Author Topic: "..." not a valid Win32 application, The application or DLL not valid windows im (Read 30198 times)

diggerjoy · « **on:** March 29, 2012, 09:03:36 AM »

Computer slowed right down yesterday, wasn't working (IE was open), tried reboot, got The application or DLL not valid windows image, then when tried to open apps got that they aren't valid Win32 apps. Tried reboot. Get one chance to open 1 ap--only one that will open (after many tries at others) is IE. Then can only open one window, one tab. I've tried reboots. I used F10 and ran basic test and CPU/memory test (everything passed). I tried a system restore to an earlier point (Mar 9). Nothing helped. Can't open task manager with ctrl-alt-del to see what's going on. Zone alarm seems stuck in scan. I can't run any CCleaner, malwarebytes, nothing. (I was able to right-click spybot in tray and select exit spybot resident, but then couldn't do anything else). Can't do anything from control panel--can open ctrl panel, but can't add/remove programs or anything. Can't open new tabs or windows.
Running Windows XP media edition 2005 on HP Pavilion. I have an HP recovery tools CD and 3 recovery disks. Is there any save here? If not, how do I recover--just go to reboot, F10...?? I don't want to logout of CH until I have some idea of what to do because I may not get back on...will keep open...

SuperDave · « **Reply #1 on:** March 29, 2012, 01:10:53 PM »

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
First of all, please try re-booting your computer. Next, please try running this in Safe Mode with NetWorking. If it runs, please try to run it in Normal mode.
Here's how to get into Safe Mode.

Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

diggerjoy · « **Reply #2 on:** March 29, 2012, 03:04:11 PM »

hi superdave,
YOu helped me once before about 2 years ago. At that time you had directed me to the file on removing malware, and the steps included using CCleaner, Superantispyware, and then MBAM. It also explained about using safe mode, so I took a chance, shutdown and rebooted in safe mode using those instructions, and since things seemed to be working better (I could actually open Word, IE, WE, etc) I started the process--I ran CCleaner, and have SAS in process. It's been running an hour (nothing detected yet) so I figured it was better to keep going with SAS and run MBAM after..Is that OK? I will save the logs. Do you want Hijack This (I have it as sniper on my computer). I am not using my computer right now other than the scans; I am using another computer to check with you.

Question: could zone alarm security suite be causing this problem? That's the only thing I can think of is that maybe ZA ran an update just before things went bad. The only other thing I was doing was reading news reports from Yahoo... It seems when I boot in regular mode, I can open something but then ZA starts a scan and just sticks--keeps on scanning. I did have a problem with it freezing up once before (maybe the same time I got your help last time), so it was something I considered. Just something I wanted to throw out there.

I will finish running SAS and MBAM, and will post the logs. Thank you so much for your help!

diggerjoy · « **Reply #3 on:** March 29, 2012, 06:06:30 PM »

Here are my logs: SAS, MBAM, Hijack this (thank you!)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/29/2012 at 06:14 PM

Application Version : 4.56.1000

Core Rules Database Version : 6257
Trace Rules Database Version: 4069

Scan type : Complete Scan
Total Scan Time : 02:29:20

Memory items scanned : 268
Memory threats detected : 0
Registry items scanned : 7627
Registry threats detected : 0
File items scanned : 129299
File threats detected : 13

Adware.Tracking Cookie
   cdn.tremormedia.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\UU5V5XP8 ]
   crackle.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\UU5V5XP8 ]
   objects.tremormedia.com [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\UU5V5XP8 ]
   tag.2bluemedia.hiro.tv [ C:\Documents and Settings\LocalService\Application Data\Macromedia\Flash Player\#SharedObjects\UU5V5XP8 ]
   cdn.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
   cdn2.baronsmedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
   core.insightexpressai.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
   media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
   media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
   msnbcmedia.msn.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
   objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
   secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]
   tag.2bluemedia.hiro.tv [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\X57EAZD4 ]

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.29.09

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
HP_Administrator :: HEATHER [administrator]

Protection: Disabled

3/29/2012 6:40:20 PM
mbam-log-2012-03-29 (18-40-20).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 338353
Time elapsed: 56 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\35\2c6ddfa3-2adaf9c3 (Trojan.Zbot) -> Quarantined and deleted successfully.

(end)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:55 PM, on 3/29/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = kav.zonealarm.com;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: ZoneAlarm Security - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files\ZoneAlarm_Security\prxtbZon2.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\Run: [ISW] "C:\Program Files\CheckPoint\ZAForceField\ForceField.exe" /icon="hidden"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: ActiveGS.cab - http://activegs.freetoolsassociation.com/ActiveGS.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} (IBM Lotus iNotes 8.5 Control) - https://mail.esc.edu/dwa85W.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail.esc.edu/iNotes6W.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {5BDBA960-6534-11D3-97C7-00500422B550} (LotusDRSControl Class) - https://mail.esc.edu/download/dolcontrol.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {75AA409D-05F9-4F27-BD53-C7339D4B1D0A} (IBM Lotus iNotes 8.5 Control) - https://mail.esc.edu/dwa85W.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://fowilh.dynalias.com:1258/activex/AMC.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9922 bytes

SuperDave · « **Reply #4 on:** March 29, 2012, 06:57:32 PM »

Quote

could zone alarm security suite be causing this problem? That's the only thing I can think of is that maybe ZA ran an update just before things went bad.

I really doubt it but we'll know more after some more scans.

Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives

On completion of the scan click save log, save it to your desktop and post in your next reply.
*********************************************************
Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

Close any open windows and double click ComboFix.exe to run it.

You will see the following image:

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

diggerjoy · « **Reply #5 on:** March 30, 2012, 09:27:19 AM »

I ran aswMBR and ComboFix. One problem: I disabled teatimer and thought Zone Alarm wasn't running (it's icon wasn't in the tray). When I was running ComboFix, however, the icon appeared (I think it was in the 40s). I left everything alone, but everything seemed to stall in stage 48, so I took the chance and right clicked on ZA and exited. Everything seemed to progress normally after that. I hope I didn't screw anything up; sorry that I didn't realize it must have been booting or something. If I need to run anything again, I will. Neither program caused a reboot. Here are the logs.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-30 07:00:37
-----------------------------
07:00:37.343 OS Version: Windows 5.1.2600 Service Pack 3
07:00:37.343 Number of processors: 2 586 0x407
07:00:37.343 ComputerName: HEATHER UserName:
07:02:55.578 Initialize success
07:04:41.968 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-30 07:00:37
-----------------------------
07:00:37.343 OS Version: Windows 5.1.2600 Service Pack 3
07:00:37.343 Number of processors: 2 586 0x407
07:00:37.343 ComputerName: HEATHER UserName:
07:02:55.578 Initialize success
07:04:41.968 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"
07:16:25.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
07:16:25.890 Disk 0 Vendor: WDC_WD2500JS-60NCB1 10.02E02 Size: 238475MB BusType: 3
07:16:25.906 Device \Driver\atapi -> DriverStartIo 8620d2c6
07:16:25.953 Disk 0 MBR read successfully
07:16:25.968 Disk 0 MBR scan
07:16:26.000 Disk 0 TDL4@MBR code has been found
07:16:26.015 Disk 0 MBR hidden
07:16:26.078 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 229655 MB offset 63
07:16:26.187 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 8809 MB offset 470351070
07:16:26.203 Disk 0 MBR [TDL4] **ROOTKIT**
07:16:26.218 Disk 0 trace - called modules:
07:16:26.250 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8620d49f]<<
07:16:26.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8637aab8]
07:16:27.609 3 CLASSPNP.SYS[f75cffd7] -> nt!IofCallDriver -> \Device\0000006e[0x863dfb58]
07:16:27.671 5 ACPI.sys[f7526620] -> nt!IofCallDriver -> [0x8637fd98]
07:16:27.734 \Driver\atapi[0x86275358] -> IRP_MJ_CREATE -> 0x8620d49f
07:16:27.812 Scan finished successfully
07:17:01.875 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\MBR.dat"
07:17:02.046 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"

ComboFix 12-03-30.06 - HP_Administrator 03/30/2012 9:33.2.2 - x86 NETWORK
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\HP_Administrator\g2mdlhlpx.exe
c:\documents and settings\HP_Administrator\WebVpnRegKey6-lime-esc-edu.dll
c:\documents and settings\HP_Administrator\WINDOWS
c:\windows\HPCPCUninstaller-6.3.2.116-9972322.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\drivers\etc\lmhosts
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-30 )))))))))))))))))))))))))))))))
.
.
2012-03-23 02:27 . 2012-03-23 02:27   --------   d-----w-   c:\program files\Common Files\xing shared
2012-03-23 02:08 . 2012-03-23 02:08   --------   d-----w-   c:\documents and settings\HP_Administrator\Application Data\RealNetworks
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 12:49 . 2011-05-18 11:55   414368   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-08-09 21:00   1860096   ----a-w-   c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 21:18   3072   ------w-   c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2004-08-09 21:00   139784   ------w-   c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZon2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-05-09 09:49   176936   ----a-w-   c:\program files\ZoneAlarm_Security\prxtbZon2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZon2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZon2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPWebCap"="c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2000-03-01 48128]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 77312]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-11-22 842584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-03-23 296056]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2008-2-16 209016]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-10-9 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-10-9 27136]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FreeFileViewer\\FFVCheckForUpdates.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 ATMhelpr;ATMhelpr;

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-03-26 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-07-22 67656]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-06-15 249648]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [2011-11-03 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [2011-11-03 497280]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-07-07 195336]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
R3 pmxscan;Visioneer USB Kernel;c:\windows\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-03-26 12872]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-10-14 11352]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - MDMXSDK
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-03-30 c:\windows\Tasks\Free File Viewer Update Checker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2010-09-27 15:25]
.
2012-03-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3569513725-2765621968-4288608965-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 21:45]
.
2012-03-29 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3569513725-2765621968-4288608965-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2012-01-30 21:45]
.
2012-03-29 c:\windows\Tasks\User_Feed_Synchronization-{F43CDC39-447B-4420-8864-9FA434243A35}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = kav.zonealarm.com;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab
DPF: {0F2AAAE3-7E9E-4B64-AB5D-1CA24C6ACB9C} - hxxps://mail.esc.edu/dwa85W.cab
DPF: {5BDBA960-6534-11D3-97C7-00500422B550} - hxxps://mail.esc.edu/download/dolcontrol.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://fowilh.dynalias.com:1258/activex/AMC.cab
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-30 11:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JS-60NCB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8620D2C6
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(544)
c:\windows\system32\WININET.dll
.
Completion time: 2012-03-30 11:14:55
ComboFix-quarantined-files.txt 2012-03-30 15:14
ComboFix2.txt 2009-12-26 04:54
.
Pre-Run: 153,360,355,328 bytes free
Post-Run: 153,664,700,416 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - D6353CFCD5377E4E1949D4F4D3342133

SuperDave · « **Reply #6 on:** March 30, 2012, 11:11:14 AM »

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
Click the Report button and copy/paste the contents of it into your next reply

Note:It will also create a log in the C:\ directory..

