32\svchost.exe

1168 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

2424 C:\Windows\System32\SearchIndexer.exe

1048 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

2904 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

3124 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

3672 C:\Windows\System32\svchost.exe

3752 C:\Program Files\Windows Media Player\wmpnscfg.exe

3800 C:\Program Files\Windows Media Player\wmpnetwk.exe

3832 WmiPrvSE.exe

4000 C:\Windows\System32\wbem\unsecapp.exe

3324 WmiPrvSE.exe

1580 dllhost.exe

1948 dllhost.exe

4188 C:\Users\Vorlock\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`84700000 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`04700000 (NTFS)

\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: ST3500620AS, Rev: DE12

PhysicalDrive1 Model Number: ST3120026AS, Rev: 8.05

Size Device Name MBR Status

--------------------------------------------

465 GB \\.\PhysicalDrive0 RE: Windows Vista MBR code detected

SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979

111 GB \\.\PhysicalDrive1

aswMBR.txt

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software

Run date: 2011-11-14 20:57:46

-----------------------------

20:57:46.767 OS Version: Windows x64 6.0.6002 Service Pack 2

20:57:46.767 Number of processors: 2 586 0x1706

20:57:46.767 ComputerName: XPS-PC UserName:

20:57:47.859 Initialize success

20:58:07.910 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000052

20:58:07.910 Disk 0 Vendor: ST350062 DE12 Size: 476940MB BusType: 8

20:58:07.926 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000054

20:58:07.926 Disk 1 Vendor: ST312002 8.05 Size: 114440MB BusType: 8

20:58:09.985 Disk 0 MBR read successfully

20:58:09.985 Disk 0 MBR scan

20:58:09.985 Disk 0 Windows VISTA default MBR code

20:58:09.985 Service scanning

20:58:11.092 Modules scanning

20:58:11.092 Disk 0 trace - called modules:

20:58:11.108 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys >>UNKNOWN [0xfffffa8004b6d334]<<

20:58:11.124 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b20790]

20:58:11.124 3 CLASSPNP.SYS[fffffa60007c8c33] -> nt!IofCallDriver -> [0xfffffa800485a950]

20:58:11.124 5 acpi.sys[fffffa60008f3fde] -> nt!IofCallDriver -> \Device\00000052[0xfffffa800487d060]

20:58:11.124 \Driver\nvstor64[0xfffffa8003da5960] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8004b6d334

20:58:11.124 Scan finished successfully

20:58:30.237 Disk 0 MBR has been saved successfully to "C:\Users\Vorlock\Desktop\MBR.dat"

20:58:30.237 The log file has been saved successfully to "C:\Users\Vorlock\Desktop\aswMBR.txt"

Link to post
Share on other sites

Hi there,

I ran MBAM over night. I disabled active scan from mcafee, installed mbam, checked for updates, and then ran it. Since the iexplore process was running and i didnt want it to be downloading additional viruses all night, i unplugged from the network once mbam got its updates and was running. The iexplore process continued to hang out. At one point it went away and then respawned without me touching it. It is still here this morning and mbam didnt find anything. Here is the log.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8164

Windows 6.0.6002 Service Pack 2

Internet Explorer 9.0.8112.16421

11/15/2011 12:26:34 AM

mbam-log-2011-11-15 (00-26-33).txt

Scan type: Full scan (C:\|D:\|F:\|)

Objects scanned: 420842

Time elapsed: 1 hour(s), 15 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

My sincerest apologies for the delay.

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::

szkg5

is3srv

File::

c:\windows\SySWOW64\DRIVERS\szkg64.sys

c:\windows\SySWOW64\drivers\is3srv64.sys

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)

Link to post
Share on other sites

Did as you requested. Computer still seems to be infected since the rogue iexplore process is still running under the svchost process.

During the running of combofix, the following noteworthy events happened:

1-After I dragged the file onto combo fix, it said there was a new version and did I want to use it? I chose yes, so it ran the new version.

2-After all the stages, it rebooted. When the computer rebooted, I logged in. The combofix box was there, and 2 or 3 other dos like windows were open for a short time. I didnt get to see what they were. While it was preparing its logs, another windows type box popped up briefly. I think it might have said something about a registry key but I didnt get a chance to read it.

Here are the logs:

ComboFix 11-11-15.06 - Vorlock 11/15/2011 18:21:32.2.2 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4093.2663 [GMT -5:00]

Running from: c:\users\Vorlock\Desktop\ComboFix.exe

Command switches used :: c:\users\Vorlock\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\windows\SySWOW64\drivers\is3srv64.sys"

"c:\windows\SySWOW64\DRIVERS\szkg64.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_SZKG5

-------\Service_is3srv

-------\Service_szkg5

.

.

((((((((((((((((((((((((( Files Created from 2011-10-15 to 2011-11-15 )))))))))))))))))))))))))))))))

.

.

2011-11-15 23:54 . 2011-11-15 23:54 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-11-15 04:09 . 2011-11-15 04:09 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2011-11-12 14:36 . 2011-11-12 14:36 -------- d-----w- c:\users\Vorlock\AppData\Local\Adobe

2011-11-12 01:51 . 2011-11-12 01:51 525544 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-12 01:51 . 2011-11-12 01:51 -------- d-----w- c:\program files\Java

2011-11-12 01:47 . 2011-11-12 01:47 -------- d-----w- c:\program files (x86)\Common Files\Java

2011-11-12 01:45 . 2011-11-12 01:45 -------- d-----w- c:\program files (x86)\Java

2011-11-12 00:36 . 2011-11-12 00:36 -------- d-----w- C:\!KillBox

2011-11-12 00:02 . 2011-11-12 00:02 16200 ----a-w- c:\windows\GetSusp.sys

2011-11-11 21:59 . 2011-11-11 21:59 -------- d-----w- c:\programdata\Kaspersky Lab

2011-11-11 04:47 . 2011-11-11 04:47 -------- d-----w- c:\program files\CCleaner

2011-11-09 12:18 . 2011-09-20 21:06 1426304 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-09 12:18 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2011-11-09 12:18 . 2011-10-17 11:41 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat

2011-11-09 12:17 . 2011-09-30 16:16 893440 ----a-w- c:\program files\Common Files\System\wab32.dll

2011-11-09 12:17 . 2011-09-30 16:16 50688 ----a-w- c:\program files\Windows Mail\wabimp.dll

2011-11-09 12:17 . 2011-09-30 15:57 707584 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll

