
Inactive Rogue.fakehdd rootkit.tdss exploit.drop

Discussion in 'Malware and Virus Removal Archive' started by bcpowder, 2012/01/10.

  1. 2012/01/10
    bcpowder

    bcpowder Inactive Thread Starter

    Joined:
    2012/01/08
    Messages:
    13
    Likes Received:
    0
    [Inactive] Rogue.fakehdd rootkit.tdss exploit.drop

    Ouch. After several years of no virus problems, I downloaded and exploded a zip file that my Comodo anti-virus program did not diagnose as containing a virus. My XP SP3 computer got hit pretty hard and I am in need of help from an expert. I followed the instructions for removal and will be posting the 4 logs in my next posts. Thank you for your assistance.
     
  2. 2012/01/10
    bcpowder

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800 (FIRST TIME I RAN MALWARE)
    www.malwarebytes.org

    Database version: v2012.01.05.01

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Brian Cumming :: BCA-C04-08 [administrator]

    Protection: Enabled

    1/4/2012 11:56:49 PM
    mbam-log-2012-01-04 (23-56-49).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 193986
    Time elapsed: 12 minute(s), 30 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 6
    C:\Documents and Settings\All Users\Application Data\rAYBrQVgIl.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Brian Cumming\Local Settings\Temp\n.exn (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\temp\hY8YaMcADc51Ze.exe.tmp (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    C:\WINDOWS\temp\wera0.5742702358393313.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
    C:\WINDOWS\temp\wera0.7825826924076588.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
    C:\WINDOWS\temp\oiu0.5563577787773298.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.

    (end)
     


  4. 2012/01/10
    bcpowder

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800 (SECOND TIME I RAN MALWARE DUE TO CONTINUED REBOOTING OF OPERATING SYSTEM WHEN NOT IN SAFE MODE)
    www.malwarebytes.org

    Database version: v2012.01.05.01

    Windows XP Service Pack 3 x86 NTFS (Safe Mode)
    Internet Explorer 8.0.6001.18702
    Brian Cumming :: BCA-C04-08 [administrator]

    Protection: Disabled

    1/5/2012 12:30:08 AM
    mbam-log-2012-01-05 (00-30-08).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 310617
    Time elapsed: 2 hour(s), 16 minute(s), 4 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\System Volume Information\_restore{72B5954A-731C-42F8-8AFB-DB334F41A107}\RP642\A0061980.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.

    (end)
     
  5. 2012/01/10
    bcpowder

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800 (THIRD RUN IN SAFE MODE DUE TO CONTINUED AUTO REBOOTS WHEN TRYING TO RESTART COMPUTER)
    www.malwarebytes.org

    Database version: v2012.01.05.01

    Windows XP Service Pack 3 x86 NTFS (Safe Mode)
    Internet Explorer 8.0.6001.18702
    Brian Cumming :: BCA-C04-08 [administrator]

    Protection: Disabled

    1/10/2012 8:31:46 PM
    mbam-log-2012-01-10 (20-31-46).txt

    Scan type: Full scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 309822
    Time elapsed: 2 hour(s), 17 minute(s), 9 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|uEwKkQfYkoLVFj.exe (Rogue.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\uEwKkQfYkoLVFj.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Documents and Settings\All Users\Application Data\uEwKkQfYkoLVFj.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    C:\WINDOWS\temp\tue0.3055874921395204.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.

    (end)
     
  6. 2012/01/10
    bcpowder

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-10 23:58:20
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HDS721616PLA380 rev.P22OABEA
    Running: ojuxst5u.exe; Driver: C:\DOCUME~1\BRIANC~1\LOCALS~1\Temp\pwddapow.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntdll.dll!NtClose 7C90CFEE 5 Bytes [E9, 9D, 86, 6F, 93] {JMP 0xffffffff936f86a2}
    .text ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes [E9, 30, E2, 6E, 93] {JMP 0xffffffff936ee235}

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[244] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[244] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[244] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[244] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[244] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[244] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[244] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\winlogon.exe[244] ole32.dll!CoCreateInstanceEx 774FF154 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\winlogon.exe[244] ole32.dll!CoGetClassObject 775151F5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[292] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[292] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[292] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[292] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[292] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[292] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[292] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[292] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[292] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\services.exe[292] ole32.dll!CoCreateInstanceEx 774FF154 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\services.exe[292] ole32.dll!CoGetClassObject 775151F5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[304] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[304] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[304] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[304] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[304] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[304] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[304] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[304] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[304] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\lsass.exe[304] ole32.dll!CoCreateInstanceEx 774FF154 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\lsass.exe[304] ole32.dll!CoGetClassObject 775151F5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[468] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[468] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[468] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[468] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[468] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[468] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[468] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[468] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[468] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\svchost.exe[468] ole32.dll!CoCreateInstanceEx 774FF154 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[468] ole32.dll!CoGetClassObject 775151F5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[540] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[540] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[540] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[540] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[540] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[540] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[540] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\svchost.exe[540] ole32.dll!CoCreateInstanceEx 774FF154 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[540] ole32.dll!CoGetClassObject 775151F5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[600] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[600] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 0082000C
    .text C:\WINDOWS\system32\svchost.exe[600] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 03BE000A
    .text C:\WINDOWS\system32\svchost.exe[600] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 0467000A
    .text C:\WINDOWS\system32\svchost.exe[600] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 0468000A
    .text C:\WINDOWS\system32\svchost.exe[600] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[600] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[600] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[600] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[600] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[600] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[600] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\system32\svchost.exe[600] ole32.dll!CoCreateInstanceEx 774FF154 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\system32\svchost.exe[600] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 0145000A
    .text C:\WINDOWS\system32\svchost.exe[600] ole32.dll!CoGetClassObject 775151F5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[944] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[944] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[944] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[944] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[944] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[944] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\WINDOWS\Explorer.EXE[944] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[944] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[944] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[944] ole32.dll!CoCreateInstanceEx 774FF154 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
    .text C:\WINDOWS\Explorer.EXE[944] ole32.dll!CoGetClassObject 775151F5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Brian Cumming\Desktop\ojuxst5u.exe[1312] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 10005690 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Brian Cumming\Desktop\ojuxst5u.exe[1312] ntdll.dll!LdrUnloadDll 7C91738B 5 Bytes JMP 100055C0 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Brian Cumming\Desktop\ojuxst5u.exe[1312] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 10001860 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Brian Cumming\Desktop\ojuxst5u.exe[1312] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 10001230 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Brian Cumming\Desktop\ojuxst5u.exe[1312] GDI32.dll!CreateDCW 77F1BE38 2 Bytes JMP 100013C0 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Brian Cumming\Desktop\ojuxst5u.exe[1312] GDI32.dll!CreateDCW + 3 77F1BE3B 2 Bytes [0E, 98] {PUSH CS; CWDE }
    .text C:\Documents and Settings\Brian Cumming\Desktop\ojuxst5u.exe[1312] USER32.dll!EndTask 7E45A0A5 5 Bytes JMP 10005250 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Brian Cumming\Desktop\ojuxst5u.exe[1312] USER32.dll!mouse_event 7E46673F 5 Bytes JMP 100016D0 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Brian Cumming\Desktop\ojuxst5u.exe[1312] USER32.dll!keybd_event 7E466783 5 Bytes JMP 10001550 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Brian Cumming\Desktop\ojuxst5u.exe[1312] ole32.dll!CoCreateInstanceEx 774FF154 5 Bytes JMP 10004F60 C:\WINDOWS\system32\guard32.dll
    .text C:\Documents and Settings\Brian Cumming\Desktop\ojuxst5u.exe[1312] ole32.dll!CoGetClassObject 775151F5 5 Bytes JMP 100050E0 C:\WINDOWS\system32\guard32.dll