Please run aswMBR.exe again and post the log after doing the above.

diggerjoy · « **Reply #7 on:** March 30, 2012, 01:21:31 PM »

Here are the TDSSKiller and aswMBR logs:

14:48:10.0750 2140   TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
14:48:11.0390 2140   ============================================================
14:48:11.0390 2140   Current date / time: 2012/03/30 14:48:11.0390
14:48:11.0390 2140   SystemInfo:
14:48:11.0390 2140
14:48:11.0390 2140   OS Version: 5.1.2600 ServicePack: 3.0
14:48:11.0390 2140   Product type: Workstation
14:48:11.0390 2140   ComputerName: HEATHER
14:48:11.0390 2140   UserName: HP_Administrator
14:48:11.0390 2140   Windows directory: C:\WINDOWS
14:48:11.0390 2140   System windows directory: C:\WINDOWS
14:48:11.0390 2140   Processor architecture: Intel x86
14:48:11.0390 2140   Number of processors: 2
14:48:11.0390 2140   Page size: 0x1000
14:48:11.0390 2140   Boot type: Safe boot with network
14:48:11.0390 2140   ============================================================
14:48:17.0265 2140   Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
14:48:17.0281 2140   \Device\Harddisk0\DR0:
14:48:17.0281 2140   MBR used
14:48:17.0281 2140   \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1C08BDDE
14:48:17.0281 2140   \Device\Harddisk0\DR0\Partition1: MBR, Type 0xC, StartLBA 0x1C08FCDE, BlocksNum 0x11348A3
14:48:17.0453 2140   Initialize success
14:48:17.0453 2140   ============================================================
14:48:39.0218 2428   ============================================================
14:48:39.0218 2428   Scan started
14:48:39.0218 2428   Mode: Manual;
14:48:39.0218 2428   ============================================================
14:48:43.0078 2428   Abiosdsk - ok
14:48:43.0203 2428   abp480n5 - ok
14:48:43.0484 2428   ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:48:43.0500 2428   ACPI - ok
14:48:43.0593 2428   ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
14:48:43.0593 2428   ACPIEC - ok
14:48:43.0656 2428   adpu160m - ok
14:48:43.0765 2428   aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:48:43.0796 2428   aec - ok
14:48:43.0875 2428   AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
14:48:43.0875 2428   AFD - ok
14:48:43.0890 2428   Aha154x - ok
14:48:43.0937 2428   aic78u2 - ok
14:48:43.0968 2428   aic78xx - ok
14:48:44.0046 2428   Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
14:48:44.0046 2428   Alerter - ok
14:48:44.0093 2428   ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
14:48:44.0125 2428   ALG - ok
14:48:44.0171 2428   AliIde - ok
14:48:44.0218 2428   amsint - ok
14:48:44.0531 2428   APC UPS Service (9106457d01655d38a9b9f6f822117160) C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
14:48:44.0531 2428   APC UPS Service - ok
14:48:44.0625 2428   Apple Mobile Device (5aa788d5a2c6737bb9c45933985bc1b8) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
14:48:44.0625 2428   Apple Mobile Device - ok
14:48:44.0812 2428   AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
14:48:44.0828 2428   AppMgmt - ok
14:48:44.0937 2428   aracpi (00523019e3579c8f8a94457fe25f0f24) C:\WINDOWS\system32\DRIVERS\aracpi.sys
14:48:44.0937 2428   aracpi - ok
14:48:45.0015 2428   arhidfltr (9fedaa46eb1a572ac4d9ee6b5f123cf2) C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
14:48:45.0031 2428   arhidfltr - ok
14:48:45.0062 2428   arkbcfltr (82969576093cd983dd559f5a86f382b4) C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
14:48:45.0062 2428   arkbcfltr - ok
14:48:45.0109 2428   armoucfltr (9b21791d8a78faece999fadbebda6c22) C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
14:48:45.0109 2428   armoucfltr - ok
14:48:45.0218 2428   Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
14:48:45.0218 2428   Arp1394 - ok
14:48:45.0296 2428   ARPolicy (7a2da7c7b0c524ef26a79f17a5c69fde) C:\WINDOWS\system32\DRIVERS\arpolicy.sys
14:48:45.0296 2428   ARPolicy - ok
14:48:45.0375 2428   ARSVC (9a0d9b2e263bede80fb79ddbad240ec1) C:\WINDOWS\arservice.exe
14:48:48.0703 2428   ARSVC - ok
14:48:48.0921 2428   asc - ok
14:48:49.0000 2428   asc3350p - ok
14:48:49.0046 2428   asc3550 - ok
14:48:49.0296 2428   aspnet_state (e1a1206a4fb19b675e947b29ccd25fba) C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
14:48:49.0312 2428   aspnet_state - ok
14:48:49.0390 2428   AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:48:49.0390 2428   AsyncMac - ok
14:48:49.0468 2428   atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:48:49.0468 2428   atapi - ok
14:48:49.0500 2428   Atdisk - ok
14:48:49.0593 2428   Ati HotKey Poller (5784a06fdc2ac7954225a1a79e1a8f00) C:\WINDOWS\system32\Ati2evxx.exe
14:48:49.0609 2428   Ati HotKey Poller - ok
14:48:49.0765 2428   ati2mtag (dd222ce49e79f15d2312a5e1f42e716e) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
14:48:49.0859 2428   ati2mtag - ok
14:48:49.0984 2428   Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:48:50.0000 2428   Atmarpc - ok
14:48:50.0093 2428   ATMhelpr (3ef1db7f168851914517d4ed36b57c04) C:\WINDOWS\system32\drivers\ATMhelpr.sys
14:48:50.0093 2428   ATMhelpr - ok
14:48:50.0281 2428   AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
14:48:50.0281 2428   AudioSrv - ok
14:48:50.0500 2428   audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:48:50.0500 2428   audstub - ok
14:48:50.0781 2428   BBSvc (2ed050291bc1d7f9e322e328db3aaecf) C:\Program Files\Microsoft\BingBar\BBSvc.EXE
14:48:50.0781 2428   BBSvc - ok
14:48:50.0906 2428   BBUpdate (785de7abda13309d6065305542829e76) C:\Program Files\Microsoft\BingBar\SeaPort.EXE
14:48:50.0921 2428   BBUpdate - ok
14:48:50.0984 2428   Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:48:50.0984 2428   Beep - ok
14:48:51.0109 2428   BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
14:48:51.0265 2428   BITS - ok
14:48:51.0375 2428   Bonjour Service (f832f1505ad8b83474bd9a5b1b985e01) C:\Program Files\Bonjour\mDNSResponder.exe
14:48:51.0390 2428   Bonjour Service - ok
14:48:51.0578 2428   Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
14:48:51.0593 2428   Browser - ok
14:48:51.0718 2428   BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
14:48:51.0718 2428   BVRPMPR5 - ok
14:48:51.0875 2428   catchme - ok
14:48:51.0937 2428   cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:48:51.0937 2428   cbidf2k - ok
14:48:51.0968 2428   cd20xrnt - ok
14:48:52.0031 2428   Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:48:52.0031 2428   Cdaudio - ok
14:48:52.0109 2428   Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:48:52.0140 2428   Cdfs - ok
14:48:52.0281 2428   Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:48:52.0281 2428   Cdrom - ok
14:48:52.0312 2428   Changer - ok
14:48:52.0390 2428   CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
14:48:52.0390 2428   CiSvc - ok
14:48:52.0500 2428   ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
14:48:52.0500 2428   ClipSrv - ok
14:48:52.0531 2428   CmdIde - ok
14:48:52.0593 2428   Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:48:52.0593 2428   Compbatt - ok
14:48:52.0625 2428   COMSysApp - ok
14:48:52.0718 2428   Cpqarray - ok
14:48:52.0796 2428   CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
14:48:52.0796 2428   CryptSvc - ok
14:48:52.0828 2428   dac2w2k - ok
14:48:52.0859 2428   dac960nt - ok
14:48:52.0937 2428   DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
14:48:53.0015 2428   DcomLaunch - ok
14:48:53.0093 2428   Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
14:48:53.0109 2428   Dhcp - ok
14:48:53.0296 2428   Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:48:53.0296 2428   Disk - ok
14:48:53.0359 2428   dmadmin - ok
14:48:53.0468 2428   dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:48:53.0500 2428   dmboot - ok
14:48:53.0593 2428   dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
14:48:53.0593 2428   dmio - ok
14:48:53.0625 2428   dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:48:53.0625 2428   dmload - ok
14:48:53.0687 2428   dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
14:48:53.0687 2428   dmserver - ok
14:48:53.0796 2428   DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:48:53.0796 2428   DMusic - ok
14:48:53.0859 2428   Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
14:48:53.0890 2428   Dnscache - ok
14:48:54.0046 2428   Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
14:48:54.0046 2428   Dot3svc - ok
14:48:54.0078 2428   dpti2o - ok
14:48:54.0156 2428   drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:48:54.0156 2428   drmkaud - ok
14:48:54.0250 2428   EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
14:48:54.0250 2428   EapHost - ok
14:48:54.0406 2428   ehRecvr (5d1347aa5ae6e2f77d7f4f8372d95ac9) C:\WINDOWS\eHome\ehRecvr.exe
14:48:54.0406 2428   ehRecvr - ok
14:48:54.0562 2428   ehSched (a53243709439ac2a4c216b817f8d7411) C:\WINDOWS\eHome\ehSched.exe
14:48:54.0593 2428   ehSched - ok
14:48:54.0734 2428   ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
14:48:54.0765 2428   ERSvc - ok
14:48:54.0828 2428   Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
14:48:54.0859 2428   Eventlog - ok
14:48:54.0937 2428   EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
14:48:54.0937 2428   EventSystem - ok
14:48:55.0062 2428   Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:48:55.0062 2428   Fastfat - ok
14:48:55.0187 2428   FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
14:48:55.0187 2428   FastUserSwitchingCompatibility - ok
14:48:55.0296 2428   Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
14:48:55.0312 2428   Fax - ok
14:48:55.0406 2428   Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
14:48:55.0406 2428   Fdc - ok
14:48:55.0484 2428   Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:48:55.0500 2428   Fips - ok
14:48:55.0562 2428   Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
14:48:55.0562 2428   Flpydisk - ok
14:48:55.0640 2428   FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:48:55.0640 2428   FltMgr - ok
14:48:55.0718 2428   Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:48:55.0718 2428   Fs_Rec - ok
14:48:55.0890 2428   Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:48:55.0906 2428   Ftdisk - ok
14:48:55.0937 2428   ftsata2 - ok
14:48:56.0062 2428   GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
14:48:56.0062 2428   GEARAspiWDM - ok
14:48:56.0171 2428   Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:48:56.0171 2428   Gpc - ok
14:48:56.0265 2428   HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
14:48:56.0265 2428   HDAudBus - ok
14:48:56.0406 2428   helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
14:48:56.0406 2428   helpsvc - ok
14:48:56.0562 2428   HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
14:48:56.0593 2428   HidBatt - ok
14:48:56.0671 2428   HidServ - ok
14:48:56.0937 2428   HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:48:56.0937 2428   HidUsb - ok
14:48:57.0046 2428   hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
14:48:57.0093 2428   hkmsvc - ok
14:48:57.0281 2428   hpn - ok
14:48:57.0437 2428   HSXHWBS2 (1f5c64b0c6b2e2f48735a77ae714ccb8) C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys
14:48:57.0453 2428   HSXHWBS2 - ok
14:48:57.0531 2428   HSX_DP (a7f8c9228898a1e871d2ae7082f50ac3) C:\WINDOWS\system32\DRIVERS\HSX_DP.sys
14:48:57.0609 2428   HSX_DP - ok
14:48:57.0875 2428   HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:48:57.0890 2428   HTTP - ok
14:48:58.0078 2428   HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
14:48:58.0078 2428   HTTPFilter - ok
14:48:58.0328 2428   i2omgmt - ok
14:48:58.0390 2428   i2omp - ok
14:48:58.0609 2428   i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:48:58.0609 2428   i8042prt - ok
14:48:59.0046 2428   IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
14:48:59.0078 2428   IDriverT - ok
14:48:59.0218 2428   Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:48:59.0234 2428   Imapi - ok
14:48:59.0468 2428   ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
14:48:59.0468 2428   ImapiService - ok
14:48:59.0593 2428   ini910u - ok
14:48:59.0953 2428   IntcAzAudAddService (ab2fe0faa519880bd16e4a0792d633d2) C:\WINDOWS\system32\drivers\RtkHDAud.sys
14:49:00.0234 2428   IntcAzAudAddService - ok
14:49:00.0625 2428   IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
14:49:00.0625 2428   IntelIde - ok
14:49:00.0750 2428   intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:49:00.0750 2428   intelppm - ok
14:49:00.0828 2428   Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:49:00.0859 2428   Ip6Fw - ok
14:49:00.0968 2428   IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:49:00.0984 2428   IpFilterDriver - ok
14:49:01.0140 2428   IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:49:01.0171 2428   IpInIp - ok
14:49:01.0234 2428   IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:49:01.0281 2428   IpNat - ok
14:49:01.0546 2428   iPod Service (8e5e5a8cc84da3f683e3bbc045138d52) C:\Program Files\iPod\bin\iPodService.exe
14:49:01.0796 2428   iPod Service - ok
14:49:02.0125 2428   IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:49:02.0156 2428   IPSec - ok
14:49:02.0468 2428   IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:49:02.0500 2428   IRENUM - ok
14:49:02.0734 2428   isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:49:02.0750 2428   isapnp - ok
14:49:03.0093 2428   ISWKL (08a811bfd207dfdec588881c18bacbaa) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
14:49:03.0109 2428   ISWKL - ok
14:49:03.0250 2428   IswSvc (5b2ccef06f96dfb22893ab8f0b3f891d) C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
14:49:03.0281 2428   IswSvc - ok
14:49:03.0625 2428   JavaQuickStarterService (9aa67569d5257462e230767510b0c815) C:\Program Files\Java\jre6\bin\jqs.exe
14:49:03.0750 2428   JavaQuickStarterService - ok
14:49:04.0031 2428   Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:49:04.0031 2428   Kbdclass - ok
14:49:04.0500 2428   KL1 (94d67d49bd9503bb1d838405d80f2058) C:\WINDOWS\system32\DRIVERS\kl1.sys
14:49:04.0515 2428   KL1 - ok
14:49:04.0921 2428   kl2 (713576569667ac9e0f8556076004a96b) C:\WINDOWS\system32\DRIVERS\kl2.sys
14:49:04.0921 2428   kl2 - ok
14:49:06.0781 2428   KLIF (f934de04ac53b08457b92db6e4dee2e5) C:\WINDOWS\system32\DRIVERS\klif.sys
14:49:06.0796 2428   KLIF - ok
14:49:07.0093 2428   kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:49:07.0125 2428   kmixer - ok
14:49:07.0250 2428   KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:49:07.0250 2428   KSecDD - ok
14:49:07.0437 2428   lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
14:49:07.0437 2428   lanmanserver - ok
14:49:07.0625 2428   lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
14:49:07.0640 2428   lanmanworkstation - ok
14:49:07.0781 2428   lbrtfdc - ok
14:49:08.0031 2428   LightScribeService (5d4b38a8d8525356798f5e560c3a3090) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
14:49:08.0046 2428   LightScribeService - ok
14:49:08.0390 2428   LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
14:49:08.0390 2428   LmHosts - ok
14:49:08.0593 2428   MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
14:49:08.0609 2428   MBAMProtector - ok
14:49:08.0906 2428   MBAMService (056b19651bd7b7ce5f89a3ac46dbdc08) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
14:49:08.0921 2428   MBAMService - ok
14:49:09.0218 2428   McrdSvc (df0a511f38f16016bf658fca0090cb87) C:\WINDOWS\ehome\mcrdsvc.exe
14:49:09.0234 2428   McrdSvc - ok
14:49:09.0531 2428   mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
14:49:09.0546 2428   mdmxsdk - ok
14:49:09.0937 2428   Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
14:49:09.0984 2428   Messenger - ok
14:49:10.0250 2428   MHN (b7521f69c0a9b29d356157229376fb21) C:\WINDOWS\System32\mhn.dll
14:49:10.0281 2428   MHN - ok
14:49:10.0750 2428   MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
14:49:10.0796 2428   MHNDRV - ok
14:49:11.0953 2428   mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:49:12.0046 2428   mnmdd - ok
14:49:12.0875 2428   mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
14:49:12.0937 2428   mnmsrvc - ok
14:49:15.0109 2428   Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:49:15.0109 2428   Modem - ok
14:49:18.0390 2428   Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:49:18.0390 2428   Mouclass - ok
14:49:19.0421 2428   MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:49:19.0593 2428   MountMgr - ok
14:49:27.0515 2428   mraid35x - ok
14:49:30.0296 2428   MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:49:32.0578 2428   MRxDAV - ok
14:49:32.0953 2428   MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:49:33.0093 2428   MRxSmb - ok
14:49:33.0859 2428   Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:49:33.0875 2428   Msfs - ok
14:49:34.0171 2428   MSIServer - ok
14:49:36.0109 2428   MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:49:36.0265 2428   MSKSSRV - ok
