
Thread: Win64:Sirefef Infection

  1. #1
    Member, joined Mar 2008, 72 posts

    Win64:Sirefef Infection

    HAVE SUBSCRIBED to this topic with instant notification.
    Google getting hijacked, Avast blocking Win64:Sirefef variants every minute or so. Hourglass cursor appears frequently; Task Manager shows 9-35% CPU usage briefly with no visible process using it.
    Followed advice at http://technojourney.com/google/easily-remove-google-redirect-virus-your-computer/
    Downloaded and ran TDSS rootkit removing tool 2.7.45.0; it failed to solve the problem [log follows DDS logs].
    This is my only computer, so will stay offline other than this forum.

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_31
    Run by Administrator at 9:19:52 on 2012-07-11
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.2540 [GMT -6:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Alwil Software\Avast6\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\atwtusb.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Alwil Software\Avast6\avastUI.exe
    C:\WINDOWS\system32\TBLMOUSE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    "C:\WINDOWS\System32\svchost.exe" -k LocalServiceDns
    "C:\WINDOWS\System32\svchost.exe" -k LocalServiceDns
    "C:\WINDOWS\System32\svchost.exe" -k LocalServiceDns
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
    mRun: [atwtusb] atwtusb.exe
    mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [avast] "c:\program files\alwil software\avast6\avastUI.exe" /nogui
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    uPolicies-explorer: NoLogoff = 01000000
    uPolicies-explorer: NoRecentDocsNetHood = 01000000
    uPolicies-explorer: NoSMMyDocs = 01000000
    uPolicies-explorer: NoSMMyPictures = 01000000
    uPolicies-explorer: NoNetworkConnections = 01000000
    uPolicies-explorer: StartMenuLogOff = 1 (0x1)
    uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: mswsock.dll
    DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206762645578
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{4D24E198-7EA7-41BB-ABF0-0D5092022758} : DhcpNameServer = 192.168.1.254
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator.computer\application data\mozilla\firefox\profiles\bvvl5608.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - blank
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
    FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-21 64288]
    R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-7-1 22528]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-9 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-9 337880]
    R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-12-13 3968]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-9 20696]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast6\AvastSvc.exe [2011-12-9 44768]
    R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-12-20 3744]
    R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-12-20 3904]
    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2011-7-30 14976]
    R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2009-9-22 50944]
    R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2011-3-22 22891]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-2-5 56992]
    S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [2007-4-15 611360]
    S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-2-5 1691480]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1e.tmp --> c:\windows\system32\1E.tmp [?]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2011-10-25 12984]
    S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
    S4 WWMZYS;WWMZYS;c:\docume~1\admini~1.com\locals~1\temp\wwmzys.exe --> c:\docume~1\admini~1.com\locals~1\temp\WWMZYS.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-07-11 14:33:34 -------- d-----w- C:\TDSSKiller_Quarantine
    .
    ==================== Find3M ====================
    .
    2012-07-11 14:37:55 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2012-07-05 13:32:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-05 13:32:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2004-04-09 22:13:00 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
    2006-05-03 18:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 19:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 21:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
    .
    ============= FINISH: 9:20:32.03 ===============

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    TDSS Log

    08:30:36.0515 2756 TDSS rootkit removing tool 2.7.45.0 Jul 9 2012 12:46:35
    08:30:36.0546 2756 ============================================================
    08:30:36.0546 2756 Current date / time: 2012/07/11 08:30:36.0546
    08:30:36.0546 2756 SystemInfo:
    08:30:36.0546 2756
    08:30:36.0546 2756 OS Version: 5.1.2600 ServicePack: 2.0
    08:30:36.0546 2756 Product type: Workstation
    08:30:36.0546 2756 ComputerName: COMPUTER
    08:30:36.0546 2756 UserName: Administrator
    08:30:36.0546 2756 Windows directory: C:\WINDOWS
    08:30:36.0546 2756 System windows directory: C:\WINDOWS
    08:30:36.0546 2756 Processor architecture: Intel x86
    08:30:36.0546 2756 Number of processors: 4
    08:30:36.0546 2756 Page size: 0x1000
    08:30:36.0546 2756 Boot type: Normal boot
    08:30:36.0546 2756 ============================================================
    08:30:40.0265 2756 Drive \Device\Harddisk0\DR0 - Size: 0x15D50F66000 (1397.27 Gb), SectorSize: 0x200, Cylinders: 0x2C881, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    08:30:40.0265 2756 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    08:30:40.0281 2756 Drive \Device\Harddisk2\DR6 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
    08:30:40.0281 2756 ============================================================
    08:30:40.0281 2756 \Device\Harddisk0\DR0:
    08:30:40.0281 2756 MBR partitions:
    08:30:40.0281 2756 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x37F06434
    08:30:40.0281 2756 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x37F06473, BlocksNum 0x76B802CE
    08:30:40.0281 2756 \Device\Harddisk1\DR1:
    08:30:40.0281 2756 MBR partitions:
    08:30:40.0281 2756 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x65A06555
    08:30:40.0281 2756 \Device\Harddisk2\DR6:
    08:30:40.0281 2756 MBR partitions:
    08:30:40.0281 2756 \Device\Harddisk2\DR6\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74705982
    08:30:40.0281 2756 ============================================================
    08:30:40.0312 2756 C: <-> \Device\Harddisk0\DR0\Partition0
    08:30:40.0359 2756 D: <-> \Device\Harddisk0\DR0\Partition1
    08:30:40.0375 2756 J: <-> \Device\Harddisk2\DR6\Partition0
    08:30:40.0421 2756 E: <-> \Device\Harddisk1\DR1\Partition0
    08:30:40.0421 2756 ============================================================
    08:30:40.0421 2756 Initialize success
    08:30:40.0421 2756 ============================================================
    08:31:11.0468 3592 ============================================================
    08:31:11.0468 3592 Scan started
    08:31:11.0468 3592 Mode: Manual;
    08:31:11.0468 3592 ============================================================
    08:31:11.0953 3592 61883 (86d7b1e70661d754685b9ac6d749aae5) C:\WINDOWS\system32\DRIVERS\61883.sys
    08:31:11.0953 3592 61883 - ok
    08:31:11.0968 3592 Aavmker4 (473f97edc5a5312f3665ab2921196c0c) C:\WINDOWS\system32\drivers\Aavmker4.sys
    08:31:11.0968 3592 Aavmker4 - ok
    08:31:11.0968 3592 Abiosdsk - ok
    08:31:11.0984 3592 abp480n5 - ok
    08:31:12.0015 3592 ACDaemon - ok
    08:31:12.0046 3592 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    08:31:12.0046 3592 ACPI - ok
    08:31:12.0062 3592 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    08:31:12.0062 3592 ACPIEC - ok
    08:31:12.0093 3592 AcrSch2Svc (4a00e527bb34fca0e458db1089f97b3b) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    08:31:12.0109 3592 AcrSch2Svc - ok
    08:31:12.0125 3592 adpu160m - ok
    08:31:12.0140 3592 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
    08:31:12.0140 3592 aec - ok
    08:31:12.0140 3592 Afc - ok
    08:31:12.0171 3592 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
    08:31:12.0171 3592 AFD - ok
    08:31:12.0171 3592 Aha154x - ok
    08:31:12.0171 3592 aic78u2 - ok
    08:31:12.0187 3592 aic78xx - ok
    08:31:12.0187 3592 aiptektp (14a9ba653838164a2ae148e362640197) C:\WINDOWS\system32\DRIVERS\aiptektp.sys
    08:31:12.0187 3592 aiptektp - ok
    08:31:12.0187 3592 ALCXWDM - ok
    08:31:12.0218 3592 Alerter (c7ae0fd3867db0d42b03b73c18f3d671) C:\WINDOWS\system32\alrsvc.dll
    08:31:12.0218 3592 Alerter - ok
    08:31:12.0218 3592 ALG - ok
    08:31:12.0234 3592 AliIde - ok
    08:31:12.0312 3592 Ambfilt (267fc636801edc5ab28e14036349e3be) C:\WINDOWS\system32\drivers\Ambfilt.sys
    08:31:12.0328 3592 Ambfilt - ok
    08:31:12.0406 3592 AmdPPM (033448d435e65c4bd72e70521fd05c76) C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
    08:31:12.0406 3592 AmdPPM - ok
    08:31:12.0406 3592 amsint - ok
    08:31:12.0421 3592 AnyDVD (cb5f75ea66bf555ba6dff01c1e63ab84) C:\WINDOWS\system32\Drivers\AnyDVD.sys
    08:31:12.0421 3592 AnyDVD - ok
    08:31:12.0437 3592 AppMgmt (9c3c12975c97119412802b181fbeeffe) C:\WINDOWS\System32\appmgmts.dll
    08:31:12.0453 3592 AppMgmt - ok
    08:31:12.0468 3592 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    08:31:12.0468 3592 Arp1394 - ok
    08:31:12.0468 3592 asc - ok
    08:31:12.0468 3592 asc3350p - ok
    08:31:12.0484 3592 asc3550 - ok
    08:31:12.0484 3592 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
    08:31:12.0484 3592 Aspi32 - ok
    08:31:12.0531 3592 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
    08:31:12.0531 3592 aspnet_state - ok
    08:31:12.0546 3592 aswFsBlk (0ae43c6c411254049279c2ee55630f95) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    08:31:12.0546 3592 aswFsBlk - ok
    08:31:12.0546 3592 aswMon2 (8c30b7ddd2f1d8d138ebe40345af2b11) C:\WINDOWS\system32\drivers\aswMon2.sys
    08:31:12.0546 3592 aswMon2 - ok
    08:31:12.0562 3592 aswRdr (da12626fd9a67f4e917e2f2fbe1e1764) C:\WINDOWS\system32\drivers\aswRdr.sys
    08:31:12.0562 3592 aswRdr - ok
    08:31:12.0609 3592 aswSnx (dcb199b967375753b5019ec15f008f53) C:\WINDOWS\system32\drivers\aswSnx.sys
    08:31:12.0625 3592 aswSnx - ok
    08:31:12.0640 3592 aswSP (b32873e5a1443c0a1e322266e203bf10) C:\WINDOWS\system32\drivers\aswSP.sys
    08:31:12.0640 3592 aswSP - ok
    08:31:12.0656 3592 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    08:31:12.0656 3592 AsyncMac - ok
    08:31:12.0671 3592 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    08:31:12.0671 3592 atapi - ok
    08:31:12.0671 3592 Atdisk - ok
    08:31:12.0687 3592 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    08:31:12.0687 3592 Atmarpc - ok
    08:31:12.0703 3592 AudioSrv (db66db626e4882ebef55f136f12c1829) C:\WINDOWS\System32\audiosrv.dll
    08:31:12.0703 3592 AudioSrv - ok
    08:31:12.0703 3592 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    08:31:12.0718 3592 audstub - ok
    08:31:12.0796 3592 avast! Antivirus (4041d31508a2a084dfb42c595854090f) C:\Program Files\Alwil Software\Avast6\AvastSvc.exe
    08:31:12.0796 3592 avast! Antivirus - ok
    08:31:12.0828 3592 Avc (87c223adb8f7596b31caae3c67b16ddd) C:\WINDOWS\system32\DRIVERS\avc.sys
    08:31:12.0828 3592 Avc - ok
    08:31:12.0859 3592 AVCSTRM (867d73a2e43b2ddaf0b0263f88e217ac) C:\WINDOWS\system32\DRIVERS\avcstrm.sys
    08:31:12.0859 3592 AVCSTRM - ok
    08:31:12.0859 3592 AVG Anti-Rootkit (e8054a423e5d2bdae6062bab6da159c4) C:\WINDOWS\system32\DRIVERS\avgarkt.sys
    08:31:12.0859 3592 AVG Anti-Rootkit - ok
    08:31:12.0875 3592 AvgArCln (ec08d1625f5c6cf2a57b79eb35186f8c) C:\WINDOWS\system32\DRIVERS\AvgArCln.sys
    08:31:12.0875 3592 AvgArCln - ok
    08:31:12.0906 3592 BCMNTIO (90a87d49205b3893281203a477f66fe5) C:\PROGRA~1\CHECKIT\DIAGNO~1\BCMNTIO.sys
    08:31:12.0906 3592 BCMNTIO - ok
    08:31:12.0906 3592 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    08:31:12.0906 3592 Beep - ok
    08:31:12.0937 3592 BITS (2c69ec7e5a311334d10dd95f338fccea) C:\WINDOWS\system32\qmgr.dll
    08:31:12.0953 3592 BITS - ok
    08:31:12.0968 3592 Browser (e3cfccdda4edd1d0dc9168b2e18f27b8) C:\WINDOWS\System32\browser.dll
    08:31:12.0968 3592 Browser - ok
    08:31:12.0968 3592 catchme - ok
    08:31:12.0984 3592 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    08:31:12.0984 3592 cbidf2k - ok
    08:31:13.0000 3592 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    08:31:13.0000 3592 CCDECODE - ok
    08:31:13.0000 3592 cd20xrnt - ok
    08:31:13.0015 3592 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    08:31:13.0015 3592 Cdaudio - ok
    08:31:13.0015 3592 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    08:31:13.0015 3592 Cdfs - ok
    08:31:13.0031 3592 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    08:31:13.0031 3592 Cdrom - ok
    08:31:13.0031 3592 Changer - ok
    08:31:13.0031 3592 CiSvc (3192bd04d032a9c4a85a3278c268a13a) C:\WINDOWS\system32\cisvc.exe
    08:31:13.0046 3592 CiSvc - ok
    08:31:13.0046 3592 ClipSrv (c8dec22c4137d7a90f8bdf41ca4b82ae) C:\WINDOWS\system32\clipsrv.exe
    08:31:13.0046 3592 ClipSrv - ok
    08:31:13.0078 3592 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    08:31:13.0078 3592 clr_optimization_v2.0.50727_32 - ok
    08:31:13.0093 3592 CmdIde - ok
    08:31:13.0093 3592 COMSysApp - ok
    08:31:13.0093 3592 Cpqarray - ok
    08:31:13.0125 3592 CryptSvc (10654f9ddcea9c46cfb77554231be73b) C:\WINDOWS\System32\cryptsvc.dll
    08:31:13.0125 3592 CryptSvc - ok
    08:31:13.0125 3592 dac2w2k - ok
    08:31:13.0125 3592 dac960nt - ok
    08:31:13.0187 3592 DcomLaunch (01095febf33beea00c2a0730b9b3ec28) C:\WINDOWS\system32\rpcss.dll
    08:31:13.0203 3592 DcomLaunch - ok
    08:31:13.0218 3592 Dhcp (ef545e1a4b043da4c84e230dd471c55f) C:\WINDOWS\System32\dhcpcsvc.dll
    08:31:13.0218 3592 Dhcp - ok
    08:31:13.0218 3592 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    08:31:13.0218 3592 Disk - ok
    08:31:13.0218 3592 dmadmin - ok
    08:31:13.0265 3592 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    08:31:13.0265 3592 dmboot - ok
    08:31:13.0281 3592 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys
    08:31:13.0281 3592 dmio - ok
    08:31:13.0281 3592 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    08:31:13.0296 3592 dmload - ok
    08:31:13.0296 3592 dmserver (1639d9964c9e1b2ecca95c8217d3e70d) C:\WINDOWS\System32\dmserver.dll
    08:31:13.0296 3592 dmserver - ok
    08:31:13.0312 3592 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    08:31:13.0312 3592 DMusic - ok
    08:31:13.0343 3592 Dnscache (aac8ffbfd61e784fa3bac851d4a0bd5f) C:\WINDOWS\System32\dnsrslvr.dll
    08:31:13.0343 3592 Dnscache - ok
    08:31:13.0343 3592 dpti2o - ok
    08:31:13.0359 3592 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    08:31:13.0359 3592 drmkaud - ok
    08:31:13.0375 3592 ElbyCDIO (178cc9403816c082d22a1d47fa1f9c85) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
    08:31:13.0375 3592 ElbyCDIO - ok
    08:31:13.0375 3592 ElbyDelay (e205c313417da6fa7afe85912a310a65) C:\WINDOWS\system32\Drivers\ElbyDelay.sys
    08:31:13.0375 3592 ElbyDelay - ok
    08:31:13.0375 3592 ERSvc (67dff7bbbd0e80aab7b3cf061448db8a) C:\WINDOWS\System32\ersvc.dll
    08:31:13.0406 3592 ERSvc - ok
    08:31:13.0421 3592 EuMusDesignVirtualAudioCableWdm (b27707bce98cb02eac9be5967096e75a) C:\WINDOWS\system32\DRIVERS\vrtaucbl.sys
    08:31:13.0421 3592 EuMusDesignVirtualAudioCableWdm - ok
    08:31:13.0437 3592 Eventlog (37561f8d4160d62da86d24ae41fae8de) C:\WINDOWS\system32\services.exe
    08:31:13.0453 3592 Eventlog - ok
    08:31:13.0468 3592 EventSystem (60d1a6342238378bfb7545c81ee3606c) C:\WINDOWS\system32\es.dll
    08:31:13.0484 3592 EventSystem - ok
    08:31:13.0500 3592 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    08:31:13.0500 3592 Fastfat - ok
    08:31:13.0531 3592 FastUserSwitchingCompatibility (6815def9b810aefac107eeaf72da6f82) C:\WINDOWS\System32\shsvcs.dll
    08:31:13.0531 3592 FastUserSwitchingCompatibility - ok
    08:31:13.0531 3592 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
    08:31:13.0531 3592 Fdc - ok
    08:31:13.0546 3592 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    08:31:13.0546 3592 Fips - ok
    08:31:13.0546 3592 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    08:31:13.0546 3592 Flpydisk - ok
    08:31:13.0578 3592 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    08:31:13.0578 3592 FltMgr - ok
    08:31:13.0593 3592 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    08:31:13.0593 3592 FontCache3.0.0.0 - ok
    08:31:13.0687 3592 FreeAgentGoNext Service (eb1951e61c28b3b7d812a47adb976e60) C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    08:31:13.0703 3592 FreeAgentGoNext Service - ok
    08:31:13.0703 3592 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    08:31:13.0703 3592 Fs_Rec - ok
    08:31:13.0718 3592 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    08:31:13.0718 3592 Ftdisk - ok
    08:31:13.0734 3592 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    08:31:13.0734 3592 Gpc - ok
    08:31:13.0781 3592 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    08:31:13.0781 3592 HDAudBus - ok
    08:31:13.0812 3592 helpsvc (8827911a8c37e40c027cbfc88e69d967) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
    08:31:13.0812 3592 helpsvc - ok
    08:31:13.0812 3592 HidServ - ok
    08:31:13.0828 3592 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    08:31:13.0828 3592 hidusb - ok
    08:31:13.0828 3592 hpn - ok
    08:31:13.0921 3592 hpqcxs08 (f50f7984fdd151edd8a70a8dbd9e2a44) C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
    08:31:13.0921 3592 hpqcxs08 - ok
    08:31:13.0953 3592 hpqddsvc (df446ba625cc441617843e87798ce048) C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
    08:31:13.0953 3592 hpqddsvc - ok
    08:31:13.0968 3592 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    08:31:13.0968 3592 HPZid412 - ok
    08:31:13.0984 3592 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    08:31:13.0984 3592 HPZipr12 - ok
    08:31:13.0984 3592 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    08:31:14.0000 3592 HPZius12 - ok
    08:31:14.0015 3592 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    08:31:14.0031 3592 HTTP - ok
    08:31:14.0046 3592 HTTPFilter (064d8581adf77c25133e7d751d917d83) C:\WINDOWS\System32\w3ssl.dll
    08:31:14.0062 3592 HTTPFilter - ok
    08:31:14.0062 3592 i2omgmt - ok
    08:31:14.0062 3592 i2omp - ok
    08:31:14.0078 3592 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    08:31:14.0078 3592 i8042prt - ok
    08:31:14.0125 3592 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    08:31:14.0140 3592 IDriverT - ok
    08:31:14.0234 3592 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    08:31:14.0250 3592 idsvc - ok
    08:31:14.0281 3592 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    08:31:14.0281 3592 Imapi - ok
    08:31:14.0328 3592 ImapiService (fa788520bcac0f5d9d5cde5615c0d931) C:\WINDOWS\system32\imapi.exe
    08:31:14.0328 3592 ImapiService - ok
    08:31:14.0343 3592 ini910u - ok
    08:31:14.0531 3592 IntcAzAudAddService (09e73e7455e7eac14e25739b30e16b52) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    08:31:14.0625 3592 IntcAzAudAddService - ok
    08:31:14.0671 3592 IntelIde - ok
    08:31:14.0687 3592 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    08:31:14.0687 3592 Ip6Fw - ok
    08:31:14.0703 3592 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    08:31:14.0703 3592 IpFilterDriver - ok
    08:31:14.0734 3592 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    08:31:14.0734 3592 IpInIp - ok
    08:31:14.0765 3592 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    08:31:14.0781 3592 IpNat - ok
    08:31:14.0796 3592 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    08:31:14.0796 3592 IPSec - ok
    08:31:14.0812 3592 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    08:31:14.0812 3592 IRENUM - ok
    08:31:14.0828 3592 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    08:31:14.0828 3592 isapnp - ok
    08:31:14.0828 3592 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    08:31:14.0828 3592 Kbdclass - ok
    08:31:14.0843 3592 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
    08:31:14.0843 3592 kmixer - ok
    08:31:14.0859 3592 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    08:31:14.0859 3592 KSecDD - ok
    08:31:14.0890 3592 lanmanserver (0cb3af149a0bac0836022ca307c7a0f8) C:\WINDOWS\System32\srvsvc.dll
    08:31:14.0890 3592 lanmanserver - ok
    08:31:14.0906 3592 lanmanworkstation (e1f27cfcd114ec9f1e1f44674b2ff9f0) C:\WINDOWS\System32\wkssvc.dll
    08:31:14.0921 3592 lanmanworkstation - ok
    08:31:14.0921 3592 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
    08:31:14.0921 3592 Lbd - ok
    08:31:14.0921 3592 lbrtfdc - ok
    08:31:14.0968 3592 LmHosts (b3eff6d938c572e90a07b3d87a3c7657) C:\WINDOWS\System32\lmhsvc.dll
    08:31:14.0968 3592 LmHosts - ok
    08:31:15.0015 3592 MAPMEM (61330a29bd4230505a7618bc41693cbb) C:\PROGRA~1\CHECKIT\DIAGNO~1\MAPMEM.sys
    08:31:15.0031 3592 MAPMEM - ok
    08:31:15.0046 3592 MDP100 (fbb9954bb0e54d77abdd78aba5572ba7) C:\WINDOWS\system32\DRIVERS\MDP100_XP.sys
    08:31:15.0046 3592 MDP100 - ok
    08:31:15.0062 3592 MEITUNER (1968aa72f5c23c5010a126b5ee0c3539) C:\WINDOWS\system32\DRIVERS\meistb.sys
    08:31:15.0062 3592 MEITUNER - ok
    08:31:15.0078 3592 MEMSWEEP2 - ok
    08:31:15.0093 3592 Messenger (95fd808e4ac22aba025a7b3eac0375d2) C:\WINDOWS\System32\msgsvc.dll
    08:31:15.0093 3592 Messenger - ok
    08:31:15.0109 3592 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    08:31:15.0109 3592 mnmdd - ok
    08:31:15.0125 3592 mnmsrvc (f6415361201915b9fe3896b0e4e724ff) C:\WINDOWS\system32\mnmsrvc.exe
    08:31:15.0125 3592 mnmsrvc - ok
    08:31:15.0140 3592 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    08:31:15.0140 3592 Modem - ok
    08:31:15.0250 3592 Monfilt (c7d9f9717916b34c1b00dd4834af485c) C:\WINDOWS\system32\drivers\Monfilt.sys
    08:31:15.0281 3592 Monfilt - ok
    08:31:15.0343 3592 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    08:31:15.0343 3592 Mouclass - ok
    08:31:15.0359 3592 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    08:31:15.0359 3592 mouhid - ok
    08:31:15.0359 3592 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    08:31:15.0359 3592 MountMgr - ok
    08:31:15.0359 3592 MPE (55a9a7e6bb297bf0f5b144029dcb79cc) C:\WINDOWS\system32\DRIVERS\MPE.sys
    08:31:15.0359 3592 MPE - ok
    08:31:15.0375 3592 mraid35x - ok
    08:31:15.0390 3592 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    08:31:15.0390 3592 MRxDAV - ok
    08:31:15.0421 3592 MRxSmb (629c6d19002911b807cf4d2a941bc251) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    08:31:15.0421 3592 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mrxsmb.sys. Real md5: 629c6d19002911b807cf4d2a941bc251, Fake md5: fb6c89bb3ce282b08bdb1e3c179e1c39
    08:31:15.0421 3592 MRxSmb ( Virus.Win32.ZAccess.aml ) - infected
    08:31:15.0421 3592 MRxSmb - detected Virus.Win32.ZAccess.aml (0)
    08:31:15.0453 3592 MSDTC (c7c3d89eb0a6f3dba622ea737fa335b1) C:\WINDOWS\system32\msdtc.exe
    08:31:15.0453 3592 MSDTC - ok
    08:31:15.0453 3592 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    08:31:15.0453 3592 Msfs - ok
    08:31:15.0453 3592 MSIServer - ok
    08:31:15.0468 3592 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    08:31:15.0468 3592 MSKSSRV - ok
    08:31:15.0468 3592 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    08:31:15.0468 3592 MSPCLOCK - ok
    08:31:15.0484 3592 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    08:31:15.0484 3592 MSPQM - ok
    08:31:15.0484 3592 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    08:31:15.0484 3592 mssmbios - ok
    08:31:15.0500 3592 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
    08:31:15.0500 3592 MSTEE - ok
    08:31:15.0515 3592 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    08:31:15.0515 3592 Mup - ok
    08:31:15.0515 3592 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    08:31:15.0531 3592 NABTSFEC - ok
    08:31:15.0640 3592 NBService (f46070ddada5c396b1f2ebf1c46dbb08) C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    08:31:15.0640 3592 NBService - ok
    08:31:15.0656 3592 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    08:31:15.0656 3592 NDIS - ok
    08:31:15.0671 3592 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    08:31:15.0671 3592 NdisIP - ok
    08:31:15.0671 3592 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    08:31:15.0671 3592 NdisTapi - ok
    08:31:15.0671 3592 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    08:31:15.0671 3592 Ndisuio - ok
    08:31:15.0687 3592 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    08:31:15.0687 3592 NdisWan - ok
    08:31:15.0703 3592 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    08:31:15.0703 3592 NDProxy - ok
    08:31:15.0718 3592 Net Driver HPZ12 (51c6d8bfbd4ea5b62a1ba7f4469250d3) C:\WINDOWS\system32\HPZinw12.dll
    08:31:15.0718 3592 Net Driver HPZ12 - ok
    08:31:15.0734 3592 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    08:31:15.0734 3592 NetBIOS - ok
    08:31:15.0734 3592 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    08:31:15.0750 3592 NetBT - ok
    08:31:15.0765 3592 NetDDE (05afb5ad06462257bea7495283c86d50) C:\WINDOWS\system32\netdde.exe
    08:31:15.0765 3592 NetDDE - ok
    08:31:15.0765 3592 NetDDEdsdm (05afb5ad06462257bea7495283c86d50) C:\WINDOWS\system32\netdde.exe
    08:31:15.0765 3592 NetDDEdsdm - ok
    08:31:15.0796 3592 Netlogon (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
    08:31:15.0796 3592 Netlogon - ok
    08:31:15.0812 3592 Netman (36739b39267914ba69ad0610a0299732) C:\WINDOWS\System32\netman.dll
    08:31:15.0812 3592 Netman - ok
    08:31:15.0890 3592 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    08:31:15.0890 3592 NetTcpPortSharing - ok
    08:31:15.0906 3592 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    08:31:15.0906 3592 NIC1394 - ok
    08:31:15.0937 3592 Nla (097722f235a1fb698bf9234e01b52637) C:\WINDOWS\System32\mswsock.dll
    08:31:15.0953 3592 Nla - ok
    08:31:16.0000 3592 NMIndexingService (433049770b810d7c83c5c94cdb3e09d2) C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    08:31:16.0000 3592 NMIndexingService - ok
    08:31:16.0015 3592 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    08:31:16.0015 3592 Npfs - ok
    08:31:16.0046 3592 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
    08:31:16.0062 3592 Ntfs - ok
    08:31:16.0062 3592 NtLmSsp (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
    08:31:16.0062 3592 NtLmSsp - ok
    08:31:16.0093 3592 NtmsSvc (b62f29c00ac55a761b2e45877d85ea0f) C:\WINDOWS\system32\ntmssvc.dll
    08:31:16.0109 3592 NtmsSvc - ok
    08:31:16.0156 3592 nTuneService - ok
    08:31:16.0156 3592 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    08:31:16.0156 3592 Null - ok
    08:31:16.0453 3592 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    08:31:16.0578 3592 nv - ok
    08:31:16.0656 3592 NVENETFD (5110ccb98c9883177754549f033f7f89) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
    08:31:16.0656 3592 NVENETFD - ok
    08:31:16.0687 3592 NVHDA (d8d01cb94e1312bb64f78392d9617714) C:\WINDOWS\system32\drivers\nvhda32.sys
    08:31:16.0703 3592 NVHDA - ok
    08:31:16.0718 3592 nvnetbus (a5f0ee23d37e375d2f93691b6eeff7a0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
    08:31:16.0718 3592 nvnetbus - ok
    08:31:16.0734 3592 nvsmu (f13618f0cb1e95232f4c2401592a59e9) C:\WINDOWS\system32\DRIVERS\nvsmu.sys
    08:31:16.0734 3592 nvsmu - ok
    08:31:16.0765 3592 nvsvc (a2322c6207ebb0761a6c8cc9003ebacf) C:\WINDOWS\system32\nvsvc32.exe
    08:31:16.0765 3592 nvsvc - ok
    08:31:16.0796 3592 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    08:31:16.0796 3592 NwlnkFlt - ok
    08:31:16.0796 3592 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    08:31:16.0812 3592 NwlnkFwd - ok
    08:31:16.0812 3592 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    08:31:16.0828 3592 ohci1394 - ok
    08:31:16.0843 3592 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
    08:31:16.0843 3592 Parport - ok
    08:31:16.0859 3592 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    08:31:16.0859 3592 PartMgr - ok
    08:31:16.0875 3592 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    08:31:16.0875 3592 ParVdm - ok
    08:31:16.0875 3592 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    08:31:16.0875 3592 PCI - ok
    08:31:16.0875 3592 PCIDump - ok
    08:31:16.0890 3592 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    08:31:16.0890 3592 PCIIde - ok
    08:31:16.0906 3592 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    08:31:16.0906 3592 Pcmcia - ok
    08:31:16.0906 3592 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
    08:31:16.0921 3592 pcouffin - ok
    08:31:16.0921 3592 PDCOMP - ok
    08:31:16.0921 3592 PDFRAME - ok
    08:31:16.0921 3592 PDRELI - ok
    08:31:16.0937 3592 PDRFRAME - ok
    08:31:16.0937 3592 perc2 - ok
    08:31:16.0937 3592 perc2hib - ok
    08:31:16.0968 3592 PlugPlay (37561f8d4160d62da86d24ae41fae8de) C:\WINDOWS\system32\services.exe
    08:31:16.0984 3592 PlugPlay - ok
    08:31:17.0000 3592 Pml Driver HPZ12 (79834aa2fbf9fe81eebb229024f6f7fc) C:\WINDOWS\system32\HPZipm12.dll
    08:31:17.0000 3592 Pml Driver HPZ12 - ok
    08:31:17.0015 3592 Pnp680r (a1d7a9214b71ebbb6f31cb84aac15525) C:\WINDOWS\system32\DRIVERS\pnp680r.sys
    08:31:17.0015 3592 Pnp680r - ok
    08:31:17.0046 3592 PolicyAgent (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
    08:31:17.0046 3592 PolicyAgent - ok
    08:31:17.0046 3592 portD - ok
    08:31:17.0046 3592 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    08:31:17.0062 3592 PptpMiniport - ok
    08:31:17.0062 3592 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
    08:31:17.0062 3592 Processor - ok
    08:31:17.0078 3592 ProtectedStorage (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
    08:31:17.0078 3592 ProtectedStorage - ok
    08:31:17.0078 3592 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    08:31:17.0078 3592 PSched - ok
    08:31:17.0093 3592 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    08:31:17.0093 3592 Ptilink - ok
    08:31:17.0093 3592 ql1080 - ok
    08:31:17.0093 3592 Ql10wnt - ok
    08:31:17.0109 3592 ql12160 - ok
    08:31:17.0109 3592 ql1240 - ok
    08:31:17.0109 3592 ql1280 - ok
    08:31:17.0125 3592 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\RASACD.SYS
    08:31:17.0125 3592 RasAcd - ok
    08:31:17.0140 3592 RasAuto (44db7a9bdd2fb58747d123fbf1d35adb) C:\WINDOWS\System32\rasauto.dll
    08:31:17.0140 3592 RasAuto - ok
    08:31:17.0156 3592 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    08:31:17.0156 3592 Rasl2tp - ok
    08:31:17.0171 3592 RasMan (49b5eed5fb89d39456a2f616ccd8ba5d) C:\WINDOWS\System32\rasmans.dll
    08:31:17.0187 3592 RasMan - ok
    08:31:17.0187 3592 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    08:31:17.0187 3592 RasPppoe - ok
    08:31:17.0203 3592 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    08:31:17.0203 3592 Raspti - ok
    08:31:17.0218 3592 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    08:31:17.0218 3592 Rdbss - ok
    08:31:17.0218 3592 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    08:31:17.0218 3592 RDPCDD - ok
    08:31:17.0250 3592 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    08:31:17.0250 3592 rdpdr - ok
    08:31:17.0265 3592 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
    08:31:17.0265 3592 RDPWD - ok
    08:31:17.0296 3592 RDSessMgr (729798e0933076b8fcfcd9934698f164) C:\WINDOWS\system32\sessmgr.exe
    08:31:17.0296 3592 RDSessMgr - ok
    08:31:17.0296 3592 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    08:31:17.0312 3592 redbook - ok
    08:31:17.0328 3592 RemoteAccess (3046db917e3cfa040632799dd9b14865) C:\WINDOWS\System32\mprdim.dll
    08:31:17.0328 3592 RemoteAccess - ok
    08:31:17.0343 3592 RemoteRegistry (3151427db7d87107d1c5be58fac53960) C:\WINDOWS\system32\regsvc.dll
    08:31:17.0343 3592 RemoteRegistry - ok
    08:31:17.0375 3592 RpcLocator (793f04a09b15e7c6c11dbdffaf06c0ab) C:\WINDOWS\system32\locator.exe
    08:31:17.0375 3592 RpcLocator - ok
    08:31:17.0406 3592 RpcSs (01095febf33beea00c2a0730b9b3ec28) C:\WINDOWS\System32\rpcss.dll
    08:31:17.0406 3592 RpcSs - ok
    08:31:17.0421 3592 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
    08:31:17.0437 3592 RSVP - ok
    08:31:17.0437 3592 SamSs (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
    08:31:17.0437 3592 SamSs - ok
    08:31:17.0453 3592 SBKUPNT (729248b54aff21e740054acebfdbcb1c) C:\WINDOWS\system32\Drivers\SBKUPNT.SYS
    08:31:17.0453 3592 SBKUPNT - ok
    08:31:17.0453 3592 SCardSvr (25d8de134df108e3dbc8d7d23b1aa58e) C:\WINDOWS\System32\SCardSvr.exe
    08:31:17.0468 3592 SCardSvr - ok
    08:31:17.0500 3592 Schedule (92360854316611f6cc471612213c3d92) C:\WINDOWS\system32\schedsvc.dll
    08:31:17.0500 3592 Schedule - ok
    08:31:17.0515 3592 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    08:31:17.0515 3592 Secdrv - ok
    08:31:17.0515 3592 seclogon (b1e0ce09895376871746f36dc5773b4f) C:\WINDOWS\System32\seclogon.dll
    08:31:17.0531 3592 seclogon - ok
    08:31:17.0546 3592 SENS (dfd9870cf39c791d86c4c209da9fa919) C:\WINDOWS\system32\sens.dll
    08:31:17.0546 3592 SENS - ok
    08:31:17.0546 3592 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
    08:31:17.0546 3592 serenum - ok
    08:31:17.0562 3592 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
    08:31:17.0562 3592 Serial - ok
    08:31:17.0578 3592 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    08:31:17.0578 3592 Sfloppy - ok
    08:31:17.0593 3592 ShellHWDetection (6815def9b810aefac107eeaf72da6f82) C:\WINDOWS\System32\shsvcs.dll
    08:31:17.0593 3592 ShellHWDetection - ok
    08:31:17.0593 3592 Simbad - ok
    08:31:17.0609 3592 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    08:31:17.0609 3592 SLIP - ok
    08:31:17.0640 3592 snapman (c3bf55189aa92b8f919108ef9e4accae) C:\WINDOWS\system32\DRIVERS\snapman.sys
    08:31:17.0640 3592 snapman - ok
    08:31:17.0640 3592 Sparrow - ok
    08:31:17.0656 3592 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
    08:31:17.0656 3592 splitter - ok
    08:31:17.0656 3592 Spooler (da81ec57acd4cdc3d4c51cf3d409af9f) C:\WINDOWS\system32\spoolsv.exe
    08:31:17.0671 3592 Spooler - ok
    08:31:17.0671 3592 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    08:31:17.0671 3592 sr - ok
    08:31:17.0703 3592 srservice (92bdf74f12d6cbec43c94d4b7f804838) C:\WINDOWS\system32\srsvc.dll
    08:31:17.0718 3592 srservice - ok
    08:31:17.0750 3592 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    08:31:17.0750 3592 Srv - ok
    08:31:17.0765 3592 SSDPSRV (4b8d61792f7175bed48859cc18ce4e38) C:\WINDOWS\System32\ssdpsrv.dll
    08:31:17.0765 3592 SSDPSRV - ok
    08:31:17.0796 3592 stisvc (b6763f8534ac547cf1af98afdff2edc8) C:\WINDOWS\system32\wiaservc.dll
    08:31:17.0812 3592 stisvc - ok
    08:31:17.0828 3592 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    08:31:17.0828 3592 streamip - ok
    08:31:17.0859 3592 SWDUMon (ab7f6435b3dc381919c3e2cb4d94c7fb) C:\WINDOWS\system32\DRIVERS\SWDUMon.sys
    08:31:17.0859 3592 SWDUMon - ok
    08:31:17.0859 3592 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    08:31:17.0859 3592 swenum - ok
    08:31:17.0875 3592 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    08:31:17.0875 3592 swmidi - ok
    08:31:17.0875 3592 SwPrv - ok
    08:31:17.0875 3592 symc810 - ok
    08:31:17.0875 3592 symc8xx - ok
    08:31:17.0890 3592 sym_hi - ok
    08:31:17.0890 3592 sym_u3 - ok
    08:31:17.0906 3592 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    08:31:17.0906 3592 sysaudio - ok
    08:31:17.0906 3592 SysmonLog (8b54aa346d1b1b113ffaa75501b8b1b2) C:\WINDOWS\system32\smlogsvc.exe
    08:31:17.0921 3592 SysmonLog - ok
    08:31:17.0953 3592 TapiSrv (fb78839b36025aa286a51289ed28b73e) C:\WINDOWS\System32\tapisrv.dll
    08:31:17.0953 3592 TapiSrv - ok
    08:31:18.0000 3592 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    08:31:18.0000 3592 Tcpip - ok
    08:31:18.0015 3592 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    08:31:18.0031 3592 TDPIPE - ok
    08:31:18.0046 3592 tdrpman (3b7b6779eb231f731bba8f9fe67aadfc) C:\WINDOWS\system32\DRIVERS\tdrpman.sys
    08:31:18.0062 3592 tdrpman - ok
    08:31:18.0062 3592 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    08:31:18.0062 3592 TDTCP - ok
    08:31:18.0062 3592 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    08:31:18.0078 3592 TermDD - ok
    08:31:18.0093 3592 TermService (b60c877d16d9c880b952fda04adf16e6) C:\WINDOWS\System32\termsrv.dll
    08:31:18.0093 3592 TermService - ok
    08:31:18.0109 3592 Themes (6815def9b810aefac107eeaf72da6f82) C:\WINDOWS\System32\shsvcs.dll
    08:31:18.0125 3592 Themes - ok
    08:31:18.0125 3592 tifsfilter (b0b3122bff3910e0ba97014045467778) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
    08:31:18.0125 3592 tifsfilter - ok
    08:31:18.0171 3592 timounter (13bfe330880ac0ce8672d00aa5aff738) C:\WINDOWS\system32\DRIVERS\timntr.sys
    08:31:18.0187 3592 timounter - ok
    08:31:18.0187 3592 TlntSvr (37db0a7d097310e8b4de803fc3119c78) C:\WINDOWS\system32\tlntsvr.exe
    08:31:18.0203 3592 TlntSvr - ok
    08:31:18.0203 3592 TosIde - ok
    08:31:18.0218 3592 TrkWks (6d9ac544b30f96c57f8206566c1fb6a1) C:\WINDOWS\system32\trkwks.dll
    08:31:18.0234 3592 TrkWks - ok
    08:31:18.0312 3592 TryAndDecideService (bc236bbb0b16049392e020e53f17d04c) C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
    08:31:18.0312 3592 TryAndDecideService - ok
    08:31:18.0328 3592 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    08:31:18.0328 3592 Udfs - ok
    08:31:18.0343 3592 ultra - ok
    08:31:18.0359 3592 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    08:31:18.0375 3592 Update - ok
    08:31:18.0406 3592 upnphost (aca5d98663d879c6baafcea7e2f1b710) C:\WINDOWS\System32\upnphost.dll
    08:31:18.0421 3592 upnphost - ok
    08:31:18.0421 3592 UPS (3f5df65b0758675f95a2d43918a740a3) C:\WINDOWS\System32\ups.exe
    08:31:18.0421 3592 UPS - ok
    08:31:18.0437 3592 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    08:31:18.0437 3592 usbccgp - ok
    08:31:18.0453 3592 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    08:31:18.0453 3592 usbehci - ok
    08:31:18.0468 3592 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    08:31:18.0468 3592 usbhub - ok
    08:31:18.0484 3592 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    08:31:18.0484 3592 usbohci - ok
    08:31:18.0500 3592 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    08:31:18.0500 3592 usbprint - ok
    08:31:18.0500 3592 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    08:31:18.0500 3592 usbscan - ok
    08:31:18.0515 3592 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    08:31:18.0515 3592 USBSTOR - ok
    08:31:18.0531 3592 VClone (e986f81fa0b3aed21f188a0fd044d80e) C:\WINDOWS\system32\DRIVERS\VClone.sys
    08:31:18.0531 3592 VClone - ok
    08:31:18.0531 3592 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    08:31:18.0531 3592 VgaSave - ok
    08:31:18.0531 3592 ViaIde - ok
    08:31:18.0546 3592 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    08:31:18.0546 3592 VolSnap - ok
    08:31:18.0578 3592 VSS (3ee00364ae0fd8d604f46cbaf512838a) C:\WINDOWS\System32\vssvc.exe
    08:31:18.0593 3592 VSS - ok
    08:31:18.0625 3592 W32Time (2b281958f5d0cf99ed626e3ef39d5c8d) C:\WINDOWS\system32\w32time.dll
    08:31:18.0625 3592 W32Time - ok
    08:31:18.0640 3592 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    08:31:18.0640 3592 Wanarp - ok
    08:31:18.0640 3592 WDICA - ok
    08:31:18.0656 3592 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
    08:31:18.0656 3592 wdmaud - ok
    08:31:18.0687 3592 WebClient (265f534ef76832435afbf771ec97176d) C:\WINDOWS\System32\webclnt.dll
    08:31:18.0687 3592 WebClient - ok
    08:31:18.0734 3592 winmgmt (f399242a80c4066fd155efa4cf96658e) C:\WINDOWS\system32\wbem\WMIsvc.dll
    08:31:18.0734 3592 winmgmt - ok
    08:31:18.0750 3592 WmdmPmSN (482069cda24aa0e94b1351e30eb3d01f) C:\WINDOWS\system32\MsPMSNSv.dll
    08:31:18.0750 3592 WmdmPmSN - ok
    08:31:18.0812 3592 Wmi (1081c185aed0660b2b5f173c3e023b23) C:\WINDOWS\System32\advapi32.dll
    08:31:18.0828 3592 Wmi - ok
    08:31:18.0859 3592 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    08:31:18.0859 3592 WmiAcpi - ok
    08:31:18.0875 3592 WmiApSrv (ba8cecc3e813e1f7c441b20393d4f86c) C:\WINDOWS\system32\wbem\wmiapsrv.exe
    08:31:18.0875 3592 WmiApSrv - ok
    08:31:18.0890 3592 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    08:31:18.0890 3592 WSTCODEC - ok
    08:31:18.0921 3592 wuauserv (13d72740963cba12d9ff76a7f218bcd8) C:\WINDOWS\system32\wuauserv.dll
    08:31:18.0921 3592 wuauserv - ok
    08:31:19.0015 3592 WWMZYS - ok
    08:31:19.0031 3592 WZCSVC (5a91e6feab9f901302fa7ff768c0120f) C:\WINDOWS\System32\wzcsvc.dll
    08:31:19.0046 3592 WZCSVC - ok
    08:31:19.0062 3592 xmlprov (eef46dab68229a14da3d8e73c99e2959) C:\WINDOWS\System32\xmlprov.dll
    08:31:19.0062 3592 xmlprov - ok
    08:31:19.0078 3592 MBR (0x1B8) (fca24a102012d6b4252520fb84559228) \Device\Harddisk0\DR0
    08:31:19.0375 3592 \Device\Harddisk0\DR0 - ok
    08:31:19.0390 3592 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR1
    08:31:19.0421 3592 \Device\Harddisk1\DR1 - ok
    08:31:19.0421 3592 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR6
    08:31:19.0421 3592 \Device\Harddisk2\DR6 - ok
    08:31:19.0437 3592 Boot (0x1200) (c6c99e8c3ff41dc545b4bb0dd3b48a79) \Device\Harddisk0\DR0\Partition0
    08:31:19.0437 3592 \Device\Harddisk0\DR0\Partition0 - ok
    08:31:19.0453 3592 Boot (0x1200) (cea2f4d045e7becf063f70c01281788c) \Device\Harddisk0\DR0\Partition1
    08:31:19.0453 3592 \Device\Harddisk0\DR0\Partition1 - ok
    08:31:19.0453 3592 Boot (0x1200) (aa987f9837d2e10da6067fa316b3a8b1) \Device\Harddisk1\DR1\Partition0
    08:31:19.0453 3592 \Device\Harddisk1\DR1\Partition0 - ok
    08:31:19.0453 3592 Boot (0x1200) (228c3e157765f831952081ec4c264158) \Device\Harddisk2\DR6\Partition0
    08:31:19.0468 3592 \Device\Harddisk2\DR6\Partition0 - ok
    08:31:19.0468 3592 ============================================================
    08:31:19.0468 3592 Scan finished
    08:31:19.0468 3592 ============================================================
    08:31:19.0468 2716 Detected object count: 1
    08:31:19.0468 2716 Actual detected object count: 1
    08:33:34.0734 2716 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - copied to quarantine
    08:33:34.0765 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\@ - copied to quarantine
    08:33:34.0828 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\Desktop.ini - copied to quarantine
    08:33:34.0843 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\L\00000004.@ - copied to quarantine
    08:33:34.0843 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\L\201d3dde - copied to quarantine
    08:33:34.0859 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\L\waknjude - copied to quarantine
    08:33:34.0859 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\00000004.@ - copied to quarantine
    08:33:35.0062 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\00000008.@ - copied to quarantine
    08:33:35.0062 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\000000cb.@ - copied to quarantine
    08:33:35.0078 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\80000000.@ - copied to quarantine
    08:33:35.0078 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\80000032.@ - copied to quarantine
    08:33:35.0593 2716 Backup copy found, using it..
    08:33:35.0609 2716 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys - will be cured on reboot
    08:33:36.0250 2716 C:\WINDOWS\$NtUninstallKB14732$\2034695612 - will be deleted on reboot
    08:33:36.0250 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\@ - will be deleted on reboot
    08:33:36.0250 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\Desktop.ini - will be deleted on reboot
    08:33:36.0265 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\00000004.@ - will be deleted on reboot
    08:33:36.0265 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\00000008.@ - will be deleted on reboot
    08:33:36.0265 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\000000cb.@ - will be deleted on reboot
    08:33:36.0265 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\80000000.@ - will be deleted on reboot
    08:33:36.0265 2716 C:\WINDOWS\$NtUninstallKB14732$\2870514324\U\80000032.@ - will be deleted on reboot
    08:33:36.0265 2716 MRxSmb ( Virus.Win32.ZAccess.aml ) - User select action: Cure
    Attached Files

  2. #2
    Security Expert Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,470


    Hi,

    IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent


    I'd like you to read this thread.

    Please uninstall the programs listed above (in red). Post fresh DDS logs after that.
    Microsoft MVP Consumer Security 2008 2009 2010 2011 2012
    ASAP & UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Member
    Join Date
    Mar 2008
    Posts
    72

    Win64:Sirefef Cont.

    First of all, thanks for such a prompt reply. No problem dumping µTorrent, I only ever used it when I missed episodes of TV shows. Haven't used it since getting my DVR [more than a year ago] - I can program/record as many events/series as I want.
    A couple of questions:
    1] Can I send emails to friends etc., as long as there are no attachments, without risking infecting their PCs?
    2] Is it better to leave my machine running [every 60 seconds there is a series of system sounds - open/close program], or should I shut down any time I'm not using it? During the last shutdown/startup cycle the virus took down my website access [ALL sites = 'server not found']. I'm only back online because of a restore using the ERUNT backup your site recommends. When not online I disconnect my modem/router.
    FYI-
    Avast [I set the realtime shields to highest levels of protection] has been detecting the following malware activity:
    Object: C:\WINDOWS\assembly\GAC\Desktop.ini
    Win64:Sirefef-PL [Rtk]
    Process: C:\WINDOWS\Explorer.EXE

    Others include JS:ScriptlP-inf [Trj] and Win64:Sirefef-A [Trj]. Infections detected in svchost processes.
    It seems like any program I run except anti-malware will show up as infected. I have not used anything but Explorer.exe, Notepad {getting DEP closings}, WinRAR {clean so far}, Photoshop {already infected anyway} and various anti-malware progs since infected.
    As a last resort I have a 15 month old full backup. Unfortunately it is for C: partition only. I only found out that restore from these backups formats and repartitions the drive, after the new machine was up and running with 650 Gb copied to the D: partition [too big to back up - it's data only, no software so small risk of infection]. If we can get this infection cleared up I will buy a drive for C: [OS and other software, currently only 65 Gb - easy to backup] and keep up-to-date backups. Have been meaning to do this - Duh.
    Thanks again for helping me. DDS log follows.
    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_31
    Run by Administrator at 9:58:27 on 2012-07-14
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.2765 [GMT -6:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Alwil Software\Avast6\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\atwtusb.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Alwil Software\Avast6\avastUI.exe
    C:\WINDOWS\system32\TBLMOUSE.EXE
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_3_300_262_Plugin.exe -update plugin
    mRun: [atwtusb] atwtusb.exe
    mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [avast] "c:\program files\alwil software\avast6\avastUI.exe" /nogui
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    uPolicies-explorer: NoLogoff = 01000000
    uPolicies-explorer: NoRecentDocsNetHood = 01000000
    uPolicies-explorer: NoSMMyDocs = 01000000
    uPolicies-explorer: NoSMMyPictures = 01000000
    uPolicies-explorer: NoNetworkConnections = 01000000
    uPolicies-explorer: StartMenuLogOff = 1 (0x1)
    uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    LSP: mswsock.dll
    DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206762645578
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator.computer\application data\mozilla\firefox\profiles\bvvl5608.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - blank
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
    FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-21 64288]
    R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-7-1 22528]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-9 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-9 337880]
    R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-12-13 3968]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-9 20696]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast6\AvastSvc.exe [2011-12-9 44768]
    R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-12-20 3744]
    R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-12-20 3904]
    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2011-7-30 14976]
    R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2009-9-22 50944]
    R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2011-3-22 22891]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-2-5 56992]
    S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [2007-4-15 611360]
    S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-2-5 1691480]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1e.tmp --> c:\windows\system32\1E.tmp [?]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2011-10-25 12984]
    S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
    S4 WWMZYS;WWMZYS;c:\docume~1\admini~1.com\locals~1\temp\wwmzys.exe --> c:\docume~1\admini~1.com\locals~1\temp\WWMZYS.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-07-11 14:33:34 -------- d-----w- C:\TDSSKiller_Quarantine
    .
    ==================== Find3M ====================
    .
    2012-07-11 14:37:55 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2012-07-05 13:32:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-05 13:32:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2004-04-09 22:13:00 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
    2006-05-03 18:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 19:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 21:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
    .
    ============= FINISH: 9:59:12.85 ===============

  4. #4
    Security Expert Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,470


    Hi,

    I think it's ok to say 'yes' to both your questions above



    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft MVP Consumer Security 2008 2009 2010 2011 2012
    ASAP & UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  5. #5
    Member
    Join Date
    Mar 2008
    Posts
    72

    Combofix Run

    Looks like I should have checked back sooner. I've been afraid to get online often knowing that someone has a backdoor. I am beginning the Combofix run now, but I work nights, and so must get some sleep. I will post the log in about 6 hours when I get up. I'll have to go to work an hour later and not be back for 10 hours, but then I'll have some time.

  6. #6
    Security Expert Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,470


    That's ok. I won't be back here checking in the next 10 hours either.

  7. #7
    Member
    Join Date
    Mar 2008
    Posts
    72

    Noticeable Improvement

    I noticed entries in the Combofix log referring to a search toolbar. I never had one [?], so no problem if these are gone.
    I also noticed the following deletions:
    c:\windows\system32\Filters\ffdshow\ffdshow.ax
    c:\windows\system32\Filters\ffdshow\ffdshow.ax.manifest
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1028.tc
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1029.cz
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1031.de
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1033.en
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1034.es
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1036.fr
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1038.hu
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1040.it
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1041.ja
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1041.jp
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1045.pl
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1046.br
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1049.ru
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1051.sk
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1053.se
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.2052.sc
    c:\windows\system32\Filters\ffdshow\libavcodec.dll
    c:\windows\system32\Filters\ffdshow\libmpeg2_ff.dll
    c:\windows\system32\Filters\ffdshow\libmplayer.dll
    c:\windows\system32\Filters\ffdshow\reg\ffdshow.reg
    c:\windows\system32\Filters\ffdshow\reg\reg.exe
    c:\windows\system32\Filters\ffdshow\reg\rempc.reg
    c:\windows\system32\Filters\ffdshow\TomsMoComp_ff.dll
    c:\windows\system32\Filters\FLVSplitter.ax
    c:\windows\system32\Filters\MatroskaSplitter.ax
    c:\windows\system32\Filters\MP4Splitter.ax
    c:\windows\system32\Filters\Quicktime.ax
    c:\windows\system32\Filters\RealMediaSplitter.ax

    These are used to play/edit various video files [I do some video mixing]. Would it be a problem to restore any of these after we are finished? No more system sounds [previously mentioned]. No more Avast pop-ups.
    I'll be back Sunday morning [USA Mountain Time]
    Did not attach file Attach.txt [zip] as you did not request it, other logs follow.

    ComboFix 12-07-14.01 - Administrator 07/14/2012 21:31:32.18.4 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.3065 [GMT -6:00]
    Running from: c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country10.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\searchplugins\bing-zugo.xml
    c:\documents and settings\Administrator.COMPUTER\Application Data\vso_ts_preview.xml
    c:\documents and settings\Administrator.COMPUTER\Desktop\-.lnk
    c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}
    c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\@
    c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\L\00000004.@
    c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\n
    c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\U\00000004.@
    c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\U\00000008.@
    c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\U\000000cb.@
    c:\documents and settings\Administrator.COMPUTER\Local Settings\Application Data\{cc67cdb6-5a41-d556-a43b-bd5fc73e94ed}\U\80000032.@
    c:\documents and settings\Administrator.COMPUTER\WINDOWS
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\0C232DFB.TMP
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\1CA73D29.TMP
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\403EAC7C.TMP
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\4BF2F6B5.TMP
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\5C321E34.TMP
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\BFE23423.TMP
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\C7D0F96D.TMP
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\D1AB3412.TMP
    c:\documents and settings\All Users.WINDOWS\Application Data\TEMP\D5876FBA.TMP
    c:\program files\Downloaded Installers
    c:\program files\Downloaded Installers\{67cdd5a0-c572-4d2c-a354-6492b51f4138}\setup.msi
    c:\program files\Search Toolbar
    c:\program files\Search Toolbar\icon.ico
    c:\program files\Search Toolbar\SearchToolbar.dll
    c:\program files\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files\Search Toolbar\SearchToolbarUpdater.exe
    c:\windows\system32\asw3B.tmp
    c:\windows\system32\Bass.dll
    c:\windows\system32\drivers\etc\hosts.txt
    c:\windows\system32\drivers\tcpip.copy
    c:\windows\system32\Filters
    c:\windows\system32\Filters\AviSplitter.ax
    c:\windows\system32\Filters\ffdshow\custom matrices\andreas_78er.matrix.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\andreas_doppelte_99er.matrix.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\andreas_einfache_99er.matrix.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\Bulletproof's Heavy Compression Matrix.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\Bulletproof's High Quality Matrix.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\CG-Animation Matrix.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\hvs-best-picture.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\hvs-better-picture.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\hvs-good-picture.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\Low Bitrate Matrix.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\MPEG.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\pvcd.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\Soulhunters V3.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\Soulhunters V5.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\Standard.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\Ultimate Matrix.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\Ultra Low Bitrate Matrix.xcm
    c:\windows\system32\Filters\ffdshow\custom matrices\Very Low Bitrate Matrix.xcm
    c:\windows\system32\Filters\ffdshow\dict\Czech.dic
    c:\windows\system32\Filters\ffdshow\dict\dicts.txt
    c:\windows\system32\Filters\ffdshow\dict\Greek.dic
    c:\windows\system32\Filters\ffdshow\dict\Polski.dic
    c:\windows\system32\Filters\ffdshow\ff_kernelDeint.dll
    c:\windows\system32\Filters\ffdshow\ff_liba52.dll
    c:\windows\system32\Filters\ffdshow\ff_libdts.dll
    c:\windows\system32\Filters\ffdshow\ff_libfaad2.dll
    c:\windows\system32\Filters\ffdshow\ff_libmad.dll
    c:\windows\system32\Filters\ffdshow\ff_realaac.dll
    c:\windows\system32\Filters\ffdshow\ff_samplerate.dll
    c:\windows\system32\Filters\ffdshow\ff_theora.dll
    c:\windows\system32\Filters\ffdshow\ff_tremor.dll
    c:\windows\system32\Filters\ffdshow\ff_unrar.dll
    c:\windows\system32\Filters\ffdshow\ff_wmv9.dll
    c:\windows\system32\Filters\ffdshow\ff_x264.dll
    c:\windows\system32\Filters\ffdshow\ffdshow.ax
    c:\windows\system32\Filters\ffdshow\ffdshow.ax.manifest
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1028.tc
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1029.cz
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1031.de
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1033.en
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1034.es
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1036.fr
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1038.hu
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1040.it
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1041.ja
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1041.jp
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1045.pl
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1046.br
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1049.ru
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1051.sk
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.1053.se
    c:\windows\system32\Filters\ffdshow\languages\ffdshow.2052.sc
    c:\windows\system32\Filters\ffdshow\libavcodec.dll
    c:\windows\system32\Filters\ffdshow\libmpeg2_ff.dll
    c:\windows\system32\Filters\ffdshow\libmplayer.dll
    c:\windows\system32\Filters\ffdshow\reg\ffdshow.reg
    c:\windows\system32\Filters\ffdshow\reg\reg.exe
    c:\windows\system32\Filters\ffdshow\reg\rempc.reg
    c:\windows\system32\Filters\ffdshow\TomsMoComp_ff.dll
    c:\windows\system32\Filters\FLVSplitter.ax
    c:\windows\system32\Filters\MatroskaSplitter.ax
    c:\windows\system32\Filters\MP4Splitter.ax
    c:\windows\system32\Filters\Quicktime.ax
    c:\windows\system32\Filters\RealMediaSplitter.ax
    c:\windows\system32\Filters\VSFilter.dll
    c:\windows\system32\MSMAsk32.ocx
    c:\windows\system32\NEW11.tmp
    c:\windows\system32\NEW12.tmp
    c:\windows\system32\NEW26.tmp
    c:\windows\system32\NEW2E.tmp
    c:\windows\system32\NEW2F.tmp
    c:\windows\system32\NEWB.tmp
    J:\Autorun.inf
    .
    Infected copy of c:\windows\system32\Services.exe was found and disinfected
    Restored copy from - c:\windows\ERDNT\cache\services.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-15 to 2012-07-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-11 14:33 . 2012-07-11 14:33 -------- d-----w- C:\TDSSKiller_Quarantine
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-11 14:37 . 2007-12-14 01:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2012-07-05 13:32 . 2012-04-05 13:33 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-05 13:32 . 2011-05-24 12:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2004-04-09 22:13 . 2007-10-23 23:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
    2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast6\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "atwtusb"="atwtusb.exe" [2007-03-21 315392]
    "Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "RTHDCPL"="RTHDCPL.EXE" [2000-01-01 20064872]
    "avast"="c:\program files\Alwil Software\Avast6\avastUI.exe" [2012-03-06 4241512]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLogoff"= 01000000
    "NoRecentDocsNetHood"= 01000000
    "NoSMMyDocs"= 01000000
    "NoSMMyPictures"= 01000000
    "NoNetworkConnections"= 01000000
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
    backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MyIRC.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\MyIRC.lnk
    backup=c:\windows\pss\MyIRC.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TotalMedia BackUp & Recorder Monitor.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TotalMedia BackUp & Recorder Monitor.lnk
    backup=c:\windows\pss\TotalMedia BackUp & Recorder Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinTV Recording Status..lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinTV Recording Status..lnk
    backup=c:\windows\pss\WinTV Recording Status..lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
    path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
    backup=c:\windows\pss\QuickShelf 2000.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    2008-04-10 03:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    2008-04-10 03:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 09:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
    2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 22:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    2007-09-05 02:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
    2008-04-10 03:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "NMIndexingService"=3 (0x3)
    "NBService"=3 (0x3)
    "AntiVirService"=2 (0x2)
    "AntiVirSchedulerService"=2 (0x2)
    "ACDaemon"=3 (0x3)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "AdobeBridge"=
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
    "SoundMan"=SOUNDMAN.EXE
    "nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
    "RTHDCPL"=RTHDCPL.EXE
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2010 03:29 AM 64288]
    R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 11:33 PM 22528]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/9/2011 09:10 AM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/9/2011 09:10 AM 337880]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/9/2011 09:10 AM 20696]
    R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 05:11 AM 3744]
    R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 05:11 AM 3904]
    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [7/30/2011 09:57 PM 14976]
    R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 04:59 AM 50944]
    R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [3/22/2011 01:55 AM 22891]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/5/2011 02:31 PM 56992]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\PCOUFFIN.SYS [3/3/2009 12:43 AM 47360]
    S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [4/15/2007 09:17 PM 611360]
    S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/5/2011 02:30 PM 1691480]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [10/25/2011 02:36 AM 12984]
    S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 05:31 PM 161064]
    S4 WWMZYS;WWMZYS;c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\WWMZYS.exe --> c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\WWMZYS.exe [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - blank
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-16507403.sys
    MSConfigStartUp-ArcSoft Connection Service - c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    MSConfigStartUp-LoginScreen - c:\windows\aIg.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-14 21:42
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "abnllihdbjplkgkdpkebpdfihejcgiaodb"=hex:61,62,6c,65,69,61,66,69,69,68,6d,65,
    63,6d,6c,6e,63,67,63,66,6d,6a,6b,63,64,6d,67,61,68,66,62,70,65,61,00,00
    "bbnllihdbjplkgkdpkfbdachibjdfkjonkac"=hex:61,62,67,67,63,64,64,61,65,69,68,62,
    66,6d,63,70,63,64,65,68,6d,67,6e,6c,65,67,6a,6e,70,67,6e,6d,6f,63,00,00
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3740)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Alwil Software\Avast6\AvastSvc.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\RTHDCPL.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-07-14 21:45:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-15 03:45
    ComboFix2.txt 2010-12-30 20:21
    .
    Pre-Run: 412,054,997,504 bytes free
    Post-Run: 412,079,539,712 bytes free
    .
    - - End Of File - - D160B9B213AA34D55F4E0B0841104C87

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_31
    Run by Administrator at 21:59:31 on 2012-07-14
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.2916 [GMT -6:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\Program Files\Alwil Software\Avast6\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Alwil Software\Avast6\avastUI.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\FIREFOX.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
    mRun: [atwtusb] atwtusb.exe
    mRun: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [avast] "c:\program files\alwil software\avast6\avastUI.exe" /nogui
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    uPolicies-explorer: NoLogoff = 01000000
    uPolicies-explorer: NoRecentDocsNetHood = 01000000
    uPolicies-explorer: NoSMMyDocs = 01000000
    uPolicies-explorer: NoSMMyPictures = 01000000
    uPolicies-explorer: NoNetworkConnections = 01000000
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206762645578
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator.computer\application data\mozilla\firefox\profiles\bvvl5608.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - blank
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
    FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-21 64288]
    R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [2008-7-1 22528]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-12-9 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-12-9 337880]
    R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2007-12-13 3968]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-12-9 20696]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast6\AvastSvc.exe [2011-12-9 44768]
    R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2007-12-20 3744]
    R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2007-12-20 3904]
    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2011-7-30 14976]
    R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [2009-9-22 50944]
    R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [2011-3-22 22891]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2011-2-5 56992]
    S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [2007-4-15 611360]
    S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-2-5 1691480]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1e.tmp --> c:\windows\system32\1E.tmp [?]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [2011-10-25 12984]
    S4 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-1-16 161064]
    S4 WWMZYS;WWMZYS;c:\docume~1\admini~1.com\locals~1\temp\wwmzys.exe --> c:\docume~1\admini~1.com\locals~1\temp\WWMZYS.exe [?]
    .
    =============== Created Last 30 ================
    .
    2012-07-14 21:38:32 98816 ----a-w- c:\windows\sed.exe
    2012-07-14 21:38:32 518144 ----a-w- c:\windows\SWREG.exe
    2012-07-14 21:38:32 256000 ----a-w- c:\windows\PEV.exe
    2012-07-14 21:38:32 208896 ----a-w- c:\windows\MBR.exe
    2012-07-11 14:33:34 -------- d-----w- C:\TDSSKiller_Quarantine
    .
    ==================== Find3M ====================
    .
    2012-07-11 14:37:55 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2012-07-05 13:32:46 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-07-05 13:32:46 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2004-04-09 22:13:00 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
    2006-05-03 18:06:54 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 19:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 21:30:52 216064 --sha-r- c:\windows\system32\nbDX.dll
    .
    ============= FINISH: 22:00:04.18 ===============

  8. #8
    Security Expert Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,470

    Default

    Hi again,

    These are used to play/edit various video files [I do some video mixing]. Would it be a problem to restore any of these after we are finished?
    We can restore those a bit later.


    Open notepad and copy/paste the text in the codebox below into it:

    Code:
    @echo off
    rem Every path below is quoted: several contain spaces (e.g. "custom matrices"),
    rem and an unquoted for-in list splits on spaces, so those names would be torn
    rem into fragments that zip cannot find and the files would be silently skipped.
    rem Work from the folder this batch file was saved in (the desktop), so
    rem Files_for_submission.zip is created there however the file was launched.
    rem "zip" is assumed to be a command-line zip utility available on the PATH.
    cd /d "%~dp0"
    for %%g in (
    "c:\qoobox\quarantine\c\windows\system32\Bass.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\AviSplitter.ax.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\andreas_78er.matrix.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\andreas_doppelte_99er.matrix.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\andreas_einfache_99er.matrix.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Bulletproof's Heavy Compression Matrix.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Bulletproof's High Quality Matrix.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\CG-Animation Matrix.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\hvs-best-picture.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\hvs-better-picture.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\hvs-good-picture.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Low Bitrate Matrix.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\MPEG.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\pvcd.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Soulhunters V3.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Soulhunters V5.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Standard.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Ultimate Matrix.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Ultra Low Bitrate Matrix.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\custom matrices\Very Low Bitrate Matrix.xcm.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\dict\Czech.dic.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\dict\dicts.txt.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\dict\Greek.dic.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\dict\Polski.dic.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_kernelDeint.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_liba52.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_libdts.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_libfaad2.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_libmad.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_realaac.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_samplerate.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_theora.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_tremor.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_unrar.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_wmv9.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ff_x264.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ffdshow.ax.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\ffdshow.ax.manifest.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1028.tc.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1029.cz.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1031.de.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1033.en.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1034.es.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1036.fr.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1038.hu.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1040.it.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1041.ja.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1041.jp.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1045.pl.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1046.br.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1049.ru.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1051.sk.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.1053.se.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\languages\ffdshow.2052.sc.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\libavcodec.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\libmpeg2_ff.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\libmplayer.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\reg\ffdshow.reg.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\reg\reg.exe.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\reg\rempc.reg.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\ffdshow\TomsMoComp_ff.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\FLVSplitter.ax.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\MatroskaSplitter.ax.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\MP4Splitter.ax.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\Quicktime.ax.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\RealMediaSplitter.ax.vir"
    "c:\qoobox\quarantine\c\windows\system32\Filters\VSFilter.dll.vir"
    "c:\qoobox\quarantine\c\windows\system32\MSMAsk32.ocx.vir"
    ) do zip Files_for_submission %%g
    rem Remove this batch file once the archive has been built.
    del "%~f0"
    Save this as grab.bat
    Choose to Save type as - All Files
    Save it on your desktop.
    It should look like this:
    Double click on grab.bat & allow it to run

    A file, Files_for_submission.zip will be created on your desktop.



    Please upload that zip file to this website. Kindly include a link to this topic in the message.


    I see there's still ancient Internet Explorer 6 version installed. Is there anything preventing upgrading to version 8 (a bit later)?


    ----------------




    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Firefox::
    FF - ProfilePath - c:\documents and settings\administrator.computer\application data\mozilla\firefox\profiles\bvvl5608.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - blank
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
    File::
    c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\WWMZYS.exe
    Driver::
    WWMZYS
    RegNull::
    [HKEY_USERS\S-1-5-21-1454471165-1979792683-725345543-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08437B63-CA86-7C11-1E25-5A214BD5C952}*]

    Save this as CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
    Then post the resultant log.


    Uninstall old Adobe Reader versions and get the latest one (Adobe Reader 10.1 and separate 10.1.1, 10.1.2 & 10.1.3 updates for it) here or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check free readers introduced here.

    Uninstall your current Adobe shockwave player and get the fresh one here if needed.

    Uninstall vulnerable Flash versions by following instructions here. A fresh version can be obtained here.


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 7 Update 5.
    • Click the Download button to the right.
    • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-7u5-windows-i586.exe to install the newest version.



    • Go here to run an online scanner from ESET.
    • Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
    • Click Scan
    • Wait for the scan to finish.


    Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
    Microsoft MVP Consumer Security 2008 2009 2010 2011 2012
    ASAP & UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
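The CFScript above targets WWMZYS with File:: and Driver:: entries. What singled that service out in the DDS log is visible in its own line: the binary sits under the Administrator's Temp folder and DDS appended "[?]" because the file is no longer on disk. As an added example, not code from DDS, ComboFix or the helper, here is a small parser that pulls the SERVICES / DRIVERS lines apart and reports those indicators, run over lines copied from the log in this thread. The flag names are my own, and a flag is a prompt to look closer rather than a verdict: portD and MEMSWEEP2 are flagged too, and the helper left both alone.

```python
"""Triage of the SERVICES / DRIVERS section of a DDS log.

Added example (my code, not DDS, ComboFix or the helper's): parses the
R*/S* lines and flags the indicators behind the File:: and Driver::
entries for WWMZYS in the CFScript above. Flag names are my own.
"""
import re
from dataclasses import dataclass, field

# Sample lines copied from the DDS log posted in this thread.
SAMPLE_LOG = r"""R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-12-21 64288]
S2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys --> c:\windows\system32\drivers\portd2k.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1e.tmp --> c:\windows\system32\1E.tmp [?]
S4 WWMZYS;WWMZYS;c:\docume~1\admini~1.com\locals~1\temp\wwmzys.exe --> c:\docume~1\admini~1.com\locals~1\temp\WWMZYS.exe [?]
"""

# "R" = running, "S" = stopped; the digit is the service start type. After the
# second ';' comes the image path followed either by "[yyyy-m-d size]" or, when
# DDS could not find the file on disk, by "--> <resolved path> [?]".
LINE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")
STAMP_RE = re.compile(r"^(.*?)\s+\[(\d{4}-\d{1,2}-\d{1,2})\s+(\d+)\]$")


@dataclass
class ServiceEntry:
    state: str          # "R" or "S"
    start_type: int     # 0 boot ... 4 disabled
    name: str
    display_name: str
    image_path: str
    file_found: bool    # False when DDS printed "[?]"
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return a ServiceEntry for one R*/S* line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, tail = m.groups()
    if " --> " in tail:
        image = tail.split(" --> ", 1)[0]
        found = not tail.rstrip().endswith("[?]")
    else:
        stamp = STAMP_RE.match(tail)
        image = stamp.group(1) if stamp else tail
        found = stamp is not None
    return ServiceEntry(state, int(start), name.strip(), display.strip(), image, found)


def triage(entry):
    """Indicators worth a second look; none of them is a verdict on its own."""
    p = entry.image_path.lower()
    flags = []
    if not entry.file_found:
        flags.append("missing_binary")      # registry points at a file that is gone
    if "\\temp\\" in p:
        flags.append("temp_location")       # services do not belong in a user's Temp
    if p.endswith(".tmp"):
        flags.append("tmp_extension")       # executable registered under a scratch name
    if p.startswith("\\??\\"):
        flags.append("raw_device_path")     # NT object path instead of a normal Win32 path
    return flags


def triage_log(text):
    """Parse every service line in `text` and return the entries that raised flags."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        entry.flags = triage(entry)
        if entry.flags:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.state}{e.start_type} {e.name:<10} {', '.join(e.flags):<45} {e.image_path}")
```

Running it prints three entries; only WWMZYS combines a missing binary with a Temp-folder location, which is the pattern the CFScript's File:: and Driver:: lines address.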

  9. #9
    Member
    Join Date
    Mar 2008
    Posts
    72

    Unhappy Hmmmm

    A few problems. The 'files for submission.zip' file turned out 5.3 MB - just over the 5 MB limit for file size, so it will have to be split up? Uninstalled Adobe [Reader, Flash, Shockwave] plus Java before running Combofix with script - have not installed new versions yet. Both runs of Combofix [forgot to tell you last time - oops] encountered a problem at stage 2 with PEV.exe but continued to run after Windows closed this application. Combofix still reports infected with Rootkit Zero-access.
    As for IExplorer, no special reason [it's unnecessarily huge and acts like it wants to take over everything]. I NEVER use it except for when absolutely required by totally trusted sites [I think just Microsoft.com].
    Re ESET online test. I already have Trend Micro online tester installed on my system. I could run one of their scans sooner and with less system clutter if that's ok. If you feel that ESET is substantially better I will install that.
    Figured there was no point in running a DDS scan until these issues were resolved. Combofix log follows:

    ComboFix 12-07-14.01 - Administrator 07/15/2012 11:38:04.19.4 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3455.3061 [GMT -6:00]
    Running from: c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\Country10.exe
    Command switches used :: c:\documents and settings\Administrator.COMPUTER\My Documents\Anti-Smitfraud\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    FILE ::
    "c:\docume~1\ADMINI~1.COM\LOCALS~1\Temp\WWMZYS.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_WWMZYS
    -------\Service_WWMZYS
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-15 to 2012-07-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-11 14:33 . 2012-07-11 14:33 -------- d-----w- C:\TDSSKiller_Quarantine
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-11 14:37 . 2007-12-14 01:00 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2004-04-09 22:13 . 2007-10-23 23:35 114688 ----a-w- c:\program files\NETGEAR DG632 USB Driveruninstalldrv.exe
    2006-05-03 18:06 163328 --sha-r- c:\windows\system32\flvDX.dll
    2007-02-21 19:47 31232 --sha-r- c:\windows\system32\msfDX.dll
    2008-03-16 21:30 216064 --sha-r- c:\windows\system32\nbDX.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-15_03.42.17 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-10-23 22:42 . 2012-07-15 17:41 82954 c:\windows\system32\perfc009.dat
    - 2007-10-23 22:42 . 2012-07-15 03:34 82954 c:\windows\system32\perfc009.dat
    + 2007-12-14 01:00 . 2004-08-04 08:00 44544 c:\windows\system32\alg.exe
    + 2007-10-23 22:42 . 2012-07-15 17:41 466936 c:\windows\system32\perfh009.dat
    - 2007-10-23 22:42 . 2012-07-15 03:34 466936 c:\windows\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15 123536 ----a-w- c:\program files\Alwil Software\Avast6\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "atwtusb"="atwtusb.exe" [2007-03-21 315392]
    "Tweak UI"="TWEAKUI.CPL" [1997-11-08 87312]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-10 153136]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "RTHDCPL"="RTHDCPL.EXE" [2000-01-01 20064872]
    "avast"="c:\program files\Alwil Software\Avast6\avastUI.exe" [2012-03-06 4241512]
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoLogoff"= 01000000
    "NoRecentDocsNetHood"= 01000000
    "NoSMMyDocs"= 01000000
    "NoSMMyPictures"= 01000000
    "NoNetworkConnections"= 01000000
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
    backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk.disabled]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk.disabled
    backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.disabledCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^MyIRC.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\MyIRC.lnk
    backup=c:\windows\pss\MyIRC.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^TotalMedia BackUp & Recorder Monitor.lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\TotalMedia BackUp & Recorder Monitor.lnk
    backup=c:\windows\pss\TotalMedia BackUp & Recorder Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^WinTV Recording Status..lnk]
    path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\WinTV Recording Status..lnk
    backup=c:\windows\pss\WinTV Recording Status..lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^DOCUME~1^ADMINI~1.COM^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
    path=c:\docume~1\ADMINI~1.COM\Start Menu\Programs\Startup\QuickShelf 2000.lnk
    backup=c:\windows\pss\QuickShelf 2000.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
    2008-04-10 03:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
    2008-04-10 03:23 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
    2009-01-16 23:31 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 22:24 13923432 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    2007-09-05 02:25 81920 ----a-w- c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 23:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
    2008-04-10 03:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "NMIndexingService"=3 (0x3)
    "NBService"=3 (0x3)
    "AntiVirService"=2 (0x2)
    "AntiVirSchedulerService"=2 (0x2)
    "ACDaemon"=3 (0x3)
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "AdobeBridge"=
    "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "VirtualCloneDrive"="c:\program files\VirtualCloneDrive\VCDDaemon.exe" /s
    "NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
    "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
    "hpqSRMon"=c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
    "SoundMan"=SOUNDMAN.EXE
    "nwiz"=c:\program files\NVIDIA Corporation\nView\nwiz.exe /install
    "RTHDCPL"=RTHDCPL.EXE
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/21/2010 03:29 AM 64288]
    R1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys [7/1/2008 11:33 PM 22528]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [12/9/2011 09:10 AM 612184]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/9/2011 09:10 AM 337880]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/9/2011 09:10 AM 20696]
    R2 BCMNTIO;BCMNTIO;c:\progra~1\CHECKIT\DIAGNO~1\BCMNTIO.sys [12/20/2007 05:11 AM 3744]
    R2 MAPMEM;MAPMEM;c:\progra~1\CHECKIT\DIAGNO~1\MAPMEM.sys [12/20/2007 05:11 AM 3904]
    R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [7/30/2011 09:57 PM 14976]
    R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\drivers\vrtaucbl.sys [9/22/2009 04:59 AM 50944]
    R3 MEITUNER;FireBus MPEG2TS Tuner Subunit Device;c:\windows\system32\drivers\meistb.sys [3/22/2011 01:55 AM 22891]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/5/2011 02:31 PM 56992]
    R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\PCOUFFIN.SYS [3/3/2009 12:43 AM 47360]
    S2 MDP100;MDP100 Video Capture;c:\windows\system32\drivers\MDP100_XP.sys [4/15/2007 09:17 PM 611360]
    S2 portD;CMS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/5/2011 02:30 PM 1691480]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E.tmp --> c:\windows\system32\1E.tmp [?]
    S3 SWDUMon;SWDUMon;c:\windows\system32\drivers\SWDUMon.sys [10/25/2011 02:36 AM 12984]
    S4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [1/16/2009 05:31 PM 161064]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Administrator.COMPUTER\Application Data\Mozilla\Firefox\Profiles\bvvl5608.default\
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - blank
    FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    AddRemove-KB923789 - c:\windows\system32\MacroMed\Flash\genuinst.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-15 11:46
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2452)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\program files\Alwil Software\Avast6\AvastSvc.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\RTHDCPL.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-07-15 11:49:15 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-15 17:49
    ComboFix2.txt 2012-07-15 03:45
    ComboFix3.txt 2010-12-30 20:21
    .
    Pre-Run: 412,165,657,088 bytes free
    Post-Run: 412,106,697,216 bytes free
    .
    - - End Of File - - BEFA14583C764203915D27261DEA2848

  10. #10
    Security Expert Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,470

    Default

    Hi,

    I will find out if all those samples need to be uploaded or if we can create a smaller zip. I'll let you know asap.
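The zip in post #9 came out at 5.3 MB against a 5 MB upload limit. One way a practitioner handles that, as an added example (my code, not the helper's grab.bat and not a forum tool): package the requested files into numbered archives that each stay under the limit, skip entries no longer on disk, set aside anything that cannot fit even on its own, and write a SHA-256 manifest so the receiving analyst can confirm what arrived. The .vir names mirror the grab.bat list above; the file contents are constructed filler in a temporary directory, and the 2 MB demo limit, the "-partN" naming and the manifest layout are my assumptions.

```python
# Added example: package quarantined samples into upload-sized zip archives
# plus a SHA-256 manifest. Not the helper's grab.bat nor a forum tool. The
# .vir names mirror the grab.bat list in this thread; file contents, the
# 2 MB demo limit, "-partN" naming and manifest layout are constructed.
import hashlib
import os
import tempfile
import zipfile

MB = 1024 * 1024
# A stored zip entry costs a 30-byte local header plus a 46-byte central
# record (each carrying the name), and the archive ends with a 22-byte record.
# Both figures are rounded up so the size estimate is always pessimistic.
ENTRY_OVERHEAD, ARCHIVE_OVERHEAD = 128, 64


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def entry_cost(size, arcname):
    return size + ENTRY_OVERHEAD + 2 * len(arcname.encode("utf-8"))


def plan_archives(files, limit):
    """First-fit-in-order split of (path, size, arcname) into groups under `limit`."""
    groups, current, used = [], [], ARCHIVE_OVERHEAD
    for item in files:
        cost = entry_cost(item[1], item[2])
        if current and used + cost > limit:
            groups.append(current)
            current, used = [], ARCHIVE_OVERHEAD
        current.append(item)
        used += cost
    if current:
        groups.append(current)
    return groups


def pack_samples(paths, root, out_dir, base="Files_for_submission", limit=5 * MB):
    """Return (archive paths, manifest rows, missing paths, oversized paths)."""
    missing, oversized, files = [], [], []
    for p in paths:
        if not os.path.isfile(p):
            missing.append(p)                 # quarantine entry no longer on disk
            continue
        size = os.path.getsize(p)
        arcname = os.path.relpath(p, root).replace(os.sep, "/")
        if ARCHIVE_OVERHEAD + entry_cost(size, arcname) > limit:
            oversized.append(p)               # cannot fit even alone; needs another channel
            continue
        files.append((p, size, arcname))
    archives, manifest = [], []
    for n, group in enumerate(plan_archives(files, limit), 1):
        out = os.path.join(out_dir, f"{base}-part{n}.zip")
        # ZIP_STORED: samples rarely compress, and stored entries keep the
        # archive size predictable, which the estimate above relies on.
        with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
            for p, size, arcname in group:
                zf.write(p, arcname)
                manifest.append((arcname, size, sha256_of(p), os.path.basename(out)))
        if os.path.getsize(out) > limit:      # estimate is pessimistic, so never expected
            raise RuntimeError(f"{out} exceeds the {limit}-byte limit")
        archives.append(out)
    with open(os.path.join(out_dir, f"{base}-manifest.txt"), "w", encoding="utf-8") as f:
        for arcname, size, digest, archive in manifest:
            f.write(f"{digest}  {size:>10}  {archive}  {arcname}\n")
    return archives, manifest, missing, oversized


def build_demo_tree(root):
    """Constructed stand-ins for four .vir files (filler bytes, not samples),
    plus one listed path that is deliberately not created."""
    sizes = {"c/windows/system32/Bass.dll.vir": 1200 * 1024,
             "c/windows/system32/Filters/AviSplitter.ax.vir": 1200 * 1024,
             "c/windows/system32/Filters/ffdshow/libavcodec.dll.vir": 1000 * 1024,
             "c/windows/system32/Filters/VSFilter.dll.vir": 500 * 1024}
    paths = []
    for i, (rel, size) in enumerate(sizes.items()):
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(bytes([65 + i]) * size)
        paths.append(p)
    paths.append(os.path.join(root, "c", "windows", "system32", "MSMAsk32.ocx.vir"))
    return paths


def run_demo(limit=2 * MB):
    """Build the demo tree in a temp dir, pack it, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root, out_dir = os.path.join(tmp, "qoobox", "quarantine"), os.path.join(tmp, "desktop")
        os.makedirs(out_dir)
        archives, manifest, missing, oversized = pack_samples(
            build_demo_tree(root), root, out_dir, limit=limit)
        return {"limit": limit, "sizes": [os.path.getsize(a) for a in archives],
                "manifest": manifest, "missing": len(missing), "oversized": len(oversized)}
```

With the 2 MB demo limit the four files land in three archives, the missing MSMAsk32.ocx.vir is reported rather than silently dropped, and each archive is checked against the limit after it is written so the estimate never has to be trusted blindly.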