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A7932C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A7932C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A7932C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A7932C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A7932C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A7932C6

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----
     
  7. 2012/01/10
    bcpowder

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-10 23:59:49
    -----------------------------
    23:59:49.921 OS Version: Windows 5.1.2600 Service Pack 3
    23:59:49.921 Number of processors: 2 586 0x6B02
    23:59:49.921 ComputerName: BCA-C04-08 UserName:
    23:59:51.921 Initialize success
    00:00:17.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    00:00:17.218 Disk 0 Vendor: Hitachi_HDS721616PLA380 P22OABEA Size: 152627MB BusType: 3
    00:00:17.250 Device \Driver\atapi -> DriverStartIo 8a7932c6
    00:00:17.265 Disk 0 MBR read successfully
    00:00:17.281 Disk 0 MBR scan
    00:00:17.312 Disk 0 TDL4@MBR code has been found
    00:00:17.328 Disk 0 MBR hidden
    00:00:17.359 Disk 0 Partition 1 00 12 Compaq diag MSWIN4.1 5992 MB offset 63
    00:00:17.390 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 73069 MB offset 12273660
    00:00:17.437 Disk 0 Partition 3 00 0C FAT32 LBA MSWIN4.1 73563 MB offset 161919135
    00:00:17.468 Disk 0 MBR [TDL4] **ROOTKIT**
    00:00:17.500 Disk 0 trace - called modules:
    00:00:17.515 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a79349f]<<
    00:00:17.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a94e9c0]
    00:00:17.578 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006b[0x8a9619e8]
    00:00:17.671 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8a9c4940]
    00:00:17.765 \Driver\atapi[0x8a7b0658] -> IRP_MJ_CREATE -> 0x8a79349f
    00:00:17.875 Scan finished successfully
    00:02:04.390 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Brian Cumming\Desktop\MBR.dat "
    00:02:04.484 The log file has been saved successfully to "C:\Documents and Settings\Brian Cumming\Desktop\aswMBR.txt "
     
  8. 2012/01/10
    bcpowder

    .
    DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
    Internet Explorer: 8.0.6001.18702
    Run by Brian Cumming at 0:03:14 on 2012-01-11
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1242 [GMT -5:00]
    .
    AV: COMODO Antivirus *Enabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
    FW: COMODO Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\Explorer.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [LaunchApp] Alaunch
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe "
    mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe "
    mRun: [Acer Empowering Technology Monitor] c:\windows\system32\SysMonitor.exe
    mRun: [eLockMonitor] c:\acer\empowering technology\elock\monitor\LaunchMonitor.exe
    mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe 0
    mRun: [installnet.exe] "c:\acer\lanscope agent\installnet.exe" "c:\acer\lanscope agent\
    mRun: [AdminWorks Tray] "c:\acer\lanscope agent\awtray.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
    mRun: [COMODO SafeSurf] "c:\program files\comodo\safesurf\cssurf.exe" -s
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe "
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe "
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\brianc~1\startm~1\programs\startup\update~1.lnk - c:\program files\officegt\WiseUpdt.exe
    dPolicies-explorer: NoDesktop = 1 (0x1)
    dPolicies-system: DisableTaskMgr = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    Trusted Zone: suntrust.com\www
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxps://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient1.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265352576406
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265352561859
    DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP31-13320/webex/ieatgpc.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: Interfaces\{873D6BDF-CA1C-4526-9608-1731ADB90714} : NameServer = 192.168.1.1
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: c:\windows\system32\guard32.dll c:\windows\system32\cssdll32.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-11-6 99856]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-11-6 31504]
    S2 AWService;AdminWorks Agent X6;c:\acer\lanscope agent\awServ.exe [2007-4-26 75032]
    S2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2008-11-6 614136]
    S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;c:\windows\system32\eLock2BurnerLockDriver.sys [2006-6-8 17664]
    S2 eLock2FSCTLDriver;eLock2FSCTLDriver;c:\windows\system32\eLock2FSCTLDriver.sys [2006-6-6 90112]
    S2 LockServ;LockServ;c:\acer\empowering technology\elock\lockserv.exe -p --> c:\acer\empowering technology\elock\LockServ.exe -p [?]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-4 652872]
    S2 netlimiter;netlimiter;c:\windows\system32\drivers\NetLimiter.sys [2006-10-3 18072]
    S2 netlock;netlock;c:\windows\system32\drivers\NetLock.sys [2007-5-30 14616]
    S3 Acer ODDSpeedControl;Acer ODDSpeedControl;c:\acer\empowering technology\eacoustics\oddspeedctl\speedcontrol.exe [2005-2-15 81920]
    S3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2005-2-2 9344]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-4 20464]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2011-10-22 30576]
    S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
    .
    =============== Created Last 30 ================
    .
    2012-01-05 04:54:33 -------- d--h--w- c:\documents and settings\brian cumming\application data\Malwarebytes
    2012-01-05 04:53:47 -------- d--h--w- c:\documents and settings\all users\application data\Malwarebytes
    2012-01-05 04:53:45 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-01-05 04:53:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    .
    ==================== Find3M ====================
    .
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_HDS721616PLA380 rev.P22OABEA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A79349F]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a79a738]; MOV EAX, [0x8a79a8ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A94E9C0]
    3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006b[0x8A9619E8]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A9C4940]
    \Driver\atapi[0x8A7B0658] -> IRP_MJ_CREATE -> 0x8A79349F
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A7932C6
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 0:04:39.14 ===============
     