14:49:37.0000 2428   MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:49:37.0031 2428   MSPCLOCK - ok
14:49:38.0093 2428   MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:49:38.0093 2428   MSPQM - ok
14:49:38.0546 2428   mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:49:38.0578 2428   mssmbios - ok
14:49:39.0109 2428   Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
14:49:39.0281 2428   Mup - ok
14:49:41.0375 2428   napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
14:49:41.0984 2428   napagent - ok
14:49:46.0109 2428   NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:49:46.0234 2428   NDIS - ok
14:49:47.0281 2428   NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:49:47.0359 2428   NdisTapi - ok
14:49:57.0031 2428   Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:49:57.0125 2428   Ndisuio - ok
14:50:15.0890 2428   NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:50:15.0937 2428   NdisWan - ok
14:50:20.0937 2428   NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
14:50:21.0000 2428   NDProxy - ok
14:50:26.0312 2428   NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:50:26.0578 2428   NetBIOS - ok
14:50:31.0078 2428   NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:50:34.0296 2428   NetBT - ok
14:50:35.0484 2428   NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
14:50:36.0078 2428   NetDDE - ok
14:50:36.0187 2428   NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
14:50:36.0187 2428   NetDDEdsdm - ok
14:50:37.0250 2428   Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:50:37.0250 2428   Netlogon - ok
14:50:38.0187 2428   Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
14:50:38.0203 2428   Netman - ok
14:50:39.0031 2428   NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
14:50:39.0125 2428   NIC1394 - ok
14:50:41.0937 2428   Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
14:50:42.0671 2428   Nla - ok
14:50:43.0343 2428   Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:50:43.0453 2428   Npfs - ok
14:50:45.0734 2428   Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:50:46.0531 2428   Ntfs - ok
14:50:47.0671 2428   NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:50:47.0671 2428   NtLmSsp - ok
14:50:48.0453 2428   NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
14:50:49.0953 2428   NtmsSvc - ok
14:50:50.0250 2428   Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:50:50.0453 2428   Null - ok
14:50:51.0093 2428   NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:50:51.0109 2428   NwlnkFlt - ok
14:50:52.0687 2428   NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:50:52.0750 2428   NwlnkFwd - ok
14:50:53.0656 2428   ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
14:50:53.0687 2428   ohci1394 - ok
14:50:53.0828 2428   ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
14:50:53.0828 2428   ose - ok
14:50:54.0312 2428   Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
14:50:54.0343 2428   Parport - ok
14:50:54.0593 2428   PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:50:54.0609 2428   PartMgr - ok
14:50:54.0687 2428   ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:50:54.0703 2428   ParVdm - ok
14:50:55.0000 2428   PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:50:55.0390 2428   PCI - ok
14:50:57.0265 2428   PCIDump - ok
14:51:00.0234 2428   PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:51:00.0453 2428   PCIIde - ok
14:51:05.0765 2428   Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
14:51:06.0593 2428   Pcmcia - ok
14:51:07.0421 2428   PDCOMP - ok
14:51:07.0703 2428   PDFRAME - ok
14:51:08.0062 2428   PDRELI - ok
14:51:08.0171 2428   PDRFRAME - ok
14:51:08.0203 2428   perc2 - ok
14:51:08.0328 2428   perc2hib - ok
14:51:08.0578 2428   PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
14:51:08.0578 2428   PlugPlay - ok
14:51:09.0296 2428   pmxscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:51:09.0312 2428   pmxscan - ok
14:51:09.0406 2428   Point32 (dcdf0421a1c14f2923e298a30fd7636d) C:\WINDOWS\system32\DRIVERS\point32.sys
14:51:09.0500 2428   Point32 - ok
14:51:09.0703 2428   PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:51:09.0703 2428   PolicyAgent - ok
14:51:09.0968 2428   PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:51:09.0984 2428   PptpMiniport - ok
14:51:10.0312 2428   ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:51:10.0312 2428   ProtectedStorage - ok
14:51:10.0546 2428   Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
14:51:10.0593 2428   Ps2 - ok
14:51:11.0171 2428   PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:51:14.0281 2428   PSched - ok
14:51:14.0765 2428   Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:51:15.0921 2428   Ptilink - ok
14:51:17.0890 2428   PxHelp20 (97b735de4e3cd44c71c8cb09bdbf07b7) C:\WINDOWS\system32\Drivers\PxHelp20.sys
14:51:17.0953 2428   PxHelp20 - ok
14:51:19.0718 2428   ql1080 - ok
14:51:21.0406 2428   Ql10wnt - ok
14:51:22.0296 2428   ql12160 - ok
14:51:24.0156 2428   ql1240 - ok
14:51:25.0734 2428   ql1280 - ok
14:51:28.0000 2428   RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:51:28.0000 2428   RasAcd - ok
14:51:31.0062 2428   RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
14:51:31.0109 2428   RasAuto - ok
14:51:32.0046 2428   Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:51:32.0078 2428   Rasl2tp - ok
14:51:33.0968 2428   RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
14:51:35.0421 2428   RasMan - ok
14:51:36.0187 2428   RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:51:36.0187 2428   RasPppoe - ok
14:51:36.0484 2428   Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:51:36.0796 2428   Raspti - ok
14:51:37.0515 2428   Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:51:37.0734 2428   Rdbss - ok
14:51:37.0984 2428   RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:51:38.0000 2428   RDPCDD - ok
14:51:38.0875 2428   rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:51:38.0906 2428   rdpdr - ok
14:51:39.0921 2428   RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
14:51:40.0078 2428   RDPWD - ok
14:51:40.0781 2428   RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
14:51:40.0828 2428   RDSessMgr - ok
14:51:41.0171 2428   redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:51:41.0937 2428   redbook - ok
14:51:42.0375 2428   RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
14:51:42.0375 2428   RemoteAccess - ok
14:51:43.0000 2428   RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
14:51:43.0031 2428   RemoteRegistry - ok
14:51:43.0312 2428   RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
14:51:43.0312 2428   RpcLocator - ok
14:51:43.0421 2428   RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
14:51:43.0437 2428   RpcSs - ok
14:51:43.0656 2428   RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
14:51:43.0656 2428   RSVP - ok
14:51:44.0046 2428   RTL8023xp (8e34400ffc7d647946d9c820678775af) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
14:51:44.0046 2428   RTL8023xp - ok
14:51:44.0125 2428   rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
14:51:44.0125 2428   rtl8139 - ok
14:51:44.0984 2428   SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:51:44.0984 2428   SamSs - ok
14:51:45.0265 2428   SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
14:51:45.0296 2428   SASDIFSV - ok
14:51:45.0703 2428   SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
14:51:45.0781 2428   SASENUM - ok
14:51:46.0062 2428   SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
14:51:46.0234 2428   SASKUTIL - ok
14:51:48.0000 2428   SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
14:51:48.0078 2428   SCardSvr - ok
14:51:49.0406 2428   Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
14:51:49.0765 2428   Schedule - ok
14:51:52.0703 2428   Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:51:52.0703 2428   Secdrv - ok
14:51:52.0968 2428   seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
14:51:53.0031 2428   seclogon - ok
14:51:54.0078 2428   SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
14:51:55.0781 2428   SENS - ok
14:51:56.0562 2428   Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
14:51:56.0687 2428   Serial - ok
14:51:57.0046 2428   Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:51:57.0046 2428   Sfloppy - ok
14:51:57.0234 2428   SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
14:51:57.0265 2428   SharedAccess - ok
14:51:57.0406 2428   ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
14:51:57.0406 2428   ShellHWDetection - ok
14:51:57.0906 2428   Simbad - ok
14:51:58.0125 2428   Sparrow - ok
14:51:58.0203 2428   splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:51:58.0203 2428   splitter - ok
14:51:58.0546 2428   Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
14:51:58.0593 2428   Spooler - ok
14:51:59.0171 2428   sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:51:59.0171 2428   sr - ok
14:52:01.0015 2428   srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
14:52:01.0296 2428   srservice - ok
14:52:11.0312 2428   Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
14:52:11.0453 2428   Srv - ok
14:52:13.0046 2428   SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
14:52:13.0187 2428   SSDPSRV - ok
14:52:14.0125 2428   stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
14:52:14.0140 2428   stisvc - ok
14:52:15.0062 2428   swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:52:15.0078 2428   swenum - ok
14:52:15.0515 2428   swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:52:15.0687 2428   swmidi - ok
14:52:16.0265 2428   SwPrv - ok
14:52:17.0046 2428   symc810 - ok
14:52:17.0984 2428   symc8xx - ok
14:52:19.0000 2428   sym_hi - ok
14:52:24.0531 2428   sym_u3 - ok
14:52:25.0312 2428   sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:52:25.0359 2428   sysaudio - ok
14:52:25.0765 2428   SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
14:52:25.0859 2428   SysmonLog - ok
14:52:27.0296 2428   TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
14:52:27.0734 2428   TapiSrv - ok
14:52:32.0000 2428   Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:52:32.0500 2428   Tcpip - ok
14:52:32.0968 2428   TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:52:33.0000 2428   TDPIPE - ok
14:52:33.0421 2428   TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:52:33.0562 2428   TDTCP - ok
14:52:34.0203 2428   TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:52:34.0218 2428   TermDD - ok
14:52:34.0734 2428   TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
14:52:35.0156 2428   TermService - ok
14:52:35.0953 2428   Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
14:52:35.0953 2428   Themes - ok
14:52:36.0171 2428   TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
14:52:36.0171 2428   TlntSvr - ok
14:52:36.0968 2428   TosIde - ok
14:52:37.0187 2428   TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
14:52:37.0187 2428   TrkWks - ok
14:52:37.0796 2428   Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:52:37.0890 2428   Udfs - ok
14:52:39.0031 2428   ultra - ok
14:52:39.0421 2428   Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:52:39.0859 2428   Update - ok
14:52:40.0968 2428   upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
14:52:41.0125 2428   upnphost - ok
14:52:42.0062 2428   UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
14:52:42.0171 2428   UPS - ok
14:52:44.0125 2428   usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:52:44.0125 2428   usbehci - ok
14:52:46.0281 2428   usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:52:46.0281 2428   usbhub - ok
14:52:48.0187 2428   usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
14:52:48.0187 2428   usbohci - ok
14:52:51.0812 2428   usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:52:51.0812 2428   usbprint - ok
14:52:52.0093 2428   usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:52:52.0140 2428   usbstor - ok
14:52:52.0984 2428   usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:52:53.0109 2428   usbuhci - ok
14:52:56.0843 2428   VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:52:56.0921 2428   VgaSave - ok
14:52:57.0859 2428   ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
14:52:57.0890 2428   ViaIde - ok
14:52:59.0265 2428   VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:52:59.0265 2428   VolSnap - ok
14:53:00.0843 2428   Vsdatant (558cee3d9c470651f1843d51b42d761b) C:\WINDOWS\system32\vsdatant.sys
14:53:01.0953 2428   Vsdatant - ok
14:53:02.0234 2428   vsmon - ok
14:53:02.0750 2428   VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
14:53:02.0828 2428   VSS - ok
14:53:03.0328 2428   W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
14:53:03.0421 2428   W32Time - ok
14:53:05.0203 2428   Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:53:05.0203 2428   Wanarp - ok
14:53:06.0156 2428   WDICA - ok
14:53:07.0125 2428   wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:53:07.0140 2428   wdmaud - ok
14:53:08.0296 2428   WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
14:53:08.0484 2428   WebClient - ok
14:53:12.0140 2428   winachsx (11ec1afceb5c917ce73d3c301ff4291e) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
14:53:12.0234 2428   winachsx - ok
14:53:16.0062 2428   winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
14:53:16.0562 2428   winmgmt - ok
14:53:21.0109 2428   WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
14:53:21.0140 2428   WmdmPmSN - ok
14:53:24.0218 2428   Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
14:53:25.0156 2428   Wmi - ok
14:53:30.0687 2428   WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
14:53:30.0812 2428   WmiApSrv - ok
14:53:31.0171 2428   WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
14:53:32.0015 2428   WMPNetworkSvc - ok
14:53:32.0906 2428   WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
14:53:32.0921 2428   WS2IFSL - ok
14:53:33.0203 2428   wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
14:53:33.0312 2428   wscsvc - ok
14:53:34.0296 2428   wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
14:53:34.0359 2428   wuauserv - ok
14:53:37.0109 2428   WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:53:37.0296 2428   WudfPf - ok
14:53:40.0671 2428   WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:53:40.0937 2428   WudfRd - ok
14:53:42.0656 2428   WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
14:53:42.0671 2428   WudfSvc - ok
14:53:43.0828 2428   WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
14:53:43.0984 2428   WZCSVC - ok
14:53:44.0281 2428   xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
14:53:44.0500 2428   xmlprov - ok
14:53:45.0640 2428   YahooAUService (dd0042f0c3b606a6a8b92d49afb18ad6) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
14:53:46.0171 2428   YahooAUService - ok
14:53:46.0453 2428   MBR (0x1B8) (cb3cc5e3bfdf0a25babd81b4d610f0e7) \Device\Harddisk0\DR0
14:53:46.0625 2428   \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
14:53:46.0625 2428   \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
14:53:46.0875 2428   Boot (0x1200) (a2c137e4c6acac455d5a5029f70b034d) \Device\Harddisk0\DR0\Partition0
14:53:47.0062 2428   \Device\Harddisk0\DR0\Partition0 - ok
14:53:47.0187 2428   Boot (0x1200) (c7eafd29abeaa13e437796e0e2979905) \Device\Harddisk0\DR0\Partition1
14:53:47.0296 2428   \Device\Harddisk0\DR0\Partition1 - ok
14:53:47.0296 2428   ============================================================
14:53:47.0296 2428   Scan finished
14:53:47.0296 2428   ============================================================
14:53:47.0515 2420   Detected object count: 1
14:53:47.0515 2420   Actual detected object count: 1
14:54:39.0968 2420   \Device\Harddisk0\DR0\# - copied to quarantine
14:54:39.0968 2420   \Device\Harddisk0\DR0 - copied to quarantine
14:54:40.0031 2420   \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
14:54:40.0234 2420   \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
14:54:40.0281 2420   \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
14:54:40.0515 2420   \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
14:54:40.0703 2420   \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
14:54:41.0250 2420   \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
14:54:42.0281 2420   \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
14:54:42.0281 2420   \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
14:54:42.0296 2420   \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
14:54:42.0359 2420   \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
14:54:42.0375 2420   \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
14:54:42.0390 2420   \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
14:54:42.0500 2420   \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
14:54:42.0500 2420   \Device\Harddisk0\DR0 - ok
14:54:42.0531 2420   \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
14:55:53.0671 2120   Deinitialize success

