
Solved Unresponsive Computer

Discussion in 'Malware and Virus Removal Archive' started by twofanman, 2012/10/22.

  1. 2012/10/22, twofanman (Thread Starter)

    [Resolved] Unresponsive Computer

    Hello,

    Wife's desktop computer. Running Windows XP Pro. She clicked on what I believe was a phishing message and downloaded a trojan and/or malware. Computer will start but is unresponsive once booted.

    Was able to start in safe mode but only without network access and only in "Administrator" area. Downloaded all 4 recommended diagnostic tools from another computer onto a jump drive and was able to run them on infected computer from jump drive, but without updating MalwareBytes signature.

    Ran all 4 diagnostics. MalwareBytes found 1 trojan. Logs attached.

    Then, tried restarting computer. Still won't run in normal mode. But was able this time to start in Safe Mode with network access (again in Administrator area). Reran MalwareBytes with updated signature. No new threats noted. Log attached.

    Now posting from another computer. Thanks in advance for your help.

    ***********************************************
    1st Malwarebytes scan (without update - database 22 days old)

    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.09.29.05

    Windows XP Service Pack 3 x86 NTFS (Safe Mode)
    Internet Explorer 8.0.6001.18702
    Administrator :: COBRA-018AFF514 [administrator]

    10/22/2012 11:15:29 AM
    mbam-log-2012-10-22 (11-15-29).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 208499
    Time elapsed: 6 minute(s), 16 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Documents and Settings\Cobra\Local Settings\Temp\6DC.tmp (Trojan.Agent.MRGGen) -> Quarantined and deleted successfully.

    (end)
    ****************************************************
    2nd Malwarebytes scan (with update)

    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.10.22.04

    Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 8.0.6001.18702
    Administrator :: COBRA-018AFF514 [administrator]

    10/22/2012 12:12:18 PM
    mbam-log-2012-10-22 (12-12-18).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 208376
    Time elapsed: 2 minute(s), 8 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    ************************************************
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-10-22 11:51:17
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 ST3320620AS rev.3.AAK
    Running: xsuififi.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kfxyikod.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[708] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 001A3AA9
    .text C:\WINDOWS\system32\svchost.exe[708] ntdll.dll!RtlRaiseException 7C90E528 5 Bytes JMP 001A3CC9
    .text C:\WINDOWS\system32\svchost.exe[708] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
    .text C:\WINDOWS\system32\svchost.exe[708] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 001A45B6
    .text C:\WINDOWS\system32\svchost.exe[708] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 001A4617
    .text C:\WINDOWS\system32\svchost.exe[708] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 001A4687
    .text C:\WINDOWS\system32\svchost.exe[708] USER32.dll!IsWindowVisible 7E429E3D 5 Bytes JMP 001A46BA
    .text C:\WINDOWS\system32\svchost.exe[708] USER32.dll!MessageBoxIndirectW 7E4664D5 6 Bytes [33, C0, 40, C2, 04, 00] {XOR EAX, EAX; INC EAX; RET 0x4}
    .text C:\WINDOWS\system32\svchost.exe[708] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 001A4820
    .text C:\WINDOWS\system32\svchost.exe[708] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 001A47F6
    .text C:\WINDOWS\system32\svchost.exe[708] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 001A4518

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T0L0-12 8A0092E2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A0092E2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A0092E2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A0092E2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A0092E2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-7 8A0092E2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 8A0092E2
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 8A0092E2

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----
    **********************************************************
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-10-22 11:54:49
    -----------------------------
    11:54:49.750 OS Version: Windows 5.1.2600 Service Pack 3
    11:54:49.750 Number of processors: 2 586 0xF0B
    11:54:49.750 ComputerName: COBRA-018AFF514 UserName: Administrator
    11:54:51.468 Initialize success
    11:55:14.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
    11:55:14.656 Disk 0 Vendor: ST3320620AS 3.AAK Size: 305245MB BusType: 3
    11:55:14.671 Device \Driver\atapi -> DriverStartIo 8a0092e2
    11:55:14.671 Disk 0 MBR read successfully
    11:55:14.687 Disk 0 MBR scan
    11:55:14.687 Disk 0 Windows XP default MBR code
    11:55:14.703 Disk 0 MBR hidden
    11:55:14.703 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 100006 MB offset 63
    11:55:14.734 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 205236 MB offset 204812685
    11:55:14.765 Disk 0 scanning sectors +625137345
    11:55:14.890 Disk 0 scanning C:\WINDOWS\system32\drivers
    11:55:30.875 Service scanning
    11:55:51.921 Modules scanning
    11:56:00.937 Disk 0 trace - called modules:
    11:56:00.968 ntoskrnl.exe CLASSPNP.SYS disk.sys vsflt53.sys hal.dll >>UNKNOWN [0x8a0094b1]<<
    11:56:01.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a147ab8]
    11:56:01.015 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> [0x8a123f10]
    11:56:01.046 5 vsflt53.sys[f74efc2b] -> nt!IofCallDriver -> [0x8a153b00]
    11:56:01.078 \Driver\atapi[0x8a0df400] -> IRP_MJ_CREATE -> 0x8a0094b1
    11:56:01.093 Scan finished successfully
    11:56:49.703 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat "
    11:56:49.718 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR20121022.txt "
    **********************************************************
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-10-19.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/9/2011 7:01:50 PM
    System Uptime: 10/22/2012 11:33:53 AM (0 hours ago)
    .
    Motherboard: Intel Corporation | | DG43GT
    Processor: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz | PROCESSOR | 2666/333mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 98 GiB total, 75.668 GiB free.
    D: is CDROM ()
    E: is Removable
    L: is FIXED (NTFS) - 200 GiB total, 200.357 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP489: 7/18/2012 8:03:39 AM - System Checkpoint
    RP490: 7/19/2012 8:58:20 AM - System Checkpoint
    RP491: 7/20/2012 9:53:01 AM - System Checkpoint
    RP492: 7/21/2012 10:47:39 AM - System Checkpoint
    RP493: 7/22/2012 11:44:01 AM - System Checkpoint
    RP494: 7/23/2012 12:37:29 PM - System Checkpoint
    RP495: 7/24/2012 1:32:10 PM - System Checkpoint
    RP496: 7/25/2012 2:36:20 PM - System Checkpoint
    RP497: 7/26/2012 3:21:32 PM - System Checkpoint
    RP498: 7/27/2012 4:17:18 PM - System Checkpoint
    RP499: 7/28/2012 4:27:35 PM - System Checkpoint
    RP500: 7/29/2012 5:03:47 PM - System Checkpoint
    RP501: 7/30/2012 6:07:08 PM - System Checkpoint
    RP502: 7/31/2012 6:53:06 PM - System Checkpoint
    RP503: 8/1/2012 7:48:52 PM - System Checkpoint
    RP504: 8/2/2012 8:42:27 PM - System Checkpoint
    RP505: 8/3/2012 9:37:09 PM - System Checkpoint
    RP506: 8/4/2012 10:31:48 PM - System Checkpoint
    RP507: 8/5/2012 11:26:29 PM - System Checkpoint
    RP508: 8/7/2012 12:21:10 AM - System Checkpoint
    RP509: 8/8/2012 1:15:50 AM - System Checkpoint
    RP510: 8/9/2012 2:10:30 AM - System Checkpoint
    RP511: 8/10/2012 3:04:06 AM - System Checkpoint
    RP512: 8/11/2012 3:59:06 AM - System Checkpoint
    RP513: 8/12/2012 4:53:48 AM - System Checkpoint
    RP514: 8/13/2012 5:48:26 AM - System Checkpoint
    RP515: 8/14/2012 6:43:07 AM - System Checkpoint
    RP516: 8/15/2012 7:37:49 AM - System Checkpoint
    RP517: 8/16/2012 3:00:17 AM - Software Distribution Service 3.0
    RP518: 8/17/2012 3:18:11 AM - System Checkpoint
    RP519: 8/18/2012 4:13:53 AM - System Checkpoint
    RP520: 8/19/2012 5:08:40 AM - System Checkpoint
    RP521: 8/20/2012 6:08:33 AM - System Checkpoint
    RP522: 8/21/2012 6:13:34 AM - System Checkpoint
    RP523: 8/22/2012 8:05:02 AM - System Checkpoint
    RP524: 8/23/2012 8:47:38 AM - System Checkpoint
    RP525: 8/24/2012 9:40:52 AM - System Checkpoint
    RP526: 8/25/2012 10:35:38 AM - System Checkpoint
    RP527: 8/26/2012 11:30:28 AM - System Checkpoint
    RP528: 8/27/2012 12:25:19 PM - System Checkpoint
    RP529: 8/28/2012 1:20:10 PM - System Checkpoint
    RP530: 8/29/2012 2:14:59 PM - System Checkpoint
    RP531: 8/30/2012 3:09:48 PM - System Checkpoint
    RP532: 8/31/2012 4:04:50 PM - System Checkpoint
    RP533: 9/1/2012 4:59:37 PM - System Checkpoint
    RP534: 9/2/2012 5:55:21 PM - System Checkpoint
    RP535: 9/3/2012 6:50:08 PM - System Checkpoint
    RP536: 9/4/2012 7:44:55 PM - System Checkpoint
    RP537: 9/5/2012 8:37:07 PM - System Checkpoint
    RP538: 9/6/2012 9:33:09 PM - System Checkpoint
    RP539: 9/7/2012 10:28:32 PM - System Checkpoint
    RP540: 9/8/2012 11:23:20 PM - System Checkpoint
    RP541: 9/10/2012 12:18:09 AM - System Checkpoint
    RP542: 9/11/2012 1:12:56 AM - System Checkpoint
    RP543: 9/12/2012 2:07:42 AM - System Checkpoint
    RP544: 9/12/2012 3:00:14 AM - Software Distribution Service 3.0
    RP545: 9/13/2012 3:02:29 AM - System Checkpoint
    RP546: 9/14/2012 3:57:03 AM - System Checkpoint
    RP547: 9/15/2012 4:52:15 AM - System Checkpoint
    RP548: 9/16/2012 5:47:00 AM - System Checkpoint
    RP549: 9/17/2012 6:41:47 AM - System Checkpoint
    RP550: 9/18/2012 7:36:35 AM - System Checkpoint
    RP551: 9/19/2012 8:31:22 AM - System Checkpoint
    RP552: 9/20/2012 9:26:12 AM - System Checkpoint
    RP553: 9/21/2012 10:21:23 AM - System Checkpoint
    RP554: 9/22/2012 11:16:01 AM - System Checkpoint
    RP555: 9/23/2012 3:00:13 AM - Software Distribution Service 3.0
    RP556: 9/24/2012 3:15:58 AM - System Checkpoint
    RP557: 9/25/2012 4:10:55 AM - System Checkpoint
    RP558: 9/26/2012 5:05:41 AM - System Checkpoint
    RP559: 9/27/2012 6:00:35 AM - System Checkpoint
    RP560: 9/28/2012 6:05:44 AM - System Checkpoint
    RP561: 9/29/2012 6:52:40 AM - System Checkpoint
    RP562: 9/30/2012 7:48:26 AM - System Checkpoint
    RP563: 10/1/2012 8:42:10 AM - System Checkpoint
    RP564: 10/2/2012 9:37:05 AM - System Checkpoint
    RP565: 10/3/2012 10:32:01 AM - System Checkpoint
    RP566: 10/4/2012 11:26:59 AM - System Checkpoint
    RP567: 10/5/2012 12:20:53 PM - System Checkpoint
    RP568: 10/6/2012 1:15:36 PM - System Checkpoint
    RP569: 10/7/2012 2:10:19 PM - System Checkpoint
    RP570: 10/8/2012 3:05:12 PM - System Checkpoint
    RP571: 10/9/2012 3:07:33 PM - System Checkpoint
    RP572: 10/10/2012 3:00:17 AM - Software Distribution Service 3.0
    RP573: 10/11/2012 3:18:10 AM - System Checkpoint
    RP574: 10/12/2012 4:12:37 AM - System Checkpoint
    RP575: 10/13/2012 5:08:24 AM - System Checkpoint
    RP576: 10/14/2012 6:03:02 AM - System Checkpoint
    RP577: 10/15/2012 6:58:45 AM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    Acronis True Image WD*Edition
    Adobe AIR
    Adobe Flash Player 11 ActiveX
    Adobe Reader X (10.1.3)
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Bonjour
    Coupon Printer for Windows
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB2756822)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) Management Engine Interface
    Intel(R) Network Connections 15.1.29.0
    iTunes
    Java Auto Updater
    Java(TM) 7 Update 4
    JavaFX 2.1.0
    Malwarebytes Anti-Malware version 1.65.1.1000
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6.0 Parser (KB933579)
    QuickTime
    Realtek High Definition Audio Driver
    Safari
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687314) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
    Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
    Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Office Word 2007 (KB2687315) 32-Bit Edition
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB2675157)
    Security Update for Windows Internet Explorer 8 (KB2699988)
    Security Update for Windows Internet Explorer 8 (KB2722913)
    Security Update for Windows Internet Explorer 8 (KB2744842)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2482017)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2621440)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2641653)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2647518)
    Security Update for Windows XP (KB2653956)
    Security Update for Windows XP (KB2655992)
    Security Update for Windows XP (KB2659262)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB2676562)
    Security Update for Windows XP (KB2685939)
    Security Update for Windows XP (KB2686509)
    Security Update for Windows XP (KB2691442)
    Security Update for Windows XP (KB2695962)
    Security Update for Windows XP (KB2698365)
    Security Update for Windows XP (KB2705219)
    Security Update for Windows XP (KB2707511)
    Security Update for Windows XP (KB2709162)
    Security Update for Windows XP (KB2712808)
    Security Update for Windows XP (KB2718523)
    Security Update for Windows XP (KB2719985)
    Security Update for Windows XP (KB2723135)
    Security Update for Windows XP (KB2724197)
    Security Update for Windows XP (KB2731847)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
    Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687407) 32-Bit Edition
    Update for Windows Internet Explorer 8 (KB2447568)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB2661254-v2)
    Update for Windows XP (KB2718704)
    Update for Windows XP (KB2736233)
    Update for Windows XP (KB2749655)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows XP Service Pack 3
    XML Paper Specification Shared Components Pack 1.0
    .
    ==== Event Viewer Messages From Past Week ========
    .
    10/22/2012 11:30:28 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    10/20/2012 6:28:16 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    10/20/2012 1:43:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    10/20/2012 1:43:33 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    10/20/2012 1:43:33 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/20/2012 1:43:33 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/20/2012 1:43:33 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    10/20/2012 1:43:33 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/20/2012 1:43:33 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    10/20/2012 1:43:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    10/20/2012 1:42:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    .
    ==== End Of File ===========================
    **********************************************************
    DDS (Ver_2012-10-19.01) - NTFS_x86 MINIMAL
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
    Run by Administrator at 11:57:24 on 2012-10-22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3035.2694 [GMT -6:00]
    .
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [TrueImageMonitor.exe] "c:\program files\acronis\trueimagehome\TrueImageMonitor.exe "
    mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe "
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1302398797234
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 75.75.75.75 75.75.76.76
    TCP: Interfaces\{6E96A92C-BD92-4DD3-9080-93D97EC04A7C} : DHCPNameServer = 75.75.75.75 75.75.76.76
    Notify: igfxcui - igfxdev.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 vididr;Acronis Virtual Disk;c:\windows\system32\drivers\vididr.sys [2011-11-14 125472]
    R0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\drivers\vsflt53.sys [2011-11-14 83392]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-4-9 1684736]
    S3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2011-4-9 241880]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2011-4-9 116224]
    .
    =============== Created Last 30 ================
    .
    2012-10-22 17:15:09 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
    2012-10-22 17:14:42 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2012-10-22 17:14:41 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-10-22 17:14:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-10-22 17:13:27 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Temp
    2012-10-22 17:13:27 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Adobe
    2012-10-11 01:17:47 230840 ----a-r- c:\windows\cpnprt2.cid
    .
    ==================== Find3M ====================
    .
    2012-10-11 01:17:47 230840 ------w- c:\windows\system32\cpnprt2.cid
    2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14:53 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07:15 385024 ------w- c:\windows\system32\html.iec
    2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-21 13:33:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-21 12:58:09 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-08-17 16:16:09 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-08-17 16:16:09 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3320620AS rev.3.AAK -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys vsflt53.sys hal.dll >>UNKNOWN [0x8A0094B1]<<
    c:\windows\system32\drivers\vsflt53.sys Acronis Acronis Virtual Disk
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a01093c]; MOV EAX, [0x8a010ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A147AB8]
    3 CLASSPNP[0xF7657FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A123F10]
    5 vsflt53[0xF74EFC2B] -> nt!IofCallDriver[0x804E13B9] -> [0x8A153B00]
    \Driver\atapi[0x8A0DF400] -> IRP_MJ_CREATE -> 0x8A0094B1
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A0092E2
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 11:58:02.68 ===============
    **********************************************************
     
  2. 2012/10/22
    broni (Moderator, Malware Analyst)
    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===========================================

    You abandoned this topic in the past: http://www.windowsbbs.com/malware-v...ogle-redirect-trojan-happili-trojan-zbot.html
    If it happens again you won't be eligible to receive any more help in malware removal forum.


    ========================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
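A small triage helper for the log this step asks you to paste, added here as example code (it is not part of the thread and not part of TDSSKiller): it reads the service-scan lines in the format TDSSKiller prints (optional `[ MD5 ]`, object name and path, then a `name - status` line) and returns every object whose status is not `ok`, including objects whose status line never arrived because the log was cut off. The `infected` verdict line and the truncated last entry in the sample are constructed.

```python
"""Parse the service-scan section of a TDSSKiller log and list anything
that is not reported as ok (example code, not TDSSKiller's own)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "<time> <pid> [ <md5> ] <name> <path>"  (path starts with a drive letter)
FILE_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+"
    r"\[ (?P<md5>[0-9A-Fa-f]{32}) \]\s+(?P<name>.+?)\s+(?P<path>[A-Za-z]:\\.*)$"
)
# "<time> <pid> <name> [( <verdict> )] - <status>"
STATUS_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<name>.+?)"
    r"(?:\s+\( (?P<verdict>[^)]+) \))?\s+-\s+(?P<status>\w+)\s*$"
)


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: Optional[str] = None   # None = no status line seen (log cut off)
    verdict: Optional[str] = None  # detection name, if the tool printed one


def parse_tdsskiller(text: str) -> Dict[str, Entry]:
    """Return one Entry per scanned object, keyed by object name."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            e = entries.setdefault(m["name"], Entry(m["name"]))
            e.md5, e.path = m["md5"].upper(), m["path"]
            continue
        m = STATUS_LINE.match(line)
        if m:
            e = entries.setdefault(m["name"], Entry(m["name"]))
            e.status, e.verdict = m["status"].lower(), m["verdict"]
    return entries


def suspicious(entries: Dict[str, Entry]) -> List[Entry]:
    """Everything an analyst should look at: any status other than ok,
    and any object that has a file line but no status line at all."""
    return [e for e in entries.values() if e.status != "ok"]


# Constructed sample: the ok lines mirror the format in the thread; the
# atapi verdict line is constructed, and Ambfilt deliberately lacks its
# status line to simulate a log that was cut off mid-scan.
SAMPLE_LOG = r"""
16:27:37.0406 1220 ================ Scan services =============================
16:27:37.0703 1220 Abiosdsk - ok
16:27:37.0796 1220 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:27:37.0875 1220 ACPI - ok
16:27:40.0203 1220 [ 7EF47644B74EBE721CC32211D3C35E76 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
16:27:40.0234 1220 Apple Mobile Device - ok
16:27:40.0703 1220 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
16:27:40.0703 1220 atapi ( Rootkit.Win32.TDSS.tdl3 ) - infected
16:27:39.0500 1220 [ F6AF59D6EEE5E1C304F7F73706AD11D8 ] Ambfilt C:\WINDOWS\system32\drivers\Ambfilt.sys
"""

if __name__ == "__main__":
    for e in suspicious(parse_tdsskiller(SAMPLE_LOG)):
        print(f"{e.name}: status={e.status} verdict={e.verdict} md5={e.md5} path={e.path}")
```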
     


  4. 2012/10/22
    twofanman (Lifetime Subscription, Thread Starter)
    Thank you for your response broni. I do apologize for not finishing the last thread. I did the best I could with the limited amount of time I had.

    Here is the TDSSKiller log. I had 1 "High Risk" threat which required a reboot to cure.
    **********************************************************
    16:27:25.0468 1204 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
    16:27:25.0500 1204 ============================================================
    16:27:25.0500 1204 Current date / time: 2012/10/22 16:27:25.0500
    16:27:25.0500 1204 SystemInfo:
    16:27:25.0500 1204
    16:27:25.0500 1204 OS Version: 5.1.2600 ServicePack: 3.0
    16:27:25.0500 1204 Product type: Workstation
    16:27:25.0500 1204 ComputerName: COBRA-018AFF514
    16:27:25.0500 1204 UserName: Administrator
    16:27:25.0500 1204 Windows directory: C:\WINDOWS
    16:27:25.0500 1204 System windows directory: C:\WINDOWS
    16:27:25.0500 1204 Processor architecture: Intel x86
    16:27:25.0500 1204 Number of processors: 2
    16:27:25.0500 1204 Page size: 0x1000
    16:27:25.0500 1204 Boot type: Safe boot
    16:27:25.0500 1204 ============================================================
    16:27:28.0859 1204 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    16:27:28.0859 1204 Drive \Device\Harddisk1\DR3 - Size: 0x778000000 (29.88 Gb), SectorSize: 0x200, Cylinders: 0xF3B, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
    16:27:28.0859 1204 ============================================================
    16:27:28.0859 1204 \Device\Harddisk0\DR0:
    16:27:28.0859 1204 MBR partitions:
    16:27:28.0859 1204 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xC35314E
    16:27:28.0859 1204 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xC35318D, BlocksNum 0x190DA534
    16:27:28.0859 1204 \Device\Harddisk1\DR3:
    16:27:28.0859 1204 MBR partitions:
    16:27:28.0859 1204 \Device\Harddisk1\DR3\Partition1: MBR, Type 0xC, StartLBA 0x88E0, BlocksNum 0x3BB7720
    16:27:28.0859 1204 ============================================================
    16:27:28.0921 1204 C: <-> \Device\Harddisk0\DR0\Partition1
    16:27:28.0953 1204 L: <-> \Device\Harddisk0\DR0\Partition2
    16:27:29.0000 1204 ============================================================
    16:27:29.0000 1204 Initialize success
    16:27:29.0000 1204 ============================================================
    16:27:35.0718 1220 ============================================================
    16:27:35.0718 1220 Scan started
    16:27:35.0718 1220 Mode: Manual;
    16:27:35.0718 1220 ============================================================
    16:27:37.0406 1220 ================ Scan system memory ========================
    16:27:37.0406 1220 System memory - ok
    16:27:37.0406 1220 ================ Scan services =============================
    16:28:01.0781 1220 SamSs - ok
    16:28:01.0828 1220 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
    16:28:01.0859 1220 SCardSvr - ok
    16:28:01.0937 1220 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
    16:28:02.0000 1220 Schedule - ok
    16:28:02.0031 1220 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
    16:28:02.0046 1220 Secdrv - ok
    16:28:02.0078 1220 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
    16:28:02.0078 1220 seclogon - ok
    16:28:02.0109 1220 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
    16:28:02.0125 1220 SENS - ok
    16:28:02.0140 1220 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
    16:28:02.0156 1220 serenum - ok
    16:28:02.0171 1220 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
    16:28:02.0203 1220 Serial - ok
    16:28:02.0234 1220 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
    16:28:02.0234 1220 Sfloppy - ok
    16:28:02.0375 1220 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
    16:28:02.0484 1220 SharedAccess - ok
    16:28:02.0562 1220 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
    16:28:02.0562 1220 ShellHWDetection - ok
    16:28:02.0562 1220 Simbad - ok
    16:28:02.0656 1220 [ 98B44C15B4EED76AA8DCCB64A4CA11AF ] snapman C:\WINDOWS\system32\DRIVERS\snapman.sys
    16:28:02.0734 1220 snapman - ok
    16:28:02.0734 1220 Sparrow - ok
    16:28:02.0765 1220 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
    16:28:02.0765 1220 splitter - ok
    16:28:02.0812 1220 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
    16:28:02.0843 1220 Spooler - ok
    16:28:02.0875 1220 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
    16:28:02.0890 1220 sr - ok
    16:28:02.0984 1220 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
    16:28:03.0031 1220 srservice - ok
    16:28:03.0156 1220 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
    16:28:03.0265 1220 Srv - ok
    16:28:03.0328 1220 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
    16:28:03.0359 1220 SSDPSRV - ok
    16:28:03.0500 1220 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
    16:28:03.0609 1220 stisvc - ok
    16:28:03.0640 1220 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
    16:28:03.0640 1220 swenum - ok
    16:28:03.0703 1220 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
    16:28:03.0718 1220 swmidi - ok
    16:28:03.0734 1220 SwPrv - ok
    16:28:03.0765 1220 symc810 - ok
    16:28:03.0765 1220 symc8xx - ok
    16:28:03.0781 1220 sym_hi - ok
    16:28:03.0796 1220 sym_u3 - ok
    16:28:03.0843 1220 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
    16:28:03.0859 1220 sysaudio - ok
    16:28:03.0921 1220 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
    16:28:03.0953 1220 SysmonLog - ok
    16:28:04.0062 1220 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
    16:28:04.0156 1220 TapiSrv - ok
    16:28:04.0328 1220 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
    16:28:04.0437 1220 Tcpip - ok
    16:28:04.0484 1220 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
    16:28:04.0484 1220 TDPIPE - ok
    16:28:04.0531 1220 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
    16:28:04.0531 1220 TDTCP - ok
    16:28:04.0562 1220 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
    16:28:04.0578 1220 TermDD - ok
    16:28:04.0687 1220 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
    16:28:04.0796 1220 TermService - ok
    16:28:04.0859 1220 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
    16:28:04.0859 1220 Themes - ok
    16:28:05.0078 1220 [ D8A96D0E25D43FDAC3BED09ADF39FDE9 ] timounter C:\WINDOWS\system32\DRIVERS\timntr.sys
    16:28:05.0281 1220 timounter - ok
    16:28:05.0328 1220 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
    16:28:05.0359 1220 TlntSvr - ok
    16:28:05.0375 1220 TosIde - ok
    16:28:05.0437 1220 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
    16:28:05.0468 1220 TrkWks - ok
    16:28:05.0531 1220 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
    16:28:05.0546 1220 Udfs - ok
    16:28:05.0562 1220 ultra - ok
    16:28:05.0703 1220 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
    16:28:05.0828 1220 Update - ok
    16:28:05.0921 1220 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
    16:28:05.0984 1220 upnphost - ok
    16:28:06.0015 1220 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
    16:28:06.0031 1220 UPS - ok
    16:28:06.0078 1220 [ EAFE1E00739AFE6C51487A050E772E17 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
    16:28:06.0109 1220 USBAAPL - ok
    16:28:06.0156 1220 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    16:28:06.0156 1220 usbccgp - ok
    16:28:06.0203 1220 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
    16:28:06.0218 1220 usbehci - ok
    16:28:06.0250 1220 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
    16:28:06.0265 1220 usbhub - ok
    16:28:06.0296 1220 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
    16:28:06.0312 1220 usbprint - ok
    16:28:06.0359 1220 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
    16:28:06.0390 1220 usbscan - ok
    16:28:06.0421 1220 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    16:28:06.0437 1220 USBSTOR - ok
    16:28:06.0453 1220 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    16:28:06.0453 1220 usbuhci - ok
    16:28:06.0500 1220 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
    16:28:06.0515 1220 VgaSave - ok
    16:28:06.0515 1220 ViaIde - ok
    16:28:06.0593 1220 [ 149EC3E217F9D11E9CA6C54CE3D70C73 ] vididr C:\WINDOWS\system32\DRIVERS\vididr.sys
    16:28:06.0640 1220 vididr - ok
    16:28:06.0671 1220 [ E31E9CD40677B84B3ADAA7A0D80DC439 ] vidsflt53 C:\WINDOWS\system32\DRIVERS\vsflt53.sys
    16:28:06.0703 1220 vidsflt53 - ok
    16:28:06.0718 1220 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
    16:28:06.0750 1220 VolSnap - ok
    16:28:06.0859 1220 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
    16:28:06.0953 1220 VSS - ok
    16:28:07.0046 1220 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
    16:28:07.0093 1220 W32Time - ok
    16:28:07.0140 1220 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
    16:28:07.0156 1220 Wanarp - ok
    16:28:07.0171 1220 WDICA - ok
    16:28:07.0218 1220 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
    16:28:07.0250 1220 wdmaud - ok
    16:28:07.0312 1220 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
    16:28:07.0343 1220 WebClient - ok
    16:28:07.0500 1220 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
    16:28:07.0546 1220 winmgmt - ok
    16:28:08.0156 1220 [ C7E39EA41233E9F5B86C8DA3A9F1E4A8 ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
    16:28:08.0171 1220 WmdmPmSN - ok
    16:28:08.0421 1220 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
    16:28:08.0593 1220 Wmi - ok
    16:28:08.0671 1220 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
    16:28:08.0718 1220 WmiApSrv - ok
    16:28:08.0796 1220 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
    16:28:08.0828 1220 wscsvc - ok
    16:28:08.0859 1220 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
    16:28:08.0859 1220 wuauserv - ok
    16:28:09.0062 1220 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
    16:28:09.0218 1220 WZCSVC - ok
    16:28:09.0281 1220 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
    16:28:09.0328 1220 xmlprov - ok
    16:28:09.0343 1220 ================ Scan global ===============================
    16:28:09.0421 1220 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
    16:28:09.0562 1220 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
    16:28:09.0750 1220 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
    16:28:09.0812 1220 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
    16:28:09.0812 1220 [Global] - ok
    16:28:09.0812 1220 ================ Scan MBR ==================================
    16:28:09.0828 1220 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
    16:28:09.0828 1220 Suspicious mbr (Forged): \Device\Harddisk0\DR0
    16:28:09.0843 1220 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
    16:28:09.0843 1220 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
    16:28:09.0859 1220 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk1\DR3
    16:28:11.0812 1220 \Device\Harddisk1\DR3 - ok
    16:28:11.0812 1220 ================ Scan VBR ==================================
    16:28:11.0812 1220 [ 15DFA82ECD1D65E20D447CB91EE2C6DF ] \Device\Harddisk0\DR0\Partition1
    16:28:11.0812 1220 \Device\Harddisk0\DR0\Partition1 - ok
    16:28:11.0843 1220 [ 131A80252E554022EA77C163A18557B2 ] \Device\Harddisk0\DR0\Partition2
    16:28:11.0843 1220 \Device\Harddisk0\DR0\Partition2 - ok
    16:28:11.0859 1220 [ FD3DE37AD37A2D3A4FB767F69DFCB784 ] \Device\Harddisk1\DR3\Partition1
    16:28:11.0859 1220 \Device\Harddisk1\DR3\Partition1 - ok
    16:28:11.0859 1220 ============================================================
    16:28:11.0859 1220 Scan finished
    16:28:11.0859 1220 ============================================================
    16:28:11.0875 1212 Detected object count: 1
    16:28:11.0875 1212 Actual detected object count: 1
    16:28:43.0796 1212 \Device\Harddisk0\DR0\# - copied to quarantine
    16:28:43.0796 1212 \Device\Harddisk0\DR0 - copied to quarantine
    16:28:43.0875 1212 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
    16:28:43.0890 1212 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
    16:28:43.0906 1212 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
    16:28:43.0921 1212 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
    16:28:43.0937 1212 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
    16:28:43.0968 1212 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
    16:28:43.0984 1212 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
    16:28:43.0984 1212 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
    16:28:43.0984 1212 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
    16:28:43.0984 1212 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
    16:28:43.0984 1212 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
    16:28:43.0984 1212 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
    16:28:44.0031 1212 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
    16:28:44.0031 1212 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
    16:28:44.0031 1212 \Device\Harddisk0\DR0 - ok
    16:28:44.0046 1212 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
    16:28:55.0218 1196 Deinitialize success
     
  5. 2012/10/22
    broni Moderator Malware Analyst
    See if you can restart in normal mode, update and run MBAM.
    If so, post new log.

    Then...

    • Download RogueKiller on the desktop
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.
     
  6. 2012/10/22
    twofanman Inactive Thread Starter
    OK. Started in normal mode. No weirdness detected. Seems to be running well AFAICT.

    Here are the MBAM rerun and the RogueKiller report after that.
    *******************************************
    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.10.22.06

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Cobra :: COBRA-018AFF514 [administrator]

    10/22/2012 6:34:39 PM
    mbam-log-2012-10-22 (18-34-39).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 209752
    Time elapsed: 2 minute(s), 41 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
    *********************************************
    RogueKiller V8.1.1 [10/01/2012] by Tigzy
    mail: tigzyRK<at>gmail<dot>com
    Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
    Website: http://tigzy.geekstogo.com/roguekiller.php
    Blog: http://tigzyrk.blogspot.com

    Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : Cobra [Admin rights]
    Mode : Remove -- Date : 10/22/2012 18:44:52

    ¤¤¤ Bad processes : 1 ¤¤¤

    ¤¤¤ Registry Entries : 3 ¤¤¤
    [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\04228943 (system32\drivers\48806430.sys) -> DELETED
    [Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\04228943 (system32\drivers\48806430.sys) -> DELETED
    [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [LOADED] ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> C:\WINDOWS\system32\drivers\etc\hosts

    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST3320620AS +++++
    --- User ---
    [MBR] 8fac501a8df935fe155398a35347ad25
    [BSP] 6b840e5226bc68bb5fd8872c91a688a0 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 100006 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 204812685 | Size: 205236 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: Lexar Echo USB Device +++++
    --- User ---
    [MBR] 3eb54862b182814a597c1ce3b797bf1f
    [BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 35040 | Size: 30574 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!

    Finished : << RKreport[2].txt >>
    RKreport[1].txt ; RKreport[2].txt



    ************************************
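    The MBR Check in the RogueKiller report above lists, for each drive, a hash of the first sector and the decoded partition table. As an added example (not code from the thread, RogueKiller or TDSSKiller), the Python below builds a constructed 512-byte MBR whose entries reproduce the PhysicalDrive0 lines, decodes and renders them in that layout, checks the table for structural problems, and compares the sector hash against a known-good baseline. The placeholder boot-code bytes, the HIDDEN label and the choice of MD5 are assumptions.

```python
# Added example: decode and sanity-check a raw MBR sector the way the thread's
# tools summarise it. Not code from RogueKiller, TDSSKiller or the forum.
import hashlib
import struct

SECTOR = 512
MIB = 1024 * 1024
ENTRY_FMT = "<B3sB3sII"  # flag, CHS start, type, CHS end, LBA start, LBA size

# Partition type ids seen in the thread's report; the hidden ids are the
# standard "hidden" variants (assumption: a tool would label those [HIDDEN]).
PARTITION_TYPES = {0x07: "NTFS", 0x0C: "FAT32-LBA"}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

# Constructed sample input. The boot-code bytes are a placeholder, not real
# loader code; the partition values are chosen to reproduce the report's
# PhysicalDrive0 table (start at sector 63, 100006 MiB; second at 204812685).
SAMPLE_CODE = b"\xEB\xFE" + b"\x90" * 8  # placeholder: jmp $ followed by nops
SAMPLE_PARTITIONS = [
    # (active, type id, LBA start, size in sectors)
    (True, 0x07, 63, 204812622),
    (False, 0x07, 204812685, 205236 * 2048),
]


def build_test_mbr(code, partitions):
    """Assemble a 512-byte MBR: 446 bytes of code, 4 entries, 0x55AA signature."""
    if len(partitions) > 4:
        raise ValueError("an MBR holds at most four primary entries")
    mbr = bytearray(code.ljust(446, b"\x00")[:446])
    for active, type_id, start, size in partitions:
        flag = 0x80 if active else 0x00
        # CHS fields are zeroed; modern tools read the LBA fields instead.
        mbr += struct.pack(ENTRY_FMT, flag, b"\x00" * 3, type_id, b"\x00" * 3, start, size)
    mbr += b"\x00" * (16 * (4 - len(partitions)))
    mbr += b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the sector hash and the non-empty partition-table entries."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        flag, _, type_id, _, start, size = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if type_id == 0:
            continue  # empty slot
        entries.append({
            "index": i,
            "active": flag == 0x80,
            "type_id": type_id,
            "type_name": PARTITION_TYPES.get(type_id, "Unknown"),
            "hidden": type_id in HIDDEN_TYPES,
            "start_lba": start,
            "size_sectors": size,
            "size_mib": size * SECTOR // MIB,  # truncated, as the report's "Mo"
        })
    # Assumption: the bracketed value the tools print beside each drive is an
    # MD5 of the raw sector; any stable hash serves as a baseline either way.
    return {"md5": hashlib.md5(mbr).hexdigest(), "partitions": entries}


def format_entry(entry):
    """Render one entry in the layout RogueKiller uses in its MBR Check."""
    state = "ACTIVE" if entry["active"] else "XXXXXX"
    vis = "HIDDEN" if entry["hidden"] else "VISIBLE"
    return (f"{entry['index']} - [{state}] {entry['type_name']} (0x{entry['type_id']:02x}) "
            f"[{vis}] Offset (sectors): {entry['start_lba']} | Size: {entry['size_mib']} Mo")


def check_layout(entries):
    """Structural checks a reviewer applies to a partition table; returns problems."""
    problems = []
    if sum(e["active"] for e in entries) > 1:
        problems.append("more than one active partition")
    ordered = sorted(entries, key=lambda e: e["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["size_sectors"] > b["start_lba"]:
            problems.append(f"partition {a['index']} overlaps partition {b['index']}")
    return problems


def mbr_matches_baseline(mbr, known_good_md5):
    """Compare a freshly read sector with the hash recorded on a clean system."""
    return hashlib.md5(mbr).hexdigest().lower() == known_good_md5.lower()


if __name__ == "__main__":
    sample = build_test_mbr(SAMPLE_CODE, SAMPLE_PARTITIONS)
    info = parse_mbr(sample)
    print("[MBR]", info["md5"])
    for e in info["partitions"]:
        print(format_entry(e))
    print("layout problems:", check_layout(info["partitions"]) or "none")
```

    On a live system the sector would come from reading the first 512 bytes of the physical drive with administrative rights; the baseline hash is the one recorded while the machine was known to be clean.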
     
  7. 2012/10/22
    broni Moderator Malware Analyst
    Good :)

    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.

    • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    • NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  8. 2012/10/22
    twofanman Inactive Thread Starter
    No problems running ComboFix. Here is the log.
    *********************************
    ComboFix 12-10-22.02 - Cobra 10/22/2012 19:34:45.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3035.2565 [GMT -6:00]
    Running from: c:\documents and settings\Cobra\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-09-23 to 2012-10-23 )))))))))))))))))))))))))))))))
    .
    .
    2012-10-23 00:34 . 2012-10-23 00:34 -------- d-----w- c:\documents and settings\Cobra\Application Data\Malwarebytes
    2012-10-22 22:28 . 2012-10-22 22:28 -------- d-----w- C:\TDSSKiller_Quarantine
    2012-10-22 17:14 . 2012-10-22 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2012-10-22 17:14 . 2012-10-23 00:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2012-10-22 17:14 . 2012-09-30 01:54 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-10-22 17:12 . 2012-10-22 17:12 -------- d-----w- c:\documents and settings\Administrator
    2012-10-11 01:17 . 2012-10-11 01:17 230840 ----a-r- c:\windows\cpnprt2.cid
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-11 01:17 . 2011-08-06 15:34 230840 ------w- c:\windows\system32\cpnprt2.cid
    2012-08-28 15:14 . 2007-07-27 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-08-28 15:14 . 2007-07-27 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-08-28 15:14 . 2007-07-27 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-08-28 12:07 . 2007-07-27 12:00 385024 ------w- c:\windows\system32\html.iec
    2012-08-24 13:53 . 2007-07-27 12:00 177664 ----a-w- c:\windows\system32\wintrust.dll
    2012-08-21 13:33 . 2007-07-27 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-08-21 12:58 . 2004-08-03 22:59 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2012-08-17 16:16 . 2012-05-27 13:07 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-08-17 16:16 . 2011-06-22 14:12 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2009-10-16 18782720]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-04-05 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-04-05 174616]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-04-05 145432]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2011-06-22 2637824]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2011-06-22 395392]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R0 vididr;Acronis Virtual Disk;c:\windows\system32\drivers\vididr.sys [11/14/2011 7:23 AM 125472]
    R0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\drivers\vsflt53.sys [11/14/2011 7:23 AM 83392]
    R3 e1yexpress;Intel(R) Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [4/9/2011 7:17 PM 241880]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [4/9/2011 7:16 PM 116224]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/9/2011 7:12 PM 1684736]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-10-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.foxnews.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-04228943.sys
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-10-22 19:37
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3820)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2012-10-22 19:38:03
    ComboFix-quarantined-files.txt 2012-10-23 01:37
    .
    Pre-Run: 83,290,370,048 bytes free
    Post-Run: 83,641,184,256 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - C070B31D6ED364CB273B6DFD27D775C5
     
  9. 2012/10/22
    broni Moderator Malware Analyst
    Looks good :)

    Any current issues?

    =========================

    I don't see any AV program running.
    Install ONE of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
    - free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php

    Next...

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  10. 2012/10/23
    twofanman Inactive Thread Starter
    broni,

    Thanks so much for your help so far. It looks like it's running very well. It's back to being responsive and quick. I checked CPU usage and it's way down to zero or close after loading a web page - it was bouncing around above 20%.

    I did see one issue that I hope you can help me with and I have one question.

    The issue is with Microsoft Outlook. The current problem started when my wife clicked through a phishing e-mail sent (spoofed) from one of her favorite retailers. After doing all the repairs you've helped me with, I got a message when I started Outlook that said "Outlook experienced a serious problem with the Microsoft Office Sharepoint Server Colleague Import add-in. If you have seen this message multiple times, you should disable this add-in and check to see if an update is available. Do you want to disable this add-in?" I clicked yes to disable. Now, many of the e-mails do not show html content. I spent a bit of time poking around to see how to fix this but didn't see an obvious solution to re-establish the add-in. If you have any guidance on this, it would be appreciated.

    Finally, I wanted to ask for some advice on the antivirus software. Is there an FAQ somewhere that describes the various choices? I'm looking for one that will use the least amount of overhead resources and be the least intrusive to use.

    Thanks again.
     
  11. 2012/10/23
    broni (Moderator, Malware Analyst)
    The Outlook issue will be a subject for a different forum.

    Please continue with my previous reply.
     
  12. 2012/10/24
    twofanman (Lifetime Subscription, Thread Starter)
    Finally got the OTL scan done. Logs below.
    *************************************************************
    OTL logfile created on: 10/23/2012 10:28:24 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Cobra\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.96 Gb Total Physical Memory | 2.55 Gb Available Physical Memory | 86.04% Memory free
    4.80 Gb Paging File | 4.57 Gb Available in Paging File | 95.08% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 97.66 Gb Total Space | 78.07 Gb Free Space | 79.93% Space Free | Partition Type: NTFS
    Drive L: | 200.43 Gb Total Space | 200.36 Gb Free Space | 99.97% Space Free | Partition Type: NTFS

    Computer Name: COBRA-018AFF514 | User Name: Cobra | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2012/10/23 22:27:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cobra\Desktop\OTL.exe
    PRC - [2012/04/04 18:47:32 | 000,161,664 | ---- | M] (Oracle Corporation) -- C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
    PRC - [2012/01/17 11:07:58 | 000,505,736 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    PRC - [2011/06/22 12:17:14 | 000,395,392 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    PRC - [2011/06/22 12:17:08 | 000,846,056 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    PRC - [2011/06/22 12:15:44 | 002,637,824 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll


    ========== Services (SafeList) ==========

    SRV - [2012/04/04 18:47:32 | 000,161,664 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe -- (JavaQuickStarterService)
    SRV - [2011/06/22 12:17:08 | 000,846,056 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
    DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
    DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
    DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Cobra\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2011/11/14 07:23:08 | 000,601,408 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\timntr.sys -- (timounter)
    DRV - [2011/11/14 07:23:04 | 000,125,472 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\vididr.sys -- (vididr)
    DRV - [2011/11/14 07:23:03 | 000,083,392 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\vsflt53.sys -- (vidsflt53)
    DRV - [2011/11/14 07:23:02 | 000,169,088 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\snapman.sys -- (snapman)
    DRV - [2010/01/12 16:24:00 | 000,030,880 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
    DRV - [2009/10/21 08:28:42 | 005,934,592 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
    DRV - [2009/10/19 23:10:30 | 000,241,880 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress)
    DRV - [2009/06/23 14:28:12 | 000,040,832 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI)
    DRV - [2009/04/08 04:32:50 | 000,116,224 | R--- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
    DRV - [2008/08/05 06:10:12 | 001,684,736 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
    DRV - [2006/01/04 01:41:48 | 001,389,056 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-1078081533-287218729-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    IE - HKU\S-1-5-21-1078081533-287218729-725345543-1003\..\SearchScopes,DefaultScope = {F005D5DB-D97C-4DDA-B259-F3A195F18F6D}
    IE - HKU\S-1-5-21-1078081533-287218729-725345543-1003\..\SearchScopes\{ACD275F7-7055-4C09-9A71-0B79ECF00912}: "URL" = http://www.bing.com/search?q={searchTerms}&form=IE8SRC&src=IE-SearchBox
    IE - HKU\S-1-5-21-1078081533-287218729-725345543-1003\..\SearchScopes\{C14B19F7-6075-450C-A42D-AD211EE15A37}: "URL" = http://en.wikipedia.org/w/index.php?title=Special:Search&search={searchTerms}
    IE - HKU\S-1-5-21-1078081533-287218729-725345543-1003\..\SearchScopes\{F005D5DB-D97C-4DDA-B259-F3A195F18F6D}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
    IE - HKU\S-1-5-21-1078081533-287218729-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-1078081533-287218729-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



    O1 HOSTS File: ([2007/07/27 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
    O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-1078081533-287218729-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-1078081533-287218729-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-1078081533-287218729-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-21-1078081533-287218729-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1302398797234 (WUWebControl Class)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6E96A92C-BD92-4DD3-9080-93D97EC04A7C}: DhcpNameServer = 75.75.75.75 75.75.76.76
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\Documents and Settings\Cobra\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O24 - Desktop BackupWallPaper: C:\Documents and Settings\Cobra\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2011/04/09 19:00:17 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/10/23 22:27:23 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Cobra\Desktop\OTL.exe
    [2012/10/22 19:33:44 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/10/22 19:30:05 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/10/22 19:30:05 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/10/22 19:30:05 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/10/22 19:30:04 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/10/22 19:29:57 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/10/22 19:29:55 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Cobra\My Documents\My Videos
    [2012/10/22 19:29:55 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Cobra\Start Menu\Programs\Administrative Tools
    [2012/10/22 19:29:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
    [2012/10/22 19:26:36 | 004,987,615 | R--- | C] (Swearware) -- C:\Documents and Settings\Cobra\Desktop\ComboFix.exe
    [2012/10/22 18:44:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cobra\Desktop\RK_Quarantine
    [2012/10/22 18:34:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Cobra\Application Data\Malwarebytes
    [2012/10/22 16:28:43 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
    [2012/10/22 11:14:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2012/10/22 11:14:41 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2012/10/22 11:14:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2012/10/22 11:09:47 | 010,669,952 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Cobra\Desktop\malbite.exe
    [2012/10/22 11:08:49 | 010,669,952 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Cobra\Desktop\mbam-setup-1.65.1.1000.exe
    [2012/10/22 11:08:49 | 000,687,724 | ---- | C] (Swearware) -- C:\Documents and Settings\Cobra\Desktop\dds.com
    [2012/10/20 18:25:32 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
    [2012/10/16 07:32:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2012/10/16 07:32:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2012/10/15 13:52:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2012/10/15 13:51:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2012/10/10 19:17:47 | 000,230,840 | R--- | C] (Coupons, Inc.) -- C:\WINDOWS\cpnprt2.cid
    [2012/10/10 03:01:08 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/10/23 22:27:24 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Cobra\Desktop\OTL.exe
    [2012/10/23 22:26:24 | 000,002,533 | ---- | M] () -- C:\Documents and Settings\Cobra\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2007.lnk
    [2012/10/23 01:00:54 | 000,002,539 | ---- | M] () -- C:\Documents and Settings\Cobra\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook 2007.lnk
    [2012/10/23 00:54:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/10/22 19:33:47 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2012/10/22 19:29:22 | 004,987,615 | R--- | M] (Swearware) -- C:\Documents and Settings\Cobra\Desktop\ComboFix.exe
    [2012/10/22 18:42:02 | 001,425,920 | ---- | M] () -- C:\Documents and Settings\Cobra\Desktop\RogueKiller.exe
    [2012/10/22 18:34:01 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/10/22 18:32:16 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/10/22 11:02:30 | 000,687,724 | ---- | M] (Swearware) -- C:\Documents and Settings\Cobra\Desktop\dds.com
    [2012/10/22 11:02:10 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Cobra\Desktop\xsuififi.exe
    [2012/10/22 11:01:46 | 010,669,952 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Cobra\Desktop\mbam-setup-1.65.1.1000.exe
    [2012/10/22 11:01:46 | 010,669,952 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Cobra\Desktop\malbite.exe
    [2012/10/10 19:17:47 | 000,230,840 | R--- | M] (Coupons, Inc.) -- C:\WINDOWS\cpnprt2.cid
    [2012/10/10 19:17:47 | 000,230,840 | ---- | M] (Coupons, Inc.) -- C:\WINDOWS\System32\cpnprt2.cid
    [2012/10/10 03:01:21 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2012/10/08 16:06:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2012/09/30 17:02:39 | 000,002,491 | ---- | M] () -- C:\Documents and Settings\Cobra\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2007.lnk
    [2012/09/29 19:54:26 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/10/22 19:33:47 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2012/10/22 19:33:44 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2012/10/22 19:30:05 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/10/22 19:30:05 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/10/22 19:30:05 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/10/22 19:30:05 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/10/22 19:30:05 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/10/22 18:43:44 | 001,425,920 | ---- | C] () -- C:\Documents and Settings\Cobra\Desktop\RogueKiller.exe
    [2012/10/22 12:11:41 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2012/10/22 11:08:49 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Cobra\Desktop\xsuififi.exe
    [2012/02/16 00:23:04 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2011/10/17 16:51:51 | 000,056,532 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
    [2011/04/10 08:05:35 | 000,003,584 | ---- | C] () -- C:\Documents and Settings\Cobra\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/04/09 19:12:21 | 000,004,096 | R--- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
    [2011/04/09 19:12:21 | 000,000,151 | R--- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
    [2011/04/09 19:12:20 | 000,982,240 | R--- | C] () -- C:\WINDOWS\System32\igkrng500.bin
    [2011/04/09 19:12:20 | 000,439,308 | R--- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
    [2011/04/09 19:01:52 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2011/04/09 18:57:47 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2011/04/09 12:49:44 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2011/04/09 12:48:05 | 000,267,800 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT

    ========== ZeroAccess Check ==========

    [2011/04/09 19:10:46 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    " " = %SystemRoot%\system32\shdocvw.dll -- [2010/12/20 16:15:52 | 001,510,400 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    " " = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 06:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    " " = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 18:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== LOP Check ==========

    [2011/11/14 07:23:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
    [2011/05/17 14:00:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2011/11/14 07:23:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Cobra\Application Data\Acronis
    [2012/05/27 07:07:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Cobra\Application Data\Oracle

    ========== Purity Check ==========



    < End of report >
    ******************************************************
    OTL Extras logfile created on: 10/23/2012 10:28:24 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Cobra\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.96 Gb Total Physical Memory | 2.55 Gb Available Physical Memory | 86.04% Memory free
    4.80 Gb Paging File | 4.57 Gb Available in Paging File | 95.08% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 97.66 Gb Total Space | 78.07 Gb Free Space | 79.93% Space Free | Partition Type: NTFS
    Drive L: | 200.43 Gb Total Space | 200.36 Gb Free Space | 99.97% Space Free | Partition Type: NTFS

    Computer Name: COBRA-018AFF514 | User Name: Cobra | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1 ",%*

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1 ",%*
    exefile [open] -- "%1" %*
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
    "%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
    "C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
    "C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)
    "C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service -- (Apple Inc.)
    "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0BBBA9A9-02E8-467D-BE57-4797A50F7861}" = Intel(R) Network Connections 15.1.29.0
    "{1111706F-666A-4037-7777-210328764D10}" = JavaFX 2.1.0
    "{23B8A91D-680B-462B-87AD-3D70F7341731}" = iTunes
    "{26A24AE4-039D-4CA4-87B4-2F83217004FF}" = Java(TM) 7 Update 4
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{6D172D0A-B9F1-4046-AFAB-8599288545BF}" = Safari
    "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
    "{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
    "{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
    "{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
    "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
    "{90120000-0015-0409-0000-0000000FF1CE}_PROR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
    "{90120000-0016-0409-0000-0000000FF1CE}_PROR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
    "{90120000-0018-0409-0000-0000000FF1CE}_PROR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
    "{90120000-0019-0409-0000-0000000FF1CE}_PROR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
    "{90120000-001A-0409-0000-0000000FF1CE}_PROR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
    "{90120000-001B-0409-0000-0000000FF1CE}_PROR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
    "{90120000-001F-0409-0000-0000000FF1CE}_PROR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
    "{90120000-001F-040C-0000-0000000FF1CE}_PROR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
    "{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
    "{90120000-006E-0409-0000-0000000FF1CE}_PROR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
    "{90120000-0115-0409-0000-0000000FF1CE}_PROR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
    "{90120000-0117-0409-0000-0000000FF1CE}_PROR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
    "{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
    "{91120000-0014-0000-0000-0000000FF1CE}_PROR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
    "{9B683A28-2172-4CF1-B85D-41375E80652A}" = Acronis True Image WD*Edition
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.3)
    "{AFF7E080-1974-45BF-9310-10DE1A1F5ED0}" = Adobe AIR
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}" = Apple Application Support
    "{EFC04D3F-A152-47E7-8517-EE0F6201AFEF}" = Apple Mobile Device Support
    "{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Graphics Media Accelerator Driver
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
    "Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
    "HECI" = Intel(R) Management Engine Interface
    "ie8" = Windows Internet Explorer 8
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.65.1.1000
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "PROR" = Microsoft Office Professional 2007
    "WIC" = Windows Imaging Component
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

    ========== Last 20 Event Log Errors ==========

    [ Application Events ]
    Error - 10/17/2011 6:51:55 PM | Computer Name = COBRA-018AFF514 | Source = Bonjour Service | ID = 100
    Description = 212: ERROR: read_msg errno 10054 (An existing connection was forcibly
    closed by the remote host.)

    Error - 1/30/2012 9:01:04 PM | Computer Name = COBRA-018AFF514 | Source = Application Hang | ID = 1002
    Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 4/7/2012 1:09:23 AM | Computer Name = COBRA-018AFF514 | Source = Bonjour Service | ID = 100
    Description = 216: ERROR: read_msg errno 10054 (An existing connection was forcibly
    closed by the remote host.)

    Error - 4/7/2012 1:09:23 AM | Computer Name = COBRA-018AFF514 | Source = Bonjour Service | ID = 100
    Description = 504: ERROR: read_msg errno 10054 (An existing connection was forcibly
    closed by the remote host.)

    Error - 4/7/2012 1:09:23 AM | Computer Name = COBRA-018AFF514 | Source = Bonjour Service | ID = 100
    Description = 520: ERROR: read_msg errno 10054 (An existing connection was forcibly
    closed by the remote host.)

    [ System Events ]
    Error - 10/22/2012 6:31:49 PM | Computer Name = COBRA-018AFF514 | Source = Service Control Manager | ID = 7001
    Description = The DHCP Client service depends on the NetBios over Tcpip service
    which failed to start because of the following error: %%31

    Error - 10/22/2012 6:31:49 PM | Computer Name = COBRA-018AFF514 | Source = Service Control Manager | ID = 7001
    Description = The DNS Client service depends on the TCP/IP Protocol Driver service
    which failed to start because of the following error: %%31

    Error - 10/22/2012 6:31:49 PM | Computer Name = COBRA-018AFF514 | Source = Service Control Manager | ID = 7001
    Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
    failed to start because of the following error: %%31

    Error - 10/22/2012 6:31:49 PM | Computer Name = COBRA-018AFF514 | Source = Service Control Manager | ID = 7001
    Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
    service which failed to start because of the following error: %%31

    Error - 10/22/2012 6:31:49 PM | Computer Name = COBRA-018AFF514 | Source = Service Control Manager | ID = 7001
    Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
    service which failed to start because of the following error: %%31

    Error - 10/22/2012 6:31:49 PM | Computer Name = COBRA-018AFF514 | Source = Service Control Manager | ID = 7001
    Description = The IPSEC Services service depends on the IPSEC driver service which
    failed to start because of the following error: %%31

    Error - 10/22/2012 6:31:49 PM | Computer Name = COBRA-018AFF514 | Source = Service Control Manager | ID = 7026
    Description = The following boot-start or system-start driver(s) failed to load:
    AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT ohci1394 RasAcd Rdbss Tcpip vididr

    Error - 10/22/2012 6:31:52 PM | Computer Name = COBRA-018AFF514 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service StiSvc with
    arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

    Error - 10/22/2012 6:34:10 PM | Computer Name = COBRA-018AFF514 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service StiSvc with
    arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

    Error - 10/22/2012 6:34:43 PM | Computer Name = COBRA-018AFF514 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service StiSvc with
    arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}


    < End of report >
     
  13. 2012/10/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      [2011/04/09 19:10:46 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
      
      [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
      
      [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
      
      [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
      " " = %SystemRoot%\system32\shdocvw.dll -- [2010/12/20 16:15:52 | 001,510,400 | ---- | M] (Microsoft Corporation)
       "ThreadingModel" = Apartment
      
      [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
      " " = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 06:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
       "ThreadingModel" = Free
      
      [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
      " " = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 18:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
       "ThreadingModel" = Both
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

    ==================================

    I don't see any AV program running.
    Install ONE of these:
    - Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
    - free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
    - free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php
    Update, run full scan, report on any findings.

    =================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    3. Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Next...

    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall.
    • Confirm with yes.

    4. Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    5. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  14. 2012/10/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Still with me?
     
  15. 2012/10/29
    twofanman Lifetime Subscription

    twofanman Inactive Thread Starter

    Joined:
    2008/12/22
    Messages:
    31
    Likes Received:
    0
    Yes. I'll try to run the last scans tonight and tomorrow. Thanks again.
     
  16. 2012/10/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok...
     
  17. 2012/10/30
    twofanman Lifetime Subscription

    twofanman Inactive Thread Starter

    Joined:
    2008/12/22
    Messages:
    31
    Likes Received:
    0
    Results of the custom OTL scan follow. Other scans coming next.
    ************************************
    All processes killed
    ========== OTL ==========
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\WINDOWS\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    C:\WINDOWS\assembly\Desktop.ini moved successfully.
    File EY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
    File EY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] not found.
    File EY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] not found.
    Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]\ not found.
    Folder EY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56466 bytes

    User: All Users

    User: Cobra
    ->Temp folder emptied: 1247042 bytes
    ->Temporary Internet Files folder emptied: 120498117 bytes
    ->Apple Safari cache emptied: 4361216 bytes
    ->Flash cache emptied: 65662 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56466 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 49286 bytes
    ->Flash cache emptied: 492 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 666169 bytes
    ->Flash cache emptied: 610 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2190207 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 123.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: Cobra

    User: Default User

    User: LocalService

    User: NetworkService

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Cobra
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 10302012_162750

    Files\Folders moved on Reboot...
    C:\Documents and Settings\Cobra\Local Settings\Temp\REG65.tmp moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temp\REG66.tmp moved successfully.
    File\Folder C:\Documents and Settings\Cobra\Local Settings\Temp\~DFC297.tmp not found!
    File\Folder C:\Documents and Settings\Cobra\Local Settings\Temp\~DFC2A2.tmp not found!
    File\Folder C:\Documents and Settings\Cobra\Local Settings\Temp\~DFC2FA.tmp not found!
    File\Folder C:\Documents and Settings\Cobra\Local Settings\Temp\~DFC305.tmp not found!
    File\Folder C:\Documents and Settings\Cobra\Local Settings\Temp\~DFC335.tmp not found!
    File\Folder C:\Documents and Settings\Cobra\Local Settings\Temp\~DFC340.tmp not found!
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\ZU77VL0G\like[1].htm moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\Q4CCZI04\427472283@x87[1].htm moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\Q4CCZI04\adTag[1].htm moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\Q4CCZI04\xd_arbiter[1].htm moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\P4MC8RML\adTag[1].htm moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\P4MC8RML\adTag[2].htm moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\P4MC8RML\fastbutton[1].htm moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\P4MC8RML\frame[1].htm moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\P4MC8RML\frame[2].htm moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\P4MC8RML\na[1].htm moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\CLLVRD2N\103932-active-unresponsive-computer[1].html moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\CLLVRD2N\xd_arbiter[1].htm moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\Content.IE5\2LTJ3E1T\p-01-0VIaSjnOLg[1].gif moved successfully.
    C:\Documents and Settings\Cobra\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  18. 2012/10/30
    twofanman Lifetime Subscription

    twofanman Inactive Thread Starter

    Joined:
    2008/12/22
    Messages:
    31
    Likes Received:
    0
    Log from Security Check scan
    ******************************
    Results of screen317's Security Check version 0.99.54
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Please wait while WMIC compiles updated MOF files.
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.65.1.1000
    JavaFX 2.1.0
    Java(TM) 7 Update 4
    Java version out of Date!
    Adobe Reader X 10.1.3 Adobe Reader out of Date!
    ````````Process Check: objlist.exe by Laurent````````
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C:: 22% Defragment your hard drive soon! (Do NOT defrag if SSD!)
    ````````````````````End of Log``````````````````````
     
  19. 2012/10/31
    twofanman Lifetime Subscription

    twofanman Inactive Thread Starter

    Joined:
    2008/12/22
    Messages:
    31
    Likes Received:
    0
    AdwCleaner log.............
    ******************************
    # AdwCleaner v2.006 - Logfile created 10/31/2012 at 08:33:31
    # Updated 30/10/2012 by Xplode
    # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
    # User : Cobra - COBRA-018AFF514
    # Boot Mode : Normal
    # Running from : C:\Documents and Settings\Cobra\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****


    ***** [Registry] *****

    Key Deleted : HKCU\Software\Ask.com.tmp
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2D360201-FFF5-11D1-8D03-00A0C959BC0A}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2D360201-FFF5-11D1-8D03-00A0C959BC0A}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}
    Key Deleted : HKLM\Software\Freeze.com
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v8.0.6001.18702

    [OK] Registry is clean.

    *************************

    AdwCleaner[S1].txt - [1366 octets] - [31/10/2012 08:33:31]

    ########## EOF - C:\AdwCleaner[S1].txt - [1426 octets] ##########
     
  20. 2012/10/31
    twofanman Lifetime Subscription

    twofanman Inactive Thread Starter

    Joined:
    2008/12/22
    Messages:
    31
    Likes Received:
    0
    K I'm done. FYI the Farbar Service Scanner link you gave loaded a bunch of unwanted Yahoo toolbars and changed the browser homepage. After struggling with the 7-zip stuff, I'm not even sure the scan ran. I uninstalled all the Yahoo stuff that got loaded. Also, I'm getting warnings that the Windows Firewall is not enabled - when I try to enable it in Control Panel Security it says there is an unknown error. So I have no firewall running now.
     
  21. 2012/10/31
    twofanman Lifetime Subscription

    twofanman Inactive Thread Starter

    Joined:
    2008/12/22
    Messages:
    31
    Likes Received:
    0
    OK - never mind the firewall problem. I rebooted the computer and the firewall came up OK. All is well.
     