  9. 2012/01/10
    bcpowder Inactive Thread Starter
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/3/2008 5:24:56 PM
    System Uptime: 1/10/2012 11:11:25 PM (1 hours ago)
    .
    Motherboard: Acer | | F690GVM
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ | Socket AM2 | 2593/199mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 71 GiB total, 37.18 GiB free.
    D: is FIXED (FAT32) - 72 GiB total, 71.739 GiB free.
    E: is CDROM ()
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP599: 10/6/2011 6:54:16 PM - System Checkpoint
    RP600: 10/7/2011 11:42:45 PM - System Checkpoint
    RP601: 10/9/2011 11:24:37 AM - System Checkpoint
    RP602: 10/11/2011 12:41:00 AM - System Checkpoint
    RP603: 10/13/2011 1:52:30 AM - System Checkpoint
    RP604: 10/17/2011 9:01:44 PM - System Checkpoint
    RP605: 10/20/2011 11:59:54 PM - System Checkpoint
    RP606: 10/22/2011 9:34:34 AM - System Checkpoint
    RP607: 10/22/2011 4:41:52 PM - Installed DirectX
    RP608: 10/23/2011 5:34:33 PM - System Checkpoint
    RP609: 10/27/2011 3:04:08 AM - System Checkpoint
    RP610: 10/29/2011 8:05:00 PM - System Checkpoint
    RP611: 10/30/2011 8:09:51 PM - System Checkpoint
    RP612: 10/31/2011 8:51:37 PM - System Checkpoint
    RP613: 11/4/2011 8:52:43 PM - System Checkpoint
    RP614: 11/6/2011 8:15:41 PM - System Checkpoint
    RP615: 11/11/2011 8:23:03 PM - System Checkpoint
    RP616: 11/12/2011 8:52:33 PM - System Checkpoint
    RP617: 11/13/2011 9:23:47 PM - System Checkpoint
    RP618: 11/14/2011 10:21:31 PM - System Checkpoint
    RP619: 11/19/2011 8:07:21 AM - System Checkpoint
    RP620: 11/20/2011 4:03:03 PM - System Checkpoint
    RP621: 11/24/2011 6:13:48 PM - System Checkpoint
    RP622: 11/25/2011 10:03:54 PM - System Checkpoint
    RP623: 11/25/2011 10:47:47 PM - Software Distribution Service 3.0
    RP624: 11/27/2011 2:20:09 AM - System Checkpoint
    RP625: 12/1/2011 9:22:41 AM - System Checkpoint
    RP626: 12/3/2011 3:23:41 PM - System Checkpoint
    RP627: 12/4/2011 4:12:16 PM - System Checkpoint
    RP628: 12/5/2011 10:28:08 PM - System Checkpoint
    RP629: 12/7/2011 10:40:37 PM - System Checkpoint
    RP630: 12/8/2011 10:52:44 PM - System Checkpoint
    RP631: 12/10/2011 2:03:26 PM - System Checkpoint
    RP632: 12/11/2011 2:37:24 PM - System Checkpoint
    RP633: 12/12/2011 8:15:07 PM - System Checkpoint
    RP634: 12/14/2011 5:45:51 PM - System Checkpoint
    RP635: 12/18/2011 9:45:32 PM - System Checkpoint
    RP636: 12/26/2011 9:50:02 AM - System Checkpoint
    RP637: 12/27/2011 6:16:14 PM - System Checkpoint
    RP638: 12/28/2011 11:45:20 PM - System Checkpoint
    RP639: 12/30/2011 2:20:52 AM - System Checkpoint
    RP640: 1/2/2012 5:33:40 PM - System Checkpoint
    RP641: 1/3/2012 7:35:28 PM - System Checkpoint
    RP642: 1/4/2012 11:20:48 PM - Restore Operation
    .
    ==== Installed Programs ======================
    .
    2007 Microsoft Office system
    32 Bit HP BiDi Channel Components Installer
    Acer eAcoustics Management
    Acer eDataSecurity Management
    Acer eDataSecurity Management 2.0.4093
    Acer eLock Management
    Acer Empowering Technology
    Acer eProtection
    Acer eSettings Management
    Acer LANScope Agent
    Activation Assistant for the 2007 Microsoft Office suites
    Addison Select
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    ATI Display Driver
    Audacity 1.2.6
    Bonjour
    Business Contact Manager for Outlook 2007 SP2
    CodeCharge Studio 4
    commercial
    COMODO Internet Security
    COMODO SafeSurf
    CutePDF Writer 2.8
    eSobi v2
    EZ Vinyl Converter 2.0.0 by MixMeister
    GoToMeeting 4.0.0.320
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    HP Image Zone 4.7
    HP Managed Printing Admin
    HP Officejet Pro 8500 A910 Basic Device Software
    HP Officejet Pro 8500 A910 Help
    HP Update
    hppIOFiles
    I.R.I.S. OCR
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 17
    Java(TM) 6 Update 7
    LightScribe 1.4.142.1
    Malwarebytes Anti-Malware version 1.60.0.1800
    McAfee Security Scan Plus
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Corporation
    Microsoft Expression Web
    Microsoft Expression Web MUI (English)
    Microsoft Expression Web Service Pack 1 (SP1)
    Microsoft IntelliPoint 7.1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft LifeCam
    Microsoft Money Plus
    Microsoft Money Shared Libraries
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Primary Interop Assemblies
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Accounting 2007
    Microsoft Office Accounting ADP Payroll Addin
    Microsoft Office Accounting Equifax Addin
    Microsoft Office Accounting Fixed Asset Manager
    Microsoft Office Accounting PayPal Addin
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Project 2007 Service Pack 2 (SP2)
    Microsoft Office Project MUI (English) 2007
    Microsoft Office Project Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
    Microsoft Office Small Business Connectivity Components
    Microsoft Office Visio 2007 Service Pack 2 (SP2)
    Microsoft Office Visio MUI (English) 2007
    Microsoft Office Visio Professional 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    MSXML 6.0 Parser (KB933579)
    NTI Backup NOW! 4.7
    NTI CD & DVD-Maker
    OCA Client history tool install
    Octoshape Streaming Services
    OfficeGT Client
    OfficeGT Server
    OGA Notifier 2.0.0048.0
    PowerDVD
    QFolder
    QuickTime
    Realtek High Definition Audio Driver
    Safari
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB2288953)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio 2007 (KB982127)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB913433)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    SendSave
    Skype™ 3.8
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Outlook 2007 Junk Email Filter (kb2410711)
    Update for Windows Internet Explorer 8 (KB2362765)
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebEx
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Management Framework Core
    Windows Search 4.0
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    1/8/2012 8:53:14 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cmdGuard Fips Processor
    1/5/2012 8:35:08 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    1/5/2012 8:25:49 AM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 b9f1571d, parameter3 9b848508, parameter4 00000000.
    1/5/2012 8:23:19 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    1/5/2012 12:29:05 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    1/5/2012 12:28:57 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/5/2012 12:28:51 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD cmdGuard cmdHlp Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
    1/5/2012 12:28:51 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    1/5/2012 12:28:51 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/5/2012 12:28:51 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/5/2012 12:28:51 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    1/5/2012 12:28:51 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/5/2012 12:28:51 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    1/4/2012 11:20:25 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the AdminWorks Agent X6 service to connect.
    1/10/2012 11:15:26 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    .
    ==== End Of File ===========================
     