2011-11-08 01:29 . 2011-11-08 03:23 -------- d-----w- C:\More Stuff

2011-10-27 23:09 . 2011-10-29 16:04 -------- d-----w- c:\program files (x86)\LitexMedia

2011-10-27 22:49 . 2011-10-28 15:56 -------- d-----w- c:\users\Vorlock\AppData\Roaming\WinFF

2011-10-27 22:49 . 2011-10-27 22:49 -------- d-----w- c:\program files (x86)\WinFF

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-12 01:45 . 2010-05-18 02:13 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2011-11-10 21:09 . 2009-03-29 21:54 467744 ----a-w- c:\programdata\Microsoft\VWDExpress\9.0\1033\ResourceCache.dll

2011-10-20 11:11 . 2011-05-19 11:35 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-09-06 13:56 . 2011-10-12 02:56 2764288 ----a-w- c:\windows\system32\win32k.sys

2011-09-01 05:24 . 2011-10-12 11:14 2309120 ----a-w- c:\windows\system32\jscript9.dll

2011-09-01 05:17 . 2011-10-12 11:14 1389056 ----a-w- c:\windows\system32\wininet.dll

2011-09-01 05:12 . 2011-10-12 11:14 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-09-01 02:35 . 2011-10-12 11:14 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll

2011-09-01 02:28 . 2011-10-12 11:14 1126912 ----a-w- c:\windows\SysWow64\wininet.dll

2011-09-01 02:22 . 2011-10-12 11:14 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-08-31 22:00 . 2011-09-15 13:02 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-25 16:20 . 2011-10-12 02:56 735744 ----a-w- c:\windows\system32\UIAutomationCore.dll

2011-08-25 16:19 . 2011-10-12 02:56 332288 ----a-w- c:\windows\system32\oleacc.dll

2011-08-25 16:19 . 2011-10-12 02:56 847360 ----a-w- c:\windows\system32\oleaut32.dll

2011-08-25 16:15 . 2011-10-12 02:56 555520 ----a-w- c:\windows\SysWow64\UIAutomationCore.dll

2011-08-25 16:14 . 2011-10-12 02:56 563712 ----a-w- c:\windows\SysWow64\oleaut32.dll

2011-08-25 16:14 . 2011-10-12 02:56 238080 ----a-w- c:\windows\SysWow64\oleacc.dll

2011-08-25 13:54 . 2011-10-12 02:55 4096 ----a-w- c:\windows\system32\oleaccrc.dll

2011-08-25 13:31 . 2011-10-12 02:55 4096 ----a-w- c:\windows\SysWow64\oleaccrc.dll

2011-08-19 19:59 . 2011-09-16 01:53 158832 ----a-w- c:\windows\system32\mfevtps.exe

.

.

((((((((((((((((((((((((((((( SnapShot@2011-11-15_00.21.14 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-21 02:23 . 2011-11-15 23:03 61854 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2006-11-02 15:45 . 2011-11-15 23:59 80380 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin

+ 2009-02-07 22:35 . 2011-11-15 23:59 27378 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1874400647-2923675086-486371788-1000_UserData.bin

- 2009-02-07 22:32 . 2011-11-14 23:52 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-02-07 22:32 . 2011-11-15 23:26 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

- 2009-02-07 22:32 . 2011-11-14 23:52 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-07 22:32 . 2011-11-15 23:26 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-07 22:32 . 2011-11-15 23:26 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2009-02-07 22:32 . 2011-11-14 23:52 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2011-11-15 00:19 . 2011-11-15 00:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2011-11-15 23:57 . 2011-11-15 23:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2011-11-15 23:57 . 2011-11-15 23:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2011-11-15 00:19 . 2011-11-15 00:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2006-11-02 12:46 . 2011-11-14 23:07 701528 c:\windows\system32\perfh009.dat

+ 2006-11-02 12:46 . 2011-11-15 01:59 701528 c:\windows\system32\perfh009.dat

- 2006-11-02 12:46 . 2011-11-14 23:07 140494 c:\windows\system32\perfc009.dat

+ 2006-11-02 12:46 . 2011-11-15 01:59 140494 c:\windows\system32\perfc009.dat

- 2010-04-27 03:29 . 2011-11-15 00:18 321288 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2010-04-27 03:29 . 2011-11-15 23:56 321288 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2010-04-27 13:04 . 2011-11-15 23:56 4955368 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1874400647-2923675086-486371788-1000-8192.dat

- 2010-04-27 13:04 . 2011-11-15 00:18 4955368 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1874400647-2923675086-486371788-1000-8192.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

"igndlm.exe"="c:\program files (x86)\Download Manager\DLM.exe" [2009-05-15 1103216]

"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2010-09-17 2969496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1674896]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

.

c:\users\Vorlock\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Impulse Now.lnk - c:\program files (x86)\Stardock\Impulse\Now\ImpulseNow.exe [2009-7-3 419104]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 GetSusp;GetSusp;c:\windows\GetSusp.sys [2011-11-12 16200]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]

S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]

S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]

S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]

S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 208272]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]

S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RAVCpl64.exe" [2008-08-18 6440480]

"Skytel"="Skytel.exe" [2008-08-18 1833504]

"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-19 333344]

"combofix"="c:\combofix\CF12269.3XE" [2008-01-21 363008]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://my.yahoo.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 192.168.0.1

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

.

- - - - ORPHANS REMOVED - - - -

.

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.10"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

@Denied: (A 2) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

@="Shockwave Flash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

@Denied: (A 2) (Everyone)

@=""

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

@="FlashBroker"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Bonjour\mDNSResponder.exe

c:\windows\SysWOW64\rundll32.exe

c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\program files (x86)\Internet Explorer\iexplore.exe

.

**************************************************************************

.

Completion time: 2011-11-15 19:18:36 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-16 00:18

ComboFix2.txt 2011-11-15 00:42

.

Pre-Run: 345,698,422,784 bytes free

Post-Run: 345,422,172,160 bytes free

.

- - End Of File - - 9136520E68C3DE2E6F3711D6D9C4BF52

Link to post
Share on other sites

Hello again,

Do you recognize the following folder?

  • C:\More Stuff\

Please let me know :).
------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    iexplore.exe


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found at on your Desktop entitled SystemLook.txt

------

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats is Unchecked and the option Scan unwanted applications is checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

------

Download the latest version of Kaspersky Virus Removal Tool

  • Close all other applications and double-click and run the installer.
  • When the Kaspersky Virus Removal Tool starts, to the right of Security Level click Recommended, and select Settings.
  • In the window that opens (Autoscan), in the Scope tab place a checkmark to the left of Parse email formats.
  • Click the Additional tab and click to place a checkmark to the left of Deep scan, and click OK.
  • Select all the scanable items except for CD-ROM drives and click the Start scan button.
    6zvqld.gif
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply.

