Help Please


This topic is locked
45 replies to this topic

#1 RickWeaver

    New Member

  • Members
  • 37 posts

Posted 03 March 2012 - 08:08 PM

I have MB Pro and have scanned and cleaned, but I still have redirects and other warnings. I am getting a lot of outgoing malicious websites being blocked.

Thanks for helping. Here are the DDS and Attach logs:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 18:45:50 on 2012-03-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.480 [GMT -6:00]
.
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Enabled/Outdated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\TRENDnet\TEW-649UB\WlanCU.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dogpile.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111018140631.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\trendnet\tew-649ub\WlanCU.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237586612703
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{281678F0-3FF4-427B-891A-6BFB7FD89A7D} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{3482D92F-2B8A-4733-A203-0658E54E932A} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D35D11C8-9B88-4D54-A627-5BD8E9C9A241} : DhcpNameServer = 192.168.0.8 192.168.0.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 66.197.194.231 www.google-analytics.com.
Hosts: 66.197.194.231 ad-emea.doubleclick.net.
Hosts: 66.197.194.231 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\4zhz37dx.default\
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-10-18 436728]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-10-18 88544]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-14 652360]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-10-18 159320]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-1-12 209760]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-10-18 145936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2011-5-19 2519040]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [2012-3-3 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-14 20464]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-10-18 171296]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-10-18 58456]
R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [2012-3-3 588032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 WLSVC;WLSVC;c:\program files\trendnet\tew-649ub\WLSVC.exe [2012-3-3 167936]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-10-18 85152]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2011-12-20 50704]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-04 00:23:06 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-03-04 00:23:01 -------- d-----w- c:\program files\TRENDnet
2012-03-03 20:57:16 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2012-03-03 20:57:07 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2012-03-03 20:57:05 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
2012-02-09 13:43:40 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-02-09 13:43:39 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-08 14:29:40 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Identities
2012-02-08 14:29:27 -------- d-----w- c:\documents and settings\administrator\application data\Omiv
2012-02-08 14:29:27 -------- d-----w- c:\documents and settings\administrator\application data\Inegy
2012-02-05 14:23:00 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
==================== Find3M ====================
.
2011-12-20 14:40:23 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2011-12-20 14:40:23 281104 ----a-w- c:\windows\system32\wpcap.dll
2011-12-20 14:40:23 100880 ----a-w- c:\windows\system32\Packet.dll
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-75MSA3 rev.10.01E04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xBA2ABFC0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A6C5AB8]
3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89DB6C78]
\Driver\00000796[0x89DB8880] -> IRP_MJ_CREATE -> 0xBA2ABFC0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D3A2C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 18:48:16.48 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/20/2009 2:48:17 PM
System Uptime: 3/3/2012 6:16:06 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0HX555
Processor: Intel® Core™2 Duo CPU E6550 @ 2.33GHz | CPU | 2327/1333mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 57.849 GiB free.
D: is CDROM (CDFS)
Z: is NetworkDisk (NTFS) - 931 GiB total, 508.82 GiB free.
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Intel® Active Management Technology - SOL
Device ID: PCI\VEN_8086&DEV_29B7&SUBSYS_02111028&REV_02\3&172E68DD&0&1B
Manufacturer: Intel
Name: Intel® Active Management Technology - SOL (COM3)
PNP Device ID: PCI\VEN_8086&DEV_29B7&SUBSYS_02111028&REV_02\3&172E68DD&0&1B
Service: Serial
.
Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Communications Port
Device ID: ACPI\PNP0501\1
Manufacturer: (Standard port types)
Name: Communications Port (COM1)
PNP Device ID: ACPI\PNP0501\1
Service: Serial
.
==== System Restore Points ===================
.
RP77: 12/5/2011 8:06:38 AM - System Checkpoint
RP78: 12/6/2011 8:55:45 AM - System Checkpoint
RP79: 12/7/2011 9:34:23 AM - System Checkpoint
RP80: 12/8/2011 11:06:35 AM - System Checkpoint
RP81: 12/9/2011 11:16:49 AM - System Checkpoint
RP82: 12/12/2011 8:10:50 AM - System Checkpoint
RP83: 12/13/2011 8:52:52 AM - System Checkpoint
RP84: 12/14/2011 8:58:43 AM - System Checkpoint
RP85: 12/15/2011 9:42:36 AM - System Checkpoint
RP86: 12/15/2011 4:27:16 PM - Software Distribution Service 3.0
RP87: 12/16/2011 12:31:17 PM - Software Distribution Service 3.0
RP88: 12/16/2011 2:57:16 PM - Restore Operation
RP89: 12/16/2011 3:09:12 PM - Restore Operation
RP90: 12/17/2011 9:47:42 AM - Restore Operation
RP91: 12/17/2011 9:49:49 AM - Restore Operation
RP92: 12/17/2011 11:55:13 AM - Software Distribution Service 3.0
RP93: 12/19/2011 9:25:43 AM - System Checkpoint
RP94: 12/20/2011 11:27:56 AM - System Checkpoint
RP95: 12/21/2011 11:56:46 AM - System Checkpoint
RP96: 12/27/2011 11:23:08 AM - System Checkpoint
RP97: 12/28/2011 1:45:29 PM - System Checkpoint
RP98: 12/29/2011 2:45:12 PM - System Checkpoint
RP99: 1/3/2012 10:49:09 AM - System Checkpoint
RP100: 1/5/2012 9:33:21 AM - System Checkpoint
RP101: 1/6/2012 9:49:42 AM - System Checkpoint
RP102: 1/9/2012 8:35:48 AM - System Checkpoint
RP103: 1/10/2012 4:23:16 PM - Software Distribution Service 3.0
RP104: 1/11/2012 7:36:38 AM - Software Distribution Service 3.0
RP105: 1/11/2012 4:34:33 PM - Software Distribution Service 3.0
RP106: 1/13/2012 2:20:07 PM - System Checkpoint
RP107: 1/16/2012 9:01:17 AM - System Checkpoint
RP108: 1/17/2012 2:04:06 PM - System Checkpoint
RP109: 1/17/2012 4:24:59 PM - Software Distribution Service 3.0
RP110: 1/19/2012 9:12:36 AM - System Checkpoint
RP111: 1/23/2012 10:00:50 AM - System Checkpoint
RP112: 1/25/2012 11:10:59 AM - System Checkpoint
RP113: 1/26/2012 12:01:32 PM - System Checkpoint
RP114: 1/30/2012 7:33:50 AM - System Checkpoint
RP115: 1/31/2012 1:43:49 PM - System Checkpoint
RP116: 2/2/2012 7:35:27 AM - System Checkpoint
RP117: 2/4/2012 7:58:58 AM - System Checkpoint
RP118: 2/4/2012 8:06:23 AM - Restore Operation
RP119: 2/9/2012 7:41:07 AM - Restore Operation
RP120: 2/9/2012 7:42:35 AM - Restore Operation
RP121: 2/13/2012 8:04:28 AM - Restore Operation
RP122: 3/3/2012 2:35:46 PM - Restore Operation
RP123: 3/3/2012 2:46:10 PM - Restore Operation
RP124: 3/3/2012 2:57:05 PM - Installed TRENDnet TEW-649UB Wireless N speed USB Adapter
RP125: 3/3/2012 2:59:18 PM - Unsigned driver install
RP126: 3/3/2012 6:22:22 PM - Removed TRENDnet TEW-649UB Wireless N speed USB Adapter
RP127: 3/3/2012 6:23:00 PM - Installed TRENDnet TEW-649UB Wireless N speed USB Adapter
RP128: 3/3/2012 6:24:19 PM - Unsigned driver install
.
==== Hosts File Hijack ======================
.
Hosts: 66.197.194.231 www.google-analytics.com.
Hosts: 66.197.194.231 ad-emea.doubleclick.net.
Hosts: 66.197.194.231 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
Hosts: 69.72.252.254 www.statcounter.com.
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader X (10.1.1)
Adobe Shockwave Player 11.5
AnalogX POW!
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Broadcom Gigabit Integrated Controller
CDBurnerXP
Cole2k Media - Codec Pack (Standard) 6.0.9
Critical Update for Windows Media Player 11 (KB959772)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Interface
Intel® PRO Network Connections Drivers
Intel® Active Management Technology
Java™ 6 Update 24
K-Lite Codec Pack 7.1.0 (Full)
Malwarebytes Anti-Malware version 1.60.1.1000
McAfee Agent
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 4.0.1 (x86 en-US)
OpenOffice.org 3.3
Picasa 3
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SoundMAX
TRENDnet TEW-649UB Wireless N speed USB Adapter
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VLC media player 1.1.9
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell™ 1.0 MUI pack
WinRAR 4.00 (32-bit)
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
3/3/2012 6:21:01 PM, error: Schedule [7901] - The At86.job command failed to start due to the following error: %%2147942402
3/3/2012 6:21:00 PM, error: Schedule [7901] - The At85.job command failed to start due to the following error: %%2147942402
3/3/2012 6:16:39 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
3/3/2012 5:21:00 PM, error: Schedule [7901] - The At84.job command failed to start due to the following error: %%2147942402
3/3/2012 5:21:00 PM, error: Schedule [7901] - The At83.job command failed to start due to the following error: %%2147942402
3/3/2012 4:21:00 PM, error: Schedule [7901] - The At82.job command failed to start due to the following error: %%2147942402
3/3/2012 4:21:00 PM, error: Schedule [7901] - The At81.job command failed to start due to the following error: %%2147942402
3/3/2012 3:21:00 PM, error: Schedule [7901] - The At80.job command failed to start due to the following error: %%2147942402
3/3/2012 3:21:00 PM, error: Schedule [7901] - The At79.job command failed to start due to the following error: %%2147942402
3/3/2012 2:52:46 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
3/3/2012 2:37:00 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/3/2012 2:36:58 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
3/3/2012 2:36:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The McAfee McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/3/2012 2:36:51 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
.
==== End Of File ===========================
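The "Hosts:" lines in the DDS log above are the pattern a responder would script a check for: third-party domains (analytics and ad hosts) pinned to remote addresses, with several entries per name. The following Python is an added example, not part of the original post or of DDS; the sample hosts text is constructed from the entries quoted in the log.

```python
import ipaddress

# Constructed hosts-file text mirroring the entries quoted in the DDS and
# RogueKiller logs; those tools print names with a trailing dot (FQDN form).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
66.197.194.231 www.google-analytics.com.
66.197.194.231 ad-emea.doubleclick.net.
66.197.194.231 www.statcounter.com.
69.72.252.254 www.google-analytics.com.
69.72.252.254 ad-emea.doubleclick.net.
69.72.252.254 www.statcounter.com.
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments and malformed
    lines; hostnames are lower-cased with any trailing dot removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # first field is not an address
        for name in fields[1:]:
            yield ip, name.rstrip(".").lower()


def find_hijacks(text):
    """Return {hostname: sorted IPs} for every name mapped to a non-local
    address. Loopback (127.0.0.1, ::1) and the unspecified address (0.0.0.0)
    are ignored because ad-blocking hosts lists legitimately use them; a name
    sent to a remote IP instead is the redirect pattern seen in this thread."""
    mappings = {}
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        mappings.setdefault(name, set()).add(str(ip))
    return {name: sorted(ips) for name, ips in sorted(mappings.items())}


if __name__ == "__main__":
    for name, ips in find_hijacks(SAMPLE_HOSTS).items():
        print(f"{name} -> {', '.join(ips)}")
```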

#2 MrCharlie

    Forum Deity

  • Experts
  • 28,188 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 06 March 2012 - 02:25 PM

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.
Click Scan to scan the system (don't run any other options)
Post back the report.

MrC

Malware Removal Expert

I volunteer my free time to help you; if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#3 RickWeaver

    New Member

  • Members
  • 37 posts

Posted 10 March 2012 - 07:35 PM

MrC,

I have tried to run RogueKiller but it keeps rebooting the computer when it says it is reading the MBR. What should I try next?

#4 RickWeaver

    New Member

  • Members
  • 37 posts

Posted 10 March 2012 - 07:55 PM

OK, I ran RogueKiller in Safe Mode and it completed with the following report:

RogueKiller V7.3.1 [03/10/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User: Administrator [Admin rights]
Mode: Scan -- Date: 03/10/2012 18:40:40
¤¤¤ Bad processes: 0 ¤¤¤
¤¤¤ Registry Entries: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
[FAKED] afd.sys : c:\windows\system32\drivers\afd.sys --> CANNOT FIX
¤¤¤ Driver: [NOT LOADED] ¤¤¤
¤¤¤ Infection : Root.MBR|ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!
¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost
66.197.194.231 www.google-analytics.com.
66.197.194.231 ad-emea.doubleclick.net.
66.197.194.231 www.statcounter.com.
69.72.252.254 www.google-analytics.com.
69.72.252.254 ad-emea.doubleclick.net.
69.72.252.254 www.statcounter.com.

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR] a456f312c0e435782971f94dba7cdfdf
[BSP] bec400d75a08f6cdd3306fcc22e6a067 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] c3cb072bf8e200fb802e1b0e690e1a00
[BSP] eee50617a5d37a043311c472ae6d4d37 : PiHar MBR Code!
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76293 Mo
Finished : << RKreport[1].txt >>
RKreport[1].txt
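RogueKiller's MBR Check hashes the first sector as seen through the normal Windows read path ("User") and through its own lower-level reads ("LL1", "LL2"): equal hashes give OK!, a mismatch gives KO!, and in the report above the user view carries stock Windows XP MBR code while LL2 sees different boot code over an identical partition table. The Python below is an added example, not RogueKiller's code: it builds two constructed 512-byte MBR images, hashes them the way the report presents them ([MBR] whole sector; [BSP] bootstrap code, assumed here to be the 446 bytes before the partition table), decodes the partition table in the report's format and states the verdict. How RogueKiller performs its low-level reads is not on the page and is not modelled; only one low-level view is compared.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446   # four 16-byte entries follow the bootstrap code
PART_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32", 0x83: "Linux"}

# Opening bytes of the stock Windows XP MBR code, as disassembled in the
# GMER trace above (XOR AX,AX / MOV SS,AX / MOV SP,7C00h / ...). The rest
# of the bootstrap area is zero-padded here, so the hashes are demo values.
XP_BOOT_PREFIX = bytes.fromhex("33C08ED0BC007CFB5007501FFCBE1B7CBF1B065057B9E501F3A4CB")
# Constructed stand-in for altered boot code: NOP bytes, not rootkit code.
ALTERED_BOOT_PREFIX = bytes([0x90] * len(XP_BOOT_PREFIX))


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from bootstrap code and
    (active, type, lba_start, sector_count) tuples. Demo helper only;
    a real tool reads the sector from the disk."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (active, ptype, start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        status = 0x80 if active else 0x00
        # CHS fields are left zero; the LBA start and count are what matter.
        mbr[off:off + 16] = struct.pack("<B3sB3sII", status, b"\0\0\0",
                                        ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xAA"                       # boot signature
    return bytes(mbr)


def parse_partitions(mbr):
    """Decode the partition table into lines in RogueKiller's report format."""
    lines = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, start, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype == 0:
            continue                                  # empty slot
        flag = "ACTIVE" if status & 0x80 else "XXXXXX"
        name = PART_TYPES.get(ptype, "UNKNOWN")
        size_mb = count * SECTOR // (1024 * 1024)     # "Mo" = megabytes
        lines.append(f"{i} - [{flag}] {name} (0x{ptype:02X}) [VISIBLE] "
                     f"Offset (sectors): {start} | Size: {size_mb} Mo")
    return lines


def fingerprint(mbr):
    """Return ([MBR] md5 of the whole sector, [BSP] md5 of the bootstrap code).
    Taking the bootstrap code as bytes 0..445 is an assumption of this demo."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    return (hashlib.md5(mbr).hexdigest(),
            hashlib.md5(mbr[:PART_TABLE_OFF]).hexdigest())


def compare_reads(user_mbr, lowlevel_mbr):
    """The User-vs-LL test: a rootkit that filters disk I/O can hand the normal
    read path a clean sector while the sector really on disk differs. Equal
    hashes -> OK!, different -> KO!. The partition table is compared
    separately because an MBR infector usually preserves it so the system
    still boots, which is exactly what the report above shows."""
    u_mbr, u_bsp = fingerprint(user_mbr)
    l_mbr, l_bsp = fingerprint(lowlevel_mbr)
    return {
        "user": (u_mbr, u_bsp),
        "lowlevel": (l_mbr, l_bsp),
        "verdict": "OK!" if u_mbr == l_mbr else "KO!",
        "same_partition_table":
            user_mbr[PART_TABLE_OFF:510] == lowlevel_mbr[PART_TABLE_OFF:510],
    }


# Constructed views of PhysicalDrive0 matching the report's single partition:
# active NTFS starting at sector 63, 76293 MB = 156248064 sectors.
PARTITIONS = [(True, 0x07, 63, 156248064)]
USER_VIEW = build_mbr(XP_BOOT_PREFIX, PARTITIONS)           # what Windows shows
LOWLEVEL_VIEW = build_mbr(ALTERED_BOOT_PREFIX, PARTITIONS)  # what LL2 saw


def report(user_mbr, lowlevel_mbr):
    """Render the comparison in the shape of RogueKiller's MBR Check section."""
    r = compare_reads(user_mbr, lowlevel_mbr)
    out = ["--- User ---", f"[MBR] {r['user'][0]}", f"[BSP] {r['user'][1]}"]
    out += ["Partition table:"] + parse_partitions(user_mbr)
    out += [f"User != LL2 ... {r['verdict']}" if r["verdict"] == "KO!"
            else "User = LL2 ... OK!"]
    out += ["--- LL2 ---", f"[MBR] {r['lowlevel'][0]}", f"[BSP] {r['lowlevel'][1]}"]
    out += ["Partition table:"] + parse_partitions(lowlevel_mbr)
    return out


if __name__ == "__main__":
    print("\n".join(report(USER_VIEW, LOWLEVEL_VIEW)))
```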

#5 MrCharlie

    Forum Deity

  • Experts
  • 28,188 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 11 March 2012 - 09:05 AM

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.
Read this warning and let me know what you would like to do.
Removing this infection can also disable the ability to connect to the internet, which may result in a repair install.
-----------------------
If you wish to continue:

Please download and run TDSSKiller to your desktop as outlined below:

Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

Posted Image

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

Posted Image

------------------------

Click the Start Scan button.

Posted Image

-----------------------

If a suspicious object is detected, the default action will be Skip, click on Continue
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose
Skip and click on Continue

Posted Image

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.


--------------------

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

MrC

Malware Removal Expert


Posted Image


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Posted Image Thanks MrC & crew

#6 RickWeaver (New Member; Members; 37 posts)

Posted 11 March 2012 - 09:49 AM

Again I had to run it in Safe Mode (the "Internet Security" fake alert keeps popping up and no executables will run).

Here is the log report:

09:36:11.0578 1916 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
09:36:11.0625 1916 ============================================================
09:36:11.0625 1916 Current date / time: 2012/03/11 09:36:11.0625
09:36:11.0625 1916 SystemInfo:
09:36:11.0625 1916
09:36:11.0625 1916 OS Version: 5.1.2600 ServicePack: 3.0
09:36:11.0625 1916 Product type: Workstation
09:36:11.0625 1916 ComputerName: VALUED-CUSTOMER
09:36:11.0625 1916 UserName: Administrator
09:36:11.0625 1916 Windows directory: C:\WINDOWS
09:36:11.0625 1916 System windows directory: C:\WINDOWS
09:36:11.0625 1916 Processor architecture: Intel x86
09:36:11.0625 1916 Number of processors: 2
09:36:11.0625 1916 Page size: 0x1000
09:36:11.0625 1916 Boot type: Safe boot with network
09:36:11.0625 1916 ============================================================
09:36:13.0234 1916 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
09:36:13.0234 1916 Drive \Device\Harddisk1\DR2 - Size: 0xF4FD1C00 (3.83 Gb), SectorSize: 0x200, Cylinders: 0x1F3, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
09:36:13.0234 1916 \Device\Harddisk0\DR0:
09:36:13.0234 1916 MBR used
09:36:13.0234 1916 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950283F
09:36:13.0234 1916 \Device\Harddisk1\DR2:
09:36:13.0234 1916 MBR used
09:36:13.0234 1916 \Device\Harddisk1\DR2\Partition0: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0x7A7E4F
09:36:13.0281 1916 Initialize success
09:36:13.0281 1916 ============================================================
09:36:25.0234 1468 ============================================================
09:36:25.0234 1468 Scan started
09:36:25.0234 1468 Mode: Manual; SigCheck; TDLFS;
09:36:25.0234 1468 ============================================================
09:36:26.0312 1468 Abiosdsk - ok
09:36:26.0328 1468 abp480n5 - ok
09:36:26.0390 1468 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\drivers\ACPI.sys
09:36:26.0625 1468 ACPI - ok
09:36:26.0687 1468 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:36:26.0765 1468 ACPIEC - ok
09:36:26.0828 1468 ADIHdAudAddService (307f5e03b02a3022d664c36d1ea25f2c) C:\WINDOWS\system32\drivers\ADIHdAud.sys
09:36:26.0890 1468 ADIHdAudAddService - ok
09:36:26.0906 1468 adpu160m - ok
09:36:26.0968 1468 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
09:36:27.0046 1468 aec - ok
09:36:27.0078 1468 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
09:36:27.0093 1468 AegisP ( UnsignedFile.Multi.Generic ) - warning
09:36:27.0093 1468 AegisP - detected UnsignedFile.Multi.Generic (1)
09:36:27.0140 1468 AFD (1d495ee1d3a836801d1fd816ff4a93f9) C:\WINDOWS\System32\drivers\afd.sys
09:36:27.0140 1468 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 1d495ee1d3a836801d1fd816ff4a93f9, Fake md5: 1e44bc1e83d8fd2305f8d452db109cf9
09:36:27.0140 1468 AFD ( Virus.Win32.ZAccess.c ) - infected
09:36:27.0140 1468 AFD - detected Virus.Win32.ZAccess.c (0)
09:36:27.0156 1468 Aha154x - ok
09:36:27.0171 1468 aic78u2 - ok
09:36:27.0187 1468 aic78xx - ok
09:36:27.0203 1468 AliIde - ok
09:36:27.0218 1468 amsint - ok
09:36:27.0250 1468 asc - ok
09:36:27.0265 1468 asc3350p - ok
09:36:27.0265 1468 asc3550 - ok
09:36:27.0359 1468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:36:27.0437 1468 AsyncMac - ok
09:36:27.0515 1468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
09:36:27.0578 1468 atapi - ok
09:36:27.0593 1468 Atdisk - ok
09:36:27.0687 1468 ati2mtag (f5fc6ac1e7bc776871361d463fc86be2) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
09:36:27.0812 1468 ati2mtag - ok
09:36:27.0953 1468 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:36:28.0031 1468 Atmarpc - ok
09:36:28.0093 1468 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:36:28.0171 1468 audstub - ok
09:36:28.0218 1468 b57w2k (d0692f7b8217e3b82d2bfac535816117) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
09:36:28.0265 1468 b57w2k - ok
09:36:28.0312 1468 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:36:28.0375 1468 Beep - ok
09:36:28.0437 1468 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
09:36:28.0484 1468 BrScnUsb - ok
09:36:28.0500 1468 BrSerIf (1a5fc78e41840edf79d65ec16eff2787) C:\WINDOWS\system32\Drivers\BrSerIf.sys
09:36:28.0562 1468 BrSerIf - ok
09:36:28.0578 1468 BrUsbSer (a24c7b39602218f8dbdb2b6704325fc7) C:\WINDOWS\system32\Drivers\BrUsbSer.sys
09:36:28.0578 1468 BrUsbSer - ok
09:36:28.0609 1468 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:36:28.0703 1468 cbidf2k - ok
09:36:28.0718 1468 cd20xrnt - ok
09:36:28.0765 1468 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:36:28.0843 1468 Cdaudio - ok
09:36:28.0859 1468 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
09:36:28.0953 1468 Cdfs - ok
09:36:29.0000 1468 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:36:29.0078 1468 Cdrom - ok
09:36:29.0093 1468 Changer - ok
09:36:29.0125 1468 CmdIde - ok
09:36:29.0156 1468 Cpqarray - ok
09:36:29.0187 1468 dac2w2k - ok
09:36:29.0203 1468 dac960nt - ok
09:36:29.0250 1468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
09:36:29.0312 1468 Disk - ok
09:36:29.0359 1468 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
09:36:29.0468 1468 dmboot - ok
09:36:29.0500 1468 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
09:36:29.0578 1468 dmio - ok
09:36:29.0578 1468 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:36:29.0656 1468 dmload - ok
09:36:29.0734 1468 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
09:36:29.0812 1468 DMusic - ok
09:36:29.0828 1468 dpti2o - ok
09:36:29.0875 1468 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
09:36:29.0937 1468 drmkaud - ok
09:36:29.0984 1468 e1express (34aaa3b298a852b3663e6e0d94d12945) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
09:36:30.0187 1468 e1express - ok
09:36:30.0328 1468 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
09:36:30.0406 1468 Fastfat - ok
09:36:30.0453 1468 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
09:36:30.0531 1468 Fdc - ok
09:36:30.0578 1468 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
09:36:30.0656 1468 Fips - ok
09:36:30.0671 1468 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
09:36:30.0750 1468 Flpydisk - ok
09:36:30.0796 1468 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
09:36:30.0875 1468 FltMgr - ok
09:36:30.0906 1468 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:36:31.0000 1468 Fs_Rec - ok
09:36:31.0046 1468 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:36:31.0125 1468 Ftdisk - ok
09:36:31.0140 1468 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:36:31.0203 1468 Gpc - ok
09:36:31.0265 1468 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
09:36:31.0328 1468 HDAudBus - ok
09:36:31.0375 1468 HECI (0bf1d760b05caaaf231123d53c4789e2) C:\WINDOWS\system32\DRIVERS\HECI.sys
09:36:31.0421 1468 HECI - ok
09:36:31.0468 1468 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
09:36:31.0546 1468 hidusb - ok
09:36:31.0562 1468 hpn - ok
09:36:31.0625 1468 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
09:36:31.0687 1468 HTTP - ok
09:36:31.0703 1468 i2omgmt - ok
09:36:31.0718 1468 i2omp - ok
09:36:31.0781 1468 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
09:36:31.0859 1468 i8042prt - ok
09:36:32.0062 1468 ialm (bd9462e346229f37fd5b95fbcb6d3d34) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
09:36:32.0406 1468 ialm - ok
09:36:32.0546 1468 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:36:32.0625 1468 Imapi - ok
09:36:32.0640 1468 ini910u - ok
09:36:32.0671 1468 IntelIde - ok
09:36:32.0718 1468 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\drivers\intelppm.sys
09:36:32.0796 1468 intelppm - ok
09:36:32.0828 1468 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
09:36:32.0890 1468 Ip6Fw - ok
09:36:32.0937 1468 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:36:33.0015 1468 IpFilterDriver - ok
09:36:33.0015 1468 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:36:33.0093 1468 IpInIp - ok
09:36:33.0109 1468 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:36:33.0187 1468 IpNat - ok
09:36:33.0250 1468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:36:33.0312 1468 IPSec - ok
09:36:33.0359 1468 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:36:33.0406 1468 IRENUM - ok
09:36:33.0437 1468 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\drivers\isapnp.sys
09:36:33.0531 1468 isapnp - ok
09:36:33.0546 1468 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:36:33.0625 1468 Kbdclass - ok
09:36:33.0640 1468 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:36:33.0703 1468 kbdhid - ok
09:36:33.0765 1468 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:36:33.0843 1468 kmixer - ok
09:36:33.0875 1468 KMWDFILTER (566c5fd480fdbce3ba5cf9fbcffaea9a) C:\WINDOWS\system32\DRIVERS\KMWDFILTER.sys
09:36:33.0953 1468 KMWDFILTER - ok
09:36:33.0984 1468 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:36:34.0062 1468 KSecDD - ok
09:36:34.0078 1468 lbrtfdc - ok
09:36:34.0140 1468 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
09:36:34.0156 1468 MBAMProtector - ok
09:36:34.0250 1468 mfeapfk (c0d975d64c1af8057f2d75b1297a6979) C:\WINDOWS\system32\drivers\mfeapfk.sys
09:36:34.0265 1468 mfeapfk - ok
09:36:34.0312 1468 mfeavfk (c169326049a8a03d5f905b34f5a65f8c) C:\WINDOWS\system32\drivers\mfeavfk.sys
09:36:34.0328 1468 mfeavfk - ok
09:36:34.0343 1468 mfebopk (50b0253b2484a306a20d8695c5ae5858) C:\WINDOWS\system32\drivers\mfebopk.sys
09:36:34.0359 1468 mfebopk - ok
09:36:34.0500 1468 mfehidk (188b40866db2ab8ef262febc65291687) C:\WINDOWS\system32\drivers\mfehidk.sys
09:36:34.0531 1468 mfehidk - ok
09:36:34.0562 1468 mferkdet (c1b30af2e18e69bf8ceb39b33f32d3c1) C:\WINDOWS\system32\drivers\mferkdet.sys
09:36:34.0578 1468 mferkdet - ok
09:36:34.0625 1468 mfetdi2k (97ef4ca122ddda4781ff557e65dfb262) C:\WINDOWS\system32\drivers\mfetdi2k.sys
09:36:34.0640 1468 mfetdi2k - ok
09:36:34.0703 1468 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:36:34.0765 1468 mnmdd - ok
09:36:34.0812 1468 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:36:34.0906 1468 Modem - ok
09:36:34.0921 1468 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:36:35.0015 1468 Mouclass - ok
09:36:35.0062 1468 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:36:35.0140 1468 mouhid - ok
09:36:35.0156 1468 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:36:35.0218 1468 MountMgr - ok
09:36:35.0234 1468 mraid35x - ok
09:36:35.0265 1468 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:36:35.0328 1468 MRxDAV - ok
09:36:35.0390 1468 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:36:35.0468 1468 MRxSmb - ok
09:36:35.0531 1468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
09:36:35.0593 1468 Msfs - ok
09:36:35.0625 1468 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:36:35.0687 1468 MSKSSRV - ok
09:36:35.0703 1468 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:36:35.0765 1468 MSPCLOCK - ok
09:36:35.0781 1468 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
09:36:35.0875 1468 MSPQM - ok
09:36:35.0921 1468 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:36:36.0000 1468 mssmbios - ok
09:36:36.0031 1468 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
09:36:36.0062 1468 Mup - ok
09:36:36.0078 1468 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
09:36:36.0171 1468 NDIS - ok
09:36:36.0218 1468 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:36:36.0250 1468 NdisTapi - ok
09:36:36.0296 1468 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:36:36.0390 1468 Ndisuio - ok
09:36:36.0390 1468 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:36:36.0500 1468 NdisWan - ok
09:36:36.0609 1468 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
09:36:36.0687 1468 NDProxy - ok
09:36:36.0734 1468 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:36:36.0812 1468 NetBIOS - ok
09:36:36.0875 1468 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:36:36.0953 1468 NetBT - ok
09:36:37.0062 1468 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\NPF.sys
09:36:37.0078 1468 NPF - ok
09:36:37.0093 1468 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
09:36:37.0156 1468 Npfs - ok
09:36:37.0203 1468 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
09:36:37.0281 1468 Ntfs - ok
09:36:37.0343 1468 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:36:37.0406 1468 Null - ok
09:36:37.0468 1468 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:36:37.0546 1468 NwlnkFlt - ok
09:36:37.0562 1468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:36:37.0656 1468 NwlnkFwd - ok
09:36:37.0687 1468 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
09:36:37.0765 1468 Parport - ok
09:36:37.0781 1468 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
09:36:37.0843 1468 PartMgr - ok
09:36:37.0906 1468 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:36:38.0000 1468 ParVdm - ok
09:36:38.0031 1468 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\drivers\pci.sys
09:36:38.0093 1468 PCI - ok
09:36:38.0109 1468 PCIDump - ok
09:36:38.0125 1468 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\pciide.sys
09:36:38.0187 1468 PCIIde - ok
09:36:38.0218 1468 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:36:38.0296 1468 Pcmcia - ok
09:36:38.0312 1468 PDCOMP - ok
09:36:38.0328 1468 PDFRAME - ok
09:36:38.0343 1468 PDRELI - ok
09:36:38.0359 1468 PDRFRAME - ok
09:36:38.0359 1468 perc2 - ok
09:36:38.0375 1468 perc2hib - ok
09:36:38.0453 1468 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:36:38.0531 1468 PptpMiniport - ok
09:36:38.0546 1468 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
09:36:38.0625 1468 PSched - ok
09:36:38.0671 1468 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:36:38.0750 1468 Ptilink - ok
09:36:38.0765 1468 ql1080 - ok
09:36:38.0781 1468 Ql10wnt - ok
09:36:38.0796 1468 ql12160 - ok
09:36:38.0796 1468 ql1240 - ok
09:36:38.0812 1468 ql1280 - ok
09:36:38.0828 1468 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:36:38.0906 1468 RasAcd - ok
09:36:38.0921 1468 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:36:39.0000 1468 Rasl2tp - ok
09:36:39.0015 1468 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:36:39.0093 1468 RasPppoe - ok
09:36:39.0203 1468 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:36:39.0265 1468 Raspti - ok
09:36:39.0296 1468 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:36:39.0375 1468 Rdbss - ok
09:36:39.0390 1468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:36:39.0453 1468 RDPCDD - ok
09:36:39.0500 1468 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
09:36:39.0578 1468 rdpdr - ok
09:36:39.0625 1468 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
09:36:39.0703 1468 RDPWD - ok
09:36:39.0750 1468 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:36:39.0812 1468 redbook - ok
09:36:39.0890 1468 RTL8192su (7bfdf13721f0366212ab8e94361a05bd) C:\WINDOWS\system32\DRIVERS\RTL8192su.sys
09:36:39.0921 1468 RTL8192su ( UnsignedFile.Multi.Generic ) - warning
09:36:39.0921 1468 RTL8192su - detected UnsignedFile.Multi.Generic (1)
09:36:39.0984 1468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:36:40.0015 1468 Secdrv - ok
09:36:40.0031 1468 senfilt - ok
09:36:40.0046 1468 SenFiltService - ok
09:36:40.0109 1468 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
09:36:40.0187 1468 serenum - ok
09:36:40.0203 1468 Serial - ok
09:36:40.0265 1468 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
09:36:40.0343 1468 Sfloppy - ok
09:36:40.0375 1468 Simbad - ok
09:36:40.0437 1468 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
09:36:40.0515 1468 smwdm - ok
09:36:40.0515 1468 Sparrow - ok
09:36:40.0562 1468 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
09:36:40.0625 1468 splitter - ok
09:36:40.0687 1468 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
09:36:40.0734 1468 sr - ok
09:36:40.0796 1468 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
09:36:40.0875 1468 Srv - ok
09:36:41.0000 1468 StarOpen (e57b778208c783d8debab320c16a1b82) C:\WINDOWS\system32\drivers\StarOpen.sys
09:36:41.0000 1468 StarOpen ( UnsignedFile.Multi.Generic ) - warning
09:36:41.0000 1468 StarOpen - detected UnsignedFile.Multi.Generic (1)
09:36:41.0015 1468 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:36:41.0125 1468 swenum - ok
09:36:41.0140 1468 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
09:36:41.0218 1468 swmidi - ok
09:36:41.0234 1468 symc810 - ok
09:36:41.0250 1468 symc8xx - ok
09:36:41.0265 1468 sym_hi - ok
09:36:41.0281 1468 sym_u3 - ok
09:36:41.0296 1468 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
09:36:41.0359 1468 sysaudio - ok
09:36:41.0437 1468 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:36:41.0515 1468 Tcpip - ok
09:36:41.0562 1468 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:36:41.0671 1468 TDPIPE - ok
09:36:41.0687 1468 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
09:36:41.0765 1468 TDTCP - ok
09:36:41.0796 1468 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:36:41.0859 1468 TermDD - ok
09:36:41.0890 1468 TosIde - ok
09:36:41.0953 1468 TrueSight (0455d57c7fdb1252784202f2f7deb1d5) c:\windows\system32\drivers\TrueSight.sys
09:36:41.0968 1468 TrueSight ( UnsignedFile.Multi.Generic ) - warning
09:36:41.0968 1468 TrueSight - detected UnsignedFile.Multi.Generic (1)
09:36:42.0015 1468 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
09:36:42.0109 1468 Udfs - ok
09:36:42.0125 1468 ultra - ok
09:36:42.0187 1468 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
09:36:42.0265 1468 Update - ok
09:36:42.0312 1468 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:36:42.0390 1468 usbccgp - ok
09:36:42.0437 1468 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:36:42.0500 1468 usbehci - ok
09:36:42.0515 1468 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:36:42.0593 1468 usbhub - ok
09:36:42.0640 1468 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:36:42.0718 1468 usbprint - ok
09:36:42.0781 1468 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:36:42.0843 1468 USBSTOR - ok
09:36:42.0890 1468 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:36:42.0968 1468 usbuhci - ok
09:36:43.0015 1468 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
09:36:43.0093 1468 VgaSave - ok
09:36:43.0187 1468 ViaIde - ok
09:36:43.0250 1468 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
09:36:43.0328 1468 VolSnap - ok
09:36:43.0375 1468 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:36:43.0437 1468 Wanarp - ok
09:36:43.0453 1468 WDICA - ok
09:36:43.0500 1468 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
09:36:43.0578 1468 wdmaud - ok
09:36:43.0671 1468 WLNdis50 (bb2c5a7a555b387b85481b8bde5370d7) C:\WINDOWS\system32\DRIVERS\wlndis50.sys
09:36:43.0671 1468 WLNdis50 ( UnsignedFile.Multi.Generic ) - warning
09:36:43.0671 1468 WLNdis50 - detected UnsignedFile.Multi.Generic (1)
09:36:43.0796 1468 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
09:36:43.0890 1468 WudfPf - ok
09:36:43.0921 1468 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
09:36:43.0937 1468 WudfRd - ok
09:36:43.0984 1468 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
09:36:44.0015 1468 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
09:36:44.0015 1468 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
09:36:44.0031 1468 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
09:36:44.0031 1468 \Device\Harddisk0\DR0 - detected TDSS File System (1)
09:36:44.0062 1468 Boot (0x1200) (694888c52288f863f3f9db47415c92fa) \Device\Harddisk0\DR0\Partition0
09:36:44.0062 1468 \Device\Harddisk0\DR0\Partition0 - ok
09:36:44.0078 1468 ============================================================
09:36:44.0078 1468 Scan finished
09:36:44.0078 1468 ============================================================
09:36:44.0203 1344 Detected object count: 8
09:36:44.0203 1344 Actual detected object count: 8
09:39:36.0234 1344 AegisP ( UnsignedFile.Multi.Generic ) - skipped by user
09:39:36.0234 1344 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:36.0375 1344 C:\WINDOWS\System32\drivers\afd.sys - copied to quarantine
09:39:36.0500 1344 Backup copy found, using it..
09:39:36.0515 1344 C:\WINDOWS\System32\drivers\afd.sys - will be cured on reboot
09:39:38.0562 1344 AFD ( Virus.Win32.ZAccess.c ) - User select action: Cure
09:39:38.0562 1344 RTL8192su ( UnsignedFile.Multi.Generic ) - skipped by user
09:39:38.0562 1344 RTL8192su ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:38.0562 1344 StarOpen ( UnsignedFile.Multi.Generic ) - skipped by user
09:39:38.0562 1344 StarOpen ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:38.0578 1344 TrueSight ( UnsignedFile.Multi.Generic ) - skipped by user
09:39:38.0578 1344 TrueSight ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:38.0578 1344 WLNdis50 ( UnsignedFile.Multi.Generic ) - skipped by user
09:39:38.0578 1344 WLNdis50 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:39.0046 1344 \Device\Harddisk0\DR0\# - copied to quarantine
09:39:39.0046 1344 \Device\Harddisk0\DR0 - copied to quarantine
09:39:39.0062 1344 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
09:39:39.0109 1344 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
09:39:39.0109 1344 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
09:39:39.0109 1344 \Device\Harddisk0\DR0\TDLFS\xh.dll - copied to quarantine
09:39:39.0109 1344 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
09:39:39.0125 1344 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
09:39:39.0125 1344 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
09:39:39.0125 1344 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
09:39:39.0187 1344 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
09:39:39.0187 1344 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
09:39:39.0187 1344 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
09:39:39.0234 1344 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
09:39:39.0234 1344 \Device\Harddisk0\DR0 - ok
09:39:39.0234 1344 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
09:39:39.0234 1344 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
09:39:39.0234 1344 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
09:39:47.0343 1848 Deinitialize success
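The TDSSKiller log above is long, and the lines that matter for triage are the verdict lines ("- infected" / "- warning"), the "Suspicious file (Forged)" hash-mismatch line, the "User select action" lines and the declared object count. The following script is an added example, not part of the thread and not TDSSKiller's own code: it parses those line shapes from an abridged excerpt of the log posted above (the excerpt and its object count are constructed for the example) and produces a summary that separates the cured "infected" verdicts from the UnsignedFile.Multi.Generic warnings that were skipped, and flags any "infected" object that was not cured.

```python
"""Triage summary for a TDSSKiller text log (added example, not TDSSKiller's own code)."""
import re

# Every TDSSKiller line starts with "<hh:mm:ss.ffff> <thread id> "; the rest is free text.
PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+"
# Driver enumeration line:  "<service> (<md5>) <path>"
DRIVER_RE = re.compile(PREFIX + r"(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Hash-mismatch line: the file read from disk differs from what the running system presents
FORGED_RE = re.compile(PREFIX + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
# Verdict line:  "<object> ( <detection name> ) - infected|warning"
VERDICT_RE = re.compile(PREFIX + r"(?P<obj>.+?) \( (?P<name>.+?) \) - (?P<verdict>infected|warning)$")
# Action line:   "<object> ( <detection name> ) - User select action: <Cure|Skip|Delete>"
ACTION_RE = re.compile(PREFIX + r"(?P<obj>.+?) \( (?P<name>.+?) \) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(PREFIX + r"Detected object count: (?P<n>\d+)$")

# Constructed sample: an abridged excerpt of the log in the post above, with the
# declared object count reduced to match the five objects kept in the excerpt.
SAMPLE_LOG = r"""
09:36:27.0078 1468 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
09:36:27.0093 1468 AegisP ( UnsignedFile.Multi.Generic ) - warning
09:36:27.0140 1468 AFD (1d495ee1d3a836801d1fd816ff4a93f9) C:\WINDOWS\System32\drivers\afd.sys
09:36:27.0140 1468 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: 1d495ee1d3a836801d1fd816ff4a93f9, Fake md5: 1e44bc1e83d8fd2305f8d452db109cf9
09:36:27.0140 1468 AFD ( Virus.Win32.ZAccess.c ) - infected
09:36:39.0921 1468 RTL8192su ( UnsignedFile.Multi.Generic ) - warning
09:36:44.0015 1468 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
09:36:44.0031 1468 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
09:36:44.0203 1344 Detected object count: 5
09:39:36.0234 1344 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:38.0562 1344 AFD ( Virus.Win32.ZAccess.c ) - User select action: Cure
09:39:38.0562 1344 RTL8192su ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:39:39.0234 1344 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
09:39:39.0234 1344 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
"""


def parse_tdsskiller_log(text):
    """Return {"objects": {(object, detection): record}, "declared_count": int|None}.

    Each record has "verdict" (infected/warning/None), "action" (Cure/Skip/... or None)
    and "forged" ((real_md5, fake_md5) when the object's file hash was forged, else None).
    """
    paths, forged, objects, declared = {}, {}, {}, None
    for line in text.splitlines():
        if m := DRIVER_RE.match(line):
            paths[m["svc"]] = m["path"]           # service name -> on-disk file
        elif m := FORGED_RE.match(line):
            forged[m["path"]] = (m["real"], m["fake"])
        elif m := VERDICT_RE.match(line):
            objects[(m["obj"], m["name"])] = {"verdict": m["verdict"], "action": None}
        elif m := ACTION_RE.match(line):
            objects.setdefault((m["obj"], m["name"]), {"verdict": None})["action"] = m["action"]
        elif m := COUNT_RE.match(line):
            declared = int(m["n"])
    for (obj, _), rec in objects.items():
        # Link a forged-hash line to its verdict via the driver's file path.
        rec["forged"] = forged.get(paths.get(obj))
    return {"objects": objects, "declared_count": declared}


def triage(report):
    """Summarise what was cured, what was skipped, and what still needs attention."""
    objs = report["objects"]
    infected = [k for k, r in objs.items() if r["verdict"] == "infected"]
    return {
        "cured": sorted(f"{o} [{n}]" for (o, n) in infected if objs[(o, n)]["action"] == "Cure"),
        # An "infected" verdict that was not cured is the item an analyst must follow up.
        "unresolved": sorted(f"{o} [{n}]" for (o, n) in infected if objs[(o, n)]["action"] != "Cure"),
        "skipped_warnings": sorted(o for (o, _), r in objs.items()
                                   if r["verdict"] == "warning" and r["action"] == "Skip"),
        "forged_files": sorted(o for (o, _), r in objs.items() if r["forged"]),
        # Sanity check: the parser saw as many objects as the tool says it detected.
        "count_matches": report["declared_count"] == len(objs),
    }


if __name__ == "__main__":
    for key, value in triage(parse_tdsskiller_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the excerpt this reports two cured "infected" objects (AFD and the MBR of Harddisk0), three skipped UnsignedFile.Multi.Generic warnings, AFD as the one file whose hash was forged, and no unresolved items; if the Cure line for AFD is replaced by a Skip, AFD moves to the unresolved list.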

#7 MrCharlie (Forum Deity; Experts; 28,188 posts; Gender: Male; Location: So. Plainfield, New Jersey, USA)

Posted 11 March 2012 - 09:57 AM

Please download and run ComboFix.
The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC

#8 RickWeaver (New Member; Members; 37 posts)

Posted 11 March 2012 - 10:23 AM

Is it OK to run ComboFix in Safe Mode? I can't get anything to run in Windows Full Mode.

#9 MrCharlie (Forum Deity; Experts; 28,188 posts; Gender: Male; Location: So. Plainfield, New Jersey, USA)

Posted 11 March 2012 - 10:43 AM

Yes it is, MrC

#10 RickWeaver (New Member; Members; 37 posts)

Posted 11 March 2012 - 11:29 AM

ComboFix detected the rootkit and warned that it was going to reboot the computer and now I've had the Black Safe Mode screen with no taskbar or icons for almost 20 minutes. Is this normal?

#11 MrCharlie (Forum Deity; Experts; 28,188 posts; Gender: Male; Location: So. Plainfield, New Jersey, USA)

Posted 11 March 2012 - 11:34 AM

Give it 15 more minutes then reboot the computer and run ComboFix again.

I warned you about this infection up front......it's nasty!!

MrC

#12 RickWeaver (New Member; Members; 37 posts)

Posted 11 March 2012 - 12:30 PM

When I powered off and rebooted, ComboFix continued, and I will paste the results below. I got numerous errors saying it can't find 'NIRKMD', but it continued when I closed the alert. I could not disable McAfee in Safe Mode and had no internet access in Safe Mode.

Thanks MrC

ComboFix 12-03-10.02 - Administrator 03/11/2012 11:39:13.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1515 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active
.
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\mapbin.exe
c:\documents and settings\All Users\Application Data\isecurity.exe
c:\documents and settings\All Users\imigdevice.exe
c:\windows\$NtUninstallKB21571$\1802059562\@
c:\windows\$NtUninstallKB21571$\1802059562\cfg.ini
c:\windows\$NtUninstallKB21571$\1802059562\Desktop.ini
c:\windows\$NtUninstallKB21571$\1802059562\L\nqegsstu
c:\windows\$NtUninstallKB21571$\3947074288
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
.
Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\drivers\Serial.sys was missing
Restored copy from - c:\system volume information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP91\A0012325.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes
2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00
2012-03-10 15:48 . 2012-03-11 00:38 16256 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3
2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1
2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet
2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 14:40 . 2008-04-14 05:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec
2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]
R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ATKFUSService
ScanUSBEMPIA
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-11 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Internet Security - c:\documents and settings\All Users\Application Data\isecurity.exe
HKCU-Run-imigdevice - c:\documents and settings\All Users\imigdevice.exe
HKCU-Run-mapbin - c:\documents and settings\Administrator\Application Data\mapbin.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-imigdevice - c:\documents and settings\All Users\imigdevice.exe
HKLM-Run-mapbin - c:\documents and settings\Administrator\Application Data\mapbin.exe
HKLM-Run-dplaysvr - c:\documents and settings\Administrator\Application Data\dplaysvr.exe
HKU-Default-Run-imigdevice - c:\documents and settings\All Users\imigdevice.exe
HKU-Default-Run-mapbin - c:\documents and settings\Administrator\Application Data\mapbin.exe
HKU-Default-Run-dplaysvr - c:\documents and settings\Administrator\Application Data\dplaysvr.exe
SafeBoot-86601328.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-11 12:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB21571$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
.
[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2012-03-11 12:19:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-11 17:19
.
Pre-Run: 60,895,137,792 bytes free
Post-Run: 62,333,325,312 bytes free
.
- - End Of File - - 96C79734B862A48748B31C6DAB906FAF

#13 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,188 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 11 March 2012 - 12:35 PM

See if you can run ComboFix again, MrC

Malware Removal Expert



I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#14 RickWeaver

RickWeaver

    New Member

  • Members
  • 37 posts

Posted 11 March 2012 - 01:21 PM

ComboFix ran successfully and rebooted. I still have no Internet access, so the Windows Recovery Console could not be loaded. Here is the log. Thanks again:

ComboFix 12-03-10.02 - Administrator 03/11/2012 13:01:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1441 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB21571$\2983939250
c:\windows\$NtUninstallKB21571$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes
2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00
2012-03-10 15:48 . 2012-03-11 00:38 16256 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3
2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1
2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet
2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 14:40 . 2008-04-14 05:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec
2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-11_17.05.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-11 18:10 . 2012-03-11 18:10 16384 c:\windows\Temp\Perflib_Perfdata_760.dat
- 2009-03-20 22:32 . 2003-02-21 01:09 77824 c:\windows\system32\URTTemp\mscorsn.dll
+ 2009-03-20 22:32 . 2003-02-21 00:09 77824 c:\windows\system32\URTTemp\mscorsn.dll
+ 2009-03-20 22:32 . 2003-02-21 00:06 155648 c:\windows\system32\URTTemp\mscoree.dll
- 2009-03-20 22:32 . 2003-02-21 01:06 155648 c:\windows\system32\URTTemp\mscoree.dll
- 2009-03-20 22:32 . 2003-02-21 01:06 282624 c:\windows\system32\URTTemp\fusion.dll
+ 2009-03-20 22:32 . 2003-02-21 00:06 282624 c:\windows\system32\URTTemp\fusion.dll
+ 2009-03-20 22:32 . 2003-02-21 00:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll
- 2009-03-20 22:32 . 2003-02-21 01:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]
R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ATKFUSService
ScanUSBEMPIA
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-11 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-11 13:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
.
[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2012-03-11 13:15:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-11 18:15
ComboFix2.txt 2012-03-11 17:19
.
Pre-Run: 62,330,703,872 bytes free
Post-Run: 62,323,326,976 bytes free
.
- - End Of File - - 94B90A52137D4E8E13E79D261E6B2F07

#15 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • 28,188 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 11 March 2012 - 04:27 PM

Please delete your copy of ComboFix and download and run a fresh one.

MrC


#16 RickWeaver

RickWeaver

    New Member

  • Members
  • 37 posts

Posted 11 March 2012 - 06:01 PM

I installed the Windows Recovery Console from my XP Pro CD, deleted ComboFix.exe and replaced it with a fresh copy. ComboFix again detected the RootKit and restarted, then completed with no further alerts or errors. Here is the log:

ComboFix 12-03-10.02 - Administrator 03/11/2012 13:01:36.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1441 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB21571$\2983939250
c:\windows\$NtUninstallKB21571$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes
2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00
2012-03-10 15:48 . 2012-03-11 00:38 16256 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3
2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1
2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet
2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 14:40 . 2008-04-14 05:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec
2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-11_17.05.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-11 18:10 . 2012-03-11 18:10 16384 c:\windows\Temp\Perflib_Perfdata_760.dat
- 2009-03-20 22:32 . 2003-02-21 01:09 77824 c:\windows\system32\URTTemp\mscorsn.dll
+ 2009-03-20 22:32 . 2003-02-21 00:09 77824 c:\windows\system32\URTTemp\mscorsn.dll
+ 2009-03-20 22:32 . 2003-02-21 00:06 155648 c:\windows\system32\URTTemp\mscoree.dll
- 2009-03-20 22:32 . 2003-02-21 01:06 155648 c:\windows\system32\URTTemp\mscoree.dll
- 2009-03-20 22:32 . 2003-02-21 01:06 282624 c:\windows\system32\URTTemp\fusion.dll
+ 2009-03-20 22:32 . 2003-02-21 00:06 282624 c:\windows\system32\URTTemp\fusion.dll
+ 2009-03-20 22:32 . 2003-02-21 00:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll
- 2009-03-20 22:32 . 2003-02-21 01:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]
R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ATKFUSService
ScanUSBEMPIA
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-11 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-11 13:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
.
[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3568)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\McAfee\VirusScan Enterprise\mfeann.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2012-03-11 13:15:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-11 18:15
ComboFix2.txt 2012-03-11 17:19
.
Pre-Run: 62,330,703,872 bytes free
Post-Run: 62,323,326,976 bytes free
.
- - End Of File - - 94B90A52137D4E8E13E79D261E6B2F07

#17 RickWeaver

RickWeaver

    New Member

  • Members
  • Pip
  • 37 posts

Posted 11 March 2012 - 06:11 PM

Disregard the previous post; that was the wrong file (the 2nd one run today). I am reposting the correct, most recent log file. Sorry, MrC

ComboFix 12-03-10.02 - Administrator 03/11/2012 17:41:07.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2005.1461 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise+AntiSpyware Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-11 to 2012-03-11 )))))))))))))))))))))))))))))))
.
.
2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-11 16:05 . 2012-03-11 16:05 -------- d-----w- C:\Malwarebytes
2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 15:53 . 2012-03-10 15:53 -------- d-----w- C:\db7192cfa1af5015e0615d00
2012-03-10 15:48 . 2012-03-11 00:38 16256 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-03-10 15:33 . 2012-03-10 15:33 -------- d-----w- C:\6e08c0a2436134c4733bee5ca36ca3
2012-03-04 09:01 . 2012-03-04 09:01 -------- d-----w- C:\433ac744c28f5b209cd11ad1
2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet
2012-03-03 21:03 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-03 20:57 . 2012-03-04 00:23 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 14:40 . 2008-04-14 05:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-12 16:53 . 2008-04-14 06:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46 . 2008-04-14 10:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-17 19:46 . 2008-04-14 10:42 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46 . 2008-04-14 10:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-16 12:22 . 2008-04-14 05:07 385024 ----a-w- c:\windows\system32\html.iec
2011-04-14 16:26 . 2011-05-19 15:26 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-11_17.05.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-11 22:40 . 2012-03-11 22:40 16384 c:\windows\Temp\Perflib_Perfdata_758.dat
- 2009-03-20 22:32 . 2003-02-21 01:09 77824 c:\windows\system32\URTTemp\mscorsn.dll
+ 2009-03-20 22:32 . 2003-02-21 00:09 77824 c:\windows\system32\URTTemp\mscorsn.dll
+ 2009-03-20 22:32 . 2003-02-21 00:06 155648 c:\windows\system32\URTTemp\mscoree.dll
- 2009-03-20 22:32 . 2003-02-21 01:06 155648 c:\windows\system32\URTTemp\mscoree.dll
- 2009-03-20 22:32 . 2003-02-21 01:06 282624 c:\windows\system32\URTTemp\fusion.dll
+ 2009-03-20 22:32 . 2003-02-21 00:06 282624 c:\windows\system32\URTTemp\fusion.dll
+ 2009-03-20 22:32 . 2003-02-21 00:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll
- 2009-03-20 22:32 . 2003-02-21 01:08 2482176 c:\windows\system32\URTTemp\mscorwks.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-05-30 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-05-30 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-05-30 141848]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2009-12-01 401408]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-06-22 1044480]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-12 215360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility.lnk - c:\program files\TRENDnet\TEW-649UB\WlanCU.exe [2012-3-3 368640]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/14/2011 12:02 PM 652360]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/18/2011 2:06 PM 145936]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/14/2011 12:02 PM 20464]
R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/18/2011 2:06 PM 85152]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ATKFUSService
ScanUSBEMPIA
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-11 c:\windows\Tasks\User_Feed_Synchronization-{EA4F660E-E6D3-46ED-8BBF-99549F8DE551}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dogpile.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4zhz37dx.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-11 17:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,25,59,62,67,0e,b3,a8,48,a0,ea,eb,\
.
[HKEY_USERS\S-1-5-21-1844237615-507921405-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d9,63,21,3d,2a,43,36,4a,9f,68,37,\
.
Completion time: 2012-03-11 17:50:27
ComboFix-quarantined-files.txt 2012-03-11 22:50
ComboFix2.txt 2012-03-11 18:15
ComboFix3.txt 2012-03-11 17:19
.
Pre-Run: 62,297,968,640 bytes free
Post-Run: 62,295,277,568 bytes free
.
- - End Of File - - 934F747B7AFD96936BF73BBE49EF0EAE
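As an added example (not part of the thread and not ComboFix's own code), here is how the service lines and the "Files Created" section of a ComboFix log such as the one above can be read mechanically instead of by eye. The sample lines are copied from that log; the line formats, and the meaning of the R/S prefix (running/stopped) and the start-type digit (0 boot, 1 system, 2 auto, 3 manual, 4 disabled), are as ComboFix prints them. The record and function names are the example's own.

```python
r"""Reading the service and "Files Created" sections of a ComboFix log.

Added example for this thread (not ComboFix's code, not the poster's).
Two line formats, copied from the log above, are parsed:

  R2 WLNdis50;<description>;c:\...\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]
     R = running, S = stopped; digit = start type (0 boot, 1 system,
     2 auto, 3 manual, 4 disabled); [...] = file time and size in bytes

  2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\...\drivers\WLNdis50.sys
     creation time . last-write time, size, attributes, path

Joining the two on path answers the first question about a log like this:
which kernel drivers appeared in the incident window, and which are loaded?
"""
import re
from dataclasses import dataclass
from datetime import datetime

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<path>.+?) \[(?P<stamp>[^\]]+) (?P<size>\d+)\]$")
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<written>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>\S+) (?P<path>.+)$")


@dataclass(frozen=True)
class Service:
    name: str
    running: bool
    start_type: str
    path: str


@dataclass(frozen=True)
class CreatedFile:
    path: str
    created: datetime   # when the file appeared on this disk
    written: datetime   # last-write time, often the vendor's build date
    is_dir: bool


def parse_services(lines):
    """Service records for every R*/S* line; non-matching lines are skipped."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(Service(m["name"], m["state"] == "R", START_TYPES[m["start"]], m["path"]))
    return out


def parse_created(lines):
    """CreatedFile records for every 'Files Created' line."""
    out, fmt = [], "%Y-%m-%d %H:%M"
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if m:
            out.append(CreatedFile(m["path"], datetime.strptime(m["created"], fmt),
                                   datetime.strptime(m["written"], fmt), m["attrs"].startswith("d")))
    return out


def new_drivers(service_lines, created_lines, since):
    """Every .sys created on/after `since` (YYYY-MM-DD), and whether a running
    service entry points at it. Paths compare case-insensitively because
    ComboFix prints them with different casing in different sections."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    by_path = {s.path.lower(): s for s in parse_services(service_lines)}
    rows = []
    for f in parse_created(created_lines):
        if f.is_dir or not f.path.lower().endswith(".sys") or f.created < cutoff:
            continue
        svc = by_path.get(f.path.lower())
        rows.append({"file": f.path.rsplit("\\", 1)[-1],
                     "created": f.created.isoformat(" "), "written": f.written.isoformat(" "),
                     "loaded": bool(svc and svc.running),
                     "service": svc.name if svc else None,
                     "start_type": svc.start_type if svc else None})
    return rows


# Sample input, copied verbatim from the ComboFix log posted above.
SERVICE_LINES = r"""
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/18/2011 2:06 PM 88544]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [5/19/2011 12:40 PM 2519040]
R2 WLNdis50;Wireless Lan NDIS Protocol I/O Control;c:\windows\system32\drivers\WLNdis50.sys [3/3/2012 3:57 PM 20480]
R3 RTL8192su;TRENDnet 300Mbps Wireless N USB Adapter;c:\windows\system32\drivers\RTL8192su.sys [3/3/2012 3:57 PM 588032]
S2 WLSVC;WLSVC;c:\program files\TRENDnet\TEW-649UB\WLSVC.exe [3/3/2012 7:23 PM 167936]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
""".strip().splitlines()

CREATED_LINES = r"""
2012-03-11 17:01 . 2008-04-14 05:45 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-03-11 16:18 . 2008-04-14 00:10 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2012-03-11 14:39 . 2012-03-11 14:39 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-10 15:48 . 2012-03-11 00:38 16256 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2012-03-04 00:23 . 2012-03-04 00:23 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2012-03-04 00:23 . 2012-03-04 00:23 -------- d-----w- c:\program files\TRENDnet
2012-03-03 21:03 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-03 20:57 . 2008-02-27 16:54 20480 ----a-w- c:\windows\system32\drivers\WLNdis50.sys
2012-03-03 20:57 . 2009-08-06 04:23 588032 ----a-w- c:\windows\system32\drivers\RTL8192su.sys
""".strip().splitlines()

if __name__ == "__main__":
    for r in new_drivers(SERVICE_LINES, CREATED_LINES, "2012-03-01"):
        state = f'loaded as {r["service"]} ({r["start_type"]})' if r["loaded"] else "no running service"
        print(f'{r["file"]:<14} created {r["created"]}  written {r["written"]}  {state}')
```

Run as a script it lists each .sys that appeared in the window with its creation time, its last-write time and whether a running service entry points at it; on the lines above the two TRENDnet drivers (WLNdis50.sys and RTL8192su.sys) are the ones with a running service. A driver with no R/S entry is not thereby proven inactive: that list only shows registered service entries, and a hidden service would be missing from it too, which is why the catchme rootkit scan at the bottom of the log is a separate step.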

#18 MrCharlie

MrCharlie

    Forum Deity

  • Experts
  • PipPipPipPipPipPip
  • 28,188 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA

Posted 11 March 2012 - 08:00 PM

Update and run a quick scan with MB.

Let me know how it is, MrC

Malware Removal Expert




I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.


#19 RickWeaver

RickWeaver

    New Member

  • Members
  • Pip
  • 37 posts

Posted 11 March 2012 - 09:07 PM

I still don't have internet connectivity, but my Malwarebytes was last updated 3/10/12, so I ran a full scan, removed all malware and rebooted. Here is the log:

Malwarebytes Anti-Malware (PRO) 1.60.1.1000
www.malwarebytes.org
Database version: v2012.03.10.05
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: VALUED-CUSTOMER [administrator]
Protection: Disabled
3/11/2012 8:09:01 PM
mbam-log-2012-03-11 (20-09-01).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217953
Time elapsed: 24 minute(s), 35 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 14
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\mapbin.exe.vir (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\imigdevice.exe.vir (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP117\A0029789.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP118\A0031866.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP118\A0032890.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041067.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041068.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041069.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054186.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054182.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054187.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054188.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054189.exe (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054191.exe (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
(end)
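Added example (not the thread's or Malwarebytes' code) showing the check a responder applies to a detection list like the one above: parse the "Files Detected" lines, then sort the hits by where they live. Every one of the 14 hits above is either in ComboFix's quarantine (C:\Qoobox\Quarantine, .vir suffix) or inside a System Restore point, that is, a dormant copy of something already removed rather than a running file. The sample input is the log above; the "family" grouping of detection names (everything before the last dot) and the location labels are the example's own conventions.

```python
r"""Triage of the "Files Detected" section of a Malwarebytes scan log.

Added example for this thread (not Malwarebytes' code, not the poster's).
Detection lines have the shape

    <path> (<detection name>) -> <action>.

For the "is it still infected?" question, where a hit lives matters more
than its name. Two locations in the log above hold only dead copies:

    C:\Qoobox\Quarantine\...\<name>.vir                  ComboFix's quarantine
    C:\System Volume Information\_restore{GUID}\RPnnn\   System Restore points

Anything found elsewhere is classified "live" and is the hit to chase.
"""
import re
from collections import Counter

DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
RESTORE_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\rp(?P<rp>\d+)", re.I)


def classify(path):
    """'combofix-quarantine', 'restore-point' or 'live' (location labels are ours)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix-quarantine"
    if RESTORE_RE.match(p):
        return "restore-point"
    return "live"


def parse_detections(log_text):
    """Hits from the 'Files Detected' block. Raises if the number of parsed
    lines disagrees with the count the log declares, so a truncated paste
    is noticed instead of silently under-counting."""
    hits, declared, in_block = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Files Detected:"):
            declared = int(line.split(":", 1)[1])
            in_block = True
            continue
        if not in_block:
            continue
        if line == "(end)":
            break
        m = DETECTION_RE.match(line)
        if m:
            hits.append({"path": m["path"], "name": m["name"],
                         "action": m["action"], "where": classify(m["path"])})
    if declared is not None and declared != len(hits):
        raise ValueError(f"log declares {declared} files, parsed {len(hits)}")
    return hits


def family(name):
    """'Trojan.Zbot.CBCGen' -> 'Trojan.Zbot': drop the per-sample variant suffix."""
    return name.rsplit(".", 1)[0]


def summarize(hits):
    return {
        "total": len(hits),
        "by_location": dict(Counter(h["where"] for h in hits)),
        "by_family": dict(Counter(family(h["name"]) for h in hits)),
        "live": [h["path"] for h in hits if h["where"] == "live"],
        "restore_points": sorted({int(RESTORE_RE.match(h["path"])["rp"])
                                  for h in hits if h["where"] == "restore-point"}),
    }


# Sample input: the tail of the Malwarebytes log posted above, copied verbatim.
SAMPLE_LOG = r"""
Folders Detected: 0
(No malicious items detected)
Files Detected: 14
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\mapbin.exe.vir (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\imigdevice.exe.vir (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP117\A0029789.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP118\A0031866.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP118\A0032890.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041067.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041068.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP123\A0041069.exe (Backdoor.Agent.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054186.exe (Trojan.Zbot.CBCGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054182.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054187.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054188.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054189.exe (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{91B3DA99-3A16-4D62-A2FD-FBE8B7928A08}\RP132\A0054191.exe (Trojan.Agent.UAGen) -> Quarantined and deleted successfully.
(end)
"""

if __name__ == "__main__":
    for key, value in summarize(parse_detections(SAMPLE_LOG)).items():
        print(f"{key:>15}: {value}")
```

classify() carries the security-relevant point: a hit in another tool's quarantine or in a restore point records what was removed, not what is running, so the empty "live" list is what this scan supports. It is support, not proof: the log header shows the scan ran with Protection: Disabled and a 3/10 database, so the verdict is only as good as those signatures, and the RootKit.0Access and Trojan.Zbot names in the restore points say what the machine did have and why the redirect and outbound-block symptoms were seen.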

#20 RickWeaver

RickWeaver

    New Member

  • Members
  • Pip
  • 37 posts

Posted 11 March 2012 - 09:52 PM

MrC - Thanks for all of your help today. I'm going to call it a day. I have to get up at 4:30 AM Central and won't be back at the infected computer until I get home from work tomorrow afternoon. I just didn't want you waiting for a response.

Thanks,
Rick