  10. 2012/01/10
    bcpowder Inactive Thread Starter
    One last detail/clue - I am posting on a computer other than the infected computer for the purpose of accessing the internet. Seems like the virus re-emerges on the infected machine every time I try to log on in regular mode (non-safe mode) and then try to access the internet via my IE browser... I am able to transfer files to the infected computer via a flash drive while remaining in safe mode.
     
  11. 2012/01/11
    broni Moderator Malware Analyst
    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================================================

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  12. 2012/01/11
    bcpowder Inactive Thread Starter
    Here are the results of the TDSSKiller.exe run

    22:43:15.0171 1260 TDSS rootkit removing tool 2.7.0.0 Jan 10 2012 09:14:26
    22:43:15.0250 1260 ============================================================
    22:43:15.0250 1260 Current date / time: 2012/01/11 22:43:15.0250
    22:43:15.0250 1260 SystemInfo:
    22:43:15.0250 1260
    22:43:15.0250 1260 OS Version: 5.1.2600 ServicePack: 3.0
    22:43:15.0250 1260 Product type: Workstation
    22:43:15.0250 1260 ComputerName: BCA-C04-08
    22:43:15.0250 1260 UserName: Brian Cumming
    22:43:15.0250 1260 Windows directory: C:\WINDOWS
    22:43:15.0250 1260 System windows directory: C:\WINDOWS
    22:43:15.0250 1260 Processor architecture: Intel x86
    22:43:15.0250 1260 Number of processors: 2
    22:43:15.0250 1260 Page size: 0x1000
    22:43:15.0250 1260 Boot type: Safe boot
    22:43:15.0250 1260 ============================================================
    22:43:21.0296 1260 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000, SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
    22:43:21.0296 1260 Drive \Device\Harddisk1\DR4 - Size: 0x1E3000000, SectorSize: 0x200, Cylinders: 0x3D9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
    22:43:21.0578 1260 Initialize success
    22:43:27.0390 1296 ============================================================
    22:43:27.0390 1296 Scan started
    22:43:27.0390 1296 Mode: Manual;
    22:43:27.0390 1296 ============================================================
    22:43:29.0390 1296 Abiosdsk - ok
    22:43:29.0937 1296 abp480n5 - ok
    22:43:30.0625 1296 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    22:43:30.0765 1296 ACPI - ok
    22:43:31.0359 1296 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    22:43:31.0375 1296 ACPIEC - ok
    22:43:31.0859 1296 adpu160m - ok
    22:43:32.0640 1296 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    22:43:32.0718 1296 aec - ok
    22:43:33.0390 1296 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    22:43:33.0484 1296 AFD - ok
    22:43:34.0062 1296 Aha154x - ok
    22:43:34.0640 1296 aic78u2 - ok
    22:43:35.0125 1296 aic78xx - ok
    22:43:35.0656 1296 AliIde - ok
    22:43:36.0140 1296 amsint - ok
    22:43:36.0812 1296 asc - ok
    22:43:37.0296 1296 asc3350p - ok
    22:43:38.0031 1296 asc3550 - ok
    22:43:38.0609 1296 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    22:43:38.0625 1296 AsyncMac - ok
    22:43:39.0171 1296 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    22:43:39.0171 1296 atapi - ok
    22:43:39.0781 1296 Atdisk - ok
    22:43:41.0781 1296 ati2mtag (cd5c874245435c9ce7e347e28cf3c6b5) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    22:43:43.0125 1296 ati2mtag - ok
    22:43:43.0843 1296 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    22:43:43.0875 1296 Atmarpc - ok
    22:43:44.0468 1296 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    22:43:44.0468 1296 audstub - ok
    22:43:45.0109 1296 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    22:43:45.0109 1296 Beep - ok
    22:43:45.0781 1296 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    22:43:45.0781 1296 cbidf2k - ok
    22:43:46.0453 1296 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    22:43:46.0468 1296 CCDECODE - ok
    22:43:46.0984 1296 cd20xrnt - ok
    22:43:47.0562 1296 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    22:43:47.0562 1296 Cdaudio - ok
    22:43:48.0125 1296 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    22:43:48.0171 1296 Cdfs - ok
    22:43:48.0781 1296 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    22:43:48.0828 1296 Cdrom - ok
    22:43:49.0328 1296 Changer - ok
    22:43:50.0062 1296 cmdGuard (c3d7d699430061382a79f916ff7f814e) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
    22:43:50.0125 1296 cmdGuard - ok
    22:43:50.0812 1296 cmdHlp (170ca882dc7f0a0d8a0cf511159d344a) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
    22:43:50.0828 1296 cmdHlp - ok
    22:43:51.0375 1296 CmdIde - ok
    22:43:51.0968 1296 Cpqarray - ok
    22:43:52.0531 1296 dac2w2k - ok
    22:43:53.0031 1296 dac960nt - ok
    22:43:53.0703 1296 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    22:43:53.0718 1296 Disk - ok
    22:43:54.0812 1296 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    22:43:55.0312 1296 dmboot - ok
    22:43:55.0984 1296 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    22:43:56.0078 1296 dmio - ok
    22:43:56.0625 1296 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    22:43:56.0625 1296 dmload - ok
    22:43:57.0281 1296 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    22:43:57.0312 1296 DMusic - ok
    22:43:57.0890 1296 Dot4Scan (bd05306428da63369692477ddc0f6f5f) C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
    22:43:57.0906 1296 Dot4Scan - ok
    22:43:58.0437 1296 dpti2o - ok
    22:43:59.0015 1296 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    22:43:59.0031 1296 drmkaud - ok
    22:43:59.0578 1296 eLock2BurnerLockDriver (70f3d2751ba8877ee06becfc59bd77f1) C:\WINDOWS\system32\eLock2BurnerLockDriver.sys