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-30 15:02:44
-----------------------------
15:02:44.093 OS Version: Windows 5.1.2600 Service Pack 3
15:02:44.093 Number of processors: 2 586 0x407
15:02:44.093 ComputerName: HEATHER UserName:
15:02:44.640 Initialize success
15:04:33.609 AVAST engine defs: 12033000
15:04:46.140 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
15:04:46.140 Disk 0 Vendor: WDC_WD2500JS-60NCB1 10.02E02 Size: 238475MB BusType: 3
15:04:46.187 Disk 0 MBR read successfully
15:04:46.203 Disk 0 MBR scan
15:04:46.250 Disk 0 unknown MBR code
15:04:46.250 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 229655 MB offset 63
15:04:46.296 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 8809 MB offset 470351070
15:04:46.312 Disk 0 scanning sectors +488392065
15:04:46.390 Disk 0 scanning C:\WINDOWS\system32\drivers
15:05:00.765 Service scanning
15:05:25.281 Modules scanning
15:05:30.375 Disk 0 trace - called modules:
15:05:30.421 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:05:30.437 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86383ab8]
15:05:30.500 3 CLASSPNP.SYS[f75cffd7] -> nt!IofCallDriver -> \Device\00000070[0x8637e0c8]
15:05:30.546 5 ACPI.sys[f7526620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x86300940]
15:05:31.078 AVAST engine scan C:\WINDOWS
15:05:44.593 AVAST engine scan C:\WINDOWS\system32
15:10:52.437 AVAST engine scan C:\WINDOWS\system32\drivers
15:11:18.031 AVAST engine scan C:\Documents and Settings\HP_Administrator
15:18:25.890 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\MBR.dat"
15:18:25.968 The log file has been saved successfully to "C:\Documents and Settings\HP_Administrator\Desktop\aswMBR.txt"

