
Topic: Virus or worm has disabled internet, hidden program and other files


padraig (Topic Starter)
    About two weeks ago I received a notification of a "serious error" or something to that effect. It has disabled my Internet Explorer and Firefox from connecting to the internet. It has also hidden Control Panel, all programs and virtually everything from my desktop.

    I have run Malwarebytes and Super AntiSpyware and it located a worm and trojan virus, removed them but upon reboot the problem comes back. I read through other solutions that have you find and delete "autorun.ini" and "scvhost.exe" files from windows/system32 but those files are not located in that directory.

    I am a novice and would really appreciate any assistance from anyone with some patience that can walk me through removing this virus.

    System is Windows XP and I have been successful in resetting Control Panel so it is visible and "unhiding" all files, but IE8 and Firefox are blocked, my PC Tools Firewall Plus takes about 30 minutes to "initialize" and locks up the PC, and DDS only runs in Safe Mode.

    Is it time to reformat? If so, how can I backup my documents, photos and music?

    DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
    Run by Administrator at 16:58:16 on 2012-08-10
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.656 [GMT -4:00]
    .
    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: PC Tools Firewall Plus *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = www.msn.com
    uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
    uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
    uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061220
    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
    BHO: {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - No File
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
    BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo\YontooIEClient.dll
    TB: free-downloads.net Toolbar: {ecdee021-0d17-467f-a1ff-c7a115230949} - c:\program files\free-downloads.net\tbfree.dll
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
    TB: {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - No File
    uRun: [OE_OEM] "c:\program files\trend micro\internet security 12\tmas_oe\TMAS_OEMon.exe"
    uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    dRun: [Autodesk] rundll32.exe "c:\documents and settings\patrick\local settings\application data\collectorz.com\autodesk\kzaayba.dll",CreateInstance
    mExplorerRun: [NoActiveDesktopChanges] 00000000
    mExplorerRun: [NoActiveDesktop] 0 (0x0)
    mExplorerRun: [NoSaveSettings] 0 (0x0)
    mExplorerRun: [ClassicShell] 0 (0x0)
    uPolicies-system: NoDispBackgroundPage = 1 (0x1)
    mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_29.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16}
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341148687936
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
    TCP: Interfaces\{ADAF9F37-7BA6-4D33-8326-4BA6B12F9E72} : DhcpNameServer = 209.18.47.61 209.18.47.62
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\tfpwaynx.default\
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-7-11 116608]
    R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2012-4-7 821592]
    R3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [2012-7-5 54144]
    S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys --> c:\windows\system32\drivers\avgidshx.sys [?]
    S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-3-27 233136]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-11-17 12880]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-11-17 67664]
    S2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [2006-7-14 13824]
    S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\common files\intuit\update service v4\IntuitUpdateService.exe [2011-8-25 13672]
    S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2010-3-27 88040]
    S2 PCToolsFirewallPlus;PC Tools Firewall Plus;c:\program files\pc tools firewall plus\FWService.exe [2010-3-27 818432]
    S2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [2006-7-14 13696]
    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys --> c:\windows\system32\drivers\avgidsshimx.sys [?]
    S3 cpuz132;cpuz132;\??\c:\docume~1\patrick\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\patrick\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
    S3 dlci_device;dlci_device;c:\windows\system32\dlcicoms.exe -service --> c:\windows\system32\dlcicoms.exe -service [?]
    S3 FileMonitor;FileMonitor;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\FileMonitor.sys [2012-4-7 246816]
    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-5-5 113120]
    S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [2010-3-27 70664]
    S3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [2010-3-27 58816]
    S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2010-3-27 115216]
    S3 RegFilter;RegFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\RegFilter.sys [2012-4-7 30368]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-11-17 12872]
    S3 UrlFilter;UrlFilter;c:\program files\iobit\iobit malware fighter\drivers\wxp_x86\UrlFilter.sys [2012-4-7 16208]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]
    .
    =============== File Associations ===============
    .
    JSEFile=NOTEPAD.EXE %1
    .
    =============== Created Last 30 ================
    .
    2012-08-10 17:49:43 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla
    2012-08-10 17:30:21 -------- d-----w- c:\documents and settings\administrator\application data\Windows Search
    2012-08-10 14:50:57 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
    2012-08-10 14:50:36 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
    2012-08-05 21:12:25 68992 ----a-w- c:\windows\system32\drivers\ff82985559e36c89.sys
    2012-08-05 20:25:55 340992 ----a-w- c:\documents and settings\all users\application data\bCwRoBpGTIRFPgh.exe
    2012-08-05 15:49:26 -------- d-----w- c:\program files\DVD Decrypter
    2012-07-29 21:20:58 1347344 ---ha-w- c:\windows\system32\MSVBVM50.dll
    2012-07-28 21:19:11 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
    2012-07-28 21:19:11 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll
    2012-07-14 12:55:16 -------- d-----w- c:\documents and settings\all users\application data\PC Utility Kit
    .
    ==================== Find3M ====================
    .
    2012-08-05 15:39:48 70344 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-08-05 15:39:48 426184 ---ha-w- c:\windows\system32\FlashPlayerApp.exe
    2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
    2012-06-05 15:50:25 1372672 ---ha-w- c:\windows\system32\msxml6.dll
    2012-06-05 15:50:25 1172480 ---ha-w- c:\windows\system32\msxml3.dll
    2012-06-04 21:35:26 222448 ---ha-w- c:\windows\system32\muweb.dll
    2012-06-04 04:32:08 152576 ---ha-w- c:\windows\system32\schannel.dll
    2012-06-02 19:19:44 22040 ---ha-w- c:\windows\system32\wucltui.dll.mui
    2012-06-02 19:19:38 219160 ---ha-w- c:\windows\system32\wuaucpl.cpl
    2012-06-02 19:19:38 15384 ---ha-w- c:\windows\system32\wuaucpl.cpl.mui
    2012-06-02 19:19:34 15384 ---ha-w- c:\windows\system32\wuapi.dll.mui
    2012-06-02 19:19:30 17944 ---ha-w- c:\windows\system32\wuaueng.dll.mui
    2012-06-02 19:18:58 275696 ---ha-w- c:\windows\system32\mucltui.dll
    2012-06-02 19:18:58 17136 ---ha-w- c:\windows\system32\mucltui.dll.mui
    2012-05-31 13:22:09 599040 ---ha-w- c:\windows\system32\crypt32.dll
    2012-05-16 15:08:26 916992 ---ha-w- c:\windows\system32\wininet.dll
    1997-06-23 1750 287504 --sha-w- c:\windows\system32\Msxbse35.dll
    .
    ============= FINISH: 17:04:48.89 ===============
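As an added example (not part of the original post, and not anything DDS itself produces), the following Python script runs a few triage heuristics over lines copied from the DDS log above. The rules are the editor's own assumptions about what deserves a second look rather than DDS logic: an autorun that has rundll32 load a DLL out of a user profile, an Explorer/System restriction policy with a non-zero value, orphaned BHO/toolbar entries marked "No File", and files from the "Created Last 30" section that are kernel drivers or executables dropped directly into an Application Data folder. The line formats (`uRun:`, `uPolicies-system:`, the date/size/attribute rows) are read off the posted log.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the DDS log posted in this thread
# (autorun entries, policies, browser add-ons and "Created Last 30" rows).
DDS_EXCERPT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [00PCTFW] "c:\program files\pc tools firewall plus\FirewallGUI.exe" -s
dRun: [Autodesk] rundll32.exe "c:\documents and settings\patrick\local settings\application data\collectorz.com\autodesk\kzaayba.dll",CreateInstance
uPolicies-system: NoDispBackgroundPage = 1 (0x1)
mPolicies-explorer: NoSimpleStartMenu = 0 (0x0)
BHO: {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} - No File
TB: {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - No File
2012-08-10 17:49:43 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla
2012-08-05 21:12:25 68992 ----a-w- c:\windows\system32\drivers\ff82985559e36c89.sys
2012-08-05 20:25:55 340992 ----a-w- c:\documents and settings\all users\application data\bCwRoBpGTIRFPgh.exe
2012-07-28 21:19:11 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll
"""

# Line shapes as they appear in DDS output (assumed from the log above, not from DDS docs).
RUN_RE = re.compile(r'^(?P<hive>[umd])Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
POLICY_RE = re.compile(r'^(?P<hive>[umd])Policies-(?P<key>\w+): (?P<value>\w+) = (?P<num>\d+)')
NOFILE_RE = re.compile(r'^(?P<kind>BHO|TB): .* - No File$')
CREATED_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<size>\d+) (?P<attrs>[-a-z]+) (?P<path>.+)$')
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}


def _finding(severity: str, kind: str, subject: str, evidence: str) -> Dict[str, str]:
    return {"severity": severity, "kind": kind, "subject": subject, "evidence": evidence}


def classify(line: str) -> Optional[Dict[str, str]]:
    """Apply the triage heuristics to one DDS line; None means nothing stood out."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd").lower()
        # Heuristic: rundll32 loading a DLL out of a user profile is a common loader pattern.
        if "rundll32" in cmd and "\\documents and settings\\" in cmd and "\\application data\\" in cmd:
            where = f'{HIVE[m.group("hive")]} Run [{m.group("name")}]'
            return _finding("high", "rundll32 autorun loading a DLL from a user profile", where, line)
        return None
    m = POLICY_RE.match(line)
    if m:
        # Heuristic: a non-zero Explorer/System restriction policy on a home PC is worth a look.
        if int(m.group("num")) != 0:
            return _finding("medium", "restrictive Explorer/System policy set", m.group("value"), line)
        return None
    m = NOFILE_RE.match(line)
    if m:
        return _finding("low", "orphaned browser add-on entry (No File)", m.group("kind"), line)
    m = CREATED_RE.match(line)  # only files match: directory rows carry "--------" as size
    if m:
        parent, _, name = m.group("path").rpartition("\\")
        parent, low = parent.lower(), name.lower()
        if low.endswith(".sys") and parent.endswith("\\system32\\drivers"):
            return _finding("high", "kernel driver created in the last 30 days", name, line)
        if low.endswith(".exe") and parent.endswith("\\application data"):
            return _finding("high", "executable dropped directly into an Application Data folder", name, line)
    return None


def triage(text: str) -> List[Dict[str, str]]:
    """Run classify() over every line and return the findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (classify(l) for l in text.splitlines()) if f]
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage(DDS_EXCERPT):
        print(f'[{f["severity"]:6}] {f["kind"]}: {f["subject"]}')
```

A finding is a prompt to look closer, not a verdict: the vendor-named entries in the same log (NvCplDaemon, the Canon and Adobe autoruns) pass straight through because they load from their own program directories, and that contrast is what makes the rundll32-from-profile rule useful.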

    Allan (Moderator)
    Re: Virus or worm has disabled internet, hidden program and other files
    « Reply #1 on: August 18, 2012, 11:41:30 AM »
    Please follow the instructions in the following link and post your logs:
    http://www.computerhope.com/forum/index.php/topic,46313.0.html

      padraig (Topic Starter)
      Re: Virus or worm has disabled internet, hidden program and other files
      « Reply #2 on: August 18, 2012, 12:19:46 PM »
      PC will not connect to internet and will not read USB flash drive to enable me to run any other scan from the sources listed in the instructions. Is there any other way to solve this without reformatting the hard drive? If not, how can I make sure that I do not lose all of my photos, documents and music?

      SuperDave (Malware Removal Specialist, Moderator)
      Re: Virus or worm has disabled internet, hidden program and other files
      « Reply #3 on: August 18, 2012, 04:56:24 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
      *************************************************************************
      Please physically disconnect your computer from the electrical plug for a few seconds and then reconnect it. Try your USB ports to see if they're working now. If they are still not working you could use a CD/DVD-RW to transfer the programs to the computer.
      As soon as you are able to do so, please save all your important data to an external hard drive or DVDs. You can use RWs, which are re-usable.
      Also, as soon as you're able please run MBAM and SAS again and post the logs.


      • Please download Unhide by Grinler from here and save it to your desktop.
      • Double click unhide.exe to run the tool.
      • It will take some time to go through all your files, so please be patient.
      • If this tool doesn't fix the problem, please let me know.
      ********************************************************
      Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
      Save Rkill to your desktop.

      There are 7 different versions. If one of them won't run then download and try to run the other one.

      Vista and Win7 users need to right click Rkill and choose Run as Administrator.

      You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

      * Rkill.exe
      * Rkill.com
      * Rkill.scr
      * WiNlOgOn.exe
      * uSeRiNiT.exe
      * iExplore.exe
      * eXplorer.exe
      Once you've gotten one of them to run then try to immediately run the following.
      ********************************************************
      • Please download Dial-A-Fix from one of the following mirrors:

      Primary mirror
      Secondary mirror

      • Extract the zip file to your desktop.

      • Double click Dial-a-Fix.exe to start the program. Dial-A-Fix might give you a lot of errors; just ignore them and click to continue.

      • Press the green double checkmark box.

      UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this:

      • Click on Go

      • Wait for Dial-A-Fix to finish (all the check marks will be gone)

      • Close Dial-A-Fix.

        padraig (Topic Starter)
        Re: Virus or worm has disabled internet, hidden program and other files
        « Reply #4 on: August 19, 2012, 04:55:00 PM »
        Thanks for taking the time to assist me.

        Here is what I have completed so far:

        After another BSOD  >:(

        I have saved photos and other documents to an external hard drive.

        Ran Malwarebytes (log follows)

        Ran SuperAntiSpyware (log follows)

        Downloaded the Rkill and ran (log follows)

        Downloaded Dial-a-Fix and ran (several error messages, especially dlls, as you warned)

        FYI: my Startup has the programs listed but the shortcuts to the program executables are "empty"



        Unhide by Lawrence Abrams (Grinler)
        http://www.bleepingcomputer.com/
        Copyright 2008-2012 BleepingComputer.com
        More Information about Unhide.exe can be found at this link:
          http://www.bleepingcomputer.com/forums/topic405109.html

        Program started at: 08/19/2012 04:22:40 PM
        Windows Version: Windows XP

        Please be patient while your files are made visible again.

        Processing the A:\ drive
        Finished processing the A:\ drive. 0 files processed.

        Processing the C:\ drive
        Finished processing the C:\ drive. 168373 files processed.

        Processing the D:\ drive
        Finished processing the D:\ drive. 44292 files processed.

        Processing the H:\ drive
        Finished processing the H:\ drive. 3981 files processed.

        Processing the I:\ drive
        Finished processing the I:\ drive. 13593 files processed.

        Processing the J:\ drive
        Finished processing the J:\ drive. 126 files processed.

        The C:\DOCUME~1\Patrick\LOCALS~1\Temp\smtmp\ folder does not exist!!
        Unhide cannot restore your missing shortcuts!!
        Please see this topic in order to learn how to restore default
        Start Menu shortcuts: http://www.bleepingcomputer.com/forums/topic405109.html

        Searching for Windows Registry changes made by FakeHDD rogues.
         - Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
         - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
         - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
         - Checking HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
         - Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
        No registry changes detected.

        Restarting Explorer.exe in order to apply changes.

        Malwarebytes' Anti-Malware 1.36
        Database version: 1945
        Windows 5.1.2600 Service Pack 3

        8/19/2012 5:59:07 PM
        mbam-log-2012-08-19 (17-59-07).txt

        Scan type: Full Scan (C:\|D:\|)
        Objects scanned: 294779
        Time elapsed: 1 hour(s), 29 minute(s), 48 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 0
        Registry Values Infected: 0
        Registry Data Items Infected: 0
        Folders Infected: 0
        Files Infected: 0

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        (No malicious items detected)

        Registry Values Infected:
        (No malicious items detected)

        Registry Data Items Infected:
        (No malicious items detected)

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        (No malicious items detected)

        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 08/19/2012 at 06:40 PM

        Application Version : 5.5.1012

        Core Rules Database Version : 8324
        Trace Rules Database Version: 6136

        Scan type       : Complete Scan
        Total Scan Time : 02:09:20

        Operating System Information
        Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
        Administrator

        Memory items scanned      : 484
        Memory threats detected   : 1
        Registry items scanned    : 38459
        Registry threats detected : 8
        File items scanned        : 81293
        File threats detected     : 28

        Adware.Tracking Cookie
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\Z5MHQWX0.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\GTRI8D6P.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\HTS8J24I.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\JBE9MDX2.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\T7O8V58S.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\YM140FQJ.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\DZSVHZ50.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\4XX04TPW.txt [ Cookie:[email protected]/cgi-bin ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\LNA4ALTW.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\HNOO22JJ.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\YBU3IZN2.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\0T0RVP6A.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\DI2BSNLJ.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\ENZ5SY9R.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\P6XO1EKW.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\2ZH8SOZ7.txt [ Cookie:[email protected]/ ]
           C:\DOCUMENTS AND SETTINGS\ANNA\Cookies\JLSW5SIY.txt [ Cookie:[email protected]/ ]
           .apmebf.com [ C:\DOCUMENTS AND SETTINGS\PATRICK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9X4XQV4C.DEFAULT-1344721266250\COOKIES.SQLITE ]
           .mediaplex.com [ C:\DOCUMENTS AND SETTINGS\PATRICK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9X4XQV4C.DEFAULT-1344721266250\COOKIES.SQLITE ]
           .mediaplex.com [ C:\DOCUMENTS AND SETTINGS\PATRICK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9X4XQV4C.DEFAULT-1344721266250\COOKIES.SQLITE ]
           .imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\PATRICK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9X4XQV4C.DEFAULT-1344721266250\COOKIES.SQLITE ]
           .imrworldwide.com [ C:\DOCUMENTS AND SETTINGS\PATRICK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9X4XQV4C.DEFAULT-1344721266250\COOKIES.SQLITE ]
           .doubleclick.net [ C:\DOCUMENTS AND SETTINGS\PATRICK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9X4XQV4C.DEFAULT-1344721266250\COOKIES.SQLITE ]
           .tribalfusion.com [ C:\DOCUMENTS AND SETTINGS\PATRICK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9X4XQV4C.DEFAULT-1344721266250\COOKIES.SQLITE ]
           .doubleclick.net [ C:\DOCUMENTS AND SETTINGS\PATRICK\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9X4XQV4C.DEFAULT-1344721266250\COOKIES.SQLITE ]

        Trojan.Agent/Gen-6TO4EX
           HKLM\System\ControlSet003\Services\6TO4
           C:\WINDOWS\SYSTEM32\6TO4EX.DLL
           HKLM\System\ControlSet003\Enum\Root\LEGACY_6TO4
           HKLM\System\ControlSet004\Services\6TO4
           HKLM\System\ControlSet004\Enum\Root\LEGACY_6TO4
           HKLM\System\CurrentControlSet\Services\6TO4
           HKLM\System\CurrentControlSet\Enum\Root\LEGACY_6TO4
           C:\WINDOWS\SYSTEM32\6TO4EX.DLL

        Worm.SYSHost
           HKLM\system\controlset003\services\syshost32
           C:\WINDOWS\INSTALLER\{21AFBFB6-53EF-36C2-120C-7E9BF1C4C429}\SYSHOST.EXE
           HKLM\system\controlset004\services\syshost32
           C:\WINDOWS\Prefetch\SYSHOST.EXE-21ACC27B.pf


        Rkill 2.2.1 by Lawrence Abrams (Grinler)
        http://www.bleepingcomputer.com/
        Copyright 2008-2012 BleepingComputer.com
        More Information about Rkill can be found at this link:
         http://www.bleepingcomputer.com/forums/topic308364.html

        Program started at: 08/19/2012 06:46:09 PM in x86 mode.
        Windows Version: Windows XP

        Checking for Windows services to stop.

         * No malware services found to stop.

        Checking for processes to terminate.

         * C:\WINDOWS\wanmpsvc.exe (PID: 1780) [WD-HEUR]
         * C:\WINDOWS\System32\DLA\DLACTRLW.EXE (PID: 3112) [WD-HEUR]
         * C:\Documents and Settings\Patrick\govkhca.exe (PID: 3180) [UP-HEUR]

        3 proccesses terminated!

        Checking Registry for malware related settings.

         * No issues found in the Registry.

        Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
          * HKLM\Software\Classes\.com "@" has been changed to ComFile!
          * HKLM\Software\Classes\.com "@"was reset to comfile!


        Performing miscellaneous checks.

         * ALERT: ZEROACCESS rootkit symptoms found!

             * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
             * HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32 [ZA Reg Hijack]
             * C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\ [ZA Dir]
             * C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\@ [ZA File]
             * C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L\ [ZA Dir]
             * C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n [ZA File]
             * C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\ [ZA Dir]
             * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\ [ZA Dir]
             * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\@ [ZA File]
             * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L\ [ZA Dir]
             * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L\00000004.@ [ZA File]
             * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n [ZA File]
             * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\ [ZA Dir]
             * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\00000004.@ [ZA File]
             * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\00000008.@ [ZA File]
             * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\000000cb.@ [ZA File]
             * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\80000000.@ [ZA File]
             * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\80000032.@ [ZA File]

        Checking Windows Service Integrity:

         * BITS [Missing Service]
         * wscsvc [Missing Service]
         * wuauserv [Missing Service]
         * SharedAccess [Missing ImagePath]
         * COMSysApp => %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} [Incorrect ImagePath]
         * ImapiService => %systemroot%\system32\imapi.exe [Incorrect ImagePath]
         * MSIServer => %systemroot%\system32\msiexec.exe /V [Incorrect ImagePath]
         * atapi => \SystemRoot\system32\DRIVERS\atapi.sys [Incorrect ImagePath]
         * srservice => %SystemRoot%\system32\srsvc.dll [Incorrect ServiceDLL]
         * W32Time => %systemroot%\system32\w32time.dll [Incorrect ServiceDLL]

        Searching for Missing Digital Signatures:
         * No issues found.

        Program finished at: 08/19/2012 06:46:26 PM
        Execution time: 0 hours(s), 0 minute(s), and 16 seconds(s)
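As an added example (not part of the thread, and not Rkill's own code), here is a Python parser for the three sections of the Rkill log above that a helper actually acts on: the processes it terminated, the ZeroAccess indicator list, and the service-integrity check. The section headings and the `* item [Tag]` line shape are read off the posted log rather than from any Rkill documentation, and the sample is an abridged copy of that log.

```python
import re
from typing import Any, Dict

# Constructed sample: an abridged copy of the Rkill log posted above
# (process, ZeroAccess and service-integrity sections only).
RKILL_EXCERPT = r"""
Checking for processes to terminate.

 * C:\WINDOWS\wanmpsvc.exe (PID: 1780) [WD-HEUR]
 * C:\WINDOWS\System32\DLA\DLACTRLW.EXE (PID: 3112) [WD-HEUR]
 * C:\Documents and Settings\Patrick\govkhca.exe (PID: 3180) [UP-HEUR]

3 proccesses terminated!

 * ALERT: ZEROACCESS rootkit symptoms found!

     * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
     * HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32 [ZA Reg Hijack]
     * C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\ [ZA Dir]
     * C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\@ [ZA File]
     * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\ [ZA Dir]
     * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\00000004.@ [ZA File]
     * C:\WINDOWS\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\80000032.@ [ZA File]

Checking Windows Service Integrity:

 * BITS [Missing Service]
 * wscsvc [Missing Service]
 * wuauserv [Missing Service]
 * SharedAccess [Missing ImagePath]
 * COMSysApp => %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} [Incorrect ImagePath]
 * atapi => \SystemRoot\system32\DRIVERS\atapi.sys [Incorrect ImagePath]
 * srservice => %SystemRoot%\system32\srsvc.dll [Incorrect ServiceDLL]
 * W32Time => %systemroot%\system32\w32time.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:
 * No issues found.
"""

# "* <body> [Tag]" is the item shape used in the sections we care about (assumed from the log).
ITEM_RE = re.compile(r'^\* (?P<body>.+?) \[(?P<tag>[^\]]+)\]$')
PROC_RE = re.compile(r'^(?P<path>.+) \(PID: (?P<pid>\d+)\)$')
ZA_TAGS = ("ZA Reg Hijack", "ZA Dir", "ZA File")
# Heading prefix -> section name; None closes the current section.
SECTION_STARTS = {
    "Checking for processes to terminate": "terminated",
    "* ALERT: ZEROACCESS": "zeroaccess",
    "Checking Windows Service Integrity": "services",
    "Searching for Missing Digital Signatures": None,
}


def parse_rkill(text: str) -> Dict[str, Any]:
    """Walk the log once, switch section on the headings, and bucket tagged items."""
    report: Dict[str, Any] = {"terminated": [], "zeroaccess": {}, "services": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = [s for prefix, s in SECTION_STARTS.items() if line.startswith(prefix)]
        if hit:  # a heading matched (its value may legitimately be None)
            section = hit[0]
            continue
        m = ITEM_RE.match(line)
        if not m or section is None:
            continue
        body, tag = m.group("body"), m.group("tag")
        if section == "terminated":
            pm = PROC_RE.match(body)
            if pm:
                report["terminated"].append({"path": pm.group("path"), "pid": int(pm.group("pid")), "tag": tag})
        elif section == "zeroaccess":
            report["zeroaccess"].setdefault(tag, []).append(body)
        elif section == "services":
            # "name => image [Tag]" for tampered entries, bare "name [Tag]" for missing ones
            report["services"].setdefault(tag, []).append(body.split(" => ")[0])
    return report


def assess(report: Dict[str, Any]) -> Dict[str, Any]:
    """Condense the parsed log into the facts a helper would act on."""
    za, services = report["zeroaccess"], report["services"]
    tampered = [n for tag, names in services.items() if tag.startswith("Incorrect") for n in names]
    return {
        "zeroaccess_indicators": sum(len(za.get(t, [])) for t in ZA_TAGS),
        "clsid_hijacks": len(za.get("ZA Reg Hijack", [])),
        "missing_services": list(services.get("Missing Service", [])),
        "tampered_services": sorted(tampered, key=str.lower),
        "terminated": [p["path"] for p in report["terminated"]],
    }


if __name__ == "__main__":
    print(assess(parse_rkill(RKILL_EXCERPT)))
```

Splitting the result this way keeps the two halves of the picture apart: the CLSID InprocServer32 hijacks and the `@`/`U`/`L` tree under a GUID folder are the rootkit's own persistence, while BITS, wscsvc and wuauserv (Background Intelligent Transfer, Security Center and Automatic Updates) are Windows services that are simply gone and have to be recreated by the cleanup, not merely deleted along with the rootkit's files.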

        SuperDave (Malware Removal Specialist, Moderator)
        Re: Virus or worm has disabled internet, hidden program and other files
        « Reply #5 on: August 19, 2012, 07:05:37 PM »
        • Download TDSSKiller and save it to your Desktop.
        • Extract its contents to your desktop.
        • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.

        • If an infected file is detected, the default action will be Cure; click on Continue.

        • If a suspicious file is detected, the default action will be Skip; click on Continue.

        • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

        • Click the Report button and copy/paste the contents of it into your next reply.
        Note: It will also create a log in the C:\ directory.
        ****************************************************************
        Please download aswMBR.exe (511KB) to your desktop.

        Double-click the aswMBR.exe to run it.

        Click the "Scan" button to start the scan.

        Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

        On completion of the scan, click save log, save it to your desktop and post it in your next reply.
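        SuperDave asks for the TDSSKiller report to be pasted back for review. A report of this kind runs to hundreds of "name - ok" lines, so the handful that matter (a "Suspicious service (NoAccess)" line, a "Suspicious file" line with an MD5, a "- detected ..." verdict) are easy to miss when reading by eye. The following Python script is an added example and is not code from this thread, from TDSSKiller or from Kaspersky: it folds a report into one record per service and prints only the entries a reviewer needs to look at. The sample lines are constructed in the report's format; the hex-named driver, its MD5 and the Necurs verdict are copied from the report posted further down this thread. The "random-hex-name" flag is my own heuristic, not a TDSSKiller rule: a service whose name is sixteen random-looking hex digits matches no stock Windows XP service and deserves a look even when the scanner says "ok".

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, in TDSSKiller report format. The hex-named driver, its MD5 and
# the Necurs verdict are copied from the report posted later in this thread; the other
# lines are a representative excerpt of the same report.
SAMPLE_REPORT = """\
12:11:50.0421 1120  ================ Scan services =============================
12:11:50.0546 1120  [ C0393EB99A6C72C6BEF9BFC4A72B33A6 ] !SASCORE        C:\\Program Files\\SUPERAntiSpyware\\SASCORE.EXE
12:11:50.0546 1120  !SASCORE - ok
12:11:50.0718 1120  Suspicious service (NoAccess): 9445fee0eea6d169
12:11:50.0765 1120  [ 7B35FA55C4E1D85B70BA0743D2DA9899 ] 9445fee0eea6d169 C:\\WINDOWS\\System32\\Drivers\\9445fee0eea6d169.sys
12:11:50.0765 1120  Suspicious file (NoAccess): C:\\WINDOWS\\System32\\Drivers\\9445fee0eea6d169.sys. md5: 7B35FA55C4E1D85B70BA0743D2DA9899
12:11:51.0437 1120  9445fee0eea6d169 ( Rootkit.Win32.Necurs.gen ) - infected
12:11:51.0437 1120  9445fee0eea6d169 - detected Rootkit.Win32.Necurs.gen (0)
12:11:51.0484 1120  Abiosdsk - ok
12:11:52.0328 1120  [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi           C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
12:11:52.0343 1120  atapi - ok
"""

# Every report line starts with "HH:MM:SS.mmmm <thread-id>"; strip that before matching.
_PREFIX = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s+")
_ENTRY = re.compile(r"^\[ ([0-9A-Fa-f]{32}) \] (\S+)\s+(.+?)\s*$")
_OK = re.compile(r"^(\S+) - ok$")
_DETECTED = re.compile(r"^(\S+) - detected (\S+)")
_INFECTED = re.compile(r"^(\S+) \( (.+?) \) - infected$")
_SUSP_SERVICE = re.compile(r"^Suspicious service \((\w+)\): (\S+)$")
_SUSP_FILE = re.compile(r"^Suspicious file \((\w+)\): (.+?)\. md5: ([0-9A-Fa-f]{32})$")
# Heuristic (an assumption of this example, not a TDSSKiller rule): sixteen hex digits
# is not the name of any stock Windows XP service or driver.
_RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{16}$")


@dataclass
class ServiceRecord:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None          # "ok", the detection name, or None if no verdict line
    flags: List[str] = field(default_factory=list)


def parse_report(text: str) -> Dict[str, ServiceRecord]:
    """Fold the per-service lines of a TDSSKiller report into one record per service."""
    records: Dict[str, ServiceRecord] = {}
    by_path: Dict[str, ServiceRecord] = {}   # lets "Suspicious file" lines find their service

    def rec(name: str) -> ServiceRecord:
        if name not in records:
            r = ServiceRecord(name)
            if _RANDOM_HEX_NAME.match(name):
                r.flags.append("random-hex-name")
            records[name] = r
        return records[name]

    for raw in text.splitlines():
        line = _PREFIX.sub("", raw.rstrip())
        if m := _ENTRY.match(line):
            r = rec(m.group(2))
            r.md5, r.path = m.group(1).upper(), m.group(3)
            by_path[r.path.lower()] = r
        elif m := _SUSP_SERVICE.match(line):
            rec(m.group(2)).flags.append(f"service:{m.group(1)}")
        elif m := _SUSP_FILE.match(line):
            r = by_path.get(m.group(2).lower())
            if r is not None:
                r.flags.append(f"file:{m.group(1)}")
        elif m := _INFECTED.match(line):
            rec(m.group(1)).verdict = m.group(2)
        elif m := _DETECTED.match(line):
            rec(m.group(1)).verdict = m.group(2)
        elif m := _OK.match(line):
            rec(m.group(1)).verdict = "ok"
    return records


def triage(records: Dict[str, ServiceRecord]) -> List[ServiceRecord]:
    """Return only the entries worth a reviewer's time, most serious first.
    An entry with no verdict line at all (truncated report) is kept, not silently dropped."""
    hits = [r for r in records.values() if r.verdict != "ok" or r.flags]

    def severity(r: ServiceRecord) -> int:
        if r.verdict not in (None, "ok"):
            return 0                       # scanner gave a detection name
        if any(f.endswith(":NoAccess") for f in r.flags):
            return 1                       # scanner could not open the service or file
        return 2                           # name heuristic or missing verdict only

    return sorted(hits, key=lambda r: (severity(r), r.name))


if __name__ == "__main__":
    for r in triage(parse_report(SAMPLE_REPORT)):
        print(f"{r.name:20} verdict={str(r.verdict):28} md5={r.md5} "
              f"flags={','.join(r.flags)} path={r.path}")
```

        Run against a real report (`parse_report(open("TDSSKiller.log").read())`), the output is the short list to paste into a reply or to hand to whoever is reviewing the log; every "- ok" entry with a normal name and an accessible file is left out. Note the caveat that applies to the "NoAccess" flags: they mean the scanner was denied access to the object, which is exactly the behaviour expected of a rootkit protecting its driver, but it is the "- detected" verdict, not the access failure, that identifies what it is.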

        padraig

          Topic Starter


          Beginner

        • a coward dies a million times, free men die once
          • Experience: Beginner
          • OS: Windows XP
          Re: Virus or worm has disabled internet, hidden program and other files
          « Reply #6 on: August 24, 2012, 10:18:38 AM »
          Okay, I downloaded both files and ran TDSSKiller (log pasted below); aswMBR will not run on my desktop under my login nor as an Administrator.

          12:11:44.0390 2676  TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
          12:11:44.0437 2676  ============================================================
          12:11:44.0437 2676  Current date / time: 2012/08/24 12:11:44.0437
          12:11:44.0437 2676  SystemInfo:
          12:11:44.0437 2676 
          12:11:44.0437 2676  OS Version: 5.1.2600 ServicePack: 3.0
          12:11:44.0437 2676  Product type: Workstation
          12:11:44.0437 2676  ComputerName: FAMILYROOM
          12:11:44.0437 2676  UserName: Patrick
          12:11:44.0437 2676  Windows directory: C:\WINDOWS
          12:11:44.0437 2676  System windows directory: C:\WINDOWS
          12:11:44.0437 2676  Processor architecture: Intel x86
          12:11:44.0437 2676  Number of processors: 2
          12:11:44.0437 2676  Page size: 0x1000
          12:11:44.0437 2676  Boot type: Normal boot
          12:11:44.0437 2676  ============================================================
          12:11:47.0968 2676  !crdlk
          12:11:47.0968 2676  Drive \Device\Harddisk0\DR0 - Size: 0x3A35000000 (232.83 Gb), SectorSize: 0x200, Cylinders: 0x76B9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
          12:11:47.0984 2676  Drive \Device\Harddisk1\DR5 - Size: 0x7446E00000 (465.11 Gb), SectorSize: 0x200, Cylinders: 0xED2B, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
          12:11:48.0015 2676  Drive \Device\Harddisk2\DR7 - Size: 0xE8DED00000 (931.48 Gb), SectorSize: 0x200, Cylinders: 0x1DAFD, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
          12:11:48.0031 2676  Drive \Device\Harddisk3\DR9 - Size: 0x1E3000000 (7.55 Gb), SectorSize: 0x200, Cylinders: 0x3D9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
          12:11:48.0031 2676  ============================================================
          12:11:48.0031 2676  \Device\Harddisk0\DR0:
          12:11:48.0031 2676  MBR partitions:
          12:11:48.0031 2676  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1B747, BlocksNum 0x156DD1AB
          12:11:48.0062 2676  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x156F8931, BlocksNum 0x7342164
          12:11:48.0062 2676  \Device\Harddisk1\DR5:
          12:11:48.0062 2676  MBR partitions:
          12:11:48.0062 2676  \Device\Harddisk1\DR5\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A236FC0
          12:11:48.0062 2676  \Device\Harddisk2\DR7:
          12:11:48.0062 2676  MBR partitions:
          12:11:48.0062 2676  \Device\Harddisk2\DR7\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x746F6000
          12:11:48.0062 2676  \Device\Harddisk3\DR9:
          12:11:48.0062 2676  MBR partitions:
          12:11:48.0062 2676  \Device\Harddisk3\DR9\Partition1: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0xF17FC1
          12:11:48.0062 2676  ============================================================
          12:11:48.0093 2676  C: <-> \Device\Harddisk0\DR0\Partition1
          12:11:48.0140 2676  D: <-> \Device\Harddisk0\DR0\Partition2
          12:11:48.0171 2676  H: <-> \Device\Harddisk1\DR5\Partition1
          12:11:48.0234 2676  I: <-> \Device\Harddisk2\DR7\Partition1
          12:11:48.0234 2676  ============================================================
          12:11:48.0234 2676  Initialize success
          12:11:48.0234 2676  ============================================================
          12:11:50.0234 1120  ============================================================
          12:11:50.0234 1120  Scan started
          12:11:50.0234 1120  Mode: Manual;
          12:11:50.0234 1120  ============================================================
          12:11:50.0421 1120  ================ Scan system memory ========================
          12:11:50.0421 1120  System memory - ok
          12:11:50.0421 1120  ================ Scan services =============================
          12:11:50.0546 1120  [ C0393EB99A6C72C6BEF9BFC4A72B33A6 ] !SASCORE        C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
          12:11:50.0546 1120  !SASCORE - ok
          12:11:50.0703 1120  [ 60335C9FC69E34A7CC68B496F402FB17 ] 6to4            C:\WINDOWS\system32\6to4ex.dll
          12:11:50.0718 1120  6to4 - ok
          12:11:50.0718 1120  Suspicious service (NoAccess): 9445fee0eea6d169
          12:11:50.0765 1120  [ 7B35FA55C4E1D85B70BA0743D2DA9899 ] 9445fee0eea6d169 C:\WINDOWS\System32\Drivers\9445fee0eea6d169.sys
          12:11:50.0765 1120  Suspicious file (NoAccess): C:\WINDOWS\System32\Drivers\9445fee0eea6d169.sys. md5: 7B35FA55C4E1D85B70BA0743D2DA9899
          12:11:51.0437 1120  9445fee0eea6d169 ( Rootkit.Win32.Necurs.gen ) - infected
          12:11:51.0437 1120  9445fee0eea6d169 - detected Rootkit.Win32.Necurs.gen (0)
          12:11:51.0484 1120  Abiosdsk - ok
          12:11:51.0531 1120  [ 6ABB91494FE6C59089B9336452AB2EA3 ] abp480n5        C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
          12:11:51.0546 1120  abp480n5 - ok
          12:11:51.0593 1120  [ 8FD99680A539792A30E97944FDAECF17 ] ACPI            C:\WINDOWS\system32\DRIVERS\ACPI.sys
          12:11:51.0609 1120  ACPI - ok
          12:11:51.0640 1120  [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC          C:\WINDOWS\system32\drivers\ACPIEC.sys
          12:11:51.0640 1120  ACPIEC - ok
          12:11:51.0656 1120  [ 9A11864873DA202C996558B2106B0BBC ] adpu160m        C:\WINDOWS\system32\DRIVERS\adpu160m.sys
          12:11:51.0671 1120  adpu160m - ok
          12:11:51.0703 1120  [ 8BED39E3C35D6A489438B8141717A557 ] aec             C:\WINDOWS\system32\drivers\aec.sys
          12:11:51.0703 1120  aec - ok
          12:11:51.0734 1120  [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD             C:\WINDOWS\System32\drivers\afd.sys
          12:11:51.0734 1120  AFD - ok
          12:11:51.0781 1120  [ 08FD04AA961BDC77FB983F328334E3D7 ] agp440          C:\WINDOWS\system32\DRIVERS\agp440.sys
          12:11:51.0796 1120  agp440 - ok
          12:11:51.0796 1120  [ 03A7E0922ACFE1B07D5DB2EEB0773063 ] agpCPQ          C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
          12:11:51.0796 1120  agpCPQ - ok
          12:11:51.0828 1120  [ C23EA9B5F46C7F7910DB3EAB648FF013 ] Aha154x         C:\WINDOWS\system32\DRIVERS\aha154x.sys
          12:11:51.0828 1120  Aha154x - ok
          12:11:51.0843 1120  [ 19DD0FB48B0C18892F70E2E7D61A1529 ] aic78u2         C:\WINDOWS\system32\DRIVERS\aic78u2.sys
          12:11:51.0875 1120  aic78u2 - ok
          12:11:51.0890 1120  [ B7FE594A7468AA0132DEB03FB8E34326 ] aic78xx         C:\WINDOWS\system32\DRIVERS\aic78xx.sys
          12:11:51.0890 1120  aic78xx - ok
          12:11:51.0921 1120  [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter         C:\WINDOWS\system32\alrsvc.dll
          12:11:51.0921 1120  Alerter - ok
          12:11:51.0937 1120  [ 8C515081584A38AA007909CD02020B3D ] ALG             C:\WINDOWS\System32\alg.exe
          12:11:51.0937 1120  ALG - ok
          12:11:51.0953 1120  [ 1140AB9938809700B46BB88E46D72A96 ] AliIde          C:\WINDOWS\system32\DRIVERS\aliide.sys
          12:11:51.0953 1120  AliIde - ok
          12:11:51.0984 1120  [ CB08AED0DE2DD889A8A820CD8082D83C ] alim1541        C:\WINDOWS\system32\DRIVERS\alim1541.sys
          12:11:51.0984 1120  alim1541 - ok
          12:11:52.0000 1120  [ 95B4FB835E28AA1336CEEB07FD5B9398 ] amdagp          C:\WINDOWS\system32\DRIVERS\amdagp.sys
          12:11:52.0000 1120  amdagp - ok
          12:11:52.0015 1120  [ 79F5ADD8D24BD6893F2903A3E2F3FAD6 ] amsint          C:\WINDOWS\system32\DRIVERS\amsint.sys
          12:11:52.0015 1120  amsint - ok
          12:11:52.0062 1120  [ 85180CF88C5EBAD73B452A43A004CA51 ] AOL ACS         C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
          12:11:52.0062 1120  AOL ACS - ok
          12:11:52.0109 1120  [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt         C:\WINDOWS\System32\appmgmts.dll
          12:11:52.0125 1120  AppMgmt - ok
          12:11:52.0156 1120  [ 62D318E9A0C8FC9B780008E724283707 ] asc             C:\WINDOWS\system32\DRIVERS\asc.sys
          12:11:52.0156 1120  asc - ok
          12:11:52.0171 1120  [ 69EB0CC7714B32896CCBFD5EDCBEA447 ] asc3350p        C:\WINDOWS\system32\DRIVERS\asc3350p.sys
          12:11:52.0171 1120  asc3350p - ok
          12:11:52.0203 1120  [ 5D8DE112AA0254B907861E9E9C31D597 ] asc3550         C:\WINDOWS\system32\DRIVERS\asc3550.sys
          12:11:52.0203 1120  asc3550 - ok
          12:11:52.0281 1120  [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
          12:11:52.0296 1120  aspnet_state - ok
          12:11:52.0312 1120  [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac        C:\WINDOWS\system32\DRIVERS\asyncmac.sys
          12:11:52.0312 1120  AsyncMac - ok
          12:11:52.0328 1120  [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi           C:\WINDOWS\system32\DRIVERS\atapi.sys
          12:11:52.0343 1120  atapi - ok
          12:11:52.0343 1120  Atdisk - ok
          12:11:52.0359 1120  [ 9916C1225104BA14794209CFA8012159 ] Atmarpc         C:\WINDOWS\system32\DRIVERS\atmarpc.sys
          12:11:52.0359 1120  Atmarpc - ok
          12:11:52.0390 1120  [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv        C:\WINDOWS\System32\audiosrv.dll
          12:11:52.0390 1120  AudioSrv - ok
          12:11:52.0406 1120  [ D9F724AA26C010A217C97606B160ED68 ] audstub         C:\WINDOWS\system32\DRIVERS\audstub.sys
          12:11:52.0406 1120  audstub - ok
          12:11:52.0406 1120  AVGIDSHX - ok
          12:11:52.0421 1120  AVGIDSShim - ok
          12:11:52.0453 1120  [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep            C:\WINDOWS\system32\drivers\Beep.sys
          12:11:52.0453 1120  Beep - ok
          12:11:52.0468 1120  [ A06CE3399D16DB864F55FAEB1F1927A9 ] Browser         C:\WINDOWS\System32\browser.dll
          12:11:52.0468 1120  Browser - ok
          12:11:52.0484 1120  bvrp_pci - ok
          12:11:52.0531 1120  catchme - ok
          12:11:52.0546 1120  [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf           C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
          12:11:52.0546 1120  cbidf - ok
          12:11:52.0562 1120  [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k         C:\WINDOWS\system32\drivers\cbidf2k.sys
          12:11:52.0562 1120  cbidf2k - ok
          12:11:52.0578 1120  [ F3EC03299634490E97BBCE94CD2954C7 ] cd20xrnt        C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
          12:11:52.0578 1120  cd20xrnt - ok
          12:11:52.0593 1120  [ C1B486A7658353D33A10CC15211A873B ] Cdaudio         C:\WINDOWS\system32\drivers\Cdaudio.sys
          12:11:52.0593 1120  Cdaudio - ok
          12:11:52.0625 1120  [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs            C:\WINDOWS\system32\drivers\Cdfs.sys
          12:11:52.0625 1120  Cdfs - ok
          12:11:52.0640 1120  [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom           C:\WINDOWS\system32\DRIVERS\cdrom.sys
          12:11:52.0640 1120  Cdrom - ok
          12:11:52.0671 1120  CFcatchme - ok
          12:11:52.0687 1120  Changer - ok
          12:11:52.0718 1120  [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc           C:\WINDOWS\system32\cisvc.exe
          12:11:52.0718 1120  CiSvc - ok
          12:11:52.0734 1120  [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv         C:\WINDOWS\system32\clipsrv.exe
          12:11:52.0734 1120  ClipSrv - ok
          12:11:52.0781 1120  [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
          12:11:52.0781 1120  clr_optimization_v2.0.50727_32 - ok
          12:11:52.0812 1120  [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          12:11:52.0812 1120  clr_optimization_v4.0.30319_32 - ok
          12:11:52.0828 1120  [ E5DCB56C533014ECBC556A8357C929D5 ] CmdIde          C:\WINDOWS\system32\DRIVERS\cmdide.sys
          12:11:52.0828 1120  CmdIde - ok
          12:11:52.0843 1120  COMSysApp - ok
          12:11:52.0890 1120  [ 3EE529119EED34CD212A215E8C40D4B6 ] Cpqarray        C:\WINDOWS\system32\DRIVERS\cpqarray.sys
          12:11:52.0890 1120  Cpqarray - ok
          12:11:52.0890 1120  cpuz132 - ok
          12:11:52.0937 1120  [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc        C:\WINDOWS\System32\cryptsvc.dll
          12:11:52.0937 1120  CryptSvc - ok
          12:11:52.0968 1120  [ E550E7418984B65A78299D248F0A7F36 ] dac2w2k         C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
          12:11:52.0968 1120  dac2w2k - ok
          12:11:52.0984 1120  [ 683789CAA3864EB46125AE86FF677D34 ] dac960nt        C:\WINDOWS\system32\DRIVERS\dac960nt.sys
          12:11:52.0984 1120  dac960nt - ok
          12:11:53.0046 1120  [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch      C:\WINDOWS\system32\rpcss.dll
          12:11:53.0078 1120  DcomLaunch - ok
          12:11:53.0109 1120  [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp            C:\WINDOWS\System32\dhcpcsvc.dll
          12:11:53.0125 1120  Dhcp - ok
          12:11:53.0140 1120  [ 044452051F3E02E7963599FC8F4F3E25 ] Disk            C:\WINDOWS\system32\DRIVERS\disk.sys
          12:11:53.0140 1120  Disk - ok
          12:11:53.0171 1120  [ E2D0DE31442390C35E3163C87CB6A9EB ] DLABOIOM        C:\WINDOWS\system32\DLA\DLABOIOM.SYS
          12:11:53.0171 1120  DLABOIOM - ok
          12:11:53.0187 1120  [ D979BEBCF7EDCC9C9EE1857D1A68C67B ] DLACDBHM        C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
          12:11:53.0187 1120  DLACDBHM - ok
          12:11:53.0203 1120  [ 83545593E297F50A8E2524B4C071A153 ] DLADResN        C:\WINDOWS\system32\DLA\DLADResN.SYS
          12:11:53.0203 1120  DLADResN - ok
          12:11:53.0218 1120  [ 96E01D901CDC98C7817155CC057001BF ] DLAIFS_M        C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
          12:11:53.0218 1120  DLAIFS_M - ok
          12:11:53.0234 1120  [ 0A60A39CC5E767980A31CA5D7238DFA9 ] DLAOPIOM        C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
          12:11:53.0234 1120  DLAOPIOM - ok
          12:11:53.0250 1120  [ 9FE2B72558FC808357F427FD83314375 ] DLAPoolM        C:\WINDOWS\system32\DLA\DLAPoolM.SYS
          12:11:53.0250 1120  DLAPoolM - ok
          12:11:53.0265 1120  [ 7EE0852AE8907689DF25049DCD2342E8 ] DLARTL_N        C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
          12:11:53.0265 1120  DLARTL_N - ok
          12:11:53.0281 1120  [ F08E1DAFAC457893399E03430A6A1397 ] DLAUDFAM        C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
          12:11:53.0281 1120  DLAUDFAM - ok
          12:11:53.0296 1120  [ E7D105ED1E694449D444A9933DF8E060 ] DLAUDF_M        C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
          12:11:53.0296 1120  DLAUDF_M - ok
          12:11:53.0296 1120  dmadmin - ok
          12:11:53.0359 1120  [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot          C:\WINDOWS\system32\drivers\dmboot.sys
          12:11:53.0390 1120  dmboot - ok
          12:11:53.0437 1120  [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio            C:\WINDOWS\system32\drivers\dmio.sys
          12:11:53.0437 1120  dmio - ok
          12:11:53.0484 1120  [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload          C:\WINDOWS\system32\drivers\dmload.sys
          12:11:53.0484 1120  dmload - ok
          12:11:53.0515 1120  [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver        C:\WINDOWS\System32\dmserver.dll
          12:11:53.0515 1120  dmserver - ok
          12:11:53.0531 1120  [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic          C:\WINDOWS\system32\drivers\DMusic.sys
          12:11:53.0531 1120  DMusic - ok
          12:11:53.0562 1120  [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache        C:\WINDOWS\System32\dnsrslvr.dll
          12:11:53.0562 1120  Dnscache - ok
          12:11:53.0593 1120  [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc         C:\WINDOWS\System32\dot3svc.dll
          12:11:53.0609 1120  Dot3svc - ok
          12:11:53.0656 1120  [ 40F3B93B4E5B0126F2F5C0A7A5E22660 ] dpti2o          C:\WINDOWS\system32\DRIVERS\dpti2o.sys
          12:11:53.0656 1120  dpti2o - ok
          12:11:53.0687 1120  [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud         C:\WINDOWS\system32\drivers\drmkaud.sys
          12:11:53.0687 1120  drmkaud - ok
          12:11:53.0687 1120  [ FD0F95981FEF9073659D8EC58E40AA3C ] DRVMCDB         C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
          12:11:53.0703 1120  DRVMCDB - ok
          12:11:53.0703 1120  [ B4869D320428CDC5EC4D7F5E808E99B5 ] DRVNDDM         C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
          12:11:53.0703 1120  DRVNDDM - ok
          12:11:53.0828 1120  [ 2AC2372FFAD9ADC85672CC8E8AE14BE9 ] DSproct         C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys
          12:11:53.0906 1120  DSproct - ok
          12:11:53.0968 1120  [ 12986452237021FD48B08F8E23F6A7AB ] dvdfab          C:\WINDOWS\system32\drivers\dvdfab.sys
          12:11:53.0968 1120  dvdfab - ok
          12:11:53.0984 1120  [ 3FCA03CBCA11269F973B70FA483C88EF ] E100B           C:\WINDOWS\system32\DRIVERS\e100b325.sys
          12:11:53.0984 1120  E100B - ok
          12:11:54.0046 1120  [ 00192F0C612591D585594E9467E6CA8B ] e1express       C:\WINDOWS\system32\DRIVERS\e1e5132.sys
          12:11:54.0046 1120  e1express - ok
          12:11:54.0078 1120  [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost         C:\WINDOWS\System32\eapsvc.dll
          12:11:54.0078 1120  EapHost - ok
          12:11:54.0125 1120  [ BC93B4A066477954555966D77FEC9ECB ] ERSvc           C:\WINDOWS\System32\ersvc.dll
          12:11:54.0125 1120  ERSvc - ok
          12:11:54.0171 1120  [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog        C:\WINDOWS\system32\services.exe
          12:11:54.0171 1120  Eventlog - ok
          12:11:54.0234 1120  [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem     C:\WINDOWS\system32\es.dll
          12:11:54.0250 1120  EventSystem - ok
          12:11:54.0265 1120  [ 38D332A6D56AF32635675F132548343E ] Fastfat         C:\WINDOWS\system32\drivers\Fastfat.sys
          12:11:54.0265 1120  Fastfat - ok
          12:11:54.0312 1120  [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
          12:11:54.0312 1120  FastUserSwitchingCompatibility - ok
          12:11:54.0343 1120  [ E97D6A8684466DF94FF3BC24FB787A07 ] Fax             C:\WINDOWS\system32\fxssvc.exe
          12:11:54.0343 1120  Fax - ok
          12:11:54.0359 1120  [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc             C:\WINDOWS\system32\DRIVERS\fdc.sys
          12:11:54.0375 1120  Fdc - ok
          12:11:54.0453 1120  [ 9200A69413D69AB86ADD9BC81960BE7B ] FileMonitor     C:\Program Files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys
          12:11:54.0453 1120  FileMonitor - ok
          12:11:54.0484 1120  [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips            C:\WINDOWS\system32\drivers\Fips.sys
          12:11:54.0484 1120  Fips - ok
          12:11:54.0531 1120  [ D60EF46DC0E757FE5EB579DB95B88954 ] FLEXnet Licensing Service C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
          12:11:54.0546 1120  FLEXnet Licensing Service - ok
          12:11:54.0578 1120  [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk        C:\WINDOWS\system32\DRIVERS\flpydisk.sys
          12:11:54.0578 1120  Flpydisk - ok
          12:11:54.0609 1120  [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr          C:\WINDOWS\system32\drivers\fltmgr.sys
          12:11:54.0609 1120  FltMgr - ok
          12:11:54.0656 1120  [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
          12:11:54.0656 1120  FontCache3.0.0.0 - ok
          12:11:54.0671 1120  [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec          C:\WINDOWS\system32\drivers\Fs_Rec.sys
          12:11:54.0687 1120  Fs_Rec - ok
          12:11:54.0703 1120  [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk          C:\WINDOWS\system32\DRIVERS\ftdisk.sys
          12:11:54.0703 1120  Ftdisk - ok
          12:11:54.0734 1120  [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc             C:\WINDOWS\system32\DRIVERS\msgpc.sys
          12:11:54.0734 1120  Gpc - ok
          12:11:54.0781 1120  [ 751C1D2CA2ABF4A9F5A6B8D7D45B907C ] gusvc           C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
          12:11:54.0812 1120  gusvc - ok
          12:11:54.0890 1120  [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus        C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
          12:11:54.0890 1120  HDAudBus - ok
          12:11:54.0984 1120  [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc         C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
          12:11:54.0984 1120  helpsvc - ok
          12:11:55.0046 1120  HidServ - ok
          12:11:55.0093 1120  [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb          C:\WINDOWS\system32\DRIVERS\hidusb.sys
          12:11:55.0093 1120  HidUsb - ok
          12:11:55.0125 1120  [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc          C:\WINDOWS\System32\kmsvc.dll
          12:11:55.0125 1120  hkmsvc - ok
          12:11:55.0171 1120  [ 55D7308E1437C629D2E52787BDA2CB45 ] hnmwrlspkt      C:\WINDOWS\system32\DRIVERS\hnm_wrls_pkt.sys
          12:11:55.0171 1120  hnmwrlspkt - ok
          12:11:55.0187 1120  [ B028377DEA0546A5FCFBA928A8AEFAE0 ] hpn             C:\WINDOWS\system32\DRIVERS\hpn.sys
          12:11:55.0187 1120  hpn - ok
          12:11:55.0234 1120  [ 77E4FF0B73BC0AEAAF39BF0C8104231F ] HSFHWBS2        C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
          12:11:55.0234 1120  HSFHWBS2 - ok
          12:11:55.0265 1120  [ 60E1604729A15EF4A3B05F298427B3B1 ] HSF_DP          C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
          12:11:55.0296 1120  HSF_DP - ok
          12:11:55.0359 1120  [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP            C:\WINDOWS\system32\Drivers\HTTP.sys
          12:11:55.0359 1120  HTTP - ok
          12:11:55.0406 1120  [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter      C:\WINDOWS\System32\w3ssl.dll
          12:11:55.0406 1120  HTTPFilter - ok
          12:11:55.0421 1120  [ 9368670BD426EBEA5E8B18A62416EC28 ] i2omgmt         C:\WINDOWS\system32\drivers\i2omgmt.sys
          12:11:55.0421 1120  i2omgmt - ok
          12:11:55.0453 1120  [ F10863BF1CCC290BABD1A09188AE49E0 ] i2omp           C:\WINDOWS\system32\DRIVERS\i2omp.sys
          12:11:55.0453 1120  i2omp - ok
          12:11:55.0468 1120  [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt        C:\WINDOWS\system32\DRIVERS\i8042prt.sys
          12:11:55.0468 1120  i8042prt - ok
          12:11:55.0515 1120  [ B122BE74E283A2BC7FEBC180BFD2EFD5 ] IAANTMON        C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
          12:11:55.0515 1120  IAANTMON - ok
          12:11:55.0546 1120  [ 019CF5F31C67030841233C545A0E217A ] iaStor          C:\WINDOWS\system32\drivers\iaStor.sys
          12:11:55.0546 1120  iaStor - ok
          12:11:55.0609 1120  [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc           C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
          12:11:55.0656 1120  idsvc - ok
          12:11:55.0671 1120  [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi           C:\WINDOWS\system32\DRIVERS\imapi.sys
          12:11:55.0671 1120  Imapi - ok
          12:11:55.0703 1120  [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService    C:\WINDOWS\system32\imapi.exe
          12:11:55.0703 1120  ImapiService - ok
          12:11:55.0750 1120  [ 8AE99EBE30E8338907361018D9030835 ] IMFservice      C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
          12:11:55.0765 1120  IMFservice - ok
          12:11:55.0812 1120  [ 4A40E045FAEE58631FD8D91AFC620719 ] ini910u         C:\WINDOWS\system32\DRIVERS\ini910u.sys
          12:11:55.0812 1120  ini910u - ok
          12:11:55.0890 1120  [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde        C:\WINDOWS\system32\DRIVERS\intelide.sys
          12:11:55.0890 1120  IntelIde - ok
          12:11:55.0953 1120  [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm        C:\WINDOWS\system32\DRIVERS\intelppm.sys
          12:11:55.0953 1120  intelppm - ok
          12:11:56.0015 1120  [ 3DC635B66DD7412E1C9C3A77B8D78F25 ] IntuitUpdateService C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
          12:11:56.0015 1120  IntuitUpdateService - ok
          12:11:56.0062 1120  [ 1663A135865F0BA6E853353E98E67F2A ] IntuitUpdateServiceV4 C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
          12:11:56.0062 1120  IntuitUpdateServiceV4 - ok
          12:11:56.0156 1120  [ B5A662956977407C6B9B88A846FEF9BD ] ioloSystemService C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
          12:11:56.0187 1120  ioloSystemService - ok
          12:11:56.0203 1120  [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw           C:\WINDOWS\system32\drivers\ip6fw.sys
          12:11:56.0203 1120  Ip6Fw - ok
          12:11:56.0218 1120  [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver  C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
          12:11:56.0218 1120  IpFilterDriver - ok
          12:11:56.0250 1120  [ B87AB476DCF76E72010632B5550955F5 ] IpInIp          C:\WINDOWS\system32\DRIVERS\ipinip.sys
          12:11:56.0250 1120  IpInIp - ok
          12:11:56.0296 1120  [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat           C:\WINDOWS\system32\DRIVERS\ipnat.sys
          12:11:56.0296 1120  IpNat - ok
          12:11:56.0312 1120  [ 23C74D75E36E7158768DD63D92789A91 ] IPSec           C:\WINDOWS\system32\DRIVERS\ipsec.sys
          12:11:56.0312 1120  IPSec - ok
          12:11:56.0343 1120  [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM          C:\WINDOWS\system32\DRIVERS\irenum.sys
          12:11:56.0359 1120  IRENUM - ok
          12:11:56.0375 1120  [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp          C:\WINDOWS\system32\DRIVERS\isapnp.sys
          12:11:56.0375 1120  isapnp - ok
          12:11:56.0453 1120  [ 381B25DC8E958D905B33130D500BBF29 ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
          12:11:56.0453 1120  JavaQuickStarterService - ok
          12:11:56.0484 1120  [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass        C:\WINDOWS\system32\DRIVERS\kbdclass.sys
          12:11:56.0484 1120  Kbdclass - ok
          12:11:56.0515 1120  [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid          C:\WINDOWS\system32\DRIVERS\kbdhid.sys
          12:11:56.0515 1120  kbdhid - ok
          12:11:56.0562 1120  [ 692BCF44383D056AED41B045A323D378 ] kmixer          C:\WINDOWS\system32\drivers\kmixer.sys
          12:11:56.0562 1120  kmixer - ok
          12:11:56.0593 1120  [ B467646C54CC746128904E1654C750C1 ] KSecDD          C:\WINDOWS\system32\drivers\KSecDD.sys
          12:11:56.0593 1120  KSecDD - ok
          12:11:56.0640 1120  [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver    C:\WINDOWS\System32\srvsvc.dll
          12:11:56.0640 1120  lanmanserver - ok
          12:11:56.0687 1120  [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
          12:11:56.0687 1120  lanmanworkstation - ok
          12:11:56.0687 1120  lbrtfdc - ok
          12:11:56.0734 1120  [ A7DB739AE99A796D91580147E919CC59 ] LmHosts         C:\WINDOWS\System32\lmhsvc.dll
          12:11:56.0734 1120  LmHosts - ok
          12:11:56.0796 1120  [ 11F714F85530A2BD134074DC30E99FCA ] MDM             C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
          12:11:56.0796 1120  MDM - ok
          12:11:56.0812 1120  [ EEAEA6514BA7C9D273B5E87C4E1AAB30 ] mdmxsdk         C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
          12:11:56.0812 1120  mdmxsdk - ok
          12:11:56.0875 1120  [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger       C:\WINDOWS\System32\msgsvc.dll
          12:11:56.0906 1120  Messenger - ok
          12:11:56.0968 1120  [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd           C:\WINDOWS\system32\drivers\mnmdd.sys
          12:11:56.0984 1120  mnmdd - ok
          12:11:57.0000 1120  [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc         C:\WINDOWS\system32\mnmsrvc.exe
          12:11:57.0015 1120  mnmsrvc - ok
          12:11:57.0062 1120  [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem           C:\WINDOWS\system32\drivers\Modem.sys
          12:11:57.0062 1120  Modem - ok
          12:11:57.0062 1120  [ 1992E0D143B09653AB0F9C5E04B0FD65 ] MODEMCSA        C:\WINDOWS\system32\drivers\MODEMCSA.sys
          12:11:57.0078 1120  MODEMCSA - ok
          12:11:57.0078 1120  [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass        C:\WINDOWS\system32\DRIVERS\mouclass.sys
          12:11:57.0078 1120  Mouclass - ok
          12:11:57.0109 1120  [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid          C:\WINDOWS\system32\DRIVERS\mouhid.sys
          12:11:57.0109 1120  mouhid - ok
          12:11:57.0125 1120  [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr        C:\WINDOWS\system32\drivers\MountMgr.sys
          12:11:57.0125 1120  MountMgr - ok
          12:11:57.0156 1120  [ 46297FA8E30A6007F14118FC2B942FBC ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
          12:11:57.0156 1120  MozillaMaintenance - ok
          12:11:57.0187 1120  [ 3F4BB95E5A44F3BE34824E8E7CAF0737 ] mraid35x        C:\WINDOWS\system32\DRIVERS\mraid35x.sys
          12:11:57.0187 1120  mraid35x - ok
          12:11:57.0218 1120  [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV          C:\WINDOWS\system32\DRIVERS\mrxdav.sys
          12:11:57.0218 1120  MRxDAV - ok
          12:11:57.0281 1120  [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb          C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
          12:11:57.0281 1120  MRxSmb - ok
          12:11:57.0328 1120  [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC           C:\WINDOWS\system32\msdtc.exe
          12:11:57.0328 1120  MSDTC - ok
          12:11:57.0375 1120  [ C941EA2454BA8350021D774DAF0F1027 ] Msfs            C:\WINDOWS\system32\drivers\Msfs.sys
          12:11:57.0375 1120  Msfs - ok
          12:11:57.0390 1120  MSIServer - ok
          12:11:57.0406 1120  [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV         C:\WINDOWS\system32\drivers\MSKSSRV.sys
          12:11:57.0406 1120  MSKSSRV - ok
          12:11:57.0421 1120  [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK        C:\WINDOWS\system32\drivers\MSPCLOCK.sys
          12:11:57.0421 1120  MSPCLOCK - ok
          12:11:57.0437 1120  [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM           C:\WINDOWS\system32\drivers\MSPQM.sys
          12:11:57.0453 1120  MSPQM - ok
          12:11:57.0468 1120  [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios        C:\WINDOWS\system32\DRIVERS\mssmbios.sys
          12:11:57.0468 1120  mssmbios - ok
          12:11:57.0703 1120  [ 1B959A0614D575D0AB3B09095F0A8B83 ] MSSQL$MICROSOFTSMLBIZ C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
          12:11:58.0015 1120  MSSQL$MICROSOFTSMLBIZ - ok
          12:11:58.0062 1120  [ 1D1B22613EAB9287AF902398867BC93C ] MSSQLServerADHelper C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe
          12:11:58.0062 1120  MSSQLServerADHelper - ok
          12:11:58.0078 1120  [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup             C:\WINDOWS\system32\drivers\Mup.sys
          12:11:58.0078 1120  Mup - ok
          12:11:58.0125 1120  [ 1E59AAED42A5E3A5ED86EC403F9C0776 ] NAL             C:\WINDOWS\system32\Drivers\iqvw32.sys
          12:11:58.0125 1120  NAL - ok
          12:11:58.0156 1120  [ 0102140028FAD045756796E1C685D695 ] napagent        C:\WINDOWS\System32\qagentrt.dll
          12:11:58.0156 1120  napagent - ok
          12:11:58.0203 1120  [ 1DF7F42665C94B825322FAE71721130D ] NDIS            C:\WINDOWS\system32\drivers\NDIS.sys
          12:11:58.0203 1120  NDIS - ok
          12:11:58.0234 1120  [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi        C:\WINDOWS\system32\DRIVERS\ndistapi.sys
          12:11:58.0234 1120  NdisTapi - ok
          12:11:58.0250 1120  [ F927A4434C5028758A842943EF1A3849 ] Ndisuio         C:\WINDOWS\system32\DRIVERS\ndisuio.sys
          12:11:58.0250 1120  Ndisuio - ok
          12:11:58.0265 1120  [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan         C:\WINDOWS\system32\DRIVERS\ndiswan.sys
          12:11:58.0281 1120  NdisWan - ok
          12:11:58.0296 1120  [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy         C:\WINDOWS\system32\drivers\NDProxy.sys
          12:11:58.0296 1120  NDProxy - ok
          12:11:58.0312 1120  [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS         C:\WINDOWS\system32\DRIVERS\netbios.sys
          12:11:58.0312 1120  NetBIOS - ok
          12:11:58.0343 1120  [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT           C:\WINDOWS\system32\DRIVERS\netbt.sys
          12:11:58.0343 1120  NetBT - ok
          12:11:58.0390 1120  [ B857BA82860D7FF85AE29B095645563B ] NetDDE          C:\WINDOWS\system32\netdde.exe
          12:11:58.0390 1120  NetDDE - ok
          12:11:58.0437 1120  [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm      C:\WINDOWS\system32\netdde.exe
          12:11:58.0437 1120  NetDDEdsdm - ok
          12:11:58.0453 1120  [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon        C:\WINDOWS\system32\lsass.exe
          12:11:58.0453 1120  Netlogon - ok
          12:11:58.0500 1120  [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman          C:\WINDOWS\System32\netman.dll
          12:11:58.0500 1120  Netman - ok
          12:11:58.0531 1120  [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
          12:11:58.0562 1120  NetTcpPortSharing - ok
          12:11:58.0593 1120  [ 943337D786A56729263071623BBB9DE5 ] Nla             C:\WINDOWS\System32\mswsock.dll
          12:11:58.0609 1120  Nla - ok
          12:11:58.0625 1120  [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs            C:\WINDOWS\system32\drivers\Npfs.sys
          12:11:58.0625 1120  Npfs - ok
          12:11:58.0671 1120  [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs            C:\WINDOWS\system32\drivers\Ntfs.sys
          12:11:58.0687 1120  Ntfs - ok
          12:11:58.0703 1120  [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp         C:\WINDOWS\system32\lsass.exe
          12:11:58.0703 1120  NtLmSsp - ok
          12:11:58.0734 1120  [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc         C:\WINDOWS\system32\ntmssvc.dll
          12:11:58.0765 1120  NtmsSvc - ok
          12:11:58.0781 1120  [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null            C:\WINDOWS\system32\drivers\Null.sys
          12:11:58.0781 1120  Null - ok
          12:11:58.0968 1120  [ 5950E6CC9FB3FABB61604D395DBC8550 ] nv              C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
          12:11:59.0125 1120  nv - ok
          12:11:59.0187 1120  [ 9FE764D5EECCA13B0932FAB81A4A5A6F ] NVSvc           C:\WINDOWS\system32\nvsvc32.exe
          12:11:59.0187 1120  NVSvc - ok
          12:11:59.0218 1120  [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt        C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
          12:11:59.0218 1120  NwlnkFlt - ok
          12:11:59.0234 1120  [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd        C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
          12:11:59.0234 1120  NwlnkFwd - ok
          12:11:59.0281 1120  [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose             C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
          12:11:59.0281 1120  ose - ok
          12:11:59.0312 1120  [ 9A7FD6B64E78A8A0D79F372CFCC43E19 ] Packet          C:\WINDOWS\system32\DRIVERS\packet.sys
          12:11:59.0312 1120  Packet - ok
          12:11:59.0343 1120  [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport         C:\WINDOWS\system32\DRIVERS\parport.sys
          12:11:59.0343 1120  Parport - ok
          12:11:59.0343 1120  [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr         C:\WINDOWS\system32\drivers\PartMgr.sys
          12:11:59.0343 1120  PartMgr - ok
          12:11:59.0390 1120  [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm          C:\WINDOWS\system32\drivers\ParVdm.sys
          12:11:59.0390 1120  ParVdm - ok
          12:11:59.0390 1120  [ A219903CCF74233761D92BEF471A07B1 ] PCI             C:\WINDOWS\system32\DRIVERS\pci.sys
          12:11:59.0390 1120  PCI - ok
          12:11:59.0406 1120  PCIDump - ok
          12:11:59.0421 1120  [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde          C:\WINDOWS\system32\DRIVERS\pciide.sys
          12:11:59.0421 1120  PCIIde - ok
          12:11:59.0437 1120  [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia          C:\WINDOWS\system32\drivers\Pcmcia.sys
          12:11:59.0453 1120  Pcmcia - ok
          12:11:59.0468 1120  [ 5B6C11DE7E839C05248CED8825470FEF ] pcouffin        C:\WINDOWS\system32\Drivers\pcouffin.sys
          12:11:59.0468 1120  pcouffin - ok
          12:11:59.0500 1120  [ 7EA0EBD6E5AA687E116EB185A7CFB667 ] PCTAppEvent     C:\WINDOWS\system32\drivers\PCTAppEvent.sys
          12:11:59.0515 1120  PCTAppEvent - ok
          12:11:59.0546 1120  [ 60AF5FA418EFE284FB81DBBF5A0391FB ] PCTFW-PacketFilter C:\WINDOWS\system32\drivers\pctNdis-PacketFilter.sys
          12:11:59.0546 1120  PCTFW-PacketFilter - ok
          12:11:59.0593 1120  [ 5BE722C8C9BBA995693C8CD524D83B27 ] pctgntdi        C:\WINDOWS\system32\drivers\pctgntdi.sys
          12:11:59.0609 1120  pctgntdi - ok
          12:11:59.0640 1120  [ 3EC79CFB2E0E74AADA8B561ED8904577 ] pctNDIS         C:\WINDOWS\system32\DRIVERS\pctNdis.sys
          12:11:59.0640 1120  pctNDIS - ok
          12:11:59.0703 1120  [ 86D511370A217B554916E3A45D091042 ] PCToolsFirewallPlus C:\Program Files\PC Tools Firewall Plus\FWService.exe
          12:11:59.0718 1120  PCToolsFirewallPlus - ok
          12:11:59.0750 1120  [ FE6803AF91DDB32FF8EDF5D6C0D370AF ] pctplfw         C:\WINDOWS\system32\drivers\pctplfw.sys
          12:11:59.0750 1120  pctplfw - ok
          12:11:59.0781 1120  PDCOMP - ok
          12:11:59.0796 1120  PDFRAME - ok
          12:11:59.0812 1120  [ 40C611622882C3FCAFEB845C1E12A10F ] PDFsFilter      C:\WINDOWS\system32\DRIVERS\PDFsFilter.sys
          12:11:59.0812 1120  PDFsFilter - ok
          12:11:59.0812 1120  PDRELI - ok
          12:11:59.0828 1120  PDRFRAME - ok
          12:11:59.0859 1120  [ 6C14B9C19BA84F73D3A86DBA11133101 ] perc2           C:\WINDOWS\system32\DRIVERS\perc2.sys
          12:11:59.0859 1120  perc2 - ok
          12:11:59.0921 1120  [ F50F7C27F131AFE7BEBA13E14A3B9416 ] perc2hib        C:\WINDOWS\system32\DRIVERS\perc2hib.sys
          12:11:59.0921 1120  perc2hib - ok
          12:11:59.0984 1120  [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay        C:\WINDOWS\system32\services.exe
          12:11:59.0984 1120  PlugPlay - ok
          12:12:00.0015 1120  [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent     C:\WINDOWS\system32\lsass.exe
          12:12:00.0031 1120  PolicyAgent - ok
          12:12:00.0078 1120  [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport    C:\WINDOWS\system32\DRIVERS\raspptp.sys
          12:12:00.0078 1120  PptpMiniport - ok
          12:12:00.0093 1120  [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
          12:12:00.0093 1120  ProtectedStorage - ok
          12:12:00.0109 1120  [ 09298EC810B07E5D582CB3A3F9255424 ] PSched          C:\WINDOWS\system32\DRIVERS\psched.sys
          12:12:00.0109 1120  PSched - ok
          12:12:00.0156 1120  [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink         C:\WINDOWS\system32\DRIVERS\ptilink.sys
          12:12:00.0156 1120  Ptilink - ok
          12:12:00.0203 1120  [ D86B4A68565E444D76457F14172C875A ] PxHelp20        C:\WINDOWS\system32\Drivers\PxHelp20.sys
          12:12:00.0203 1120  PxHelp20 - ok
          12:12:00.0234 1120  [ 0A63FB54039EB5662433CABA3B26DBA7 ] ql1080          C:\WINDOWS\system32\DRIVERS\ql1080.sys
          12:12:00.0234 1120  ql1080 - ok
          12:12:00.0234 1120  [ 6503449E1D43A0FF0201AD5CB1B8C706 ] Ql10wnt         C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
          12:12:00.0234 1120  Ql10wnt - ok
          12:12:00.0250 1120  [ 156ED0EF20C15114CA097A34A30D8A01 ] ql12160         C:\WINDOWS\system32\DRIVERS\ql12160.sys
          12:12:00.0250 1120  ql12160 - ok
          12:12:00.0281 1120  [ 70F016BEBDE6D29E864C1230A07CC5E6 ] ql1240          C:\WINDOWS\system32\DRIVERS\ql1240.sys
          12:12:00.0281 1120  ql1240 - ok
          12:12:00.0296 1120  [ 907F0AEEA6BC451011611E732BD31FCF ] ql1280          C:\WINDOWS\system32\DRIVERS\ql1280.sys
          12:12:00.0296 1120  ql1280 - ok
          12:12:00.0312 1120  [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd          C:\WINDOWS\system32\DRIVERS\rasacd.sys
          12:12:00.0312 1120  RasAcd - ok
          12:12:00.0343 1120  [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto         C:\WINDOWS\System32\rasauto.dll
          12:12:00.0359 1120  RasAuto - ok
          12:12:00.0375 1120  [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp         C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
          12:12:00.0375 1120  Rasl2tp - ok
          12:12:00.0406 1120  [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan          C:\WINDOWS\System32\rasmans.dll
          12:12:00.0406 1120  RasMan - ok
          12:12:00.0453 1120  [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe        C:\WINDOWS\system32\DRIVERS\raspppoe.sys
          12:12:00.0453 1120  RasPppoe - ok
          12:12:00.0468 1120  [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti          C:\WINDOWS\system32\DRIVERS\raspti.sys
          12:12:00.0468 1120  Raspti - ok
          12:12:00.0515 1120  [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss           C:\WINDOWS\system32\DRIVERS\rdbss.sys
          12:12:00.0515 1120  Rdbss - ok
          12:12:00.0531 1120  [ 4912D5B403614CE99C28420F75353332 ] RDPCDD          C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
          12:12:00.0531 1120  RDPCDD - ok
          12:12:00.0546 1120  [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr           C:\WINDOWS\system32\DRIVERS\rdpdr.sys
          12:12:00.0546 1120  rdpdr - ok
          12:12:00.0593 1120  [ 6589DB6E5969F8EEE594CF71171C5028 ] RDPWD           C:\WINDOWS\system32\drivers\RDPWD.sys
          12:12:00.0609 1120  RDPWD - ok
          12:12:00.0640 1120  [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr       C:\WINDOWS\system32\sessmgr.exe
          12:12:00.0671 1120  RDSessMgr - ok
          12:12:00.0703 1120  [ F828DD7E1419B6653894A8F97A0094C5 ] redbook         C:\WINDOWS\system32\DRIVERS\redbook.sys
          12:12:00.0703 1120  redbook - ok
          12:12:00.0734 1120  [ 2CA761CE3ABB7BBBB9C5519B2FB54F5E ] RegFilter       C:\Program Files\IObit\IObit Malware Fighter\drivers\wxp_x86\regfilter.sys
          12:12:00.0734 1120  RegFilter - ok
          12:12:00.0750 1120  [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess    C:\WINDOWS\System32\mprdim.dll
          12:12:00.0750 1120  RemoteAccess - ok
          12:12:00.0781 1120  [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry  C:\WINDOWS\system32\regsvc.dll
          12:12:00.0781 1120  RemoteRegistry - ok
          12:12:00.0796 1120  [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator      C:\WINDOWS\system32\locator.exe
          12:12:00.0796 1120  RpcLocator - ok
          12:12:00.0843 1120  [ 6B27A5C03DFB94B4245739065431322C ] RpcSs           C:\WINDOWS\System32\rpcss.dll
          12:12:00.0859 1120  RpcSs - ok
          12:12:00.0921 1120  [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP            C:\WINDOWS\system32\rsvp.exe
          12:12:00.0953 1120  RSVP - ok
          12:12:01.0000 1120  [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs           C:\WINDOWS\system32\lsass.exe
          12:12:01.0000 1120  SamSs - ok
          12:12:01.0046 1120  [ 39763504067962108505BFF25F024345 ] SASDIFSV        C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
          12:12:01.0046 1120  SASDIFSV - ok
          12:12:01.0078 1120  [ 7CE61C25C159F50F9EAF6D77FC83FA35 ] SASENUM         C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
          12:12:01.0078 1120  SASENUM - ok
          12:12:01.0093 1120  [ 77B9FC20084B48408AD3E87570EB4A85 ] SASKUTIL        C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
          12:12:01.0093 1120  SASKUTIL - ok
          12:12:01.0125 1120  [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr        C:\WINDOWS\System32\SCardSvr.exe
          12:12:01.0125 1120  SCardSvr - ok
          12:12:01.0156 1120  [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule        C:\WINDOWS\system32\schedsvc.dll
          12:12:01.0156 1120  Schedule - ok
          12:12:01.0187 1120  [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv          C:\WINDOWS\system32\DRIVERS\secdrv.sys
          12:12:01.0187 1120  Secdrv - ok
          12:12:01.0234 1120  [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon        C:\WINDOWS\System32\seclogon.dll
          12:12:01.0234 1120  seclogon - ok
          12:12:01.0250 1120  [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS            C:\WINDOWS\system32\sens.dll
          12:12:01.0250 1120  SENS - ok
          12:12:01.0265 1120  [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum         C:\WINDOWS\system32\DRIVERS\serenum.sys
          12:12:01.0265 1120  serenum - ok
          12:12:01.0281 1120  [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial          C:\WINDOWS\system32\DRIVERS\serial.sys
          12:12:01.0281 1120  Serial - ok
          12:12:01.0312 1120  [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy         C:\WINDOWS\system32\drivers\Sfloppy.sys
          12:12:01.0312 1120  Sfloppy - ok
          12:12:01.0359 1120  [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
          12:12:01.0359 1120  ShellHWDetection - ok
          12:12:01.0375 1120  Simbad - ok
          12:12:01.0406 1120  [ 6B33D0EBD30DB32E27D1D78FE946A754 ] sisagp          C:\WINDOWS\system32\DRIVERS\sisagp.sys
          12:12:01.0406 1120  sisagp - ok
          12:12:01.0437 1120  [ 83C0F71F86D3BDAF915685F3D568B20E ] Sparrow         C:\WINDOWS\system32\DRIVERS\sparrow.sys
          12:12:01.0437 1120  Sparrow - ok
          12:12:01.0468 1120  [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter        C:\WINDOWS\system32\drivers\splitter.sys
          12:12:01.0468 1120  splitter - ok
          12:12:01.0500 1120  [ 60784F891563FB1B767F70117FC2428F ] Spooler         C:\WINDOWS\system32\spoolsv.exe
          12:12:01.0500 1120  Spooler - ok
          12:12:01.0546 1120  [ 0C1DAD75274CB6E31F053CE3E08BF9C3 ] sptd            C:\WINDOWS\system32\Drivers\sptd.sys
          12:12:01.0578 1120  sptd - ok
          12:12:01.0625 1120  [ 352E375AB298C23B0F9BC307652C7F50 ] SQLAgent$MICROSOFTSMLBIZ C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE
          12:12:01.0656 1120  SQLAgent$MICROSOFTSMLBIZ - ok
          12:12:01.0687 1120  [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr              C:\WINDOWS\system32\DRIVERS\sr.sys
          12:12:01.0687 1120  sr - ok
          12:12:01.0718 1120  [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice       C:\WINDOWS\system32\srsvc.dll
          12:12:01.0718 1120  srservice - ok
          12:12:01.0750 1120  [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv             C:\WINDOWS\system32\DRIVERS\srv.sys
          12:12:01.0765 1120  Srv - ok
          12:12:01.0796 1120  [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV         C:\WINDOWS\System32\ssdpsrv.dll
          12:12:01.0796 1120  SSDPSRV - ok
          12:12:01.0906 1120  [ 797FCC1D859B203958E915BB82528DA9 ] STHDA           C:\WINDOWS\system32\drivers\sthda.sys
          12:12:01.0937 1120  STHDA - ok
          12:12:01.0984 1120  [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc          C:\WINDOWS\system32\wiaservc.dll
          12:12:02.0062 1120  stisvc - ok
          12:12:02.0109 1120  [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum          C:\WINDOWS\system32\DRIVERS\swenum.sys
          12:12:02.0109 1120  swenum - ok
          12:12:02.0156 1120  [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi          C:\WINDOWS\system32\drivers\swmidi.sys
          12:12:02.0156 1120  swmidi - ok
          12:12:02.0171 1120  SwPrv - ok
          12:12:02.0187 1120  [ 1FF3217614018630D0A6758630FC698C ] symc810         C:\WINDOWS\system32\DRIVERS\symc810.sys
          12:12:02.0187 1120  symc810 - ok
          12:12:02.0218 1120  [ 070E001D95CF725186EF8B20335F933C ] symc8xx         C:\WINDOWS\system32\DRIVERS\symc8xx.sys
          12:12:02.0218 1120  symc8xx - ok
          12:12:02.0234 1120  [ 80AC1C4ABBE2DF3B738BF15517A51F2C ] sym_hi          C:\WINDOWS\system32\DRIVERS\sym_hi.sys
          12:12:02.0234 1120  sym_hi - ok
          12:12:02.0250 1120  [ BF4FAB949A382A8E105F46EBB4937058 ] sym_u3          C:\WINDOWS\system32\DRIVERS\sym_u3.sys
          12:12:02.0250 1120  sym_u3 - ok
          12:12:02.0265 1120  [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio        C:\WINDOWS\system32\drivers\sysaudio.sys
          12:12:02.0265 1120  sysaudio - ok
          12:12:02.0281 1120  Suspicious service (NoAccess): syshost32
          12:12:02.0359 1120  [ 81F49679A3E51F10B1DD20BEFDEF7772 ] syshost32       C:\WINDOWS\Installer\{21AFBFB6-53EF-36C2-120C-7E9BF1C4C429}\syshost.exe
          12:12:02.0359 1120  Suspicious file (NoAccess): C:\WINDOWS\Installer\{21AFBFB6-53EF-36C2-120C-7E9BF1C4C429}\syshost.exe. md5: 81F49679A3E51F10B1DD20BEFDEF7772
          12:12:02.0453 1120  syshost32 ( Rootkit.Win32.Necurs.gen ) - infected
          12:12:02.0453 1120  syshost32 - detected Rootkit.Win32.Necurs.gen (0)
          12:12:02.0500 1120  [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog       C:\WINDOWS\system32\smlogsvc.exe
          12:12:02.0515 1120  SysmonLog - ok
          12:12:02.0546 1120  [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv         C:\WINDOWS\System32\tapisrv.dll
          12:12:02.0546 1120  TapiSrv - ok
          12:12:02.0609 1120  [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip           C:\WINDOWS\system32\DRIVERS\tcpip.sys
          12:12:02.0609 1120  Tcpip - ok
          12:12:02.0656 1120  [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE          C:\WINDOWS\system32\drivers\TDPIPE.sys
          12:12:02.0656 1120  TDPIPE - ok
          12:12:02.0671 1120  [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP           C:\WINDOWS\system32\drivers\TDTCP.sys
          12:12:02.0671 1120  TDTCP - ok
          12:12:02.0703 1120  [ 88155247177638048422893737429D9E ] TermDD          C:\WINDOWS\system32\DRIVERS\termdd.sys
          12:12:02.0703 1120  TermDD - ok
          12:12:02.0750 1120  [ FF3477C03BE7201C294C35F684B3479F ] TermService     C:\WINDOWS\System32\termsrv.dll
          12:12:02.0765 1120  TermService - ok
          12:12:02.0781 1120  [ 99BC0B50F511924348BE19C7C7313BBF ] Themes          C:\WINDOWS\System32\shsvcs.dll
          12:12:02.0781 1120  Themes - ok
          12:12:02.0828 1120  [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr         C:\WINDOWS\system32\tlntsvr.exe
          12:12:02.0828 1120  TlntSvr - ok
          12:12:02.0921 1120  [ F2790F6AF01321B172AA62F8E1E187D9 ] TosIde          C:\WINDOWS\system32\DRIVERS\toside.sys
          12:12:02.0921 1120  TosIde - ok
          12:12:02.0984 1120  [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks          C:\WINDOWS\system32\trkwks.dll
          12:12:02.0984 1120  TrkWks - ok
          12:12:03.0031 1120  [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs            C:\WINDOWS\system32\drivers\Udfs.sys
          12:12:03.0031 1120  Udfs - ok
          12:12:03.0046 1120  [ 1B698A51CD528D8DA4FFAED66DFC51B9 ] ultra           C:\WINDOWS\system32\DRIVERS\ultra.sys
          12:12:03.0046 1120  ultra - ok
          12:12:03.0078 1120  [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update          C:\WINDOWS\system32\DRIVERS\update.sys
          12:12:03.0093 1120  Update - ok
          12:12:03.0125 1120  [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost        C:\WINDOWS\System32\upnphost.dll
          12:12:03.0156 1120  upnphost - ok
          12:12:03.0187 1120  [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS             C:\WINDOWS\System32\ups.exe
          12:12:03.0187 1120  UPS - ok
          12:12:03.0203 1120  [ 62551BA687F1D0F582810CFA37384BB0 ] UrlFilter       C:\Program Files\IObit\IObit Malware Fighter\drivers\wxp_x86\UrlFilter.sys
          12:12:03.0203 1120  UrlFilter - ok
          12:12:03.0234 1120  [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp         C:\WINDOWS\system32\DRIVERS\usbccgp.sys
          12:12:03.0250 1120  usbccgp - ok
          12:12:03.0265 1120  [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci         C:\WINDOWS\system32\DRIVERS\usbehci.sys
          12:12:03.0265 1120  usbehci - ok
          12:12:03.0281 1120  [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub          C:\WINDOWS\system32\DRIVERS\usbhub.sys
          12:12:03.0281 1120  usbhub - ok
          12:12:03.0312 1120  [ A717C8721046828520C9EDF31288FC00 ] usbprint        C:\WINDOWS\system32\DRIVERS\usbprint.sys
          12:12:03.0312 1120  usbprint - ok
          12:12:03.0343 1120  [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan         C:\WINDOWS\system32\DRIVERS\usbscan.sys
          12:12:03.0343 1120  usbscan - ok
          12:12:03.0359 1120  [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR         C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
          12:12:03.0359 1120  USBSTOR - ok
          12:12:03.0375 1120  [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci         C:\WINDOWS\system32\DRIVERS\usbuhci.sys
          12:12:03.0375 1120  usbuhci - ok
          12:12:03.0390 1120  [ B6CC50279D6CD28E090A5D33244ADC9A ] usb_rndisx      C:\WINDOWS\system32\DRIVERS\usb8023x.sys
          12:12:03.0390 1120  usb_rndisx - ok
          12:12:03.0406 1120  [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave         C:\WINDOWS\System32\drivers\vga.sys
          12:12:03.0406 1120  VgaSave - ok
          12:12:03.0421 1120  [ 754292CE5848B3738281B4F3607EAEF4 ] viaagp          C:\WINDOWS\system32\DRIVERS\viaagp.sys
          12:12:03.0421 1120  viaagp - ok
          12:12:03.0437 1120  [ 3B3EFCDA263B8AC14FDF9CBDD0791B2E ] ViaIde          C:\WINDOWS\system32\DRIVERS\viaide.sys
          12:12:03.0437 1120  ViaIde - ok
          12:12:03.0453 1120  [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap         C:\WINDOWS\system32\drivers\VolSnap.sys
          12:12:03.0453 1120  VolSnap - ok
          12:12:03.0468 1120  VPROEVENTMONITOR - ok
          12:12:03.0468 1120  Vsapint - ok
          12:12:03.0515 1120  [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS             C:\WINDOWS\System32\vssvc.exe
          12:12:03.0531 1120  VSS - ok
          12:12:03.0562 1120  [ 54AF4B1D5459500EF0937F6D33B1914F ] w32time         C:\WINDOWS\system32\w32time.dll
          12:12:03.0562 1120  w32time - ok
          12:12:03.0593 1120  [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp          C:\WINDOWS\system32\DRIVERS\wanarp.sys
          12:12:03.0593 1120  Wanarp - ok
          12:12:03.0640 1120  [ 0A716C08CB13C3A8F4F51E882DBF7416 ] wanatw          C:\WINDOWS\system32\DRIVERS\wanatw4.sys
          12:12:03.0640 1120  wanatw - ok
          12:12:03.0656 1120  [ EB9A99AB5D17B1727034FF191E6448D7 ] WANMiniportService C:\WINDOWS\wanmpsvc.exe
          12:12:03.0703 1120  WANMiniportService - ok
          12:12:03.0734 1120  [ 46A247F6617526AFE38B6F12F5512120 ] wceusbsh        C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
          12:12:03.0734 1120  wceusbsh - ok
          12:12:03.0750 1120  [ D6EFAF429FD30C5DF613D220E344CCE7 ] WDC_SAM         C:\WINDOWS\system32\DRIVERS\wdcsam.sys
          12:12:03.0750 1120  WDC_SAM - ok
          12:12:03.0750 1120  WDICA - ok
          12:12:03.0781 1120  [ 6768ACF64B18196494413695F0C3A00F ] wdmaud          C:\WINDOWS\system32\drivers\wdmaud.sys
          12:12:03.0781 1120  wdmaud - ok
          12:12:03.0796 1120  [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient       C:\WINDOWS\System32\webclnt.dll
          12:12:03.0812 1120  WebClient - ok
          12:12:03.0843 1120  [ F59ED5A43B988A18EF582BB07B2327A7 ] winachsf        C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
          12:12:03.0859 1120  winachsf - ok
          12:12:04.0000 1120  [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt         C:\WINDOWS\system32\wbem\WMIsvc.dll
          12:12:04.0000 1120  winmgmt - ok
          12:12:04.0062 1120  [ 18F347402DA544A780949B8FDF83351B ] WinRM           C:\WINDOWS\system32\WsmSvc.dll
          12:12:04.0109 1120  WinRM - ok
          12:12:04.0218 1120  [ 5144AE67D60EC653F97DDF3FEED29E77 ] wlidsvc         C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
          12:12:04.0265 1120  wlidsvc - ok
          12:12:04.0312 1120  [ 051B1BDECD6DEE18C771B5D5EC7F044D ] WmdmPmSN        C:\WINDOWS\system32\MsPMSNSv.dll
          12:12:04.0312 1120  WmdmPmSN - ok
          12:12:04.0359 1120  [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi             C:\WINDOWS\System32\advapi32.dll
          12:12:04.0390 1120  Wmi - ok
          12:12:04.0437 1120  [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv        C:\WINDOWS\system32\wbem\wmiapsrv.exe
          12:12:04.0437 1120  WmiApSrv - ok
          12:12:04.0515 1120  [ 6BAB4DC65515A098505F8B3D01FB6FE5 ] WMPNetworkSvc   C:\Program Files\Windows Media Player\WMPNetwk.exe
          12:12:04.0546 1120  WMPNetworkSvc - ok
          12:12:04.0562 1120  [ C60DC16D4E406810FAD54B98DC92D5EC ] WpdUsb          C:\WINDOWS\system32\Drivers\wpdusb.sys
          12:12:04.0562 1120  WpdUsb - ok
          12:12:04.0671 1120  [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
          12:12:04.0750 1120  WPFFontCache_v0400 - ok
          12:12:04.0796 1120  [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL         C:\WINDOWS\System32\drivers\ws2ifsl.sys
          12:12:04.0796 1120  WS2IFSL - ok
          12:12:04.0796 1120  WSearch - ok
          12:12:04.0828 1120  [ E068D1F5D4ABC1111566BCEFE85F1AC2 ] wsppkt          C:\WINDOWS\system32\DRIVERS\wsp_pkt.sys
          12:12:04.0828 1120  wsppkt - ok
          12:12:04.0875 1120  [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf          C:\WINDOWS\system32\DRIVERS\WudfPf.sys
          12:12:04.0921 1120  WudfPf - ok
          12:12:05.0000 1120  [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd          C:\WINDOWS\system32\DRIVERS\wudfrd.sys
          12:12:05.0031 1120  WudfRd - ok
          12:12:05.0062 1120  [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc         C:\WINDOWS\System32\WUDFSvc.dll
          12:12:05.0078 1120  WudfSvc - ok
          12:12:05.0156 1120  [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC          C:\WINDOWS\System32\wzcsvc.dll
          12:12:05.0171 1120  WZCSVC - ok
          12:12:05.0234 1120  [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov         C:\WINDOWS\System32\xmlprov.dll
          12:12:05.0234 1120  xmlprov - ok
          12:12:05.0250 1120  ================ Scan global ===============================
          12:12:05.0312 1120  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
          12:12:05.0359 1120  [ 8C7DCA

          SuperDave

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Thanked: 1020
          • Experience: Expert
          • OS: Windows 10
          Re: Virus or worm has disabled internet, hidden program and other files
          « Reply #7 on: August 24, 2012, 04:41:04 PM »
          Quote: "the aswMBR will not run on my desktop under my log in nor as an Administrator"
          Do you get an error message?

          • Download RogueKiller on the desktop
          • Close all the running programs
          • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
          • Otherwise just double-click on RogueKiller.exe
          • Pre-scan will start. Let it finish.
          • Click on SCAN button.
          • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
          • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again
          ************************************************************
          Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

          Link 1
          Link 2
          Link 3

          • Double-click on MBRCheck.exe to run it.
          • It will open a black window...please do not fix anything (if it gives you an option).
          • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
          • A log named MBRCheck_date_time.txt (e.g. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
          • Please copy and paste the contents of that log in your next reply.
          Windows 8 and Windows 10 dual boot with two SSD's

          padraig

            Topic Starter


            Beginner

          • a coward dies a million times, free men die once
            • Experience: Beginner
            • OS: Windows XP
            Re: Virus or worm has disabled internet, hidden program and other files
            « Reply #8 on: August 24, 2012, 06:39:03 PM »
            When trying to run the aswMBR application, it does not react: no application, no error message, etc.

            Here are the RogueKiller and MBRCheck reports:

            RogueKiller V7.6.6 [08/10/2012]  by Tigzy
            mail: tigzyRK<at>gmail<dot>com
            Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
            Blog: http://tigzyrk.blogspot.com

            Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
            Started in : Normal mode
            User: Patrick [Admin rights]
            Mode: Scan -- Date: 08/24/2012 20:34:12

            ¤¤¤ Bad processes: 1 ¤¤¤
            [SUSP PATH] govkhca.exe -- C:\Documents and Settings\Patrick\govkhca.exe -> KILLED [TermProc]

            ¤¤¤ Registry Entries: 12 ¤¤¤
            [BLACKLIST DLL] HKCU\[...]\Run : Autodesk (rundll32.exe "C:\Documents and Settings\Patrick\Local Settings\Application Data\Collectorz.com\Autodesk\kzaayba.dll",CreateInstance) -> FOUND
            [BLACKLIST DLL] HKUS\.DEFAULT[...]\Run : Autodesk (rundll32.exe "C:\Documents and Settings\Patrick\Local Settings\Application Data\Collectorz.com\Autodesk\kzaayba.dll",CreateInstance) -> FOUND
            [BLACKLIST DLL] HKUS\S-1-5-21-2796421550-788906634-1267632633-1006[...]\Run : Autodesk (rundll32.exe "C:\Documents and Settings\Patrick\Local Settings\Application Data\Collectorz.com\Autodesk\kzaayba.dll",CreateInstance) -> FOUND
            [BLACKLIST DLL] HKUS\S-1-5-18[...]\Run : Autodesk (rundll32.exe "C:\Documents and Settings\Patrick\Local Settings\Application Data\Collectorz.com\Autodesk\kzaayba.dll",CreateInstance) -> FOUND
            [ZeroAccess] HKCR\[...]\InprocServer32 :  (\\.\globalroot\systemroot\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n.) -> FOUND
            [ZeroAccess] HKLM\[...]\InprocServer32 :  (\\.\globalroot\systemroot\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n.) -> FOUND
            [HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
            [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
            [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
            [HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
            [HJ] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
            [HIDDEN VAL] HKCU\[...]\Run : govShell (C:\Documents and Settings\Patrick\govkhca.exe) -> FOUND

            ¤¤¤ Particular Files / Folders: ¤¤¤
            [ZeroAccess][FILE] n : c:\windows\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n --> FOUND
            [ZeroAccess][FILE] @ : c:\windows\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\@ --> FOUND
            [ZeroAccess][FOLDER] U : c:\windows\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U --> FOUND
            [ZeroAccess][FOLDER] L : c:\windows\installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L --> FOUND
            [ZeroAccess][FILE] n : c:\documents and settings\patrick\local settings\application data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n --> FOUND
            [ZeroAccess][FILE] @ : c:\documents and settings\patrick\local settings\application data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\@ --> FOUND
            [ZeroAccess][FOLDER] U : c:\documents and settings\patrick\local settings\application data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U --> FOUND
            [ZeroAccess][FOLDER] L : c:\documents and settings\patrick\local settings\application data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L --> FOUND
            [ZeroAccess][FILE] Desktop.ini : c:\windows\assembly\gac\desktop.ini --> FOUND

            ¤¤¤ Driver: [NOT LOADED] ¤¤¤

            ¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

            ¤¤¤ HOSTS File: ¤¤¤
            127.0.0.1       localhost


            ¤¤¤ MBR Check: ¤¤¤

            +++++ PhysicalDrive0: ARRAY +++++
            --- User ---
            [MBR] 1774f3d5b49f9f2b75a45da1c8507bd6
            [BSP] dfe4c0bfa859120fb83a6a1aa43abcee : MBR Code unknown
            Partition table:
            0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
            1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 175546 Mo
            2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 359631090 | Size: 59012 Mo
            3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 480488085 | Size: 3796 Mo
            User != LL1 ... KO!
            --- LL1 ---
            [MBR] 3ddd9a84be42a4625b85406fe08106cf
            [BSP] 0006296a8c957eeb80ed14c405f8c64b : MaxSS MBR Code!
            Partition table:
            0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
            1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112455 | Size: 175546 Mo
            2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 359631090 | Size: 59012 Mo
            3 - [XXXXXX] UNKNOWN (0xdb) [VISIBLE] Offset (sectors): 480488085 | Size: 3796 Mo
            Error reading LL2 MBR!

            +++++ PhysicalDrive1: HP External HDD USB Device +++++
            --- User ---
            [MBR] 388d886274f3aa36ea2affb5823c2b27
            [BSP] 0dd43184484a6815ab20400bf39e3619 : MBR Code unknown
            Partition table:
            0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476269 Mo
            User = LL1 ... OK!
            Error reading LL2 MBR!

            +++++ PhysicalDrive2: WD My Passport 0740 USB Device +++++
            --- User ---
            [MBR] 10e93ad5e841512afefef1b41a97e15d
            [BSP] a2afca834be8506a95112da9d22fbe5f : Windows XP MBR Code
            Partition table:
            0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953836 Mo
            User = LL1 ... OK!
            Error reading LL2 MBR!

            +++++ PhysicalDrive3: PNY USB 2.0 FD USB Device +++++
            --- User ---
            [MBR] 3c31d08e3f9f8b450abd984fa861adc5
            [BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
            Partition table:
            0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 7727 Mo
            User = LL1 ... OK!
            Error reading LL2 MBR!

            +++++ PhysicalDrive4: WD 1200BEVExternal USB Device +++++
            --- User ---
            [MBR] 9f4041c9c71d2e55c9dc1d8d2a7e2e72
            [BSP] d0ec2211ba2260ee6d54a28c5292c11f : Windows XP MBR Code
            Partition table:
            0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 114470 Mo
            User = LL1 ... OK!
            Error reading LL2 MBR!

            Finished : << RKreport[1].txt >>
            RKreport[1].txt





            MBRCheck, version 1.2.3
            (c) 2010, AD

            Command-line:         
            Windows Version:      Windows XP Professional
            Windows Information:      Service Pack 3 (build 2600)
            Logical Drives Mask:      0x000007fd

            Kernel Drivers (total 134):
              0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
              0x806E5000 \WINDOWS\system32\hal.dll
              0xF7B44000 \WINDOWS\system32\KDCOM.DLL
              0xF7A54000 \WINDOWS\system32\BOOTVID.dll
              0x86F93000 9445fee0eea6d169.sys
              0xF7520000 pci.sys
              0xF7644000 isapnp.sys
              0xF74F2000 ACPI.sys
              0xF7B46000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
              0xF7654000 MountMgr.sys
              0xF74D3000 ftdisk.sys
              0xF7B48000 dmload.sys
              0xF74AD000 dmio.sys
              0xF78C4000 PartMgr.sys
              0xF7664000 VolSnap.sys
              0xF73F6000 iaStor.sys
              0xF7674000 disk.sys
              0xF7684000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
              0xF73D6000 fltmgr.sys
              0xF73C4000 sr.sys
              0xF73AE000 DRVMCDB.SYS
              0xF7694000 PxHelp20.sys
              0xF7397000 KSecDD.sys
              0xF7384000 WudfPf.sys
              0xF72F7000 Ntfs.sys
              0xF72CA000 NDIS.sys
              0xF72B0000 Mup.sys
              0xF7784000 \SystemRoot\system32\DRIVERS\intelppm.sys
              0xF6123000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
              0xF610F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
              0xF60D6000 \SystemRoot\system32\DRIVERS\e1e5132.sys
              0xF7934000 \SystemRoot\system32\DRIVERS\usbuhci.sys
              0xF08AE000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
              0xF7944000 \SystemRoot\system32\DRIVERS\usbehci.sys
              0xF0886000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
              0xF0852000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
              0xF082F000 \SystemRoot\system32\DRIVERS\ks.sys
              0xF0730000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
              0xF0689000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
              0xF795C000 \SystemRoot\System32\Drivers\Modem.SYS
              0xF796C000 \SystemRoot\system32\DRIVERS\fdc.sys
              0xF76C4000 \SystemRoot\system32\DRIVERS\imapi.sys
              0xF7BD8000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
              0xF76E4000 \SystemRoot\system32\drivers\dvdfab.sys
              0xF76F4000 \SystemRoot\system32\DRIVERS\cdrom.sys
              0xF7734000 \SystemRoot\system32\DRIVERS\redbook.sys
              0xF0B22000 \SystemRoot\system32\DRIVERS\audstub.sys
              0xF7894000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
              0xF0D06000 \SystemRoot\system32\DRIVERS\ndistapi.sys
              0xF1B6B000 \SystemRoot\system32\DRIVERS\raspppoe.sys
              0xF1B4B000 \SystemRoot\system32\DRIVERS\raspptp.sys
              0xF1BC3000 \SystemRoot\system32\DRIVERS\TDI.SYS
              0xEBA40000 \SystemRoot\system32\DRIVERS\psched.sys
              0xF1AEB000 \SystemRoot\system32\DRIVERS\msgpc.sys
              0xF1BA3000 \SystemRoot\system32\DRIVERS\ptilink.sys
              0xF1CA7000 \SystemRoot\system32\DRIVERS\raspti.sys
              0xF1D18000 \SystemRoot\system32\DRIVERS\wanatw4.sys
              0xF20E9000 \SystemRoot\System32\Drivers\pcouffin.sys
              0xEBA10000 \SystemRoot\system32\DRIVERS\rdpdr.sys
              0xF4634000 \SystemRoot\system32\DRIVERS\termdd.sys
              0xF1D10000 \SystemRoot\system32\DRIVERS\kbdclass.sys
              0xF1EC3000 \SystemRoot\system32\DRIVERS\mouclass.sys
              0xF7B9A000 \SystemRoot\system32\DRIVERS\swenum.sys
              0xEB9B2000 \SystemRoot\system32\DRIVERS\update.sys
              0xF1617000 \SystemRoot\system32\DRIVERS\mssmbios.sys
              0xF160F000 \SystemRoot\system32\drivers\MODEMCSA.sys
              0xF680D000 \SystemRoot\System32\Drivers\NDProxy.SYS
              0xF77C4000 \SystemRoot\system32\DRIVERS\usbhub.sys
              0xF15DD000 \SystemRoot\system32\DRIVERS\USBD.SYS
              0xEB2E2000 \SystemRoot\system32\drivers\sthda.sys
              0xEB2BE000 \SystemRoot\system32\drivers\portcls.sys
              0xF1484000 \SystemRoot\system32\drivers\drmk.sys
              0xF1E69000 \SystemRoot\system32\DRIVERS\flpydisk.sys
              0xF7B34000 \SystemRoot\System32\Drivers\i2omgmt.SYS
              0xF1CBF000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
              0xF7C26000 \SystemRoot\System32\Drivers\Null.SYS
              0xF1CBB000 \SystemRoot\System32\Drivers\Beep.SYS
              0xF1E49000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
              0xF7994000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
              0xF79A4000 \SystemRoot\System32\drivers\vga.sys
              0xF1CB7000 \SystemRoot\System32\Drivers\mnmdd.SYS
              0xF1CB3000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
              0xF79B4000 \SystemRoot\System32\Drivers\Msfs.SYS
              0xF79C4000 \SystemRoot\System32\Drivers\Npfs.SYS
              0xF7277000 \SystemRoot\system32\DRIVERS\rasacd.sys
              0xEB28B000 \SystemRoot\system32\DRIVERS\ipsec.sys
              0xEB232000 \SystemRoot\system32\DRIVERS\tcpip.sys
              0xEB20A000 \SystemRoot\system32\DRIVERS\netbt.sys
              0xF7263000 \SystemRoot\System32\drivers\ws2ifsl.sys
              0xEB1E8000 \SystemRoot\System32\drivers\afd.sys
              0xF7854000 \SystemRoot\system32\DRIVERS\netbios.sys
              0xEB1C6000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
              0xF79DC000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
              0xEB19B000 \SystemRoot\system32\DRIVERS\rdbss.sys
              0xEB12B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
              0xF14B4000 \SystemRoot\System32\Drivers\Fips.SYS
              0xF79E4000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
              0xF1B3B000 \SystemRoot\System32\Drivers\Cdfs.SYS
              0xF6D53000 \SystemRoot\system32\DRIVERS\hidusb.sys
              0xF1AFB000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
              0xF4C9E000 \SystemRoot\system32\DRIVERS\mouhid.sys
              0xF6D4F000 \SystemRoot\system32\DRIVERS\kbdhid.sys
              0xF6D47000 \SystemRoot\system32\DRIVERS\wdcsam.sys
              0xEB074000 \SystemRoot\System32\Drivers\dump_iaStor.sys
              0xBF800000 \SystemRoot\System32\win32k.sys
              0xED0ED000 \SystemRoot\System32\drivers\Dxapi.sys
              0xF7A1C000 \SystemRoot\System32\watchdog.sys
              0xBF000000 \SystemRoot\System32\drivers\dxg.sys
              0xF7C20000 \SystemRoot\System32\drivers\dxgthk.sys
              0xBF012000 \SystemRoot\System32\nv4_disp.dll
              0xBF596000 \SystemRoot\System32\ATMFD.DLL
              0xF0B35000 \SystemRoot\system32\DRIVERS\PDFsFilter.sys
              0xF0B25000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
              0xF41A7000 \SystemRoot\System32\DLA\DLADResN.SYS
              0xBA589000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
              0xF230C000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
              0xF7BFA000 \SystemRoot\System32\DLA\DLAPoolM.SYS
              0xF7A44000 \SystemRoot\System32\DLA\DLABOIOM.SYS
              0xBA571000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
              0xBA55B000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
              0xEE2A9000 \SystemRoot\system32\DRIVERS\hnm_wrls_pkt.sys
              0xED0E5000 \SystemRoot\system32\DRIVERS\packet.sys
              0xEBFFF000 \SystemRoot\system32\DRIVERS\wsp_pkt.sys
              0xF4345000 \SystemRoot\system32\DRIVERS\ndisuio.sys
              0xB9C6D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
              0xB9B75000 \SystemRoot\system32\DRIVERS\srv.sys
              0xB9C29000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
              0xB96B0000 \SystemRoot\system32\drivers\wdmaud.sys
              0xF1B2B000 \SystemRoot\system32\drivers\sysaudio.sys
              0xB8337000 \SystemRoot\System32\Drivers\HTTP.sys
              0xB824B000 \SystemRoot\System32\Drivers\Fastfat.SYS
              0xB65D1000 \SystemRoot\System32\Drivers\Udfs.SYS
              0xB65A6000 \SystemRoot\system32\drivers\kmixer.sys
              0x7C900000 \WINDOWS\system32\ntdll.dll

            Processes (total 40):
                   0 System Idle Process
                   4 System
                 324 C:\WINDOWS\system32\smss.exe
                 372 csrss.exe
                 396 C:\WINDOWS\system32\winlogon.exe
                 444 C:\WINDOWS\system32\services.exe
                 456 C:\WINDOWS\system32\lsass.exe
                 664 C:\WINDOWS\system32\svchost.exe
                 756 svchost.exe
                 796 C:\WINDOWS\system32\svchost.exe
                 832 C:\WINDOWS\system32\svchost.exe
                 936 svchost.exe
                1000 svchost.exe
                1088 C:\WINDOWS\system32\spoolsv.exe
                1136 C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
                1196 svchost.exe
                1228 C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
                1248 C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
                1308 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
                1324 C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
                1364 C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
                1432 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                1464 C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
                1500 C:\WINDOWS\system32\nvsvc32.exe
                1516 C:\Program Files\PC Tools Firewall Plus\FWService.exe
                1564 C:\WINDOWS\system32\svchost.exe
                1592 C:\WINDOWS\Installer\{21AFBFB6-53EF-36C2-120C-7E9BF1C4C429}\syshost.exe
                1704 C:\WINDOWS\wanmpsvc.exe
                1792 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
                1820 C:\WINDOWS\system32\searchindexer.exe
                2292 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
                2720 C:\WINDOWS\explorer.exe
                2896 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
                2904 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
                2916 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
                2952 C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
                3000 C:\WINDOWS\system32\ctfmon.exe
                 364 C:\WINDOWS\system32\searchprotocolhost.exe
                3964 searchfilterhost.exe
                3860 C:\Documents and Settings\Patrick\Desktop\MBRCheck.exe

            \\.\C: -->  error 5
            \\.\D: --> \\.\PhysicalDrive0 at offset 0x0000002a`df126200  (NTFS)
            \\.\H: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00  (NTFS)
            \\.\I: --> \\.\PhysicalDrive2 at offset 0x00000000`00100000  (NTFS)
            \\.\K: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00  (FAT32)

            PhysicalDrive0 Model Number:
            PhysicalDrive1 Model Number: HPExternal HDD, Rev: 1024
            PhysicalDrive2 Model Number: WDMy Passport 0740, Rev: 1007
            PhysicalDrive4 Model Number: WD1200BEVExternal, Rev: 1.02

                  Size  Device Name          MBR Status
              --------------------------------------------
                232 GB  \\.\PhysicalDrive0   MBR Code Faked!
                        SHA1: 320B4BB7E26AFF40A97FBDF13347B08E2C55A6F7
                465 GB  \\.\PhysicalDrive1   RE: Unknown MBR code
                        SHA1: 6A37A193FEC4E5EEA53FC922E7D439AFEDE6B8D2
                931 GB  \\.\PhysicalDrive2   RE: Windows XP MBR code detected
                        SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
                111 GB  \\.\PhysicalDrive4   RE: Unknown MBR code
                        SHA1: 2BE9ACE700A45722604874D4A10E3B6A212931F3


            Found non-standard or infected MBR.
            Enter 'Y' and hit ENTER for more options, or 'N' to exit:
            Options:
              [1] Dump the MBR of a physical disk to file.
              [2] Restore the MBR of a physical disk with a standard boot code.
              [3] Exit.

            Enter your choice:

            Done!

            SuperDave

            Re: Virus or worm has disabled internet, hidden program and other files
            « Reply #9 on: August 25, 2012, 04:24:04 PM »
            • Download OTLPENet.exe to your desktop.
            • Download Farbar Recovery Scan Tool and save it to a flash drive.
            • Ensure that you have a blank CD in the drive.
            • Double-click OTLPENet.exe and this will then open imgburn to burn the file to CD.
            • Reboot your system using the boot CD you just created.
            Note: If you do not know how to set your computer to boot from CD, follow the steps here.
            • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads.
            • Your system should now display a Reatogo desktop.
            Note: as you are running from CD it is not exactly speedy.
            • Insert the flash drive with FRST on it.
            • Locate the flash drive and run FRST.
            • The tool will start to run.
            • When the tool opens, click Yes to the disclaimer.
            • Press the Scan button.
            • It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.

            padraig

              Re: Virus or worm has disabled internet, hidden program and other files
              « Reply #10 on: August 25, 2012, 05:36:37 PM »
              Do you have another link for the OTLPENet.exe, as the one above cannot be accessed?

              padraig

                Re: Virus or worm has disabled internet, hidden program and other files
                « Reply #11 on: August 26, 2012, 02:31:54 PM »
                I downloaded OTLPENet.exe from another online resource and burnt the CD; the link to how to boot from the CD is dead, and I made a guess and tried a few attempts only to get an error message: "Forced network boot attempt failed, check cable and settings-strike F1 to retry boot, F2 for setup utility"; I got nothing!

                padraig

                  Re: Virus or worm has disabled internet, hidden program and other files
                  « Reply #12 on: August 26, 2012, 02:49:25 PM »
                  After much trial and error I was able to boot from the CD-ROM :P, but I doubt that I could return the system to the correct order without help.

                  I ran FRST and here is the log file:

                  Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 25-08-2012
                  Ran by SYSTEM at 26-08-2012 17:44:31
                  Running from G:\
                  Microsoft Windows XP   (X86) OS Language: English(US)
                  The current controlset is ControlSet003

                  ========================== Registry (Whitelisted) =============

                  HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [8491008 2007-09-17] (NVIDIA Corporation)
                  HKLM\...\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [151552 2006-07-06] (Intel Corporation)
                  HKLM\...\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE [122940 2005-09-08] (Sonic Solutions)
                  HKLM\...\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon [1983816 2009-07-26] (CANON INC.)
                  HKLM\...\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon [767312 2009-03-17] (CANON INC.)
                  HKLM\...\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s [2672600 2011-04-07] (PC Tools)
                  HKU\Administrator\...\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [20553 2005-08-15] (Trend Micro Inc.)
                  HKU\Administrator\...\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup [395776 2006-08-28] (Gteko Ltd.)
                  HKU\Administrator\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
                  HKU\Administrator\...\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [1289000 2006-11-13] (Microsoft Corporation)
                  HKU\Administrator\...\Policies\system: [NoDispBackgroundPage] 1
                  HKU\Anna\...\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [20553 2005-08-15] (Trend Micro Inc.)
                  HKU\Anna\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
                  HKU\Anna\...\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                  HKU\Anna\...\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [1289000 2006-11-13] (Microsoft Corporation)
                  HKU\Anna\...\Policies\system: [NoDispScrSavPage] 0
                  HKU\Anna\...\Policies\system: [NoDispCPL] 0
                  HKU\Anna\...\Policies\system: [NoDispBackgroundPage] 1
                  HKU\Default User\...\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [20553 2005-08-15] (Trend Micro Inc.)
                  HKU\Default User\...\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup [395776 2006-08-28] (Gteko Ltd.)
                  HKU\Patrick\...\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [4777856 2012-07-27] (SUPERAntiSpyware.com)
                  HKU\Patrick\...\Run: [Autodesk] rundll32.exe "C:\Documents and Settings\Patrick\Local Settings\Application Data\Collectorz.com\Autodesk\kzaayba.dll",CreateInstance
                  HKU\Patrick\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-13] (Microsoft Corporation)
                  HKU\Patrick\...\Run: [govShell] C:\Documents and Settings\Patrick\govkhca.exe [157184 2012-08-12] (Teufel)
                  Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [X]
                  Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
                  Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
                  Lsa: [Notification Packages]
                  scecli
                  HKLM\...\InprocServer32: [Default-wbem] \\.\globalroot\systemroot\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n. ATTENTION! ====> ZeroAccess

                  ================================ Services (Whitelisted) ==================

                  2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE.EXE" [116608 2011-08-19] (SUPERAntiSpyware.com)
                  2 6to4; C:\WINDOWS\system32\6to4ex.dll [73748 2004-08-17] ()
                  2 AOL ACS; C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe [46640 2006-10-23] (AOL LLC)
                  2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
                  2 IMFservice; C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe [821592 2012-01-09] (IObit)
                  2 ioloSystemService; "C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe" [1027792 2012-08-02] (iolo technologies, LLC)
                  2 MSSQL$MICROSOFTSMLBIZ; "C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ [9158656 2008-12-18] (Microsoft Corporation)
                  3 MSSQLServerADHelper; "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe" [73728 2005-05-03] (Microsoft Corporation)
                  2 PCToolsFirewallPlus; C:\Program Files\PC Tools Firewall Plus\FWService.exe [286000 2011-01-24] (PC Tools)
                  3 SQLAgent$MICROSOFTSMLBIZ; "C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ [323584 2005-05-03] (Microsoft Corporation)
                  2 syshost32; "C:\WINDOWS\Installer\{21AFBFB6-53EF-36C2-120C-7E9BF1C4C429}\syshost.exe" /service [347648 2012-08-16] (Kupa Kreative Tech)
                  2 WANMiniportService; "C:\WINDOWS\wanmpsvc.exe" [65536 2003-08-27] (America Online, Inc.)
                  4 HidServ; C:\Windows\System32\hidserv.dll
                  4 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"

                  ========================== Drivers (Whitelisted) =============

                  0 9445fee0eea6d169; C:\Windows\System32\Drivers\9445fee0eea6d169.sys [70272 2012-08-12] () ATTENTION =====> Rootkit?
                  2 DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [25628 2005-09-08] (Sonic Solutions)
                  1 DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [5628 2005-08-25] (Sonic Solutions)
                  2 DLADResN; C:\Windows\System32\DLA\DLADResN.SYS [2496 2005-09-08] (Sonic Solutions)
                  2 DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [86524 2005-09-08] (Sonic Solutions)
                  2 DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [14684 2005-09-08] (Sonic Solutions)
                  2 DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [6364 2005-09-08] (Sonic Solutions)
                  1 DLARTL_N; C:\Windows\System32\Drivers\DLARTL_N.SYS [22684 2005-08-25] (Sonic Solutions)
                  2 DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [94332 2005-09-08] (Sonic Solutions)
                  2 DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [87036 2005-09-08] (Sonic Solutions)
                  2 DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [40544 2005-08-12] (Sonic Solutions)
                  3 DSproct; \??\C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys [4864 2006-01-10] (GTek Technologies Ltd.)
                  3 dvdfab; C:\Windows\System32\drivers\dvdfab.sys [54144 2011-08-15] (Fengtao Software Inc.)
                  3 FileMonitor; \??\C:\Program Files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [246816 2012-01-05] (IObit)
                  3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows (R) Server 2003 DDK provider)
                  2 hnmwrlspkt; C:\Windows\System32\DRIVERS\hnm_wrls_pkt.sys [13824 2006-07-14] (SingleClick Systems)
                  3 NAL; \??\C:\WINDOWS\system32\Drivers\iqvw32.sys [24064 2006-06-05] (Intel Corporation )
                  2 Packet; C:\Windows\System32\DRIVERS\packet.sys [11136 2006-10-15] (SingleClick Systems)
                  3 pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [47360 2011-07-02] (VSO Software)
                  2 PCTAppEvent; \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys [160576 2011-03-02] (PC Tools)
                  3 PCTFW-PacketFilter; \??\C:\WINDOWS\system32\drivers\pctNdis-PacketFilter.sys [89472 2011-01-12] (PC Tools)
                  1 pctgntdi; \??\C:\WINDOWS\system32\drivers\pctgntdi.sys [251560 2011-01-17] (PC Tools)
                  3 pctNDIS; C:\Windows\System32\DRIVERS\pctNdis.sys [57536 2010-07-08] (PC Tools)
                  3 pctplfw; \??\C:\WINDOWS\system32\drivers\pctplfw.sys [125248 2011-01-17] (PC Tools)
                  2 PDFsFilter; C:\Windows\System32\DRIVERS\PDFsFilter.sys [68464 2012-08-02] (Raxco Software, Inc.)
                  0 PxHelp20; C:\Windows\System32\Drivers\PxHelp20.sys [43528 2009-09-25] (Sonic Solutions)
                  3 RegFilter; \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\wxp_x86\regfilter.sys [30368 2011-09-20] (IObit.com)
                  1 SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-08-05] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
                  3 SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [12872 2010-04-03] ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
                  1 SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [67664 2011-08-05] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
                  4 sptd; C:\Windows\System32\Drivers\sptd.sys [715248 2008-12-31] (Duplex Secure Ltd.)
                  3 STHDA; C:\Windows\System32\drivers\sthda.sys [1156648 2006-07-24] (SigmaTel, Inc.)
                  3 UrlFilter; \??\C:\Program Files\IObit\IObit Malware Fighter\drivers\wxp_x86\UrlFilter.sys [16208 2011-09-20] (IObit.com)
                  3 wanatw; C:\Windows\System32\DRIVERS\wanatw4.sys [33588 2003-01-10] (America Online, Inc.)
                  3 wceusbsh; C:\Windows\System32\DRIVERS\wceusbsh.sys [28672 2006-11-06] (Microsoft Corporation)
                  2 wsppkt; C:\Windows\System32\DRIVERS\wsp_pkt.sys [13696 2006-07-14] (SingleClick Systems)
                  4 Abiosdsk;
                  4 Atdisk;
                  0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys
                  3 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys
                  3 bvrp_pci;
                  3 catchme; \??\C:\DOCUME~1\Patrick\LOCALS~1\Temp\catchme.sys
                  3 CFcatchme; \??\C:\PCHelpForum\CFcatchme.sys
                  1 Changer;
                  3 cpuz132; \??\C:\DOCUME~1\Patrick\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys
                  1 lbrtfdc;
                  1 PCIDump;
                  3 PDCOMP;
                  3 PDFRAME;
                  3 PDRELI;
                  3 PDRFRAME;
                  4 Simbad;
                  3 VPROEVENTMONITOR; \??\C:\WINDOWS\system32\drivers\VProEventMonitor.sys
                  2 Vsapint; C:\Windows\System32\drivers\Vsapint.sys
                  3 WDICA;

                  ========================== NetSvcs (Whitelisted) ===========


                  ============ One Month Created Files and Folders ==============

                  2012-08-26 16:20 - 2012-08-26 16:20 - 127231689 ____A (Igor Pavlov) C:\Documents and Settings\Patrick\Desktop\OTLPENet.exe
                  2012-08-24 20:35 - 2012-08-24 20:36 - 00010142 ____A C:\Documents and Settings\Patrick\Desktop\MBRCheck_08.24.12_20.35.45.txt
                  2012-08-24 20:34 - 2012-08-24 20:34 - 00005623 ____A C:\Documents and Settings\Patrick\Desktop\RKreport[1].txt
                  2012-08-24 20:33 - 2012-08-24 20:34 - 01558528 ____A C:\Documents and Settings\Patrick\Desktop\RogueKiller.exe
                  2012-08-24 20:33 - 2012-08-24 20:34 - 00080384 ____A C:\Documents and Settings\Patrick\Desktop\MBRCheck.exe
                  2012-08-24 20:33 - 2012-08-24 20:34 - 00000000 ____D C:\Documents and Settings\Patrick\Desktop\RK_Quarantine
                  2012-08-24 12:11 - 2012-08-24 12:11 - 00000000 ____D C:\Documents and Settings\Patrick\Desktop\tdsskiller
                  2012-08-24 12:11 - 2012-08-24 09:06 - 04731392 ____A (AVAST Software) C:\Documents and Settings\Patrick\Desktop\aswMBR.exe
                  2012-08-24 12:11 - 2012-08-24 09:06 - 02193184 ____A C:\Documents and Settings\Patrick\Desktop\tdsskiller.zip
                  2012-08-19 19:05 - 2012-08-19 19:03 - 00324589 ____A C:\Documents and Settings\Patrick\Desktop\winxp-pro-32bit-sm-reset.exe
                  2012-08-19 18:50 - 2012-08-19 18:50 - 00003278 ____A C:\Windows\bitssetup.log
                  2012-08-19 18:46 - 2012-08-19 18:46 - 00007264 ____A C:\Documents and Settings\Patrick\Desktop\Rkill.txt
                  2012-08-19 18:46 - 2012-08-19 18:46 - 00000000 ____D C:\Documents and Settings\Patrick\Desktop\Dial-a-fix-v0.60.0.24
                  2012-08-19 16:23 - 2012-08-19 16:10 - 00335992 ____A C:\Documents and Settings\Patrick\Desktop\Dial-a-fix-v0.60.0.24.zip
                  2012-08-19 16:23 - 2012-08-19 16:09 - 01545120 ____A (Bleeping Computer, LLC) C:\Documents and Settings\Patrick\Desktop\rkill.exe
                  2012-08-19 16:22 - 2012-08-19 16:08 - 00399264 ____A (Bleeping Computer, LLC) C:\Documents and Settings\Patrick\Desktop\unhide.exe
                  2012-08-19 16:09 - 2012-08-19 16:09 - 00090112 ____A C:\Windows\Minidump\Mini081912-01.dmp
                  2012-08-18 08:03 - 2012-08-18 07:45 - 00607260 ____R (Swearware) C:\Documents and Settings\Patrick\Desktop\dds.exe
                  2012-08-18 08:00 - 2012-08-10 14:34 - 00607260 ___RA (Swearware) C:\Documents and Settings\Patrick\My Documents\dds.scr
                  2012-08-18 07:40 - 2012-08-18 07:40 - 00090112 ____A C:\Windows\Minidump\Mini081812-01.dmp
                  2012-08-17 17:31 - 2012-08-25 07:11 - 00052443 ____A C:\Documents and Settings\Patrick\govlog.dat
                  2012-08-12 21:27 - 2012-08-12 21:27 - 00070272 ____A C:\Windows\System32\Drivers\9445fee0eea6d169.sys
                  2012-08-12 21:26 - 2012-08-12 21:26 - 00157184 ____A (Teufel) C:\Documents and Settings\Patrick\govkhca.exe
                  2012-08-12 18:37 - 2012-08-12 18:37 - 00000000 ____D C:\Windows\System32\config\Original
                  2012-08-12 18:30 - 2012-08-12 18:30 - 00001689 ____A C:\Documents and Settings\Patrick\Desktop\System Mechanic.lnk
                  2012-08-12 18:30 - 2012-08-12 18:30 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\iolo
                  2012-08-12 18:30 - 2012-08-02 12:45 - 00040504 ____A (iolo technologies, LLC) C:\Windows\System32\iolobtdfg.exe
                  2012-08-12 18:30 - 2012-08-02 12:45 - 00022456 ____A (iolo technologies, LLC) C:\Windows\System32\smrgdf.exe
                  2012-08-12 18:30 - 2012-08-02 11:27 - 02096360 ____A (iolo technologies, LLC) C:\Windows\System32\Incinerator32.dll
                  2012-08-12 18:30 - 2012-08-02 11:21 - 00068464 ____A (Raxco Software, Inc.) C:\Windows\System32\Drivers\PDFsFilter.sys
                  2012-08-12 18:30 - 2012-08-02 11:21 - 00056200 ____A (Microsoft Corporation) C:\Windows\System32\offreg.dll
                  2012-08-12 18:26 - 2012-08-12 21:31 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\iolo
                  2012-08-12 18:26 - 2012-08-12 18:36 - 00000000 ____D C:\Documents and Settings\Patrick\Application Data\iolo
                  2012-08-12 18:26 - 2012-08-12 18:26 - 00074703 ____A C:\Windows\System32\mfc45.dat
                  2012-08-12 18:26 - 2012-08-12 18:26 - 00065536 ____A C:\Windows\System32\config\iolo App.evt
                  2012-08-12 18:20 - 2012-08-12 18:20 - 00074744 ____A C:\Windows\KB2699988-IE8.log
                  2012-08-12 18:19 - 2012-08-12 18:20 - 00078460 ____A C:\Windows\KB2618444-IE8.log
                  2012-08-12 18:19 - 2012-08-12 18:19 - 00070842 ____A C:\Windows\KB2598845-IE8.log
                  2012-08-12 18:18 - 2012-08-12 18:22 - 00006923 ____A C:\Windows\spupdsvc.log
                  2012-08-12 18:18 - 2012-08-12 18:20 - 00033457 ____A C:\Windows\iis6.log
                  2012-08-12 18:18 - 2012-08-12 18:20 - 00030798 ____A C:\Windows\FaxSetup.log
                  2012-08-12 18:18 - 2012-08-12 18:20 - 00014780 ____A C:\Windows\ocgen.log
                  2012-08-12 18:18 - 2012-08-12 18:20 - 00014105 ____A C:\Windows\tsoc.log
                  2012-08-12 18:18 - 2012-08-12 18:20 - 00009474 ____A C:\Windows\msmqinst.log
                  2012-08-12 18:18 - 2012-08-12 18:20 - 00006207 ____A C:\Windows\ntdtcsetup.log
                  2012-08-12 18:18 - 2012-08-12 18:20 - 00005415 ____A C:\Windows\netfxocm.log
                  2012-08-12 18:18 - 2012-08-12 18:20 - 00002125 ____A C:\Windows\MedCtrOC.log
                  2012-08-12 18:18 - 2012-08-12 18:20 - 00001710 ____A C:\Windows\ocmsn.log
                  2012-08-12 18:18 - 2012-08-12 18:20 - 00001555 ____A C:\Windows\tabletoc.log
                  2012-08-12 18:18 - 2012-08-12 18:20 - 00001515 ____A C:\Windows\msgsocm.log
                  2012-08-12 18:18 - 2012-08-12 18:20 - 00001374 ____A C:\Windows\imsins.log
                  2012-08-12 18:18 - 2012-08-12 18:19 - 00091059 ____A C:\Windows\KB982381-IE8.log
                  2012-08-12 18:18 - 2012-08-12 18:18 - 00000000 ____A C:\Windows\setuperr.log
                  2012-08-12 18:18 - 2012-08-12 18:18 - 00000000 ____A C:\Windows\setupact.log
                  2012-08-12 18:17 - 2012-08-12 18:17 - 00000000 ___DC C:\Windows\ie8
                  2012-08-12 18:16 - 2012-08-12 18:18 - 00083130 ____A C:\Windows\ie8.log
                  2012-08-12 18:05 - 2012-08-12 18:20 - 00127300 ____A C:\Windows\ie8_main.log
                  2012-08-12 18:05 - 2012-08-12 18:20 - 00084347 ____A C:\Windows\updspapi.log
                  2012-08-12 18:05 - 2012-08-12 18:06 - 00045362 ____A C:\Windows\ie8Uninst.log
                  2012-08-12 16:35 - 2012-08-19 17:10 - 00003606 ____A C:\Documents and Settings\Patrick\Desktop\unhide.txt
                  2012-08-11 19:46 - 2012-08-11 19:46 - 00015410 ____A C:\ComboFix.txt
                  2012-08-11 18:38 - 2012-08-11 18:38 - 00000000 RASHD C:\cmdcons
                  2012-08-11 18:34 - 2012-08-11 19:47 - 00000000 ____D C:\PCHelpForum6050P
                  2012-08-11 18:22 - 2012-08-11 18:22 - 00109892 ____A C:\Documents and Settings\Patrick\Desktop\OTL.Txt
                  2012-08-11 18:22 - 2012-08-11 18:22 - 00048674 ____A C:\Documents and Settings\Patrick\Desktop\Extras.Txt
                  2012-08-11 18:16 - 2012-08-10 16:26 - 00596480 ____A (OldTimer Tools) C:\Documents and Settings\Patrick\Desktop\OTL.exe
                  2012-08-11 17:53 - 2012-08-11 17:53 - 00000495 ____A C:\Windows\nsw.log
                  2012-08-10 20:46 - 2012-08-10 20:46 - 00008192 ____A C:\Windows\System32\config\SECURITY.tmp.LOG
                  2012-08-10 20:46 - 2012-08-10 20:46 - 00000000 ____A C:\Windows\System32\config\SYSTEM.tmp.LOG
                  2012-08-10 20:46 - 2012-08-10 20:46 - 00000000 ____A C:\Windows\System32\config\SOFTWARE.tmp.LOG
                  2012-08-10 20:46 - 2012-08-10 20:46 - 00000000 ____A C:\Windows\System32\config\SAM.tmp.LOG
                  2012-08-10 20:46 - 2012-08-10 20:46 - 00000000 ____A C:\Windows\System32\config\DEFAULT.tmp.LOG
                  2012-08-10 19:45 - 2011-06-26 02:45 - 00256000 ____A C:\Windows\PEV.exe
                  2012-08-10 19:45 - 2010-11-07 13:20 - 00208896 ____A C:\Windows\MBR.exe
                  2012-08-10 19:45 - 2009-04-20 00:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
                  2012-08-10 19:45 - 2000-08-30 20:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
                  2012-08-10 19:45 - 2000-08-30 20:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
                  2012-08-10 19:45 - 2000-08-30 20:00 - 00212480 ____A (SteelWerX) C:\Windows\SWXCACLS.exe
                  2012-08-10 19:45 - 2000-08-30 20:00 - 00098816 ____A C:\Windows\sed.exe
                  2012-08-10 19:45 - 2000-08-30 20:00 - 00080412 ____A C:\Windows\grep.exe
                  2012-08-10 19:45 - 2000-08-30 20:00 - 00068096 ____A C:\Windows\zip.exe
                  2012-08-10 19:43 - 2012-08-10 21:18 - 00000000 ____D C:\PCHelpForum
                  2012-08-10 19:20 - 2012-08-10 18:59 - 04728003 ____R (Swearware) C:\Documents and Settings\Patrick\Desktop\PCHelpForum.exe
                  2012-08-10 19:06 - 2012-08-10 19:43 - 00000000 ____D C:\ComboFix
                  2012-08-10 19:01 - 2012-08-11 19:46 - 00000000 ___AD C:\Qoobox
                  2012-08-10 18:54 - 2012-08-11 17:50 - 00000000 ____D C:\Documents and Settings\Patrick\Application Data\PCToolsFirewallPlus
                  2012-08-10 18:52 - 2012-08-10 18:52 - 00000000 ____D C:\Program Files\Common Files\PC Tools
                  2012-08-10 18:52 - 2011-03-02 12:40 - 00160576 ____A (PC Tools) C:\Windows\System32\Drivers\PCTAppEvent.sys
                  2012-08-10 18:52 - 2011-01-17 09:10 - 00251560 ____A (PC Tools) C:\Windows\System32\Drivers\pctgntdi.sys
                  2012-08-10 18:52 - 2011-01-12 10:36 - 00089472 ____A (PC Tools) C:\Windows\System32\Drivers\pctNdis-PacketFilter.sys
                  2012-08-10 18:52 - 2010-07-08 08:49 - 00057536 ____A (PC Tools) C:\Windows\System32\Drivers\pctNdis.sys
                  2012-08-10 18:52 - 2010-03-29 11:06 - 00218592 ____A (PC Tools) C:\Windows\System32\Drivers\PCTCore.sys
                  2012-08-10 18:52 - 2010-02-05 08:26 - 00032808 ____A (PC Tools) C:\Windows\System32\Drivers\pctNdis-DNS.sys
                  2012-08-10 18:51 - 2012-08-13 00:24 - 00000000 ____D C:\Program Files\PC Tools Firewall Plus
                  2012-08-10 18:51 - 2011-01-17 08:11 - 00125248 ____A (PC Tools) C:\Windows\System32\Drivers\pctplfw.sys
                  2012-08-10 18:48 - 2012-08-10 18:48 - 00000088 ____A C:\Windows\System32\-1
                  2012-08-10 18:47 - 2012-08-10 18:47 - 00205072 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
                  2012-08-10 18:22 - 2012-08-19 15:08 - 00032392 ____A C:\Windows\setupapi.log
                  2012-08-10 17:54 - 2012-08-26 16:24 - 00000339 ____A C:\Windows\wiadebug.log
                  2012-08-10 17:10 - 2012-08-10 18:52 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\PCToolsFirewallPlus
                  2012-08-10 17:07 - 2012-08-10 17:07 - 00012410 ____A C:\Documents and Settings\Administrator\Desktop\dds.txt
                  2012-08-10 16:31 - 2012-08-10 16:31 - 00129244 ____A C:\Documents and Settings\Administrator\Desktop\OTL.Txt
                  2012-08-10 16:31 - 2012-08-10 16:31 - 00046014 ____A C:\Documents and Settings\Administrator\Desktop\Extras.Txt
                  2012-08-10 16:24 - 2012-08-10 16:26 - 00596480 ____A (OldTimer Tools) C:\Documents and Settings\Administrator\Desktop\OTL.exe
                  2012-08-10 16:17 - 2012-08-10 16:18 - 02136664 ____A (Kaspersky Lab ZAO) C:\Documents and Settings\Administrator\Desktop\tdsskiller.exe
                  2012-08-10 14:34 - 2012-08-10 14:34 - 00302592 ____A C:\Documents and Settings\Administrator\Desktop\k6rtwke4.exe
                  2012-08-10 14:33 - 2012-08-10 14:35 - 16373192 ____A (Microsoft Corporation) C:\Documents and Settings\Administrator\Desktop\Windows-KB890830-V4.10.exe
                  2012-08-10 14:33 - 2012-08-10 14:34 - 00607260 ____R (Swearware) C:\Documents and Settings\Administrator\Desktop\dds.scr
                  2012-08-10 14:33 - 2012-08-10 14:33 - 00050688 ____A (Atribune.org) C:\Documents and Settings\Administrator\Desktop\ATF-Cleaner.exe
                  2012-08-10 13:49 - 2012-08-10 13:49 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
                  2012-08-10 13:49 - 2012-08-10 13:49 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Mozilla
                  2012-08-10 13:30 - 2012-08-10 13:30 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Windows Search
                  2012-08-10 10:50 - 2012-08-10 10:50 - 00000000 __SHD C:\Documents and Settings\Administrator\PrivacIE
                  2012-08-10 10:50 - 2012-08-10 10:50 - 00000000 __SHD C:\Documents and Settings\Administrator\IETldCache
                  2012-08-10 10:49 - 2012-08-10 10:49 - 00383224 ____A C:\Windows\System32\FNTCACHE.DAT
                  2012-08-10 10:41 - 2012-08-26 16:24 - 00544987 ____A C:\Windows\WindowsUpdate.log
                  2012-08-05 20:53 - 2008-04-13 20:12 - 00146432 ____A (Microsoft Corporation) C:\Documents and Settings\Patrick\Desktop\regedit.exe
                  2012-08-05 16:58 - 2012-08-05 16:58 - 00000000 ____D C:\Documents and Settings\NetworkService\Application Data\Adobe
                  2012-08-05 16:32 - 2012-08-05 16:32 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Macromedia
                  2012-08-05 16:30 - 2012-08-05 16:30 - 00000000 ____D C:\Documents and Settings\LocalService\Application Data\Adobe
                  2012-08-05 11:49 - 2012-08-05 11:49 - 00001635 ____A C:\Documents and Settings\Patrick\Desktop\DVD Decrypter.lnk
                  2012-08-05 11:49 - 2012-08-05 11:49 - 00000000 ____D C:\Program Files\DVD Decrypter
                  2012-07-29 17:20 - 1997-07-19 16:55 - 01347344 ____A (Microsoft Corporation) C:\Windows\System32\MSVBVM50.dll
                  2012-07-29 16:38 - 2012-07-29 16:38 - 20689176 ____A (Upperspace                                                  ) C:\Documents and Settings\Patrick\Desktop\Q_Landscape.exe
                  2012-07-29 16:30 - 2012-07-29 16:34 - 00000000 ____D C:\Documents and Settings\Patrick\Desktop\3
                  2012-07-29 13:51 - 2012-07-29 13:52 - 00000000 ____D C:\Documents and Settings\Patrick\Application Data\SmartDraw


                  ============ 3 Months Modified Files ========================

                  2012-08-26 16:24 - 2012-08-10 17:54 - 00000339 ____A C:\Windows\wiadebug.log
                  2012-08-26 16:24 - 2012-08-10 10:41 - 00544987 ____A C:\Windows\WindowsUpdate.log
                  2012-08-26 16:24 - 2004-08-11 19:20 - 00032644 ____A C:\Windows\SchedLgU.Txt
                  2012-08-26 16:24 - 2004-08-11 19:20 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
                  2012-08-26 16:20 - 2012-08-26 16:20 - 127231689 ____A (Igor Pavlov) C:\Documents and Settings\Patrick\Desktop\OTLPENet.exe
                  2012-08-26 12:19 - 2012-07-03 22:37 - 00002497 ____A C:\Documents and Settings\Patrick\Desktop\Microsoft Office Word 2003.lnk
                  2012-08-25 07:11 - 2012-08-17 17:31 - 00052443 ____A C:\Documents and Settings\Patrick\govlog.dat
                  2012-08-25 07:11 - 2006-12-24 14:51 - 00000062 __ASH C:\Documents and Settings\Patrick\Local Settings\desktop.ini
                  2012-08-25 07:11 - 2004-08-11 19:20 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
                  2012-08-25 07:11 - 2004-08-11 19:20 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
                  2012-08-25 07:11 - 2004-08-11 19:09 - 00000049 ____A C:\Windows\wiaservc.log
                  2012-08-25 07:11 - 2004-08-11 19:00 - 00002206 ____A C:\Windows\System32\wpa.dbl
                  2012-08-24 20:36 - 2012-08-24 20:35 - 00010142 ____A C:\Documents and Settings\Patrick\Desktop\MBRCheck_08.24.12_20.35.45.txt
                  2012-08-24 20:34 - 2012-08-24 20:34 - 00005623 ____A C:\Documents and Settings\Patrick\Desktop\RKreport[1].txt
                  2012-08-24 20:34 - 2012-08-24 20:33 - 01558528 ____A C:\Documents and Settings\Patrick\Desktop\RogueKiller.exe
                  2012-08-24 20:34 - 2012-08-24 20:33 - 00080384 ____A C:\Documents and Settings\Patrick\Desktop\MBRCheck.exe
                  2012-08-24 12:17 - 2004-08-11 19:20 - 00000178 __ASH C:\Documents and Settings\Administrator\ntuser.ini
                  2012-08-24 12:17 - 2004-08-11 19:20 - 00000062 __ASH C:\Documents and Settings\Administrator\Local Settings\desktop.ini
                  2012-08-24 09:06 - 2012-08-24 12:11 - 04731392 ____A (AVAST Software) C:\Documents and Settings\Patrick\Desktop\aswMBR.exe
                  2012-08-24 09:06 - 2012-08-24 12:11 - 02193184 ____A C:\Documents and Settings\Patrick\Desktop\tdsskiller.zip
                  2012-08-19 19:03 - 2012-08-19 19:05 - 00324589 ____A C:\Documents and Settings\Patrick\Desktop\winxp-pro-32bit-sm-reset.exe
                  2012-08-19 18:51 - 2010-10-03 08:31 - 00023392 ____A C:\Windows\System32\nscompat.tlb
                  2012-08-19 18:51 - 2010-10-03 08:31 - 00016832 ____A C:\Windows\System32\amcompat.tlb
                  2012-08-19 18:50 - 2012-08-19 18:50 - 00003278 ____A C:\Windows\bitssetup.log
                  2012-08-19 18:46 - 2012-08-19 18:46 - 00007264 ____A C:\Documents and Settings\Patrick\Desktop\Rkill.txt
                  2012-08-19 17:10 - 2012-08-12 16:35 - 00003606 ____A C:\Documents and Settings\Patrick\Desktop\unhide.txt
                  2012-08-19 16:10 - 2012-08-19 16:23 - 00335992 ____A C:\Documents and Settings\Patrick\Desktop\Dial-a-fix-v0.60.0.24.zip
                  2012-08-19 16:09 - 2012-08-19 16:23 - 01545120 ____A (Bleeping Computer, LLC) C:\Documents and Settings\Patrick\Desktop\rkill.exe
                  2012-08-19 16:09 - 2012-08-19 16:09 - 00090112 ____A C:\Windows\Minidump\Mini081912-01.dmp
                  2012-08-19 16:08 - 2012-08-19 16:22 - 00399264 ____A (Bleeping Computer, LLC) C:\Documents and Settings\Patrick\Desktop\unhide.exe
                  2012-08-19 15:08 - 2012-08-10 18:22 - 00032392 ____A C:\Windows\setupapi.log
                  2012-08-18 07:45 - 2012-08-18 08:03 - 00607260 ____R (Swearware) C:\Documents and Settings\Patrick\Desktop\dds.exe
                  2012-08-18 07:40 - 2012-08-18 07:40 - 00090112 ____A C:\Windows\Minidump\Mini081812-01.dmp
                  2012-08-12 21:27 - 2012-08-12 21:27 - 00070272 ____A C:\Windows\System32\Drivers\9445fee0eea6d169.sys
                  2012-08-12 21:26 - 2012-08-12 21:26 - 00157184 ____A (Teufel) C:\Documents and Settings\Patrick\govkhca.exe
                  2012-08-12 21:26 - 2010-05-01 07:32 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
                  2012-08-12 21:05 - 2004-08-11 19:07 - 00631476 ____A C:\Windows\System32\PerfStringBackup.INI
                  2012-08-12 18:30 - 2012-08-12 18:30 - 00001689 ____A C:\Documents and Settings\Patrick\Desktop\System Mechanic.lnk
                  2012-08-12 18:26 - 2012-08-12 18:26 - 00074703 ____A C:\Windows\System32\mfc45.dat
                  2012-08-12 18:26 - 2012-08-12 18:26 - 00065536 ____A C:\Windows\System32\config\iolo App.evt
                  2012-08-12 18:22 - 2012-08-12 18:18 - 00006923 ____A C:\Windows\spupdsvc.log
                  2012-08-12 18:20 - 2012-08-12 18:20 - 00074744 ____A C:\Windows\KB2699988-IE8.log
                  2012-08-12 18:20 - 2012-08-12 18:19 - 00078460 ____A C:\Windows\KB2618444-IE8.log
                  2012-08-12 18:20 - 2012-08-12 18:18 - 00033457 ____A C:\Windows\iis6.log
                  2012-08-12 18:20 - 2012-08-12 18:18 - 00030798 ____A C:\Windows\FaxSetup.log
                  2012-08-12 18:20 - 2012-08-12 18:18 - 00014780 ____A C:\Windows\ocgen.log
                  2012-08-12 18:20 - 2012-08-12 18:18 - 00014105 ____A C:\Windows\tsoc.log
                  2012-08-12 18:20 - 2012-08-12 18:18 - 00009474 ____A C:\Windows\msmqinst.log
                  2012-08-12 18:20 - 2012-08-12 18:18 - 00006207 ____A C:\Windows\ntdtcsetup.log
                  2012-08-12 18:20 - 2012-08-12 18:18 - 00005415 ____A C:\Windows\netfxocm.log
                  2012-08-12 18:20 - 2012-08-12 18:18 - 00002125 ____A C:\Windows\MedCtrOC.log
                  2012-08-12 18:20 - 2012-08-12 18:18 - 00001710 ____A C:\Windows\ocmsn.log
                  2012-08-12 18:20 - 2012-08-12 18:18 - 00001555 ____A C:\Windows\tabletoc.log
                  2012-08-12 18:20 - 2012-08-12 18:18 - 00001515 ____A C:\Windows\msgsocm.log
                  2012-08-12 18:20 - 2012-08-12 18:18 - 00001374 ____A C:\Windows\imsins.log
                  2012-08-12 18:20 - 2012-08-12 18:05 - 00127300 ____A C:\Windows\ie8_main.log
                  2012-08-12 18:20 - 2012-08-12 18:05 - 00084347 ____A C:\Windows\updspapi.log
                  2012-08-12 18:20 - 2006-12-24 14:51 - 00000278 ___SH C:\Documents and Settings\Patrick\ntuser.ini
                  2012-08-12 18:19 - 2012-08-12 18:19 - 00070842 ____A C:\Windows\KB2598845-IE8.log
                  2012-08-12 18:19 - 2012-08-12 18:18 - 00091059 ____A C:\Windows\KB982381-IE8.log
                  2012-08-12 18:18 - 2012-08-12 18:18 - 00000000 ____A C:\Windows\setuperr.log
                  2012-08-12 18:18 - 2012-08-12 18:18 - 00000000 ____A C:\Windows\setupact.log
                  2012-08-12 18:18 - 2012-08-12 18:16 - 00083130 ____A C:\Windows\ie8.log
                  2012-08-12 18:06 - 2012-08-12 18:05 - 00045362 ____A C:\Windows\ie8Uninst.log
                  2012-08-12 12:46 - 2004-08-11 19:13 - 00000749 ___RA C:\Windows\WindowsShell.Manifest
                  2012-08-12 12:46 - 2004-08-11 19:13 - 00000749 ___RA C:\Windows\System32\wuaucpl.cpl.manifest
                  2012-08-12 12:46 - 2004-08-11 19:13 - 00000749 ___RA C:\Windows\System32\sapi.cpl.manifest
                  2012-08-12 12:46 - 2004-08-11 19:13 - 00000749 ___RA C:\Windows\System32\nwc.cpl.manifest
                  2012-08-12 12:46 - 2004-08-11 19:13 - 00000749 ___RA C:\Windows\System32\ncpa.cpl.manifest
                  2012-08-12 12:46 - 2004-08-11 19:13 - 00000749 ___RA C:\Windows\System32\cdplayer.exe.manifest
                  2012-08-12 11:52 - 2006-12-28 16:50 - 00000062 __ASH C:\Documents and Settings\Anna\Local Settings\desktop.ini
                  2012-08-11 19:46 - 2012-08-11 19:46 - 00015410 ____A C:\ComboFix.txt
                  2012-08-11 19:29 - 2004-08-11 19:00 - 00000000 ____A C:\Windows\system.ini
                  2012-08-11 18:38 - 2004-08-11 19:00 - 00000327 ___SH C:\boot.ini
                  2012-08-11 18:22 - 2012-08-11 18:22 - 00109892 ____A C:\Documents and Settings\Patrick\Desktop\OTL.Txt
                  2012-08-11 18:22 - 2012-08-11 18:22 - 00048674 ____A C:\Documents and Settings\Patrick\Desktop\Extras.Txt
                  2012-08-11 17:53 - 2012-08-11 17:53 - 00000495 ____A C:\Windows\nsw.log
                  2012-08-10 20:46 - 2012-08-10 20:46 - 00008192 ____A C:\Windows\System32\config\SECURITY.tmp.LOG
                  2012-08-10 20:46 - 2012-08-10 20:46 - 00000000 ____A C:\Windows\System32\config\SYSTEM.tmp.LOG
                  2012-08-10 20:46 - 2012-08-10 20:46 - 00000000 ____A C:\Windows\System32\config\SOFTWARE.tmp.LOG
                  2012-08-10 20:46 - 2012-08-10 20:46 - 00000000 ____A C:\Windows\System32\config\SAM.tmp.LOG
                  2012-08-10 20:46 - 2012-08-10 20:46 - 00000000 ____A C:\Windows\System32\config\DEFAULT.tmp.LOG
                  2012-08-10 18:59 - 2012-08-10 19:20 - 04728003 ____R (Swearware) C:\Documents and Settings\Patrick\Desktop\PCHelpForum.exe
                  2012-08-10 18:56 - 2004-08-11 19:20 - 00000178 ___SH C:\Documents and Settings\NetworkService\ntuser.ini
                  2012-08-10 18:56 - 2004-08-11 19:20 - 00000178 ___SH C:\Documents and Settings\LocalService\ntuser.ini
                  2012-08-10 18:48 - 2012-08-10 18:48 - 00000088 ____A C:\Windows\System32\-1
                  2012-08-10 18:47 - 2012-08-10 18:47 - 00205072 ____A (Trend Micro Inc.) C:\Windows\System32\Drivers\tmcomm.sys
                  2012-08-10 17:43 - 2004-08-11 19:00 - 00014336 ____A (Microsoft Corporation) C:\Windows\System32\svchost.exe
                  2012-08-10 17:07 - 2012-08-10 17:07 - 00012410 ____A C:\Documents and Settings\Administrator\Desktop\dds.txt
                  2012-08-10 16:31 - 2012-08-10 16:31 - 00129244 ____A C:\Documents and Settings\Administrator\Desktop\OTL.Txt
                  2012-08-10 16:31 - 2012-08-10 16:31 - 00046014 ____A C:\Documents and Settings\Administrator\Desktop\Extras.Txt
                  2012-08-10 16:26 - 2012-08-11 18:16 - 00596480 ____A (OldTimer Tools) C:\Documents and Settings\Patrick\Desktop\OTL.exe
                  2012-08-10 16:26 - 2012-08-10 16:24 - 00596480 ____A (OldTimer Tools) C:\Documents and Settings\Administrator\Desktop\OTL.exe
                  2012-08-10 16:18 - 2012-08-10 16:17 - 02136664 ____A (Kaspersky Lab ZAO) C:\Documents and Settings\Administrator\Desktop\tdsskiller.exe
                  2012-08-10 14:35 - 2012-08-10 14:33 - 16373192 ____A (Microsoft Corporation) C:\Documents and Settings\Administrator\Desktop\Windows-KB890830-V4.10.exe
                  2012-08-10 14:34 - 2012-08-18 08:00 - 00607260 ___RA (Swearware) C:\Documents and Settings\Patrick\My Documents\dds.scr
                  2012-08-10 14:34 - 2012-08-10 14:34 - 00302592 ____A C:\Documents and Settings\Administrator\Desktop\k6rtwke4.exe
                  2012-08-10 14:34 - 2012-08-10 14:33 - 00607260 ____R (Swearware) C:\Documents and Settings\Administrator\Desktop\dds.scr
                  2012-08-10 14:33 - 2012-08-10 14:33 - 00050688 ____A (Atribune.org) C:\Documents and Settings\Administrator\Desktop\ATF-Cleaner.exe
                  2012-08-10 10:49 - 2012-08-10 10:49 - 00383224 ____A C:\Windows\System32\FNTCACHE.DAT
                  2012-08-05 16:34 - 2011-02-25 09:56 - 25740256 ____A (Microsoft Corporation) C:\Documents and Settings\Patrick\Desktop\wmp11-windowsxp-x86-enu.exe
                  2012-08-05 11:49 - 2012-08-05 11:49 - 00001635 ____A C:\Documents and Settings\Patrick\Desktop\DVD Decrypter.lnk
                  2012-08-05 11:39 - 2012-04-16 20:04 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
                  2012-08-05 11:39 - 2011-05-14 16:03 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
                  2012-08-03 09:49 - 2009-01-31 16:57 - 00000440 _RASH C:\Documents and Settings\Patrick\ntuser.pol
                  2012-08-03 08:37 - 2009-01-31 15:30 - 00000440 _RASH C:\Documents and Settings\Anna\ntuser.pol
                  2012-08-02 12:45 - 2012-08-12 18:30 - 00040504 ____A (iolo technologies, LLC) C:\Windows\System32\iolobtdfg.exe
                  2012-08-02 12:45 - 2012-08-12 18:30 - 00022456 ____A (iolo technologies, LLC) C:\Windows\System32\smrgdf.exe
                  2012-08-02 11:27 - 2012-08-12 18:30 - 02096360 ____A (iolo technologies, LLC) C:\Windows\System32\Incinerator32.dll
                  2012-08-02 11:21 - 2012-08-12 18:30 - 00068464 ____A (Raxco Software, Inc.) C:\Windows\System32\Drivers\PDFsFilter.sys
                  2012-08-02 11:21 - 2012-08-12 18:30 - 00056200 ____A (Microsoft Corporation) C:\Windows\System32\offreg.dll
                  2012-07-29 16:38 - 2012-07-29 16:38 - 20689176 ____A (Upperspace                                                  ) C:\Documents and Settings\Patrick\Desktop\Q_Landscape.exe
                  2012-07-15 18:35 - 2012-07-15 18:35 - 02135640 ____A (Kaspersky Lab ZAO) C:\Documents and Settings\All Users\Documents\tdsskiller.exe
                  2012-07-15 17:36 - 2012-07-15 17:36 - 00004450 ____A C:\Documents and Settings\Patrick\My Documents\startup.txt
                  2012-07-15 17:35 - 2012-07-15 17:35 - 00376744 ____A C:\Documents and Settings\Patrick\My Documents\cc_20120715_173529.reg
                  2012-07-14 12:30 - 2012-07-14 12:30 - 00027520 ____A C:\Documents and Settings\Patrick\Local Settings\Application Data\dt.dat
                  2012-07-06 17:03 - 2006-12-20 12:35 - 00112200 ____A C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                  2012-07-05 13:47 - 2012-07-05 13:47 - 00000728 ____A C:\Documents and Settings\Patrick\Desktop\DVDFab Profile Editor.lnk
                  2012-07-05 13:47 - 2012-07-05 13:47 - 00000691 ____A C:\Documents and Settings\Patrick\Desktop\DVDFab 8 Qt.lnk
                  2012-07-05 13:43 - 2012-07-05 13:43 - 00000749 ____A C:\Documents and Settings\Patrick\Desktop\DVDFab Passkey 8.lnk
                  2012-07-05 09:28 - 2004-08-11 19:00 - 00000289 ____A C:\Windows\win.ini
                  2012-07-05 09:20 - 2012-07-03 22:37 - 00002537 ____A C:\Documents and Settings\Patrick\Desktop\Microsoft Office Access 2003.lnk
                  2012-07-03 22:36 - 2012-07-03 22:22 - 00002495 ____A C:\Documents and Settings\Patrick\Desktop\Microsoft Office Excel 2003.lnk
                  2012-07-03 22:24 - 2006-12-20 12:31 - 00000376 ____A C:\Windows\ODBC.INI
                  2012-07-03 22:22 - 2012-07-03 22:37 - 00002016 ____A C:\Documents and Settings\Patrick\Desktop\Microsoft Office PowerPoint 2003.lnk
                  2012-07-03 03:13 - 2007-12-25 08:23 - 57442464 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
                  2012-06-24 15:40 - 2012-06-24 15:40 - 00000000 ____A C:\Windows\mtstack16.INI
                  2012-06-16 19:05 - 2009-10-25 13:11 - 00019968 ____A C:\Documents and Settings\All Users\Documents\Assets.xls
                  2012-06-13 09:19 - 2008-10-15 22:50 - 01866112 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\win32k.sys
                  2012-06-13 09:19 - 2004-08-11 19:00 - 01866112 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
                  2012-06-09 18:41 - 2012-06-09 18:41 - 14415306 ____A C:\Documents and Settings\Patrick\Desktop\Dinosaur-Jr.-Freak-Scene.mp4
                  2012-06-08 10:26 - 2008-06-17 15:02 - 08462848 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\shell32.dll
                  2012-06-08 10:26 - 2004-08-11 19:00 - 08462848 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
                  2012-06-05 11:50 - 2008-08-17 14:02 - 01372672 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\msxml6.dll
                  2012-06-05 11:50 - 2008-08-17 14:02 - 01372672 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
                  2012-06-05 11:50 - 2006-09-13 01:01 - 01172480 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\msxml3.dll
                  2012-06-05 11:50 - 2004-08-11 19:00 - 01172480 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
                  2012-06-04 17:35 - 2009-08-06 19:23 - 00222448 ____A (Microsoft Corporation) C:\Windows\System32\muweb.dll
                  2012-06-04 00:32 - 2008-12-05 02:54 - 00152576 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\schannel.dll
                  2012-06-04 00:32 - 2004-08-11 19:00 - 00152576 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
                  2012-06-02 15:19 - 2007-06-21 21:57 - 00022040 ____A (Microsoft Corporation) C:\Windows\System32\wucltui.dll.mui
                  2012-06-02 15:19 - 2007-06-21 21:57 - 00017944 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll.mui
                  2012-06-02 15:19 - 2007-06-21 21:57 - 00015384 ____A (Microsoft Corporation) C:\Windows\System32\wuaucpl.cpl.mui
                  2012-06-02 15:19 - 2007-06-21 21:57 - 00015384 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll.mui
                  2012-06-02 15:19 - 2005-05-26 05:16 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
                  2012-06-02 15:19 - 2004-08-11 19:12 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
                  2012-06-02 15:19 - 2004-08-11 19:12 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\dllcache\wuaueng.dll
                  2012-06-02 15:19 - 2004-08-11 19:12 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
                  2012-06-02 15:19 - 2004-08-11 19:12 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\dllcache\wuapi.dll
                  2012-06-02 15:19 - 2004-08-11 19:12 - 00329240 ____A (Microsoft Corporation) C:\Windows\System32\wucltui.dll
                  2012-06-02 15:19 - 2004-08-11 19:12 - 00329240 ____A (Microsoft Corporation) C:\Windows\System32\dllcache\wucltui.dll
                  2012-06-02 15:19 - 2004-08-11 19:12 - 00219160 ____A (Microsoft Corporation) C:\Windows\System32\wuaucpl.cpl
                  2012-06-02 15:19 - 2004-08-11 19:12 - 00219160 ____A (Microsoft Corporation) C:\Windows\System32\dllcache\wuaucpl.cpl
                  2012-06-02 15:19 - 2004-08-11 19:12 - 00210968 ____A (Microsoft Corporation) C:\Windows\System32\wuweb.dll
                  2012-06-02 15:19 - 2004-08-11 19:12 - 00210968 ____A (Microsoft Corporation) C:\Windows\System32\dllcache\wuweb.dll
                  2012-06-02 15:19 - 2004-08-11 19:12 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
                  2012-06-02 15:19 - 2004-08-11 19:12 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\dllcache\wuauclt.exe
                  2012-06-02 15:19 - 2004-08-11 19:12 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
                  2012-06-02 15:19 - 2004-08-11 19:12 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\dllcache\wups.dll
                  2012-06-02 15:19 - 2004-08-11 19:00 - 00097304 ____A (Microsoft Corporation) C:\Windows\System32\dllcache\cdm.dll
                  2012-06-02 15:19 - 2004-08-11 19:00 - 00097304 ____A (Microsoft Corporation) C:\Windows\System32\cdm.dll
                  2012-06-02 15:18 - 2010-05-11 11:20 - 00275696 ____A (Microsoft Corporation) C:\Windows\System32\mucltui.dll
                  2012-06-02 15:18 - 2010-05-11 11:20 - 00017136 ____A (Microsoft Corporation) C:\Windows\System32\mucltui.dll.mui
                  2012-05-31 09:22 - 2011-09-09 05:12 - 00599040 ____N (Microsoft Corporation) C:\Windows\System32\dllcache\crypt32.dll
                  2012-05-31 09:22 - 2004-08-11 19:00 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll

                  ZeroAccess:
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\@
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L\00000004.@
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\00000004.@
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\00000008.@
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\000000cb.@
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\80000000.@
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\80000032.@

                  ZeroAccess:
                  C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}
                  C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\@
                  C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L
                  C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n
                  C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U

                  ZeroAccess:
                  C:\Windows\assembly\GAC\Desktop.ini

                  ========================= Known DLLs (Whitelisted) ============


                  ========================= Bamital & volsnap Check ============

                  C:\Windows\explorer.exe => MD5 is legit
                  C:\Windows\System32\winlogon.exe => MD5 is legit
                  C:\Windows\System32\svchost.exe => MD5 is legit
                  C:\Windows\System32\services.exe => MD5 is legit
                  C:\Windows\System32\User32.dll => MD5 is legit
                  C:\Windows\System32\userinit.exe => MD5 is legit
                  C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

                  ==================== EXE ASSOCIATION =====================

                  HKLM\...\.exe: exefile => OK
                  HKLM\...\exefile\DefaultIcon: %1 => OK
                  HKLM\...\exefile\open\command: "%1" %* => OK

                  ==================== Restore Points (XP) =====================

                  RP: -> 2012-08-26 12:57 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP764

                  RP: -> 2012-08-25 12:14 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP763

                  RP: -> 2012-08-24 11:47 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP762

                  RP: -> 2012-08-23 10:47 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP761

                  RP: -> 2012-08-22 09:47 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP760

                  RP: -> 2012-08-21 08:47 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP759

                  RP: -> 2012-08-20 07:47 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP758

                  RP: -> 2012-08-19 07:05 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP757

                  RP: -> 2012-08-18 06:05 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP756

                  RP: -> 2012-08-17 05:30 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP755

                  RP: -> 2012-08-16 04:24 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP754

                  RP: -> 2012-08-15 03:42 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP753

                  RP: -> 2012-08-13 22:09 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP752

                  RP: -> 2012-08-12 21:02 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP751

                  RP: -> 2012-08-12 20:12 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP750

                  RP: -> 2012-08-12 18:18 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP749

                  RP: -> 2012-08-12 18:17 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP748

                  RP: -> 2012-08-04 20:28 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP746

                  RP: -> 2012-08-03 20:04 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP745

                  RP: -> 2012-08-02 19:26 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP744

                  RP: -> 2012-08-01 18:25 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP743

                  RP: -> 2012-07-31 18:20 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP742

                  RP: -> 2012-07-30 17:13 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP741

                  RP: -> 2012-07-29 16:45 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP740

                  RP: -> 2012-07-28 20:27 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP739

                  RP: -> 2012-07-27 20:04 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP738

                  RP: -> 2012-07-26 19:13 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP737

                  RP: -> 2012-07-25 18:13 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP736

                  RP: -> 2012-07-24 17:13 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP735

                  RP: -> 2012-07-23 16:44 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP734

                  RP: -> 2012-07-22 03:48 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP733

                  RP: -> 2012-07-21 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP732

                  RP: -> 2012-07-20 15:53 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP731

                  RP: -> 2012-07-16 19:43 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP730

                  RP: -> 2012-07-15 18:52 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP729

                  RP: -> 2012-07-14 20:17 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP728

                  RP: -> 2012-07-14 17:32 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP727

                  RP: -> 2012-07-14 15:17 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP726

                  RP: -> 2012-07-14 12:36 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP725

                  RP: -> 2012-07-14 11:19 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP724

                  RP: -> 2012-07-14 11:19 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP723

                  RP: -> 2012-07-13 18:16 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP722

                  RP: -> 2012-07-08 02:54 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP721

                  RP: -> 2012-07-07 16:06 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP720

                  RP: -> 2012-07-07 15:15 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP719

                  RP: -> 2012-07-07 13:24 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP718

                  RP: -> 2012-07-07 12:47 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP717

                  RP: -> 2012-07-07 10:44 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP716

                  RP: -> 2012-07-06 17:21 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP715

                  RP: -> 2012-07-06 15:36 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP714

                  RP: -> 2012-07-05 14:24 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP713

                  RP: -> 2012-07-05 13:45 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP712

                  RP: -> 2012-07-05 10:21 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP711

                  RP: -> 2012-07-05 09:05 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP710

                  RP: -> 2012-07-04 20:51 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP709

                  RP: -> 2012-07-04 17:50 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP708

                  RP: -> 2012-07-04 16:27 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP707

                  RP: -> 2012-07-04 13:21 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP706

                  RP: -> 2012-07-04 11:52 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP705

                  RP: -> 2012-07-04 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP704

                  RP: -> 2012-07-03 22:20 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP703

                  RP: -> 2012-07-03 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP702

                  RP: -> 2012-07-02 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP701

                  RP: -> 2012-07-01 21:03 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP700

                  RP: -> 2012-07-01 20:50 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP699

                  RP: -> 2012-07-01 18:44 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP698

                  RP: -> 2012-07-01 18:21 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP697

                  RP: -> 2012-07-01 17:10 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP696

                  RP: -> 2012-07-01 09:51 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP695

                  RP: -> 2012-07-01 09:17 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP694

                  RP: -> 2012-07-01 09:08 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP693

                  RP: -> 2012-07-01 09:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP692

                  RP: -> 2012-07-01 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP691

                  RP: -> 2012-06-30 13:51 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP690

                  RP: -> 2012-06-25 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP689

                  RP: -> 2012-06-24 17:45 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP688

                  RP: -> 2012-06-24 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP687

                  RP: -> 2012-06-23 08:38 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP686

                  RP: -> 2012-06-23 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP685

                  RP: -> 2012-06-22 22:45 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP684

                  RP: -> 2012-06-21 22:43 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP683

                  RP: -> 2012-06-21 21:40 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP682

                  RP: -> 2012-06-21 21:23 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP681

                  RP: -> 2012-06-14 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP680

                  RP: -> 2012-06-10 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP679

                  RP: -> 2012-06-09 19:37 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP678

                  RP: -> 2012-06-07 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP677

                  RP: -> 2012-06-04 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP676

                  RP: -> 2012-06-03 15:33 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP675

                  RP: -> 2012-06-03 14:41 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP674

                  RP: -> 2012-06-03 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP673

                  RP: -> 2012-06-02 06:54 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP672

                  RP: -> 2012-06-02 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP671

                  RP: -> 2012-06-01 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP670

                  RP: -> 2012-05-31 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP669

                  RP: -> 2012-05-30 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP668

                  RP: -> 2012-05-29 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP667


                  ===================== Memory info ==========================

                  Percentage of memory in use: 23%
                  Total physical RAM: 1021.85 MB
                  Available physical RAM: 777.55 MB
                  Total Pagefile: 905.54 MB
                  Available Pagefile: 841.31 MB
                  Total Virtual: 2047.88 MB
                  Available Virtual: 2002.18 MB

                  ===================== Partitions ===========================

                  2 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
                  3 Drive c: () (Fixed) (Total:171.43 GB) (Free:110.74 GB) NTFS ==>[Drive with boot components (Windows XP)]
                  4 Drive d: (HP SimpleSave) (Fixed) (Total:465.11 GB) (Free:265.42 GB) NTFS
                  5 Drive e: (My Passport) (Fixed) (Total:931.48 GB) (Free:539.2 GB) NTFS
                  6 Drive f: (Backup) (Fixed) (Total:57.63 GB) (Free:23 GB) NTFS
                  7 Drive g: (USB20FD) (Removable) (Total:7.53 GB) (Free:6.61 GB) FAT32
                  10 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

                    Disk ###  Status      Size     Free     Dyn  Gpt
                    --------  ----------  -------  -------  ---  ---
                    Disk 0    Online       233 GB      0 B         
                    Disk 1    Online       465 GB      0 B         
                    Disk 3    Online       931 GB      0 B         

                  Partitions of Disk 0:
                  ===============

                    Partition ###  Type              Size     Offset
                    -------------  ----------------  -------  -------
                    Partition 1    OEM                 55 MB    32 KB
                    Partition 2    Primary            171 GB    55 MB
                    Partition 3    Extended            58 GB   171 GB
                    Partition 4    Logical             58 GB   171 GB
                    Partition 5    Unknown           3797 MB   229 GB
                  ==================================================================================

                  Disk: 0
                  Partition 1
                  Type  : DE
                  Hidden: Yes
                  Active: No

                    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
                    ----------  ---  -----------  -----  ----------  -------  ---------  --------
                  * Volume 3                      FAT    Partition     55 MB  Healthy           
                  ==================================================================================

                  Disk: 0
                  Partition 2
                  Type  : 07
                  Hidden: No
                  Active: Yes

                    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
                    ----------  ---  -----------  -----  ----------  -------  ---------  --------
                  * Volume 4     C                NTFS   Partition    171 GB  Healthy           
                  ==================================================================================

                  Disk: 0
                  Partition 4
                  Type  : 07
                  Hidden: No
                  Active: No

                    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
                    ----------  ---  -----------  -----  ----------  -------  ---------  --------
                  * Volume 5     F   Backup       NTFS   Partition     58 GB  Healthy           
                  ==================================================================================

                  Disk: 0
                  Partition 5
                  Type  : DB
                  Hidden: Yes
                  Active: No

                    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
                    ----------  ---  -----------  -----  ----------  -------  ---------  --------
                  * Volume 6                      FAT32  Partition   3797 MB  Healthy           
                  ==================================================================================

                  Partitions of Disk 1:
                  ===============

                    Partition ###  Type              Size     Offset
                    -------------  ----------------  -------  -------
                    Partition 1    Primary            465 GB    32 KB
                  ==================================================================================

                  Disk: 1
                  Partition 1
                  Type  : 07
                  Hidden: No
                  Active: No

                    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
                    ----------  ---  -----------  -----  ----------  -------  ---------  --------
                  * Volume 7     D   HP SimpleSa  NTFS   Partition    465 GB  Healthy           
                  ==================================================================================

                  Partitions of Disk 3:
                  ===============

                    Partition ###  Type              Size     Offset
                    -------------  ----------------  -------  -------
                    Partition 1    Primary            931 GB  1024 KB
                  ==================================================================================

                  Disk: 3
                  Partition 1
                  Type  : 07
                  Hidden: No
                  Active: No

                    Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
                    ----------  ---  -----------  -----  ----------  -------  ---------  --------
                  * Volume 9     E   My Passport  NTFS   Partition    931 GB  Healthy           
                  ==================================================================================
                  ======================= End Of Log ==========================

                  SuperDave

                  • Malware Removal Specialist
                  • Moderator


                  • Genius
                  • Thanked: 1020
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 10
                  Re: Virus or worm has disabled internet, hidden program and other files
                  « Reply #13 on: August 26, 2012, 06:10:41 PM »
                  Good job in getting that scan to run. I apologize for the dead links. This is the first time I've used this tool and I didn't test it.

                  FRST Fixlist
                   
                  Please run the following:
                   
                  Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt
                   
                  Quote
                  start
                  HKLM\...\InprocServer32: [Default-wbem] \\.\globalroot\systemroot\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n. ATTENTION! ====> ZeroAccess
                  0 9445fee0eea6d169; C:\Windows\System32\Drivers\9445fee0eea6d169.sys [70272 2012-08-12] () ATTENTION =====> Rootkit?
                  ZeroAccess:
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\@
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L\00000004.@
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\00000004.@
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\00000008.@
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\000000cb.@
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\80000000.@
                  C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\80000032.@
                  ZeroAccess:
                  C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}
                  C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\@
                  C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L
                  C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n
                  C:\Documents and Settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U
                  ZeroAccess:
                  C:\Windows\assembly\GAC\Desktop.ini
                  end

                  NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system
                   
                  Now, please enter System Recovery Options then select Command Prompt.
                   
                  Run FRST and press the Fix button just once and wait.
                  The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.
                   
                  Now restart, let it boot normally and tell me how it went.
                  Windows 8 and Windows 10 dual boot with two SSD's
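The FRST log above identifies ZeroAccess by its on-disk layout: a GUID-named directory under C:\Windows\Installer (with a second copy under the user's Local Settings\Application Data) holding the entries @, L, n and U, hex-named *.@ files under L\ and U\, and C:\Windows\assembly\GAC\Desktop.ini. The fixlist in the reply above is those same log lines copied between start and end, together with the InprocServer32 entry that points at the n file and the driver FRST flags with "Rootkit?". The Python script below is an added example for this page, not code from the posts, from FRST or from any other project. It parses a constructed copy of the log lines (only the Installer copy and the GAC entry are included), checks that each GUID root carries the full @/L/n/U layout, reads the Bamital & volsnap and EXE ASSOCIATION verdicts, and emits the start/end fixlist skeleton. The heading and marker strings are copied from this log; that FRST prints them identically in other versions is an assumption.

```python
"""Parse the ZeroAccess findings out of a Farbar Recovery Scan Tool (FRST) log
and build the fixlist skeleton used in this thread. Added example, not code from
the post or from FRST; SAMPLE_LOG is constructed from the log lines on the page,
and the heading/marker strings are assumed to be stable across FRST versions."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""ZeroAccess:
C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}
C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\@
C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L
C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n
C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U
C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L\00000004.@
C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\00000004.@
C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\00000008.@
C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\000000cb.@
C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\80000000.@
C:\Windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\80000032.@

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

========================= Bamital & volsnap Check ============
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\open\command: "%1" %* => OK
======================= End Of Log ==========================
"""

GUID_DIR = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
PAYLOAD = re.compile(r"[0-9a-f]{8}\.@", re.I)  # hex-named *.@ files under L\ and U\
HEADING = re.compile(r"=+\s*(.*?)\s*=+")
ZA_ENTRIES = {"@", "L", "n", "U"}  # the four entries FRST listed under the GUID dir


def parse_frst(log):
    """Return ({heading: lines}, [ZeroAccess blocks]), one block per marker."""
    sections, blocks, target = defaultdict(list), [], None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "ZeroAccess:":           # marker printed above each indicator group
            target = []
            blocks.append(target)
        elif m := HEADING.fullmatch(line):  # '==== Name ====' opens a new section
            target = sections[m.group(1)] if m.group(1) else None
        elif target is not None:
            target.append(line)
    return dict(sections), blocks


def zeroaccess_layout(paths):
    """Group paths by GUID-named root, noting which entries and payloads appear;
    paths with no GUID directory (the GAC Desktop.ini) are returned separately."""
    roots, other = {}, []
    for p in paths:
        m = GUID_DIR.search(p)
        if not m:
            other.append(p)
            continue
        info = roots.setdefault(p[:m.end()], {"entries": set(), "payloads": []})
        parts = p[m.end():].strip("\\").split("\\") if p[m.end():] else []
        if len(parts) == 1 and parts[0] in ZA_ENTRIES:
            info["entries"].add(parts[0])
        elif len(parts) == 2 and parts[0] in ("L", "U") and PAYLOAD.fullmatch(parts[1]):
            info["payloads"].append("\\".join(parts))
    return roots, other


def system_files_legit(sections):
    """True only if every Bamital & volsnap line reads 'MD5 is legit'; any other
    verdict text (none appears on this page; assumed) counts as a failure."""
    lines = sections.get("Bamital & volsnap Check", [])
    return bool(lines) and all(l.partition(" => ")[2] == "MD5 is legit" for l in lines)


def exe_association_ok(sections):
    """True only if every EXE ASSOCIATION line ends in '=> OK'."""
    lines = sections.get("EXE ASSOCIATION", [])
    return bool(lines) and all(l.endswith("=> OK") for l in lines)


def build_fixlist(blocks):
    """'start', each block copied verbatim under its marker, 'end': the shape of
    the fixlist posted in this thread (its InprocServer32 and driver lines come
    from log sections not in the sample and are not generated here)."""
    out = ["start"]
    for block in blocks:
        out += ["ZeroAccess:", *block]
    return out + ["end"]


def summarize(log):
    sections, blocks = parse_frst(log)
    roots, other = zeroaccess_layout([p for b in blocks for p in b])
    return {
        "complete_layout": [r for r, i in roots.items() if i["entries"] == ZA_ENTRIES],
        "payloads": {r: i["payloads"] for r, i in roots.items()},
        "other_indicators": other,
        "system_files_legit": system_files_legit(sections),
        "exe_association_ok": exe_association_ok(sections),
        "fixlist": build_fixlist(blocks),
    }
```

Two caveats a practitioner would want: "MD5 is legit" only says that those specific system binaries match FRST's known hashes, which rules out Bamital-style patching of them and nothing else, so a clean result there is entirely consistent with the flagged driver and the COM hijack still being live; and the script only recognises the layout exactly as printed in this log, so a variant using other entry names shows up as a GUID root without a complete layout rather than as a match.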

                  padraig

                    Re: Virus or worm has disabled internet, hidden program and other files
                    « Reply #14 on: August 26, 2012, 06:38:55 PM »
                    Notepad not available with Reatogo desktop
                    Did a cold reboot then received:
                    Error message: No boot device available- strike F1 to retry boot, F2 for setup utility

                    dead in the water here

                    padraig

                      Re: Virus or worm has disabled internet, hidden program and other files
                      « Reply #15 on: August 26, 2012, 06:49:03 PM »
                      tried to "reconfigure" the order in which it is booted....now able to get my desktop back; however how and/or where do I get "Now, please enter System Recovery Options then select Command Prompt."??

                      is this a new program that I have to download? can you tell me where I can find it?

                      padraig

                        Re: Virus or worm has disabled internet, hidden program and other files
                        « Reply #16 on: August 26, 2012, 06:57:34 PM »
                        sorry, tried everything including a Windows search for this System Recovery Options on my PC and it is not present.  ???

                        I am out of town for five days, starting with my 9PM (EST) departure, during which I will not have access to the infected PC.

                        sorry to leave you hanging on this one, but I will be offline until Friday PM. If this thread is closed then I will have to try it again or something else.

                        SuperDave

                        Re: Virus or worm has disabled internet, hidden program and other files
                        « Reply #17 on: August 27, 2012, 04:22:15 PM »
                        No problem. This is a new infection and I really want to put a licking on it. See you on Friday.

                        padraig

                          Re: Virus or worm has disabled internet, hidden program and other files
                          « Reply #18 on: September 02, 2012, 12:27:00 PM »
                          how and/or where do I get "Now, please enter System Recovery Options then select Command Prompt."??


                          SuperDave

                          Re: Virus or worm has disabled internet, hidden program and other files
                          « Reply #19 on: September 02, 2012, 04:40:20 PM »
                          Ok. Let's try to fix that problem. Please make sure that you install the Recovery Console when you run ComboFix below.

                          Download Combofix from any of the links below, and save it to your DESKTOP

                          Link 1
                          Link 2
                          Link 3

                          To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
                          • Close any open windows and double click ComboFix.exe to run it.

                            You will see the following image:


                          Click I Agree to start the program.

                          ComboFix will then extract the necessary files and you will see this:



                          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

                          It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

                          If you did not have it installed, you will see the prompt below. Choose YES.



                          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

                          **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

                          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



                          Click on Yes, to continue scanning for malware.

                          When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

                          Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
                          Windows 8 and Windows 10 dual boot with two SSD's

                          padraig

                            Re: Virus or worm has disabled internet, hidden program and other files
                            « Reply #20 on: September 02, 2012, 04:57:53 PM »
ComboFix ran through its routine and then nothing, no prompts, no scan, nothing.

Now what do I do???

                            padraig

                              Re: Virus or worm has disabled internet, hidden program and other files
                              « Reply #21 on: September 02, 2012, 05:01:21 PM »
Sorry, I guess that it is still running, but about 10 minutes after I ran ComboFix I keep getting this error message:

                              "AVG Anti-Virus Free Edition 2012 is running"


                              I do not have this software on this PC!!!!!

                              SuperDave

                              • Malware Removal Specialist
                              • Moderator


                              • Genius
                              • Thanked: 1020
                              • Certifications: List
                              • Experience: Expert
                              • OS: Windows 10
                              Re: Virus or worm has disabled internet, hidden program and other files
                              « Reply #22 on: September 02, 2012, 05:15:09 PM »
Please use the AVG Removal tool below, then try CF again.

                              AVG Antivirus - AVG Antivirus Remover utility

                              padraig

                                Re: Virus or worm has disabled internet, hidden program and other files
                                « Reply #23 on: September 02, 2012, 06:08:00 PM »
Reboot after ComboFix results in BSOD.

                                SuperDave

                                Re: Virus or worm has disabled internet, hidden program and other files
                                « Reply #24 on: September 02, 2012, 07:39:34 PM »
                                Please try running CF in Safe mode.

                                padraig

                                  Re: Virus or worm has disabled internet, hidden program and other files
                                  « Reply #25 on: September 02, 2012, 07:54:01 PM »
Ran AVG removal again (third time for this).

RUNDLL error message still present on reboot.

Changed local time to GMT -3 instead of EDT (GMT -4); bloody *censored* :-X >:(

Reran CF.

CF error message: "ComboFix has detected AVG AntiVirus Free Edition 2012"

Here is the log:

                                  ComboFix 12-09-01.01 - Patrick 09/02/2012  21:30:23.10.2 - x86
                                  Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.567 [GMT -4:00]
                                  Running from: c:\documents and settings\Patrick\Desktop\ComboFix.exe
                                  AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                                  FW: PC Tools Firewall Plus *Enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
                                  .
                                  .
                                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                                  .
                                  .
                                  c:\windows\Installer\{21AFBFB6-53EF-36C2-120C-7E9BF1C4C429}\syshost.exe
                                  .
                                  ---- Previous Run -------
                                  .
                                  c:\documents and settings\Patrick\govkhca.exe
                                  c:\documents and settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\@
                                  c:\documents and settings\Patrick\Local Settings\Application Data\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n
                                  c:\windows\assembly\GAC\Desktop.ini
                                  c:\windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\@
                                  c:\windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\L\00000004.@
                                  c:\windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\n
                                  c:\windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\00000004.@
                                  c:\windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\00000008.@
                                  c:\windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\000000cb.@
                                  c:\windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\80000000.@
                                  c:\windows\Installer\{9cf427f7-c6f7-dc16-f24c-8f732255a696}\U\80000032.@
                                  c:\windows\system32\6to4ex.dll
                                  c:\windows\system32\drivers\9445fee0eea6d169.sys
                                  .
                                  .
                                  (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
                                  .
                                  .
                                  -------\Legacy_6TO4
                                  -------\Legacy_SYSHOST32
                                  -------\Service_6to4
                                  -------\Service_syshost32
                                  -------\Legacy_9445fee0eea6d169
                                  -------\Service_9445fee0eea6d169
                                  .
                                  .
                                  (((((((((((((((((((((((((   Files Created from 2012-08-03 to 2012-09-03  )))))))))))))))))))))))))))))))
                                  .
                                  .
                                  2012-09-03 01:04 . 2012-09-03 01:15   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
                                  2012-08-26 21:44 . 2012-08-26 21:44   --------   d-----w-   C:\FRST
                                  2012-08-19 22:50 . 2012-09-03 01:08   --------   d-----w-   c:\windows\system32\CatRoot2
                                  2012-08-12 22:30 . 2012-08-12 22:30   --------   d-----w-   c:\documents and settings\LocalService\Application Data\iolo
                                  2012-08-12 22:30 . 2012-08-02 15:21   511328   ----a-w-   c:\program files\Common Files\Microsoft Shared\CAPICOM\CAPICOM.DLL
                                  2012-08-12 22:30 . 2012-08-02 15:27   2096360   ----a-w-   c:\windows\system32\Incinerator32.dll
                                  2012-08-12 22:30 . 2012-08-02 16:45   40504   ----a-w-   c:\windows\system32\iolobtdfg.exe
                                  2012-08-12 22:30 . 2012-08-02 16:45   22456   ----a-w-   c:\windows\system32\smrgdf.exe
                                  2012-08-12 22:30 . 2012-08-02 15:21   68464   ----a-w-   c:\windows\system32\drivers\PDFsFilter.sys
                                  2012-08-12 22:30 . 2012-08-02 15:21   56200   ----a-w-   c:\windows\system32\offreg.dll
                                  2012-08-12 22:26 . 2012-08-13 01:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\iolo
                                  2012-08-12 22:26 . 2012-08-12 22:36   --------   d-----w-   c:\documents and settings\Patrick\Application Data\iolo
                                  2012-08-12 22:26 . 2012-08-12 22:26   74703   ----a-w-   c:\windows\system32\mfc45.dat
                                  2012-08-12 22:17 . 2012-08-12 22:17   --------   dc----w-   c:\windows\ie8
                                  2012-08-10 23:43 . 2012-08-11 01:18   --------   d-----w-   C:\PCHelpForum
                                  2012-08-10 22:54 . 2012-08-11 21:50   --------   d-----w-   c:\documents and settings\Patrick\Application Data\PCToolsFirewallPlus
                                  2012-08-10 22:52 . 2011-03-02 16:40   160576   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
                                  2012-08-10 22:52 . 2010-03-29 15:06   218592   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
                                  2012-08-10 22:52 . 2011-01-17 13:10   251560   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
                                  2012-08-10 22:52 . 2012-08-10 22:52   --------   d-----w-   c:\program files\Common Files\PC Tools
                                  2012-08-10 22:52 . 2011-01-12 14:36   89472   ----a-w-   c:\windows\system32\drivers\pctNdis-PacketFilter.sys
                                  2012-08-10 22:52 . 2010-07-08 12:49   57536   ----a-w-   c:\windows\system32\drivers\pctNdis.sys
                                  2012-08-10 22:52 . 2010-02-05 12:26   32808   ----a-w-   c:\windows\system32\drivers\pctNdis-DNS.sys
                                  2012-08-10 22:51 . 2011-01-17 12:11   125248   ----a-w-   c:\windows\system32\drivers\pctplfw.sys
                                  2012-08-10 22:51 . 2012-08-13 04:24   --------   d-----w-   c:\program files\PC Tools Firewall Plus
                                  2012-08-10 22:47 . 2012-08-10 22:47   205072   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
                                  2012-08-10 21:10 . 2012-08-10 22:52   --------   d-----w-   c:\documents and settings\Administrator\Application Data\PCToolsFirewallPlus
                                  2012-08-10 17:49 . 2012-08-10 17:49   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
                                  2012-08-10 17:30 . 2012-08-10 17:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Windows Search
                                  2012-08-10 14:50 . 2012-08-10 14:50   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
                                  2012-08-10 14:50 . 2012-08-10 14:50   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
                                  2012-08-05 15:49 . 2012-08-05 15:49   --------   d-----w-   c:\program files\DVD Decrypter
                                  .
                                  .
                                  .
                                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                  .
                                  2012-08-10 21:43 . 2004-08-11 23:00   14336   ----a-w-   c:\windows\system32\svchost.exe
                                  2012-08-05 15:39 . 2012-04-17 00:04   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
                                  2012-08-05 15:39 . 2011-05-14 20:03   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
                                  2012-06-13 13:19 . 2004-08-11 23:00   1866112   ----a-w-   c:\windows\system32\win32k.sys
                                  2012-06-05 15:50 . 2008-08-17 18:02   1372672   ----a-w-   c:\windows\system32\msxml6.dll
                                  2012-06-05 15:50 . 2004-08-11 23:00   1172480   ----a-w-   c:\windows\system32\msxml3.dll
                                  2012-07-29 13:39 . 2012-02-12 23:34   136672   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
                                  1997-06-23 17:06   287504   --sha-w-   c:\windows\system32\Msxbse35.dll
                                  .
                                  .
                                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                  .
                                  .
                                  *Note* empty entries & legit default entries are not shown
                                  REGEDIT4
                                  .
                                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                  "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-27 4777856]
                                  "Autodesk"="c:\documents and settings\Patrick\Local Settings\Application Data\Collectorz.com\Autodesk\kzaayba.dll" [BU]
                                  .
                                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                  "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
                                  "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
                                  "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
                                  "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-26 1983816]
                                  "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
                                  "00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2011-04-07 2672600]
                                  .
                                  [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                                  "Autodesk"="c:\documents and settings\Patrick\Local Settings\Application Data\Collectorz.com\Autodesk\kzaayba.dll" [BU]
                                  .
                                  [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
                                  "NoSimpleStartMenu"= 0 (0x0)
                                  .
                                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-05 113024]
                                  "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
                                  .
                                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                                  2010-04-03 22:43   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                                  .
                                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
                                  @=""
                                  .
                                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
                                  @="Service"
                                  .
                                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
                                  @="Service"
                                  .
                                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-phishing Domain Advisor]
                                  2011-07-29 20:45   217256   ----a-w-   c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
                                  .
                                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
                                  2006-10-23 12:50   71216   ----a-w-   c:\program files\Common Files\AOL\ACS\AOLDial.exe
                                  .
                                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDFab Passkey]
                                  2012-06-28 18:51   1389088   ----a-w-   c:\program files\DVDFab Passkey\DVDFabPasskey.exe
                                  .
                                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
                                  2006-11-13 17:39   1289000   ----a-w-   c:\program files\Microsoft ActiveSync\wcescomm.exe
                                  .
                                  [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
                                  2006-09-26 00:52   50736   ----a-w-   c:\program files\Common Files\AOL\1172251831\ee\aolsoftware.exe
                                  .
                                  [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                                  "AntiVirusOverride"=dword:00000001
                                  .
                                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                                  "EnableFirewall"= 0 (0x0)
                                  .
                                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                                  "%windir%\\system32\\sessmgr.exe"=
                                  .
                                  R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [8/10/2012 6:52 PM 251560]
                                  R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 3:11 PM 12880]
                                  R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 3:11 PM 67664]
                                  R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/11/2010 7:03 PM 116608]
                                  R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [7/14/2006 3:01 AM 13824]
                                  R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [4/7/2012 6:27 PM 821592]
                                  R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
                                  R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/12/2012 6:30 PM 1027792]
                                  R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [8/10/2012 6:52 PM 160576]
                                  R2 PDFsFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [8/12/2012 6:30 PM 68464]
                                  R2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [7/14/2006 3:02 AM 13696]
                                  R3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [7/5/2012 1:44 PM 54144]
                                  R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [8/15/2010 8:55 AM 47360]
                                  R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [8/10/2012 6:52 PM 89472]
                                  R3 pctNDIS;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [8/10/2012 6:52 PM 57536]
                                  R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [8/10/2012 6:51 PM 125248]
                                  R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
                                  S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys --> c:\windows\system32\DRIVERS\avgidshx.sys [?]
                                  S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys --> c:\windows\system32\DRIVERS\avgidsshimx.sys [?]
                                  S3 CFcatchme;CFcatchme;\??\c:\combofix\CFcatchme.sys --> c:\combofix\CFcatchme.sys [?]
                                  S3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [4/7/2012 6:27 PM 246816]
                                  S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/5/2012 5:37 AM 113120]
                                  S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [4/7/2012 6:27 PM 30368]
                                  S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 3:11 PM 12872]
                                  S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [4/7/2012 6:27 PM 16208]
                                  S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/31/2008 8:57 PM 715248]
                                  .
                                  .
                                  ------- Supplementary Scan -------
                                  .
                                  uStart Page = hxxp://www.google.com/
                                  Trusted Zone: intuit.com\ttlc
                                  FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\khir2fy2.default\
                                  FF - prefs.js: browser.startup.homepage - about:home
                                  FF - prefs.js: network.proxy.type - 0
                                  .
                                  .
                                  ------- File Associations -------
                                  .
                                  JSEFile=NOTEPAD.EXE %1
                                  .scr=AutoCADScriptFile
                                  .
                                  - - - - ORPHANS REMOVED - - - -
                                  .
                                  BHO-{ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
                                  Toolbar-{ecdee021-0d17-467f-a1ff-c7a115230949} - (no file)
                                  WebBrowser-{ECDEE021-0D17-467F-A1FF-C7A115230949} - (no file)
                                  HKCU-Run-govShell - c:\documents and settings\Patrick\govkhca.exe
                                  .
                                  .
                                  .
                                  **************************************************************************
                                  .
                                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                  Rootkit scan 2012-09-02 22:08
                                  Windows 5.1.2600 Service Pack 3 NTFS
                                  .
                                  scanning hidden processes ... 
                                  .
                                  scanning hidden autostart entries ...
                                  .
                                  scanning hidden files ... 
                                  .
                                  scan completed successfully
                                  hidden files: 0
                                  .
                                  **************************************************************************
                                  .
                                  --------------------- DLLs Loaded Under Running Processes ---------------------
                                  .
                                  - - - - - - - > 'winlogon.exe'(1396)
                                  c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                                  c:\windows\system32\WININET.dll
                                  .
                                  Completion time: 2012-09-02  22:31:15
                                  ComboFix-quarantined-files.txt  2012-09-03 02:30
                                  ComboFix2.txt  2012-08-11 23:46
                                  ComboFix3.txt  2012-08-11 01:17
                                  ComboFix4.txt  2010-04-25 02:03
                                  .
                                  Pre-Run: 119,937,191,936 bytes free
                                  Post-Run: 119,915,249,664 bytes free
                                  .
                                  - - End Of File - - 0BE5D27752058E14782DE24AC8EA5851

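Added example, not part of this thread and not code from SuperDave or from the ComboFix tool: a small Python script that reads a ComboFix.txt in the layout produced by the run described in the instructions above and shown in the log in reply #25, and lists the entries a helper reads first. The category names and the heuristics are my own assumptions: a Run value whose image sits under a user profile or lacks the usual [date size] stamp, a service line ending in [?] (read here as "registered, but the file is not on disk"), a non-zero Security Center *Override value, and EnableFirewall=0 in the standard profile. The embedded sample log is constructed for this example from lines copied out of the log above. It only reads and reports; it changes nothing on the machine.

```python
import re
import sys

# Constructed sample input for this example: lines copied from the ComboFix
# log posted in reply #25 above, cut down to the parts the triage reads.
SAMPLE_LOG = r"""AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC Tools Firewall Plus *Enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\Installer\{21AFBFB6-53EF-36C2-120C-7E9BF1C4C429}\syshost.exe
---- Previous Run -------
c:\documents and settings\Patrick\govkhca.exe
c:\windows\system32\drivers\9445fee0eea6d169.sys
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Legacy_6TO4
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-07-27 4777856]
"Autodesk"="c:\documents and settings\Patrick\Local Settings\Application Data\Collectorz.com\Autodesk\kzaayba.dll" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Autodesk"="c:\documents and settings\Patrick\Local Settings\Application Data\Collectorz.com\Autodesk\kzaayba.dll" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/11/2010 7:03 PM 116608]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys --> c:\windows\system32\DRIVERS\avgidshx.sys [?]
S3 CFcatchme;CFcatchme;\??\c:\combofix\CFcatchme.sys --> c:\combofix\CFcatchme.sys [?]
- - - - ORPHANS REMOVED - - - -
HKCU-Run-govShell - c:\documents and settings\Patrick\govkhca.exe
**************************************************************************
"""

SECTION_RE = re.compile(r"^\(+\s+(.+?)\s+\)+$")            # ((((  Section Name  ))))
KEY_RE = re.compile(r"^\[(.+)\]$")                          # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')        # "name"=data
QUOTED_RE = re.compile(r'^"([^"]*)"\s*(?:\[([^\]]*)\])?$')  # "path" [stamp]
STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")           # the normal [date size] stamp
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);[^;]*;(.+?)\s*\[([^\]]*)\]$")
PROFILE_RE = re.compile(r"\\documents and settings\\", re.IGNORECASE)
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def triage(text):
    """Walk one ComboFix log and return a list of (category, detail) findings."""
    findings, section, key = [], "header", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), ""
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            section = "Orphans"
            continue
        if line.startswith("****"):
            section = "trailer"  # catchme output and DLL listing follow; not parsed here
            continue
        if section == "header" and line.startswith(("AV:", "FW:")):
            findings.append(("security_center_registration", line))
        elif section == "Other Deletions" and not line.startswith("---- "):
            findings.append(("deleted", line))
        elif section == "Drivers/Services":
            findings.append(("service_removed", line.lstrip("-\\")))
        elif section == "Orphans":
            findings.append(("orphan_removed", line))
        elif section == "Reg Loading Points":
            m = KEY_RE.match(line)
            if m:
                key = m.group(1).lower()
                continue
            m = SERVICE_RE.match(line)
            if m:
                start, name, image, stamp = m.groups()
                if stamp == "?":  # assumption: registered service whose file is not on disk
                    findings.append(("service_image_missing", f"{start} {name}: {image}"))
                continue
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = m.groups()
            if "security center" in key and name.lower().endswith("override") and not data.endswith("00000000"):
                findings.append(("security_center_override", f"{name}={data}"))
            elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and data.startswith("0"):
                findings.append(("windows_firewall_off", f"{name}={data}"))
            elif key.endswith(RUN_KEYS):
                q = QUOTED_RE.match(data)
                path, stamp = (q.group(1), q.group(2)) if q else (data, None)
                reasons = []
                if PROFILE_RE.search(path):
                    reasons.append("image lives under a user profile")
                if stamp is None or not STAMP_RE.match(stamp):
                    reasons.append(f"no [date size] stamp, got [{stamp}]")
                if reasons:
                    findings.append(("autostart_suspect", f"{key} {name} -> {path}: " + "; ".join(reasons)))
    return findings


def summarize(findings):
    """Count findings per category, for a quick first read of a posted log."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for category, detail in triage(text):
        print(f"{category:30} {detail}")
```

Run it as `python triage.py C:\ComboFix.txt`, or with no argument to run over the embedded sample. On the log above it flags the two Autodesk Run values (a DLL under the user's Local Settings with a [BU] stamp instead of a date and size), the AntiVirusOverride setting, EnableFirewall=0, and the AVG and CFcatchme service entries whose files are missing; the well-known entries (SUPERAntiSpyware, NvCplDaemon) pass. Two caveats the thread itself supplies: EnableFirewall=0 is expected while a third-party firewall such as PC Tools Firewall Plus is in use, and CFcatchme.sys under c:\combofix is ComboFix's own driver, so both are for review rather than action.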
                                  padraig

                                    Re: Virus or worm has disabled internet, hidden program and other files
                                    « Reply #26 on: September 03, 2012, 06:44:22 AM »
Thanks for sticking with me through this mess.

Logged in as Administrator in Safe Mode.

Ran AVG removal again.

Reran CF.

CF error message: "ComboFix has detected AVG AntiVirus Free Edition 2012"

Here is the log:

                                    ComboFix 12-09-01.01 - Administrator 09/02/2012  23:13:04.11.2 - x86 MINIMAL
                                    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.725 [GMT -4:00]
                                    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
                                    AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                                    FW: PC Tools Firewall Plus *Enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
                                    .
                                    .
                                    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                                    .
                                    .
                                    c:\documents and settings\All Users\Application Data\TEMP
                                    .
                                    .
                                    (((((((((((((((((((((((((   Files Created from 2012-08-03 to 2012-09-03  )))))))))))))))))))))))))))))))
                                    .
                                    .
                                    2012-09-03 03:20 . 2012-09-03 03:20   --------   d-----w-   c:\documents and settings\Administrator\Application Data\iolo
                                    2012-09-03 02:55 . 2012-09-03 02:55   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\iolo
                                    2012-08-26 21:44 . 2012-08-26 21:44   --------   d-----w-   C:\FRST
                                    2012-08-19 22:50 . 2012-09-03 03:08   --------   d-----w-   c:\windows\system32\CatRoot2
                                    2012-08-12 22:30 . 2012-08-02 15:21   511328   ----a-w-   c:\program files\Common Files\Microsoft Shared\CAPICOM\CAPICOM.DLL
                                    2012-08-12 22:30 . 2012-08-02 15:27   2096360   ----a-w-   c:\windows\system32\Incinerator32.dll
                                    2012-08-12 22:30 . 2012-08-02 16:45   40504   ----a-w-   c:\windows\system32\iolobtdfg.exe
                                    2012-08-12 22:30 . 2012-08-02 16:45   22456   ----a-w-   c:\windows\system32\smrgdf.exe
                                    2012-08-12 22:30 . 2012-08-02 15:21   68464   ----a-w-   c:\windows\system32\drivers\PDFsFilter.sys
                                    2012-08-12 22:30 . 2012-08-02 15:21   56200   ----a-w-   c:\windows\system32\offreg.dll
                                    2012-08-12 22:26 . 2012-08-13 01:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\iolo
                                    2012-08-12 22:26 . 2012-08-12 22:36   --------   d-----w-   c:\documents and settings\Patrick\Application Data\iolo
                                    2012-08-12 22:26 . 2012-08-12 22:26   74703   ----a-w-   c:\windows\system32\mfc45.dat
                                    2012-08-12 22:17 . 2012-08-12 22:17   --------   dc----w-   c:\windows\ie8
                                    2012-08-10 23:43 . 2012-08-11 01:18   --------   d-----w-   C:\PCHelpForum
                                    2012-08-10 22:54 . 2012-08-11 21:50   --------   d-----w-   c:\documents and settings\Patrick\Application Data\PCToolsFirewallPlus
                                    2012-08-10 22:52 . 2011-03-02 16:40   160576   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
                                    2012-08-10 22:52 . 2010-03-29 15:06   218592   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
                                    2012-08-10 22:52 . 2011-01-17 13:10   251560   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
                                    2012-08-10 22:52 . 2012-08-10 22:52   --------   d-----w-   c:\program files\Common Files\PC Tools
                                    2012-08-10 22:52 . 2011-01-12 14:36   89472   ----a-w-   c:\windows\system32\drivers\pctNdis-PacketFilter.sys
                                    2012-08-10 22:52 . 2010-07-08 12:49   57536   ----a-w-   c:\windows\system32\drivers\pctNdis.sys
                                    2012-08-10 22:52 . 2010-02-05 12:26   32808   ----a-w-   c:\windows\system32\drivers\pctNdis-DNS.sys
                                    2012-08-10 22:51 . 2011-01-17 12:11   125248   ----a-w-   c:\windows\system32\drivers\pctplfw.sys
                                    2012-08-10 22:51 . 2012-08-13 04:24   --------   d-----w-   c:\program files\PC Tools Firewall Plus
                                    2012-08-10 22:47 . 2012-08-10 22:47   205072   ----a-w-   c:\windows\system32\drivers\tmcomm.sys
                                    2012-08-10 21:10 . 2012-08-10 22:52   --------   d-----w-   c:\documents and settings\Administrator\Application Data\PCToolsFirewallPlus
                                    2012-08-10 17:49 . 2012-08-10 17:49   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
                                    2012-08-10 17:30 . 2012-08-10 17:30   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Windows Search
                                    2012-08-10 14:50 . 2012-08-10 14:50   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
                                    2012-08-10 14:50 . 2012-08-10 14:50   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
                                    2012-08-05 15:49 . 2012-08-05 15:49   --------   d-----w-   c:\program files\DVD Decrypter
                                    .
                                    .
                                    .
                                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                    .
                                    2012-08-10 21:43 . 2004-08-11 23:00   14336   ----a-w-   c:\windows\system32\svchost.exe
                                    2012-08-05 15:39 . 2012-04-17 00:04   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
                                    2012-08-05 15:39 . 2011-05-14 20:03   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
                                    2012-06-13 13:19 . 2004-08-11 23:00   1866112   ----a-w-   c:\windows\system32\win32k.sys
                                    2012-06-05 15:50 . 2008-08-17 18:02   1372672   ----a-w-   c:\windows\system32\msxml6.dll
                                    2012-06-05 15:50 . 2004-08-11 23:00   1172480   ----a-w-   c:\windows\system32\msxml3.dll
                                    2012-07-29 13:39 . 2012-02-12 23:34   136672   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
                                    1997-06-23 17:06   287504   --sha-w-   c:\windows\system32\Msxbse35.dll
                                    .
                                    .
                                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                    .
                                    .
                                    *Note* empty entries & legit default entries are not shown
                                    REGEDIT4
                                    .
                                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                    "OE_OEM"="c:\program files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-15 20553]
                                    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
                                    "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
                                    .
                                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
                                    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
                                    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
                                    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-26 1983816]
                                    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
                                    "00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2011-04-07 2672600]
                                    .
                                    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                                    "Autodesk"="c:\documents and settings\Patrick\Local Settings\Application Data\Collectorz.com\Autodesk\kzaayba.dll" [BU]
                                    .
                                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
                                    "NoSimpleStartMenu"= 0 (0x0)
                                    .
                                    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                                    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-05 113024]
                                    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
                                    .
                                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                                    2010-04-03 22:43   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                                    .
                                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
                                    @=""
                                    .
                                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
                                    @="Service"
                                    .
                                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService]
                                    @="Service"
                                    .
                                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-phishing Domain Advisor]
                                    2011-07-29 20:45   217256   ----a-w-   c:\documents and settings\All Users\Application Data\Anti-phishing Domain Advisor\visicom_antiphishing.exe
                                    .
                                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
                                    2006-10-23 12:50   71216   ----a-w-   c:\program files\Common Files\AOL\ACS\AOLDial.exe
                                    .
                                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDFab Passkey]
                                    2012-06-28 18:51   1389088   ----a-w-   c:\program files\DVDFab Passkey\DVDFabPasskey.exe
                                    .
                                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
                                    2006-11-13 17:39   1289000   ----a-w-   c:\program files\Microsoft ActiveSync\wcescomm.exe
                                    .
                                    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
                                    2006-09-26 00:52   50736   ----a-w-   c:\program files\Common Files\AOL\1172251831\ee\aolsoftware.exe
                                    .
                                    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                                    "AntiVirusOverride"=dword:00000001
                                    .
                                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                                    "EnableFirewall"= 0 (0x0)
                                    .
                                    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                                    "%windir%\\system32\\sessmgr.exe"=
                                    .
                                    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/11/2010 7:03 PM 116608]
                                    R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [4/7/2012 6:27 PM 821592]
                                    R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [8/12/2012 6:30 PM 1027792]
                                    R3 dvdfab;dvdfab;c:\windows\system32\drivers\dvdfab.sys [7/5/2012 1:44 PM 54144]
                                    S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys --> c:\windows\system32\DRIVERS\avgidshx.sys [?]
                                    S1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [8/10/2012 6:52 PM 251560]
                                    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/17/2008 3:11 PM 12880]
                                    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/17/2008 3:11 PM 67664]
                                    S2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:\windows\system32\drivers\hnm_wrls_pkt.sys [7/14/2006 3:01 AM 13824]
                                    S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]
                                    S2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [8/10/2012 6:52 PM 160576]
                                    S2 PDFsFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [8/12/2012 6:30 PM 68464]
                                    S2 wsppkt;Wireless Security Protocol;c:\windows\system32\drivers\wsp_pkt.sys [7/14/2006 3:02 AM 13696]
                                    S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys --> c:\windows\system32\DRIVERS\avgidsshimx.sys [?]
                                    S3 CFcatchme;CFcatchme;\??\c:\combofix\CFcatchme.sys --> c:\combofix\CFcatchme.sys [?]
                                    S3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [4/7/2012 6:27 PM 246816]
                                    S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/5/2012 5:37 AM 113120]
                                    S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [8/15/2010 8:55 AM 47360]
                                    S3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [8/10/2012 6:52 PM 89472]
                                    S3 pctNDIS;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [8/10/2012 6:52 PM 57536]
                                    S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [8/10/2012 6:51 PM 125248]
                                    S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [4/7/2012 6:27 PM 30368]
                                    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/17/2008 3:11 PM 12872]
                                    S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [4/7/2012 6:27 PM 16208]
                                    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
                                    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/31/2008 8:57 PM 715248]
                                    .
                                    .
                                    ------- Supplementary Scan -------
                                    .
                                    uStart Page = www.msn.com
                                    uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
                                    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
                                    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\tfpwaynx.default\
                                    .
                                    .
                                    ------- File Associations -------
                                    .
                                    JSEFile=NOTEPAD.EXE %1
                                    .
                                    .
                                    **************************************************************************
                                    .
                                    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                    Rootkit scan 2012-09-02 23:44
                                    Windows 5.1.2600 Service Pack 3 NTFS
                                    .
                                    scanning hidden processes ... 
                                    .
                                    scanning hidden autostart entries ...
                                    .
                                    scanning hidden files ... 
                                    .
                                    scan completed successfully
                                    hidden files: 0
                                    .
                                    **************************************************************************
                                    .
                                    --------------------- LOCKED REGISTRY KEYS ---------------------
                                    .
                                    [HKEY_USERS\S-1-5-21-2796421550-788906634-1267632633-500\Software\Microsoft\Internet Explorer\User Preferences]
                                    @Denied: (2) (Administrator)
                                    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
                                       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,92,62,f9,83,a0,c5,46,a8,5a,a9,\
                                    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
                                       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,39,92,62,f9,83,a0,c5,46,a8,5a,a9,\
                                    .
                                    --------------------- DLLs Loaded Under Running Processes ---------------------
                                    .
                                    - - - - - - - > 'winlogon.exe'(304)
                                    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                                    c:\windows\system32\WININET.dll
                                    c:\windows\system32\l3codeca.acm
                                    .
                                    - - - - - - - > 'explorer.exe'(1244)
                                    c:\windows\system32\WININET.dll
                                    c:\windows\system32\AcSignIcon.dll
                                    .
                                    Completion time: 2012-09-03  00:02:20
                                    ComboFix-quarantined-files.txt  2012-09-03 04:01
                                    ComboFix2.txt  2012-09-03 02:31
                                    ComboFix3.txt  2012-08-11 23:46
                                    ComboFix4.txt  2012-08-11 01:17
                                    ComboFix5.txt  2012-09-03 03:04
                                    .
                                    Pre-Run: 121,009,709,056 bytes free
                                    Post-Run: 120,988,876,800 bytes free
                                    .
                                    - - End Of File - - 1D82410EDBB2FBBC05A11D08574283C1

                                    SuperDave

                                    • Malware Removal Specialist
                                    • Moderator
                                    • Genius
                                    • Thanked: 1020
                                    • Certifications: List
                                    • Experience: Expert
                                    • OS: Windows 10
                                    Re: Virus or worm has disabled internet, hidden program and other files
                                    « Reply #27 on: September 03, 2012, 04:20:21 PM »
                                    According to the CF log, AVG is the only AV you have on your computer. Do you want to get rid of it?

                                    Download Security Check by screen317 from one of the following links and save it to your desktop.

                                    Link 1
                                    Link 2

                                    * Double-click Security Check.bat
                                    * Follow the on-screen instructions inside of the black box.
                                    * A Notepad document should open automatically called checkup.txt
                                    * Post the contents of that document in your next reply.

                                    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
                                    *****************************************************
                                    SysProt Antirootkit

                                    Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

                                    http://sites.google.com/site/sysprotantirootkit/

                                    Unzip it into a folder on your desktop.
                                    • Double click Sysprot.exe to start the program.
                                    • Click on the Log tab.
                                    • In the Write to log box select the following items.
                                      • Process << Selected
                                      • Kernel Modules << Selected
                                      • SSDT << Selected
                                      • Kernel Hooks << Selected
                                      • IRP Hooks << NOT Selected
                                      • Ports << NOT Selected
                                      • Hidden Files << Selected
                                    • At the bottom of the page
                                      • Hidden Objects Only << Selected
                                    • Click on the Create Log button on the bottom right.
                                    • After a few seconds a new window should appear.
                                    • Select Scan Root Drive. Click on the Start button.
                                    • When it is complete a new window will appear to indicate that the scan is finished.
                                    • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
                                    Windows 8 and Windows 10 dual boot with two SSD's

                                    padraig

                                      Topic Starter
                                      Beginner

                                    • a coward dies a million times, free men die once
                                      • Experience: Beginner
                                      • OS: Windows XP
                                      Re: Virus or worm has disabled internet, hidden program and other files
                                      « Reply #28 on: September 03, 2012, 05:01:37 PM »
                                      FYI: USB flashdrive still cannot be ejected "safely"

                                      FYI: the security check file saved as exe extension and would not run on the desktop. I renamed it to *.bat to enable it

                                      No checkup.txt created on PC

                                      Antirootkit log pasted below:

                                      SysProt AntiRootkit v1.0.1.0
                                      by swatkat

                                      ******************************************************************************************
                                      ******************************************************************************************

                                      No Hidden Processes found

                                      ******************************************************************************************
                                      ******************************************************************************************
                                      Kernel Modules:
                                      Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
                                      Service Name: ---
                                      Module Base: EBD57000
                                      Module End: EBE0E000
                                      Hidden: Yes

                                      ******************************************************************************************
                                      ******************************************************************************************
                                      SSDT:
                                      Function Name: ZwTerminateProcess
                                      Address: EDFEF640
                                      Driver Base: EDFE5000
                                      Driver End: EE007000
                                      Driver Name: \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys

                                      ******************************************************************************************
                                      ******************************************************************************************
                                      No Kernel Hooks found

                                      ******************************************************************************************
                                      ******************************************************************************************
                                      Hidden files/folders:
                                      Object: C:\3baa40c85193c289d25516fa\1025\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1025\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1028\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1028\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1029\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1029\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1030\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1030\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1031\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1031\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1032\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1032\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1033\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1033\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1035\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1035\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1036\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1036\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1037\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1037\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1038\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1038\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1040\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1040\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1041\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1041\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1042\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1042\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1043\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1043\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1044\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1044\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1045\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1045\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1046\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1046\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1049\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1049\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1053\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1053\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1055\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\1055\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\2052\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\2052\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\2070\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\2070\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\3076\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\3076\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\3082\eula.rtf
                                      Status: Access denied

                                      Object: C:\3baa40c85193c289d25516fa\3082\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1025\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1025\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1028\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1028\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1029\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1029\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1030\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1030\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1031\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1031\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1032\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1032\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1033\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1033\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1035\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1035\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1036\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1036\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1037\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1037\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1038\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1038\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1040\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1040\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1041\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1041\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1042\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1042\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1043\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1043\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1044\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1044\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1045\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1045\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1046\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1046\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1049\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1049\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1053\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1053\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1055\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\1055\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\2052\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\2052\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\2070\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\2070\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\3076\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\3076\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\3082\eula.rtf
                                      Status: Access denied

                                      Object: C:\ad55f1e90f161b8a6b9f9d3b96cf\3082\HotFixInstallerUI.dll
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\AppData.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\Cache.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\Cookies.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\Desktop.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\Favorites.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\History.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\Music.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\NetHood.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\Personal.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\Pictures.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\Programs.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\Recent.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\SendTo.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\SetPath.bat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\StartUp.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\SysPath.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\Templates.folder.dat
                                      Status: Access denied

                                      Object: C:\Qoobox\BackEnv\VikPev00
                                      Status: Access denied

                                      SuperDave (Malware Removal Specialist, Moderator)
                                      Re: Virus or worm has disabled internet, hidden program and other files
                                      « Reply #29 on: September 03, 2012, 05:32:57 PM »
                                      I'd like to scan your machine with ESET OnlineScan

                                      •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                                      ESET OnlineScan
                                      •Click the button.
                                      •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                                      • Click on to download the ESET Smart Installer. Save it to your desktop.
                                      • Double click on the icon on your desktop.
                                      •Check
                                      •Click the button.
                                      •Accept any security warnings from your browser.
                                      •Check
                                      •Push the Start button.
                                      •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                                      •When the scan completes, push
                                      •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                                      •Push the button.
                                      •Push
                                      A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
                                      Windows 8 and Windows 10 dual boot with two SSD's

                                        padraig (Topic Starter)
                                        Re: Virus or worm has disabled internet, hidden program and other files
                                        « Reply #30 on: September 04, 2012, 06:28:40 AM »
                                        I am sorry, but since the PC will not connect to the internet I cannot run an online scan.

                                        I receive an error message: "No connection to the internet is currently available." Work offline is the only option.

                                        Do I have to wipe this PC "clean" and start from scratch?

                                        I reran Security Check 317 and here is the log:

                                         Results of screen317's Security Check version 0.99.50
                                         Windows XP Service Pack 3 x86
                                         Internet Explorer 8
                                        ``````````````Antivirus/Firewall Check:``````````````
                                         Windows Firewall Disabled!
                                        AVG Anti-Virus Free Edition 2012
                                         Antivirus up to date!
                                        `````````Anti-malware/Other Utilities Check:`````````
                                         SpywareBlaster 4.4
                                         SUPERAntiSpyware Free Edition
                                         CCleaner
                                         Java(TM) 6 Update 29
                                         Java version out of Date!
                                         Adobe Flash Player 11.3.300.270
                                         Adobe Reader 9 Adobe Reader out of Date!
                                         Mozilla Firefox (14.0.1)
                                        ````````Process Check: objlist.exe by Laurent````````
                                         IObit IObit Malware Fighter IMFsrv.exe
                                         PC Tools Firewall Plus FWService.exe
                                         PC Tools Firewall Plus FirewallGUI.exe
                                         iolo Common Lib ioloServiceManager.exe
                                        `````````````````System Health check`````````````````
                                         Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
                                        ````````````````````End of Log``````````````````````









                                        SuperDave (Malware Removal Specialist, Moderator)
                                        Re: Virus or worm has disabled internet, hidden program and other files
                                        « Reply #31 on: September 04, 2012, 04:15:51 PM »
                                        Quote
                                        I am sorry but since the PC will not connect to the internet I cannot run an online scan

                                        I receive an error message "no connection to the internet is currently available." work offline is the only option

                                        Do I have to wipe this PC "clean" and start from scratch?
                                        Let's see if we can fix the connection problem.

                                        Please download MiniToolBox to Desktop and run it.



                                        Checkmark the following boxes:

                                          • Flush DNS
                                          • Report IE Proxy Settings
                                          • Reset IE Proxy Settings
                                          • List content of Hosts
                                          • List IP Configuration
                                          • List Last 10 Event Viewer Errors
                                          • List Users, Partitions and Memory Size
                                          Click Go and copy/paste the log (Result.txt) into your next post.
                                          **************************************************************
                                          Please download Farbar Service Scanner and run it on the computer with the issue.
                                          • Press "Scan".
                                          • It will create a log (FSS.txt) in the same directory the tool is run.
                                          • Please copy and paste the log to your reply.
                                          *******************************************************
                                          Total Fragmentation on Drive C:: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
                                          Please take time to defrag your hard drive.
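The checks requested above (flush DNS, report the IE proxy, dump the hosts file, list the IP configuration) are the usual first pass when a PC has "lost" the internet after an infection, because each one is a place malware commonly tampers with. The script below is an added example, not part of this thread and not Farbar's MiniToolBox: it parses the text of `ipconfig /all`, `route print` and the hosts file and flags what matters for this kind of triage (an adapter with no link, a link with no address, a DNS server pointing at loopback, no default route, hosts entries that blackhole or redirect real domains, an enabled IE proxy). The sample inputs are constructed to mirror the shape of the log posted in the next reply (adapter reporting "Media disconnected", a routing table with no 0.0.0.0 route); the hijacked hosts file and the proxy value are made up for illustration.

```python
"""Offline triage of the items MiniToolBox reports: IP configuration,
routing table, hosts file and the IE proxy setting.
Added example, not part of the thread and not Farbar's tool. The sample
texts are constructed (shaped like the posted log) so this runs offline.
"""
import re

# Constructed sample: an adapter with no link, as in the posted log.
IPCONFIG_SAMPLE = """
Windows IP Configuration
        Host Name . . . . . . . . . . . . : SAMPLE-PC

Ethernet adapter Local Area Connection:
        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) 82566DC Gigabit Network Connection
        Physical Address. . . . . . . . . : 00-00-5E-00-53-01
"""

# Constructed sample: loopback and broadcast rows only, no 0.0.0.0 route.
ROUTES_SAMPLE = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1     1
  255.255.255.255  255.255.255.255  255.255.255.255               2     1
"""

HOSTS_CLEAN = "# Copyright (c) 1993-1999 Microsoft Corp.\n127.0.0.1       localhost\n"

# Constructed hijacked hosts file: a security vendor blackholed to loopback,
# an update host redirected to a (documentation-range) attacker IP.
HOSTS_HIJACKED = """127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
203.0.113.5     windowsupdate.microsoft.com
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (.+):\s*$")
# "Key . . . : value" -- the dot leader separates a field line from a bare
# continuation line (e.g. a second DNS server listed on its own line)
FIELD_RE = re.compile(r"^\s*([^:]+?)(?:\s*\.)+\s*:\s*(.*)$")
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; fields above any adapter go under ''."""
    adapters, current, last_key = {"": {}}, "", None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current, last_key = m.group(1), None
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            adapters[current].setdefault(last_key, []).append(m.group(2).strip())
        elif line.strip() and last_key:
            adapters[current][last_key].append(line.strip())
    return adapters


def parse_routes(text):
    """Return (destination, netmask, gateway, interface) rows from route print."""
    ip = r"\d{1,3}(?:\.\d{1,3}){3}"
    row = re.compile(rf"^\s*({ip})\s+({ip})\s+({ip})\s+(\S+)\s+\d+\s*$")
    return [m.groups() for m in map(row.match, text.splitlines()) if m]


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) >= 2:
            pairs.extend((tokens[0], name) for name in tokens[1:])
    return pairs


def triage(ipconfig_text, routes_text, hosts_text, proxy_enable=0, proxy_server=""):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    for name, fields in parse_ipconfig(ipconfig_text).items():
        if not name:
            continue
        if "disconnected" in " ".join(fields.get("Media State", [])).lower():
            findings.append(f"{name}: no link (Media disconnected); DNS/proxy fixes cannot help until the link is up")
        elif not (fields.get("IP Address") or fields.get("IPv4 Address")):
            findings.append(f"{name}: link up but no IP address (DHCP failing?)")
        if any(d.startswith("127.") for d in fields.get("DNS Servers", [])):
            findings.append(f"{name}: DNS server is loopback ({fields['DNS Servers']})")
    if not any(r[0] == "0.0.0.0" for r in parse_routes(routes_text)):
        findings.append("no default route (0.0.0.0) in routing table")
    for ip, host in parse_hosts(hosts_text):
        if host.lower() not in LOOPBACK_NAMES:
            verb = "blackholed to" if ip.startswith("127.") else "redirected to"
            findings.append(f"hosts: {host} {verb} {ip}")
    if proxy_enable and proxy_server:
        findings.append(f"IE proxy enabled: {proxy_server}")
    return findings


if __name__ == "__main__":
    for f in triage(IPCONFIG_SAMPLE, ROUTES_SAMPLE, HOSTS_HIJACKED, 1, "127.0.0.1:8080"):
        print("-", f)
```

To use it on the affected machine, paste in the real text of `ipconfig /all`, `route print` and `%SystemRoot%\system32\drivers\etc\hosts` in place of the samples; the IE proxy values are ProxyEnable and ProxyServer under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. One caveat worth keeping in mind when reading the log that follows: "Media disconnected" means the NIC has no link at all, so no address, no DNS and no default route are expected, and flushing DNS or resetting the proxy cannot change that until the link comes up.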

                                            padraig (Topic Starter)
                                            Re: Virus or worm has disabled internet, hidden program and other files
                                            « Reply #32 on: September 04, 2012, 04:33:47 PM »
                                            How do I "defrag"?

                                            Here is the MiniToolBox log:

                                            MiniToolBox by Farbar  Version: 23-07-2012
                                            Ran by Patrick (administrator) on 04-09-2012 at 19:29:46
                                            Microsoft Windows XP Professional Service Pack 3 (X86)
                                            Boot Mode: Normal
                                            ***************************************************************************

                                            ========================= Flush DNS: ===================================


                                            Windows IP Configuration



                                            Successfully flushed the DNS Resolver Cache.


                                            ========================= IE Proxy Settings: ==============================

                                            Proxy is not enabled.
                                            No Proxy Server is set.

                                            "Reset IE Proxy Settings": IE Proxy Settings were reset.
                                            ========================= Hosts content: =================================

                                            127.0.0.1       localhost

                                            ========================= IP Configuration: ================================

                                            Intel(R) 82566DC Gigabit Network Connection = Local Area Connection (Media disconnected)


                                            # ----------------------------------
                                            # Interface IP Configuration         
                                            # ----------------------------------
                                            pushd interface ip


                                            # Interface IP Configuration for "Local Area Connection"

                                            set address name="Local Area Connection" source=dhcp
                                            set dns name="Local Area Connection" source=dhcp register=PRIMARY
                                            set wins name="Local Area Connection" source=dhcp


                                            popd
                                            # End of interface IP configuration




                                            Windows IP Configuration



                                                    Host Name . . . . . . . . . . . . : FamilyRoom

                                                    Primary Dns Suffix  . . . . . . . :

                                                    Node Type . . . . . . . . . . . . : Broadcast

                                                    IP Routing Enabled. . . . . . . . : No

                                                    WINS Proxy Enabled. . . . . . . . : No



                                            Ethernet adapter Local Area Connection:



                                                    Media State . . . . . . . . . . . : Media disconnected

                                                    Description . . . . . . . . . . . : Intel(R) 82566DC Gigabit Network Connection

                                                    Physical Address. . . . . . . . . : 00-19-D1-1A-C7-71

                                            Server:  UnKnown
                                            Address:  127.0.0.1

                                            Ping request could not find host google.com. Please check the name and try again.

                                            Server:  UnKnown
                                            Address:  127.0.0.1

                                            Ping request could not find host yahoo.com. Please check the name and try again.

                                            Server:  UnKnown
                                            Address:  127.0.0.1

                                            Ping request could not find host bleepingcomputer.com. Please check the name and try again.



                                            Pinging 127.0.0.1 with 32 bytes of data:



                                            Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

                                            Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



                                            Ping statistics for 127.0.0.1:

                                                Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

                                            Approximate round trip times in milli-seconds:

                                                Minimum = 0ms, Maximum = 0ms, Average = 0ms

                                            ===========================================================================
                                            Interface List
                                            0x1 ........................... MS TCP Loopback interface
                                            0x2 ...00 19 d1 1a c7 71 ...... Intel(R) 82566DC Gigabit Network Connection - Packet Scheduler Miniport
                                            ===========================================================================
                                            ===========================================================================
                                            Active Routes:
                                            Network Destination        Netmask          Gateway       Interface  Metric
                                                    127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1     1
                                              255.255.255.255  255.255.255.255  255.255.255.255               2     1
                                            ===========================================================================
                                            Persistent Routes:
                                              None

                                            ========================= Event log errors: ===============================

                                            Application errors:
                                            ==================
                                            Error: (09/03/2012 07:59:11 PM) (Source: Application Hang) (User: )
                                            Description: Hanging application SysProt.exe, version 1.0.1.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

                                            Error: (09/03/2012 10:08:05 AM) (Source: MsiInstaller) (User: FAMILYROOM)FAMILYROOM
                                            Description: Product: Microsoft Office Professional 2007 -- Error 1706.Setup cannot find the required files.  Check your connection to the network, or CD-ROM drive.    For other potential solutions to this problem, see SETUP.CHM.(NULL)(NULL)(NULL)(NULL)

                                            Error: (09/01/2012 08:28:00 AM) (Source: WinMgmt) (User: )
                                            Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

                                            Error: (08/28/2012 00:56:36 AM) (Source: WinMgmt) (User: )
                                            Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

                                            Error: (08/26/2012 09:40:27 PM) (Source: WinMgmt) (User: )
                                            Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.

                                            Error: (08/26/2012 00:36:41 PM) (Source: MsiInstaller) (User: FAMILYROOM)FAMILYROOM
                                            Description: Product: Microsoft Office Professional 2007 -- Error 1706.Setup cannot find the required files.  Check your connection to the network, or CD-ROM drive.    For other potential solutions to this problem, see SETUP.CHM.(NULL)(NULL)(NULL)(NULL)

                                            Error: (08/26/2012 00:36:12 PM) (Source: Application Hang) (User: )
                                            Description: Hanging application WINWORD.EXE, version 11.0.8345.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

                                            Error: (08/26/2012 00:35:44 PM) (Source: MsiInstaller) (User: FAMILYROOM)FAMILYROOM
                                            Description: Product: Microsoft Office Professional 2007 -- Error 1706.Setup cannot find the required files.  Check your connection to the network, or CD-ROM drive.    For other potential solutions to this problem, see SETUP.CHM.(NULL)(NULL)(NULL)(NULL)

                                            Error: (08/26/2012 00:24:31 PM) (Source: MsiInstaller) (User: FAMILYROOM)FAMILYROOM
                                            Description: Product: Microsoft Office Professional 2007 -- Error 1706.Setup cannot find the required files.  Check your connection to the network, or CD-ROM drive.    For other potential solutions to this problem, see SETUP.CHM.(NULL)(NULL)(NULL)(NULL)

                                            Error: (08/25/2012 07:11:09 AM) (Source: WinMgmt) (User: )
                                            Description: WinMgmt could not initialize the core parts.  This could be due to a badly installed version of WinMgmt, WinMgmt repository upgrade failure, insufficient disk space or insufficient memory.


                                            System errors:
                                            =============
                                            Error: (09/04/2012 03:19:03 PM) (Source: Service Control Manager) (User: )
                                            Description: The crd service failed to start due to the following error:
                                            %%1053

                                            Error: (09/04/2012 03:19:03 PM) (Source: Service Control Manager) (User: )
                                            Description: Timeout (30000 milliseconds) waiting for the crd service to connect.

                                            Error: (09/03/2012 09:51:37 AM) (Source: Service Control Manager) (User: )
                                            Description: The following boot-start or system-start driver(s) failed to load:
                                            AVGIDSHX

                                            Error: (09/03/2012 09:51:31 AM) (Source: Service Control Manager) (User: )
                                            Description: The Vsapint service failed to start due to the following error:
                                            %%2

                                            Error: (09/03/2012 09:50:34 AM) (Source: DCOM) (User: NT AUTHORITY)
                                            Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
                                            in order to run the server:
                                            {1BE1F766-5536-11D1-B726-00C04FB926AF}

                                            Error: (09/03/2012 09:40:15 AM) (Source: DCOM) (User: FAMILYROOM)
                                            Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
                                            in order to run the server:
                                            {A1F4E726-8CF1-11D1-BF92-0060081ED811}

                                            Error: (09/03/2012 09:40:09 AM) (Source: DCOM) (User: FAMILYROOM)
                                            Description: DCOM got error "%%1084" attempting to start the service netman with arguments ""
                                            in order to run the server:
                                            {BA126AE5-2166-11D1-B1D0-00805FC1270E}

                                            Error: (09/03/2012 09:39:53 AM) (Source: DCOM) (User: FAMILYROOM)
                                            Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
                                            in order to run the server:
                                            {A1F4E726-8CF1-11D1-BF92-0060081ED811}

                                            Error: (09/03/2012 09:39:40 AM) (Source: DCOM) (User: FAMILYROOM)
                                            Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
                                            in order to run the server:
                                            {A1F4E726-8CF1-11D1-BF92-0060081ED811}

                                            Error: (09/02/2012 10:59:39 PM) (Source: DCOM) (User: FAMILYROOM)
                                            Description: DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
                                            in order to run the server:
                                            {A1F4E726-8CF1-11D1-BF92-0060081ED811}


                                            Microsoft Office Sessions:
                                            =========================

                                            ========================= Memory info: ===================================

                                            Percentage of memory in use: 52%
                                            Total physical RAM: 1021.83 MB
                                            Available physical RAM: 484.08 MB
                                            Total Pagefile: 2458.33 MB
                                            Available Pagefile: 1795.52 MB
                                            Total Virtual: 2047.88 MB
                                            Available Virtual: 1966.93 MB

                                            ========================= Partitions: =====================================

                                            2 Drive c: () (Fixed) (Total:171.43 GB) (Free:111.66 GB) NTFS
                                            3 Drive d: (Backup) (Fixed) (Total:57.63 GB) (Free:23 GB) NTFS
                                            7 Drive h: (HP SimpleSave) (Fixed) (Total:465.11 GB) (Free:261.06 GB) NTFS
                                            8 Drive i: (My Passport) (Fixed) (Total:931.48 GB) (Free:547.54 GB) NTFS
                                            9 Drive j: (USB20FD) (Removable) (Total:7.53 GB) (Free:6.6 GB) FAT32

                                            ========================= Users: ========================================

                                            User accounts for \\FAMILYROOM

                                            Administrator            Anna                     Guest                   
                                            HelpAssistant            Patrick                  SUPPORT_388945a0         


                                            **** End of log ****


                                            and the FSS log:


                                            Farbar Service Scanner Version: 06-08-2012
                                            Ran by Patrick (administrator) on 04-09-2012 at 19:30:38
                                            Running from "C:\Documents and Settings\Patrick\Desktop"
                                            Microsoft Windows XP Professional Service Pack 3 (X86)
                                            Boot Mode: Normal
                                            ****************************************************************

                                            Internet Services:
                                            ============

                                            Connection Status:
                                            ==============
                                            Localhost is accessible.
                                            There is no connection to network.
                                            Attempt to access Google IP returned error: Google IP is unreachable
                                            Attempt to access Google.com returned error: Other errors
                                            Attempt to access Yahoo IP returned error: Yahoo IP is unreachable
                                            Attempt to access Yahoo.com returned error: Other errors


                                            File Check:
                                            ========
                                            C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
                                            C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
                                            C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
                                            C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
                                            C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
                                            C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
                                            C:\WINDOWS\system32\svchost.exe => MD5 is legit
                                            C:\WINDOWS\system32\rpcss.dll => MD5 is legit
                                            C:\WINDOWS\system32\services.exe => MD5 is legit

                                            Extra List:
                                            =======
                                            Gpc(6) hnmwrlspkt(9) IPSec(4) NetBT(5) Packet(8) pctgntdi(12) pctNDIS(11) PSched(7) Tcpip(3) wsppkt(10)
                                            0x0F000000040000000100000002000000030000000C0000000D0000000E0000000F00000005000000060000000700000008000000090000000A0000000B000000
                                            IpSec Tag value is correct.

                                            **** End of log ****

                                            padraig

                                              Topic Starter


                                              Beginner

                                            • a coward dies a million times, free men die once
                                              • Experience: Beginner
                                              • OS: Windows XP
                                              Re: Virus or worm has disabled internet, hidden program and other files
                                              « Reply #33 on: September 04, 2012, 05:58:40 PM »
                                              After a search on how to do it, I am defragmenting the hard drive.

                                              padraig

                                                Topic Starter


                                                Beginner

                                              • a coward dies a million times, free men die once
                                                • Experience: Beginner
                                                • OS: Windows XP
                                                Re: Virus or worm has disabled internet, hidden program and other files
                                                « Reply #34 on: September 04, 2012, 06:01:44 PM »
                                                my employment takes me out of town for these next three days in which I will not have access to the infected PC.

                                                I will be offline until Friday PM.

                                                SuperDave

                                                • Malware Removal Specialist
                                                • Moderator


                                                • Genius
                                                • Thanked: 1020
                                                • Certifications: List
                                                • Experience: Expert
                                                • OS: Windows 10
                                                Re: Virus or worm has disabled internet, hidden program and other files
                                                « Reply #35 on: September 05, 2012, 05:04:43 PM »
                                                my employment takes me out of town for these next three days in which I will not have access to the infected PC.

                                                I will be offline until Friday PM.
                                                Ok. Is this computer hardwired to the modem? Did you try resetting the modem? Disconnect the power supply for 30 seconds and then reconnect it.
                                                Windows 8 and Windows 10 dual boot with two SSD's

                                                padraig

                                                  Re: Virus or worm has disabled internet, hidden program and other files
                                                  « Reply #36 on: September 08, 2012, 04:22:22 AM »
                                                  PC and the laptop that I am using to post to this thread are hard cabled to ubee modem. Time Warner Cable replaced modem two weeks ago to restore telephone service. This was no less than two weeks after the virus blocked access to the internet for the PC only. I did disconnect the power supply to the new modem, waited about 1 minute, reconnected and internet service was restored to the laptop only. The PC will not connect to internet through IE8 or Firefox.

                                                  C: defragmentation has been completed.

                                                  SuperDave
                                                  Re: Virus or worm has disabled internet, hidden program and other files
                                                  « Reply #37 on: September 08, 2012, 12:08:38 PM »
                                                  Quote
                                                  The PC will not connect to internet through IE8 or Firefox.
                                                  Did you try another cable?

                                                  You will have to download this on your laptop and transfer it to your PC using a memory stick or disk.

                                                  Please download LSPFix © 2002-2006 Cexx.org.
                                                  Save it to your desktop. Alternate download site available here.
                                                  Run LSPFix - Repair LSP Chain
                                                  PRINT these instructions... then disconnect from the Internet and close all browser windows.
                                                  • Double-click the LSPFix.exe icon on your desktop.
                                                  • If you had to use the alternate download, double-click the "lspfix.zip" file on your desktop.
                                                  • Use XP's Compressed File Extraction Wizard or your own 3rd-party zip file program.
                                                  • Extract the "LSPFix.exe" file to your desktop, then double-click it to start the program.
                                                  • Press the "Finish..." button.
                                                  • Now reboot your computer normally to complete the process.
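The LSP chain that LSPFix repairs is the Winsock catalog: a list of provider entries, each naming a DLL, and "layered chain" entries that string a layered provider over a base provider by catalog entry ID. A chain breaks the way the thread describes (localhost reachable, nothing else) when an LSP DLL has been deleted by a cleaner but its catalog entry remains, or a chain references an entry that no longer exists. The script below is an added example written for this page, not LSPFix or anything SuperDave posted: it parses the text that `netsh winsock show catalog` prints and reports those two problems. The field layout is assumed to follow the XP-era netsh output, and SAMPLE_CATALOG, SAMPLE_PRESENT_DLLS and the DLL names in them are constructed, with entry 1004 deliberately broken.

```python
"""Added example: audit the Winsock (LSP) catalog from `netsh winsock show catalog`
output and flag entries whose provider DLL is missing on disk or whose protocol
chain references a catalog entry ID that does not exist. Field names follow the
XP-style netsh layout as assumed here; the sample data is constructed."""
import os
import re
import subprocess
import sys
from typing import Callable, Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (catalog entry id, problem, detail)

# Constructed sample: 1001 is the base TCP/IP provider, 1002 a layered provider,
# 1003 a valid chain over it, 1004 a chain whose DLL is gone and whose chain
# references a non-existent entry (the "deleted the DLL, left the entry" case).
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP (constructed)
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\WINDOWS\system32\examplelsp.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over [TCP/IP]
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\WINDOWS\system32\examplelsp.dll
Catalog Entry ID:                   1003
Protocol Chain Length:              2
Protocol Chain:                     1002 : 1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Dangling chain (constructed)
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\WINDOWS\system32\gonelsp.dll
Catalog Entry ID:                   1004
Protocol Chain Length:              2
Protocol Chain:                     1002 : 1999
"""
# Constructed stand-in for "what is on disk" so the example runs offline.
SAMPLE_PRESENT_DLLS = {r"c:\windows\system32\mswsock.dll",
                       r"c:\windows\system32\examplelsp.dll"}


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split netsh output into one dict of fields per catalog entry."""
    entries = []
    for block in re.split(r"^Winsock Catalog Provider Entry\s*$", text, flags=re.M):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z ]+?):\s{2,}(.*?)\s*$", line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "Catalog Entry ID" in fields:
            entries.append(fields)
    return entries


def expand_path(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references; netsh prints %SystemRoot% unexpanded."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def audit_catalog(entries: List[Dict[str, str]], exists: Callable[[str], bool],
                  env: Optional[Dict[str, str]] = None) -> List[Finding]:
    """Report missing provider DLLs and chains that reference unknown entry IDs."""
    env = env or {"SystemRoot": os.environ.get("SystemRoot", r"C:\WINDOWS")}
    by_id = {e["Catalog Entry ID"]: e for e in entries}
    findings: List[Finding] = []
    for e in entries:
        eid = e["Catalog Entry ID"]
        dll = expand_path(e.get("Provider Path", ""), env)
        if not exists(dll):
            findings.append((eid, "missing-dll", dll))
        chain = [c.strip() for c in e.get("Protocol Chain", "").split(":") if c.strip()]
        for ref in chain:
            if ref not in by_id:
                findings.append((eid, "dangling-chain", ref))
        # A valid chain ends in a base provider (chain length 1), never in another LSP.
        if chain and chain[-1] in by_id and by_id[chain[-1]].get("Protocol Chain Length") != "1":
            findings.append((eid, "chain-not-ending-in-base-provider", chain[-1]))
    return findings


def audit_live_catalog() -> List[Finding]:
    """Windows only: query the real catalog and check the real file system."""
    out = subprocess.run(["netsh", "winsock", "show", "catalog"],
                         capture_output=True, text=True, check=True).stdout
    return audit_catalog(parse_catalog(out), os.path.exists)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        findings = audit_live_catalog()
    else:
        findings = audit_catalog(parse_catalog(SAMPLE_CATALOG),
                                 lambda p: p.lower() in SAMPLE_PRESENT_DLLS,
                                 env={"SystemRoot": r"C:\WINDOWS"})
    for eid, problem, detail in findings:
        print(f"entry {eid}: {problem}: {detail}")
    print("catalog looks consistent" if not findings
          else f"{len(findings)} problem(s); `netsh winsock reset` rebuilds the catalog")
```

Run without arguments it audits the constructed sample and reports both defects on entry 1004; with `--live` on a Windows machine it reads the real catalog. On XP SP2 and later, `netsh winsock reset` followed by a reboot rebuilds the catalog from the default providers, which is the built-in equivalent of what LSPFix does by removing the broken entries.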

                                                  padraig
                                                    Re: Virus or worm has disabled internet, hidden program and other files
                                                    « Reply #38 on: September 08, 2012, 03:02:10 PM »
                                                    internet connection has been restored!!!   ;D

                                                    padraig
                                                      Re: Virus or worm has disabled internet, hidden program and other files
                                                      « Reply #39 on: September 08, 2012, 04:26:19 PM »
                                                      Super Anti-Spy scan returned 33 threats, all adware; no trojan or worm found.

                                                      Still have an issue with an empty program list or "shortcuts" in the Start menu, and the USB drive is not able to stop to safely eject.

                                                      SuperDave
                                                      Re: Virus or worm has disabled internet, hidden program and other files
                                                      « Reply #40 on: September 09, 2012, 05:14:16 PM »
                                                      Good news and bad news. It's good that your internet access is repaired. You could try running Rkill again. And now, the bad news. I'm required to give you this warning.

                                                      It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware, that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

                                                      Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

                                                      Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

                                                       What danger is presented by rootkits?
                                                       Rootkits and how to combat them
                                                       r00tkit Analysis: What Is A Rootkit

                                                      If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
                                                      How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
                                                      What Should I Do If I've Become A Victim Of Identity Theft?
                                                      Identity Theft Victims Guide - What to do
                                                      It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
                                                      When should I re-format? How should I reinstall?
                                                      Help: I Got Hacked. Now What Do I Do?
                                                      Help: I Got Hacked. Now What Do I Do? Part II
                                                      Where to draw the line? When to recommend a format and reinstall?

                                                      Guides for format and reinstall:

                                                      how-to-reformat-and-reinstall-your-operating-system-the-easy-way

                                                      However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
                                                      If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

                                                      Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.
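The "patch several APIs to hide new registry keys and files" mechanism in the warning above is, on 32-bit Windows, usually an inline hook: the rootkit overwrites the first bytes of an exported function such as NtQueryDirectoryFile or NtEnumerateKey with a jump into its own code, filters the results, and then runs the original. Anti-rootkit tools look for exactly that pattern. The script below is an added example written for this page, not code from SuperDave, GMER or any tool linked in the thread: it recognises the common x86-32 detour stubs at a function entry, resolves the jump target, and reports hooks whose destination lies outside the module that exports the function. The export addresses, module base/size pairs and prologue bytes are constructed (XP-style ntdll and kernel32 bases), and reading live prologues from memory is left to the caller.

```python
"""Added example: detect x86-32 inline hooks on API entry points from their
first bytes. Pure byte analysis (runs anywhere); the exports, module ranges
and prologues below are constructed, not taken from a real machine."""
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

Module = Tuple[str, int, int]               # (name, base, size)
Export = Tuple[int, bytes]                  # (address, first bytes of the function)


class Hook(NamedTuple):
    kind: str
    target: Optional[int]                   # absolute destination, when derivable from the bytes


def detect_inline_hook(prologue: bytes, func_addr: int) -> Optional[Hook]:
    """Return a Hook if the bytes at func_addr start with a known detour stub."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:                      # jmp rel32 (5-byte detour)
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return Hook("jmp_rel32", (func_addr + 5 + rel) & 0xFFFFFFFF)
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:   # push imm32; ret
        return Hook("push_ret", struct.unpack_from("<I", prologue, 1)[0])
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xFF\xE0":  # mov eax,imm32; jmp eax
        return Hook("mov_jmp_eax", struct.unpack_from("<I", prologue, 1)[0])
    if len(prologue) >= 6 and prologue[:2] == b"\xFF\x25":              # jmp dword ptr [addr]
        return Hook("jmp_indirect", None)                               # target must be read from memory
    return None


def owner_module(addr: int, modules: List[Module]) -> Optional[str]:
    """Name of the loaded module whose image range contains addr, if any."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def scan_exports(exports: Dict[str, Export], modules: List[Module]) -> List[Tuple[str, str, Optional[int], str]]:
    """Flag hooked exports whose jump leaves the exporting module (or is indirect)."""
    findings = []
    for name, (addr, prologue) in exports.items():
        hook = detect_inline_hook(prologue, addr)
        if hook is None:
            continue
        if hook.target is None:
            findings.append((name, hook.kind, None, "<indirect>"))
            continue
        dest = owner_module(hook.target, modules)
        if dest == owner_module(addr, modules):
            continue    # jump stays inside the exporting module: treat as benign (e.g. internal forwarding)
        findings.append((name, hook.kind, hook.target, dest or "<unbacked>"))
    return findings


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode the 5-byte `jmp rel32` a detour writes at src to reach dst."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


# Constructed data: XP-style module bases and a hot-patchable Microsoft prologue
# (mov edi,edi; push ebp; mov ebp,esp), plus two hooks into unbacked memory and
# one intra-module jump that should not be reported.
SAMPLE_MODULES: List[Module] = [("ntdll.dll", 0x7C900000, 0x000B2000),
                                ("kernel32.dll", 0x7C800000, 0x000F6000)]
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")
SAMPLE_EXPORTS: Dict[str, Export] = {
    "NtQueryDirectoryFile": (0x7C90D750, jmp_rel32(0x7C90D750, 0x00A51000)),
    "NtEnumerateKey":       (0x7C90D5B4, b"\x68" + struct.pack("<I", 0x00A52000) + b"\xC3"),
    "NtClose":              (0x7C90D586, jmp_rel32(0x7C90D586, 0x7C901234)),
    "NtCreateFile":         (0x7C90D0AE, CLEAN_PROLOGUE),
}

if __name__ == "__main__":
    for name, kind, target, dest in scan_exports(SAMPLE_EXPORTS, SAMPLE_MODULES):
        shown = f"0x{target:08X}" if target is not None else "?"
        print(f"{name}: {kind} -> {shown} in {dest}")
```

Run as-is it reports NtQueryDirectoryFile and NtEnumerateKey as hooked into memory that no loaded module backs, and stays quiet about NtClose, whose jump lands inside ntdll. The "outside the exporting module" rule is what keeps legitimate Microsoft hot-patching and internal forwarding out of the output; a kernel-mode rootkit that hooks from a driver would show up with the driver's name as the destination, which is still worth a look when that driver is unfamiliar.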