    22:43:59.0609 1296 eLock2BurnerLockDriver - ok
    22:44:00.0203 1296 eLock2FSCTLDriver (8a24dcb29abc693f1d3085a69239e84b) C:\WINDOWS\system32\eLock2FSCTLDriver.sys
    22:44:00.0250 1296 eLock2FSCTLDriver - ok
    22:44:00.0984 1296 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    22:44:01.0062 1296 Fastfat - ok
    22:44:01.0703 1296 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    22:44:01.0718 1296 Fdc - ok
    22:44:02.0312 1296 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    22:44:02.0343 1296 Fips - ok
    22:44:02.0906 1296 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    22:44:02.0921 1296 Flpydisk - ok
    22:44:03.0562 1296 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    22:44:03.0640 1296 FltMgr - ok
    22:44:04.0250 1296 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    22:44:04.0265 1296 Fs_Rec - ok
    22:44:04.0859 1296 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    22:44:04.0937 1296 Ftdisk - ok
    22:44:05.0500 1296 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    22:44:05.0500 1296 GEARAspiWDM - ok
    22:44:06.0062 1296 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    22:44:06.0078 1296 Gpc - ok
    22:44:06.0781 1296 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    22:44:06.0781 1296 HDAudBus - ok
    22:44:07.0468 1296 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    22:44:07.0484 1296 hidusb - ok
    22:44:08.0046 1296 hpn - ok
    22:44:08.0562 1296 HPPLSBULK (32fe92018e28df54bf94d41fc7ff92ac) C:\WINDOWS\system32\drivers\hpplsbulk.sys
    22:44:08.0578 1296 HPPLSBULK - ok
    22:44:09.0234 1296 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    22:44:09.0265 1296 HPZid412 - ok
    22:44:09.0906 1296 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    22:44:09.0906 1296 HPZipr12 - ok
    22:44:10.0500 1296 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    22:44:10.0515 1296 HPZius12 - ok
    22:44:11.0312 1296 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    22:44:11.0468 1296 HTTP - ok
    22:44:12.0031 1296 i2omgmt - ok
    22:44:12.0562 1296 i2omp - ok
    22:44:13.0156 1296 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    22:44:13.0187 1296 i8042prt - ok
    22:44:13.0875 1296 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    22:44:13.0906 1296 Imapi - ok
    22:44:14.0468 1296 ini910u - ok
    22:44:15.0046 1296 Inspect (a087839586682e38360d0df78658e255) C:\WINDOWS\system32\DRIVERS\inspect.sys
    22:44:15.0093 1296 Inspect - ok
    22:44:15.0703 1296 int15 (f8f75594c17fe7bce1b4045bb7199868) C:\WINDOWS\system32\drivers\int15.sys
    22:44:15.0718 1296 int15 - ok
    22:44:19.0750 1296 IntcAzAudAddService (c4006af18682fca0d8a011a0a21070f8) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    22:44:22.0500 1296 IntcAzAudAddService - ok
    22:44:23.0062 1296 IntelIde - ok
    22:44:23.0671 1296 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    22:44:23.0703 1296 Ip6Fw - ok
    22:44:24.0250 1296 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    22:44:24.0265 1296 IpFilterDriver - ok
    22:44:24.0859 1296 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    22:44:24.0875 1296 IpInIp - ok
    22:44:25.0484 1296 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    22:44:25.0578 1296 IpNat - ok
    22:44:26.0218 1296 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    22:44:26.0265 1296 IPSec - ok
    22:44:26.0875 1296 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    22:44:26.0875 1296 IRENUM - ok
    22:44:27.0468 1296 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    22:44:27.0500 1296 isapnp - ok
    22:44:28.0125 1296 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    22:44:28.0140 1296 Kbdclass - ok
    22:44:28.0718 1296 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    22:44:28.0734 1296 kbdhid - ok
    22:44:29.0390 1296 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    22:44:29.0500 1296 kmixer - ok
    22:44:30.0125 1296 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    22:44:30.0171 1296 KSecDD - ok
    22:44:30.0718 1296 lbrtfdc - ok
    22:44:31.0312 1296 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
    22:44:31.0328 1296 MBAMProtector - ok
    22:44:31.0953 1296 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    22:44:31.0968 1296 mnmdd - ok
    22:44:32.0531 1296 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    22:44:32.0562 1296 Modem - ok
    22:44:33.0218 1296 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    22:44:33.0234 1296 Mouclass - ok
    22:44:33.0875 1296 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    22:44:33.0890 1296 mouhid - ok
    22:44:34.0484 1296 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    22:44:34.0515 1296 MountMgr - ok
    22:44:35.0109 1296 mraid35x - ok
    22:44:35.0812 1296 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    22:44:35.0937 1296 MRxDAV - ok
    22:44:36.0828 1296 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    22:44:37.0109 1296 MRxSmb - ok
    22:44:37.0734 1296 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    22:44:37.0750 1296 Msfs - ok
    22:44:38.0343 1296 MSHUSBVideo (7a0f9cbdbdb135113b9a3c138e20c85d) C:\WINDOWS\system32\Drivers\nx6000.sys
    22:44:38.0359 1296 MSHUSBVideo - ok
    22:44:39.0031 1296 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    22:44:39.0046 1296 MSKSSRV - ok
    22:44:39.0609 1296 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    22:44:39.0625 1296 MSPCLOCK - ok
    22:44:40.0203 1296 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    22:44:40.0218 1296 MSPQM - ok
    22:44:40.0828 1296 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    22:44:40.0828 1296 mssmbios - ok