SuperDave · « **Reply #8 on:** March 31, 2012, 12:56:18 PM »

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

Link 1
Link 2
Link 3

•Double-click on MBRCheck.exe to run it.

•It will open a black window...please do not fix anything (if it gives you an option).

•When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.

•A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
•Please copy and paste the contents of that log in your next reply.

diggerjoy · « **Reply #9 on:** March 31, 2012, 01:44:03 PM »

Hi SuperDave,

I just ran the check and will post the report, but before I do, I wanted you to know that this morning I tried logging on in normal mode and still had all the same problems, so then I figured what the heck--I tried logging on in normal mode again, but as soon as the Zone Alarm icon appeared in the tray, I right-clicked and exited. Since then, I have been working in normal mode and so far, no problems. I have been burning all of my music and data to CD's, figured I'd better get started, just in case...still quite a bit more to burn, so I don't want to do anything that might cause me to lose the functionality I have right now, but thought you should know that exiting ZA seemed to make a difference. Don't know if there are still other underlying problems as well...anyway, here's the report:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version:      Windows XP Professional
Windows Information:      Service Pack 3 (build 2600)
Logical Drives Mask:      0x00000f1c

Kernel Drivers (total 145):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7A3C000 \WINDOWS\system32\KDCOM.DLL
0xF794C000 \WINDOWS\system32\BOOTVID.dll
0xF740D000 ACPI.sys
0xF7A3E000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF73FC000 pci.sys
0xF753C000 isapnp.sys
0xF754C000 ohci1394.sys
0xF755C000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7950000 compbatt.sys
0xF7954000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7B04000 pciide.sys
0xF77BC000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7A40000 viaide.sys
0xF7A42000 intelide.sys
0xF756C000 MountMgr.sys
0xF73DD000 ftdisk.sys
0xF7A44000 dmload.sys
0xF73B7000 dmio.sys
0xF77C4000 PartMgr.sys
0xF757C000 VolSnap.sys
0xF739F000 atapi.sys
0xF758C000 disk.sys
0xF759C000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF737F000 fltmgr.sys
0xF736D000 sr.sys
0xF75AC000 PxHelp20.sys
0xF7356000 KSecDD.sys
0xF72C9000 Ntfs.sys
0xF729C000 NDIS.sys
0xF7282000 Mup.sys
0xF6D60000 kl1.sys
0xF772C000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF6270000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF625C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7934000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF6238000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF793C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF773C000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF774C000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF775C000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6215000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7944000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF61ED000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF77D4000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF61D9000 \SystemRoot\system32\DRIVERS\parport.sys
0xF776C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7814000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF781C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A80000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xF7824000 \SystemRoot\system32\DRIVERS\point32.sys
0xF782C000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A82000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xF7834000 \SystemRoot\system32\DRIVERS\aracpi.sys
0xF6194000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0xF609D000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
0xF5FE7000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xF783C000 \SystemRoot\System32\Drivers\Modem.SYS
0xF5FD3000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF777C000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6D3C000 \SystemRoot\system32\DRIVERS\arpolicy.sys
0xF7BCA000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF778C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6D38000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5FBC000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF779C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF77AC000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7844000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5FAB000 \SystemRoot\system32\DRIVERS\psched.sys
0xF761C000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF784C000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7854000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF5F7B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF762C000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7A84000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5F1D000 \SystemRoot\system32\DRIVERS\update.sys
0xF6D1C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF66AA000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF667A000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A92000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF198B000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xF1967000 \SystemRoot\system32\drivers\portcls.sys
0xF664A000 \SystemRoot\system32\drivers\drmk.sys
0xF18D0000 \SystemRoot\system32\DRIVERS\klif.sys
0xF7A9E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B21000 \SystemRoot\System32\Drivers\Null.SYS
0xF7AA0000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7B24000 \SystemRoot\System32\Drivers\ATMhelpr.SYS
0xF786C000 \SystemRoot\System32\drivers\vga.sys
0xF7AA2000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7AA4000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7874000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF787C000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7A20000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF7884000 \SystemRoot\system32\DRIVERS\kl2.sys
0xF7A30000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF1875000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF181C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF17F4000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF1775000 \SystemRoot\System32\vsdatant.sys
0xF174F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF662A000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF5F19000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF661A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF789C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF78A4000 \SystemRoot\system32\DRIVERS\arhidfltr.sys
0xF764C000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF78AC000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF78B4000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF5F11000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF16DD000 \SystemRoot\System32\drivers\afd.sys
0xF765C000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF16BB000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xF78BC000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF1690000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF15F8000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF766C000 \SystemRoot\System32\Drivers\Fips.SYS
0xF15D4000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF15BC000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7AD4000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF18C8000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78CC000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B17000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09A000 \SystemRoot\System32\atikvmag.dll
0xBF0D0000 \SystemRoot\System32\ati3duag.dll
0xBF362000 \SystemRoot\System32\ativvaxx.dll
0xBF4BA000 \SystemRoot\System32\ATMFD.DLL
0xEF3EC000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xEF360000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF1717000 \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
0xEEDD7000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xEED72000 \SystemRoot\system32\drivers\wdmaud.sys
0xF76AC000 \SystemRoot\system32\drivers\sysaudio.sys
0xEEB7B000 \SystemRoot\System32\Drivers\HTTP.sys
0xEEAD3000 \SystemRoot\system32\DRIVERS\srv.sys
0xEEB5B000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEE623000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEE25B000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xEDDAF000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 57):
0 System Idle Process
4 System
552 C:\WINDOWS\system32\smss.exe
628 csrss.exe
656 C:\WINDOWS\system32\winlogon.exe
700 C:\WINDOWS\system32\services.exe
712 C:\WINDOWS\system32\lsass.exe
868 C:\WINDOWS\system32\ati2evxx.exe
884 C:\WINDOWS\system32\svchost.exe
956 svchost.exe
996 C:\WINDOWS\system32\svchost.exe
1068 svchost.exe
1100 svchost.exe
1148 C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
1400 C:\WINDOWS\system32\ati2evxx.exe
1492 C:\WINDOWS\explorer.exe
1752 C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
1856 C:\WINDOWS\system32\spoolsv.exe
1904 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
1996 svchost.exe
2044 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
168 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
232 C:\WINDOWS\arservice.exe
424 C:\Program Files\Microsoft\BingBar\SeaPort.EXE
460 C:\Program Files\Bonjour\mDNSResponder.exe
496 C:\WINDOWS\ehome\ehrecvr.exe
540 C:\WINDOWS\ehome\ehSched.exe
112 C:\Program Files\Java\jre6\bin\jqs.exe
1024 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1252 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
1548 svchost.exe
1664 C:\WINDOWS\system32\svchost.exe
2112 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
2188 mcrdsvc.exe
2440 C:\WINDOWS\system32\dllhost.exe
2576 alg.exe
3244 C:\WINDOWS\ehome\ehtray.exe
3360 C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
3412 C:\WINDOWS\arpwrmsg.exe
3572 C:\WINDOWS\ehome\ehmsas.exe
3688 C:\Program Files\iTunes\iTunesHelper.exe
3884 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
3976 C:\Program Files\Common Files\Java\Java Update\jusched.exe
4036 C:\Program Files\real\realplayer\Update\realsched.exe
164 C:\PROGRA~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE
2700 C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
3036 C:\Program Files\iPod\bin\iPodService.exe
3628 C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
1932 C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
2012 C:\hp\KBD\kbd.exe
3732 C:\WINDOWS\system\hpsysdrv.exe
780 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
4508 C:\WINDOWS\system32\wuauclt.exe
5900 C:\Program Files\real\realplayer\realplay.exe
4348 C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe
5856 <unknown>
588 <unknown>

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000038`11f9bc00 (FAT32)

PhysicalDrive0 Model Number: WDCWD2500JS-60NCB1, Rev: 10.02E02

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 4A3BF69CA3259413E25A52D6E01242850E3B0E3 A

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

SuperDave · « **Reply #10 on:** March 31, 2012, 05:02:40 PM »

Quote

I have been burning all of my music and data to CD's, figured I'd better get started, just in case...still quite a bit more to burn, so I don't want to do anything that might cause me to lose the functionality I have right now,

Good idea to back up all your important data.When you're finished with that please do the following.

