
Thread: Trojan/virus

  1. #1
    Member
    Join Date
    Apr 2008
    Posts
    82

    Trojan/virus

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Administrator at 21:20:41 on 2012-01-11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.270 [GMT -6:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    svchost.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Documents and Settings\All Users\Documents\Norton\{3A7FA539-8005-4603-87D2-SOS1-NSS-v5}\Norton_Download_Manager[1].exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.prisonplanet.com/
    uSearch Page = hxxp://www.google.com/
    uDefault_Search_URL = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.google.com/
    mWinlogon: SfcDisable=-99 (0xffffff9d)
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [Norton Download Manager{3A7FA539-8005-4603-87D2-SOS1-NSS-v5}] c:\documents and settings\all users\documents\norton\{3a7fa539-8005-4603-87d2-sos1-nss-v5}\Norton_Download_Manager[1].exe /m
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [Drag'n Drop CD] c:\program files\drag'n drop cd\binfiles\DragDrop.exe /StartUp
    mRun: [ezShieldProtector for Px] c:\windows\system32\ezSP_Px.exe
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [ZoneAlarm Installer] "c:\program files\checkpoint\install\launcher.exe" "c:\program files\checkpoint\install\install.exe" /r download /c "c:\program files\checkpoint\install\Install.xml" /l /w
    mRun: [AGRSMMSG] AGRSMMSG.exe
    dRun: [ctfmon.exe] ctfmon.exe
    dRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe
    uPolicies-explorer: NoResolveTrack = 1 (0x1)
    uPolicies-explorer: NoInstrumentation = 1 (0x1)
    uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    dPolicies-explorer: NoResolveTrack = 1 (0x1)
    dPolicies-explorer: NoInstrumentation = 1 (0x1)
    dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
    dPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
    dPolicies-system: DisableTaskMgr = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{9ADF5A28-6FA4-49BE-A8CA-D43D53EC830C} : DhcpNameServer = 192.168.1.1
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SecurityProviders: schannel.dll, credssp.dll, digest.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\yy1hez6e.default\
    FF - prefs.js: browser.startup.homepage - hxxp://prisonplanet.tv/
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dll
    FF - plugin: c:\program files\nos\bin\np_gp.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2011-4-12 128016]
    R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-4-12 317072]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-4-12 486280]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-1-11 40776]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-14 14336]
    .
    =============== Created Last 30 ================
    .
    2012-01-12 02:59:31 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2012-01-12 00:54:33 -------- d-----w- c:\documents and settings\all users\application data\Norton
    2012-01-10 04:10:16 -------- d-----w- c:\windows\Options
    2012-01-10 03:07:09 -------- d-----w- c:\program files\CheckPoint
    2012-01-10 01:13:58 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
    2012-01-10 01:13:33 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-01-10 01:13:23 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-10 01:13:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-01-04 01:05:44 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Apple
    2012-01-04 01:05:11 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Apple Computer
    2012-01-04 00:05:53 -------- d-----w- c:\program files\VideoLAN
    2011-12-14 01:24:05 1289216 ------w- c:\windows\system32\dllcache\ole32.dll
    2011-12-14 01:24:02 186880 ------w- c:\windows\system32\dllcache\encdec.dll
    2011-12-14 01:23:29 2148864 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2011-12-14 01:23:26 2192768 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
    2011-12-14 01:23:26 2027008 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
    .
    ==================== Find3M ====================
    .
    2011-12-28 23:37:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-11-23 13:29:56 1868544 ----a-w- c:\windows\system32\win32k.sys
    2011-11-04 19:19:40 919552 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:19:40 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:19:40 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-01 16:05:38 1289216 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-26 00:22:34 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-25 13:34:49 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:01:01 385024 ----a-w- c:\windows\system32\html.iec
    2011-10-24 20:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2011-10-24 20:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2011-10-18 11:12:37 186880 ----a-w- c:\windows\system32\encdec.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: HITACHI_DK23EA-40 rev.00K3A0A6 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85DB249F]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85db9738]; MOV EAX, [0x85db98ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8694CAB8]
    3 CLASSPNP[0xF74E7FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000076[0x869C0F18]
    5 ACPI[0xF7317620] -> nt!IofCallDriver[0x804E37D5] -> [0x8697B940]
    \Driver\atapi[0x85EAB768] -> IRP_MJ_CREATE -> 0x85DB249F
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x85DB22C6
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 21:23:27.18 ===============

    Here's the other report:
    Last edited by tashi; 2012-01-12 at 06:57. Reason: Merged two posts, added attach.txt :-)

  2. #2
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

    Running programs with Vista or Windows 7, you need to Right Click on the program and select RUN AS ADMINISTRATOR



    Please download TDSSKiller.zip
    • Extract it to your desktop
    • Double click TDSSKiller.exe
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Copy and paste the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #3
    Member
    Join Date
    Apr 2008
    Posts
    82

    Here is the scan. The infected computer started doing crazy things after the reboot. It won't let me into C:\ except for Program Files, and then it only shows Zone Alarm. It wants to run a scan to fix a host of problems: cannot read hard drive, bad sectors, slow HD speed, high HD speed, memory overspeed, hard drive clusters are partly damaged, segment load failure, etc., to name a few. It seems to want me to buy a program to fix these problems. The computer does not show any programs, i.e. Internet Explorer. So I copied the scan file and am sending it on another laptop. Here it is:

    08:44:53.0930 2624 TDSS rootkit removing tool 2.7.5.0 Jan 18 2012 09:26:24
    08:44:55.0402 2624 ============================================================
    08:44:55.0402 2624 Current date / time: 2012/01/19 08:44:55.0402
    08:44:55.0402 2624 SystemInfo:
    08:44:55.0402 2624
    08:44:55.0402 2624 OS Version: 5.1.2600 ServicePack: 3.0
    08:44:55.0402 2624 Product type: Workstation
    08:44:55.0402 2624 ComputerName: HASSELCOMPUTER
    08:44:55.0402 2624 UserName: Administrator
    08:44:55.0402 2624 Windows directory: C:\WINDOWS
    08:44:55.0402 2624 System windows directory: C:\WINDOWS
    08:44:55.0402 2624 Processor architecture: Intel x86
    08:44:55.0402 2624 Number of processors: 1
    08:44:55.0402 2624 Page size: 0x1000
    08:44:55.0402 2624 Boot type: Normal boot
    08:44:55.0402 2624 ============================================================
    08:44:59.0638 2624 Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    08:44:59.0668 2624 Initialize success
    08:45:15.0411 3536 ============================================================
    08:45:15.0411 3536 Scan started
    08:45:15.0411 3536 Mode: Manual;
    08:45:15.0411 3536 ============================================================
    08:45:16.0863 3536 Abiosdsk - ok
    08:45:16.0903 3536 abp480n5 - ok
    08:45:16.0963 3536 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    08:45:16.0973 3536 ACPI - ok
    08:45:17.0153 3536 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    08:45:17.0153 3536 ACPIEC - ok
    08:45:17.0364 3536 adpu160m - ok
    08:45:17.0494 3536 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    08:45:17.0504 3536 aec - ok
    08:45:17.0694 3536 AFD (f6b7b1ecd7b41736bdb6ff4b092bcb79) C:\WINDOWS\System32\drivers\afd.sys
    08:45:17.0704 3536 AFD - ok
    08:45:18.0075 3536 AgereSoftModem (55188b7c84a4c5e73e0680f744c4561d) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    08:45:18.0145 3536 AgereSoftModem - ok
    08:45:18.0415 3536 Aha154x - ok
    08:45:18.0595 3536 aic78u2 - ok
    08:45:18.0685 3536 aic78xx - ok
    08:45:18.0886 3536 AliIde - ok
    08:45:18.0906 3536 amsint - ok
    08:45:18.0996 3536 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    08:45:18.0996 3536 Arp1394 - ok
    08:45:19.0176 3536 asc - ok
    08:45:19.0366 3536 asc3350p - ok
    08:45:19.0396 3536 asc3550 - ok
    08:45:19.0487 3536 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\Aspi32.sys
    08:45:19.0487 3536 Aspi32 - ok
    08:45:19.0647 3536 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    08:45:19.0647 3536 AsyncMac - ok
    08:45:19.0897 3536 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    08:45:19.0897 3536 atapi - ok
    08:45:20.0108 3536 Atdisk - ok
    08:45:20.0448 3536 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    08:45:20.0458 3536 Atmarpc - ok
    08:45:20.0678 3536 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    08:45:20.0678 3536 audstub - ok
    08:45:20.0899 3536 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    08:45:20.0909 3536 Beep - ok
    08:45:21.0169 3536 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    08:45:21.0179 3536 cbidf2k - ok
    08:45:21.0419 3536 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    08:45:21.0419 3536 CCDECODE - ok
    08:45:21.0580 3536 cd20xrnt - ok
    08:45:21.0680 3536 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    08:45:21.0690 3536 Cdaudio - ok
    08:45:21.0860 3536 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    08:45:21.0880 3536 Cdfs - ok
    08:45:22.0080 3536 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    08:45:22.0090 3536 Cdrom - ok
    08:45:22.0351 3536 Changer - ok
    08:45:22.0441 3536 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    08:45:22.0441 3536 CmBatt - ok
    08:45:22.0581 3536 CmdIde - ok
    08:45:22.0711 3536 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    08:45:22.0711 3536 Compbatt - ok
    08:45:22.0791 3536 Cpqarray - ok
    08:45:22.0932 3536 dac2w2k - ok
    08:45:22.0992 3536 dac960nt - ok
    08:45:23.0122 3536 Disk (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
    08:45:23.0152 3536 Disk - ok
    08:45:23.0492 3536 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    08:45:23.0532 3536 dmboot - ok
    08:45:23.0733 3536 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    08:45:23.0743 3536 dmio - ok
    08:45:23.0943 3536 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    08:45:23.0953 3536 dmload - ok
    08:45:24.0173 3536 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    08:45:24.0203 3536 DMusic - ok
    08:45:24.0364 3536 dpti2o - ok
    08:45:24.0434 3536 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    08:45:24.0444 3536 drmkaud - ok
    08:45:24.0674 3536 exFat (4d893323dae445e34a4c9038b0551bc9) C:\WINDOWS\system32\drivers\exFat.sys
    08:45:24.0684 3536 exFat - ok
    08:45:24.0884 3536 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    08:45:24.0884 3536 Fastfat - ok
    08:45:25.0085 3536 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    08:45:25.0095 3536 Fdc - ok
    08:45:25.0445 3536 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    08:45:25.0445 3536 Fips - ok
    08:45:25.0625 3536 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    08:45:25.0635 3536 Flpydisk - ok
    08:45:25.0856 3536 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    08:45:25.0866 3536 FltMgr - ok
    08:45:26.0076 3536 Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    08:45:26.0076 3536 Fs_Rec - ok
    08:45:26.0477 3536 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    08:45:26.0487 3536 Ftdisk - ok
    08:45:26.0777 3536 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    08:45:26.0777 3536 Gpc - ok
    08:45:26.0967 3536 hpn - ok
    08:45:27.0118 3536 HTTP (937031c085718c1c04a9c0864625ec6b) C:\WINDOWS\system32\Drivers\HTTP.sys
    08:45:27.0128 3536 HTTP - ok
    08:45:27.0338 3536 i2omgmt - ok
    08:45:27.0488 3536 i2omp - ok
    08:45:27.0598 3536 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    08:45:27.0598 3536 i8042prt - ok
    08:45:27.0809 3536 ialm (1b49ec451363cbbf8d0549d4fd78072c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    08:45:27.0819 3536 ialm - ok
    08:45:28.0039 3536 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    08:45:28.0039 3536 Imapi - ok
    08:45:28.0620 3536 ini910u - ok
    08:45:28.0850 3536 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    08:45:28.0850 3536 IntelIde - ok
    08:45:29.0040 3536 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    08:45:29.0050 3536 intelppm - ok
    08:45:29.0471 3536 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    08:45:29.0481 3536 Ip6Fw - ok
    08:45:29.0691 3536 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    08:45:29.0691 3536 IpFilterDriver - ok
    08:45:29.0922 3536 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    08:45:29.0922 3536 IpInIp - ok
    08:45:30.0162 3536 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    08:45:30.0162 3536 IpNat - ok
    08:45:30.0763 3536 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    08:45:30.0763 3536 IPSec - ok
    08:45:30.0983 3536 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
    08:45:30.0993 3536 irda - ok
    08:45:31.0213 3536 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    08:45:31.0223 3536 IRENUM - ok
    08:45:31.0494 3536 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    08:45:31.0504 3536 isapnp - ok
    08:45:31.0794 3536 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    08:45:31.0794 3536 Kbdclass - ok
    08:45:31.0995 3536 kl1 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\kl1.sys
    08:45:32.0005 3536 kl1 - ok
    08:45:32.0335 3536 KLIF (a11c971434468fa05815eec8228d63fd) C:\WINDOWS\system32\DRIVERS\klif.sys
    08:45:32.0345 3536 KLIF - ok
    08:45:32.0535 3536 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    08:45:32.0545 3536 kmixer - ok
    08:45:32.0806 3536 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
    08:45:32.0816 3536 KSecDD - ok
    08:45:32.0996 3536 lbrtfdc - ok
    08:45:33.0216 3536 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    08:45:33.0226 3536 mnmdd - ok
    08:45:33.0607 3536 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    08:45:33.0607 3536 Modem - ok
    08:45:33.0877 3536 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    08:45:33.0887 3536 Mouclass - ok
    08:45:34.0118 3536 MountMgr (1a1faa5102466f418494e94ff9b0b091) C:\WINDOWS\system32\drivers\MountMgr.sys
    08:45:34.0118 3536 MountMgr - ok
    08:45:34.0378 3536 mraid35x - ok
    08:45:34.0488 3536 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
    08:45:34.0488 3536 MREMP50 - ok
    08:45:34.0528 3536 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    08:45:34.0528 3536 MRESP50 - ok
    08:45:34.0769 3536 MRxDAV (4fefd389d71126ee581b9f9cb2918be4) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    08:45:34.0769 3536 MRxDAV - ok
    08:45:34.0999 3536 MRxSmb (fb2fccc70f7174c7bf64f48e96d3adf4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    08:45:35.0019 3536 MRxSmb - ok
    08:45:35.0219 3536 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    08:45:35.0229 3536 Msfs - ok
    08:45:35.0420 3536 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    08:45:35.0420 3536 MSKSSRV - ok
    08:45:35.0530 3536 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    08:45:35.0530 3536 MSPCLOCK - ok
    08:45:35.0660 3536 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    08:45:35.0660 3536 MSPQM - ok
    08:45:35.0820 3536 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    08:45:35.0820 3536 mssmbios - ok
    08:45:36.0040 3536 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    08:45:36.0040 3536 MSTEE - ok
    08:45:36.0321 3536 Mup (f7b1ad991491f02af6da70b00b8bf114) C:\WINDOWS\system32\drivers\Mup.sys
    08:45:36.0321 3536 Mup - ok
    08:45:36.0531 3536 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    08:45:36.0531 3536 NABTSFEC - ok
    08:45:36.0852 3536 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    08:45:36.0862 3536 NDIS - ok
    08:45:37.0062 3536 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    08:45:37.0062 3536 NdisIP - ok
    08:45:37.0412 3536 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    08:45:37.0412 3536 NdisTapi - ok
    08:45:37.0753 3536 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    08:45:37.0753 3536 Ndisuio - ok
    08:45:37.0983 3536 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    08:45:37.0993 3536 NdisWan - ok
    08:45:38.0224 3536 NDProxy (816460bd4b4acd27937d1d0813e2e9e9) C:\WINDOWS\system32\drivers\NDProxy.sys
    08:45:38.0244 3536 NDProxy - ok
    08:45:38.0584 3536 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    08:45:38.0584 3536 NetBIOS - ok
    08:45:38.0844 3536 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    08:45:38.0854 3536 NetBT - ok
    08:45:39.0105 3536 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    08:45:39.0115 3536 NIC1394 - ok
    08:45:39.0335 3536 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    08:45:39.0345 3536 Npfs - ok
    08:45:39.0606 3536 Ntfs (4c51d5275ae8a16999edfe7e647d00de) C:\WINDOWS\system32\drivers\Ntfs.sys
    08:45:39.0626 3536 Ntfs - ok
    08:45:39.0816 3536 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    08:45:39.0836 3536 Null - ok
    08:45:40.0046 3536 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    08:45:40.0056 3536 NwlnkFlt - ok
    08:45:40.0317 3536 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    08:45:40.0337 3536 NwlnkFwd - ok
    08:45:40.0577 3536 ohci1394 (2553f7c60b8d291b5a812245e6d4da6e) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    08:45:40.0577 3536 ohci1394 - ok
    08:45:40.0857 3536 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    08:45:40.0877 3536 Parport - ok
    08:45:41.0098 3536 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    08:45:41.0108 3536 PartMgr - ok
    08:45:41.0418 3536 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    08:45:41.0418 3536 ParVdm - ok
    08:45:41.0648 3536 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    08:45:41.0658 3536 PCI - ok
    08:45:41.0909 3536 PCIDump - ok
    08:45:42.0059 3536 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    08:45:42.0059 3536 PCIIde - ok
    08:45:42.0189 3536 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    08:45:42.0199 3536 Pcmcia - ok
    08:45:42.0430 3536 PDCOMP - ok
    08:45:42.0510 3536 PDFRAME - ok
    08:45:42.0650 3536 PDRELI - ok
    08:45:42.0810 3536 PDRFRAME - ok
    08:45:42.0840 3536 perc2 - ok
    08:45:42.0860 3536 perc2hib - ok
    08:45:43.0161 3536 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    08:45:43.0161 3536 PptpMiniport - ok
    08:45:43.0471 3536 PSched (d8e11d311785f89f1d70a28b0e879127) C:\WINDOWS\system32\DRIVERS\psched.sys
    08:45:43.0481 3536 PSched - ok
    08:45:43.0611 3536 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    08:45:43.0621 3536 Ptilink - ok
    08:45:43.0731 3536 PxHelp20 (42d4c34300405d9f377e55f5ddadd720) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
    08:45:43.0741 3536 PxHelp20 - ok
    08:45:43.0912 3536 ql1080 - ok
    08:45:43.0962 3536 Ql10wnt - ok
    08:45:43.0992 3536 ql12160 - ok
    08:45:44.0022 3536 ql1240 - ok
    08:45:44.0052 3536 ql1280 - ok
    08:45:44.0102 3536 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    08:45:44.0102 3536 RasAcd - ok
    08:45:44.0523 3536 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
    08:45:44.0533 3536 Rasirda - ok
    08:45:44.0713 3536 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    08:45:44.0723 3536 Rasl2tp - ok
    08:45:44.0943 3536 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    08:45:44.0973 3536 RasPppoe - ok
    08:45:45.0194 3536 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    08:45:45.0204 3536 Raspti - ok
    08:45:45.0624 3536 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    08:45:45.0634 3536 Rdbss - ok
    08:45:45.0824 3536 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    08:45:45.0824 3536 RDPCDD - ok
    08:45:45.0965 3536 rdpdr (47ea20320e3d6fdc7b7bb22b2b881ca6) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    08:45:45.0985 3536 rdpdr - ok
    08:45:46.0105 3536 RDPWD (3348e61a78ba4f79c795aad6565d3b6f) C:\WINDOWS\system32\drivers\RDPWD.sys
    08:45:46.0115 3536 RDPWD - ok
    08:45:46.0405 3536 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    08:45:46.0415 3536 redbook - ok
    08:45:46.0666 3536 RTL8023xp (cf84b1f0e8b14d4120aaf9cf35cbb265) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
    08:45:46.0676 3536 RTL8023xp - ok
    08:45:46.0936 3536 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    08:45:46.0936 3536 Secdrv - ok
    08:45:47.0186 3536 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    08:45:47.0186 3536 serenum - ok
    08:45:47.0487 3536 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    08:45:47.0487 3536 Serial - ok
    08:45:47.0707 3536 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    08:45:47.0707 3536 Sfloppy - ok
    08:45:47.0948 3536 Si3112 (f459dd5ee69d4b68cb6767c9731b5faf) C:\WINDOWS\system32\drivers\Si3112.sys
    08:45:47.0958 3536 Si3112 - ok
    08:45:48.0148 3536 Simbad - ok
    08:45:48.0418 3536 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    08:45:48.0418 3536 SLIP - ok
    08:45:48.0709 3536 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
    08:45:48.0719 3536 SMCIRDA - ok
    08:45:48.0889 3536 Sparrow - ok
    08:45:49.0119 3536 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    08:45:49.0119 3536 splitter - ok
    08:45:49.0560 3536 sptd (ca9a2690a2b53662565654b48f7ae68f) C:\WINDOWS\System32\Drivers\sptd.sys
    08:45:49.0560 3536 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\sptd.sys. md5: ca9a2690a2b53662565654b48f7ae68f
    08:45:49.0570 3536 sptd ( LockedFile.Multi.Generic ) - warning
    08:45:49.0570 3536 sptd - detected LockedFile.Multi.Generic (1)
    08:45:49.0810 3536 Sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    08:45:49.0820 3536 Sr - ok
    08:45:50.0101 3536 Srv (9b390283569ea58d43d2586032b892f5) C:\WINDOWS\system32\DRIVERS\srv.sys
    08:45:50.0121 3536 Srv - ok
    08:45:50.0401 3536 STAC97 (94958b68384bb931f571cd35bb65028d) C:\WINDOWS\system32\drivers\STAC97.sys
    08:45:50.0411 3536 STAC97 - ok
    08:45:50.0641 3536 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    08:45:50.0651 3536 streamip - ok
    08:45:50.0862 3536 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    08:45:50.0872 3536 swenum - ok
    08:45:51.0142 3536 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    08:45:51.0142 3536 swmidi - ok
    08:45:51.0453 3536 symc810 - ok
    08:45:51.0543 3536 symc8xx - ok
    08:45:51.0653 3536 sym_hi - ok
    08:45:51.0863 3536 sym_u3 - ok
    08:45:52.0003 3536 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    08:45:52.0003 3536 sysaudio - ok
    08:45:52.0364 3536 Tcpip (474d3dccb57defcd917311eec47204b9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    08:45:52.0384 3536 Tcpip - ok
    08:45:52.0564 3536 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    08:45:52.0564 3536 TDPIPE - ok
    08:45:52.0744 3536 TDTCP (c0578456f29e5f26285f81b7b71fe57d) C:\WINDOWS\system32\drivers\TDTCP.sys
    08:45:52.0744 3536 TDTCP - ok
    08:45:52.0995 3536 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    08:45:53.0005 3536 TermDD - ok
    08:45:53.0205 3536 TosIde - ok
    08:45:53.0546 3536 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    08:45:53.0566 3536 Udfs - ok
    08:45:53.0716 3536 ultra - ok
    08:45:53.0816 3536 UnlockerDriver5 (bb879dcfd22926efbeb3298129898cbb) C:\Program Files\Unlocker\UnlockerDriver5.sys
    08:45:53.0816 3536 UnlockerDriver5 - ok
    08:45:54.0046 3536 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    08:45:54.0066 3536 Update - ok
    08:45:54.0487 3536 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    08:45:54.0487 3536 usbccgp - ok
    08:45:54.0717 3536 usbehci (52674b5dbee499342a599c7771abecaa) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    08:45:54.0717 3536 usbehci - ok
    08:45:54.0948 3536 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    08:45:54.0958 3536 usbhub - ok
    08:45:55.0168 3536 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    08:45:55.0168 3536 usbscan - ok
    08:45:55.0558 3536 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    08:45:55.0558 3536 USBSTOR - ok
    08:45:55.0799 3536 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    08:45:55.0809 3536 usbuhci - ok
    08:45:56.0039 3536 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    08:45:56.0039 3536 usbvideo - ok
    08:45:56.0450 3536 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    08:45:56.0460 3536 VgaSave - ok
    08:45:56.0630 3536 ViaIde - ok
    08:45:56.0960 3536 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    08:45:56.0971 3536 VolSnap - ok
    08:45:57.0141 3536 vsdatant (1045d05bbd5170565927d7653346c961) C:\WINDOWS\system32\vsdatant.sys
    08:45:57.0161 3536 vsdatant - ok
    08:45:57.0712 3536 w70n51 (8e5cf571c00c806ed7c08dbb74356646) C:\WINDOWS\system32\DRIVERS\w70n51.sys
    08:45:57.0732 3536 w70n51 - ok
    08:45:57.0952 3536 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    08:45:57.0962 3536 Wanarp - ok
    08:45:58.0132 3536 WDICA - ok
    08:45:58.0312 3536 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    08:45:58.0312 3536 wdmaud - ok
    08:45:58.0593 3536 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    08:45:58.0593 3536 WSTCODEC - ok
    08:45:58.0793 3536 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    08:45:58.0803 3536 WudfPf - ok
    08:45:59.0023 3536 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    08:45:59.0033 3536 WudfRd - ok
    08:45:59.0364 3536 {6080A529-897E-4629-A488-ABA0C29B635E} (a7ab6e6fcb5d9276160d9998593638e3) C:\WINDOWS\system32\drivers\ialmsbw.sys
    08:45:59.0384 3536 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
    08:45:59.0614 3536 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d9c1c60a4e414052e30dbb2800f0893a) C:\WINDOWS\system32\drivers\ialmkchw.sys
    08:45:59.0634 3536 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
    08:45:59.0664 3536 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
    08:45:59.0684 3536 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
    08:45:59.0684 3536 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
    08:45:59.0704 3536 Boot (0x1200) (ca4c82ff5ce81bf5e3b095fdd0b5f4fa) \Device\Harddisk0\DR0\Partition0
    08:45:59.0704 3536 \Device\Harddisk0\DR0\Partition0 - ok
    08:45:59.0714 3536 ============================================================
    08:45:59.0714 3536 Scan finished
    08:45:59.0714 3536 ============================================================
    08:45:59.0744 3532 Detected object count: 2
    08:45:59.0744 3532 Actual detected object count: 2
    08:48:01.0650 3532 sptd ( LockedFile.Multi.Generic ) - skipped by user
    08:48:01.0650 3532 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
    08:48:01.0680 3532 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    08:48:01.0690 3532 \Device\Harddisk0\DR0 - ok
    08:48:01.0690 3532 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
    08:48:12.0325 2528 Deinitialize success

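As an added example (my own code, not TDSSKiller's and not part of the thread), here is a small Python parser that reads a constructed excerpt of the log above and groups the verdict lines by object. The point it makes for a responder reading such a log: the two "detected objects" are not equal. The entry for sptd.sys is a `warning` from a generic locked-file heuristic (sptd.sys is the SCSI pass-through driver shipped with disc-emulation software and routinely trips that check), while the MBR entry is an `infected` verdict naming a boot rootkit, and only the latter was set to be cured on reboot. The parser also collects the per-driver MD5 values so the list can be compared against a known-good baseline of the same Windows build; the field names and the triage labels are my own.

```python
import re
from collections import OrderedDict

# Constructed sample: a condensed excerpt modelled on the TDSSKiller log in this thread.
SAMPLE_LOG = r"""
08:45:49.0560 3536 sptd (ca9a2690a2b53662565654b48f7ae68f) C:\WINDOWS\System32\Drivers\sptd.sys
08:45:49.0560 3536 Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\sptd.sys. md5: ca9a2690a2b53662565654b48f7ae68f
08:45:49.0570 3536 sptd ( LockedFile.Multi.Generic ) - warning
08:45:49.0570 3536 sptd - detected LockedFile.Multi.Generic (1)
08:45:49.0810 3536 Sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
08:45:49.0820 3536 Sr - ok
08:45:59.0664 3536 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
08:45:59.0684 3536 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
08:45:59.0684 3536 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
08:45:59.0704 3536 Boot (0x1200) (ca4c82ff5ce81bf5e3b095fdd0b5f4fa) \Device\Harddisk0\DR0\Partition0
08:45:59.0704 3536 \Device\Harddisk0\DR0\Partition0 - ok
08:45:59.0744 3532 Detected object count: 2
08:45:59.0744 3532 Actual detected object count: 2
08:48:01.0650 3532 sptd ( LockedFile.Multi.Generic ) - skipped by user
08:48:01.0650 3532 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
08:48:01.0680 3532 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
08:48:01.0690 3532 \Device\Harddisk0\DR0 - ok
08:48:01.0690 3532 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
"""

# Every line starts with a timestamp and a thread id; the patterns below are my own
# reading of the format as it appears in the posted log.
PREFIX = r'^\d\d:\d\d:\d\d\.\d+\s+\d+\s+'
VERDICT_RE = re.compile(PREFIX + r'(?P<obj>.+?) \( (?P<det>[^()]+) \) - (?P<status>.+)$')
HASH_RE = re.compile(PREFIX + r'(?P<obj>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$')
COUNT_RE = re.compile(PREFIX + r'Detected object count: (?P<n>\d+)$')


def parse_tdsskiller(text):
    """Group verdict lines by object, record the user's action, collect MD5s."""
    objects, hashes, declared = OrderedDict(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            declared = int(m["n"])
            continue
        m = VERDICT_RE.match(line)
        if m:
            rec = objects.setdefault(m["obj"], {"detection": m["det"], "verdict": None,
                                                "action": None, "pending_reboot": False})
            status = m["status"]
            if status in ("infected", "warning"):       # the two verdicts seen in this log
                rec["verdict"] = status
            elif status.startswith("User select action: "):
                rec["action"] = status.split(": ", 1)[1]
            elif "reboot" in status:                    # "will be cured on reboot"
                rec["pending_reboot"] = True
            continue
        m = HASH_RE.match(line)
        if m:                                           # driver / MBR / boot-sector hashes
            hashes[m["obj"]] = (m["md5"], m["path"])
    return {"objects": objects, "hashes": hashes, "declared_count": declared}


def triage(report):
    """Separate real verdicts from heuristic warnings and check nothing was left unhandled."""
    objs = report["objects"]
    malicious = [n for n, o in objs.items() if o["verdict"] == "infected"]
    return {
        "malicious": malicious,
        "review": [n for n, o in objs.items() if o["verdict"] == "warning"],
        "unresolved": [n for n in malicious if objs[n]["action"] != "Cure"],
        "pending_reboot": [n for n, o in objs.items() if o["pending_reboot"]],
        "declared_count_matches": report["declared_count"] in (None, len(objs)),
    }


if __name__ == "__main__":
    summary = triage(parse_tdsskiller(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run on the excerpt, `triage` reports one malicious object (the MBR of `\Device\Harddisk0\DR0`, with a reboot pending), one warning to review (sptd), nothing unresolved, and a declared count that matches the objects actually parsed. A count mismatch or a non-empty `unresolved` list is the signal that the log needs a closer read before moving on.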
  4. #4
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Looks like your hard disk is infected, possibly the Master Boot Record. What you have is fairly new and appears to cause some damage upon its removal.

    See if you can run this program, you can download it via a known clean computer and transfer by disk to the infected one.

    Just want to point out also that this is a very serious infection. Even when it's cleaned it could leave your computer compromised; what that means is it can never be trusted to do any online transactions. I would strongly suggest that you reformat this drive and reinstall Windows.


    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    • See this Link for programs that need to be disabled and instruction on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #5
    Member
    Join Date
    Apr 2008
    Posts
    82

    Default

    Did as instructed, back on the infected machine now. Boot was normal, can access files on the HD. Here's the ComboFix txt log:

    ComboFix 12-01-19.01 - Administrator 01/19/2012 12:11:26.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.640 [GMT -6:00]
    Running from: E:\ComboFix.exe


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\Administrator\Desktop\System Check.lnk
    C:\Documents and Settings\Administrator\Start Menu\Programs\System Check
    C:\Documents and Settings\Administrator\Start Menu\Programs\System Check\System Check.lnk
    C:\Documents and Settings\Administrator\Start Menu\Programs\System Check\Uninstall System Check.lnk
    C:\Documents and Settings\All Users\Application Data\~CI7L91pcnJdaiT
    C:\Documents and Settings\All Users\Application Data\~CI7L91pcnJdaiTr
    C:\Documents and Settings\All Users\Application Data\CI7L91pcnJdaiT
    C:\Documents and Settings\All Users\Application Data\CI7L91pcnJdaiT.exe
    C:\Documents and Settings\All Users\Application Data\QimMTimICgL.exe
    C:\Program Files\Toolbar


    ((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))


    2012-01-12 03:19:24 . 2012-01-12 03:19:34 -------- d--h--w- C:\Program Files\ERUNT
    2012-01-12 00:54:33 . 2012-01-19 14:30:05 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Norton
    2012-01-10 04:10:16 . 2012-01-10 04:10:16 -------- d--h--w- C:\WINDOWS\Options
    2012-01-10 03:07:09 . 2012-01-12 00:41:30 -------- d--h--w- C:\Program Files\CheckPoint
    2012-01-10 01:13:58 . 2012-01-10 01:13:58 -------- d--h--w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2012-01-10 01:13:33 . 2012-01-10 01:13:33 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2012-01-10 01:13:23 . 2011-12-10 21:24:06 20464 ---ha-w- C:\WINDOWS\system32\drivers\mbam.sys
    2012-01-10 01:13:20 . 2012-01-10 01:13:46 -------- d--h--w- C:\Program Files\Malwarebytes' Anti-Malware
    2012-01-07 18:17:40 . 2012-01-07 18:17:40 -------- d-sh--w- C:\Documents and Settings\LocalService\IETldCache
    2012-01-07 03:00:49 . 2012-01-10 02:27:37 -------- d--h--w- C:\WINDOWS\Sun
    2012-01-04 01:11:52 . 2012-01-04 16:52:55 -------- d--h--w- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2012-01-04 01:06:37 . 2012-01-04 01:06:37 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2012-01-04 01:06:04 . 2012-01-04 01:06:04 -------- d--h--w- C:\Program Files\Common Files\Apple
    2012-01-04 01:05:44 . 2012-01-04 01:05:44 -------- d--h--w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple
    2012-01-04 01:05:38 . 2012-01-04 01:05:39 -------- d--h--w- C:\Program Files\Apple Software Update
    2012-01-04 01:05:38 . 2012-01-04 01:05:38 -------- d--h--w- C:\Documents and Settings\All Users\Application Data\Apple
    2012-01-04 01:05:11 . 2012-01-04 01:05:11 -------- d--h--w- C:\Documents and Settings\Administrator\Local Settings\Application Data\Apple Computer
    2012-01-04 00:14:05 . 2012-01-04 00:14:05 -------- d--h--w- C:\Documents and Settings\Administrator\Application Data\vlc
    2012-01-04 00:05:53 . 2012-01-04 00:22:39 -------- d--h--w- C:\Program Files\VideoLAN
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-12-28 23:37:14 . 2011-06-02 15:24:06 414368 ---ha-w- C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
    2011-11-23 13:29:56 . 2010-12-31 12:14:45 1868544 ---ha-w- C:\WINDOWS\system32\win32k.sys
    2011-11-04 19:19:40 . 2011-04-10 17:19:32 1469440 ---ha-w- C:\WINDOWS\system32\inetcpl.cpl
    2011-11-04 19:19:40 . 2010-12-20 22:58:53 919552 ---ha-w- C:\WINDOWS\system32\wininet.dll
    2011-11-04 19:19:40 . 2010-12-20 22:58:52 43520 ---ha-w- C:\WINDOWS\system32\licmgr10.dll
    2011-11-01 16:05:38 . 2010-07-16 11:04:26 1289216 ---ha-w- C:\WINDOWS\system32\ole32.dll
    2011-10-28 05:31:00 . 2010-12-09 13:29:00 33280 ---ha-w- C:\WINDOWS\system32\csrsrv.dll
    2011-10-26 00:22:34 . 2010-12-10 01:39:28 2069376 ---ha-w- C:\WINDOWS\system32\ntkrnlpa.exe
    2011-10-25 13:34:49 . 2010-12-09 12:43:18 2192768 ---ha-w- C:\WINDOWS\system32\ntoskrnl.exe
    2011-10-25 12:01:01 . 2010-12-20 11:29:19 385024 ---ha-w- C:\WINDOWS\system32\html.iec
    2011-10-24 20:29:02 . 2011-10-24 20:29:02 94208 ---ha-w- C:\WINDOWS\system32\QuickTimeVR.qtx
    2011-10-24 20:29:02 . 2011-10-24 20:29:02 69632 ---ha-w- C:\WINDOWS\system32\QuickTime.qts
    2011-11-24 02:12:46 . 2011-04-12 22:46:38 134104 ---ha-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.

    [-] 2011-03-09 07:29:49 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009 (xpsp_sp3_qfe.100708-1621)] . . C:\WINDOWS\system32\drivers\tcpip.sys
    [7] 2008-06-20 11:59:02 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625 (xpsp_sp3_qfe.080620-1309)] . . C:\WINDOWS\system32\dllcache\tcpip.sys



    C:\WINDOWS\System32\spoolsv.exe ... is missing !!
    C:\WINDOWS\System32\wscntfy.exe ... is missing !!

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2011-10-13 14:27:14 17351304]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-05-29 09:14:24 114688]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-16 22:39:40 1037192]
    "IJNetworkScanUtility"="C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 06:11:28 206240]
    "Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 17:55:28 937920]
    "Drag'n Drop CD"="C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-08-22 19:36:18 802816]
    "ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 01:29:26 40960]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 17:53:08 2567272]
    "APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 13:22:28 59240]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2011-10-24 20:28:52 421888]
    "AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 04:17:54 87751]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="ctfmon.exe" [2008-04-14 11:00:00 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2009-03-07 19:32:48 128512]

    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
    ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoResolveTrack"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)
    "NoResolveTrack"= 1 (0x1)
    "NoRecentDocsNetHood"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, credssp.dll, digest.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

    R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;C:\WINDOWS\System32\svchost.exe -k nosGetPlusHelper [4/14/2008 5:00:00 AM 14336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

    Contents of the 'Scheduled Tasks' folder

    2012-01-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57:16 . 2011-06-01 23:57:16]


    ------- Supplementary Scan -------

    uStart Page = hxxp://www.prisonplanet.com/
    uDefault_Search_URL = hxxp://www.google.com/
    TCP: DhcpNameServer = 192.168.1.1 67.142.160.8 67.142.160.9
    FF - ProfilePath - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yy1hez6e.default\
    FF - prefs.js: browser.startup.homepage - hxxp://prisonplanet.tv/

    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-ZoneAlarm Installer - C:\Program Files\CheckPoint\Install\Launcher.exe
    HKLM-Run-QimMTimICgL.exe - C:\Documents and Settings\All Users\Application Data\QimMTimICgL.exe
    HKU-Default-Run-IDMan - C:\Program Files\Internet Download Manager\IDMan.exe
    AddRemove-File Download ActiveX - C:\WINDOWS\system32\uninst.exe

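As an added example (my own code, not ComboFix's and not part of the thread), the following Python script reads a constructed excerpt of the ComboFix log above and pulls out the items a responder would check first: the two system binaries reported missing, the Security Center override values, the disabled Windows Firewall policy, the orphaned Run entry that pointed into All Users\Application Data, and the tcpip.sys hash difference between the live driver and the dllcache copy. The severity labels and the list of user-writable locations are my own heuristics. Each is a review item rather than a verdict: the override values and a disabled built-in firewall are commonly set by third-party security products (ZoneAlarm is present in this log) and sometimes by malware, and the tcpip.sys mismatch is consistent with the live file simply being a newer hotfix, as the two version strings show.

```python
import re
from collections import defaultdict

# Constructed sample: selected lines modelled on the ComboFix log in this thread.
SAMPLE_CF = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[-] 2011-03-09 07:29:49 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009 (xpsp_sp3_qfe.100708-1621)] . . C:\WINDOWS\system32\drivers\tcpip.sys
[7] 2008-06-20 11:59:02 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625 (xpsp_sp3_qfe.080620-1309)] . . C:\WINDOWS\system32\dllcache\tcpip.sys

C:\WINDOWS\System32\spoolsv.exe ... is missing !!
C:\WINDOWS\System32\wscntfy.exe ... is missing !!

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-16 22:39:40 1037192]
"AGRSMMSG"="AGRSMMSG.exe" [2002-11-21 04:17:54 87751]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

- - - - ORPHANS REMOVED - - - -

HKLM-Run-QimMTimICgL.exe - C:\Documents and Settings\All Users\Application Data\QimMTimICgL.exe
HKU-Default-Run-IDMan - C:\Program Files\Internet Download Manager\IDMan.exe
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+)$')
MISSING_RE = re.compile(r'^(?P<path>.+?) \.\.\. is missing !!$')
SIGCHECK_RE = re.compile(r'^\[(?P<flag>[^\]]+)\] .*\b(?P<md5>[0-9A-F]{32})\b.*'
                         r'\[(?P<ver>\d+(?:\.\d+){3}).*\. (?P<path>[A-Za-z]:\\.+)$')
ORPHAN_RE = re.compile(r'^(?P<entry>HK\w+-\w+-\S+) - (?P<path>.+)$')
# Heuristic (mine): autorun entries launched from these locations deserve a look.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\windows\\temp\\")


def check_value(section, name, value):
    """Flag weakened-security registry values inside a REGEDIT4 section."""
    out = []
    if section.endswith("\\security center") and name in ("AntiVirusOverride", "FirewallOverride"):
        if value.endswith("1"):                     # dword:00000001 suppresses the alert
            out.append(("medium", "Security Center warning suppressed", name))
    elif section.endswith("\\firewallpolicy\\standardprofile") and name == "EnableFirewall":
        if value.startswith("0"):
            out.append(("medium", "Windows Firewall disabled", f"{name}={value}"))
    elif section.endswith("\\currentversion\\run"):
        if any(loc in value.lower() for loc in USER_WRITABLE):
            out.append(("medium", "autorun from user-writable location", f"{name}={value}"))
    return out


def parse_combofix(text):
    """Return (severity, kind, detail) findings from a ComboFix log excerpt."""
    findings, sig = [], defaultdict(list)           # sig: basename -> [(flag, md5, ver, path)]
    section, in_orphans = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "ORPHANS REMOVED" in line:
            in_orphans, section = True, None
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(("high", "missing system file", m["path"]))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["key"].lower()
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            sig[m["path"].rsplit("\\", 1)[-1].lower()].append((m["flag"], m["md5"], m["ver"], m["path"]))
            continue
        m = VALUE_RE.match(line)
        if m and section:
            findings.extend(check_value(section, m["name"], m["value"]))
            continue
        m = ORPHAN_RE.match(line) if in_orphans else None
        if m and any(loc in m["path"].lower() for loc in USER_WRITABLE):
            findings.append(("medium", "autorun from user-writable location", f'{m["entry"]} -> {m["path"]}'))
    # Compare the live copy of each checked file with its dllcache copy by MD5.
    for name, entries in sig.items():
        live = [e for e in entries if "\\dllcache\\" not in e[3].lower()]
        cache = [e for e in entries if "\\dllcache\\" in e[3].lower()]
        if live and cache and live[0][1] != cache[0][1]:
            findings.append(("info", "live copy differs from dllcache copy",
                             f"{name}: {live[0][2]} (flag {live[0][0]}) vs dllcache {cache[0][2]}"))
    return findings


if __name__ == "__main__":
    for severity, kind, detail in parse_combofix(SAMPLE_CF):
        print(f"[{severity}] {kind}: {detail}")
```

The missing spoolsv.exe and wscntfy.exe are rated highest because a boot rootkit that has replaced or removed system binaries is exactly what the expert's earlier reply warns about, and it is also why the next post asks SystemLook to search for those two names. Everything else the script reports is context to weigh against the software known to be installed.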
  6. #6
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Great,

    We have some things to fix and I need to go over your CF log real close, in the meantime do this please.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      spoolsv.exe 
      wscntfy.exe
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt




    Please download Malwarebytes from Here or Here

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected .
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
    • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
    Post the report please

  7. #7
    Member
    Join Date
    Apr 2008
    Posts
    82

    Default

    Cannot run System Look. I'm getting an error: Box pops up saying "System Look error, script required"

  8. #8
    Member
    Join Date
    Apr 2008
    Posts
    82

    Default

    Here is Malware scan log:

    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.19.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Administrator :: HASSELCOMPUTER [administrator]

    1/19/2012 1:16:59 PM
    mbam-log-2012-01-19 (13-16-59).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 163739
    Time elapsed: 10 minute(s), 50 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

  9. #9
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Are you entering this script ?

    :filefind
    spoolsv.exe
    wscntfy.exe



    If it still doesn't work, then drag it to the trash and redownload it from the second location.

  10. #10
    Member
    Join Date
    Apr 2008
    Posts
    82

    Default

    No, sorry, I wasn't entering the script.

    Had to reboot, got the "blue" screen. Tried again; Windows loaded, however the virus is back and I began losing control as before.

    Should I run ComboFix again?