    22:44:41.0546 1296 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    22:44:41.0562 1296 MSTEE - ok
    22:44:42.0171 1296 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    22:44:42.0234 1296 Mup - ok
    22:44:42.0937 1296 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    22:44:43.0000 1296 NABTSFEC - ok
    22:44:43.0750 1296 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    22:44:43.0843 1296 NDIS - ok
    22:44:44.0484 1296 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    22:44:44.0500 1296 NdisIP - ok
    22:44:45.0078 1296 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    22:44:45.0093 1296 NdisTapi - ok
    22:44:45.0687 1296 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    22:44:45.0687 1296 Ndisuio - ok
    22:44:46.0328 1296 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    22:44:46.0390 1296 NdisWan - ok
    22:44:46.0968 1296 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    22:44:47.0000 1296 NDProxy - ok
    22:44:47.0593 1296 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    22:44:47.0609 1296 NetBIOS - ok
    22:44:48.0312 1296 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    22:44:48.0406 1296 NetBT - ok
    22:44:49.0000 1296 netlimiter (d494f43bc88d43f5ae4223dca86fde0f) C:\WINDOWS\system32\drivers\netlimiter.sys
    22:44:49.0015 1296 netlimiter - ok
    22:44:49.0593 1296 netlock (edea4e28290ca075f79bff1eca7a61f4) C:\WINDOWS\system32\drivers\netlock.sys
    22:44:49.0593 1296 netlock - ok
    22:44:50.0265 1296 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    22:44:50.0281 1296 Npfs - ok
    22:44:51.0171 1296 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    22:44:51.0515 1296 Ntfs - ok
    22:44:52.0125 1296 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
    22:44:52.0140 1296 NTIDrvr - ok
    22:44:52.0718 1296 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    22:44:52.0718 1296 Null - ok
    22:44:53.0250 1296 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    22:44:53.0265 1296 NwlnkFlt - ok
    22:44:53.0781 1296 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    22:44:53.0796 1296 NwlnkFwd - ok
    22:44:54.0390 1296 OsaFsLoc (635495e3258dfb252b5feee59fa2d5a3) C:\WINDOWS\system32\drivers\OsaFsLoc.sys
    22:44:54.0406 1296 OsaFsLoc - ok
    22:44:55.0031 1296 osaio (18e841bac9b822fac99d828ee95f0df3) C:\WINDOWS\system32\drivers\osaio.sys
    22:44:55.0046 1296 osaio - ok
    22:44:55.0578 1296 osanbm (dda8baa7e1b99c6cbd9dcb7621fb727e) C:\WINDOWS\system32\drivers\osanbm.sys
    22:44:55.0593 1296 osanbm - ok
    22:44:56.0312 1296 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    22:44:56.0390 1296 Parport - ok
    22:44:57.0000 1296 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    22:44:57.0015 1296 PartMgr - ok
    22:44:57.0546 1296 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    22:44:57.0562 1296 ParVdm - ok
    22:44:58.0203 1296 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    22:44:58.0234 1296 PCI - ok
    22:44:58.0750 1296 PCIDump - ok
    22:44:59.0328 1296 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    22:44:59.0343 1296 PCIIde - ok
    22:44:59.0937 1296 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    22:45:00.0015 1296 Pcmcia - ok
    22:45:00.0546 1296 PDCOMP - ok
    22:45:01.0078 1296 PDFRAME - ok
    22:45:01.0593 1296 PDRELI - ok
    22:45:02.0078 1296 PDRFRAME - ok
    22:45:02.0562 1296 perc2 - ok
    22:45:03.0046 1296 perc2hib - ok
    22:45:03.0703 1296 Point32 (273afc65fabf97326aa78ffe38b1e071) C:\WINDOWS\system32\DRIVERS\point32.sys
    22:45:03.0703 1296 Point32 - ok
    22:45:04.0328 1296 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    22:45:04.0359 1296 PptpMiniport - ok
    22:45:04.0875 1296 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    22:45:04.0906 1296 Processor - ok
    22:45:05.0468 1296 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    22:45:05.0500 1296 PSched - ok
    22:45:06.0125 1296 psdfilter (85e295efc530743bbd6165a63b3daaed) C:\WINDOWS\system32\Drivers\psdfilter.sys
    22:45:06.0140 1296 psdfilter - ok
    22:45:06.0750 1296 psdvdisk (5edb31248c84bf524a72b9b97011d91c) C:\WINDOWS\system32\Drivers\psdvdisk.sys
    22:45:06.0796 1296 psdvdisk - ok
    22:45:07.0328 1296 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    22:45:07.0343 1296 Ptilink - ok
    22:45:07.0890 1296 ql1080 - ok
    22:45:08.0375 1296 Ql10wnt - ok
    22:45:08.0859 1296 ql12160 - ok
    22:45:09.0437 1296 ql1240 - ok
    22:45:10.0062 1296 ql1280 - ok
    22:45:10.0625 1296 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    22:45:10.0625 1296 RasAcd - ok
    22:45:11.0250 1296 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    22:45:11.0281 1296 Rasl2tp - ok
    22:45:11.0843 1296 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    22:45:11.0875 1296 RasPppoe - ok
    22:45:12.0390 1296 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    22:45:12.0406 1296 Raspti - ok
    22:45:13.0000 1296 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    22:45:13.0109 1296 Rdbss - ok
    22:45:13.0640 1296 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    22:45:13.0640 1296 RDPCDD - ok
    22:45:14.0359 1296 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    22:45:14.0468 1296 rdpdr - ok
    22:45:15.0109 1296 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    22:45:15.0187 1296 RDPWD - ok
    22:45:15.0828 1296 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    22:45:15.0875 1296 redbook - ok
    22:45:16.0625 1296 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    22:45:16.0640 1296 Secdrv - ok
    22:45:17.0234 1296 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    22:45:17.0234 1296 serenum - ok
    22:45:17.0828 1296 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    22:45:17.0875 1296 Serial - ok
