Computer Hope
Software => Computer viruses and spyware => Topic started by: diggerjoy on March 29, 2012, 09:03:36 AM
-
Computer slowed right down yesterday and wasn't working (IE was open). Tried a reboot, got "The application or DLL not valid windows image", then when I tried to open apps got that they aren't valid Win32 apps. Tried reboot. Get one chance to open one app--the only one that will open (after many tries at others) is IE. Then can only open one window, one tab. I've tried reboots. I used F10 and ran the basic test and CPU/memory test (everything passed). I tried a system restore to an earlier point (Mar 9). Nothing helped. Can't open Task Manager with Ctrl-Alt-Del to see what's going on. ZoneAlarm seems stuck in a scan. I can't run CCleaner, Malwarebytes, nothing. (I was able to right-click Spybot in the tray and select "Exit Spybot Resident", but then couldn't do anything else.) Can't do anything from Control Panel--can open Control Panel, but can't Add/Remove Programs or anything. Can't open new tabs or windows.
Running Windows XP media edition 2005 on HP Pavilion. I have an HP recovery tools CD and 3 recovery disks. Is there any save here? If not, how do I recover--just go to reboot, F10...?? I don't want to logout of CH until I have some idea of what to do because I may not get back on...will keep open...
-
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.
1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.
If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
First of all, please try re-booting your computer. Next, please try running this in Safe Mode with Networking. If it runs, please try to run it in Normal mode.
Here's (http://www.computerhope.com/issues/chsafe.htm) how to get into Safe Mode.
(http://i424.photobucket.com/albums/pp322/digistar/mbamicontw5.gif) Please download Malwarebytes Anti-Malware from here. (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe)
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Full Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- Please save the log to a location you will remember.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
-
hi superdave,
You helped me once before about 2 years ago. At that time you directed me to the file on removing malware, and the steps included using CCleaner, SUPERAntiSpyware, and then MBAM. It also explained about using safe mode, so I took a chance, shut down and rebooted in safe mode using those instructions, and since things seemed to be working better (I could actually open Word, IE, WE, etc.) I started the process--I ran CCleaner, and have SAS in process. It's been running an hour (nothing detected yet) so I figured it was better to keep going with SAS and run MBAM after. Is that OK? I will save the logs. Do you want HijackThis (I have it as sniper on my computer)? I am not using my computer right now other than for the scans; I am using another computer to check with you.
Question: could ZoneAlarm Security Suite be causing this problem? That's the only thing I can think of: maybe ZA ran an update just before things went bad. The only other thing I was doing was reading news reports from Yahoo... It seems when I boot in regular mode, I can open something but then ZA starts a scan and just sticks--keeps on scanning. I did have a problem with it freezing up once before (maybe the same time I got your help last time), so it was something I considered. Just something I wanted to throw out there.
I will finish running SAS and MBAM, and will post the logs. Thank you so much for your help!
-
Here are my logs: SAS, MBAM, HijackThis (thank you!)
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/29/2012 at 06:14 PM
Application Version : 4.56.1000
Core Rules Database Version : 6257
Trace Rules Database Version: 4069
Scan type : Complete Scan
Total Scan Time : 02:29:20
Memory items scanned : 268
Memory threats detected : 0
Registry items scanned : 7627
Registry threats detected : 0
File items scanned : 129299
File threats detected : 13
Adware.Tracking Cookie
cdn.tremormedia.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\UU5V5XP8 ]
crackle.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\UU5V5XP8 ]
objects.tremormedia.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\UU5V5XP8 ]
tag.2bluemedia.hiro.tv [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\UU5V5XP8 ]
cdn.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
cdn2.baronsmedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
core.insightexpressai.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
msnbcmedia.msn.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
tag.2bluemedia.hiro.tv [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org
Database version: v2012.03.29.09
Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
HP_Administrator :: HEATHER [administrator]
Protection: Disabled
3/29/2012 6:40:20 PM
mbam-log-2012-03-29 (18-40-20).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 338353
Time elapsed: 56 minute(s), 3 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\35\2c6ddfa3-2adaf9c3 (Trojan.Zbot) -> Quarantined and deleted successfully.
(end)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:55 PM, on 3/29/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = kav.zonealarm.com;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: ActiveGS.cab - http://activegs.freetoolsassociation.com/ActiveGS.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} (IBM Lotus iNotes 8.5 Control) - https://mail.esc.edu/dwa85W.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail.esc.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - https://mail.esc.edu/download/dolcontrol.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} (IBM Lotus iNotes 8.5 Control) - https://mail.esc.edu/dwa85W.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://fowilh.dynalias.com:1258/activex/AMC.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 9922 bytes
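Reading a HijackThis log by eye is the usual approach in threads like this one; the script below is an added editorial example (not part of the thread and not Trend Micro's code) that automates the three mechanical checks a reviewer makes first: O2/O3/O9 entries whose DLL no longer exists, O4 Run values that name an executable without a path, and O16 ActiveX (DPF) downloads served from dynamic-DNS hosts or non-standard ports. The sample lines are a few entries copied from the HijackThis log above; the heuristics and the dynamic-DNS suffix list are this example's assumptions, and a hit is a place to look, not a verdict.

```python
"""Triage a HijackThis 2.0.x log for the entries a reviewer looks at first.

Added editorial example: not part of the thread and not Trend Micro code. The
sample lines are copied from the log posted in the thread, trimmed to a few
entries. The three heuristics (orphaned CLSIDs, path-less Run commands, ActiveX
cabs from dynamic-DNS hosts or non-standard ports) and the dynamic-DNS suffix
list are this example's assumptions; a hit means "look here", not "malicious".
"""
import re
from urllib.parse import urlsplit

SAMPLE_HJT = """\
O2 - BHO: (no name) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - (no file)
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\\Program Files\\Microsoft\\BingBar\\BingExt.dll" (file missing)
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\\Program Files\\WOT\\WOT.dll
O4 - HKLM\\..\\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\\..\\Run: [ZoneAlarm] "C:\\Program Files\\CheckPoint\\ZoneAlarm\\zatray.exe"
O4 - HKCU\\..\\Run: [updateMgr] "C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://fowilh.dynalias.com:1258/activex/AMC.cab
O16 - DPF: ActiveGS.cab - http://activegs.freetoolsassociation.com/ActiveGS.cab
"""

# Registry entries (BHOs, toolbars, IE buttons) whose DLL is gone: harmless by
# themselves, but they show what was removed or only half-uninstalled.
ORPHAN_RE = re.compile(r"^O(?:2|3|9) - .*\((?:no file|file missing)\)$")
# Run-key value: "[name] command line".
O4_RE = re.compile(r"^O4 - [^:]+: \[[^\]]*\] (.+)$")
# Downloaded Program Files (ActiveX) entry: the last " - " precedes the URL.
O16_RE = re.compile(r"^O16 - DPF: .+ - (https?://\S+)$")
# Assumed list of dynamic-DNS parent domains; extend it for your environment.
DYNDNS_SUFFIXES = (".dynalias.com", ".dyndns.org", ".no-ip.org", ".no-ip.com")


def exe_of(command):
    """First token of a Run command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def triage_hjt(text):
    """Return (rule, line) pairs for every line a heuristic fires on."""
    findings = []
    for line in text.splitlines():
        if ORPHAN_RE.match(line):
            findings.append(("orphaned-clsid", line))
            continue
        m = O4_RE.match(line)
        if m:
            # No directory separator: the loader resolves the name through the
            # search path at logon, so a writable directory on that path could
            # supply a different binary of the same name.
            if "\\" not in exe_of(m.group(1)):
                findings.append(("pathless-run", line))
            continue
        m = O16_RE.match(line)
        if m:
            url = urlsplit(m.group(1))
            host = (url.hostname or "").lower()
            if url.port not in (None, 80, 443):
                findings.append(("dpf-nonstandard-port", line))
            if host.endswith(DYNDNS_SUFFIXES):
                findings.append(("dpf-dynamic-dns", line))
    return findings


def flagged_lines(text):
    """Distinct log lines that at least one rule flagged."""
    return sorted({line for _, line in triage_hjt(text)})


if __name__ == "__main__":
    for rule, line in triage_hjt(SAMPLE_HJT):
        print(f"{rule:22s} {line}")
```

Run it as a script to see the rule fired per line, or call triage_hjt() on a pasted log. The orphan rule only confirms that cleanup is pending; the path-less Run and the DPF rules are the ones that turn into questions for the person who owns the machine (what installed this, and from where).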
-
could ZoneAlarm Security Suite be causing this problem? That's the only thing I can think of: maybe ZA ran an update just before things went bad.
I really doubt it but we'll know more after some more scans.
Please download aswMBR.exe (http://public.avast.com/%7Egmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
(http://i424.photobucket.com/albums/pp322/digistar/aswMBR_Scan.jpg)
Click the "Scan" button to start scan
Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives
(http://i424.photobucket.com/albums/pp322/digistar/aswMBR_SaveLog.png)
On completion of the scan click save log, save it to your desktop and post in your next reply.
*********************************************************
Download Combofix from any of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
To prevent your anti-virus application interfering with ComboFix we need to disable it. See here (http://www.pchelpforum.com/anti-virus/110194-how-disable-your-security-applications-4.html) for a tutorial regarding how to do so if you are unsure.
- Close any open windows and double click ComboFix.exe to run it.
You will see the following image:
(http://i424.photobucket.com/albums/pp322/digistar/NSIS_disclaimer_ENG.png)
Click I Agree to start the program.
ComboFix will then extract the necessary files and you will see this:
(http://i424.photobucket.com/albums/pp322/digistar/NSIS_extraction.png)
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.
It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If you did not have it installed, you will see the prompt below. Choose YES.
(http://i424.photobucket.com/albums/pp322/digistar/RcAuto1.gif)
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(http://i424.photobucket.com/albums/pp322/digistar/whatnext.png)
Click on Yes, to continue scanning for malware.
When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
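The rootkit caveat in the aswMBR step above is the part worth automating. aswMBR prints hard findings (known bootkit code recognised in the MBR, or an MBR that differs from what the OS is shown) alongside soft ones (a DriverStartIo hook on a disk driver), and only the former justify acting; a hook line on its own is exactly the kind of entry that turns out to be a legitimate filter driver. ComboFix's log also embeds Gmer's "Stealth MBR rootkit" detector section, which lists hooks with the same address, so a hook reported identically by both tools is a stronger lead than either tool alone. The script below is an added editorial example, not part of this thread and not code from AVAST (aswMBR), Gmer or ComboFix; its sample logs are constructed in those tools' line formats, and its rule labels and the hard/soft split are this example's own assumptions.

```python
"""Triage aswMBR output, plus the Gmer stealth-MBR-detector section ComboFix
appends to its log, for MBR bootkit indicators. Added editorial example: not
part of the thread and not code from AVAST (aswMBR), Gmer or ComboFix. Sample
logs are constructed in the formats those tools emit; rule labels and verdict
thresholds are this example's own assumptions.
"""
import re

# Constructed aswMBR excerpt in the tool's line format (timestamp, message).
SAMPLE_ASWMBR = """\
07:16:25.906 Device \\Driver\\atapi -> DriverStartIo 8620d2c6
07:16:25.953 Disk 0 MBR read successfully
07:16:25.968 Disk 0 MBR scan
07:16:26.000 Disk 0 TDL4@MBR code has been found
07:16:26.015 Disk 0 MBR hidden
07:16:26.078 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 229655 MB offset 63
07:16:26.203 Disk 0 MBR [TDL4] **ROOTKIT**
07:16:26.250 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8620d49f]<<
07:16:27.734 \\Driver\\atapi[0x86275358] -> IRP_MJ_CREATE -> 0x8620d49f
07:16:27.812 Scan finished successfully
"""

# Constructed: a DriverStartIo hook but no MBR finding, the false-positive shape.
SAMPLE_HOOK_ONLY = """\
07:20:01.100 Device \\Driver\\atapi -> DriverStartIo 8a1f0c10
07:20:01.150 Disk 0 MBR read successfully
07:20:01.160 Disk 0 MBR scan
07:20:01.200 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 229655 MB offset 63
07:20:01.400 Scan finished successfully
"""

# Constructed Gmer "Stealth MBR rootkit" section as ComboFix embeds it.
SAMPLE_GMER = """\
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8620D2C6
user & kernel MBR OK
"""

# Hard indicators: aswMBR recognised known bootkit code, or the MBR it reads
# through the driver stack differs from the sectors on disk ("MBR hidden").
HARD_RULES = [
    (re.compile(r"Disk (\d+) (\w+)@MBR code has been found"), "known bootkit code in MBR"),
    (re.compile(r"Disk (\d+) MBR hidden"), "MBR hidden from the OS"),
    (re.compile(r"Disk (\d+) MBR \[(\w+)\] \*\*ROOTKIT\*\*"), "MBR flagged as rootkit"),
]
# Soft indicators: a DriverStartIo hook on a disk driver, or a call trace ending in
# code outside any loaded module. TDL4 does this to atapi, but so do some benign
# encryption/backup filter drivers, hence "review, don't act".
HOOK_RE = re.compile(r"Device (\\Driver\\\w+) -> DriverStartIo ([0-9a-fA-F]+)")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9a-fA-F]+)\]<<")
GMER_HOOK_RE = re.compile(r"^(\\Driver\\\w+) DriverStartIo -> 0x([0-9a-fA-F]+)", re.M)


def triage_aswmbr(text):
    """Return hard findings, DriverStartIo hooks and unknown-code addresses."""
    out = {"hard": [], "hooks": {}, "unknown_code": []}
    for line in text.splitlines():
        for rx, label in HARD_RULES:
            m = rx.search(line)
            if m:
                detail = m.group(2) if m.lastindex >= 2 else ""
                out["hard"].append((int(m.group(1)), label, detail))
        m = HOOK_RE.search(line)
        if m:
            out["hooks"][m.group(1)] = m.group(2).lower()
        m = UNKNOWN_RE.search(line)
        if m:
            out["unknown_code"].append(m.group(1).lower())
    return out

def parse_gmer(text):
    """Hook list, MBR verdict and raw-read error status from Gmer's section."""
    return {
        "hooks": {drv: addr.lower() for drv, addr in GMER_HOOK_RE.findall(text)},
        "mbr_ok": "user & kernel MBR OK" in text,
        "read_error": re.search(r"^error: Read", text, re.M) is not None,
    }

def correlate_hooks(asw_text, gmer_text):
    """Drivers whose DriverStartIo hook address both tools report identically."""
    a = triage_aswmbr(asw_text)["hooks"]
    g = parse_gmer(gmer_text)["hooks"]
    return sorted(d for d in a if g.get(d) == a[d])

def verdict(asw_text):
    """Any hard rule confirms a bootkit; hooks alone only warrant review."""
    t = triage_aswmbr(asw_text)
    if t["hard"]:
        return "CONFIRMED_BOOTKIT"
    if t["hooks"] or t["unknown_code"]:
        return "HOOK_ONLY_REVIEW"
    return "CLEAN"

if __name__ == "__main__":
    print({n: verdict(s) for n, s in (("infected", SAMPLE_ASWMBR), ("hook only", SAMPLE_HOOK_ONLY))})
    print("hook address seen by both tools:", correlate_hooks(SAMPLE_ASWMBR, SAMPLE_GMER))
```

Run it as a script for the two sample verdicts, or pass a pasted log to triage_aswmbr(). Note that the two tools answer different questions about the MBR: Gmer's "user & kernel MBR OK" only says its user-mode and kernel-mode reads agreed, while aswMBR's "MBR hidden" compares what the driver stack returns against the raw sectors, so the two lines can coexist on one machine; the hook address they share, and Gmer's own raw-read error, are the details to carry forward when the tools disagree.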
-
I ran aswMBR and ComboFix. One problem: I disabled TeaTimer and thought ZoneAlarm wasn't running (its icon wasn't in the tray). When I was running ComboFix, however, the icon appeared (I think it was in the 40s). I left everything alone, but everything seemed to stall in stage 48, so I took the chance and right-clicked on ZA and exited. Everything seemed to progress normally after that. I hope I didn't screw anything up; sorry that I didn't realize it must have been booting or something. If I need to run anything again, I will. Neither program caused a reboot. Here are the logs.
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-30 07:00:37
-----------------------------
07:00:37.343 OS Version: Windows 5.1.2600 Service Pack 3
07:00:37.343 Number of processors: 2 586 0x407
07:00:37.343 ComputerName: HEATHER UserName:
07:02:55.578 Initialize success
07:04:41.968 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"
07:16:25.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
07:16:25.890 Disk 0 Vendor: WDC_WD2500JS-60NCB1 10.02E02 Size: 238475MB BusType: 3
07:16:25.906 Device \Driver\atapi -> DriverStartIo 8620d2c6
07:16:25.953 Disk 0 MBR read successfully
07:16:25.968 Disk 0 MBR scan
07:16:26.000 Disk 0 TDL4@MBR code has been found
07:16:26.015 Disk 0 MBR hidden
07:16:26.078 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 229655 MB offset 63
07:16:26.187 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 8809 MB offset 470351070
07:16:26.203 Disk 0 MBR [TDL4] **ROOTKIT**
07:16:26.218 Disk 0 trace - called modules:
07:16:26.250 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8620d49f]<<
07:16:26.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8637aab8]
07:16:27.609 3 CLASSPNP.SYS[f75cffd7] -> nt!IofCallDriver -> \Device\0000006e[0x863dfb58]
07:16:27.671 5 ACPI.sys[f7526620] -> nt!IofCallDriver -> [0x8637fd98]
07:16:27.734 \Driver\atapi[0x86275358] -> IRP_MJ_CREATE -> 0x8620d49f
07:16:27.812 Scan finished successfully
07:17:01.875 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\MBR.dat"
07:17:02.046 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"
ComboFix 12-03-30.06 - HP_Administrator 03/30/2012 9:33.2.2 - x86 NETWORK
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\g2mdlhlpx.exe
c:\documents and settings\HP_Administrator\WebVpnRegKey6-lime-esc-edu.dll
c:\documents and settings\HP_Administrator\WINDOWS
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\etc\lmhosts
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-30 )))))))))))))))))))))))))))))))
.
.
2012-03-23 02:27 . 2012-03-23 02:27 -------- d-----w- c:\program files\Common Files\xing shared
2012-03-23 02:08 . 2012-03-23 02:08 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\RealNetworks
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 12:49 . 2011-05-18 11:55 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-08-09 21:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 21:18 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2004-08-09 21:00 139784 ------w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZon2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-05-09 09:49 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZon2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZon2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZon2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPWebCap"="c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2000-03-01 48128]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-03-23 296056]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-2-16 209016]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-9 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-10-9 27136]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FreeFileViewer\\FFVCheckForUpdates.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 ATMhelpr;ATMhelpr;
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-03-26 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-07-22 67656]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2011-11-03 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2011-11-03 497280]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
R3 pmxscan;Visioneer USB Kernel;c:\windows\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-03-26 12872]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-10-14 11352]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - MDMXSDK
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-03-30 c:\windows\Tasks\Free File Viewer Update Checker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2010-09-27 15:25]
.
2012-03-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3569513725-2765621968-4288608965-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 21:45]
.
2012-03-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3569513725-2765621968-4288608965-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 21:45]
.
2012-03-29 c:\windows\Tasks\User_Feed_Synchronization-{F43CDC39-447B-4420-8864-9FA434243A35}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = kav.zonealarm.com;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mail.esc.edu/dwa85W.cab
DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - hxxps://mail.esc.edu/download/dolcontrol.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://fowilh.dynalias.com:1258/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-30 11:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JS-60NCB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8620D2C6
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\WININET.dll
.
Completion time: 2012-03-30 11:14:55
ComboFix-quarantined-files.txt 2012-03-30 15:14
ComboFix2.txt 2009-12-26 04:54
.
Pre-Run: 153,360,355,328 bytes free
Post-Run: 153,664,700,416 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - D6353CFCD5377E4E1949D4F4D3342133
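A small triage script for the ComboFix log layout shown above, added here as an example and not part of the thread or of any tool it mentions. It parses the service/driver rows (the R/S prefix, start type, file path and size), restores the defanged hxxp:// scheme in the DPF entries so host and port can be split out, lists the rows under the MBR detector's "detected hooks:" heading, and notes whether the detector reported the MBR as OK. The sample is a trimmed copy of lines from the log above; the reading of the prefix (R = running, S = stopped, digit = Windows Start value) is an assumption of this example.

```python
import re
from urllib.parse import urlsplit

# Excerpt copied from the ComboFix log posted in this thread (service lines,
# DPF entries, MBR-detector hook line); only the trimming to a few lines is ours.
SAMPLE_LOG = r"""R1 ATMhelpr;ATMhelpr;
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
R3 pmxscan;Visioneer USB Kernel;c:\windows\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-10-14 11352]
.
uStart Page = hxxp://www.yahoo.com/
DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mail.esc.edu/dwa85W.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://fowilh.dynalias.com:1258/activex/AMC.cab
.
detected hooks:
\Driver\atapi DriverStartIo -> 0x8620D2C6
user & kernel MBR OK
"""

# "R"/"S" = running/stopped, digit = Windows Start value (0 boot .. 4 disabled):
# that reading of the ComboFix prefix is an assumption of this example.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*(?:\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$"
)
DPF_RE = re.compile(r"^DPF: (?P<id>\S+) - (?P<url>\S+)$")
HOOK_RE = re.compile(r"^(?P<object>\\\S+) (?P<routine>\w+) -> (?P<addr>0x[0-9A-Fa-f]+)$")


def parse_services(lines):
    """Service/driver rows; path is None when ComboFix printed no file for the entry."""
    rows = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m:
            rows.append({
                "name": m["name"],
                "running": m["state"] == "R",
                "start": int(m["start"]),
                "path": m["path"] or None,
                "size": int(m["size"]) if m["size"] else None,
            })
    return rows


def parse_dpf(lines):
    """ActiveX download entries with the defanged hxxp scheme restored and host/port split out."""
    out = []
    for line in lines:
        m = DPF_RE.match(line)
        if not m:
            continue
        url = re.sub(r"^hxxp", "http", m["url"], flags=re.IGNORECASE)
        u = urlsplit(url)
        out.append({
            "id": m["id"],
            "scheme": u.scheme,
            "host": (u.hostname or "").lower(),
            "port": u.port or (443 if u.scheme == "https" else 80),
            "path": u.path,
        })
    return out


def parse_hooks(lines):
    """Rows printed under the MBR detector's 'detected hooks:' heading."""
    return [(m["object"], m["routine"], m["addr"])
            for m in map(HOOK_RE.match, lines) if m]


def triage(text):
    """Pull together the items a helper reads first from a ComboFix log."""
    lines = text.splitlines()
    services = parse_services(lines)
    return {
        "services": services,
        "no_file": [s["name"] for s in services if s["path"] is None],
        "dpf": parse_dpf(lines),
        "hooks": parse_hooks(lines),
        "mbr_ok": any(l.strip() == "user & kernel MBR OK" for l in lines),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Running it on a full log gives three lists worth a manual look before any fix is written: service entries for which ComboFix printed no file, the hosts and ports the DPF (ActiveX) controls were fetched from, and any kernel hooks the MBR detector reported.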
-
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
(http://img.photobucket.com/albums/v420/kdiamondkenny/Computer/TDSSKillernumber1.png)
- If an infected file is detected, the default action will be Cure; click on Continue.
(http://img.photobucket.com/albums/v420/kdiamondkenny/Computer/TDSSKillernumber2.png)
- If a suspicious file is detected, the default action will be Skip; click on Continue.
(http://img.photobucket.com/albums/v420/kdiamondkenny/Computer/TDSSKillernumber3.png)
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
(http://img.photobucket.com/albums/v420/kdiamondkenny/Computer/TDSSKillerlastone3.png)
- Click the Report button and copy/paste the contents of it into your next reply.
Note: It will also create a log in the C:\ directory.
Please run aswMBR.exe again and post the log after doing the above.
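The report TDSSKiller writes is the per-service list seen in the reply that follows: for each service or driver a line with the name, the file's MD5 and its path, then a verdict line ending in "- ok". The Python script below is added here as an example and is not part of the thread or of Kaspersky's tool. It starts parsing at the "Scan started" marker so header lines such as the disk description (which also contain " - ") are not mistaken for entries, collects each entry's hash, path and verdict, lists services for which no file line was printed, and returns everything whose verdict is not "ok". The sample mixes abridged lines copied from the log posted in this thread with one constructed entry ("exampledrv", with a made-up verdict string), because the exact wording TDSSKiller uses for a detection is not shown on this page and is assumed; the "Scan finished" end marker is likewise assumed.

```python
import re

# Abridged lines copied from the TDSSKiller report posted in this thread, plus one
# CONSTRUCTED entry ("exampledrv") whose verdict wording is invented for the example.
SAMPLE_LOG = r"""14:48:17.0265 2140 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200
14:48:17.0453 2140 Initialize success
14:48:39.0218 2428 ============================================================
14:48:39.0218 2428 Scan started
14:48:39.0218 2428 Mode: Manual;
14:48:39.0218 2428 ============================================================
14:48:43.0078 2428 Abiosdsk - ok
14:48:43.0203 2428 abp480n5 - ok
14:48:43.0484 2428 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:48:43.0500 2428 ACPI - ok
14:48:43.0656 2428 adpu160m - ok
14:48:44.0531 2428 APC UPS Service (9106457d01655d38a9b9f6f822117160) C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
14:48:44.0531 2428 APC UPS Service - ok
14:48:49.0500 2428 exampledrv (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\DRIVERS\exampledrv.sys
14:48:49.0500 2428 exampledrv - detected Example.Verdict (1)
"""

_PREFIX = r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+"
FILE_RE = re.compile(_PREFIX + r"(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
VERDICT_RE = re.compile(_PREFIX + r"(?P<name>.+?) - (?P<verdict>.+)$")


def parse_tdsskiller(text):
    """Map service/driver name -> {md5, path, verdict} for entries inside the scan section."""
    entries = {}
    in_scan = False
    for line in text.splitlines():
        if line.endswith("Scan started"):
            in_scan = True
            continue
        if line.endswith("Scan finished"):  # assumed end marker; stop if present
            break
        if not in_scan:
            continue  # header lines ("Drive ... - Size: ...") also contain " - "
        m = FILE_RE.match(line)  # check the hash line first: a path may contain " - "
        if m:
            entries.setdefault(m["name"], {}).update(md5=m["md5"].lower(), path=m["path"])
            continue
        m = VERDICT_RE.match(line)
        if m:
            entries.setdefault(m["name"], {})["verdict"] = m["verdict"]
    return entries


def findings(entries):
    """Everything whose verdict is not the plain 'ok'."""
    return {n: e for n, e in entries.items() if e.get("verdict") != "ok"}


def without_file(entries):
    """Registered services for which the tool printed no hash/path line."""
    return sorted((n for n, e in entries.items() if "path" not in e), key=str.lower)


def hash_manifest(entries):
    """(md5, path) pairs, deduplicated and sorted, ready for a batch reputation lookup."""
    return sorted({(e["md5"], e["path"]) for e in entries.values() if "md5" in e})


if __name__ == "__main__":
    parsed = parse_tdsskiller(SAMPLE_LOG)
    print("entries:", len(parsed), "flagged:", findings(parsed))
    print("no file line:", without_file(parsed))
    for md5, path in hash_manifest(parsed):
        print(md5, path)
```

Entries without a file line are normal on XP (they are registered drivers whose file the tool did not locate, as with Abiosdsk above) and are listed only so they can be checked, not treated as findings; the hash manifest is what you would feed to a reputation service rather than reading hundreds of MD5s by eye.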
-
Here are the TDSSKiller and aswMBR logs:
14:48:10.0750 2140 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
14:48:11.0390 2140 ============================================================
14:48:11.0390 2140 Current date / time: 2012/03/30 14:48:11.0390
14:48:11.0390 2140 SystemInfo:
14:48:11.0390 2140
14:48:11.0390 2140 OS Version: 5.1.2600 ServicePack: 3.0
14:48:11.0390 2140 Product type: Workstation
14:48:11.0390 2140 ComputerName: HEATHER
14:48:11.0390 2140 UserName: HP_Administrator
14:48:11.0390 2140 Windows directory: C:\WINDOWS
14:48:11.0390 2140 System windows directory: C:\WINDOWS
14:48:11.0390 2140 Processor architecture: Intel x86
14:48:11.0390 2140 Number of processors: 2
14:48:11.0390 2140 Page size: 0x1000
14:48:11.0390 2140 Boot type: Safe boot with network
14:48:11.0390 2140 ============================================================
14:48:17.0265 2140 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
14:48:17.0281 2140 \Device\Harddisk0\DR0:
14:48:17.0281 2140 MBR used
14:48:17.0281 2140 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1C08BDDE
14:48:17.0281 2140 \Device\Harddisk0\DR0\Partition1: MBR, Type 0xC, StartLBA 0x1C08FCDE, BlocksNum 0x11348A3
14:48:17.0453 2140 Initialize success
14:48:17.0453 2140 ============================================================
14:48:39.0218 2428 ============================================================
14:48:39.0218 2428 Scan started
14:48:39.0218 2428 Mode: Manual;
14:48:39.0218 2428 ============================================================
14:48:43.0078 2428 Abiosdsk - ok
14:48:43.0203 2428 abp480n5 - ok
14:48:43.0484 2428 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:48:43.0500 2428 ACPI - ok
14:48:43.0593 2428 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
14:48:43.0593 2428 ACPIEC - ok
14:48:43.0656 2428 adpu160m - ok
14:48:43.0765 2428 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:48:43.0796 2428 aec - ok
14:48:43.0875 2428 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
14:48:43.0875 2428 AFD - ok
14:48:43.0890 2428 Aha154x - ok
14:48:43.0937 2428 aic78u2 - ok
14:48:43.0968 2428 aic78xx - ok
14:48:44.0046 2428 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
14:48:44.0046 2428 Alerter - ok
14:48:44.0093 2428 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
14:48:44.0125 2428 ALG - ok
14:48:44.0171 2428 AliIde - ok
14:48:44.0218 2428 amsint - ok
14:48:44.0531 2428 APC UPS Service (9106457d01655d38a9b9f6f822117160) C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
14:48:44.0531 2428 APC UPS Service - ok
14:48:44.0625 2428 Apple Mobile Device (5aa788d5a2c6737bb9c45933985bc1b8) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
14:48:44.0625 2428 Apple Mobile Device - ok
14:48:44.0812 2428 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
14:48:44.0828 2428 AppMgmt - ok
14:48:44.0937 2428 aracpi (00523019e3579c8f8a94457fe25f0f24) C:\WINDOWS\system32\DRIVERS\aracpi.sys
14:48:44.0937 2428 aracpi - ok
14:48:45.0015 2428 arhidfltr (9fedaa46eb1a572ac4d9ee6b5f123cf2) C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
14:48:45.0031 2428 arhidfltr - ok
14:48:45.0062 2428 arkbcfltr (82969576093cd983dd559f5a86f382b4) C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
14:48:45.0062 2428 arkbcfltr - ok
14:48:45.0109 2428 armoucfltr (9b21791d8a78faece999fadbebda6c22) C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
14:48:45.0109 2428 armoucfltr - ok
14:48:45.0218 2428 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
14:48:45.0218 2428 Arp1394 - ok
14:48:45.0296 2428 ARPolicy (7a2da7c7b0c524ef26a79f17a5c69fde) C:\WINDOWS\system32\DRIVERS\arpolicy.sys
14:48:45.0296 2428 ARPolicy - ok
14:48:45.0375 2428 ARSVC (9a0d9b2e263bede80fb79ddbad240ec1) C:\WINDOWS\arservice.exe
14:48:48.0703 2428 ARSVC - ok
14:48:48.0921 2428 asc - ok
14:48:49.0000 2428 asc3350p - ok
14:48:49.0046 2428 asc3550 - ok
14:48:49.0296 2428 aspnet_state (e1a1206a4fb19b675e947b29ccd25fba) C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
14:48:49.0312 2428 aspnet_state - ok
14:48:49.0390 2428 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:48:49.0390 2428 AsyncMac - ok
14:48:49.0468 2428 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:48:49.0468 2428 atapi - ok
14:48:49.0500 2428 Atdisk - ok
14:48:49.0593 2428 Ati HotKey Poller (5784a06fdc2ac7954225a1a79e1a8f00) C:\WINDOWS\system32\Ati2evxx.exe
14:48:49.0609 2428 Ati HotKey Poller - ok
14:48:49.0765 2428 ati2mtag (dd222ce49e79f15d2312a5e1f42e716e) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
14:48:49.0859 2428 ati2mtag - ok
14:48:49.0984 2428 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:48:50.0000 2428 Atmarpc - ok
14:48:50.0093 2428 ATMhelpr (3ef1db7f168851914517d4ed36b57c04) C:\WINDOWS\system32\drivers\ATMhelpr.sys
14:48:50.0093 2428 ATMhelpr - ok
14:48:50.0281 2428 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
14:48:50.0281 2428 AudioSrv - ok
14:48:50.0500 2428 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:48:50.0500 2428 audstub - ok
14:48:50.0781 2428 BBSvc (2ed050291bc1d7f9e322e328db3aaecf) C:\Program Files\Microsoft\BingBar\BBSvc.EXE
14:48:50.0781 2428 BBSvc - ok
14:48:50.0906 2428 BBUpdate (785de7abda13309d6065305542829e76) C:\Program Files\Microsoft\BingBar\SeaPort.EXE
14:48:50.0921 2428 BBUpdate - ok
14:48:50.0984 2428 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:48:50.0984 2428 Beep - ok
14:48:51.0109 2428 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
14:48:51.0265 2428 BITS - ok
14:48:51.0375 2428 Bonjour Service (f832f1505ad8b83474bd9a5b1b985e01) C:\Program Files\Bonjour\mDNSResponder.exe
14:48:51.0390 2428 Bonjour Service - ok
14:48:51.0578 2428 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
14:48:51.0593 2428 Browser - ok
14:48:51.0718 2428 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
14:48:51.0718 2428 BVRPMPR5 - ok
14:48:51.0875 2428 catchme - ok
14:48:51.0937 2428 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:48:51.0937 2428 cbidf2k - ok
14:48:51.0968 2428 cd20xrnt - ok
14:48:52.0031 2428 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:48:52.0031 2428 Cdaudio - ok
14:48:52.0109 2428 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:48:52.0140 2428 Cdfs - ok
14:48:52.0281 2428 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:48:52.0281 2428 Cdrom - ok
14:48:52.0312 2428 Changer - ok
14:48:52.0390 2428 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
14:48:52.0390 2428 CiSvc - ok
14:48:52.0500 2428 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
14:48:52.0500 2428 ClipSrv - ok
14:48:52.0531 2428 CmdIde - ok
14:48:52.0593 2428 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:48:52.0593 2428 Compbatt - ok
14:48:52.0625 2428 COMSysApp - ok
14:48:52.0718 2428 Cpqarray - ok
14:48:52.0796 2428 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
14:48:52.0796 2428 CryptSvc - ok
14:48:52.0828 2428 dac2w2k - ok
14:48:52.0859 2428 dac960nt - ok
14:48:52.0937 2428 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
14:48:53.0015 2428 DcomLaunch - ok
14:48:53.0093 2428 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
14:48:53.0109 2428 Dhcp - ok
14:48:53.0296 2428 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:48:53.0296 2428 Disk - ok
14:48:53.0359 2428 dmadmin - ok
14:48:53.0468 2428 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:48:53.0500 2428 dmboot - ok
14:48:53.0593 2428 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
14:48:53.0593 2428 dmio - ok
14:48:53.0625 2428 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:48:53.0625 2428 dmload - ok
14:48:53.0687 2428 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
14:48:53.0687 2428 dmserver - ok
14:48:53.0796 2428 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:48:53.0796 2428 DMusic - ok
14:48:53.0859 2428 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
14:48:53.0890 2428 Dnscache - ok
14:48:54.0046 2428 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
14:48:54.0046 2428 Dot3svc - ok
14:48:54.0078 2428 dpti2o - ok
14:48:54.0156 2428 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:48:54.0156 2428 drmkaud - ok
14:48:54.0250 2428 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
14:48:54.0250 2428 EapHost - ok
14:48:54.0406 2428 ehRecvr (5d1347aa5ae6e2f77d7f4f8372d95ac9) C:\WINDOWS\eHome\ehRecvr.exe
14:48:54.0406 2428 ehRecvr - ok
14:48:54.0562 2428 ehSched (a53243709439ac2a4c216b817f8d7411) C:\WINDOWS\eHome\ehSched.exe
14:48:54.0593 2428 ehSched - ok
14:48:54.0734 2428 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
14:48:54.0765 2428 ERSvc - ok
14:48:54.0828 2428 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
14:48:54.0859 2428 Eventlog - ok
14:48:54.0937 2428 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
14:48:54.0937 2428 EventSystem - ok
14:48:55.0062 2428 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:48:55.0062 2428 Fastfat - ok
14:48:55.0187 2428 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
14:48:55.0187 2428 FastUserSwitchingCompatibility - ok
14:48:55.0296 2428 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
14:48:55.0312 2428 Fax - ok
14:48:55.0406 2428 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
14:48:55.0406 2428 Fdc - ok
14:48:55.0484 2428 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:48:55.0500 2428 Fips - ok
14:48:55.0562 2428 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
14:48:55.0562 2428 Flpydisk - ok
14:48:55.0640 2428 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:48:55.0640 2428 FltMgr - ok
14:48:55.0718 2428 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:48:55.0718 2428 Fs_Rec - ok
14:48:55.0890 2428 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:48:55.0906 2428 Ftdisk - ok
14:48:55.0937 2428 ftsata2 - ok
14:48:56.0062 2428 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
14:48:56.0062 2428 GEARAspiWDM - ok
14:48:56.0171 2428 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:48:56.0171 2428 Gpc - ok
14:48:56.0265 2428 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
14:48:56.0265 2428 HDAudBus - ok
14:48:56.0406 2428 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
14:48:56.0406 2428 helpsvc - ok
14:48:56.0562 2428 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
14:48:56.0593 2428 HidBatt - ok
14:48:56.0671 2428 HidServ - ok
14:48:56.0937 2428 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:48:56.0937 2428 HidUsb - ok
14:48:57.0046 2428 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
14:48:57.0093 2428 hkmsvc - ok
14:48:57.0281 2428 hpn - ok
14:48:57.0437 2428 HSXHWBS2 (1f5c64b0c6b2e2f48735a77ae714ccb8) C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys
14:48:57.0453 2428 HSXHWBS2 - ok
14:48:57.0531 2428 HSX_DP (a7f8c9228898a1e871d2ae7082f50ac3) C:\WINDOWS\system32\DRIVERS\HSX_DP.sys
14:48:57.0609 2428 HSX_DP - ok
14:48:57.0875 2428 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:48:57.0890 2428 HTTP - ok
14:48:58.0078 2428 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
14:48:58.0078 2428 HTTPFilter - ok
14:48:58.0328 2428 i2omgmt - ok
14:48:58.0390 2428 i2omp - ok
14:48:58.0609 2428 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:48:58.0609 2428 i8042prt - ok
14:48:59.0046 2428 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
14:48:59.0078 2428 IDriverT - ok
14:48:59.0218 2428 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:48:59.0234 2428 Imapi - ok
14:48:59.0468 2428 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
14:48:59.0468 2428 ImapiService - ok
14:48:59.0593 2428 ini910u - ok
14:48:59.0953 2428 IntcAzAudAddService (ab2fe0faa519880bd16e4a0792d633d2) C:\WINDOWS\system32\drivers\RtkHDAud.sys
14:49:00.0234 2428 IntcAzAudAddService - ok
14:49:00.0625 2428 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
14:49:00.0625 2428 IntelIde - ok
14:49:00.0750 2428 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:49:00.0750 2428 intelppm - ok
14:49:00.0828 2428 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:49:00.0859 2428 Ip6Fw - ok
14:49:00.0968 2428 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:49:00.0984 2428 IpFilterDriver - ok
14:49:01.0140 2428 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:49:01.0171 2428 IpInIp - ok
14:49:01.0234 2428 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:49:01.0281 2428 IpNat - ok
14:49:01.0546 2428 iPod Service (8e5e5a8cc84da3f683e3bbc045138d52) C:\Program Files\iPod\bin\iPodService.exe
14:49:01.0796 2428 iPod Service - ok
14:49:02.0125 2428 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:49:02.0156 2428 IPSec - ok
14:49:02.0468 2428 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:49:02.0500 2428 IRENUM - ok
14:49:02.0734 2428 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:49:02.0750 2428 isapnp - ok
14:49:03.0093 2428 ISWKL (08a811bfd207dfdec588881c18bacbaa) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
14:49:03.0109 2428 ISWKL - ok
14:49:03.0250 2428 IswSvc (5b2ccef06f96dfb22893ab8f0b3f891d) C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
14:49:03.0281 2428 IswSvc - ok
14:49:03.0625 2428 JavaQuickStarterService (9aa67569d5257462e230767510b0c815) C:\Program Files\Java\jre6\bin\jqs.exe
14:49:03.0750 2428 JavaQuickStarterService - ok
14:49:04.0031 2428 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:49:04.0031 2428 Kbdclass - ok
14:49:04.0500 2428 KL1 (94d67d49bd9503bb1d838405d80f2058) C:\WINDOWS\system32\DRIVERS\kl1.sys
14:49:04.0515 2428 KL1 - ok
14:49:04.0921 2428 kl2 (713576569667ac9e0f8556076004a96b) C:\WINDOWS\system32\DRIVERS\kl2.sys
14:49:04.0921 2428 kl2 - ok
14:49:06.0781 2428 KLIF (f934de04ac53b08457b92db6e4dee2e5) C:\WINDOWS\system32\DRIVERS\klif.sys
14:49:06.0796 2428 KLIF - ok
14:49:07.0093 2428 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:49:07.0125 2428 kmixer - ok
14:49:07.0250 2428 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:49:07.0250 2428 KSecDD - ok
14:49:07.0437 2428 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
14:49:07.0437 2428 lanmanserver - ok
14:49:07.0625 2428 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
14:49:07.0640 2428 lanmanworkstation - ok
14:49:07.0781 2428 lbrtfdc - ok
14:49:08.0031 2428 LightScribeService (5d4b38a8d8525356798f5e560c3a3090) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
14:49:08.0046 2428 LightScribeService - ok
14:49:08.0390 2428 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
14:49:08.0390 2428 LmHosts - ok
14:49:08.0593 2428 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
14:49:08.0609 2428 MBAMProtector - ok
14:49:08.0906 2428 MBAMService (056b19651bd7b7ce5f89a3ac46dbdc08) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
14:49:08.0921 2428 MBAMService - ok
14:49:09.0218 2428 McrdSvc (df0a511f38f16016bf658fca0090cb87) C:\WINDOWS\ehome\mcrdsvc.exe
14:49:09.0234 2428 McrdSvc - ok
14:49:09.0531 2428 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
14:49:09.0546 2428 mdmxsdk - ok
14:49:09.0937 2428 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
14:49:09.0984 2428 Messenger - ok
14:49:10.0250 2428 MHN (b7521f69c0a9b29d356157229376fb21) C:\WINDOWS\System32\mhn.dll
14:49:10.0281 2428 MHN - ok
14:49:10.0750 2428 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
14:49:10.0796 2428 MHNDRV - ok
14:49:11.0953 2428 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:49:12.0046 2428 mnmdd - ok
14:49:12.0875 2428 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
14:49:12.0937 2428 mnmsrvc - ok
14:49:15.0109 2428 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:49:15.0109 2428 Modem - ok
14:49:18.0390 2428 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:49:18.0390 2428 Mouclass - ok
14:49:19.0421 2428 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:49:19.0593 2428 MountMgr - ok
14:49:27.0515 2428 mraid35x - ok
14:49:30.0296 2428 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:49:32.0578 2428 MRxDAV - ok
14:49:32.0953 2428 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:49:33.0093 2428 MRxSmb - ok
14:49:33.0859 2428 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:49:33.0875 2428 Msfs - ok
14:49:34.0171 2428 MSIServer - ok
14:49:36.0109 2428 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:49:36.0265 2428 MSKSSRV - ok
14:49:37.0000 2428 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:49:37.0031 2428 MSPCLOCK - ok
14:49:38.0093 2428 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:49:38.0093 2428 MSPQM - ok
14:49:38.0546 2428 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:49:38.0578 2428 mssmbios - ok
14:49:39.0109 2428 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
14:49:39.0281 2428 Mup - ok
14:49:41.0375 2428 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
14:49:41.0984 2428 napagent - ok
14:49:46.0109 2428 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:49:46.0234 2428 NDIS - ok
14:49:47.0281 2428 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:49:47.0359 2428 NdisTapi - ok
14:49:57.0031 2428 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:49:57.0125 2428 Ndisuio - ok
14:50:15.0890 2428 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:50:15.0937 2428 NdisWan - ok
14:50:20.0937 2428 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
14:50:21.0000 2428 NDProxy - ok
14:50:26.0312 2428 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:50:26.0578 2428 NetBIOS - ok
14:50:31.0078 2428 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:50:34.0296 2428 NetBT - ok
14:50:35.0484 2428 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
14:50:36.0078 2428 NetDDE - ok
14:50:36.0187 2428 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
14:50:36.0187 2428 NetDDEdsdm - ok
14:50:37.0250 2428 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:50:37.0250 2428 Netlogon - ok
14:50:38.0187 2428 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
14:50:38.0203 2428 Netman - ok
14:50:39.0031 2428 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
14:50:39.0125 2428 NIC1394 - ok
14:50:41.0937 2428 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
14:50:42.0671 2428 Nla - ok
14:50:43.0343 2428 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:50:43.0453 2428 Npfs - ok
14:50:45.0734 2428 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:50:46.0531 2428 Ntfs - ok
14:50:47.0671 2428 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:50:47.0671 2428 NtLmSsp - ok
14:50:48.0453 2428 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
14:50:49.0953 2428 NtmsSvc - ok
14:50:50.0250 2428 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:50:50.0453 2428 Null - ok
14:50:51.0093 2428 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:50:51.0109 2428 NwlnkFlt - ok
14:50:52.0687 2428 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:50:52.0750 2428 NwlnkFwd - ok
14:50:53.0656 2428 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
14:50:53.0687 2428 ohci1394 - ok
14:50:53.0828 2428 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
14:50:53.0828 2428 ose - ok
14:50:54.0312 2428 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
14:50:54.0343 2428 Parport - ok
14:50:54.0593 2428 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:50:54.0609 2428 PartMgr - ok
14:50:54.0687 2428 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:50:54.0703 2428 ParVdm - ok
14:50:55.0000 2428 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:50:55.0390 2428 PCI - ok
14:50:57.0265 2428 PCIDump - ok
14:51:00.0234 2428 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:51:00.0453 2428 PCIIde - ok
14:51:05.0765 2428 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
14:51:06.0593 2428 Pcmcia - ok
14:51:07.0421 2428 PDCOMP - ok
14:51:07.0703 2428 PDFRAME - ok
14:51:08.0062 2428 PDRELI - ok
14:51:08.0171 2428 PDRFRAME - ok
14:51:08.0203 2428 perc2 - ok
14:51:08.0328 2428 perc2hib - ok
14:51:08.0578 2428 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
14:51:08.0578 2428 PlugPlay - ok
14:51:09.0296 2428 pmxscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:51:09.0312 2428 pmxscan - ok
14:51:09.0406 2428 Point32 (dcdf0421a1c14f2923e298a30fd7636d) C:\WINDOWS\system32\DRIVERS\point32.sys
14:51:09.0500 2428 Point32 - ok
14:51:09.0703 2428 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:51:09.0703 2428 PolicyAgent - ok
14:51:09.0968 2428 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:51:09.0984 2428 PptpMiniport - ok
14:51:10.0312 2428 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:51:10.0312 2428 ProtectedStorage - ok
14:51:10.0546 2428 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
14:51:10.0593 2428 Ps2 - ok
14:51:11.0171 2428 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:51:14.0281 2428 PSched - ok
14:51:14.0765 2428 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:51:15.0921 2428 Ptilink - ok
14:51:17.0890 2428 PxHelp20 (97b735de4e3cd44c71c8cb09bdbf07b7) C:\WINDOWS\system32\Drivers\PxHelp20.sys
14:51:17.0953 2428 PxHelp20 - ok
14:51:19.0718 2428 ql1080 - ok
14:51:21.0406 2428 Ql10wnt - ok
14:51:22.0296 2428 ql12160 - ok
14:51:24.0156 2428 ql1240 - ok
14:51:25.0734 2428 ql1280 - ok
14:51:28.0000 2428 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:51:28.0000 2428 RasAcd - ok
14:51:31.0062 2428 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
14:51:31.0109 2428 RasAuto - ok
14:51:32.0046 2428 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:51:32.0078 2428 Rasl2tp - ok
14:51:33.0968 2428 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
14:51:35.0421 2428 RasMan - ok
14:51:36.0187 2428 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:51:36.0187 2428 RasPppoe - ok
14:51:36.0484 2428 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:51:36.0796 2428 Raspti - ok
14:51:37.0515 2428 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:51:37.0734 2428 Rdbss - ok
14:51:37.0984 2428 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:51:38.0000 2428 RDPCDD - ok
14:51:38.0875 2428 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:51:38.0906 2428 rdpdr - ok
14:53:46.0453 2428 MBR (0x1B8) (cb3cc5e3bfdf0a25babd81b4d610f0e7) \Device\Harddisk0\DR0
14:53:46.0625 2428 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
14:53:46.0625 2428 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
14:53:46.0875 2428 Boot (0x1200) (a2c137e4c6acac455d5a5029f70b034d) \Device\Harddisk0\DR0\Partition0
14:53:47.0062 2428 \Device\Harddisk0\DR0\Partition0 - ok
14:53:47.0187 2428 Boot (0x1200) (c7eafd29abeaa13e437796e0e2979905) \Device\Harddisk0\DR0\Partition1
14:53:47.0296 2428 \Device\Harddisk0\DR0\Partition1 - ok
14:53:47.0296 2428 ============================================================
14:53:47.0296 2428 Scan finished
14:53:47.0296 2428 ============================================================
14:53:47.0515 2420 Detected object count: 1
14:53:47.0515 2420 Actual detected object count: 1
14:54:39.0968 2420 \Device\Harddisk0\DR0\# - copied to quarantine
14:54:39.0968 2420 \Device\Harddisk0\DR0 - copied to quarantine
14:54:40.0031 2420 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
14:54:40.0234 2420 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
14:54:40.0281 2420 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
14:54:40.0515 2420 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
14:54:40.0703 2420 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
14:54:41.0250 2420 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
14:54:42.0281 2420 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
14:54:42.0281 2420 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
14:54:42.0296 2420 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
14:54:42.0359 2420 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
14:54:42.0375 2420 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
14:54:42.0390 2420 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
14:54:42.0500 2420 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
14:54:42.0500 2420 \Device\Harddisk0\DR0 - ok
14:54:42.0531 2420 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
14:55:53.0671 2120 Deinitialize success
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-30 15:02:44
-----------------------------
15:02:44.093 OS Version: Windows 5.1.2600 Service Pack 3
15:02:44.093 Number of processors: 2 586 0x407
15:02:44.093 ComputerName: HEATHER UserName:
15:02:44.640 Initialize success
15:04:33.609 AVAST engine defs: 12033000
15:04:46.140 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
15:04:46.140 Disk 0 Vendor: WDC_WD2500JS-60NCB1 10.02E02 Size: 238475MB BusType: 3
15:04:46.187 Disk 0 MBR read successfully
15:04:46.203 Disk 0 MBR scan
15:04:46.250 Disk 0 unknown MBR code
15:04:46.250 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 229655 MB offset 63
15:04:46.296 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 8809 MB offset 470351070
15:04:46.312 Disk 0 scanning sectors +488392065
15:04:46.390 Disk 0 scanning C:\WINDOWS\system32\drivers
15:05:00.765 Service scanning
15:05:25.281 Modules scanning
15:05:30.375 Disk 0 trace - called modules:
15:05:30.421 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:05:30.437 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86383ab8]
15:05:30.500 3 CLASSPNP.SYS[f75cffd7] -> nt!IofCallDriver -> \Device\00000070[0x8637e0c8]
15:05:30.546 5 ACPI.sys[f7526620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x86300940]
15:05:31.078 AVAST engine scan C:\WINDOWS
15:05:44.593 AVAST engine scan C:\WINDOWS\system32
15:10:52.437 AVAST engine scan C:\WINDOWS\system32\drivers
15:11:18.031 AVAST engine scan C:\Documents and Settings\HP_Administrator
15:18:25.890 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\MBR.dat"
15:18:25.968 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"
-
Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe)
Link 2 (http://ad13.geekstogo.com/MBRCheck.exe)
Link 3 (http://www.kernelmode.info/MBRCheck.exe)
• Double-click on MBRCheck.exe to run it.
• It will open a black window...please do not fix anything (if it gives you an option).
• When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
• A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
• Please copy and paste the contents of that log in your next reply.
-
Hi SuperDave,
I just ran the check and will post the report, but before I do, I wanted you to know that this morning I tried logging on in normal mode and still had all the same problems, so then I figured what the heck--I tried logging on in normal mode again, but as soon as the Zone Alarm icon appeared in the tray, I right-clicked and exited. Since then, I have been working in normal mode and so far, no problems. I have been burning all of my music and data to CD's, figured I'd better get started, just in case...still quite a bit more to burn, so I don't want to do anything that might cause me to lose the functionality I have right now, but thought you should know that exiting ZA seemed to make a difference. Don't know if there are still other underlying problems as well...anyway, here's the report:
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000f1c
Kernel Drivers (total 145):
Processes (total 57):
0 System Idle Process
4 System
552 C:\WINDOWS\system32\smss.exe
628 csrss.exe
656 C:\WINDOWS\system32\winlogon.exe
700 C:\WINDOWS\system32\services.exe
712 C:\WINDOWS\system32\lsass.exe
868 C:\WINDOWS\system32\ati2evxx.exe
884 C:\WINDOWS\system32\svchost.exe
956 svchost.exe
996 C:\WINDOWS\system32\svchost.exe
1068 svchost.exe
1100 svchost.exe
1148 C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
1400 C:\WINDOWS\system32\ati2evxx.exe
1492 C:\WINDOWS\explorer.exe
1752 C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
1856 C:\WINDOWS\system32\spoolsv.exe
1904 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
1996 svchost.exe
2044 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
168 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
232 C:\WINDOWS\arservice.exe
424 C:\Program Files\Microsoft\BingBar\SeaPort.EXE
460 C:\Program Files\Bonjour\mDNSResponder.exe
496 C:\WINDOWS\ehome\ehrecvr.exe
540 C:\WINDOWS\ehome\ehSched.exe
112 C:\Program Files\Java\jre6\bin\jqs.exe
1024 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1252 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
1548 svchost.exe
1664 C:\WINDOWS\system32\svchost.exe
2112 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
2188 mcrdsvc.exe
2440 C:\WINDOWS\system32\dllhost.exe
2576 alg.exe
3244 C:\WINDOWS\ehome\ehtray.exe
3360 C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
3412 C:\WINDOWS\arpwrmsg.exe
3572 C:\WINDOWS\ehome\ehmsas.exe
3688 C:\Program Files\iTunes\iTunesHelper.exe
3884 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
3976 C:\Program Files\Common Files\Java\Java Update\jusched.exe
4036 C:\Program Files\real\realplayer\Update\realsched.exe
164 C:\PROGRA~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE
2700 C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
3036 C:\Program Files\iPod\bin\iPodService.exe
3628 C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
1932 C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
2012 C:\hp\KBD\kbd.exe
3732 C:\WINDOWS\system\hpsysdrv.exe
780 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
4508 C:\WINDOWS\system32\wuauclt.exe
5900 C:\Program Files\real\realplayer\realplay.exe
4348 C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe
5856 <unknown>
588 <unknown>
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000038`11f9bc00 (FAT32)
PhysicalDrive0 Model Number: WDCWD2500JS-60NCB1, Rev: 10.02E02
Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 4A3BF69CA3259413E25A52D6E01242850E3B0E3A
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Done!
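Both MBRCheck (the SHA1 line and "Unknown MBR code") and aswMBR ("unknown MBR code", the two partition lines) do the same two things: hash the boot-code bytes of sector 0 against known-good code and parse the partition table. The Python below is an added example, not code from this thread or from either tool; it runs those checks offline on a saved 512-byte image such as the MBR.dat aswMBR wrote to the desktop. The allowlist is a hypothetical placeholder, and the sample image and disk size are constructed to mirror the partition layout aswMBR reported.

```python
"""Offline sanity checks for a 512-byte MBR image (e.g. the MBR.dat saved by aswMBR).

Added example; not part of the thread, of MBRCheck or of aswMBR.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 0x1B8      # TDSSKiller's "MBR (0x1B8)" line hashes this many bytes
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE      # must hold 55 AA

# Hypothetical allowlist of known-good boot-code SHA-1 digests (fill it from a clean
# machine of the same OEM build). Empty here, so every boot code is reported as
# unknown, which is what both tools reported for the disk in this thread.
KNOWN_GOOD_SHA1 = frozenset()

PART_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
              0x05: "Extended", 0x0F: "Extended LBA", 0x83: "Linux"}


def load_mbr(path):
    """Read the first sector from a saved image file."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def parse_partition_table(mbr):
    """Return the non-empty entries of the classic four-slot partition table."""
    entries = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        entries.append({
            "slot": slot + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors // 2048,      # 512-byte sectors -> MiB
        })
    return entries


def analyze_mbr(mbr, known_good=KNOWN_GOOD_SHA1, disk_sectors=None):
    """Inspect one MBR image; return parsed facts plus a list of findings."""
    findings = []
    if len(mbr) != SECTOR:
        findings.append("image is %d bytes, expected %d" % (len(mbr), SECTOR))
    sig_ok = mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA"
    if not sig_ok:
        findings.append("missing 55 AA boot signature")

    code_sha1 = hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest()
    code_known = code_sha1 in known_good
    if not code_known:
        findings.append("unknown MBR code (sha1 %s not in allowlist)" % code_sha1)

    parts = parse_partition_table(mbr)
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions, expected exactly 1" % len(active))
    for p in parts:
        if p["lba_start"] == 0:
            findings.append("slot %d starts at LBA 0 (overlaps the MBR)" % p["slot"])
        if disk_sectors is not None and p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append("slot %d extends past the end of the disk" % p["slot"])
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev["lba_start"] + prev["sectors"] > nxt["lba_start"]:
            findings.append("slot %d overlaps slot %d" % (prev["slot"], nxt["slot"]))

    return {"signature_ok": sig_ok, "boot_code_sha1": code_sha1,
            "boot_code_known": code_known, "partitions": parts, "findings": findings}


def build_sample_mbr():
    """Constructed image modelled on the two aswMBR partition lines in this thread.

    The boot-code area is filler bytes, not real boot code; only the layout is realistic.
    """
    img = bytearray(SECTOR)
    img[0:2] = b"\x33\xC0"                                 # xor ax,ax: common first opcode
    img[2:BOOT_CODE_LEN] = b"\x90" * (BOOT_CODE_LEN - 2)   # nop filler (constructed)

    def entry(slot, status, ptype, lba_start, sectors):
        struct.pack_into("<B3xB3xII", img, PART_TABLE_OFF + 16 * slot,
                         status, ptype, lba_start, sectors)

    entry(0, 0x80, 0x07, 63, 470351007)          # active NTFS volume at offset 63
    entry(1, 0x00, 0x0C, 470351070, 18040832)    # FAT32 LBA recovery volume, 8809 MB
    img[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xAA"
    return bytes(img)


if __name__ == "__main__":
    report = analyze_mbr(build_sample_mbr(), disk_sectors=488397168)  # constructed size
    for p in report["partitions"]:
        print("slot %(slot)d %(type_name)-10s active=%(active)s "
              "start=%(lba_start)d %(size_mb)d MB" % p)
    for f in report["findings"]:
        print("FINDING:", f)
```

Point `load_mbr` at a saved MBR.dat and pass its bytes to `analyze_mbr`; an empty findings list means the signature, partition layout and boot code all checked out against your allowlist.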
-
I have been burning all of my music and data to CD's, figured I'd better get started, just in case...still quite a bit more to burn, so I don't want to do anything that might cause me to lose the functionality I have right now,
Good idea to back up all your important data. When you're finished with that, please do the following.
Earlier on ComboFix installed the Recovery Console. We're going to use that now.
Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)
(http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RC_BootMenu.gif)
(http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RConsole_Fixmbr.png)
When you get to the above screen, take note of the number that references your operating system.
If it's '1' like the picture above, type 1 and press Enter
(http://i582.photobucket.com/albums/ss269/Cat_Byte/images/RConsole_A.png)
Next type FIXMBR
If it asks if you're sure you want to write a new MBR, answer 'Y'
Then type EXIT to reboot the machine.
With that done, please run MBRCheck.exe again and post the log.
-
Questions: Should I be doing this on a normal boot, or SafeMode? (Does it matter?)
Does it matter that I have Windows XP Media Center version for Recovery console? (When ComboFix installed the recovery console, it only asked if I was running home edition and I said no--and then what it downloaded seemed to be a home edition.) Is there a way to check that I have the right recovery console before we do this, or doesn't it matter?
Is this going to do any kind of destructive recovery, or is it just fixing something from MBR? (I realize with computers there's no guarantee that something won't be destructive, but what are we hoping will happen?) :) I know this whole process is trial-and-error, looking for a needle in a haystack, but knowing where we stand at this point helps...
Sorry to be so anxious, but I work from home so I can care for my disabled husband, and this computer is vital to me doing that. This is our only income, so it's a little anxiety-producing...(the organization I work for doesn't provide any support--or anything else for that matter, except a job. Their philosophy is if I can't do it, they'll give it to someone else who can.) I feel like we're getting close--I seem to have full functionality right now (I realize that doesn't mean that there still aren't underlying issues). Just want to make sure I don't mess anything up at this point... Sorry for being an old lady about this at this point...Thanks!
-
Should I be doing this on a normal boot, or SafeMode
In Normal mode.
Is there a way to check that I have the right recovery console before we do this, or doesn't it matter?
You should see the Recovery Console when you boot your computer but it's only there for a few seconds.
Is this going to do any kind of destructive recovery, or is it just fixing something from MBR?
No, just fixing the MBR.
Just want to make sure I don't mess anything up at this point... Sorry for being an old lady about this at this point...Thanks!
If the RC is installed, it should just fix the MBR.
-
OK, I know you said if it asks if I want to write a new MBR to say yes, but I want to make sure it's OK given the warning message I received. When I put in fixMBR, I got the message that "This computer appears to have a non-standard or invalid Master Boot Record. FixMBR may damage your partition tables if you proceed. This could cause all the partitions on the current hard disk to become inaccessible. If you are not having problems accessing your drive, do not continue. Are you sure you want to write a new MBR?"
Just want to make sure the answer is still yes, even with this warning...don't want to mess up now...Thanks!
-
When I put in fixMBR, I got the message that "This computer appears to have a non-standard or invalid Master Boot Record. FixMBR may damage your partition tables if you proceed. This could cause all the partitions on the current hard disk to become inaccessible.
Ok. Let's try this to see if you get the same message.
Please Boot to the System Recovery Options (http://www.sevenforums.com/tutorials/668-system-recovery-options.html)
If you have Windows 7 installation disc, just insert a DVD to the drive, restart computer and it should load automatically (option two presented in the article).
It's possible also that your computer has a pre-installed recovery partition instead - in such a case use method one (by pressing F8 before Windows starts loading)...
NOTE. If none of the above apply you can create System Repair Disc (link in "Option two") and boot from it.
On the System Recovery Options menu you will get the following options:
- Startup Repair
- System Restore
- Windows Complete PC Restore
- Windows Memory Diagnostic Tool
- Command Prompt
Choose Command Prompt
You should see X:\SOURCES>...
Execute the following commands in bold.
Press Enter after every one of them.
bootrec /fixmbr (<--- there is a "space" after "bootrec")
bootrec /fixboot (<--- there is a "space" after "bootrec")
exit
Restart computer.
-
Hi SD,
Not trying to be difficult, but those instructions were for Windows 7, and I have Windows XP Media Center Edition 2005. I did try looking for how to boot to systems recovery options on my own though, and it seemed they were saying to just go to Safe Mode to get Safe Mode with command prompt. I did that, went through the process of selecting my user name (HP_Administrator), got C:\Documents and Settings\HP_Administrator> Tried entering bootrec /fixmbr (I remembered to include the space). Got the message that bootrec was not recognized as an internal or external command, operable program, or batch file. So I typed exit, and then just got the black screen with safe mode in the 4 corners. Didn't know how to get out of that, so I just turned off the computer with the power button.
I do have a disk my daughter made when we got this computer; it is labeled "HP Recovery Tools CD". I looked at the contents with WinExplorer: it has a lot of language file folders, some file folders that begin with R and a number, some files that are labeled bootfont with different extensions (they seem to correspond to the languages), and some files labeled WIN51, WIN51.B@, WIN511C, etc.
I also have a set of 3 recovery disks she made when we got the computer, I'm assuming they are for a destructive recovery? I have not looked at them.
Also, under My Computer, C is my hard drive, but there is also a D drive labeled HP_Recovery. I don't know if any of this info helps you decide what to do next. As I said, I'm not trying to be difficult, but want to make sure I'm doing the right thing. Thanks.
After writing all this, I found this site online that appears to say to ignore the error message for Windows 2000 (but it doesn't say for XP): should I just ignore the error message?
http://support.microsoft.com/kb/266745
I also found this site that says it also applies to XP:
http://www.tomshardware.com/forum/87475-45-fixmbr-dont
I'm not trying to undermine or second-guess you, just trying to help with research (I don't expect you to know everything. :>). I won't do anything that you haven't checked and said I should do. If you say go ahead then I'll do it. Thanks!
-
Also, under My Computer, C is my hard drive, but there is also a D drive labeled HP_Recovery
Yes, that's the recovery console we're trying to get into.
After writing all this, I found this site on line that appears to say to ignore the error message for Windows 2000 (but it doesn't say for XP): should I just ignore the error message ?
I would say just ignore the warning as MS stated in their article. But first, you should save all your important data just in case we have to use the Recovery disks.
-
Wow--that was QUICK! No problems. Here's the log from MBRcheck:
MBRCheck, version 1.2.3
(c) 2010, AD
Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000f1c
Kernel Drivers (total 143):
0xF7A2C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6069000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF776C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF777C000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7824000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6058000 \SystemRoot\system32\DRIVERS\psched.sys
0xF778C000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF782C000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7834000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6000000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF779C000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7A7C000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5FA2000 \SystemRoot\system32\DRIVERS\update.sys
0xF6D30000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF77AC000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF763C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A7E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF1A0B000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xF19E7000 \SystemRoot\system32\drivers\portcls.sys
0xF766C000 \SystemRoot\system32\drivers\drmk.sys
0xF1970000 \SystemRoot\system32\DRIVERS\klif.sys
0xF7A8A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C12000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A8C000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7C14000 \SystemRoot\System32\Drivers\ATMhelpr.SYS
0xF784C000 \SystemRoot\System32\drivers\vga.sys
0xF7A8E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A90000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7854000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF785C000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6040000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF7864000 \SystemRoot\system32\DRIVERS\kl2.sys
0xF6030000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF1915000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF18BC000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF1894000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF1815000 \SystemRoot\System32\vsdatant.sys
0xF17EF000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF6513000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF5F9E000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF6503000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF786C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7874000 \SystemRoot\system32\DRIVERS\arhidfltr.sys
0xF64F3000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF787C000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF5F92000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF17CD000 \SystemRoot\System32\drivers\afd.sys
0xF64E3000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF17AB000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xF7884000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF1730000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF1698000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF64D3000 \SystemRoot\System32\Drivers\Fips.SYS
0xF788C000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF1674000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF165C000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7AC0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF19CB000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78B4000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C3A000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09A000 \SystemRoot\System32\atikvmag.dll
0xBF0D0000 \SystemRoot\System32\ati3duag.dll
0xBF362000 \SystemRoot\System32\ativvaxx.dll
0xBF4BA000 \SystemRoot\System32\ATMFD.DLL
0xEF490000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xEF428000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF789C000 \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
0xEEE67000 \SystemRoot\system32\drivers\wdmaud.sys
0xEF3B4000 \SystemRoot\system32\drivers\sysaudio.sys
0xEECFC000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xEEB53000 \SystemRoot\System32\Drivers\HTTP.sys
0xEEAD3000 \SystemRoot\system32\DRIVERS\srv.sys
0xEEB4F000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEE713000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll
Processes (total 56):
0 System Idle Process
4 System
548 C:\WINDOWS\system32\smss.exe
620 csrss.exe
648 C:\WINDOWS\system32\winlogon.exe
692 C:\WINDOWS\system32\services.exe
704 C:\WINDOWS\system32\lsass.exe
860 C:\WINDOWS\system32\ati2evxx.exe
876 C:\WINDOWS\system32\svchost.exe
948 svchost.exe
1016 C:\WINDOWS\system32\svchost.exe
1104 svchost.exe
1160 svchost.exe
1204 C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
1472 C:\WINDOWS\system32\ati2evxx.exe
1564 C:\WINDOWS\explorer.exe
1868 C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
2004 C:\WINDOWS\system32\spoolsv.exe
164 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
1044 svchost.exe
1100 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
1176 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1304 C:\WINDOWS\arservice.exe
1340 C:\Program Files\Microsoft\BingBar\SeaPort.EXE
1416 C:\Program Files\Bonjour\mDNSResponder.exe
1348 C:\WINDOWS\ehome\ehrecvr.exe
1732 C:\WINDOWS\ehome\ehSched.exe
1884 C:\Program Files\Java\jre6\bin\jqs.exe
2056 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2164 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
2296 svchost.exe
2352 C:\WINDOWS\system32\svchost.exe
2440 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
2504 mcrdsvc.exe
2584 C:\WINDOWS\system32\wuauclt.exe
3000 C:\WINDOWS\system32\dllhost.exe
3264 alg.exe
3280 wmiprvse.exe
3352 C:\WINDOWS\ehome\ehtray.exe
3368 C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
3428 C:\WINDOWS\arpwrmsg.exe
3596 C:\WINDOWS\ehome\ehmsas.exe
3776 C:\Program Files\iTunes\iTunesHelper.exe
4008 C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
4072 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
208 C:\Program Files\Common Files\Java\Java Update\jusched.exe
584 C:\Program Files\real\realplayer\Update\realsched.exe
1488 C:\PROGRA~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE
2816 C:\Program Files\iPod\bin\iPodService.exe
2932 C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
2952 C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
3248 C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
3748 C:\hp\KBD\kbd.exe
3880 C:\WINDOWS\system\hpsysdrv.exe
1528 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
2236 C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000038`11f9bc00 (FAT32)
PhysicalDrive0 Model Number: WDCWD2500JS-60NCB1, Rev: 10.02E02
Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644 A
Done!
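Editor's added example, not part of the thread and not MBRCheck's code: the check MBRCheck performs above, written out. It reads one 512-byte sector, verifies the 0x55AA boot signature, walks the four partition entries and converts each start LBA to the byte offset MBRCheck prints (0x00000000`00007e00 for C:, 0x00000038`11f9bc00 for D:), and compares a SHA1 of the boot code against an allow-list. The sample sector is constructed here (zeroed boot code, a partition table laid out to match the two volumes in the log, an assumed disk size); the single allow-list entry is the SHA1 MBRCheck reported above, and the exact byte range MBRCheck hashes (taken here as the first 440 bytes, before the disk signature and partition table) is an assumption. One caveat when reading "Windows XP MBR code detected": both MBRCheck and this script read the sector through the running OS, so a bootkit that filters disk reads can present a clean sector; a read taken from boot media is the stronger check.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code, before disk signature and table
PART_TABLE_OFF = 446       # four 16-byte partition entries
SIG_OFF = 510              # 0x55AA boot signature

# Allow-list of known-good boot-code hashes. The one entry is the value MBRCheck
# printed for this disk in the log above; which byte range MBRCheck hashes is an
# assumption here, so treat this as an illustration, not a vendor-published list.
KNOWN_MBR_HASHES = {
    "DA38B874B7713D1B51CBC449F4EF809B0DEC644A": "Windows XP MBR code (per MBRCheck log above)",
}

PARTITION_TYPES = {0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)"}


def partition_entry(bootable, ptype, start_lba, sectors):
    """Build one 16-byte MBR partition entry. CHS fields get the 0xFE/0xFF/0xFF
    'use LBA' markers that LBA-era tools write."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", start_lba, sectors)


# Constructed sample: zeroed boot code plus a partition table matching the two
# volumes in the log (C: NTFS at byte 0x7e00 = LBA 63, D: FAT32 at byte
# 0x38_11f9bc00 = LBA 470351070). The disk size in sectors is an assumption.
DISK_SECTORS = 488_397_168
D_START = 0x3811F9BC00 // SECTOR
_mbr = bytearray(SECTOR)
_mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = partition_entry(True, 0x07, 63, D_START - 63)
_mbr[PART_TABLE_OFF + 16:PART_TABLE_OFF + 32] = partition_entry(False, 0x0C, D_START, DISK_SECTORS - D_START)
_mbr[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
SAMPLE_MBR = bytes(_mbr)


def format_offset(byte_offset):
    """Render a byte offset the way MBRCheck does: 0xHHHHHHHH`LLLLLLLL."""
    return "0x{:08x}`{:08x}".format(byte_offset >> 32, byte_offset & 0xFFFFFFFF)


def parse_mbr(mbr):
    """Signature check, boot-code hash lookup, and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    digest = hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs0, ptype, _chs1, start_lba, sectors = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype == 0 or sectors == 0:
            continue                                   # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
            "start_lba": start_lba,
            "sectors": sectors,
            "byte_offset": start_lba * SECTOR,        # what MBRCheck prints per volume
        })
    return {
        "signature_ok": mbr[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
        "boot_code_sha1": digest,
        "known": KNOWN_MBR_HASHES.get(digest),         # None => not on the allow-list
        "partitions": partitions,
    }


def verdict(report):
    """One-line status in MBRCheck's spirit: only a known hash counts as clean; a
    valid sector with unknown code is exactly the case that needs a manual look."""
    if not report["signature_ok"]:
        return "invalid boot signature"
    if report["known"]:
        return report["known"] + " detected"
    return "unknown MBR code, SHA1 " + report["boot_code_sha1"]


if __name__ == "__main__":
    rep = parse_mbr(SAMPLE_MBR)
    print(verdict(rep))
    for p in rep["partitions"]:
        print("partition %d: %-15s at offset %s%s" % (p["index"], p["type_name"],
              format_offset(p["byte_offset"]), " (bootable)" if p["bootable"] else ""))
```

Run as-is it reports the constructed sector as unknown (its zeroed boot code is on no allow-list) and prints the two offsets from the log. To check a real disk from an administrator prompt on Windows, feed `parse_mbr(open(r"\\.\PhysicalDrive0", "rb").read(512))` instead of SAMPLE_MBR, keeping in mind the caveat above about reading through a possibly compromised OS.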
-
Ok, the MBR has been fixed. That's a major step.
SysProt Antirootkit
Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).
http://sites.google.com/site/sysprotantirootkit/
Unzip it into a folder on your desktop.
- Double click Sysprot.exe to start the program.
- Click on the Log tab.
- In the Write to log box select the following items.
- Process << Selected
- Kernel Modules << Selected
- SSDT << Selected
- Kernel Hooks << Selected
- IRP Hooks << NOT Selected
- Ports << NOT Selected
- Hidden Files << Selected
- At the bottom of the page
- Hidden Objects Only << Selected
- Click on the Create Log button on the bottom right.
- After a few seconds a new window should appear.
- Select Scan Root Drive. Click on the Start button.
- When it is complete a new window will appear to indicate that the scan is finished.
- The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
-
I probably should have thought to ask this earlier: has my information been vulnerable during this infection/invasion? In other words, paying bills on-line (at secure sites) or entering private info on the same sites, is there any chance that info has been compromised? :'(
Here's the scan (thank you for all this help, BTW):
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F15A0000
Module End: F15B8000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7AC2000
Module End: F7AC4000
Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAdjustPrivilegesToken
Address: F18D466E
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwClose
Address: F18D4F02
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwConnectPort
Address: F177A2F4
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwCreateEvent
Address: F18D57D0
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwCreateFile
Address: F17745CA
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwCreateKey
Address: F179358A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwCreateMutant
Address: F18D56A8
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwCreateNamedPipeFile
Address: F18D4274
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwCreatePort
Address: F177AA80
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwCreateProcess
Address: F178DE4E
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwCreateProcessEx
Address: F178E23C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwCreateSection
Address: F17976F6
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwCreateSemaphore
Address: F18D5902
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwCreateSymbolicLinkObject
Address: F18D758C
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwCreateThread
Address: F18D4BA0
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwCreateWaitablePort
Address: F177ABB6
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwDebugActiveProcess
Address: F18D6F36
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwDeleteFile
Address: F17751E0
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwDeleteKey
Address: F1794E3C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwDeleteValueKey
Address: F17947B2
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwDeviceIoControlFile
Address: F18D5178
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwDuplicateObject
Address: F178CD8A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwEnumerateKey
Address: F18D3FAC
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwEnumerateValueKey
Address: F18D4056
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwFsControlFile
Address: F18D4F84
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwLoadDriver
Address: F176FE88
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwLoadKey
Address: F1795794
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwLoadKey2
Address: F179599C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwMapViewOfSection
Address: F1797A5E
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwNotifyChangeKey
Address: F18D41A2
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwOpenEvent
Address: F18D5872
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwOpenFile
Address: F1774DF2
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwOpenKey
Address: F18D36BE
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwOpenMutant
Address: F18D5740
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwOpenProcess
Address: F1790160
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwOpenSection
Address: F18D75B6
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwOpenSemaphore
Address: F18D59A4
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwOpenThread
Address: F178FD8A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwProtectVirtualMemory
Address: F17A4090
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwQueryKey
Address: F18D4100
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwQueryMultipleValueKey
Address: F18D3D28
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwQuerySection
Address: F18D7958
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwQueryValueKey
Address: F18D3978
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwQueueApcThread
Address: F18D72A6
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwRenameKey
Address: F179672A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwReplaceKey
Address: F1796060
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwReplyPort
Address: F18D5D2E
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwReplyWaitReceivePort
Address: F18D5BF4
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwRequestWaitReplyPort
Address: F1779EC4
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwRestoreKey
Address: F17970FC
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwResumeThread
Address: F18D7E30
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwSaveKey
Address: F18D332A
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwSecureConnectPort
Address: F177A59C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwSetContextThread
Address: F18D4DBE
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwSetInformationFile
Address: F17755A4
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwSetInformationObject
Address: F17A3F7C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwSetInformationToken
Address: F18D6586
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwSetSecurityObject
Address: F1796C6A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwSetSystemInformation
Address: F176F648
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwSetValueKey
Address: F1793F72
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwSuspendProcess
Address: F18D7B7C
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwSuspendThread
Address: F18D7CA4
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwSystemDebugControl
Address: F178EEA4
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwTerminateProcess
Address: F178EC20
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwTerminateThread
Address: F18D4956
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwUnloadDriver
Address: F177029C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwUnmapViewOfSection
Address: F18D780E
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwWriteVirtualMemory
Address: F18D4AE0
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied
Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied
Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied
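Editor's added example, not part of the thread and not SysProt's code: a triage pass over a SysProt log in the format posted above. It splits the log into its sections, turns each run of "Key: value" lines into a record, groups the SSDT entries by the driver that owns them, and flags anything a human should look at: an owner not on the allow-list, or a hook address that does not fall inside the driver image SysProt attributed it to. The allow-lists are assumptions for this machine: vsdatant.sys is ZoneAlarm's TrueVector driver and klif.sys is the Kaspersky Lab interceptor that ZoneAlarm Security Suite's antivirus engine uses (both appear in the MBRCheck driver list above next to the CheckPoint\ZoneAlarm processes); dump_atapi.sys and dump_WMILIB.SYS are the crash-dump copies of the storage stack that Windows loads without a service entry, which is why anti-rootkit tools commonly list them as hidden; and C:\Qoobox is ComboFix's backup folder, so "Access denied" there is expected. The sample log is a constructed excerpt, and its example_unknown.sys entry is made up to exercise the flagging path.

```python
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^(Kernel Modules|SSDT|Hidden files/folders):\s*$")
KV_RE = re.compile(r"^([A-Za-z /]+?):\s*(.*)$")

# Assumptions for this machine, not a vendor list: drivers expected to own SSDT
# entries (ZoneAlarm's TrueVector driver and the Kaspersky interceptor its AV
# engine uses) and the one folder where "Access denied" on hidden files is
# expected (C:\Qoobox is ComboFix's backup folder).
EXPECTED_SSDT_OWNERS = {"klif.sys", "vsdatant.sys"}
EXPECTED_HIDDEN_PREFIXES = ("c:\\qoobox\\",)

# Constructed excerpt in the format of the log above (not all of its entries).
# The example_unknown.sys entry is made up to exercise the flagging path.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
by swatkat
******************************
No Hidden Processes found
******************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F15A0000
Module End: F15B8000
Hidden: Yes
******************************
SSDT:
Function Name: ZwClose
Address: F18D4F02
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys
Function Name: ZwOpenProcess
Address: F1790160
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys
Function Name: ZwQueryDirectoryFile
Address: F2009400
Driver Base: F2000000
Driver End: F2008000
Driver Name: \??\C:\WINDOWS\system32\drivers\example_unknown.sys
******************************
No Kernel Hooks found
******************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied
"""


def parse_sysprot(text):
    """Return {section: [record, ...]}; a record is a dict of one entry's Key: value
    lines, and a repeated key marks the start of the next record."""
    sections, section, record = defaultdict(list), None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        head = SECTION_RE.match(line)
        if head:
            if record:
                sections[section].append(record)
            section, record = head.group(1), {}
            continue
        kv = KV_RE.match(line)
        if section is None or not kv:
            continue                      # banner and "No ... found" lines
        key, value = kv.groups()
        if key in record:                 # previous record is complete
            sections[section].append(record)
            record = {}
        record[key] = value
    if record:
        sections[section].append(record)
    return sections


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ssdt_by_driver(entries):
    """Which driver owns which system services: the first view a human triages."""
    groups = defaultdict(list)
    for e in entries:
        groups[basename(e["Driver Name"])].append(e["Function Name"])
    return {drv: sorted(fns) for drv, fns in groups.items()}


def flag_ssdt(entries, expected_owners=EXPECTED_SSDT_OWNERS):
    """SSDT entries needing a look: unexpected owner, or a hook address that does
    not fall inside the image SysProt attributed it to."""
    flagged = []
    for e in entries:
        drv = basename(e["Driver Name"])
        addr, base, end = (int(e[k], 16) for k in ("Address", "Driver Base", "Driver End"))
        reasons = []
        if drv not in expected_owners:
            reasons.append("driver not on allow-list")
        if not base <= addr < end:
            reasons.append("address outside driver image")
        if reasons:
            flagged.append((e["Function Name"], drv, reasons))
    return flagged


def unexplained_hidden_modules(modules):
    """Hidden kernel modules other than dump_*.sys, the crash-dump copies of the
    storage stack that load without a service entry (a routine finding)."""
    names = [basename(m["Module Name"]) for m in modules if m.get("Hidden", "").lower() == "yes"]
    return [n for n in names if not n.startswith("dump_")]


def unexplained_hidden_files(objects, prefixes=EXPECTED_HIDDEN_PREFIXES):
    return [o["Object"] for o in objects if not o["Object"].lower().startswith(prefixes)]


if __name__ == "__main__":
    log = parse_sysprot(SAMPLE_LOG)
    print(ssdt_by_driver(log["SSDT"]))
    print(flag_ssdt(log["SSDT"]))
    print(unexplained_hidden_modules(log["Kernel Modules"]), unexplained_hidden_files(log["Hidden files/folders"]))
```

Against the full log above this grouping shows every SSDT entry owned by klif.sys or vsdatant.sys, the only hidden modules the two dump_* drivers, and every hidden file under C:\Qoobox. A clean pass like that means "nothing unexplained in this log", not "nothing present": a rootkit can also name its driver after a legitimate one, which is why the address range is checked as well as the name, and why the path of the owning driver (the \??\C:\... form versus \SystemRoot\...) is worth a second look before it is added to any allow-list.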
-
has my information been vulnerable during this infection/invasion? In other words, paying bills on-line (at secure sites) or entering private info on the same sites, is there any chance that info has been compromised?
Well, you did have a rootkit which could have compromised your computer. Here's what you should do just to be safe.
Do you have ZoneAlarm Firewall?
It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.
Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.
Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:
What danger is presented by rootkits? (http://www.pandasecurity.com/homeusers/security-info/types-malware/rootkit/#e2)
Rootkits and how to combat them (http://www.viruslist.com/en/analysis?pubid=168740859)
r00tkit Analysis: What Is A Rootkit (http://www.omninerd.com/articles/r00tkit_Analysis_What_Is_A_Rootkit)
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
What Should I Do If I've Become A Victim Of Identity Theft? (http://www.usdoj.gov/criminal/fraud/websites/idtheft.html#whatifvictim)
Identity Theft Victims Guide - What to do (http://www.privacyrights.org/fs/fs17a.htm)
It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Help: I Got Hacked. Now What Do I Do? (http://technet.microsoft.com/en-us/library/cc512587.aspx)
Help: I Got Hacked. Now What Do I Do? Part II (http://technet.microsoft.com/en-us/library/cc512595.aspx)
Where to draw the line? When to recommend a format and reinstall? (http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html)
Guides for format and reinstall: (http://www.GeekPolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115)
how-to-reformat-and-reinstall-your-operating-system-the-easy-way (http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143)
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.
Should you have any questions, please feel free to ask.
*****************************************************
I'd like to scan your machine with ESET OnlineScan
•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
•Click the ESET Online Scanner button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on the ESET Smart Installer link to download the ESET Smart Installer. Save it to your desktop.
- Double click on the ESET Smart Installer icon on your desktop.
•Check the Accept Terms box.
•Click the Start button.
•Accept any security warnings from your browser.
•Check Scan archives.
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push List Threats.
•Push Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the Back button.
•Push Finish.
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
-
Hi Dave,
Well, now that I’m thoroughly sick, I have questions, and I hope you can help and don’t mind continuing to help me.
I run Zone Alarm Security Suite and the teatimer program (is it SAS, or Spybot? I’ve had it on my computer since you helped me a couple of years ago.) I also have WOT. I periodically update and run CCleaner, SAS, Spybot, Spyware Blaster, MBAM, although unfortunately I’ll admit it’s probably been 6 months. Why didn’t ZA or teatimer catch this stuff coming in? Do you think they prevented anything going out?
I tried reading all the links you provided; frankly, I was way in over my head and didn’t understand a good deal of it. I got the idea that rootkits can sometimes be purposely installed for legitimate use. In December I had problems logging into one of the servers at work through the internet, and the tech people said they had to remotely access my computer to fix the problem. They sent me an “invitation” I had to accept so they could gain remote access. Is there any chance that’s where the rootkits came from and they’re harmless? Is there any way to tell where they came from and what they did--or are doing?
I read also that malware can be downloaded to your computer through image files. Unfortunately, I have downloaded LOTS of image files--I draw as a hobby and when I see a picture I like, I download it to use as a reference. I have hundreds of pictures. I backed them all up to CD along with my other files when I did the back-ups this week. Would they have been scanned when downloaded? Would something have shown up if there was something in them? Could they/should they be scanned now on the CD? (I’d like to keep them if I could, but if there’s any chance they’ll do harm, I won’t keep them--but is it safe to get my other files off the disk now?)
Are there any other types of files malware could now be hiding in--Word or Excel files, for example?
I read that the only way to be sure my computer is clean is to reformat completely and reinstall the disks. I’m not sure I could handle that, even if I bought the disks (could it be done from the recovery disks, or does reformatting require original installation disks?) Besides, how safe is it really for how long--if this stuff got in once, why couldn’t it get in again the first time I went on-line? Is it really a fail-safe?
I don’t save/remember passwords, not even in Outlook for e-mail; I don’t keep password lists on my computer--but I do have a document I save to flash-drive with passwords. Is it possible my passwords are compromised anyway--could the info be stolen when I had the file open while working in it? Same with account #s--the only time they’re on my computer is when I type them in on a “secure” site. Wouldn’t that require a program to log keystrokes, and is there any way to tell if that happened? (I e-filed my taxes, all our taxes, on-line about a month ago. I shudder to think that I typed in social security #s and everything. Is this info vulnerable?)
One of the articles mentioned something about changing passwords if you use a router. We have a router; this computer is attached to the router through a line, but my daughter’s laptop is wireless. This computer is the administrator for the router. Is her computer in danger? Do I need to change the password? (And if I do, how do I know it’s safe to do it now?)
I had ZA off for about a day when it seemed to be causing the problem (I exited from the task tray; does that turn off the firewall too, or just the antivirus?) It’s been back on most of the time since then though. But teatimer resident is still off--I turned it off when your instructions said to. Should I turn it back on yet?
ZA scanned while ESET was scanning, and it came up with 4 items--but when I looked at them, it appeared they were all items quarantined by TDSSKiller. I’m assuming they’re nothing to worry about now. Is that correct?
Last thing: In prepping ESET to scan, the instructions said to check “scan archives”. When I checked that box, there was another box above it checked, the one for fix problems. Since the instructions didn’t say to check that box, I unchecked it. Should I have left it checked? Should I run ESET again with it checked?
My big fear is having done the income taxes and paying bills on-line, wondering how much of a possibility there is that my information was compromised. I thought as I was on a secure site there was nothing to worry about. Is there no way to determine if anything was stolen?
I apologize for all the questions; this really just has me sick. Here’s the scan; I appreciate anything you can do to help or any information you can give me.
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ee88f3395f713448af264009a4a0aa3e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-04-06 02:22:58
# local_time=2012-04-05 10:22:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 71250665 71250665 0 0
# compatibility_mode=8192 67108863 100 0 70886976 70886976 0 0
# compatibility_mode=9217 16776533 100 13 2026307 11854075 0 0
# scanned=153944
# found=4
# cleaned=0
# scan_time=20021
C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AG trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.KS trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AF trojan (unable to clean) 00000000000000000000000000000000 I
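The ESET log above is plain text, so the question of whether its four hits are anything new can be answered mechanically. The following is an added example (not part of the thread, and not ESET's or TDSSKiller's own tooling) that parses the `#` header and detection lines and separates hits sitting inside TDSSKiller's quarantine folder from hits anywhere else; the quarantine prefix list, the sample log and its last detection are constructed assumptions.

```python
import re

# Constructed sample in the ESET Online Scanner log format posted above:
# '#' header lines, then one detection per line shaped as
#   <path> <threat name> (<action>) <32 hex chars> <flag>
# The last detection and the all-zero "hashes" are placeholders, not real data.
SAMPLE_LOG = """\
# scanned=153944
# found=4
# cleaned=0
C:\\TDSSKiller_Quarantine\\30.03.2012_14.48.11\\mbr0000\\tdlfs0000\\tsk0002.dta Win64/Olmarik.AD trojan (unable to clean) 00000000000000000000000000000000 I
C:\\TDSSKiller_Quarantine\\30.03.2012_14.48.11\\mbr0000\\tdlfs0000\\tsk0005.dta a variant of Win32/Rootkit.Kryptik.KS trojan (unable to clean) 00000000000000000000000000000000 I
C:\\TDSSKiller_Quarantine\\30.03.2012_14.48.11\\mbr0000\\tdlfs0000\\tsk0006.dta Win64/Olmarik.AF trojan (unable to clean) 00000000000000000000000000000000 I
C:\\Documents and Settings\\user\\Local Settings\\Temp\\sample.exe Win32/Example.A trojan (unable to clean) 00000000000000000000000000000000 I
"""
# Paths may contain spaces; requiring the threat name to have no backslash
# is what makes the lazy path match stop in the right place.
DETECTION = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<threat>[^\\]+?) "
    r"\((?P<action>[^()]*)\) (?P<hash>[0-9A-Fa-f]{32}) (?P<flag>\S)$"
)
# Folders whose contents are quarantine leftovers rather than live infections
# (assumed list; TDSSKiller's folder is the one that appears in the thread).
QUARANTINE_PREFIXES = ("c:\\tdsskiller_quarantine\\",)


def parse_eset_log(text):
    """Return (header dict, list of detection dicts) for one ESET log."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            header.setdefault(key.strip(), value.strip())  # first copy wins
        elif line:
            m = DETECTION.match(line)
            if m:                      # silently skip lines in any other shape
                detections.append(m.groupdict())
    return header, detections


def triage(log_text):
    """Check the '# found=' count and split detections by location."""
    header, detections = parse_eset_log(log_text)
    result = {"count_matches": header.get("found") == str(len(detections)),
              "already_quarantined": [], "needs_attention": []}
    for d in detections:
        bucket = ("already_quarantined"
                  if d["path"].lower().startswith(QUARANTINE_PREFIXES)
                  else "needs_attention")
        result[bucket].append(d)
    return result
```

Anything landing in `needs_attention` is a path outside a known quarantine folder and is what a helper would want to see next; the quarantine leftovers disappear with the quarantine folder, as the reply below notes.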
-
I run Zone Alarm Security Suite and the teatimer program (is it SAS, or Spybot?)
Is your Zone Alarm Security Suite firewall enabled? TeaTimer belongs to Spybot.
Why didn’t ZA or teatimer catch this stuff coming in? Do you think they prevented anything going out?
If your Firewall is like mine I would imagine it caught the out-going traffic.
They sent me an “invitation” I had to accept so they could gain remote access. Is there any chance that’s where the rootkits came from and they’re harmless? Is there any way to tell where they came from and what they did--or are doing?
It's almost impossible to determine where the rootkit came from.
I read also that malware can be downloaded to your computer through image files. Unfortunately, I have downloaded LOTS of image files--I draw as a hobby and when I see a picture I like, I download it to use as a reference. I have hundreds of pictures. I backed them all up to CD along with my other files when I did the back-ups this week. Would they have been scanned when downloaded? Would something have shown up if there was something in them? Could they/should they be scanned now on the CD? (I’d like to keep them if I could, but if there’s any chance they’ll do harm, I won’t keep them--but is it safe to get my other files off the disk now?)
It really depends where you downloaded them from. I really can't say if they had been scanned but I would imagine they were. They should be scanned before replacing them on your computer. Scan them with your AV and also MBAM.
Are there any other types of files malware could now be hiding in--word or excel files, for example..
Not likely unless you received a file from someone who was infected.
I read that the only way to be sure my computer is clean is to reformat completely and reinstall the disks. I’m not sure I could handle that, even if I bought the disks (could it be done from the recovery disks, or does reformatting require original installation disks?) Besides, how safe is it really for how long--if this stuff got in once, why couldn’t it get in again the first time I went on-line? Is it really a fail-safe?
That's really the safest way to go and it is fail-safe.
I don’t save/remember passwords, not even in Outlook for e-mail; I don’t keep password lists on my computer--but I do have a document I save to flash-drive with passwords. Is it possible my passwords are compromised anyway--could the info be stolen when I had the file open while working in it? Same with account #s--the only time they’re on my computer is when I type them in on a “secure” site. Wouldn’t that require a program to log keystrokes, and is there any way to tell if that happened? (I e-filed my taxes, all our taxes, on-line about a month ago. I shudder to think that I typed in social security #s and everything. Is this info vulnerable?)
That could only be done if a keylogger was put on your computer and there was no evidence of that.
One of the articles mentioned something about changing passwords if you use a router. We have a router; this computer is attached to the router through a line, but my daughter’s laptop is wireless. This computer is the administrator for the router. Is her computer in danger? Do I need to change the password? (And if I do, how do I know it’s safe to do it now?)
Some modems do have passwords on them and some don't. It probably wouldn't hurt to change it.
I had ZA off for about a day when it seemed to be causing the problem (I exited from the task tray; does that turn off the firewall too, or just the antivirus?) It’s been back on most of the time since then though. But teatimer resident is still off--I turned it off when your instructions said to. Should I turn it back on yet?
I'm not sure how ZoneAlarm works. You should turn on teatimer again.
ZA scanned while ESET was scanning, and it came up with 4 items--but when I looked at them, it appeared they were all items quarantined by TDSSKiller. I’m assuming they’re nothing to worry about now. Is that correct?
As soon as TDSSKiller is removed, they will be gone.
My big fear is having done the income taxes and paying bills on-line, wondering how much of a possibility there is that my information was compromised. I thought as I was on a secure site there was nothing to worry about. Is there no way to determine if anything was stolen?
I highly doubt it especially if you have the ZoneAlarm Firewall enabled.
Let's do some cleanup
To uninstall ComboFix
- Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
- In the field, type in ComboFix /uninstall
(http://i424.photobucket.com/albums/pp322/digistar/Combofix_uninstall_image.jpg)
(Note: Make sure there's a space between the word ComboFix and the forward-slash.)
- Then, press Enter, or click OK.
- This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
*****************************************************
Clean out your temporary internet files and temp files.
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.
Double-click TFC.exe to run it.
Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.
Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*****************************************************
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
• Click Start Now
• Check the box next to Enable thorough system inspection.
• Click Start
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.
----------
Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
I suggest using WOT - Web of Trust (http://www.mywot.com/). WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer (http://www.bleepingcomputer.com/forums/tutorial49.html) from Spyware and Malware
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. (http://www.safer-networking.org/en/spybotsd/index.html) Guide: Use Spybot's Immunize Feature (http://www.bleepingcomputer.com/tutorials/tutorial43.html#immunize) to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ (http://www.safer-networking.org/en/faq/index.html)
Check out Keeping Yourself Safe On The Web (http://evilfantasy.wordpress.com/2008/05/20/keeping-yourself-safe-on-the-web/) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It may not be Malware (http://evilfantasy.wordpress.com/2008/05/24/slow-computer-it-may-not-be-malware/) for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!
-
Hi Superdave,
I can't thank you enough, both for helping me and for having the patience to answer all my questions (and address my fears!). I ran the scans you recommended. I have just a couple more questions:
I have been running Zone Alarm suite, spybot, and SAS for a couple of years; I update them periodically (I have to get back onto a schedule again, I admit) and also do scans with MBAM, CCleaner, Spyware Blaster...should I keep doing all of this, or are any of them not really necessary? I was thinking I should add TFC (or is CCleaner enough), ESET, Secunia occasionally...should I? Should I also be running anything else on a regular basis (like TDSSKiller?) or are these better left to only when there are problems and someone who actually knows what they're doing is supervising their use?
Should I now delete all of the programs we used in this fix and their logs from my desktop, or just move them to a folder and keep them?
Secunia listed 4 instances of Java; I checked Java's website and they said delete older versions, so I'm just updating the latest.
Are we all done now, and would it be OK to defrag? With all the stuff I've removed, I'm sure it needs it.
Again, Thank you for all you've done; I can't imagine how I would have handled this without you. As I said, this computer is my livelihood and my family's sole income and source of security. What you've done is extremely important. Thank you again!
-
I have been running Zone Alarm suite, spybot, and SAS for a couple of years; I update them periodically (I have to get back onto a schedule again, I admit) and also do scans with MBAM, CCleaner, Spyware Blaster...should I keep doing all of this, or are any of them not really necessary?
It's probably not necessary but if you have the time it wouldn't hurt.
I was thinking I should add TFC (or is CCleaner enough), ESET, Secunia occasionally...should I?
Wouldn't hurt.
Should I also be running anything else on a regular basis (like TDSSKiller?) or are these better left to only when there are problems and someone who actually knows what they're doing is supervising their use?
No, that's not necessary.
Should I now delete all of the programs we used in this fix and their logs from my desktop, or just move them to a folder and keep them?
Not necessary. You probably won't need them again.
Are we all done now, and would it be OK to defrag? With all the stuff I've removed, I'm sure it needs it.
It's a good idea to do that about once a month.
You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.