------

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Reglock::

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee] [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now ;)

------

In your next reply, please include:

  • If you recognize that folder
  • SystemLook log
  • ESET Online Scan log
  • Kaspersky AVP Tool log
  • The newly-created C:\ComboFix.txt

Also, please let me know how things are running now. :)

Link to post
Share on other sites

During the running of SystemLook, an ie window opened (visible) showing google feedburner. Then it changed to about:blank. I havent seen this behavior before.

Note that at the beginning of the log you see 3 files called iExplore.exe in unusual locations, c:\Users\Vorlock\Desktop\To Fight\, and the subdirs Installers and Downloads. These are actually rkill, renamed. When I was fighting the original infection I downloaded these files and the virus would not let me run them. The directions for the tools said to rename them to iexplore to get around the virus, which worked. I kept the files in case I needed to continue using them to fight, thus the "to fight" directory. Just to be perfectly explicit, I am talking about the 3rd, 4th, and 5th lines after "Searching for "iexplore.exe" in the file.

Here is the SystemLook log.

SystemLook 30.07.11 by jpshortstuff

Log created at 23:07 on 15/11/2011 by Vorlock

Administrator - Elevation successful

========== filefind ==========

Searching for "iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe --a---- 754480 bytes [02:15 07/07/2011] [02:15 07/07/2011] F1424C1B9B1813BF825E45DF3790BC8A

C:\Program Files (x86)\Internet Explorer\iexplore.exe --a---- 748336 bytes [02:15 07/07/2011] [02:15 07/07/2011] 904E13BA41AF2E353A32CF351CA53639

C:\Users\Vorlock\Desktop\To Fight\iExplore.exe --a---- 1008092 bytes [02:37 11/11/2011] [02:13 11/11/2011] 645A8F39A10306D50382EB49A6C49AAB

C:\Users\Vorlock\Desktop\To Fight\Downloads\iExplore.exe --a---- 1008092 bytes [02:13 11/11/2011] [02:13 11/11/2011] 645A8F39A10306D50382EB49A6C49AAB

C:\Users\Vorlock\Desktop\To Fight\Installers\iExplore.exe --a---- 1008092 bytes [18:34 11/11/2011] [02:13 11/11/2011] 645A8F39A10306D50382EB49A6C49AAB

C:\Windows\ERDNT\cache86\iexplore.exe --a---- 748336 bytes [00:30 15/11/2011] [02:15 07/07/2011] 904E13BA41AF2E353A32CF351CA53639

C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_9.1.8112.16421_none_b4c832cda4077f1c\iexplore.exe --a---- 754480 bytes [02:15 07/07/2011] [02:15 07/07/2011] F1424C1B9B1813BF825E45DF3790BC8A

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16643_none_89721e14d5531cd7\iexplore.exe --a---- 701440 bytes [07:10 04/02/2009] [07:10 04/02/2009] 31705413C889C5503F564C642D83C282

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16681_none_8944ddd0d57559ed\iexplore.exe --a---- 701440 bytes [07:09 04/02/2009] [07:09 04/02/2009] 699D1D2EAF5C80E7361809B0ED8AE773

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16711_none_89908f2ad53c937d\iexplore.exe --a---- 701440 bytes [07:06 04/02/2009] [07:06 04/02/2009] 88BC0B30EE1C0344119778A6E8F2509F

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16757_none_896b5136d5579b4b\iexplore.exe --a---- 709408 bytes [07:00 04/02/2009] [07:00 04/02/2009] FF441810C3CA6DC897CB322F60A6902F

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16764_none_895d806cd5626b37\iexplore.exe --a---- 709800 bytes [06:54 04/02/2009] [06:54 04/02/2009] 20B5615A7F3EB138651CE1B60C625D76

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16809_none_89a3634cd52d3f6b\iexplore.exe --a---- 709800 bytes [04:14 11/02/2009] [04:50 15/01/2009] D6F4816C6B7BE9A125E138B903C2B0EF

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16830_none_8979f0eed54daf2f\iexplore.exe --a---- 712888 bytes [22:19 14/04/2009] [04:41 03/03/2009] 57731E60EA98B8C279DCB5BBB82B68B7

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16851_none_89655160d55d0068\iexplore.exe --a---- 711432 bytes [11:19 10/06/2009] [16:32 24/04/2009] 8679C8CD9690758AF0984290A1843E72

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20777_none_89df4c43ee8575d0\iexplore.exe --a---- 701440 bytes [07:10 04/02/2009] [07:10 04/02/2009] 2EEE7F65B04F759FE7D238AD6EAB90B7

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20823_none_8a115c9dee6081e6\iexplore.exe --a---- 701440 bytes [07:09 04/02/2009] [07:09 04/02/2009] 1ACD856D345FA54F89335C793B2B0874

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20868_none_89eb1e5fee7c705d\iexplore.exe --a---- 701440 bytes [07:06 04/02/2009] [07:06 04/02/2009] D5A7B74CA0826CF5BCE4AE0152231A9B

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20927_none_8a155fabee5ce469\iexplore.exe --a---- 709408 bytes [07:00 04/02/2009] [07:00 04/02/2009] 8BC05A19FA4C19025D564A2201709F70

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20937_none_8a0a8fbfee65005a\iexplore.exe --a---- 709800 bytes [06:54 04/02/2009] [06:54 04/02/2009] C06D959943F4E6CEC8FF0484B1440F84

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20996_none_89c8afedee968ea9\iexplore.exe --a---- 709800 bytes [04:14 11/02/2009] [04:59 15/01/2009] 724BC813643C688280F353EC23128A66

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21023_none_8a1136a5ee60b24f\iexplore.exe --a---- 712888 bytes [22:19 14/04/2009] [04:36 03/03/2009] AA8005889396DF530BCDF0E2AA0E7A04

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21046_none_89fe97abee6e3636\iexplore.exe --a---- 711432 bytes [11:19 10/06/2009] [16:27 24/04/2009] 6B9F780596A6FA37909A1E17B13DB8F3

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_8b809b8cd25bf1ff\iexplore.exe --a---- 701952 bytes [02:50 21/01/2008] [02:50 21/01/2008] AC2C3BAFD177B60C3B5E4DDBCC2C2DB3