    22:45:18.0484 1296 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    22:45:18.0500 1296 Sfloppy - ok
    22:45:19.0093 1296 Simbad - ok
    22:45:19.0718 1296 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    22:45:19.0718 1296 SLIP - ok
    22:45:20.0515 1296 Sparrow - ok
    22:45:21.0093 1296 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    22:45:21.0109 1296 splitter - ok
    22:45:21.0828 1296 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    22:45:21.0875 1296 sr - ok
    22:45:22.0656 1296 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    22:45:22.0859 1296 Srv - ok
    22:45:23.0453 1296 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
    22:45:23.0468 1296 StillCam - ok
    22:45:24.0062 1296 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    22:45:24.0078 1296 streamip - ok
    22:45:24.0703 1296 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    22:45:24.0718 1296 swenum - ok
    22:45:25.0312 1296 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    22:45:25.0343 1296 swmidi - ok
    22:45:25.0937 1296 symc810 - ok
    22:45:26.0468 1296 symc8xx - ok
    22:45:27.0000 1296 sym_hi - ok
    22:45:27.0468 1296 sym_u3 - ok
    22:45:28.0031 1296 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    22:45:28.0078 1296 sysaudio - ok
    22:45:28.0906 1296 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    22:45:29.0109 1296 Tcpip - ok
    22:45:29.0687 1296 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    22:45:29.0703 1296 TDPIPE - ok
    22:45:30.0312 1296 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    22:45:30.0312 1296 TDTCP - ok
    22:45:30.0937 1296 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    22:45:30.0968 1296 TermDD - ok
    22:45:31.0546 1296 TosIde - ok
    22:45:32.0171 1296 tvicport (97dd70feca64fb4f63de7bb7e66a80b1) C:\WINDOWS\system32\drivers\tvicport.sys
    22:45:32.0187 1296 tvicport - ok
    22:45:32.0734 1296 UBHelper (e0c67be430c6de490d6ccaecfa071f9e) C:\WINDOWS\system32\drivers\UBHelper.sys
    22:45:32.0765 1296 UBHelper - ok
    22:45:33.0359 1296 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    22:45:33.0406 1296 Udfs - ok
    22:45:34.0015 1296 ultra - ok
    22:45:34.0859 1296 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    22:45:35.0078 1296 Update - ok
    22:45:35.0781 1296 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
    22:45:35.0812 1296 USBAAPL - ok
    22:45:36.0468 1296 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    22:45:36.0500 1296 usbaudio - ok
    22:45:37.0156 1296 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    22:45:37.0187 1296 usbccgp - ok
    22:45:37.0765 1296 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    22:45:37.0796 1296 usbehci - ok
    22:45:38.0421 1296 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    22:45:38.0453 1296 usbhub - ok
    22:45:39.0000 1296 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    22:45:39.0015 1296 usbohci - ok
    22:45:39.0656 1296 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    22:45:39.0671 1296 usbprint - ok
    22:45:40.0250 1296 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    22:45:40.0265 1296 usbscan - ok
    22:45:40.0843 1296 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    22:45:40.0859 1296 USBSTOR - ok
    22:45:41.0484 1296 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    22:45:41.0562 1296 usbvideo - ok
    22:45:42.0218 1296 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    22:45:42.0234 1296 VgaSave - ok
    22:45:42.0734 1296 ViaIde - ok
    22:45:43.0390 1296 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    22:45:43.0421 1296 VolSnap - ok
    22:45:44.0015 1296 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    22:45:44.0031 1296 Wanarp - ok
    22:45:44.0625 1296 WDICA - ok
    22:45:45.0234 1296 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    22:45:45.0296 1296 wdmaud - ok
    22:45:46.0156 1296 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    22:45:46.0171 1296 WSTCODEC - ok
    22:45:46.0953 1296 yukonwxp (2b77c863552ea9cdb989d484143ed016) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
    22:45:47.0109 1296 yukonwxp - ok
    22:45:47.0703 1296 zntport (40ac8590cc9006dbb99ffcb37879d4c6) C:\WINDOWS\system32\drivers\zntport.sys
    22:45:47.0703 1296 zntport - ok
    22:45:47.0765 1296 MBR (0x1B8) (c249687691fae9455120f86391536eed) \Device\Harddisk0\DR0
    22:45:47.0796 1296 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
    22:45:47.0796 1296 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
    22:45:47.0812 1296 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR4
    22:45:50.0812 1296 \Device\Harddisk1\DR4 - ok
    22:45:50.0843 1296 Boot (0x1200) (4c48fdf0bd6e561a55f39ee3fec13c3a) \Device\Harddisk0\DR0\Partition0
    22:45:50.0843 1296 \Device\Harddisk0\DR0\Partition0 - ok
    22:45:50.0890 1296 Boot (0x1200) (24c72702aa65a48796a39f25dc62d0e2) \Device\Harddisk0\DR0\Partition1
    22:45:50.0890 1296 \Device\Harddisk0\DR0\Partition1 - ok
    22:45:50.0906 1296 Boot (0x1200) (5c612605bdf6ab49beaf1b053489d944) \Device\Harddisk1\DR4\Partition0
    22:45:50.0906 1296 \Device\Harddisk1\DR4\Partition0 - ok
    22:45:50.0906 1296 ============================================================
    22:45:50.0906 1296 Scan finished
    22:45:50.0906 1296 ============================================================
    22:45:50.0953 1288 Detected object count: 1
    22:45:50.0953 1288 Actual detected object count: 1
    22:47:27.0562 1288 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    22:47:27.0562 1288 \Device\Harddisk0\DR0 - ok
    22:47:27.0562 1288 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
    22:47:35.0187 1252 Deinitialize success
     