Earlier on ComboFix installed the Recovery Console. We're going to use that now.

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)

When you get to the above screen, take note of the number that references your operating system.

If it's '1' like the picture above, type 1 and press Enter

Next type FIXMBR

If it ask if you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.

With that done, please run MBRCheck.exe again and post the log.

diggerjoy · « **Reply #11 on:** April 02, 2012, 05:01:38 AM »

Questions: Should I be doing this on a normal boot, or SafeMode? (Does it matter?)

Does it matter that I have Windows XP Media Center version for Recovery console? (When ComboFix installed the recovery console, it only asked if I was running home edition and I said no--and then what it downloaded it seemed to download a home edition. ) Is there a way to check that I have the right recovery console before we do this, or doesn't it matter?

Is this going to do any kind of destructive recovery, or is it just fixing something from MBR? (I realize with computers there's no guarantee that something won't be destructive, but what are we hoping will happen?)

I know this whole process is trial-and-error, looking for a needle in a haystack, but knowing where we stand at this point helps...

Sorry to be so anxious, but I work from home so I can care for my disabled husband, and this computer is vital to me doing that. This is our only income, so it's a little anxiety-producing...(the organization I work for doesn't provide any support--or anything else for that matter, except a job. Their philosophy is f I can't do it, they'll give it to someone else who can.) I feel like we're getting close--I seem to have full functionality right now (I realize that doesn't mean that there still aren't underlying issues). Just want to make sure I don't mess anything up at this point... Sorry for being an old lady about this at this point...Thanks!

SuperDave · « **Reply #12 on:** April 02, 2012, 12:35:59 PM »

Quote

Should I be doing this on a normal boot, or SafeMode

In Normal mode.

Quote

Is there a way to check that I have the right recovery console before we do this, or doesn't it matter?

You should see the Recovery Console when you boot your computer but it's only there for a few seconds.

Quote

Is there a way to check that I have the right recovery console before we do this, or doesn't it matter?

No, just fixing the MBR.

Quote

Just want to make sure I don't mess anything up at this point... Sorry for being an old lady about this at this point...Thanks!

If the RC is installed, it should just fix the MBR.

diggerjoy · « **Reply #13 on:** April 03, 2012, 05:55:57 AM »

OK, I know you said if it asks if I want to write a new MBR to say yes, but I want to make sure it's OK given the warning message I received. When I put in fixMBR, I got the message that "This computer appears to have a non-standard or invalid Master Boot Record. FixMBR may damage your partition tables if you proceed. This could cause all the partitions on the current hard disk to become inaccessible. If you are not having problems acessing your drive, do not continue. Are you sure you want to write a new MBR?"

Just want to make sure the answer is still yes, even with this warning...don't want to mess up now...Thanks!

SuperDave · « **Reply #14 on:** April 03, 2012, 12:51:47 PM »

Quote

When I put in fixMBR, I got the message that "This computer appears to have a non-standard or invalid Master Boot Record. FixMBR may damage your partition tables if you proceed. This could cause all the partitions on the current hard disk to become inaccessible.

Ok. Let's try this to see if you get the same message.

Please Boot to the System Recovery Options
If you have Windows 7 installation disc, just insert a DVD to the drive, restart computer and it should load automatically (option two presented in the article).
It's possible also that your computer has a pre-installed recovery partition instead - in such a case use a method one (by pressing F8 before Windows starts loading)...
NOTE. If none of the above apply you can create System Repair Disc (link in "Option two") and boot from it.

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Choose Command Prompt
You should see X:\SOURCES>...

Execute the following commands in bold.
Press Enter after every one of them.

bootrec /fixmbr (<--- there is a "space" after "bootrec")

bootrec /fixboot (<--- there is a "space" after "bootrec")

exit

Restart computer.

diggerjoy · « **Reply #15 on:** April 03, 2012, 02:40:12 PM »

Hi SD,
Not trying to be difficult, but those instructions were for Windows 7, and I have Windows XP Media Center Edition 2005. I did try looking for how to boot to systems recovery options on my own though, and it seemed they were saying to just go to Safe Mode to get Safe Mode with command prompt. I did that, went through the process of selecting my user name (HP_Administrator), got C:\Documents and Settings\HP_Administrator> Tried entering bootrec /fixmbr (I remembered to include the space). Got the message that bootrec was not recognized as an internal or external command, operable program, or batch file. So I typed exit, and then just got the black screen with safe mode in the 4 corners. Didn't know how to get out of that, so I just turned off the computer with the power button.

I do have a disk my daughter made when we got this computer, it is labeled "HP Recovery Tools CD". I looked at the contents with WinExplorer: it has a lot of language file folders, some file folders that begin with R and a number, some files that are labeled bootfont with a different extensions (they seem to correspond to the languages), and some files labeled WIN51, WIN51.B@, WIN511C, etc.

I also have a set of 3 recovery disks she made when we got the computer, I'm assuming they are for a destructive recovery? I have not looked at them.

Also, under My Computer, C is my hard drive, but there is also a D drive labeled HP_Recovery. I don't know if any of this info helps you decide what to do next. As I said, I'm not trying to be difficult, but want to make sure I'm doing the right thing. Thanks.

After writing all this, I found this site on line that appears to say to ignore the error message for Windows 2000 (but it doesn't say for XP): should I just ignore the error message ?

http://support.microsoft.com/kb/266745

I also found this site that says it also applies to XP:

http://www.tomshardware.com/forum/87475-45-fixmbr-dont

I'm not trying to undermine or second-guess you, just trying to help with research (I don't expect you to know everything. :>). I won't do anything that you haven't checked and said I should do. If you say go ahead then I'll do it. Thanks!

SuperDave · « **Reply #16 on:** April 04, 2012, 12:02:31 PM »

Quote

Also, under My Computer, C is my hard drive, but there is also a D drive labeled HP_Recovery

Yes, that's the recovery console we're trying to get into.

Quote

After writing all this, I found this site on line that appears to say to ignore the error message for Windows 2000 (but it doesn't say for XP): should I just ignore the error message ?

I would say just ignore the warning as MS stated in their article. But first, you should save all your important data just in case we have to use the Recovery disks.

diggerjoy · « **Reply #17 on:** April 04, 2012, 03:55:02 PM »

Wow--that was QUICK! No problems. Here's the log from MBRcheck:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version:      Windows XP Professional
Windows Information:      Service Pack 3 (build 2600)
Logical Drives Mask:      0x00000f1c