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18226_none_8b71013cd266bc39\iexplore.exe --a---- 712888 bytes [22:19 14/04/2009] [04:58 03/03/2009] 4F49A46AB978ED80D536E25FC87AF3F5

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18248_none_8b5d61f8d27526c9\iexplore.exe --a---- 711448 bytes [11:19 10/06/2009] [16:23 24/04/2009] FD4E1EF226A34D093AAD475B94C5E36E

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22389_none_8bbcbf5debb24fae\iexplore.exe --a---- 712872 bytes [22:19 14/04/2009] [05:02 03/03/2009] D7379B3EF7C87578F8966FF5C7B46E9D

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22418_none_8c07706deb7a6fe7\iexplore.exe --a---- 711432 bytes [11:19 10/06/2009] [16:07 24/04/2009] 3319AE709DEAA8539AB3B4110C3C675D

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6002.18005_none_8d6c1498cf7dbd4b\iexplore.exe --a---- 712864 bytes [03:23 30/12/2009] [07:11 11/04/2009] 58136AB5A3DF2D44BBB483629188584A

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18702_none_6e6bbde6e827625c\iexplore.exe --a---- 661344 bytes [11:11 18/06/2009] [21:09 08/03/2009] 7A81E0CECAE7B98459A073981F0124D5

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18813_none_6e61f02ae82e94cb\iexplore.exe --a---- 660744 bytes [11:13 29/07/2009] [22:12 21/07/2009] C45FA4DA458E0B3C9636B09488029BDD

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18828_none_6e5c21b0e8322f6f\iexplore.exe --a---- 660760 bytes [03:20 15/10/2009] [05:52 27/08/2009] 51BDD4A648CD937BC7111D09930114C3

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18865_none_6e2de122e855532e\iexplore.exe --a---- 660760 bytes [04:54 10/12/2009] [06:53 21/11/2009] 8ADB04E86E8A38307D0663CD002BFFD1

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18882_none_6e15406ce8683f0b\iexplore.exe --a---- 660760 bytes [22:56 21/01/2010] [07:09 02/01/2010] C9256212D298D96FE0F63D69ECD9CE97

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18904_none_6e6dc246e8258f58\iexplore.exe --a---- 660760 bytes [23:12 30/03/2010] [07:03 23/02/2010] 81AF4A1549710310E56B43C4D3F3657C

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18928_none_6e5c2396e8322c96\iexplore.exe --a---- 660760 bytes [22:01 10/06/2010] [06:57 04/05/2010] 6E4A7132FE953AFFAE00B15835404564

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18943_none_6e41824ce846e5c5\iexplore.exe --a---- 660760 bytes [22:57 11/08/2010] [06:31 26/06/2010] E9D8A71AFDCA528A184C1498E22A8241

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18975_none_6e23131ce85d6c46\iexplore.exe --a---- 660760 bytes [22:21 13/10/2010] [06:49 08/09/2010] 827BE3F3C80787B00F19E36B19531197

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18999_none_6e11746ce86a0984\iexplore.exe --a---- 660760 bytes [13:32 15/12/2010] [06:29 02/11/2010] 37302FCB9B7D54B0DBB43624E7A21B3C

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19019_none_6e67cbeee8295d3e\iexplore.exe --a---- 660760 bytes [03:17 09/02/2011] [06:56 18/12/2010] 8F69AE4F1AC2E1D2C34348D519007A2C

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19048_none_6e465be0e84297ba\iexplore.exe --a---- 660760 bytes [17:26 15/04/2011] [06:50 22/02/2011] 2E70FE17239DFCA6209FD698D0F18C61

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19088_none_6e1b1c30e863077e\iexplore.exe --a---- 660760 bytes [21:26 15/06/2011] [06:24 28/05/2011] CF331868494D0527484520912736518E

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22903_none_6ef65ce2014418a4\iexplore.exe --a---- 660744 bytes [11:13 29/07/2009] [06:30 22/07/2009] FDCF656D4B4E116D9C932AD2868FD811

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22918_none_6ef08e680147b348\iexplore.exe --a---- 660744 bytes [03:20 15/10/2009] [14:04 27/08/2009] CBDEB65EDCC5E574F43F1EF79E54C8A1

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22956_none_6ec34e240169f05e\iexplore.exe --a---- 660760 bytes [04:54 10/12/2009] [15:04 21/11/2009] 1B5572B8B9CD678E814F57B245400F64

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22973_none_6eaaad6e017cdc3b\iexplore.exe --a---- 660760 bytes [22:56 21/01/2010] [15:15 02/01/2010] B7ECFA3A546360E2A39ADBE1D773F3DC

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22995_none_6e970e2a018b46cb\iexplore.exe --a---- 660760 bytes [23:12 30/03/2010] [16:03 23/02/2010] D1978C9901DAA9A1C2EE78A707B1449A

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23019_none_6ef166d40146ffe1\iexplore.exe --a---- 660760 bytes [22:01 10/06/2010] [06:59 04/05/2010] 9D0512508DBDD31DA29BC05941417101

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23040_none_6ec7f47601676fa5\iexplore.exe --a---- 660760 bytes [22:57 11/08/2010] [18:17 28/06/2010] F896A6A9965B9C64061BE97F6D84B075

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23067_none_6eb956a4017158e8\iexplore.exe --a---- 660760 bytes [22:21 13/10/2010] [07:28 08/09/2010] D93AB1673986658EF1931FA751BCCF69

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23091_none_6e92e524018f14b1\iexplore.exe --a---- 660760 bytes [13:32 15/12/2010] [07:42 02/11/2010] F686191623AC22EE2521C2D17157B199

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23111_none_6ee9666a014e3250\iexplore.exe --a---- 660760 bytes [03:17 09/02/2011] [07:54 18/12/2010] FC6DC0E786A4D2E7DA6E9C012ED2E64F

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23143_none_6ecaf73a0164b8d1\iexplore.exe --a---- 660760 bytes [17:26 15/04/2011] [07:54 22/02/2011] E79C480F9DCD7512AAB9727A533CB152

C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23181_none_6e9db6f60186f5e7\iexplore.exe --a---- 660760 bytes [21:26 15/06/2011] [07:46 28/05/2011] 947A0CEFBB04E0DD2741AD1060B2B287

C:\Windows\winsxs\wow64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_9.1.8112.16421_none_bf1cdd1fd8684117\iexplore.exe --a---- 748336 bytes [02:15 07/07/2011] [02:15 07/07/2011] 904E13BA41AF2E353A32CF351CA53639