  13. 2012/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Very well.

    See if you can reboot in normal mode and operate fine from there.

    If so update MBAM, post new log.

    Post new aswMBR log as well.
     
  14. 2012/01/11
    bcpowder

    bcpowder Inactive Thread Starter

    Joined:
    2012/01/08
    Messages:
    13
    Likes Received:
    0
    Booted in Normal Mode and ran MBAM

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2011.12.24.05

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Brian Cumming :: BCA-C04-08 [administrator]

    Protection: Enabled

    1/11/2012 11:32:44 PM
    mbam-log-2012-01-11 (23-32-44).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 189870
    Time elapsed: 13 minute(s), 24 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  15. 2012/01/11
    bcpowder

    bcpowder Inactive Thread Starter

    Joined:
    2012/01/08
    Messages:
    13
    Likes Received:
    0
    Ran aswMBR and seems clean

    aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-11 23:53:19
    -----------------------------
    23:53:19.156 OS Version: Windows 5.1.2600 Service Pack 3
    23:53:19.156 Number of processors: 2 586 0x6B02
    23:53:19.156 ComputerName: BCA-C04-08 UserName:
    23:53:28.015 Initialize success
    23:53:49.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    23:53:49.281 Disk 0 Vendor: Hitachi_HDS721616PLA380 P22OABEA Size: 152627MB BusType: 3
    23:53:49.296 Disk 0 MBR read successfully
    23:53:49.296 Disk 0 MBR scan
    23:53:49.296 Disk 0 unknown MBR code
    23:53:49.296 Disk 0 Partition 1 00 12 Compaq diag MSWIN4.1 5992 MB offset 63
    23:53:49.312 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 73069 MB offset 12273660
    23:53:49.343 Disk 0 Partition 3 00 0C FAT32 LBA MSWIN4.1 73563 MB offset 161919135
    23:53:49.343 Disk 0 scanning sectors +312576705
    23:53:49.406 Disk 0 scanning C:\WINDOWS\system32\drivers
    23:54:10.015 Service scanning
    23:54:11.296 Modules scanning
    23:54:17.656 Disk 0 trace - called modules:
    23:54:17.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    23:54:17.703 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a977ab8]
    23:54:17.703 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006b[0x8a985f18]
    23:54:17.703 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a95bd98]
    23:54:17.703 Scan finished successfully
    23:54:42.828 Disk 0 MBR has been saved successfully to "F:\Results\MBR.dat "
    23:54:42.859 The log file has been saved successfully to "F:\Results\aswMBR Last.txt "
     
  16. 2012/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your MBAM version is outdated.
    I asked you to update it first, then run it.
    Do it now please.
     
  17. 2012/01/11
    bcpowder

    bcpowder Inactive Thread Starter

    Joined:
    2012/01/08
    Messages:
    13
    Likes Received:
    0
    In looking over my computer files, it appears the following has happened as a result of the virus:
    1. all files and folders in MyDocuments are non-existent. Is there any way to retrieve them?

    2. My list of Start> All Programs in the Start menu is completely gone. The c:\Program Files\ folder structure has all the program folders and files, but the shortcuts in All Programs are gone. Is there any way or tools to retrieve this Start>All Programs> menu list?

    Thanks soooo much for your help. :eek:
     
  18. 2012/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Update and run MBAM first.

    Then....

    Let's see if we can recover your missing features.
    Download and run UnHide
    Let me know if it worked.
     
  19. 2012/01/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Still with me?
     