#1 (Member, joined May 2011, 21 posts)

From lightning fast to dead slow to slower than dead.

    Hello -

    I'm hoping you can assist with this. I've tried a few things but gotten nowhere. But, first, the preliminaries.

    System:
    HP Pavilion a1240n, 3 GHz Hyperthreaded P4, 4 GB RAM, 150 GB disk available.
    Windows XP SP3 + all Microsoft system & security patches since SP3 was released.

    Microsoft Essentials Security installed. Updated regularly & system scanned
    periodically.

    My usual browser is:
    Firefox 3.6.17 + NoScript 2.1.0.3 + Adblock Plus 1.3.6 + BetterPrivacy 1.50 + Flashblock 1.5.4.2

    Alternate browser is:
    Microsoft Internet Explorer 7.0.5730.11
    (it's mostly used for downloading and updating from update.microsoft.com).

    -----------
    The Problem

    Please excuse the length of this. But I'd rather err on the "more details than less".


    Sometime last week this computer went from nice & quick to dead slow to slower-than-dead.

    Boot time from power on to usable was on the order of a minute.

    It's now on the order of 20 minutes. During this time, the keyboard is near dead, ditto for the mouse, and the disk drive access light is solid ON. The heads can be heard running all over the drive; it's quite noisy doing this.

    If I CTRL-ALT-DEL just as the "Welcome" splash disappears, Task Manager can be started. While I'm watching the system boot up, the system idle process time goes to 99% ... the drive access light is ON and there is an enormous amount of activity.

    Eventually, desktop icons start to appear. First with default icons then slowwwwly the normal icons. Not all at once.. but in two's and three's. The Task Bar (at bottom) is completely blacked out then >WHAM< shows up. The Quick Launch icons slowly dribble in and finally the system tray at bottom right shows up.

    Around this time, Microsoft Essentials throws up a warning panel as to how the system is "at risk" and I should click on a button to start it. If that button isn't clicked on fast then the panel disappears in a few seconds (not a pull-down, it blanks off the display). The system has to be rebooted to get Essentials running (back to a 20 minute wait). That little red house completely disappears from the system tray. If the button is clicked quickly then the drive gets even more busy but finally the little green "house" icon appears.

    After about that 20 minutes, the system appears stable. Then Essentials starts doing .. something. That "something" chews up about 50% of the CPU and it's another few minutes until, suddenly, it's using zero time.

    The system is sort of usable after that. Everything is laggy. Left-clicking Start depresses the button but it's lots of disk noise for easily 30 seconds then the first level menus slowly crawl up. Hovering over All Programs.. there's time for coffee until the first pane appears. Lots of disk drive crunching going on; drive access light is full ON.

    ------
    What I've done so far:

    Trend Micro's Housecall has been run. It didn't find anything.

    Symantec's network-based scanner was started. Something terminated it, too.

    CCleaner 3.0.6 was downloaded and run. It found a HUGE number of registry problems and offered to clean them up. A restore was saved at that point and the OK given to clean. It cleaned. Another "Analyze" found another list of problems and it offered to clean them up. Another restore was saved. Three cycles of this finally produced a clean list.

    Something has been busy in there. Most of the complaints had to do with software that was uncleanly uninstalled. References to non-existent DLL's, bad keys, etc.

    After all that, the system is still slower than dead.

    Found your site from the computer at work.

    ----

    Downloaded and installed SUPERAntispyware, MalwareBytes, and HiJackThis. Ran all of them and saved the logs. I *HOPE* they're attached to this note. Please let me know if not.

    Your time is appreciated.

    Mark


    ------
    Attached files: mbam-log-2011-05-08 (19-34-58).txt, hijackthis.log, SUPERAntiSpyware Scan Log - 05-08-2011 - 19-24-30.log
    ===========
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 05/08/2011 at 07:24 PM

    Application Version : 4.52.1000

    Core Rules Database Version : 7014
    Trace Rules Database Version: 4826

    Scan type : Quick Scan
    Total Scan Time : 01:10:16

    Memory items scanned : 417
    Memory threats detected : 0
    Registry items scanned : 1854
    Registry threats detected : 0
    File items scanned : 78908
    File threats detected : 0
    ==========================
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6534

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.11

    5/8/2011 7:34:58 PM
    mbam-log-2011-05-08 (19-34-58).txt

    Scan type: Quick scan
    Objects scanned: 194610
    Time elapsed: 6 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ==============================
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:36:08 PM, on 5/8/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.17096)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\eHome\ehmsas.exe
    c:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\sol.exe
    C:\Documents and Settings\HP_Administrator\Desktop\ANTI MALWARE\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...rm1=seconduser
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wildtangent.com/webdriver_privacy/
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-21-2779701670-2549573690-2822649358-1017\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'UpdatusUser')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_se...zTCPConfig.CAB
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase6770.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188396583656
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...31/mcfscan.cab
    O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - file:///C:/PSDK/controls/sdkinst.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
    O23 - Service: OWMBK - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\OWMBK.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
    O23 - Service: RFOD - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\RFOD.exe (file missing)
    O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe

    --
    End of file - 8590 bytes
    Last edited by Net_Surfer; 05-09-2011 at 01:12 AM. Reason: Please Copy and Paste report logs
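A quick way to surface the entries in the HijackThis log above that a helper would look at first: the two O23 services registered from the user's Temp directory whose binaries are already gone, and the O2 BHOs with no file behind them. This is an added example, not code from the thread or from HijackThis itself; the rules are triage heuristics, not verdicts, and the sample log is a constructed subset of the lines quoted above plus one hypothetical O4 line (marked as such) so the Run-key rule has something to fire on.

```python
"""Triage a HijackThis v2 log for the launch points a malware helper checks first.

Added example, not part of the forum thread and not HijackThis's own code.
SAMPLE_LOG is constructed from lines quoted in the post plus one hypothetical
O4 line; the heuristics are common triage rules, not authoritative verdicts.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section detail line")
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}

# Constructed sample: a subset of the posted HijackThis lines, plus one
# hypothetical O4 entry (marked) so the Run-key rule is exercised.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [example-hypothetical] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\example.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O23 - Service: OWMBK - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\OWMBK.exe (file missing)
O23 - Service: RFOD - Unknown owner - C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\RFOD.exe (file missing)
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\system32\ZipToA.exe
"""

# A launch point under any ...\Temp\ directory is the classic dropper
# footprint: legitimate services and Run entries are not installed there.
TEMP_RE = re.compile(r"\\temp\\|%temp%", re.IGNORECASE)
# O4 body: <hive>\..\Run: [<name>] <command>
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def is_temp_path(path):
    return bool(TEMP_RE.search(path))


def triage_line(line):
    """Return a Finding for one HijackThis line, or None if it looks benign."""
    line = line.strip()
    m = re.match(r"^(O\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.groups()

    if section == "O23" and body.startswith("Service:"):
        # O23 - Service: <name> - <owner> - <path> [(file missing)]
        parts = [p.strip() for p in body[len("Service:"):].split(" - ", 2)]
        if len(parts) != 3:
            return None
        name, owner, path = parts
        missing = path.endswith("(file missing)")
        if is_temp_path(path):
            note = "service %r launches from a Temp directory" % name
            if missing:
                note += "; binary already gone, so this is an orphaned dropper service to remove"
            return Finding("HIGH", section, note, line)
        if owner == "Unknown owner":
            return Finding("MEDIUM", section, "service %r carries no vendor string" % name, line)
        return None

    if section == "O2" and body.startswith("BHO:"):
        path = body.rsplit(" - ", 1)[-1]
        if is_temp_path(path):
            return Finding("HIGH", section, "BHO loaded from a Temp directory", line)
        if path == "(no file)":
            return Finding("LOW", section, "BHO registered but its DLL is missing (orphan entry)", line)
        return None

    if section == "O4":
        m4 = O4_RE.match(body)
        if m4 and is_temp_path(m4.group("cmd")):
            return Finding("HIGH", section, "Run entry %r starts a binary from Temp" % m4.group("name"), line)
        return None

    if section == "O15":
        return Finding("INFO", section, "Trusted Zone entry; confirm it is one you added", line)

    return None


def triage(log_text):
    """Triage every line of a HijackThis log, highest severity first."""
    findings = [f for f in map(triage_line, log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%-6s] %s: %s" % (f.severity, f.section, f.detail))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`. Entries flagged HIGH are candidates for the helper's fix, not verdicts; an orphaned O23 service whose file is already missing still needs its registry key removed even though there is no binary left to delete.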

#2 Net_Surfer (Member, Paradise Ca., joined May 2008, 1,179 posts, 4 blog entries)

    Hello MarkB and Welcome to the Help2Go Spyware Help Forum

    Sorry for the delay!!

    I hope your hard drive is not giving up on you... we will be checking your hard drive before we run fixing tools, or it is up to you to run the tools first.

    OK... take note:

    Hard drives are about as dependable as a teenager promising to come home by midnight. The more you know about your drive--the brand-specific idiosyncrasies and the diagnostic sounds that drives produce--the better prepared you are for the inevitable crash.
    Hard Drive Inspector is a powerful, effective and easy-to-use program that monitors hard drive health. In many cases it is able to warn the user about forthcoming disk failure in advance, thus preventing information loss. It is a handy tool to monitor your drives for spin rate, seek time, and almost 20 other potential problem spots. The program also supplies specs--including drive model, firmware version, and serial number, all perfect when calling for warranty support.

    The drive's temperature is displayed in the system tray; if the drive gets too toasty (I have mine set for 120 degrees Fahrenheit), you can get an e-mail alert, or better, automatically put the computer in Standby mode. You can view a summary health report that's enough for most of us; the S.M.A.R.T. report has the details. Hard Drive Inspector costs $30, but you can download a 15-day trial version to give you a feel for the tool; the trial is fully functional, though limited to one drive. Nonetheless, it'll tell you everything you'll need to know about your drive.

    It's not as comprehensive as Hard Drive Inspector, but if you'd prefer a freebie (of course you would!), download CrystalDiskInfo. The tool will show you the number of hours logged on your hard drive and give you its health status. If you see caution or bad, cancel all your appointments and replace the drive, like, immediately, even if you don't hear any weird sounds from the drive.

    If you listen to your hard drive, all you should hear is a soothing, comforting hum. Yet drives often make weird sounds--thuds, screeches, knocking, or whining -- and determining if a sound means trouble can be, well, troubling.

    DataCent, a data-recovery company, has an extraordinarily helpful site that plays the actual sounds of flaky hard drives: stuck spindles, bad or unstable heads, bad bearings, and bad media, to name a few. You can listen to your specific drive brand, too. Even better, the data recovery company lists typical drive failures by manufacturer. Listen to a Seagate drive with bad heads making a clicking and knocking sound.

    ================***==================

    My nick is Net_Surfer and I will be helping you with your malware issues, this may or may not solve other issues you may have with your machine.

    Please note that whatever repairs we make, are for fixing "your computer problems only" and by no means should be used on another computer.

    I would also like to inform you that most of us here at Help2Go support forums offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative of the assistance provided!


    Please be patient and I'd be grateful if you would note the following:

    The cleaning process is not instant. Combofix, OTL and hijackthis logs can take some time to research, Please be aware that I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.

    I use Google as resource to research what the problem is just to understand some of the infections that are infecting the computer and understand where I need to focus more on to ensure that the member get the best and honest service.

    so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.


    1. Please Read All Instructions Carefully and perform the steps fully and in the order they are written.
    2. If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    3. Do not attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. Never will there be an all in one solution for repairing an infected computer. You must have a great arsenal of utilities that can take care of what another program may miss or isn't as specialized as another.
    4. In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.
    5. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
    6. Please continue to review my answers until I tell you that your machine is clean and free of malware. (Absence of symptoms does not mean that everything is clear. Just because you can't see a problem doesn't mean it isn't there.)

    If you can do these things, everything should go smoothly!


    OK... If you have a Vista or Win7 computer, ensure that you right-click on the tools and run them as an Admin. If XP, double-click on the program to run them.

    Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
    Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.

    Please carefully follow the next set of steps:


    If you can not download and run the following tools, then I would like for you to try another approach:

    If you have the use of another computer please either use a Flash Drive or a CD to download the following and transfer them for use on the infected machine.
    Be sure you put them on the desktop of the infected computer.


    Step 1.

    System File Checker (sfc.exe)

    We need to check for corrupted files in your computer and we will be using the System File Checker (sfc.exe)
    (System File Checker gives an administrator the ability to scan all protected files to verify their versions. If System File Checker discovers that a protected file has been overwritten, it retrieves the correct version of the file from the cache folder (%Systemroot%\System32\Dllcache) or the Windows installation source files, and then replaces the incorrect file. System File Checker also checks and repopulates the cache folder. You must be logged on as an administrator or as a member of the Administrators group to run System File Checker. )


    Click Start >> Run >> Then enter sfc /scannow



    This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.

    It will check your system files ( including the USERINIT.EXE one ) and replace any that don't match from the CD.

    In an ideal world that would be the end of the story... Any corrupt, missing or incorrect files would be replaced by this process.

    NEXT...
    Step 2.
    After this completes

    Click Start >> Run >> Then enter chkdsk /r

    After this completes

    Click Start >> Run >> Then enter chkdsk /f

    Let me know how you go..

    Step 3.

    * exeHelper by Raktor.

    Please download: exeHelper to your desktop.
    Double-click on exeHelper.com to run the fix.
    A black window should pop up, press any key to close once the fix is completed.
    Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Step 4.

    Download TDSSKiller.exe (v2.4.0.0) from Kaspersky Labs and save it to your desktop. <-Important!!!
    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension
    • Click the Start Scan button.
    • Do not use the computer during the scan.
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_14.17.05_log.txt) will be created and saved to the root directory ( usually Local Disk C ).
    * Post this log to your next message.

    If needed see the TDSS Rootkit Removing Tool website for detailed instructions on running TDSSkiller.
    ========

    Step 5.

    We will use ComboFix to install the Microsoft Recovery Console for Windows XP

    - Recent trends appear to indicate that future infections will include attacks to the boot sector of the computer. The installation of the Recovery Console in the computer will be our only defense against this threat.

    Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

    * Please visit this webpage for instructions for downloading and running ComboFix if you have problems running it:

    Please download ComboFix from one of the following mirrors, and save it to your desktop.
    Warning: This tool is not a toy and not for everyday use!
    Link 1
    Link 2
    Link 3
    • Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
    • Please insert all usb-drives before running Combofix
    • Close any open browsers.
    • Double-click ComboFix.exe on your desktop.
      If using Vista/Win7, right-click and Run as Administrator...
    • Read and accept (Press Yes) to the disclaimer.
    • Follow the prompts...And allow the installation of the Recovery Console!!! <--IMPORTANT
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
      Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
      **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
    • *Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

      Post the log from ComboFix in your next reply.


    *EXTRA NOTES*

    * If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    * If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
    * If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

    Summary of the logs I will need in your next reply:
    • ExeHelper log.
    • The TDSSKiller report log.
    • The ComboFix log.

    How are things at your end?


    Upon completing the above steps I will review your logs again and take the steps necessary with you to get your machine back in working order clean and free of malware.

    Again, Please DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean and free of malware!!!

    The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day then I will close the topic.

    Kind regards
    Net_Surfer
    Last edited by Net_Surfer; 05-09-2011 at 10:05 PM.
    Our help here is always free but it does cost money to keep the site running. If you feel we've helped you kindly, Click here: >> Please Donate to the Forum <<


    "Obstacles are what you see when you take your eyes off your Goals"

    Net_Surfer is a Graduate of BleepingComputer Malware Removal Training Program. You too could train to help others!

#3 (Member, joined May 2011, 21 posts)

    Hello Net_Surfer -

    First: Thank you for your prompt response. Greatly appreciated.

    Started following your instructions and, unfortunately, ran into a problem with SFC.

    Launched SFC with "SFC /SCANNOW" from within a CMD window.

    It ran for awhile then popped up a panel:

    Files that are required for Windows to run properly have been
    replaced by unrecognized versions. To maintain system stability
    Windows must restore the original versions of these files.

    Insert your Windows XP Professional Service Pack 3 CD now.

    Three buttons: "Retry", "More Information", and "Cancel".

    This computer is not running XP Professional: it was loaded with XP Media Edition and My Computer --> Properties reflects that with "Media Center Edition" in the "System" information block.

    I do have Service Pack 3 burned to a CD and so inserted that into the drive. This is the same CD used to upgrade from Service Pack 2.

    SFC runs for a few moments then presents another pane with the message:

    The CD you provided is the wrong CD.
    Please insert the Windows XP Professional Service Pack 3
    CD into your CD-ROM drive.

    A few rounds of this and I'm getting nowhere. So this step was aborted. I've run an MD5 checksum of four files starting with SFC in C:\WINDOWS\SYSTEM32. Here are the MD5 sums:

    96e1c926f22ee1bfbae82901a35f6bf3 *sfc.dll
    18dbcdcafcd83e3a5646d359dcd03c93 *sfc.exe
    9dd07af82244867ca36681ea2d29ce79 *sfcfiles.dll
    6b5db6789177a4fd0debc248041d0739 *sfc_os.dll

    By chance, do you have MD5 sums for your versions of these files (assuming you're running WinXP SP3 + patches) ?

    The next step in your instructions was to run CHKDSK /r . That ran for a moment then presented a message indicating the volume could not be locked and would I like this to run on the next reboot. Gave the OK for that and CHKDSK output "this will be run at the next reboot."

    Rebooted the computer.

    Net_Surfer, CHKDSK took more than five hours to complete. It tested the filesystem structure (three segments of that) and the used and unused disk space. In all that, it found one bad block out of 250 GB of disk. It added the block to a bad blocks list somewhere. Good call.

    It is now 1:14 AM and I must get some sleep. The other programs mentioned in your post have been copied to the computer and will be run on my return from work Tuesday.

    MarkB
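The MD5 question above can be answered without trusting a stranger's list: hash the same files on a known-clean machine at the same build and patch level (the build string shown at the top of Safe Mode is what has to match, not just "XP SP3") and diff the two lists. This is an added example, not from the thread. The SUSPECT list is the four lines posted above; the BASELINE is a hypothetical list constructed so the demo shows both a match and a mismatch, and its values are not real Windows XP reference hashes.

```python
"""Diff md5sum/sha256sum-style hash lists from a suspect and a clean machine.

Added example, not part of the forum thread.  SUSPECT is the four lines the
poster gave; BASELINE is HYPOTHETICAL, constructed for the demo, and none of
its values are real Windows XP SP3 reference hashes.
"""
import hashlib
import os

# The four lines posted above (md5sum output; '*' marks binary mode).
SUSPECT = """\
96e1c926f22ee1bfbae82901a35f6bf3 *sfc.dll
18dbcdcafcd83e3a5646d359dcd03c93 *sfc.exe
9dd07af82244867ca36681ea2d29ce79 *sfcfiles.dll
6b5db6789177a4fd0debc248041d0739 *sfc_os.dll
"""

# HYPOTHETICAL baseline.  Three entries repeat the posted values purely so
# the demo shows matches, sfc_os.dll is deliberately different, and
# example.dll exists only here.  Not verified reference values.
BASELINE = """\
96e1c926f22ee1bfbae82901a35f6bf3 *sfc.dll
18dbcdcafcd83e3a5646d359dcd03c93 *sfc.exe
9dd07af82244867ca36681ea2d29ce79 *sfcfiles.dll
00000000000000000000000000000000 *sfc_os.dll
11111111111111111111111111111111 *example.dll
"""


def parse_sums(text):
    """Parse '<hex> *<name>' or '<hex>  <name>' lines into {basename: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        name = name.lstrip("*")  # md5sum's binary-mode marker
        sums[os.path.basename(name).lower()] = digest.lower()
    return sums


def hash_bytes(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algo="sha256"):
    """Stream a file through the chosen digest so large files are not read whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sums_for(paths, algo="sha256"):
    """Emit the same '<hex> *<name>' format for a list of files, so both
    machines are hashed identically (run this on the clean box and the
    suspect box and feed the outputs to compare())."""
    return "\n".join("%s *%s" % (hash_file(p, algo), os.path.basename(p)) for p in paths)


def compare(baseline, suspect):
    """Classify every suspect file against the baseline."""
    b, s = parse_sums(baseline), parse_sums(suspect)
    return {
        "match": sorted(n for n in s if n in b and b[n] == s[n]),
        "mismatch": sorted(n for n in s if n in b and b[n] != s[n]),
        "unknown": sorted(n for n in s if n not in b),   # on suspect only
        "absent": sorted(n for n in b if n not in s),    # on baseline only
    }


if __name__ == "__main__":
    for kind, names in compare(BASELINE, SUSPECT).items():
        print("%-9s %s" % (kind + ":", ", ".join(names) or "-"))
```

A mismatch only says the bytes differ; whether the differing file is a legitimately patched version or a tampered one is what the sfc.exe run above (or a signature check with a tool such as Sysinternals sigcheck) decides. When producing fresh lists with `sums_for`, prefer SHA-256 over MD5 on both machines.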

#4 Net_Surfer (Member, Paradise Ca., joined May 2008, 1,179 posts, 4 blog entries)

    Hi Mark

    Can you borrow a cd from a friend? If not we can manage later.

    I edited my first reply with more info.....check it out....you need to read the beginning of my reply to see it.

    I will wait for other report logs......Tdsskiller only takes three minutes and that tool may fix your problem.

    Regards
    Net_Surfer

#5 (Member, joined May 2011, 21 posts)

    Hello Net_Surfer -

    Alright.. your quick reply is going to make me dead tired for work in the morning.

    I've run exeHelper, TDSSKiller.exe, and ComboFix. The logs should be attached.

    ComboFix tickled something in "PEV.EXE":

    The instruction at "0x0039a5e8" referenced memory at "0x0039a5e8". The memory could not be "written".

    That panel was up there for a bit of time... then something wiped it off the display.

    Interesting that the Repair Console was already installed (installed as part of the original OS installation) but that a fresh load was stored ..somewhere. Haven't rebooted yet.

    Oh yes: I wanted to write down the Safe Mode string at the top of the display:

    Microsoft (R) Windows XP (R) (Build 2600.xpsp_sp3_gdr.101209-1647: Service Pack 3)

    Hope these logs have been attached properly.

    MarkB
    ===============
    ComboFix 11-05-09.02 - HP_Administrator 05/10/2011 1:48.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2942.2185 [GMT -4:00]
    Running from: c:\documents and settings\HP_Administrator\Desktop\ANTI MALWARE\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\WINDOWS
    c:\documents and settings\Default User\WINDOWS
    c:\documents and settings\HP_Administrator\Application Data\inst.exe
    c:\documents and settings\HP_Administrator\WINDOWS
    c:\documents and settings\UpdatusUser\WINDOWS
    c:\program files\INSTALL.LOG
    c:\windows\system\VI30AUT.DLL
    c:\windows\system32\config\systemprofile\WINDOWS
    c:\windows\system32\html
    c:\windows\system32\html\calendar.html
    c:\windows\system32\html\calendarbottom.html
    c:\windows\system32\html\calendartop.html
    c:\windows\system32\html\crystalexportdialog.htm
    c:\windows\system32\html\crystalprinthost.html
    c:\windows\system32\images
    c:\windows\system32\images\toolbar\calendar.gif
    c:\windows\system32\images\toolbar\crlogo.gif
    c:\windows\system32\images\toolbar\export.gif
    c:\windows\system32\images\toolbar\export_over.gif
    c:\windows\system32\images\toolbar\exportd.gif
    c:\windows\system32\images\toolbar\First.gif
    c:\windows\system32\images\toolbar\first_over.gif
    c:\windows\system32\images\toolbar\Firstd.gif
    c:\windows\system32\images\toolbar\gotopage.gif
    c:\windows\system32\images\toolbar\gotopage_over.gif
    c:\windows\system32\images\toolbar\gotopaged.gif
    c:\windows\system32\images\toolbar\grouptree.gif
    c:\windows\system32\images\toolbar\grouptree_over.gif
    c:\windows\system32\images\toolbar\grouptreed.gif
    c:\windows\system32\images\toolbar\grouptreepressed.gif
    c:\windows\system32\images\toolbar\Last.gif
    c:\windows\system32\images\toolbar\last_over.gif
    c:\windows\system32\images\toolbar\Lastd.gif
    c:\windows\system32\images\toolbar\Next.gif
    c:\windows\system32\images\toolbar\next_over.gif
    c:\windows\system32\images\toolbar\Nextd.gif
    c:\windows\system32\images\toolbar\Prev.gif
    c:\windows\system32\images\toolbar\prev_over.gif
    c:\windows\system32\images\toolbar\Prevd.gif
    c:\windows\system32\images\toolbar\print.gif
    c:\windows\system32\images\toolbar\print_over.gif
    c:\windows\system32\images\toolbar\printd.gif
    c:\windows\system32\images\toolbar\Refresh.gif
    c:\windows\system32\images\toolbar\refresh_over.gif
    c:\windows\system32\images\toolbar\refreshd.gif
    c:\windows\system32\images\toolbar\Search.gif
    c:\windows\system32\images\toolbar\search_over.gif
    c:\windows\system32\images\toolbar\searchd.gif
    c:\windows\system32\images\toolbar\up.gif
    c:\windows\system32\images\toolbar\up_over.gif
    c:\windows\system32\images\toolbar\upd.gif
    c:\windows\system32\images\tree\begindots.gif
    c:\windows\system32\images\tree\beginminus.gif
    c:\windows\system32\images\tree\beginplus.gif
    c:\windows\system32\images\tree\blank.gif
    c:\windows\system32\images\tree\blankdots.gif
    c:\windows\system32\images\tree\dots.gif
    c:\windows\system32\images\tree\lastdots.gif
    c:\windows\system32\images\tree\lastminus.gif
    c:\windows\system32\images\tree\lastplus.gif
    c:\windows\system32\images\tree\Magnify.gif
    c:\windows\system32\images\tree\minus.gif
    c:\windows\system32\images\tree\minusbox.gif
    c:\windows\system32\images\tree\plus.gif
    c:\windows\system32\images\tree\plusbox.gif
    c:\windows\system32\images\tree\singleminus.gif
    c:\windows\system32\images\tree\singleplus.gif
    c:\windows\system32\tmp.reg
    c:\windows\YAHELITE.INI
    D:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-10 01:16 . 2001-08-17 18:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
    2011-05-10 01:06 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{98A9BBDD-AE0D-4B95-92A4-533F76175DD7}\mpengine.dll
    2011-05-07 15:57 . 2011-05-07 16:00 -------- d-----w- C:\CCleaner Registry Backups
    2011-05-07 15:41 . 2011-05-07 15:41 -------- d-----w- c:\program files\CCleaner
    2011-05-07 09:15 . 2011-05-07 09:15 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2011-05-07 08:59 . 2011-05-07 09:00 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Tific
    2011-05-07 08:59 . 2011-05-07 08:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Tific
    2011-05-07 08:58 . 2011-05-07 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2011-05-03 02:39 . 2011-05-10 05:53 -------- d-----w- c:\documents and settings\UpdatusUser
    2011-05-03 02:39 . 2011-05-03 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
    2011-05-03 02:39 . 2011-05-03 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
    2011-05-03 02:35 . 2011-05-03 02:35 259604 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2011-05-03 02:35 . 2011-05-03 02:35 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2011-05-03 02:35 . 2011-05-03 02:35 259604 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2011-05-03 02:32 . 2011-04-08 05:14 4111232 ----a-w- c:\windows\system32\nv4_disp.dll
    2011-05-03 02:32 . 2011-04-08 05:14 4111232 ----a-w- c:\windows\system32\dllcache\nv4_disp.dll
    2011-05-03 02:31 . 2011-04-08 05:14 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2011-05-03 02:31 . 2011-04-08 05:14 14856192 ----a-w- c:\windows\system32\nvoglnt.dll
    2011-05-03 02:30 . 2011-04-08 05:14 944232 ----a-w- c:\windows\system32\nvdispco3220140.dll
    2011-05-03 02:30 . 2011-04-08 05:14 855656 ----a-w- c:\windows\system32\nvgenco322060.dll
    2011-05-03 02:30 . 2011-04-08 05:14 5210112 ----a-w- c:\windows\system32\nvcuda.dll
    2011-05-03 02:30 . 2011-04-08 05:14 2770536 ----a-w- c:\windows\system32\nvcuvid.dll
    2011-05-03 02:30 . 2011-04-08 05:14 2116894 ----a-w- c:\windows\system32\nvdata.bin
    2011-05-03 02:30 . 2011-04-08 05:14 2074216 ----a-w- c:\windows\system32\nvcuvenc.dll
    2011-05-03 02:30 . 2011-04-08 05:14 2027008 ----a-w- c:\windows\system32\nvapi.dll
    2011-05-03 02:30 . 2011-04-08 05:14 13000704 ----a-w- c:\windows\system32\nvcompiler.dll
    2011-04-24 05:09 . 2011-04-24 05:18 1424 ----a-w- C:\output.bat
    2011-04-20 02:25 . 2011-05-01 00:19 -------- d-----w- c:\program files\SecondLifeViewer2
    2011-04-17 02:55 . 2011-04-17 02:57 -------- d-----w- c:\program files\YahELite
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-13 04:10 . 2008-05-02 00:21 18368 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
    2011-04-13 04:10 . 2008-05-02 00:21 1721216 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
    2011-04-11 07:04 . 2009-11-04 12:49 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-04-08 05:14 . 2009-06-20 15:07 12501600 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2011-04-08 02:15 . 2011-04-08 02:15 81920 ----a-w- c:\windows\system32\nvwddi.dll
    2011-04-08 02:15 . 2011-04-08 02:15 580200 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
    2011-04-08 02:15 . 2011-04-08 02:15 277608 ----a-w- c:\windows\system32\nvmccs.dll
    2011-04-08 02:15 . 2011-04-08 02:15 13891176 ----a-w- c:\windows\system32\nvcpl.dll
    2011-04-08 02:15 . 2011-04-08 02:15 111208 ----a-w- c:\windows\system32\nvmctray.dll
    2011-04-08 02:15 . 2011-04-08 02:15 155752 ----a-w- c:\windows\system32\nvsvc32.exe
    2011-04-08 02:15 . 2011-04-08 02:15 145000 ----a-w- c:\windows\system32\nvcolor.exe
    2011-03-07 05:33 . 2007-08-29 04:26 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-03-04 06:45 . 2007-08-29 04:29 434176 ----a-w- c:\windows\system32\vbscript.dll
    2011-03-03 13:21 . 2007-08-29 04:29 1857920 ----a-w- c:\windows\system32\win32k.sys
    2011-02-17 19:00 . 2007-08-29 04:29 832512 ----a-w- c:\windows\system32\wininet.dll
    2011-02-17 19:00 . 2007-08-29 04:26 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-02-17 19:00 . 2007-08-29 04:26 78336 ----a-w- c:\windows\system32\ieencode.dll
    2011-02-17 19:00 . 2007-08-29 04:25 17408 ----a-w- c:\windows\system32\corpol.dll
    2011-02-17 13:18 . 2007-08-29 04:27 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-02-17 13:18 . 2007-08-29 04:28 357888 ----a-w- c:\windows\system32\drivers\srv.sys
    2011-02-17 12:32 . 2009-04-14 22:18 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2011-02-17 11:44 . 2007-08-29 04:26 389120 ----a-w- c:\windows\system32\html.iec
    2011-02-15 12:56 . 2007-08-29 04:25 290432 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-11 13:25 . 2008-05-11 01:03 229888 ----a-w- c:\windows\system32\fxscover.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
    "ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
    "Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
    "Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
    "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
    "SoundMan"="SOUNDMAN.EXE" [2005-09-21 86016]
    "HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-25 245760]
    "AlcWzrd"="ALCWZRD.EXE" [2005-09-21 2807808]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "NvMediaCenter"="NvMCTray.dll" [2011-04-08 111208]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-04-08 13891176]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2011-02-24 1753192]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-05-08 77824]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-08 22:07 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\pirch98\\pirch98.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
    "c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "c:\\Program Files\\SecondLifeViewer2\\slplugin.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SecondLife\\SecondLife.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\WINDOWS\\system32\\fxsclnt.exe"=
    "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
    "c:\\Program Files\\Hippo_OpenSim_Viewer\\SLVoice.exe"=
    "c:\\Program Files\\SecondLife\\SLVoice.exe"=
    "c:\\XX\\SLG2\\Release\\SLG2.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    "AllowInboundTimestampRequest"= 0 (0x0)
    "AllowInboundMaskRequest"= 0 (0x0)
    "AllowInboundRouterRequest"= 0 (0x0)
    "AllowOutboundDestinationUnreachable"= 0 (0x0)
    "AllowOutboundSourceQuench"= 0 (0x0)
    "AllowOutboundParameterProblem"= 0 (0x0)
    "AllowOutboundTimeExceeded"= 0 (0x0)
    "AllowRedirect"= 0 (0x0)
    "AllowOutboundPacketTooBig"= 0 (0x0)
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 67656]
    R2 DriverX;DriverX;c:\windows\system32\drivers\driverx.sys [3/30/2009 9:12 PM 234140]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [5/2/2011 10:39 PM 2218600]
    R2 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/29/2007 12:28 AM 14336]
    R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [4/9/2008 9:28 AM 80256]
    R3 nmserial;PCI Serial Port;c:\windows\system32\drivers\NmSerial.sys [4/4/2008 7:30 AM 70016]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S3 4mmdat;4mmdat;c:\windows\system32\drivers\4mmdat.sys [4/20/2009 7:49 PM 12288]
    S3 OWMBK;OWMBK;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\OWMBK.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\OWMBK.exe [?]
    S3 RFOD;RFOD;c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RFOD.exe --> c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RFOD.exe [?]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 12872]
    S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [10/11/2008 1:04 AM 11520]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - KLMD25
    *Deregistered* - klmd25
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WINRM REG_MULTI_SZ WINRM
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.wildtangent.com/webdriver_privacy/
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel
    Trusted Zone: microsoft.com\*.windowsupdate
    Trusted Zone: windowsupdate.com
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
    FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\a0whf4qj.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - prefs.js: keyword.URL - hxxps://www.google.com/search?ZUGO&form=2GAADF&q=
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: BetterPrivacy: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3} - %profile%\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Notify-AtiExtEvent - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-10 01:54
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600
    .
    CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
    device: opened successfully
    user: error reading MBR
    kernel: MBR read successfully
    user != kernel MBR !!!
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
    "ImagePath"="\"\""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(524)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-05-10 02:03:56
    ComboFix-quarantined-files.txt 2011-05-10 06:03
    .
    Pre-Run: 149,635,817,472 bytes free
    Post-Run: 150,082,170,880 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /fastdetect /usepmtimer /NoExecute=OptOut
    .
    - - End Of File - - 1CAFFE1ADF96235B487A88EB54496C32
    ================
    2011/05/10 01:34:17.0343 3248 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
    2011/05/10 01:34:18.0421 3248 ================================================================================
    2011/05/10 01:34:18.0421 3248 SystemInfo:
    2011/05/10 01:34:18.0421 3248
    2011/05/10 01:34:18.0421 3248 OS Version: 5.1.2600 ServicePack: 3.0
    2011/05/10 01:34:18.0421 3248 Product type: Workstation
    2011/05/10 01:34:18.0421 3248 ComputerName: P4_630
    2011/05/10 01:34:18.0421 3248 UserName: HP_Administrator
    2011/05/10 01:34:18.0421 3248 Windows directory: C:\WINDOWS
    2011/05/10 01:34:18.0421 3248 System windows directory: C:\WINDOWS
    2011/05/10 01:34:18.0421 3248 Processor architecture: Intel x86
    2011/05/10 01:34:18.0421 3248 Number of processors: 2
    2011/05/10 01:34:18.0421 3248 Page size: 0x1000
    2011/05/10 01:34:18.0421 3248 Boot type: Normal boot
    2011/05/10 01:34:18.0421 3248 ================================================================================
    2011/05/10 01:34:19.0531 3248 Initialize success
    2011/05/10 01:34:24.0703 3264 ================================================================================
    2011/05/10 01:34:24.0703 3264 Scan started
    2011/05/10 01:34:24.0703 3264 Mode: Manual;
    2011/05/10 01:34:24.0703 3264 ================================================================================
    2011/05/10 01:34:30.0781 3264 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/05/10 01:34:30.0828 3264 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/05/10 01:34:30.0890 3264 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/05/10 01:34:30.0921 3264 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/05/10 01:34:31.0015 3264 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/05/10 01:34:31.0046 3264 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2011/05/10 01:34:31.0093 3264 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
    2011/05/10 01:34:31.0109 3264 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/05/10 01:34:31.0140 3264 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/05/10 01:34:31.0265 3264 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/05/10 01:34:31.0296 3264 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/05/10 01:34:31.0328 3264 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/05/10 01:34:31.0343 3264 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/05/10 01:34:31.0359 3264 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/05/10 01:34:31.0390 3264 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/05/10 01:34:31.0406 3264 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/05/10 01:34:31.0453 3264 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/05/10 01:34:31.0484 3264 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/05/10 01:34:31.0562 3264 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
    2011/05/10 01:34:31.0593 3264 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
    2011/05/10 01:34:31.0687 3264 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2011/05/10 01:34:31.0718 3264 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    2011/05/10 01:34:31.0734 3264 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    2011/05/10 01:34:31.0812 3264 scsiscan (089870dab7aa277585c475ae09ee4c63) C:\WINDOWS\system32\DRIVERS\scsiscan.sys
    2011/05/10 01:34:31.0843 3264 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/05/10 01:34:31.0906 3264 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/05/10 01:34:31.0921 3264 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/05/10 01:34:31.0984 3264 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/05/10 01:34:32.0046 3264 SISNIC (3fbb6ef8b5a71a2fa11f5f461bb73219) C:\WINDOWS\system32\DRIVERS\sisnic.sys
    2011/05/10 01:34:32.0062 3264 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/05/10 01:34:32.0140 3264 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
    2011/05/10 01:34:32.0218 3264 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/05/10 01:34:32.0250 3264 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/05/10 01:34:32.0296 3264 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/05/10 01:34:32.0328 3264 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/05/10 01:34:32.0343 3264 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/05/10 01:34:32.0359 3264 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/05/10 01:34:32.0468 3264 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/05/10 01:34:32.0546 3264 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/05/10 01:34:32.0578 3264 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/05/10 01:34:32.0609 3264 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/05/10 01:34:32.0625 3264 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/05/10 01:34:32.0703 3264 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/05/10 01:34:32.0765 3264 umpusbxp (4685ca976167ef2bbab18694346062df) C:\WINDOWS\system32\DRIVERS\umpusbxp.sys
    2011/05/10 01:34:32.0812 3264 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/05/10 01:34:32.0875 3264 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/05/10 01:34:32.0921 3264 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/05/10 01:34:32.0968 3264 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2011/05/10 01:34:32.0984 3264 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/05/10 01:34:33.0015 3264 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/05/10 01:34:33.0062 3264 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/05/10 01:34:33.0093 3264 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/05/10 01:34:33.0109 3264 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/05/10 01:34:33.0156 3264 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/05/10 01:34:33.0187 3264 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/05/10 01:34:33.0312 3264 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/05/10 01:34:33.0343 3264 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/05/10 01:34:33.0359 3264 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/05/10 01:34:33.0515 3264 ================================================================================
    2011/05/10 01:34:33.0515 3264 Scan finished
    2011/05/10 01:34:33.0515 3264 ================================================================================
    Last edited by Net_Surfer; 05-10-2011 at 03:43 AM.
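    As an added example (not code from the thread and not part of TDSSKiller itself), the script below parses per-driver lines in the TDSSKiller log format posted above and flags drivers that load from outside the Windows driver directory or whose MD5 differs from a reference table; the sample lines, the reference hashes and the two rules are constructed for this illustration.

```python
"""Triage the per-driver lines of a TDSSKiller log.

Added example, not TDSSKiller's code and not code from the thread.  Each
driver line has the shape
    YYYY/MM/DD HH:MM:SS.mmmm  <pid>  <service> (<md5>) <path>
Two constructed rules are applied: flag drivers that load from outside the
Windows driver directory, and flag drivers whose MD5 differs from a reference
hash the analyst already trusts.  Sample lines and reference hashes below are
constructed for this example (the hashes are placeholders, not real file hashes).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# date, time, pid, service, 32 hex digits in parentheses, then the path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>[\d:.]+) (?P<pid>\d+) "
    r"(?P<service>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$"
)

# Where XP's own kernel-mode drivers normally live (compared case-insensitively).
TRUSTED_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class DriverEntry:
    service: str
    md5: str
    path: str


def parse_log(text: str) -> list[DriverEntry]:
    """Return the driver entries in a TDSSKiller log; banner and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(DriverEntry(m["service"], m["md5"].lower(), m["path"]))
    return entries


def triage(entries: list[DriverEntry], reference: dict[str, str]) -> dict[str, list[str]]:
    """Return service names that need a closer look, grouped by rule.

    reference maps a lower-cased service name to the MD5 the analyst expects.
    An unusual path is not proof of anything (third-party tools load drivers
    from Program Files), but it is where a manual review should start.
    """
    findings: dict[str, list[str]] = {"unusual_path": [], "hash_mismatch": []}
    for e in entries:
        if not e.path.lower().startswith(TRUSTED_DIR):
            findings["unusual_path"].append(e.service)
        expected = reference.get(e.service.lower())
        if expected is not None and expected.lower() != e.md5:
            findings["hash_mismatch"].append(e.service)
    return findings


# Constructed sample log in TDSSKiller's format (hashes are placeholders).
SAMPLE_LOG = r"""
2011/05/10 01:34:28.0765 3264 mouhid (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/10 01:34:32.0140 3264 speedfan (fedcba9876543210fedcba9876543210) C:\WINDOWS\system32\speedfan.sys
2011/05/10 01:34:32.0546 3264 Tcpip (11111111111111111111111111111111) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/10 01:34:33.0100 3264 example (22222222222222222222222222222222) C:\DOCUME~1\USER\LOCALS~1\Temp\example.sys
2011/05/10 01:34:33.0515 3264 ================================================================================
2011/05/10 01:34:33.0515 3264 Scan finished
"""

# Constructed reference table: what the analyst expects for two known services.
REFERENCE = {
    "tcpip": "11111111111111111111111111111111",   # matches the sample line
    "mouhid": "99999999999999999999999999999999",  # deliberately differs
}


def triage_sample() -> dict[str, list[str]]:
    """Run both rules over the constructed sample log."""
    return triage(parse_log(SAMPLE_LOG), REFERENCE)


if __name__ == "__main__":
    for rule, services in triage_sample().items():
        print(f"{rule}: {', '.join(services) or 'none'}")
```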

  6. #6
    Member Net_Surfer's Avatar
    Join Date
    May 2008
    Location
    Paradise Ca.
    Posts
    1,179
    Points
    89
    Blog Entries
    4

    Default

    Hi MarkB

    This kind of infection you have, the TDL4 rootkit, usually comes along while using file sharing programs like uTorrent etc.

    P2P (File Sharing) Warning!

    P2P file sharing: >>> Know the risks <<<


    Going over your logs I noticed that you have been using P2P programs!!!

    Please note that as long as you're using any form of Peer-to-Peer networking (Morpheus, Ares, Limewire, Bit Torrent etc.) and downloading files from non-documented sources, you can expect infestations of malware to occur.

    Once upon a time, P2P file sharing was fairly safe. That is no longer true.
    P2P programmes form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

    Many of the programmes come bundled with other unwanted programmes, but even the ones free of any bundled software are not safe to use.
    When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

    There are some very good reasons for this, and they are for your protection:


    From a security standpoint, p2p forms a direct connection into your computer and circumvents or bypasses most security, Anti-Malware and firewall software or hardware.

    Any type of security on these programs is poor at best and non-existent on some; this could lead to Malware being downloaded into your computer without your knowledge.

    Additionally, in cases where the program has not been configured correctly, a lot more than your music files have finished up being shared with others.

    Passwords, PIN numbers, bank accounts, and other personal details have been harvested by the unscrupulous for their own gain at your expense.

    Have a read of the below article to see where that happened:

    Update: Seattle man arrested for p-to-p ID theft | InfoWorld | News | 2007-09-06 | By Robert McMillan, IDG News Service


    Are You Leaking Your "State Secrets" Over P2P?

    Peer-to-peer file sharing, or P2P, has become enormously popular because it allows users to easily exchange music and video files over the Internet. Tens of millions of people use P2P applications such as Limewire, eDonkey and BearShare to fill their MP3 players and hard drives with all the music and movies they want, all for free. But even "free" has a cost.

    In addition to violating copyright laws, there are other potential dangers when downloading files via P2P. For instance, hackers know that source files on P2P networks are not being validated, so it's easy to trick you into downloading a virus or spyware instead of the Justin Bieber video you thought you were getting.

    The other major issue is the simple fact that P2P programs share your data with all of the other P2P users in cyberspace. Because of this, there is a good chance you might unknowingly share your most precious and private data with the rest of the world. During installation P2P programs scan your hard drive, looking for files to share. If you do not exercise caution, your entire hard drive, including any confidential documents it may contain, could be left wide open for anyone to access. Think about the files you have on your PC right now. Are you storing documents that have your passwords, Social Security number, or bank account information? If you have P2P software on your PC, you could be targeted for identity theft.

    A criminal hacker can locate sensitive information on other P2P users' PCs by performing a quick search for a few keywords: "passwords," "taxes," "banking," etc. The search turns up documents that the hacker can download. It's that simple.

    Digging through P2P networks for my own research, I've uncovered tax returns, student loan applications, credit reports, and Social Security numbers. I've found love letters, private photos, videos, and just about anything else that can be saved as a digital file. P2P networks have even exposed details on a U.S. Secret Service safe house for the president and his family, and revealed blueprints for President Obama's private helicopter. While you probably don't have state secrets stored on your PC, you should still take care to keep your sensitive files safe.

    Here are some tips to protect you from accidentally sharing data on a P2P network:

    * The smartest way to stay safe is not to install P2P software on your computer in the first place
    * If you think a family member may have installed P2P software on their computer, check for new, unfamiliar applications. A look at your "All Programs Menu" will show nearly every program on your computer. If you see one you don't recognize, do an online search to see if it is a P2P application
    * Set administrative privileges on your computer to prevent the installation of new software without your knowledge
    * Use comprehensive security software such as McAfee® Total Protection and keep it up to date
    * Make sure your firewall is enabled, and if an application asks you to change your settings to enable access to the Internet, don't allow it

    To protect your identity, use McAfee Identity Protection which continually monitors your information and works to proactively protect you and will be there to assist you in the event that your identity is compromised.

    P2P file sharing can be tempting, but in most cases, the costly dangers just aren't worth it.

    Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

    It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.



    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, GMER - Rootkit Detector and Remover
    Windows 5.1.2600
    .
    CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
    device: opened successfully
    user: error reading MBR
    kernel: MBR read successfully
    user != kernel MBR !!!
    You do have the TDL4 rootkit...TDSSKiller failed to detect it on your system...That is the main reason for your problems.

    We need to give you the standard "compromised system" spiel before we go on:
    IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms, and of stealing sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

    If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read "How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?"

    Although we MIGHT be able to remove the rootkit, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that IF the rootkit can be removed the computer will then be secure.

    In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

    Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let us know how you wish to proceed.

    If you would like to continue cleaning your system, please follow the next set of steps:


    Please carefully follow my next set of steps:

    Step 1.

    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it


    Click the "Scan" button to start scan



    On completion of the scan click save log, save it to your desktop and post in your next reply.

    Step 2.

    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.
    -- If you encounter any problems, try running GMER in Safe Mode.

    Step 3.

    Please right click on the TDSSKiller.exe on your desktop and select delete...We will use a new version of the tool:

    Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
    Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • If TDSSKiller does not run, try renaming it.
    • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
    • Click the Start Scan button.
    • Do not use the computer during the scan
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C).
    • Copy and paste the contents of that file in your next reply.





    Please do not attach the report logs........just copy and paste please.

    Regards
    Net_Surfer
    Last edited by Net_Surfer; 05-10-2011 at 04:15 AM.
    Our help here is always free but it does cost money to keep the site running. If you feel we've helped you kindly, Click here: >> Please Donate to the Forum <<


    "Obstacles are what you see when you take your eyes off your Goals"

    Net_Surfer is a Graduate of BleepingComputer Malware Removal Training Program. You too could train to help others!
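    The GMER detector line "user != kernel MBR !!!" quoted in the post above rests on reading the first sector through two different paths and comparing the results. The following Python, added here and not GMER's or the thread's own code, performs that comparison on two constructed 512-byte MBR images and extends it with a partition-table decode and a known-good bootstrap-code hash check of the kind aswMBR reports as "default MBR code"; CLEAN_MBR, PATCHED_MBR and KNOWN_GOOD are constructed values, not real disk data.

```python
"""Compare two reads of the same disk's MBR, the idea behind the GMER
detector's "user != kernel MBR" verdict.

Added example, not GMER's code and not from the thread.  Both 512-byte
images are constructed in memory: CLEAN_MBR stands for the MBR one read
path returns, PATCHED_MBR for what the other read path returns.  A bootkit
that filters one read path can hand back a clean copy there while the other
path sees the modified sector, so the two views disagree.
"""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440          # bootstrap code area (offsets 0..439)
SIG_OFFSET = 440        # 4-byte disk signature, then 2 reserved bytes
PT_OFFSET = 446         # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # offsets 510..511


def build_mbr(code: bytes, disk_sig: int, parts: list) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code, a disk signature and
    up to four (status, type, first_lba, sector_count) tuples."""
    code = code.ljust(CODE_LEN, b"\x00")[:CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in parts).ljust(64, b"\x00")
    return code + struct.pack("<I", disk_sig) + b"\x00\x00" + table + BOOT_SIG


def parse_partitions(mbr: bytes) -> list:
    """Decode the partition table; CHS fields are skipped, LBA fields kept."""
    entries = []
    for i in range(4):
        raw = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype:  # type 0 means an unused slot
            entries.append({"slot": i, "active": status == 0x80,
                            "type": ptype, "first_lba": lba, "sectors": count})
    return entries


def describe(mbr: bytes) -> dict:
    """Summarise one MBR read so two reads can be compared field by field."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    return {
        "boot_sig_ok": mbr[510:512] == BOOT_SIG,
        "code_sha256": hashlib.sha256(mbr[:CODE_LEN]).hexdigest(),
        "disk_sig": struct.unpack_from("<I", mbr, SIG_OFFSET)[0],
        "partitions": parse_partitions(mbr),
    }


def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte, or -1 when the two views agree."""
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), -1)


def compare_views(user_view: bytes, kernel_view: bytes, known_good: set) -> str:
    """Return a verdict in the spirit of the GMER detector output.

    known_good holds SHA-256 hashes of bootstrap code the analyst trusts
    (here the constructed CLEAN_CODE; on a real system, the vendor's stock
    MBR code that tools such as aswMBR describe as "default MBR code").
    """
    u = describe(user_view)
    if user_view != kernel_view:
        where = first_difference(user_view, kernel_view)
        region = "bootstrap code" if where < SIG_OFFSET else "signature/partition table"
        return (f"mismatch: user != kernel MBR at offset {where} ({region}); "
                "a read path is being filtered")
    if not u["boot_sig_ok"]:
        return "invalid: missing 0x55AA boot signature"
    if u["code_sha256"] not in known_good:
        return "unknown: MBR code does not match a known-good image"
    return "clean"


# Constructed bootstrap stub standing in for stock MBR code; the real code is
# longer, but any byte pattern serves the comparison.
CLEAN_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 24
PARTS = [(0x80, 0x07, 2048, 488_375_952)]  # one active NTFS partition (constructed)
CLEAN_MBR = build_mbr(CLEAN_CODE, 0x12345678, PARTS)
# Same disk signature and partition table, first code bytes overwritten: what a
# modified sector looks like to the read path that is not filtered (constructed).
PATCHED_MBR = build_mbr(b"\x00\x00\x00" + CLEAN_CODE[3:], 0x12345678, PARTS)
KNOWN_GOOD = {hashlib.sha256(CLEAN_MBR[:CODE_LEN]).hexdigest()}

if __name__ == "__main__":
    print(compare_views(CLEAN_MBR, CLEAN_MBR, KNOWN_GOOD))    # clean
    print(compare_views(CLEAN_MBR, PATCHED_MBR, KNOWN_GOOD))  # mismatch at offset 0
```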

  7. #7
    Member
    Join Date
    May 2011
    Posts
    21
    Points
    0

    Default

    Hello Net_Surfer -

    In a few moments I'll be starting in on the latest set of instructions.

    However...

    I've lost Safe Mode. The computer starts up, I whap F8 a few times, up pops the menu of ways to start. I select any of the Safe Mode boots.

    The screen blanks for a moment then the computer crashes down to the BIOS. The system restarts as if I had turned the computer on.

    Will let you know how it goes.

    MarkB

    P.S. Per the usual, I haven't found my WinXP install CD. Not yet. I'm still looking.

  8. #8
    Member Net_Surfer's Avatar
    Join Date
    May 2008
    Location
    Paradise Ca.
    Posts
    1,179
    Points
    89
    Blog Entries
    4

    Default

    Hi MarkB

    Try to use the tools in normal mode then...

  9. #9
    Member
    Join Date
    May 2011
    Posts
    21
    Points
    0

    Default

    Hello Net_Surfer -

    There should be a "warning" about GMER. Not as in, "this program might take a while to run." More like, "GMER can take hours to run." It just finished a few minutes ago.

    I found my installation CD's. It's a 2 DVD set.

    After some reading, I tried bringing up the Restore console, just to see if I could. That trundles along for a few moments then I'm presented with:

    AIC78XX.SY_ is corrupted

    Press any key to reboot

    Hmm.. it's corrupt, all right. Here's the directory entry:
    C:\>dir c:\cmdcons\AIC78XX.SY_
    Volume in drive C is HP_PAVILION
    Volume Serial Number is A89A-D603

    Directory of c:\cmdcons

    05/10/2011 01:43 AM 345 AIC78XX.SY_
    1 File(s) 345 bytes


    345 bytes??

    I ran a binary-to-text dumper on C:\CMDCONS\AIC78XX.SY_ and here is what I got:
    Turbo Dump Version 1.0 Copyright (c) 1988 Borland International

    Display of File CMDCONS\AIC78XX.SY_

    000000: 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 <?xml version="1
    000010: 2E 30 22 20 65 6E 63 6F 64 69 6E 67 3D 22 69 73 .0" encoding="is
    000020: 6F 2D 38 38 35 39 2D 31 22 3F 3E 0A 3C 21 44 4F o-8859-1"?>.<!DO
    000030: 43 54 59 50 45 20 68 74 6D 6C 20 50 55 42 4C 49 CTYPE html PUBLI
    000040: 43 20 22 2D 2F 2F 57 33 43 2F 2F 44 54 44 20 58 C "-//W3C//DTD X
    000050: 48 54 4D 4C 20 31 2E 30 20 54 72 61 6E 73 69 74 HTML 1.0 Transit
    000060: 69 6F 6E 61 6C 2F 2F 45 4E 22 0A 20 20 20 20 20 ional//EN".
    000070: 20 20 20 20 22 68 74 74 70 3A 2F 2F 77 77 77 2E "http://www.
    000080: 77 33 2E 6F 72 67 2F 54 52 2F 78 68 74 6D 6C 31 w3.org/TR/xhtml1
    000090: 2F 44 54 44 2F 78 68 74 6D 6C 31 2D 74 72 61 6E /DTD/xhtml1-tran
    0000A0: 73 69 74 69 6F 6E 61 6C 2E 64 74 64 22 3E 0A 3C sitional.dtd">.<
    0000B0: 68 74 6D 6C 20 78 6D 6C 6E 73 3D 22 68 74 74 70 html xmlns="http
    0000C0: 3A 2F 2F 77 77 77 2E 77 33 2E 6F 72 67 2F 31 39 ://www.w3.org/19
    0000D0: 39 39 2F 78 68 74 6D 6C 22 20 78 6D 6C 3A 6C 61 99/xhtml" xml:la
    0000E0: 6E 67 3D 22 65 6E 22 20 6C 61 6E 67 3D 22 65 6E ng="en" lang="en
    0000F0: 22 3E 0A 20 3C 68 65 61 64 3E 0A 20 20 3C 74 69 ">. <head>. <ti
    000100: 74 6C 65 3E 34 30 34 20 2D 20 4E 6F 74 20 46 6F tle>404 - Not Fo
    000110: 75 6E 64 3C 2F 74 69 74 6C 65 3E 0A 20 3C 2F 68 und</title>. </h
    000120: 65 61 64 3E 0A 20 3C 62 6F 64 79 3E 0A 20 20 3C ead>. <body>. <
    000130: 68 31 3E 34 30 34 20 2D 20 4E 6F 74 20 46 6F 75 h1>404 - Not Fou
    000140: 6E 64 3C 2F 68 31 3E 0A 20 3C 2F 62 6F 64 79 3E nd</h1>. </body>
    000150: 0A 3C 2F 68 74 6D 6C 3E 0A .</html>.


    (I can't get that '.</html>.' text to move over. It's supposed to be on the right under the rest of the ASCII text.)

    I can't find (in this page of this thread) the spot where I was asked to install an updated version of the Restore console. I do remember there being a note that it was an SP2 console, not an SP3. Not sure if that's relevant. However...

    Know where I can find a fresh copy of AIC78XX.SY_ ? Because I'm pretty sure the Restore mechanism doesn't know what to do with HTML code.

    Here are the CMDCONS entries that were updated on 5/10:


    05/10/2011 01:43 AM 345 AIC78XX.SY_ <--- Bad
    05/10/2011 01:43 AM 85,369 FTTXR52P.SY_
    05/10/2011 01:43 AM <DIR> SYSTEM32
    05/10/2011 01:43 AM 473,546 txtsetup.sif
    05/10/2011 01:44 AM 8,192 bootsect.dat
    05/10/2011 01:44 AM 33,433 migrate.inf
    05/10/2011 01:44 AM 438 winnt.sif


    Can you verify the sizes? I'm a little concerned.

    You wrote:
    >
    > [ cut and paste here, don't attach ]
    >

    OK. Here goes. How about some color-coding to separate the blocks?

    =====================================================
    First up is the log from aswMBR.
    =========================================================

    aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
    Run date: 2011-05-10 22:23:58
    -----------------------------
    22:23:58.468 OS Version: Windows 5.1.2600 Service Pack 3
    22:23:58.468 Number of processors: 2 586 0x403
    22:23:58.468 ComputerName: P4_630 UserName:
    22:24:12.125 Initialize success
    22:24:22.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-18
    22:24:22.500 Disk 0 Vendor: WDC_WD2500KS-00MJB0 02.01C03 Size: 238475MB BusType: 3
    22:24:22.531 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-20
    22:24:22.531 Disk 1 Vendor: WDC_WD5000AAKS-00D2B0 12.01C02 Size: 476940MB BusType: 3
    22:24:25.406 Disk 0 MBR read successfully
    22:24:25.406 Disk 0 MBR scan
    22:24:25.406 Disk 0 Windows XP default MBR code
    22:24:27.500 Disk 0 scanning sectors +488376000
    22:24:27.531 Disk 0 scanning C:\WINDOWS\system32\drivers
    22:24:49.234 Service scanning
    22:24:52.734 Disk 0 trace - called modules:
    22:24:53.375 ntkrnlpa.exe CLASSPNP.SYS disk.sys iomdisk.sys hal.dll atapi.sys intelide.sys
    22:24:53.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b08eab8]
    22:24:53.375 3 CLASSPNP.SYS[b8118fd7] -> nt!IofCallDriver -> [0x8b08f920]
    22:24:53.375 5 iomdisk.sys[b8338bc3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-18[0x8b09ab00]
    22:24:53.375 Scan finished successfully
    22:25:17.093 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\MBR.dat"
    22:25:17.093 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"
    =====================================================
    Here is the GMER log.
    =========================================================

    GMER 1.0.15.15627 - GMER - Rootkit Detector and Remover
    Rootkit scan 2011-05-11 02:35:44
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-18 WDC_WD2500KS-00MJB0 rev.02.01C03
    Running: r8wzzt37.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\kxldapog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB66463A0, 0x83C195, 0xE8000020]
    init C:\WINDOWS\System32\Drivers\driverx.sys entry point in "init" section [0xA2C11256]
    ? C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[164] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 3000141E C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
    .text C:\WINDOWS\Explorer.EXE[164] SHELL32.dll!SHFileOperation 7CA70B88 5 Bytes JMP 30001430 C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
    .text C:\Program Files\Iomega\DriveIcons\ImgIcon.exe[2224] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 3000141E C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
    .text C:\Program Files\Iomega\DriveIcons\ImgIcon.exe[2224] SHELL32.dll!SHFileOperation 7CA70B88 5 Bytes JMP 30001430 C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
    .text C:\Documents and Settings\HP_Administrator\Desktop\ANTI MALWARE\r8wzzt37.exe[4028] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 3000141E C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
    .text C:\Documents and Settings\HP_Administrator\Desktop\ANTI MALWARE\r8wzzt37.exe[4028] SHELL32.dll!SHFileOperation 7CA70B88 5 Bytes JMP 30001430 C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
    =====================================================
    Lastly the log from TDSSKiller 2.5
    =========================================================

    2011/05/11 02:42:08.0078 2656 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
    2011/05/11 02:42:08.0625 2656 ================================================================================
    2011/05/11 02:42:08.0625 2656 SystemInfo:
    2011/05/11 02:42:08.0625 2656
    2011/05/11 02:42:08.0625 2656 OS Version: 5.1.2600 ServicePack: 3.0
    2011/05/11 02:42:08.0625 2656 Product type: Workstation
    2011/05/11 02:42:08.0625 2656 ComputerName: P4_630
    2011/05/11 02:42:08.0625 2656 UserName: HP_Administrator
    2011/05/11 02:42:08.0625 2656 Windows directory: C:\WINDOWS
    2011/05/11 02:42:08.0625 2656 System windows directory: C:\WINDOWS
    2011/05/11 02:42:08.0625 2656 Processor architecture: Intel x86
    2011/05/11 02:42:08.0625 2656 Number of processors: 2
    2011/05/11 02:42:08.0625 2656 Page size: 0x1000
    2011/05/11 02:42:08.0625 2656 Boot type: Normal boot
    2011/05/11 02:42:08.0625 2656 ================================================================================
    2011/05/11 02:42:13.0828 2656 Initialize success
    2011/05/11 02:42:16.0203 1904 ================================================================================
    2011/05/11 02:42:16.0203 1904 Scan started
    2011/05/11 02:42:16.0203 1904 Mode: Manual;
    2011/05/11 02:42:16.0203 1904 ================================================================================
    2011/05/11 02:42:17.0312 1904 4mmdat (7e14bad6cbc8ee6857902e33128e6df2) C:\WINDOWS\system32\DRIVERS\4mmdat.sys
    2011/05/11 02:42:18.0109 1904 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/05/11 02:42:18.0437 1904 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/05/11 02:42:18.0593 1904 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/05/11 02:42:18.0640 1904 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
    2011/05/11 02:42:19.0281 1904 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    2011/05/11 02:42:19.0390 1904 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/05/11 02:42:20.0078 1904 aslm75 (71356a1370739e25375a1d17b6ae318f) C:\WINDOWS\system32\drivers\aslm75.sys
    2011/05/11 02:42:20.0156 1904 ASPI32 (20d04091eba710f6988f710507d85868) C:\WINDOWS\system32\drivers\ASPI32.sys
    2011/05/11 02:42:20.0218 1904 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/05/11 02:42:20.0234 1904 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/05/11 02:42:20.0828 1904 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/05/11 02:42:20.0921 1904 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/05/11 02:42:20.0953 1904 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/05/11 02:42:21.0078 1904 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/05/11 02:42:21.0125 1904 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/05/11 02:42:21.0171 1904 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/05/11 02:42:21.0187 1904 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/05/11 02:42:21.0796 1904 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/05/11 02:42:21.0968 1904 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/05/11 02:42:22.0031 1904 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/05/11 02:42:22.0062 1904 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/05/11 02:42:22.0093 1904 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/05/11 02:42:22.0125 1904 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/05/11 02:42:22.0203 1904 DriverX (d27a3a309da2f9122b64b556a9a2cc71) C:\WINDOWS\System32\Drivers\driverx.sys
    2011/05/11 02:42:22.0250 1904 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/05/11 02:42:22.0859 1904 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/05/11 02:42:22.0906 1904 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/05/11 02:42:22.0937 1904 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/05/11 02:42:22.0968 1904 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/05/11 02:42:22.0984 1904 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/05/11 02:42:23.0015 1904 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/05/11 02:42:23.0046 1904 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/05/11 02:42:23.0062 1904 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
    2011/05/11 02:42:23.0140 1904 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
    2011/05/11 02:42:23.0156 1904 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/05/11 02:42:23.0218 1904 HdAudAddService (2a013e7530beab6e569faa83f517e836) C:\WINDOWS\system32\drivers\HdAudio.sys
    2011/05/11 02:42:23.0265 1904 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/05/11 02:42:23.0859 1904 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/05/11 02:42:24.0218 1904 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/05/11 02:42:24.0859 1904 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/05/11 02:42:24.0953 1904 ialm (81efe1c5542afb2570758f39ae3b1151) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2011/05/11 02:42:25.0031 1904 iaStor (79ae2a97c120f282845d854d0f070ea9) C:\WINDOWS\system32\DRIVERS\iaStor.sys
    2011/05/11 02:42:25.0109 1904 ICAM3NT5 (673962b31666f877c283a81392eab199) C:\WINDOWS\system32\Drivers\ICAM3D2.SYS
    2011/05/11 02:42:25.0156 1904 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/05/11 02:42:25.0921 1904 IntcAzAudAddService (a30685283f90ae02f1cd50972c6065e3) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/05/11 02:42:26.0062 1904 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/05/11 02:42:26.0093 1904 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/05/11 02:42:26.0125 1904 iomdisk (9d7069d72c0c72952f05e1688a5ae89d) C:\WINDOWS\system32\DRIVERS\iomdisk.sys
    2011/05/11 02:42:26.0171 1904 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/05/11 02:42:26.0218 1904 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/05/11 02:42:26.0828 1904 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/05/11 02:42:26.0859 1904 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/05/11 02:42:26.0906 1904 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/05/11 02:42:26.0937 1904 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/05/11 02:42:26.0968 1904 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/05/11 02:42:26.0984 1904 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/05/11 02:42:27.0031 1904 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/05/11 02:42:27.0062 1904 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/05/11 02:42:27.0156 1904 ltmodem5 (9ee18a5a45552673a67532ea37370377) C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
    2011/05/11 02:42:27.0234 1904 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
    2011/05/11 02:42:27.0250 1904 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
    2011/05/11 02:42:27.0296 1904 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/05/11 02:42:27.0328 1904 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/05/11 02:42:27.0937 1904 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
    2011/05/11 02:42:27.0953 1904 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/05/11 02:42:28.0031 1904 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/05/11 02:42:28.0062 1904 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/05/11 02:42:28.0093 1904 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
    2011/05/11 02:42:28.0234 1904 MpKsl1e51e47c (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1FCE7199-71F5-41CD-82C2-26F1D56A0F7B}\MpKsl1e51e47c.sys
    2011/05/11 02:42:28.0890 1904 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/05/11 02:42:28.0953 1904 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/05/11 02:42:29.0046 1904 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/05/11 02:42:29.0078 1904 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/05/11 02:42:29.0125 1904 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/05/11 02:42:29.0140 1904 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/05/11 02:42:29.0203 1904 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/05/11 02:42:29.0812 1904 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/05/11 02:42:29.0843 1904 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/05/11 02:42:29.0875 1904 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/05/11 02:42:29.0921 1904 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/05/11 02:42:29.0953 1904 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/05/11 02:42:29.0984 1904 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/05/11 02:42:30.0015 1904 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/05/11 02:42:30.0046 1904 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/05/11 02:42:30.0078 1904 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/05/11 02:42:30.0093 1904 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/05/11 02:42:30.0140 1904 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/05/11 02:42:30.0187 1904 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/05/11 02:42:30.0250 1904 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
    2011/05/11 02:42:30.0296 1904 NmPar (241c985de3ab9f73568fe3b181dc70f4) C:\WINDOWS\system32\DRIVERS\NmPar.sys
    2011/05/11 02:42:30.0312 1904 nmserial (6489dd8e27d70bee2897681b46b76bd1) C:\WINDOWS\system32\DRIVERS\nmserial.sys
    2011/05/11 02:42:30.0343 1904 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/05/11 02:42:30.0890 1904 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/05/11 02:42:30.0953 1904 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/05/11 02:42:31.0312 1904 nv (f1de35c89d98a883d1b4030dc9896855) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/05/11 02:42:36.0343 1904 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/05/11 02:42:36.0390 1904 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/05/11 02:42:36.0453 1904 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/05/11 02:42:36.0531 1904 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/05/11 02:42:36.0562 1904 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/05/11 02:42:36.0593 1904 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/05/11 02:42:36.0609 1904 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/05/11 02:42:37.0765 1904 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/05/11 02:42:37.0796 1904 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/05/11 02:42:38.0421 1904 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/05/11 02:42:38.0484 1904 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2011/05/11 02:42:39.0078 1904 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
    2011/05/11 02:42:39.0093 1904 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/05/11 02:42:39.0125 1904 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/05/11 02:42:39.0796 1904 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/05/11 02:42:39.0843 1904 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/05/11 02:42:39.0875 1904 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/05/11 02:42:39.0890 1904 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/05/11 02:42:39.0921 1904 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/05/11 02:42:39.0937 1904 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/05/11 02:42:39.0968 1904 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/05/11 02:42:40.0000 1904 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/05/11 02:42:40.0062 1904 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/05/11 02:42:40.0140 1904 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
    2011/05/11 02:42:40.0171 1904 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
    2011/05/11 02:42:40.0265 1904 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2011/05/11 02:42:40.0281 1904 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
    2011/05/11 02:42:40.0296 1904 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    2011/05/11 02:42:40.0968 1904 scsiscan (089870dab7aa277585c475ae09ee4c63) C:\WINDOWS\system32\DRIVERS\scsiscan.sys
    2011/05/11 02:42:40.0984 1904 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/05/11 02:42:41.0031 1904 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/05/11 02:42:41.0062 1904 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/05/11 02:42:41.0109 1904 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/05/11 02:42:41.0156 1904 SISNIC (3fbb6ef8b5a71a2fa11f5f461bb73219) C:\WINDOWS\system32\DRIVERS\sisnic.sys
    2011/05/11 02:42:41.0187 1904 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/05/11 02:42:41.0843 1904 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
    2011/05/11 02:42:41.0875 1904 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/05/11 02:42:41.0921 1904 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/05/11 02:42:41.0953 1904 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/05/11 02:42:42.0015 1904 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/05/11 02:42:42.0062 1904 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/05/11 02:42:42.0078 1904 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/05/11 02:42:42.0187 1904 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/05/11 02:42:42.0828 1904 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/05/11 02:42:42.0921 1904 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/05/11 02:42:42.0937 1904 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/05/11 02:42:42.0968 1904 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/05/11 02:42:43.0062 1904 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/05/11 02:42:43.0140 1904 umpusbxp (4685ca976167ef2bbab18694346062df) C:\WINDOWS\system32\DRIVERS\umpusbxp.sys
    2011/05/11 02:42:43.0312 1904 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/05/11 02:42:43.0937 1904 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/05/11 02:42:43.0984 1904 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/05/11 02:42:44.0031 1904 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2011/05/11 02:42:44.0078 1904 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/05/11 02:42:44.0109 1904 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/05/11 02:42:44.0140 1904 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/05/11 02:42:44.0156 1904 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/05/11 02:42:44.0187 1904 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/05/11 02:42:44.0812 1904 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/05/11 02:42:44.0828 1904 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/05/11 02:42:44.0968 1904 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/05/11 02:42:45.0000 1904 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/05/11 02:42:45.0031 1904 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/05/11 02:42:45.0250 1904 ================================================================================
    2011/05/11 02:42:45.0250 1904 Scan finished
    2011/05/11 02:42:45.0250 1904 ================================================================================

  10. #10
    Member
    Join Date
    May 2011
    Posts
    21
    Points
    0
    Hello Net_Surfer -

    I have no idea why I pulled down a copy of that Restore console installer. A search through the thread didn't produce a reference, and so it looks like I've fouled up.

    Apologies. I'll see if I can find a proper copy of the AIC78XX.SY_ file.

    MarkB


    Apologies.