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16643_none_93c6c86709b3ded2\iexplore.exe --a---- 625664 bytes [07:10 04/02/2009] [07:10 04/02/2009] 9437CA21CD48C9B6BFD6F5AC0143D251

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16681_none_9399882309d61be8\iexplore.exe --a---- 625664 bytes [07:09 04/02/2009] [07:09 04/02/2009] 07ED775D6DB4BFA96D7CFB09EB228418

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16711_none_93e5397d099d5578\iexplore.exe --a---- 625664 bytes [07:06 04/02/2009] [07:06 04/02/2009] 157F8DE991396C536820D7FA5C8DCF7D

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16757_none_93bffb8909b85d46\iexplore.exe --a---- 633632 bytes [07:00 04/02/2009] [07:00 04/02/2009] 19403B64906C9EAC627E3C10847B0FDA

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16764_none_93b22abf09c32d32\iexplore.exe --a---- 634024 bytes [06:54 04/02/2009] [06:54 04/02/2009] D762642A109433EEDCD332B0A9511137

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16809_none_93f80d9f098e0166\iexplore.exe --a---- 634024 bytes [04:14 11/02/2009] [04:14 15/01/2009] 0844F5B9CB3BB85A917D347EF1565B6C

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16830_none_93ce9b4109ae712a\iexplore.exe --a---- 636072 bytes [22:19 14/04/2009] [04:22 03/03/2009] EA4BE33726155F89D89A3FE7142878E0

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16851_none_93b9fbb309bdc263\iexplore.exe --a---- 634648 bytes [11:19 10/06/2009] [16:25 24/04/2009] 1F44940EF1D07D0BDAF80E55853DFBD0

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20777_none_9433f69622e637cb\iexplore.exe --a---- 625664 bytes [07:10 04/02/2009] [07:10 04/02/2009] 182CAF7403705ACCB51211A761080B8F

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20823_none_946606f022c143e1\iexplore.exe --a---- 625664 bytes [07:09 04/02/2009] [07:09 04/02/2009] 9F1427F203CA078005C9943800929640

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20868_none_943fc8b222dd3258\iexplore.exe --a---- 625664 bytes [07:06 04/02/2009] [07:06 04/02/2009] 4DBD95312B1C96C5285D38F1D748CD4D

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20927_none_946a09fe22bda664\iexplore.exe --a---- 633632 bytes [07:00 04/02/2009] [07:00 04/02/2009] 6655B851D9EEF7C83395EE52D551B448

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20937_none_945f3a1222c5c255\iexplore.exe --a---- 634024 bytes [06:54 04/02/2009] [06:54 04/02/2009] 4CBA2F58668F2D5F3259CBE73E227F25

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20996_none_941d5a4022f750a4\iexplore.exe --a---- 634024 bytes [04:14 11/02/2009] [04:18 15/01/2009] F0B1CA517977BA2FF6DA33F1B966C488

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21023_none_9465e0f822c1744a\iexplore.exe --a---- 636072 bytes [22:19 14/04/2009] [04:18 03/03/2009] 1DD66A2851DACDEC32EAE8F9A8865ABD

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.21046_none_945341fe22cef831\iexplore.exe --a---- 634648 bytes [11:19 10/06/2009] [16:03 24/04/2009] D5271AC4A06AD9D1E2EA0151B79B2657

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18000_none_95d545df06bcb3fa\iexplore.exe --a---- 625664 bytes [02:48 21/01/2008] [02:48 21/01/2008] 5B92133D3E7FB2644677686305E29E81

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18226_none_95c5ab8f06c77e34\iexplore.exe --a---- 636072 bytes [22:19 14/04/2009] [04:40 03/03/2009] 9E6C1527D9A2C64BFD780AA23075380F

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.18248_none_95b20c4b06d5e8c4\iexplore.exe --a---- 634632 bytes [11:19 10/06/2009] [16:08 24/04/2009] F294D8EEB05C835EC44A12CE0A1DFE7A

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22389_none_961169b0201311a9\iexplore.exe --a---- 636072 bytes [22:19 14/04/2009] [04:32 03/03/2009] 8BA2B7A05F88BE0D45237A0994AD8366

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6001.22418_none_965c1ac01fdb31e2\iexplore.exe --a---- 634648 bytes [11:19 10/06/2009] [16:01 24/04/2009] D6157423C117F24D24695866A1D0A93F

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6002.18005_none_97c0beeb03de7f46\iexplore.exe --a---- 636080 bytes [03:23 30/12/2009] [06:27 11/04/2009] 2C5168C856455CC43C4B4E1CC1920001

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18702_none_78c068391c882457\iexplore.exe --a---- 638816 bytes [11:11 18/06/2009] [21:09 08/03/2009] B60DDDD2D63CE41CB8C487FCFBB6419E

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18813_none_78b69a7d1c8f56c6\iexplore.exe --a---- 638216 bytes [11:13 29/07/2009] [21:53 21/07/2009] C33BD196A0301F9B23D9A003D30ED8B0

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18828_none_78b0cc031c92f16a\iexplore.exe --a---- 638232 bytes [03:20 15/10/2009] [05:23 27/08/2009] 2E48756F12C21F46895036AC089AAD97

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18865_none_78828b751cb61529\iexplore.exe --a---- 638232 bytes [04:54 10/12/2009] [06:42 21/11/2009] 1B6362BB14FCEB9E76BCF9A953B04788

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18882_none_7869eabf1cc90106\iexplore.exe --a---- 638216 bytes [22:56 21/01/2010] [06:40 02/01/2010] 88BD42DAE7CFFEB256CA7145A15E4843

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18904_none_78c26c991c865153\iexplore.exe --a---- 638232 bytes [23:12 30/03/2010] [06:39 23/02/2010] 9F52FBE99C749E3F32C75124F09F1B03

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18928_none_78b0cde91c92ee91\iexplore.exe --a---- 638232 bytes [22:01 10/06/2010] [06:00 04/05/2010] 5C9B1062EA7A44E8F6BFDE994B68C7AA

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18943_none_78962c9f1ca7a7c0\iexplore.exe --a---- 638232 bytes [22:57 11/08/2010] [06:06 26/06/2010] 7420BE0E7D3D1320054F7ACA0594953D

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18975_none_7877bd6f1cbe2e41\iexplore.exe --a---- 638232 bytes [22:21 13/10/2010] [06:02 08/09/2010] D5A730DFDEAE005373E62BC2A866E3BB

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.18999_none_78661ebf1ccacb7f\iexplore.exe --a---- 638232 bytes [13:32 15/12/2010] [06:03 02/11/2010] 5AB037B17F8A87D052F5A88E0D29A3C8