Kernel Drivers (total 143):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7A3C000 \WINDOWS\system32\KDCOM.DLL
0xF794C000 \WINDOWS\system32\BOOTVID.dll
0xF740D000 ACPI.sys
0xF7A3E000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF73FC000 pci.sys
0xF753C000 isapnp.sys
0xF754C000 ohci1394.sys
0xF755C000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7950000 compbatt.sys
0xF7954000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7B04000 pciide.sys
0xF77BC000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7A40000 viaide.sys
0xF7A42000 intelide.sys
0xF756C000 MountMgr.sys
0xF73DD000 ftdisk.sys
0xF7A44000 dmload.sys
0xF73B7000 dmio.sys
0xF77C4000 PartMgr.sys
0xF757C000 VolSnap.sys
0xF739F000 atapi.sys
0xF758C000 disk.sys
0xF759C000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF737F000 fltmgr.sys
0xF736D000 sr.sys
0xF75AC000 PxHelp20.sys
0xF7356000 KSecDD.sys
0xF72C9000 Ntfs.sys
0xF729C000 NDIS.sys
0xF7282000 Mup.sys
0xF6D60000 kl1.sys
0xF76FC000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF631D000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF6309000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7914000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF62E5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF791C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF770C000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF771C000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF772C000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF62C2000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7924000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF629A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF792C000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF6286000 \SystemRoot\system32\DRIVERS\parport.sys
0xF773C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7934000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF793C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7A78000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xF7944000 \SystemRoot\system32\DRIVERS\point32.sys
0xF77D4000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A7A000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xF7814000 \SystemRoot\system32\DRIVERS\aracpi.sys
0xF6241000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
0xF614A000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
0xF6094000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xF781C000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6080000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF774C000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7A28000 \SystemRoot\system32\DRIVERS\arpolicy.sys
0xF7C8D000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF775C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7A2C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6069000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF776C000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF777C000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7824000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6058000 \SystemRoot\system32\DRIVERS\psched.sys
0xF778C000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF782C000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7834000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF6000000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF779C000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7A7C000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5FA2000 \SystemRoot\system32\DRIVERS\update.sys
0xF6D30000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF77AC000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF763C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A7E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF1A0B000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xF19E7000 \SystemRoot\system32\drivers\portcls.sys
0xF766C000 \SystemRoot\system32\drivers\drmk.sys
0xF1970000 \SystemRoot\system32\DRIVERS\klif.sys
0xF7A8A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C12000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A8C000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7C14000 \SystemRoot\System32\Drivers\ATMhelpr.SYS
0xF784C000 \SystemRoot\System32\drivers\vga.sys
0xF7A8E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A90000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7854000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF785C000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6040000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF7864000 \SystemRoot\system32\DRIVERS\kl2.sys
0xF6030000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF1915000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF18BC000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF1894000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF1815000 \SystemRoot\System32\vsdatant.sys
0xF17EF000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF6513000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF5F9E000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF6503000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF786C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7874000 \SystemRoot\system32\DRIVERS\arhidfltr.sys
0xF64F3000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF787C000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF5F92000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF17CD000 \SystemRoot\System32\drivers\afd.sys
0xF64E3000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF17AB000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
0xF7884000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF1730000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF1698000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF64D3000 \SystemRoot\System32\Drivers\Fips.SYS
0xF788C000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF1674000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF165C000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7AC0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF19CB000 \SystemRoot\System32\drivers\Dxapi.sys
0xF78B4000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C3A000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09A000 \SystemRoot\System32\atikvmag.dll
0xBF0D0000 \SystemRoot\System32\ati3duag.dll
0xBF362000 \SystemRoot\System32\ativvaxx.dll
0xBF4BA000 \SystemRoot\System32\ATMFD.DLL
0xEF490000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xEF428000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF789C000 \??\C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
0xEEE67000 \SystemRoot\system32\drivers\wdmaud.sys
0xEF3B4000 \SystemRoot\system32\drivers\sysaudio.sys
0xEECFC000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xEEB53000 \SystemRoot\System32\Drivers\HTTP.sys
0xEEAD3000 \SystemRoot\system32\DRIVERS\srv.sys
0xEEB4F000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEE713000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 56):
0 System Idle Process
4 System
548 C:\WINDOWS\system32\smss.exe
620 csrss.exe
648 C:\WINDOWS\system32\winlogon.exe
692 C:\WINDOWS\system32\services.exe
704 C:\WINDOWS\system32\lsass.exe
860 C:\WINDOWS\system32\ati2evxx.exe
876 C:\WINDOWS\system32\svchost.exe
948 svchost.exe
1016 C:\WINDOWS\system32\svchost.exe
1104 svchost.exe
1160 svchost.exe
1204 C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
1472 C:\WINDOWS\system32\ati2evxx.exe
1564 C:\WINDOWS\explorer.exe
1868 C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
2004 C:\WINDOWS\system32\spoolsv.exe
164 C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
1044 svchost.exe
1100 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
1176 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1304 C:\WINDOWS\arservice.exe
1340 C:\Program Files\Microsoft\BingBar\SeaPort.EXE
1416 C:\Program Files\Bonjour\mDNSResponder.exe
1348 C:\WINDOWS\ehome\ehrecvr.exe
1732 C:\WINDOWS\ehome\ehSched.exe
1884 C:\Program Files\Java\jre6\bin\jqs.exe
2056 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2164 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
2296 svchost.exe
2352 C:\WINDOWS\system32\svchost.exe
2440 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
2504 mcrdsvc.exe
2584 C:\WINDOWS\system32\wuauclt.exe
3000 C:\WINDOWS\system32\dllhost.exe
3264 alg.exe
3280 wmiprvse.exe
3352 C:\WINDOWS\ehome\ehtray.exe
3368 C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
3428 C:\WINDOWS\arpwrmsg.exe
3596 C:\WINDOWS\ehome\ehmsas.exe
3776 C:\Program Files\iTunes\iTunesHelper.exe
4008 C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
4072 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
208 C:\Program Files\Common Files\Java\Java Update\jusched.exe
584 C:\Program Files\real\realplayer\Update\realsched.exe
1488 C:\PROGRA~1\ScanSoft\PAPERP~1\PPWEBCAP.EXE
2816 C:\Program Files\iPod\bin\iPodService.exe
2932 C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
2952 C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
3248 C:\Program Files\CheckPoint\ZoneAlarm\MailFrontier\mantispm.exe
3748 C:\hp\KBD\kbd.exe
3880 C:\WINDOWS\system\hpsysdrv.exe
1528 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
2236 C:\Documents and Settings\HP_Administrator\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000038`11f9bc00 (FAT32)

PhysicalDrive0 Model Number: WDCWD2500JS-60NCB1, Rev: 10.02E02

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644 A

Done!

SuperDave · « **Reply #18 on:** April 04, 2012, 04:38:01 PM »

Ok, the MBR has been fixed. That's a major step.

SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Double click Sysprot.exe to start the program.
Click on the Log tab.
In the Write to log box select the following items.

Process << Selected
Kernel Modules << Selected
SSDT << Selected
Kernel Hooks << Selected
IRP Hooks << NOT Selected
Ports << NOT Selected
Hidden Files << Selected

At the bottom of the page

Hidden Objects Only << Selected

Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

diggerjoy · « **Reply #19 on:** April 04, 2012, 09:28:42 PM »

I probably should have thought to ask this earlier: has my information been vulnerable during this infection/invasion? In otherwords, paying bills on-line (at secure sites) or entering private info on the same sites, is there any chance that info has been compromised?

Here's the scan (thank you for all this help, BTW):

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F15A0000
Module End: F15B8000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7AC2000
Module End: F7AC4000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAdjustPrivilegesToken
Address: F18D466E
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwClose
Address: F18D4F02
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwConnectPort
Address: F177A2F4
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateEvent
Address: F18D57D0
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateFile
Address: F17745CA
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateKey
Address: F179358A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateMutant
Address: F18D56A8
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateNamedPipeFile
Address: F18D4274
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreatePort
Address: F177AA80
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcess
Address: F178DE4E
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateProcessEx
Address: F178E23C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateSection
Address: F17976F6
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwCreateSemaphore
Address: F18D5902
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateSymbolicLinkObject
Address: F18D758C
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateThread
Address: F18D4BA0
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwCreateWaitablePort
Address: F177ABB6
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDebugActiveProcess
Address: F18D6F36
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDeleteFile
Address: F17751E0
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteKey
Address: F1794E3C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeleteValueKey
Address: F17947B2
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwDeviceIoControlFile
Address: F18D5178
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwDuplicateObject
Address: F178CD8A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwEnumerateKey
Address: F18D3FAC
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwEnumerateValueKey
Address: F18D4056
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwFsControlFile
Address: F18D4F84
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwLoadDriver
Address: F176FE88
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwLoadKey
Address: F1795794
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwLoadKey2
Address: F179599C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwMapViewOfSection
Address: F1797A5E
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwNotifyChangeKey
Address: F18D41A2
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenEvent
Address: F18D5872
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenFile
Address: F1774DF2
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenKey
Address: F18D36BE
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenMutant
Address: F18D5740
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenProcess
Address: F1790160
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwOpenSection
Address: F18D75B6
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenSemaphore
Address: F18D59A4
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwOpenThread
Address: F178FD8A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwProtectVirtualMemory
Address: F17A4090
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwQueryKey
Address: F18D4100
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryMultipleValueKey
Address: F18D3D28
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQuerySection
Address: F18D7958
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueryValueKey
Address: F18D3978
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwQueueApcThread
Address: F18D72A6
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRenameKey
Address: F179672A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwReplaceKey
Address: F1796060
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwReplyPort
Address: F18D5D2E
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwReplyWaitReceivePort
Address: F18D5BF4
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwRequestWaitReplyPort
Address: F1779EC4
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwRestoreKey
Address: F17970FC
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwResumeThread
Address: F18D7E30
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSaveKey
Address: F18D332A
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSecureConnectPort
Address: F177A59C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetContextThread
Address: F18D4DBE
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetInformationFile
Address: F17755A4
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetInformationObject
Address: F17A3F7C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetInformationToken
Address: F18D6586
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSetSecurityObject
Address: F1796C6A
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetSystemInformation
Address: F176F648
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSetValueKey
Address: F1793F72
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwSuspendProcess
Address: F18D7B7C
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSuspendThread
Address: F18D7CA4
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwSystemDebugControl
Address: F178EEA4
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwTerminateProcess
Address: F178EC20
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwTerminateThread
Address: F18D4956
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwUnloadDriver
Address: F177029C
Driver Base: F1759000
Driver End: F17D8000
Driver Name: \SystemRoot\System32\vsdatant.sys

Function Name: ZwUnmapViewOfSection
Address: F18D780E
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

Function Name: ZwWriteVirtualMemory
Address: F18D4AE0
Driver Base: F18B4000
Driver End: F1903000
Driver Name: \SystemRoot\system32\DRIVERS\klif.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

SuperDave · « **Reply #20 on:** April 05, 2012, 12:15:48 PM »

Quote

has my information been vulnerable during this infection/invasion? In otherwords, paying bills on-line (at secure sites) or entering private info on the same sites, is there any chance that info has been compromised?

Well, you did have a rootkit which could have compromised your computer. Here's what you should do just to be safe.
Do you have ZoneAlarm Firewall?

It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware, that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do
It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot
be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?

Guides for format and reinstall:

how-to-reformat-and-reinstall-your-operating-system-the-easy-way

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Should you have any questions, please feel free to ask.
*****************************************************
I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the

button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.

•Check

•Click the

button.
•Accept any security warnings from your browser.
•Check

•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push

•Push

, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the

button.
•Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

diggerjoy · « **Reply #21 on:** April 05, 2012, 09:09:08 PM »

Hi Dave,

Well, now that I’m thoroughly sick, I have questions, and I hope you can help and don’t mind continuing to help me
.
I run Zone Alarm Security Suite and the teatimer program (is it SAS, or Spybot? I’ve had it on my computer since you helped me a couple of years ago.) I also have WOT. I periodically update and run CCleaner, SAS, Spybot, Spyware Blaster, MBAM, although unfortunately I’ll admit it’s probably been 6 months. Why didn’t ZA or teatimer catch this stuff coming in? Do you think they prevented anything going out?

I tried reading all the links you provided; frankly, I was way in over my head and didn’t understand a good deal of it. I got the idea that rootkits can sometimes be purposely installed for legitimate use. In December I had problems logging into one of the servers at work through the internet, and the tech people said they had to remotely access my computer to fix the problem. They sent me an “invitation” I had to accept so they could gain remote access. Is there any chance that’s where the rootkits came from and they’re harmless? Is there any way to tell where they came from and what they did--or are doing?