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19019_none_78bc76411c8a1f39\iexplore.exe --a---- 638232 bytes [03:17 09/02/2011] [06:28 18/12/2010] B988D7F127B94BD5BF8356FE81B985C4

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19048_none_789b06331ca359b5\iexplore.exe --a---- 638232 bytes [17:26 15/04/2011] [06:21 22/02/2011] C1D36A2CBE0CEC4DF593DB1288CF586E

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.19088_none_786fc6831cc3c979\iexplore.exe --a---- 638232 bytes [21:26 15/06/2011] [06:09 28/05/2011] ED65737D70FDEAC29F738E77D2496EE5

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22903_none_794b073435a4da9f\iexplore.exe --a---- 638232 bytes [11:13 29/07/2009] [06:04 22/07/2009] 4B5AEA50CE77FBA4C2D169622DC9B489

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22918_none_794538ba35a87543\iexplore.exe --a---- 638216 bytes [03:20 15/10/2009] [13:31 27/08/2009] 7DD482E4A2E3CBB0A72F718C342F5B75

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22956_none_7917f87635cab259\iexplore.exe --a---- 638232 bytes [04:54 10/12/2009] [15:05 21/11/2009] E7F8DF50E483D165BB01F367D3519AA7

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22973_none_78ff57c035dd9e36\iexplore.exe --a---- 638216 bytes [22:56 21/01/2010] [14:58 02/01/2010] 3D8DA00B028DEA9517066F1CECBFC4A2

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.22995_none_78ebb87c35ec08c6\iexplore.exe --a---- 638232 bytes [23:12 30/03/2010] [15:06 23/02/2010] 25DB705A7DC85C208B3CF2D20F118AA7

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23019_none_7946112635a7c1dc\iexplore.exe --a---- 638232 bytes [22:01 10/06/2010] [06:32 04/05/2010] 48A6109E8DF0365195298CC527B7426A

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23040_none_791c9ec835c831a0\iexplore.exe --a---- 638232 bytes [22:57 11/08/2010] [06:52 26/06/2010] F05B3A2C6CB319DD1377AD566CF5ECE5

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23067_none_790e00f635d21ae3\iexplore.exe --a---- 638232 bytes [22:21 13/10/2010] [06:26 08/09/2010] 4A719476A6393B1DCACFEB4F3AC6599C

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23091_none_78e78f7635efd6ac\iexplore.exe --a---- 638232 bytes [13:32 15/12/2010] [07:13 02/11/2010] 92A17B0A89D14815AACC62CD190B6CE3

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23111_none_793e10bc35aef44b\iexplore.exe --a---- 638232 bytes [03:17 09/02/2011] [07:19 18/12/2010] 7852371DA9EFBC17B645558E23780EAC

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23143_none_791fa18c35c57acc\iexplore.exe --a---- 638232 bytes [17:26 15/04/2011] [07:18 22/02/2011] 9CE5543464432CA73134F170FA2BF823

C:\Windows\winsxs\wow64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_8.0.6001.23181_none_78f2614835e7b7e2\iexplore.exe --a---- 638232 bytes [21:26 15/06/2011] [07:09 28/05/2011] 7EE10C5413AD7ED1AF9E8FAE1B58FC3E

-= EOF =-

Link to post
Share on other sites

I am running the ESET scanner now but I will have to stop it to go to bed. I dont feel comfortable leaving the computer online unattended overnight. (It has run for 34 minutes, says 99% done, step 3 out of 4, but is only at program files (x86) so far, so it has a ways to go. So far it says no threats found.)

As the scanner was running, a new internet explorer window opened and went to heyzap.com. It went to a few pages on that site, then went to twitter/heyzap, then a few random twitter pages, then went to about:blank, and eventually went away.

Tomorrow I will run those other things. But your animated picture showing what to do with the Kaspersky's tool does not match the text directions you said. The picture is setting a slider to deep scan, checking the signature scan of vulnerabilities (which you didnt mention), and doesnt have the email thing checked, which you did say to do. So I am wondering which to do, what the text you wrote, or what the picture is doing. Please clarify what you would like me to do. (If I dont hear from you before I get around to doing this, I am likely to do the email and the slider, basically do it all.)

Thank you very much for your time and efforts.

Link to post
Share on other sites

I am running the ESET scanner now but I will have to stop it to go to bed. I dont feel comfortable leaving the computer online unattended overnight. (It has run for 34 minutes, says 99% done, step 3 out of 4, but is only at program files (x86) so far, so it has a ways to go. So far it says no threats found.)

I understand, no worries. I will be calling it a night as well :).

But your animated picture showing what to do with the Kaspersky's tool does not match the text directions you said. The picture is setting a slider to deep scan, checking the signature scan of vulnerabilities (which you didnt mention), and doesnt have the email thing checked, which you did say to do. So I am wondering which to do, what the text you wrote, or what the picture is doing. Please clarify what you would like me to do. (If I dont hear from you before I get around to doing this, I am likely to do the email and the slider, basically do it all.)

My apologies, it appears that the picture is outdated. If you could please open Settings (found on the "gear-shaped" tab) make sure that there are check boxes by Heuristic Analysis, Signature Scan of Vulnerabilities, Rootkit Scan & Deep Scan, and then move the slider to the Deep Scan setting. That should be all you need. I hope this helps :)

Link to post
Share on other sites

Ran ESET Scanner but it didnt find anything. I cant find the log.txt file you said to post. It took about 2 hrs to run. After it is done it asks if you want to uninstall and I said yes. I dont know if that is why the log file is not there. Hopefully, since it didnt find any threats, I havent lost any important log info for you. I will now go on to the next step.

Link to post
Share on other sites

Ran ESET Scanner but it didnt find anything. I cant find the log.txt file you said to post. It took about 2 hrs to run. After it is done it asks if you want to uninstall and I said yes. I dont know if that is why the log file is not there. Hopefully, since it didnt find any threats, I havent lost any important log info for you. I will now go on to the next step.

Sounds good. Thank you for letting me know :)

Link to post
Share on other sites

Ran kasperspy tool. It found some stuff but iexplore is still running and doing its thing.

It took over 5 hrs to run the tool, and it did not say it was going to uninstall itself when I closed it.

There were 2 logs. One was very very large and did not have a detected section. The other was very small and showed just the threats it found/dealt with. That is the one I am including below.

Status: Disinfected (events: 2)

11/16/2011 8:26:42 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.er File C:\Documents and Settings\Vorlock\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\592131b8-78a356b0/json/ Search.class High

11/16/2011 8:26:42 PM Disinfected Trojan program Exploit.Java.CVE-2010-0840.er File C:\Documents and Settings\Vorlock\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\ 592131b8-78a356b0 High

Status: Vulnerability (events: 3)

11/16/2011 9:46:33 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/42014 File C:\Program Files (x86)\Teamspeak2_RC2\ TeamSpeak.exe Low

11/16/2011 11:27:37 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/46113 File C:\Windows\SysWOW64\Macromed\Flash\ NPSWF32.dll Low

11/17/2011 1:25:51 AM Vulnerability vulnerability http://www.securelist.com/en/advisories/42014 File c:\Program Files (x86)\Teamspeak2_RC2\ TeamSpeak.exe Low

Status: Deleted (events: 2)

11/17/2011 1:17:12 AM Deleted Trojan program Trojan.Win32.Vilsel.amnb File C:\Xfer\downloads and hacks\CoffeeFreeFTPInstaller.exe// FreeFTP.exe High

11/17/2011 1:17:12 AM Deleted Trojan program Trojan.Win32.Vilsel.amnb File C:\Xfer\downloads and hacks\ CoffeeFreeFTPInstaller.exe High

END OF LOG

Notes: The 1st 2 items happened while I was watching it and I pushed delete to kill them, as instructed. The vulnerabilities happened when I wasnt watching and there was no option to do anything about them. The final 2 events happened overnight when I was not watching, and the program seemed to delete them without asking me. Those last 2 files have been around for a very long time on my computer, and in fact were transfered to the computer perhaps 3 years ago from my old computer and left untouched since. I dont know if it is a false positive or they somehow got infected since then.

I have to go to work now so ComboFix will have to wait till later.

Link to post
Share on other sites

My apologies for the delay,

please try the following:

The Kaspersky Rescue Disk is a bootable CD based version of Kaspersky Antivirus.

The download is in ISO format.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Download the Kaspersky Rescue Disk:

http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/ .

  • Burn the Kaspersky Rescue Disk ISO image to CD.
  • Insert the Kaspersky Rescue Disk CD into your CD/DVD drive and boot the computer (you may need to change the boot sequence in your system's BIOS to boot from the CD/DVD drive).
  • Follow the instructions in the initial text screen to press Enter to start Kaspersky AntiVirus.
  • Select your language (or wait a few seconds for the default English to load).
  • Your screen may go blank for several minutes while the program loads.
  • After the Kaspersky Rescue Disk loads, the database will be updated (if you have network connectivity)
    • Click the Update tab to view the update progress.
    • When the update has completed, click the Scan tab.

    [*]Place a checkmark in all the available drives to scan the entire system.

    [*]Click the "Security level" option, and select options.

    • Make sure "All Files" is selected
    • Under "Scan of compound files" ensure all options are selected and click the OK button.

    [*]Click the "On threat detection" option

    • Select "Do not prompt", "Disinfect", and "Delete if disinfection fails".

    [*]Click the "Start scan" button.

    [*]When the scan has completed, click the Reports button.

    • Click the Save button, and select your System drive (normally your C: drive)
    • In the "File name" box, name the file krd-log and click the Save button.
    • Click Close to close the Reports window.

    [*]Click the Exit button to close the Rescue Disk program and confirm.

    In the lower left of the screen, left-click the red K button, select Logout, and confirm.

    [*]The computer will shut down.

    [*]Restart the computer and reboot normally.

    [*]Please post the log (krd-log.txt) in your next reply.

Link to post
Share on other sites

Here is the combofix log. There were some interesting errors during its running, a few times it said pev stopped working.

I am now going to go on to the rescue disk item.

ComboFix 11-11-15.06 - Vorlock 11/17/2011 17:22:42.3.2 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4093.2818 [GMT -5:00]

Running from: c:\users\Vorlock\Desktop\ComboFix.exe

Command switches used :: c:\users\Vorlock\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}

FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2011-10-17 to 2011-11-17 )))))))))))))))))))))))))))))))

.

.

2011-11-17 22:55 . 2011-11-17 22:55 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-11-15 04:09 . 2011-11-15 04:09 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2011-11-12 14:36 . 2011-11-12 14:36 -------- d-----w- c:\users\Vorlock\AppData\Local\Adobe

2011-11-12 01:51 . 2011-11-12 01:51 525544 ----a-w- c:\windows\system32\deployJava1.dll

2011-11-12 01:51 . 2011-11-12 01:51 -------- d-----w- c:\program files\Java

2011-11-12 01:47 . 2011-11-12 01:47 -------- d-----w- c:\program files (x86)\Common Files\Java

2011-11-12 01:45 . 2011-11-12 01:45 -------- d-----w- c:\program files (x86)\Java

2011-11-12 00:02 . 2011-11-12 00:02 16200 ----a-w- c:\windows\GetSusp.sys

2011-11-11 21:59 . 2011-11-11 21:59 -------- d-----w- c:\programdata\Kaspersky Lab

2011-11-11 04:47 . 2011-11-11 04:47 -------- d-----w- c:\program files\CCleaner

2011-11-09 12:18 . 2011-09-20 21:06 1426304 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-11-09 12:18 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2011-11-09 12:18 . 2011-10-17 11:41 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat

2011-11-09 12:17 . 2011-09-30 16:16 893440 ----a-w- c:\program files\Common Files\System\wab32.dll

2011-11-09 12:17 . 2011-09-30 16:16 50688 ----a-w- c:\program files\Windows Mail\wabimp.dll

2011-11-09 12:17 . 2011-09-30 15:57 707584 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll

2011-11-08 01:29 . 2011-11-08 03:23 -------- d-----w- C:\More Stuff

2011-10-27 23:09 . 2011-10-29 16:04 -------- d-----w- c:\program files (x86)\LitexMedia

2011-10-27 22:49 . 2011-10-28 15:56 -------- d-----w- c:\users\Vorlock\AppData\Roaming\WinFF

2011-10-27 22:49 . 2011-10-27 22:49 -------- d-----w- c:\program files (x86)\WinFF

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-11-12 01:45 . 2010-05-18 02:13 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll

2011-11-10 21:09 . 2009-03-29 21:54 467744 ----a-w- c:\programdata\Microsoft\VWDExpress\9.0\1033\ResourceCache.dll

2011-10-20 11:11 . 2011-05-19 11:35 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2011-09-06 13:56 . 2011-10-12 02:56 2764288 ----a-w- c:\windows\system32\win32k.sys