I read also that malware can be downloaded to your computer through image files. Unfortunately, I have downloaded LOTS of image files--I draw as a hobby and when I see a picture I like, I download it to use as a reference. I have hundreds of pictures. I backed them all up to CD along with my other files when I did the back-ups this week. Would they have been scanned when downloaded? Would something have shown up if there was something in them? Could they/should they be scanned now on the CD? (I’d like to keep them if I could, but if there’s any chance they’ll do harm, I won’t keep them--but is it safe to get my other files off the disk now?)

Are there any other types of files malware could now be hiding in--word or excel files, for example..

I read that the only way to be sure my computer is clean is to reformat completely and reinstall the disks. I’m not sure I could handle that, even if I bought the disks (could it be done from the recovery disks, or does reformatting require original installation disks?) Besides, how safe is it really for how long--if this stuff got in once, why couldn’t it get in again the first time I went on-line? Is it really a fail-safe?

I don’t save/remember passwords, not even in Outlook for e-mail; I don’t keep password lists on my computer--but I do have a document I save to flash-drive with passwords. Is it possible my passwords are compromised anyway--could the info be stolen when I had the file open while working in it? Same with account #s--the only time they’re on my computer is when I type them in on a “secure” site. Wouldn’t that require a program to log keystrokes, and is there any way to tell if that happened? (I e-filed my taxes, all our taxes, on-line about a month ago. I shudder to think that I typed in social security #s and everything. Is this info vulnerable?)

One of the articles mentioned something about changing passwords if you use a router. We have a router; this computer is attached to the router through a line, but my daughter’s laptop is wireless. This computer is the administrator for the router. Is her computer in danger? Do I need to change the password? (And if I do, how do I know it’s safe to do it now?)

I had ZA off for about a day when it seemed to be causing the problem (I exited from the task tray; does that turn off the firewall too, or just the antivirus?) It’s been back on most of the time since then though. But teatimer resident is still off--I turned it off when your instructions said to. Should I turn it back on yet?

ZA scanned while ESET was scanning, and it came up with 4 items--but when I looked at them, it appeared they were all items quarantined by TDSSKiller. I’m assuming they’re nothing to worry about now. Is that correct?

Last thing: In prepping ESET to scan, the instructions said to check “scan archives”. When I checked that box, there was another box above it checked, the one for fix problems. Since the instructions didn’t say to check that box, I unchecked it. Should I have left it checked? Should I run ESET again with it checked?

My big fear is having done the income taxes and paying bills on-line, wondering how much of a possibility there is that my information was compromised. I thought as I was on a secure site there was nothing to worry about. Is there no way to determine if anything was stolen?

I apologize for all the questions; this really just has me sick. Here’s the scan; I appreciate anything you can do to help or any information you can give me.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=ee88f3395f713448af264009a4a0aa3e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-04-06 02:22:58
# local_time=2012-04-05 10:22:58 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 71250665 71250665 0 0
# compatibility_mode=8192 67108863 100 0 70886976 70886976 0 0
# compatibility_mode=9217 16776533 100 13 2026307 11854075 0 0
# scanned=153944
# found=4
# cleaned=0
# scan_time=20021
C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0002.dta   Win64/Olmarik.AD trojan (unable to clean)   00000000000000000000000000000000   I
C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0004.dta   Win64/Olmarik.AG trojan (unable to clean)   00000000000000000000000000000000   I
C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0005.dta   a variant of Win32/Rootkit.Kryptik.KS trojan (unable to clean)   00000000000000000000000000000000   I
C:\TDSSKiller_Quarantine\30.03.2012_14.48.11\mbr0000\tdlfs0000\tsk0006.dta   Win64/Olmarik.AF trojan (unable to clean)   00000000000000000000000000000000   I

SuperDave · « **Reply #22 on:** April 06, 2012, 11:35:07 AM »

Quote

I run Zone Alarm Security Suite and the teatimer program (is it SAS, or Spybot?

Is your Zone Alarm Security Suite firewall enabled? TeaTimer belongs to Spybot.

Quote

Why didn’t ZA or teatimer catch this stuff coming in? Do you think they prevented anything going out?

If your Firewall is like mine I would imagine it caught the out-going traffic.

Quote

They sent me an “invitation” I had to accept so they could gain remote access. Is there any chance that’s where the rootkits came from and they’re harmless? Is there any way to tell where they came from and what they did--or are doing?

It's almost impossible to determine where the rootkit came from.

Quote

I read also that malware can be downloaded to your computer through image files. Unfortunately, I have downloaded LOTS of image files--I draw as a hobby and when I see a picture I like, I download it to use as a reference. I have hundreds of pictures. I backed them all up to CD along with my other files when I did the back-ups this week. Would they have been scanned when downloaded? Would something have shown up if there was something in them? Could they/should they be scanned now on the CD? (I’d like to keep them if I could, but if there’s any chance they’ll do harm, I won’t keep them--but is it safe to get my other files off the disk now?)

I really depends where you downloaded them from. I really can't say if they had been scanned but I would imagine they were. They should be scanned before replacing them on your computer. Scan them with your AV and also MBAM.

Quote

Are there any other types of files malware could now be hiding in--word or excel files, for example..

Not likely unless you received a file from someone who was infected.

Quote

I read that the only way to be sure my computer is clean is to reformat completely and reinstall the disks. I’m not sure I could handle that, even if I bought the disks (could it be done from the recovery disks, or does reformatting require original installation disks?) Besides, how safe is it really for how long--if this stuff got in once, why couldn’t it get in again the first time I went on-line? Is it really a fail-safe?

That's really the safest way to go and it is fail-safe

Quote

I don’t save/remember passwords, not even in Outlook for e-mail; I don’t keep password lists on my computer--but I do have a document I save to flash-drive with passwords. Is it possible my passwords are compromised anyway--could the info be stolen when I had the file open while working in it? Same with account #s--the only time they’re on my computer is when I type them in on a “secure” site. Wouldn’t that require a program to log keystrokes, and is there any way to tell if that happened? (I e-filed my taxes, all our taxes, on-line about a month ago. I shudder to think that I typed in social security #s and everything. Is this info vulnerable?)

That could only be done if a keylogger was put on your computer and there was no evidence of that.

Quote

One of the articles mentioned something about changing passwords if you use a router. We have a router; this computer is attached to the router through a line, but my daughter’s laptop is wireless. This computer is the administrator for the router. Is her computer in danger? Do I need to change the password? (And if I do, how do I know it’s safe to do it now?)

Some modems do have passwords on them and some don't. I probably wouldn't hurt to change it.

Quote

I had ZA off for about a day when it seemed to be causing the problem (I exited from the task tray; does that turn off the firewall too, or just the antivirus?) It’s been back on most of the time since then though. But teatimer resident is still off--I turned it off when your instructions said to. Should I turn it back on yet?

I'm not sure how ZoneAlarm works. You should turn on teatimer again.

Quote

ZA scanned while ESET was scanning, and it came up with 4 items--but when I looked at them, it appeared they were all items quarantined by TDSSKiller. I’m assuming they’re nothing to worry about now. Is that correct?

As soon as TDSSKiller is removed, they will be gone.

Quote

My big fear is having done the income taxes and paying bills on-line, wondering how much of a possibility there is that my information was compromised. I thought as I was on a secure site there was nothing to worry about. Is there no way to determine if anything was stolen?

I highly doubt it especially if you have the ZoneAlarm Firewall enabled.
Let's do some cleanup

To uninstall ComboFix

Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

Then, press Enter, or click OK.
This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.

*****************************************************
Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
*****************************************************
Use the Secunia Software Inspector to check for out of date software.

•Click Start Now

•Check the box next to Enable thorough system inspection.

•Click Start

•Allow the scan to finish and scroll down to see if any updates are needed.
•Update anything listed.
.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

diggerjoy · « **Reply #23 on:** April 07, 2012, 12:03:18 PM »

Hi Superdave,
I can't thank you enough, both for helping me and for having the patience to answer all my questions (and address my fears!). I ran the scans you recommended. I have just a couple more questions:

I have been running Zone Alarm suite, spybot, and SAS for a couple of years; I update them periodically (I have to get back onto a schedule again, I admit) and also do scans with MBAM, CCleaner, Spyware Blaster...should I keep doing all of this, or are any of them not really necessary? I was thinking I should add TFC (or is CCleaner enough), ESET, Securia occasionally...should I? Should I also be running anything else on a regular basis (like TDSSkiller?) or are these better left to only when there are problems and someone who actually knows what they're doing is supervising their use?

Should I now delete all of the programs we used in this fix and their logs from my desktop, or just move them to a folder and keep them?

Secunia listed 4 instances of Java; I checked Java's website and they said delete older versions, so I'm just updating the latest.

Are we all done now, and would it be OK to defrag? With all the stuff I've removed, I'm sure it needs it.

Again, Thank you for all you've done; I can't imagine how I would have handled this without you. As I said, this computer is my livelihood and my family's sole income and source of security. What you've done is extremely important. Thank you again!

SuperDave · « **Reply #24 on:** April 07, 2012, 12:37:21 PM »

Quote

I have been running Zone Alarm suite, spybot, and SAS for a couple of years; I update them periodically (I have to get back onto a schedule again, I admit) and also do scans with MBAM, CCleaner, Spyware Blaster...should I keep doing all of this, or are any of them not really necessary?

It's probably not necessary but if you have the time it wouldn't hurt.

Quote

I was thinking I should add TFC (or is CCleaner enough), ESET, Securia occasionally...should I?

Wouldn't hurt.

Quote

Should I also be running anything else on a regular basis (like TDSSkiller?) or are these better left to only when there are problems and someone who actually knows what they're doing is supervising their use?

No, that's not necessary.

Quote

Should I now delete all of the programs we used in this fix and their logs from my desktop, or just move them to a folder and keep them?

Not necessary. You probably won't need them again.

Quote

Are we all done now, and would it be OK to defrag? With all the stuff I've removed, I'm sure it needs it.

It's a good idea to do that about once a month.

You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.

Computer Hope Forum

News:

Author Topic: "..." not a valid Win32 application, The application or DLL not valid windows im (Read 30198 times)

diggerjoy

SuperDave

diggerjoy

diggerjoy

SuperDave

diggerjoy

SuperDave

diggerjoy

SuperDave

diggerjoy

SuperDave

diggerjoy

SuperDave

diggerjoy

SuperDave

diggerjoy

SuperDave

diggerjoy

SuperDave

diggerjoy

SuperDave

diggerjoy

SuperDave

diggerjoy

SuperDave