2011-09-01 05:24 . 2011-10-12 11:14 2309120 ----a-w- c:\windows\system32\jscript9.dll

2011-09-01 05:17 . 2011-10-12 11:14 1389056 ----a-w- c:\windows\system32\wininet.dll

2011-09-01 05:12 . 2011-10-12 11:14 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2011-09-01 02:35 . 2011-10-12 11:14 1798144 ----a-w- c:\windows\SysWow64\jscript9.dll

2011-09-01 02:28 . 2011-10-12 11:14 1126912 ----a-w- c:\windows\SysWow64\wininet.dll

2011-09-01 02:22 . 2011-10-12 11:14 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

2011-08-31 22:00 . 2011-09-15 13:02 25416 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-08-25 16:20 . 2011-10-12 02:56 735744 ----a-w- c:\windows\system32\UIAutomationCore.dll

2011-08-25 16:19 . 2011-10-12 02:56 332288 ----a-w- c:\windows\system32\oleacc.dll

2011-08-25 16:19 . 2011-10-12 02:56 847360 ----a-w- c:\windows\system32\oleaut32.dll

2011-08-25 16:15 . 2011-10-12 02:56 555520 ----a-w- c:\windows\SysWow64\UIAutomationCore.dll

2011-08-25 16:14 . 2011-10-12 02:56 563712 ----a-w- c:\windows\SysWow64\oleaut32.dll

2011-08-25 16:14 . 2011-10-12 02:56 238080 ----a-w- c:\windows\SysWow64\oleacc.dll

2011-08-25 13:54 . 2011-10-12 02:55 4096 ----a-w- c:\windows\system32\oleaccrc.dll

2011-08-25 13:31 . 2011-10-12 02:55 4096 ----a-w- c:\windows\SysWow64\oleaccrc.dll

.

.

((((((((((((((((((((((((((((( SnapShot@2011-11-15_00.21.14 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-21 02:23 . 2011-11-17 23:00 62196 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2006-11-02 15:45 . 2011-11-17 23:00 80498 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin

+ 2009-02-07 22:35 . 2011-11-17 23:00 27414 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1874400647-2923675086-486371788-1000_UserData.bin

- 2009-02-07 22:32 . 2011-11-14 23:52 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-02-07 22:32 . 2011-11-17 22:29 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat

+ 2009-02-07 22:32 . 2011-11-17 22:29 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

- 2009-02-07 22:32 . 2011-11-14 23:52 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-07 22:32 . 2011-11-17 22:29 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2009-02-07 22:32 . 2011-11-14 23:52 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat

- 2011-11-15 00:19 . 2011-11-15 00:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2011-11-17 22:57 . 2011-11-17 22:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2011-11-17 22:57 . 2011-11-17 22:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

- 2011-11-15 00:19 . 2011-11-15 00:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2006-11-02 12:46 . 2011-11-15 01:59 701528 c:\windows\system32\perfh009.dat

- 2006-11-02 12:46 . 2011-11-14 23:07 701528 c:\windows\system32\perfh009.dat

- 2006-11-02 12:46 . 2011-11-14 23:07 140494 c:\windows\system32\perfc009.dat

+ 2006-11-02 12:46 . 2011-11-15 01:59 140494 c:\windows\system32\perfc009.dat

+ 2010-04-27 03:29 . 2011-11-17 22:56 321288 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

- 2010-04-27 03:29 . 2011-11-15 00:18 321288 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2010-04-27 13:04 . 2011-11-17 22:57 5293396 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1874400647-2923675086-486371788-1000-8192.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]

"igndlm.exe"="c:\program files (x86)\Download Manager\DLM.exe" [2009-05-15 1103216]

"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2010-09-17 2969496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1674896]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]

.

c:\users\Vorlock\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Impulse Now.lnk - c:\program files (x86)\Stardock\Impulse\Now\ImpulseNow.exe [2009-7-3 419104]

.

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 GetSusp;GetSusp;c:\windows\GetSusp.sys [2011-11-12 16200]

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [x]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]

S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [x]

S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [x]

S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]

S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]

S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]

S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 208272]

S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [x]

S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]

S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [x]

S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [x]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]

iissvcs REG_MULTI_SZ w3svc was

apphost REG_MULTI_SZ apphostsvc

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"RtHDVCpl"="RAVCpl64.exe" [2008-08-18 6440480]

"Skytel"="Skytel.exe" [2008-08-18 1833504]

"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-19 333344]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

uStart Page = hxxp://my.yahoo.com/

mLocal Page = c:\windows\SysWOW64\blank.htm

uInternet Settings,ProxyOverride = *.local

Trusted Zone: internet

Trusted Zone: mcafee.com

TCP: DhcpNameServer = 192.168.0.1

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

.

- - - - ORPHANS REMOVED - - - -

.

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)

ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]

"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\Bonjour\mDNSResponder.exe

c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

c:\windows\SysWOW64\rundll32.exe

c:\program files (x86)\Internet Explorer\iexplore.exe

c:\windows\SysWOW64\Macromed\Flash\FlashUtil11c_ActiveX.exe

c:\program files (x86)\Common Files\Steam\SteamService.exe

.

**************************************************************************

.

Completion time: 2011-11-17 18:20:35 - machine was rebooted

ComboFix-quarantined-files.txt 2011-11-17 23:20

ComboFix2.txt 2011-11-16 00:18

ComboFix3.txt 2011-11-15 00:42

.

Pre-Run: 325,421,748,224 bytes free

Post-Run: 325,449,068,544 bytes free

.

- - End Of File - - 9DA7755E69630175716BBA131597A979

Link to post
Share on other sites

Finally, seemingly we have success. Here is the log:

Objects Scan: completed 4 minutes ago (events: 5, objects: 818147, time: 02:30:26)

11/17/11 7:10 PM Task started

11/17/11 7:10 PM Detected: Rootkit.Boot.SST.b /dev/sda

11/17/11 7:10 PM Disinfected: Rootkit.Boot.SST.b /dev/sda

11/17/11 7:10 PM Disinfected: Rootkit.Boot.SST.b /dev/sda

11/17/11 9:40 PM Task completed

The system seemed to boot much faster now. I can also see my 2nd internal hard drive, which used to sometimes disappear. And there is no iexplore process running in the background so far. Looks like this might be it.

Thank you very much for your help.

Link to post
Share on other sites

That is excellent news! :)

Before we move on to the next step, let's run an online scan to verify that there aren't any traces left which may reinfect your system:

Please go HERE to run Panda ActiveScan 2.0

  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.