# BIOS Hack?



## Zaq123

I'm running XP Pro with SP3. I don't know what evil genius is after me, but I have a trojan that is relentless. I have wiped my hard drive with DBN and reloaded several times. With a complete clean install and without ever connecting to the internet, I have had my administrator account hijacked and password protected and user password changed. I have the Dell XP Pro disk with SP2, I burned an ISO of SP3 and use that. Ctfmon loads immediately as a trojan according to SB S&D. I have completely removed it. My machine is completely under control of this "thing." I found this:
** clients hxxp://127.0.0.1:21332/clients Text Doc integrity-local 
hxxp://127.0.0.1:21322/integrity-local
hxxp://127.0.0.1:21321/integrity-local 40b cache name integrity-local[1],txt *** (xx added by me)
in IE temp internet file. A search of this site brings up a page with a line of letters and nothing else. I cleaned all IE temps and it just comes right back. I cleaned every IE temp account and had it cleared out, and then I wiped the drive. When I turned my computer back on, my broadcom wireless was all disabled, all kinds of changes were made - it was not connected to the internet. I never know what new thing will be messed up every time I turn on my computer. When I loaded the OS this time I password protected the Supervisor and User passwords in the BIOS. I think this has stopped this "thing" from taking over the Admin account. Scotty keeps "it" from modifying c:\windows\system32\drivers\etc\hosts to a notepad file that reads: 127.0.0.1 localhost. 
I've scanned this computer with everything, Avira, Comodo, Malwarebytes, on and on and nothing is ever found. Trend Micro rootkit found the rootkits but cannot remove them. I had Trend Micro Housecall and RUBotted, they disappeared after a reboot. This "thing" has complete control over task manager. I've run a combofix and it always removes two Vostro files. This vostro is the BIOS drive. I have an ISO copy of the Dell drivers. I don't know if it's possible to corrupt a SP3 downloaded from microsoft or the Dell drivers, downloaded from Dell. This "thing" is just unreal! How can it make changes even before a clean install has ever connected to the internet??
Here are the logs. I didn't zip attach.txt or ark.txt because they are so small - I assume they are usually very large and that is why they are zipped? Hope that's ok.

.
DDS (Ver_2011-08-26.01) - NTFSx86 
Internet Explorer: 8.0.6001.18702
Run by Owner at 18:16:54 on 2011-11-23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.577 [GMT -7:00]
.
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
.
============== Pseudo HJT Report ===============
.
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\bok3zs1f.default\
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2011-11-22 36000]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-11-22 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2011-11-22 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-11-22 74640]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-11-23 05:36:22 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-11-22 20:54:07 -------- d-----w- c:\windows\system32\NtmsData
2011-11-22 20:29:39 -------- d-----w- c:\documents and settings\owner\application data\Avira
2011-11-22 20:23:52 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-11-22 20:23:52 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2011-11-22 20:23:51 -------- d-----w- c:\program files\Avira
2011-11-22 20:23:51 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-11-22 13:29:59 -------- d-sha-r- C:\cmdcons
2011-11-22 13:28:16 98816 ----a-w- c:\windows\sed.exe
2011-11-22 13:28:16 518144 ----a-w- c:\windows\SWREG.exe
2011-11-22 13:28:16 256000 ----a-w- c:\windows\PEV.exe
2011-11-22 13:28:16 208896 ----a-w- c:\windows\MBR.exe
2011-11-22 13:08:26 -------- d-----w- c:\documents and settings\owner\local settings\application data\PCHealth
2011-11-22 13:04:35 -------- d-----w- C:\d09abc78b87bd6cf02
2011-11-22 12:54:58 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-22 11:16:47 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-22 09:40:09 388096 ----a-r- c:\documents and settings\owner\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-11-22 04:26:09 -------- d-----w- c:\program files\Trend Micro
2011-11-21 18:04:54 -------- d-----w- c:\windows\system32\appmgmt
2011-11-21 17:50:13 -------- d-----w- c:\windows\SxsCaPendDel
2011-11-21 08:54:02 -------- d-----w- c:\documents and settings\owner\application data\GlarySoft
2011-11-21 03:16:28 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2011-11-21 03:16:28 -------- d-----w- c:\program files\common files\PC Tools
2011-11-21 03:16:27 -------- d-----w- c:\program files\PC Tools
2011-11-21 03:13:11 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-11-21 03:12:46 -------- d-----w- c:\documents and settings\owner\application data\TestApp
2011-11-20 06:35:40 -------- d-----w- c:\program files\Webroot
2011-11-20 06:23:12 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-11-20 06:18:36 -------- d-----w- c:\documents and settings\owner\application data\WinPatrol
2011-11-20 06:18:13 -------- d-----w- c:\program files\BillP Studios
2011-11-20 06:18:12 --------  d-----w- c:\documents and settings\all users\application data\InstallMate
2011-11-20 05:19:31 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-11-20 04:17:05 -------- d-----w- c:\documents and settings\owner\application data\QFX Software
2011-11-20 04:17:05 -------- d-----w- c:\documents and settings\all users\application data\QFX Software
2011-11-20 03:47:37 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-11-20 03:47:37 -------- d-----w- c:\windows\system32\winrm
2011-11-20 03:47:31 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-11-20 03:14:32 -------- d-----w- c:\documents and settings\owner\local settings\application data\ApplicationHistory
2011-11-20 03:11:48 99840 -c----w- c:\windows\system32\dllcache\srvsvc.dll
2011-11-20 03:11:46 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
2011-11-20 03:11:45 265728 -c----w- c:\windows\system32\dllcache\http.sys
2011-11-20 03:11:45 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
2011-11-20 00:59:31 -------- d-----w- c:\windows\system32\PreInstall
2011-11-20 00:56:44 -------- d-----w- c:\windows\system32\URTTEMP
2011-11-20 00:55:50 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-11-20 00:54:50 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2011-11-20 00:44:14 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-11-20 00:43:58 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-11-20 00:43:31 551936 -c----w- c:\windows\system32\dllcache\oleaut32.dll
2011-11-20 00:42:54 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-11-20 00:42:50 45568 -c----w- c:\windows\system32\dllcache\dnsrslvr.dll
2011-11-20 00:42:50 361600 -c----w- c:\windows\system32\dllcache\tcpip.sys
2011-11-20 00:42:50 245248 -c----w- c:\windows\system32\dllcache\mswsock.dll
2011-11-20 00:42:50 149504 -c----w- c:\windows\system32\dllcache\dnsapi.dll
2011-11-20 00:41:44 677888 -c----w- c:\windows\system32\dllcache\lhmstsc.exe
2011-11-20 00:41:43 2067456 -c----w- c:\windows\system32\dllcache\lhmstscx.dll
2011-11-20 00:41:32 270848 -c----w- c:\windows\system32\dllcache\sbe.dll
2011-11-20 00:41:32 186880 -c----w- c:\windows\system32\dllcache\encdec.dll
2011-11-20 00:40:20 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-11-20 00:40:16 92928 -c----w- c:\windows\system32\dllcache\ksecdd.sys
2011-11-20 00:40:16 54272 -c----w- c:\windows\system32\dllcache\wdigest.dll
2011-11-20 00:40:16 136192 -c----w- c:\windows\system32\dllcache\msv1_0.dll
2011-11-20 00:40:12 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2011-11-20 00:40:10 90112 -c----w- c:\windows\system32\dllcache\wshext.dll
2011-11-20 00:40:10 180224 -c----w- c:\windows\system32\dllcache\scrobj.dll
2011-11-20 00:40:10 172032 -c----w- c:\windows\system32\dllcache\scrrun.dll
2011-11-20 00:40:10 155648 -c----w- c:\windows\system32\dllcache\wscript.exe
2011-11-20 00:40:10 135168 -c----w- c:\windows\system32\dllcache\cscript.exe
2011-11-20 00:39:22 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2011-11-19 22:53:35 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2011-11-19 22:52:39 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-19 22:52:39 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-11-19 22:51:27 -------- d-----w- c:\documents and settings\owner\local settings\application data\Mozilla
2011-11-19 22:49:53 -------- d-----w- c:\program files\Glary Utilities
2011-11-19 22:49:17 -------- d-----w- c:\program files\CCleaner
2011-11-19 22:44:59 82016 ----a-w- c:\windows\system32\drivers\sfi.dat
2011-11-19 22:39:47 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-11-19 22:18:20 -------- d-sh--w- c:\documents and settings\owner\PrivacIE
2011-11-19 21:59:44 -------- d-----w- c:\windows\ie8updates
2011-11-19 21:55:59 79872 -c----w- c:\windows\system32\dllcache\raschap.dll
2011-11-19 21:48:24 -------- d-----w- c:\windows\system32\XPSViewer
2011-11-19 21:48:03 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-11-19 21:47:52 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-11-19 21:47:52 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-11-19 21:47:52 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-11-19 21:47:52 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-11-19 21:47:52 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-11-19 21:47:52 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-11-19 21:47:52 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-11-19 21:47:52 117760 ------w- c:\windows\system32\prntvpt.dll
2011-11-19 21:47:52 -------- d-----w- C:\a45514b98559813237f47e1c15
2011-11-19 21:42:35 -------- d-sh--w- c:\documents and settings\owner\IETldCache
2011-11-19 21:39:51 -------- d-----w- c:\program files\Windows Media Connect 2
2011-11-19 21:38:56 -------- d-----w- c:\windows\system32\LogFiles
2011-11-19 21:38:15 21728 ----a-w- c:\windows\system32\wucltui.dll.mui
2011-11-19 21:38:15 17632 ----a-w- c:\windows\system32\wuaueng.dll.mui
2011-11-19 21:38:15 15072 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2011-11-19 21:38:15 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-11-19 21:38:14 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2011-11-19 21:36:38 -------- dc-h--w- c:\windows\ie8
2011-11-19 21:27:01 32256 ----a-w- c:\windows\system32\drivers\rimmptsk.sys
2011-11-19 20:57:58 -------- d-----w- c:\documents and settings\owner\local settings\application data\SupportSoft
2011-11-19 20:57:34 -------- d-----w- c:\program files\Dell Support Center
2011-11-19 20:51:32 45568 ----a-r- c:\windows\system32\drivers\bcm4sbxp.sys
2011-11-19 20:50:26 -------- d-----w- c:\program files\Digital Line Detect
2011-11-19 20:49:17 217088 ----a-r- c:\windows\system32\UCI32M21.dll
2011-11-19 20:44:35 -------- d-----w- c:\documents and settings\owner\application data\Dell
2011-11-19 20:44:18 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS
2011-11-19 20:41:55 416 ----a-w- c:\windows\system32\vcredist_x86.bat
2011-11-19 20:41:55 2682880 ----a-w- c:\windows\system32\vcredist_x86.exe
2011-11-19 20:41:53 143360 ----a-w- c:\windows\system32\bcmwlapi.dll
2011-11-19 20:33:02 -------- d-----w- c:\documents and settings\owner\local settings\application data\ATI
2011-11-19 20:18:22 989952 ----a-r- c:\windows\system32\drivers\HSF_DPV.sys
2011-11-19 20:18:22 211200 ----a-r- c:\windows\system32\drivers\HSFHWAZL.sys
2011-11-19 20:18:22 172032 ----a-r- c:\windows\system32\Uci32114.dll
2011-11-19 20:18:22 -------- d-----w- c:\program files\CONEXANT
2011-11-19 20:18:21 731136 ----a-r- c:\windows\system32\drivers\HSF_CNXT.sys
2011-11-19 20:02:19 -------- d-----w- c:\program files\Broadcom
2011-11-19 20:01:06 -------- d-----w- c:\windows\Downloaded Installations
2011-11-19 19:53:07 202912 ----a-w- c:\windows\system32\drivers\SynTP.sys
2011-11-19 19:53:07 196608 ----a-w- c:\windows\system32\SynCtrl.dll
2011-11-19 19:53:07 163840 ----a-w- c:\windows\system32\SynCOM.dll
2011-11-19 19:53:07 143360 ----a-w- c:\windows\system32\SynTPAPI.dll
2011-11-19 19:53:07 110592 ----a-w- c:\windows\system32\SynTPCo4.dll
2011-11-19 19:53:06 -------- d-----w- c:\program files\Synaptics
2011-11-19 19:50:10 -------- d-----w- c:\program files\ATI Technologies
2011-11-19 19:49:51 77824 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2011-11-19 19:49:51 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2011-11-19 19:49:51 225280 ----a-w- c:\program files\common files\installshield\iscript\iscript.dll
2011-11-19 19:49:51 176128 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2011-11-19 19:49:50 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2011-11-19 19:49:35 610436 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2011-11-19 19:20:51 45056 ----a-r- c:\documents and settings\owner\application data\microsoft\installer\{42929f0f-ce14-47af-9fc7-ff297a603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2011-11-19 18:58:05 666 ----a-w- c:\windows\speed.reg
2011-11-19 18:58:05 -------- d-----w- c:\program files\Dell
2011-11-19 18:47:39 26368 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2011-11-19 05:09:13 79872 -c----w- c:\windows\system32\dllcache\msxml6r.dll
2011-11-19 05:09:12 79872 ------w- c:\windows\system32\msxml6r.dll
2011-11-19 05:09:12 1372672 -c----w- c:\windows\system32\dllcache\msxml6.dll
2011-11-19 05:09:12 1372672 ------w- c:\windows\system32\msxml6.dll
2011-11-19 05:07:12 -------- d-----w- c:\windows\ServicePackFiles
2011-11-19 05:06:57 294912 ------w- c:\program files\windows media player\dlimport.exe
2011-11-19 05:06:53 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2011-11-19 05:03:41 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-11-19 05:03:35 26144 ----a-w- c:\windows\system32\spupdsvc.exe
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 18:17:50.34 ===============


GMER 1.0.15.15641 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-11-23 19:52:08
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BEVS-75RST0 rev.04.01G04
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fxliakob.sys


---- System - GMER 1.0.15 ----

SSDT F7B2891C ZwClose
SSDT F7B288D6 ZwCreateKey
SSDT F7B28926 ZwCreateSection
SSDT F7B288CC ZwCreateThread
SSDT F7B288DB ZwDeleteKey
SSDT F7B288E5 ZwDeleteValueKey
SSDT F7B28917 ZwDuplicateObject
SSDT F7B288EA ZwLoadKey
SSDT F7B288B8 ZwOpenProcess
SSDT F7B288BD ZwOpenThread
SSDT F7B2893F ZwQueryValueKey
SSDT F7B288F4 ZwReplaceKey
SSDT F7B28930 ZwRequestWaitReplyPort
SSDT F7B288EF ZwRestoreKey
SSDT F7B2892B ZwSetContextThread
SSDT F7B28935 ZwSetSecurityObject
SSDT F7B288E0 ZwSetValueKey
SSDT F7B2893A ZwSystemDebugControl
SSDT F7B288C7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 250C 80501D44 4 Bytes [EA, 88, B2, F7]
? C:\DOCUME~1\Owner\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/18/2011 9:51:23 PM
System Uptime: 11/23/2011 6:10:07 PM (0 hours ago)
.
Motherboard: Dell Inc. | | 0WY383
Processor: Mobile AMD Sempron(tm) Processor 3600+ | Socket M2/S1G1 | 1595/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 75 GiB total, 65.679 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell Wireless 1395 WLAN Mini-Card
Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000B1028&REV_01\4&232B014&0&0030
Manufacturer: Broadcom
Name: Dell Wireless 1395 WLAN Mini-Card
PNP Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000B1028&REV_01\4&232B014&0&0030
Service: BCM43XX
.
==== System Restore Points ===================
.
RP1: 11/22/2011 6:28:22 AM - System Checkpoint
.
==== Installed Programs ======================
.
Adobe Flash Player 11 Plugin
AMD Processor Driver
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Avira Free Antivirus
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
CCleaner
Conexant HDA D330 MDC V.92 Modem
Dell Touchpad
Dell Wireless WLAN Card Utility
Digital Line Detect
Glary Utilities 2.39.0.1310
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 8.0 (x86 en-US)
QuickSet
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows XP (KB923789)
SigmaTel Audio
SUPERAntiSpyware
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Windows Internet Explorer 8 (KB2598845)
WebFldrs XP
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPatrol
WinRAR 4.01 (32-bit)
.
==== Event Viewer Messages From Past Week ========
.
11/21/2011 10:55:30 AM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\system32\WLTRAY.exe. Reference error message: The operation completed successfully. .
11/21/2011 10:55:25 AM, error: Service Control Manager [7022] - The Dell Wireless WLAN Tray Service service hung on starting.
11/21/2011 10:54:13 AM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\System32\BCMLogon.dll. Reference error message: The operation completed successfully. .
11/21/2011 10:54:01 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error message: The referenced assembly is not installed on your system. .
11/21/2011 10:54:01 AM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\System32\bcmwltry.exe. Reference error message: The operation completed successfully. .
11/21/2011 10:54:01 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
11/21/2011 10:42:34 AM, error: System Error [1003] - Error code 1000000a, parameter1 00000166, parameter2 00000002, parameter3 00000000, parameter4 804faada.
11/20/2011 9:00:55 PM, error: Service Control Manager [7034] - The Spybot S&D 2 Live Protection Service service terminated unexpectedly. It has done this 1 time(s).
11/20/2011 8:57:49 PM, error: PCTCore [280] - 
11/20/2011 12:08:38 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
11/20/2011 12:06:32 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 APPDRV cmdGuard cmdHlp Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL SDHookDriver Tcpip
11/19/2011 8:10:17 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
11/19/2011 5:21:51 PM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
11/19/2011 3:32:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
11/19/2011 3:30:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 APPDRV Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
11/19/2011 3:30:11 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/19/2011 3:30:11 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/19/2011 3:30:11 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/19/2011 3:30:11 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/19/2011 3:29:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/19/2011 11:24:34 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Spybot-S&D 2 Updating Service service to connect.
11/19/2011 11:24:34 PM, error: Service Control Manager [7000] - The Spybot-S&D 2 Updating Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
11/18/2011 10:38:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
11/18/2011 10:18:57 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss Tcpip
.
==== End Of File ===========================

I know I should have shut down Avira but there was no option to do so upon right-clicking it, and I could not stop it through task manager because TM is completely taken over. HELP!!! Thanks in advance!
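As an added example (not from the original post, and not GMER's own code), here is a small Python triage script for the GMER section in the log above. It parses the `SSDT` lines, measures how tightly the hook targets cluster (19 hooks inside 135 bytes means each target is a few-byte stub in one driver's image, which is what a single hooking driver looks like, whether that driver is a security product or a rootkit), and decodes the 4 patched bytes GMER reports inside ntkrnlpa.exe as a little-endian pointer. That pointer comes out as F7B288EA, the same address listed as the ZwLoadKey hook, so the "Kernel code sections" entry and the SSDT list describe the same hooking. The sample text is copied from the posted log; the script deliberately does not guess which driver owns the hooks, because the log does not say.

```python
import re
from collections import namedtuple

# Constructed input: the SSDT and "Kernel code sections" lines copied from the
# GMER log posted above, embedded so the script runs offline.
GMER_EXCERPT = """\
---- System - GMER 1.0.15 ----

SSDT F7B2891C ZwClose
SSDT F7B288D6 ZwCreateKey
SSDT F7B28926 ZwCreateSection
SSDT F7B288CC ZwCreateThread
SSDT F7B288DB ZwDeleteKey
SSDT F7B288E5 ZwDeleteValueKey
SSDT F7B28917 ZwDuplicateObject
SSDT F7B288EA ZwLoadKey
SSDT F7B288B8 ZwOpenProcess
SSDT F7B288BD ZwOpenThread
SSDT F7B2893F ZwQueryValueKey
SSDT F7B288F4 ZwReplaceKey
SSDT F7B28930 ZwRequestWaitReplyPort
SSDT F7B288EF ZwRestoreKey
SSDT F7B2892B ZwSetContextThread
SSDT F7B28935 ZwSetSecurityObject
SSDT F7B288E0 ZwSetValueKey
SSDT F7B2893A ZwSystemDebugControl
SSDT F7B288C7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 250C 80501D44 4 Bytes [EA, 88, B2, F7]
"""

Hook = namedtuple("Hook", "address name")
Patch = namedtuple("Patch", "symbol offset address nbytes value")

# "SSDT <hook address> <service name>"
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\w+)\s*$")
# ".text <symbol> + <offset> <address> <n> Bytes [<hex bytes>]"
PATCH_RE = re.compile(
    r"^\.text\s+(\S+)\s+\+\s*([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+(\d+)\s+Bytes\s+\[([^\]]+)\]"
)


def parse_ssdt_hooks(text):
    """Return every hooked service as (address, name)."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append(Hook(int(m.group(1), 16), m.group(2)))
    return hooks


def parse_code_patches(text):
    """Return each reported in-kernel patch; the bytes are decoded little-endian."""
    patches = []
    for line in text.splitlines():
        m = PATCH_RE.match(line.strip())
        if not m:
            continue
        raw = bytes(int(b, 16) for b in m.group(5).replace(" ", "").split(","))
        patches.append(Patch(m.group(1), int(m.group(2), 16), int(m.group(3), 16),
                             int(m.group(4)), int.from_bytes(raw, "little")))
    return patches


def hook_address_span(hooks):
    """Lowest and highest hook target plus the distance between them, in bytes."""
    addrs = [h.address for h in hooks]
    return min(addrs), max(addrs), max(addrs) - min(addrs)


def match_patches_to_hooks(patches, hooks):
    """Map each patch symbol to the SSDT hook whose address its bytes spell, if any."""
    by_addr = {h.address: h.name for h in hooks}
    return {p.symbol: by_addr.get(p.value) for p in patches}


def triage(text):
    hooks = parse_ssdt_hooks(text)
    patches = parse_code_patches(text)
    lo, hi, span = hook_address_span(hooks)
    return {"hook_count": len(hooks), "lo": lo, "hi": hi, "span": span,
            "patch_matches": match_patches_to_hooks(patches, hooks)}


if __name__ == "__main__":
    r = triage(GMER_EXCERPT)
    print(f"{r['hook_count']} SSDT hooks between {r['lo']:08X} and {r['hi']:08X} "
          f"({r['span']} bytes apart)")
    for sym, name in r["patch_matches"].items():
        print(f"patch at {sym} spells the hook address of: {name}")
```

To attribute the hooks, compare the `lo`/`hi` range against the base addresses of the loaded drivers (GMER's module list or a kernel debugger gives those); a range that falls inside a known security product's driver is expected, one that falls inside an unsigned or unnamed driver is what a helper would ask to see next.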


----------



## Zaq123

Bump, Please.
Sorry I did not zip those files, I have winrar so I could not have done so anyway. Right after posting to this forum, "whatever" has stopped trying to load 127.0.0. I've found a system restore point; I had turned off system restore. I did a virus scan with my usb drive in and it found that combofix is the TR/Yakes.ado.11 Trojan. I don't know if that is typical. I also remembered that on the Dell driver CD I have there is one driver that is an old version of Java that spybot s&d says is a virus or trojan. I did not load that driver on this install. Help!


----------



## Ried

Hello Zaq123,

That is a false detection for ComboFix. You can safely ignore that finding.

May I please see the C:\Combofix.txt and the log produced by TDSSKiller? You'll find the log for TDSSKiller on the C:\ drive as well.


----------



## Zaq123

Hello Ried, thank you so much for your help. Here are the logs. As you can see, I had Webroot on my system at the time and was unable to disable it.

ComboFix 11-11-22.01 - Owner 11/22/2011 6:30.1.1 - x86
Running from: E:\ComboFix.exe
AV: Webroot SecureAnywhere *Enabled/Updated* {D486329C-1488-4CEB-9CC8-D662B732D904}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\1028_DELL_XPS_Vostro 1000 .MRK
c:\windows\system32\drivers\DELL_XPS_Vostro 1000 .MRK
.
.
((((((((((((((((((((((((( Files Created from 2011-10-22 to 2011-11-22 )))))))))))))))))))))))))))))))
.
.
2011-11-22 13:04 . 2011-11-22 13:09 -------- d-----w- C:\d09abc78b87bd6cf02
2011-11-22 12:54 . 2011-11-22 12:54 -------- d-----w- C:\TDSSKiller_Quarantine
2011-11-19 21:47 . 2011-11-19 21:48 -------- d-----w- C:\a45514b98559813237f47e1c15
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-28 07:06 . 2004-08-04 10:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2004-08-04 10:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2004-08-04 10:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2004-08-04 10:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-11-05 06:53 . 2011-11-20 19:09 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CPA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-05-10 18:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"WRSVC"="c:\program files\Webroot\WRSA.exe" -ul
"Broadcom Wireless Manager UI"=c:\windows\system32\WLTRAY.exe
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"SigmatelSysTrayApp"=%ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
"WinPatrol"=c:\program files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
"Trend Micro RUBotted V2.0 Beta"=c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe"
"emsisoft anti-malware"="c:\program files\Emsisoft Anti-Malware\a2guard.exe" /d=60
"ThreatFire"=c:\program files\ThreatFire\TFTray.exe
"Dell QuickSet"=c:\program files\Dell\QuickSet\quickset.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*isabled:Windows Remote Management 
.
R2 a2AntiMalware;Emsisoft Anti-Malware 6.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2011-11-16 2996784]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [2010-12-17 439632]
R2 SDHookService;Spybot S&D 2 Live Protection Service;c:\program files\Spybot - Search & Destroy 2\SDHookSvc.exe [2011-10-05 130976]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2011-10-05 892336]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2011-10-05 955816]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [x]
R2 WRSVC;WRSVC;c:\program files\Webroot\WRSA.exe [2011-11-22 633088]
R3 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
R3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2011-11-02 51632]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2011-02-22 69392]
S0 WRkrn;WRkrn;c:\windows\System32\drivers\WRkrn.sys [2011-11-22 106824]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 SDHookDriver;Spybot-S&D 2 Hook Driver;c:\program files\Spybot - Search & Destroy 2\SDHookDrv32.sys [2011-10-05 38504]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2011-04-24 225856]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 43757201
*NewlyCreated* - A2ANTIMALWARE
*NewlyCreated* - FXLIAKOB
*NewlyCreated* - ROOTREPEAL
*NewlyCreated* - SDHOOKDRIVER
*NewlyCreated* - TFSYSMON
*NewlyCreated* - THREATFIRE
*NewlyCreated* - TMCOMM
*Deregistered* - 43757201
*Deregistered* - fxliakob
*Deregistered* - rootrepeal
*Deregistered* - tmcomm
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-22 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2011-11-22 22:46]
.
2011-11-22 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-11-19 20:08]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\bok3zs1f.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-11-22 06:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ... 
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ThreatFire]
"AlternateImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(876)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-11-22 06:36:10
ComboFix-quarantined-files.txt 2011-11-22 13:36
.
Pre-Run: 70,299,193,344 bytes free
Post-Run: 70,490,894,336 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - 757A6F056ABCA8F389C52D32FC4FCEA5


05:53:25.0640 2852 TDSS rootkit removing tool 2.6.20.0 Nov 22 2011 12:05:55
05:53:25.0937 2852 ============================================================
05:53:25.0937 2852 Current date / time: 2011/11/22 05:53:25.0937
05:53:25.0937 2852 SystemInfo:
05:53:25.0937 2852 
05:53:25.0937 2852 OS Version: 5.1.2600 ServicePack: 3.0
05:53:25.0937 2852 Product type: Workstation
05:53:25.0937 2852 ComputerName: PC-OWNER-AK47
05:53:25.0937 2852 UserName: Owner
05:53:25.0937 2852 Windows directory: C:\WINDOWS
05:53:25.0937 2852 System windows directory: C:\WINDOWS
05:53:25.0937 2852 Processor architecture: Intel x86
05:53:25.0937 2852 Number of processors: 1
05:53:25.0937 2852 Page size: 0x1000
05:53:25.0937 2852 Boot type: Normal boot
05:53:25.0937 2852 ============================================================
05:53:27.0171 2852 Initialize success
05:53:30.0687 3372 ============================================================
05:53:30.0687 3372 Scan started
05:53:30.0687 3372 Mode: Manual; 
05:53:30.0687 3372 ============================================================
05:53:32.0046 3372 a2acc (05dac43a484272de87eac038814a7840) C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys
05:53:32.0046 3372 a2acc - ok
05:53:32.0234 3372 Abiosdsk - ok
05:53:32.0312 3372 abp480n5 - ok
05:53:32.0375 3372 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
05:53:32.0375 3372 ACPI - ok
05:53:32.0437 3372 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
05:53:32.0437 3372 ACPIEC - ok
05:53:32.0453 3372 adpu160m - ok
05:53:32.0515 3372 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
05:53:32.0515 3372 aec - ok
05:53:32.0578 3372 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
05:53:32.0593 3372 AFD - ok
05:53:32.0609 3372 Aha154x - ok
05:53:32.0640 3372 aic78u2 - ok
05:53:32.0656 3372 aic78xx - ok
05:53:32.0687 3372 AliIde - ok
05:53:32.0765 3372 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
05:53:32.0765 3372 AmdK8 - ok
05:53:32.0796 3372 amsint - ok
05:53:32.0843 3372 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
05:53:32.0843 3372 APPDRV - ok
05:53:32.0875 3372 asc - ok
05:53:32.0906 3372 asc3350p - ok
05:53:32.0921 3372 asc3550 - ok
05:53:33.0000 3372 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
05:53:33.0000 3372 AsyncMac - ok
05:53:33.0046 3372 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
05:53:33.0046 3372 atapi - ok
05:53:33.0062 3372 Atdisk - ok
05:53:33.0171 3372 ati2mtag (e78b73eb84c257d0d940e041742d2699) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
05:53:33.0187 3372 ati2mtag - ok
05:53:33.0218 3372 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
05:53:33.0218 3372 Atmarpc - ok
05:53:33.0265 3372 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
05:53:33.0265 3372 audstub - ok
05:53:33.0359 3372 BCM43XX (9208c78bd9283f79a30252ad954c77a2) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
05:53:33.0359 3372 BCM43XX - ok
05:53:33.0421 3372 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
05:53:33.0421 3372 bcm4sbxp - ok
05:53:33.0453 3372 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
05:53:33.0453 3372 Beep - ok
05:53:33.0500 3372 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
05:53:33.0500 3372 cbidf2k - ok
05:53:33.0515 3372 cd20xrnt - ok
05:53:33.0531 3372 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
05:53:33.0531 3372 Cdaudio - ok
05:53:33.0562 3372 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
05:53:33.0562 3372 Cdfs - ok
05:53:33.0578 3372 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
05:53:33.0593 3372 Cdrom - ok
05:53:33.0640 3372 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
05:53:33.0640 3372 cercsr6 - ok
05:53:33.0656 3372 Changer - ok
05:53:33.0687 3372 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
05:53:33.0687 3372 CmBatt - ok
05:53:33.0703 3372 CmdIde - ok
05:53:33.0734 3372 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
05:53:33.0734 3372 Compbatt - ok
05:53:33.0765 3372 Cpqarray - ok
05:53:33.0796 3372 dac2w2k - ok
05:53:33.0812 3372 dac960nt - ok
05:53:33.0828 3372 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
05:53:33.0828 3372 Disk - ok
05:53:33.0890 3372 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
05:53:33.0906 3372 dmboot - ok
05:53:33.0921 3372 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
05:53:33.0921 3372 dmio - ok
05:53:33.0937 3372 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
05:53:33.0937 3372 dmload - ok
05:53:33.0984 3372 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
05:53:34.0000 3372 DMusic - ok
05:53:34.0015 3372 dpti2o - ok
05:53:34.0062 3372 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
05:53:34.0062 3372 drmkaud - ok
05:53:34.0109 3372 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
05:53:34.0109 3372 Fastfat - ok
05:53:34.0156 3372 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
05:53:34.0156 3372 Fdc - ok
05:53:34.0171 3372 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
05:53:34.0171 3372 Fips - ok
05:53:34.0187 3372 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
05:53:34.0203 3372 Flpydisk - ok
05:53:34.0218 3372 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
05:53:34.0234 3372 FltMgr - ok
05:53:34.0250 3372 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
05:53:34.0265 3372 Fs_Rec - ok
05:53:34.0281 3372 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
05:53:34.0281 3372 Ftdisk - ok
05:53:34.0296 3372 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
05:53:34.0312 3372 Gpc - ok
05:53:34.0328 3372 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
05:53:34.0328 3372 HDAudBus - ok
05:53:34.0359 3372 hpn - ok
05:53:34.0421 3372 HSFHWAZL (290cdbb05903742ea06b7203c5a662f5) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
05:53:34.0421 3372 HSFHWAZL - ok
05:53:34.0453 3372 HSF_DPV (7ab812355f98858b9ecdd46e6fcc221f) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
05:53:34.0468 3372 HSF_DPV - ok
05:53:34.0531 3372 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
05:53:34.0531 3372 HTTP - ok
05:53:34.0546 3372 i2omgmt - ok
05:53:34.0562 3372 i2omp - ok
05:53:34.0578 3372 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
05:53:34.0578 3372 i8042prt - ok
05:53:34.0609 3372 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
05:53:34.0609 3372 Imapi - ok
05:53:34.0640 3372 ini910u - ok
05:53:34.0656 3372 IntelIde - ok
05:53:34.0687 3372 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
05:53:34.0687 3372 Ip6Fw - ok
05:53:34.0718 3372 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
05:53:34.0734 3372 IpFilterDriver - ok
05:53:34.0750 3372 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
05:53:34.0750 3372 IpInIp - ok
05:53:34.0796 3372 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
05:53:34.0796 3372 IpNat - ok
05:53:34.0828 3372 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
05:53:34.0828 3372 IPSec - ok
05:53:34.0859 3372 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
05:53:34.0859 3372 IRENUM - ok
05:53:34.0890 3372 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
05:53:34.0906 3372 isapnp - ok
05:53:34.0953 3372 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
05:53:34.0953 3372 Kbdclass - ok
05:53:35.0000 3372 KeyScrambler (8f1bb80d589affb9c5e9cd7544251b29) C:\WINDOWS\system32\drivers\keyscrambler.sys
05:53:35.0015 3372 KeyScrambler - ok
05:53:35.0078 3372 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
05:53:35.0078 3372 kmixer - ok
05:53:35.0109 3372 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
05:53:35.0109 3372 KSecDD - ok
05:53:35.0140 3372 lbrtfdc - ok
05:53:35.0187 3372 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
05:53:35.0187 3372 mdmxsdk - ok
05:53:35.0250 3372 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
05:53:35.0250 3372 mnmdd - ok
05:53:35.0265 3372 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
05:53:35.0281 3372 Modem - ok
05:53:35.0296 3372 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
05:53:35.0296 3372 Mouclass - ok
05:53:35.0312 3372 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
05:53:35.0312 3372 MountMgr - ok
05:53:35.0328 3372 mraid35x - ok
05:53:35.0343 3372 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
05:53:35.0343 3372 MRxDAV - ok
05:53:35.0421 3372 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
05:53:35.0421 3372 MRxSmb - ok
05:53:35.0453 3372 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
05:53:35.0453 3372 Msfs - ok
05:53:35.0500 3372 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
05:53:35.0515 3372 MSKSSRV - ok
05:53:35.0531 3372 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
05:53:35.0531 3372 MSPCLOCK - ok
05:53:35.0562 3372 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
05:53:35.0562 3372 MSPQM - ok
05:53:35.0593 3372 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
05:53:35.0593 3372 mssmbios - ok
05:53:35.0640 3372 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
05:53:35.0640 3372 Mup - ok
05:53:35.0703 3372 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
05:53:35.0703 3372 NDIS - ok
05:53:35.0734 3372 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
05:53:35.0734 3372 NdisTapi - ok
05:53:35.0750 3372 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
05:53:35.0750 3372 Ndisuio - ok
05:53:35.0765 3372 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
05:53:35.0765 3372 NdisWan - ok
05:53:35.0812 3372 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
05:53:35.0812 3372 NDProxy - ok
05:53:35.0828 3372 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
05:53:35.0828 3372 NetBIOS - ok
05:53:35.0859 3372 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
05:53:35.0859 3372 NetBT - ok
05:53:35.0968 3372 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys
05:53:35.0968 3372 NPF - ok
05:53:35.0984 3372 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
05:53:35.0984 3372 Npfs - ok
05:53:36.0031 3372 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
05:53:36.0046 3372 Ntfs - ok
05:53:36.0078 3372 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
05:53:36.0078 3372 Null - ok
05:53:36.0125 3372 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
05:53:36.0125 3372 NwlnkFlt - ok
05:53:36.0156 3372 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
05:53:36.0156 3372 NwlnkFwd - ok
05:53:36.0203 3372 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
05:53:36.0203 3372 Parport - ok
05:53:36.0218 3372 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
05:53:36.0218 3372 PartMgr - ok
05:53:36.0250 3372 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
05:53:36.0250 3372 ParVdm - ok
05:53:36.0265 3372 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
05:53:36.0265 3372 PCI - ok
05:53:36.0281 3372 PCIDump - ok
05:53:36.0312 3372 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
05:53:36.0312 3372 PCIIde - ok
05:53:36.0343 3372 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
05:53:36.0359 3372 Pcmcia - ok
05:53:36.0375 3372 PDCOMP - ok
05:53:36.0375 3372 PDFRAME - ok
05:53:36.0390 3372 PDRELI - ok
05:53:36.0406 3372 PDRFRAME - ok
05:53:36.0421 3372 perc2 - ok
05:53:36.0437 3372 perc2hib - ok
05:53:36.0500 3372 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
05:53:36.0500 3372 PptpMiniport - ok
05:53:36.0531 3372 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
05:53:36.0531 3372 Processor - ok
05:53:36.0546 3372 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
05:53:36.0546 3372 PSched - ok
05:53:36.0562 3372 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
05:53:36.0562 3372 Ptilink - ok
05:53:36.0578 3372 ql1080 - ok
05:53:36.0593 3372 Ql10wnt - ok
05:53:36.0609 3372 ql12160 - ok
05:53:36.0625 3372 ql1240 - ok
05:53:36.0640 3372 ql1280 - ok
05:53:36.0671 3372 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
05:53:36.0671 3372 RasAcd - ok
05:53:36.0687 3372 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
05:53:36.0703 3372 Rasl2tp - ok
05:53:36.0718 3372 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
05:53:36.0718 3372 RasPppoe - ok
05:53:36.0734 3372 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
05:53:36.0734 3372 Raspti - ok
05:53:36.0765 3372 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
05:53:36.0765 3372 Rdbss - ok
05:53:36.0781 3372 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
05:53:36.0781 3372 RDPCDD - ok
05:53:36.0812 3372 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
05:53:36.0812 3372 rdpdr - ok
05:53:36.0859 3372 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
05:53:36.0875 3372 RDPWD - ok
05:53:36.0906 3372 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
05:53:36.0906 3372 redbook - ok
05:53:36.0953 3372 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
05:53:36.0953 3372 rimmptsk - ok
05:53:37.0109 3372 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
05:53:37.0109 3372 SASDIFSV - ok
05:53:37.0125 3372 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
05:53:37.0125 3372 SASKUTIL - ok
05:53:37.0171 3372 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
05:53:37.0171 3372 sdbus - ok
05:53:37.0250 3372 SDHookDriver (47dd7bb6b72a5f49e01f53597bcaeac7) C:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys
05:53:37.0250 3372 SDHookDriver - ok
05:53:37.0281 3372 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
05:53:37.0281 3372 Secdrv - ok
05:53:37.0328 3372 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
05:53:37.0328 3372 Serial - ok
05:53:37.0390 3372 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
05:53:37.0390 3372 Sfloppy - ok
05:53:37.0406 3372 Simbad - ok
05:53:37.0437 3372 Sparrow - ok
05:53:37.0484 3372 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
05:53:37.0484 3372 splitter - ok
05:53:37.0515 3372 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
05:53:37.0515 3372 sr - ok
05:53:37.0578 3372 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
05:53:37.0578 3372 Srv - ok
05:53:37.0671 3372 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
05:53:37.0671 3372 STHDA - ok
05:53:37.0703 3372 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
05:53:37.0703 3372 swenum - ok
05:53:37.0734 3372 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
05:53:37.0734 3372 swmidi - ok
05:53:37.0750 3372 symc810 - ok
05:53:37.0765 3372 symc8xx - ok
05:53:37.0781 3372 sym_hi - ok
05:53:37.0796 3372 sym_u3 - ok
05:53:37.0859 3372 SynTP (936cd58395d36659bb798b961ef7357f) C:\WINDOWS\system32\DRIVERS\SynTP.sys
05:53:37.0859 3372 SynTP - ok
05:53:37.0890 3372 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
05:53:37.0890 3372 sysaudio - ok
05:53:37.0953 3372 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
05:53:37.0968 3372 Tcpip - ok
05:53:38.0000 3372 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
05:53:38.0000 3372 TDPIPE - ok
05:53:38.0015 3372 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
05:53:38.0015 3372 TDTCP - ok
05:53:38.0031 3372 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
05:53:38.0046 3372 TermDD - ok
05:53:38.0109 3372 TfSysMon (57edbb5fe7ff09bb21121d13bb950ba5) C:\WINDOWS\system32\drivers\TfSysMon.sys
05:53:38.0109 3372 TfSysMon - ok
05:53:38.0140 3372 TosIde - ok
05:53:38.0171 3372 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
05:53:38.0171 3372 Udfs - ok
05:53:38.0187 3372 ultra - ok
05:53:38.0203 3372 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
05:53:38.0218 3372 Update - ok
05:53:38.0265 3372 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
05:53:38.0265 3372 usbehci - ok
05:53:38.0296 3372 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
05:53:38.0296 3372 usbhub - ok
05:53:38.0343 3372 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
05:53:38.0343 3372 usbohci - ok
05:53:38.0375 3372 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
05:53:38.0390 3372 USBSTOR - ok
05:53:38.0421 3372 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
05:53:38.0421 3372 VgaSave - ok
05:53:38.0437 3372 ViaIde - ok
05:53:38.0468 3372 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
05:53:38.0468 3372 VolSnap - ok
05:53:38.0500 3372 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
05:53:38.0500 3372 Wanarp - ok
05:53:38.0531 3372 WDICA - ok
05:53:38.0578 3372 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
05:53:38.0578 3372 wdmaud - ok
05:53:38.0640 3372 winachsf (a8596cf86d445269a42ecc08b7066a4c) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
05:53:38.0656 3372 winachsf - ok
05:53:38.0718 3372 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
05:53:38.0718 3372 WmiAcpi - ok
05:53:38.0781 3372 WRkrn (1e53973998d1b327035c2a010d7749ac) C:\WINDOWS\system32\drivers\WRkrn.sys
05:53:38.0781 3372 WRkrn - ok
05:53:38.0828 3372 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
05:53:38.0828 3372 WS2IFSL - ok
05:53:38.0890 3372 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
05:53:38.0890 3372 WudfPf - ok
05:53:38.0921 3372 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
05:53:38.0921 3372 WudfRd - ok
05:53:38.0968 3372 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
05:53:39.0140 3372 \Device\Harddisk0\DR0 - ok
05:53:39.0140 3372 Boot (0x1200) (ea6e6043177b2f7f73259da0ff4e018d) \Device\Harddisk0\DR0\Partition0
05:53:39.0140 3372 \Device\Harddisk0\DR0\Partition0 - ok
05:53:39.0156 3372 ============================================================
05:53:39.0156 3372 Scan finished
05:53:39.0156 3372 ============================================================
05:53:39.0171 3828 Detected object count: 0
05:53:39.0171 3828 Actual detected object count: 0
05:53:56.0046 3692 ============================================================
05:53:56.0046 3692 Scan started
05:53:56.0046 3692 Mode: Manual; SigCheck; TDLFS; 
05:53:56.0046 3692 ============================================================
05:53:56.0375 3692 a2acc (05dac43a484272de87eac038814a7840) C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys
05:53:56.0562 3692 a2acc - ok
05:53:56.0593 3692 Abiosdsk - ok
05:53:56.0609 3692 abp480n5 - ok
05:53:56.0671 3692 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
05:53:56.0906 3692 ACPI - ok
05:53:57.0000 3692 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
05:53:57.0171 3692 ACPIEC - ok
05:53:57.0187 3692 adpu160m - ok
05:53:57.0234 3692 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
05:53:57.0406 3692 aec - ok
05:53:57.0468 3692 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
05:53:57.0515 3692 AFD - ok
05:53:57.0531 3692 Aha154x - ok
05:53:57.0546 3692 aic78u2 - ok
05:53:57.0546 3692 aic78xx - ok
05:53:57.0578 3692 AliIde - ok
05:53:57.0625 3692 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
05:53:57.0656 3692 AmdK8 - ok
05:53:57.0671 3692 amsint - ok
05:53:57.0718 3692 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
05:53:57.0750 3692 APPDRV ( UnsignedFile.Multi.Generic ) - warning
05:53:57.0750 3692 APPDRV - detected UnsignedFile.Multi.Generic (1)
05:53:57.0765 3692 asc - ok
05:53:57.0781 3692 asc3350p - ok
05:53:57.0781 3692 asc3550 - ok
05:53:57.0843 3692 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
05:53:57.0953 3692 AsyncMac - ok
05:53:58.0000 3692 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
05:53:58.0156 3692 atapi - ok
05:53:58.0187 3692 Atdisk - ok
05:53:58.0343 3692 ati2mtag (e78b73eb84c257d0d940e041742d2699) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
05:53:58.0500 3692 ati2mtag - ok
05:53:58.0546 3692 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
05:53:58.0687 3692 Atmarpc - ok
05:53:58.0734 3692 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
05:53:58.0906 3692 audstub - ok
05:53:59.0000 3692 BCM43XX (9208c78bd9283f79a30252ad954c77a2) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
05:53:59.0109 3692 BCM43XX - ok
05:53:59.0156 3692 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
05:53:59.0218 3692 bcm4sbxp - ok
05:53:59.0234 3692 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
05:53:59.0437 3692 Beep - ok
05:53:59.0453 3692 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
05:53:59.0656 3692 cbidf2k - ok
05:53:59.0671 3692 cd20xrnt - ok
05:53:59.0687 3692 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
05:53:59.0859 3692 Cdaudio - ok
05:53:59.0906 3692 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
05:54:00.0031 3692 Cdfs - ok
05:54:00.0046 3692 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
05:54:00.0171 3692 Cdrom - ok
05:54:00.0218 3692 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
05:54:00.0250 3692 cercsr6 ( UnsignedFile.Multi.Generic ) - warning
05:54:00.0250 3692 cercsr6 - detected UnsignedFile.Multi.Generic (1)
05:54:00.0265 3692 Changer - ok
05:54:00.0328 3692 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
05:54:00.0468 3692 CmBatt - ok
05:54:00.0484 3692 CmdIde - ok
05:54:00.0515 3692 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
05:54:00.0640 3692 Compbatt - ok
05:54:00.0656 3692 Cpqarray - ok
05:54:00.0671 3692 dac2w2k - ok
05:54:00.0687 3692 dac960nt - ok
05:54:00.0718 3692 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
05:54:00.0875 3692 Disk - ok
05:54:00.0937 3692 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
05:54:01.0093 3692 dmboot - ok
05:54:01.0109 3692 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
05:54:01.0265 3692 dmio - ok
05:54:01.0281 3692 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
05:54:01.0421 3692 dmload - ok
05:54:01.0468 3692 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
05:54:01.0625 3692 DMusic - ok
05:54:01.0656 3692 dpti2o - ok
05:54:01.0687 3692 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
05:54:01.0828 3692 drmkaud - ok
05:54:20.0562 3692 ============================================================
05:54:20.0562 3692 Scan finished
05:54:20.0562 3692 ============================================================
05:54:20.0671 2980 Detected object count: 2
05:54:20.0671 2980 Actual detected object count: 2
05:54:58.0484 2980 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS - copied to quarantine
05:54:58.0484 2980 APPDRV ( UnsignedFile.Multi.Generic ) - User select action: Quarantine 
05:54:58.0578 2980 C:\WINDOWS\system32\drivers\cercsr6.sys - copied to quarantine
05:54:58.0578 2980 cercsr6 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine 
05:55:49.0500 1160 Deinitialize success


----------



## Ried

You're welcome. 

Download and run HAMeb_check.exe

Post the contents of the resulting log.

Also, are you connecting to the internet with router? What happens when you do searches with Google - do you experience redirects?


----------



## Zaq123

Hello again,
Yes I connect through a router. I have not been getting any OBVIOUS redirects, but I am very certain that my browsing is being manipulated. This all started a couple of months ago. I believe I was either hacked through utube or another site I was a member of. I went to utube and my password was changed and my password was changed on the other website. I have wiped, with massive overkill - DOD, and reloaded my op probably easily 6 times since. I even took the darn thing apart and removed the battery, took out the hard drive, of course, replaced the hard drive, and wiped it with the internal battery out and reloaded it. I know taking the battery out of an XP OS doesn't clear the BIOS like it used to, but I thought I'd do everything I could think of. Like I stated earlier, with a fresh clean install, and never touching the internet, the true administrator account's password changed, as did the user admin password. I don't know how that is even possible??? After I reformatted this time and tried to connect to the internet, the router passwords were changed and I could not connect to the internet even directly through the ethernet cable. I went to the library and it connected just fine. I came back and factory reset the routers and password protected them again and have been using it since. I am not insane, nor a liar. How is this possible? I'm beginning to really, really wonder what "entity" is behind this. Or, maybe I am going insane?
Here is the log you requested.

C:\Documents and Settings\Owner\Desktop\HAMeb_check.exe
Mon 11/28/2011 at 17:43:55.12

Account active No
Local Group Memberships 

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 
kernel: MBR read successfully
user & kernel MBR OK 

~~ Checking for termsrv32.dll ~~

termsrv32.dll was not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"=5985:TCP:*isabled:Windows Remote Management 


~~ EOF ~~


----------



## Zaq123

Oh, and spybot s&d - older version, where you can check the system startup (IMO serious error not having this feature in beta) said ctfmon was a virus or trojan. It was in a windows uninstall folder and another windows folder (can't remember now), and, of course, in system32. I understand with XP that the other folder was OK. I had disabled ctfmon through regional and languages. I just decided to take them all out. The system immediately asked to restore ctfmon. I didn't.


----------



## Ried

I'm not sure about that finding for ctfmon and wouldn't worry too much about it at this point.

Here's the thing - you replaced the hard drive, so that would rule out an infected master boot record.

You've already reset the router, so that rules out a hacked router.

I'm not seeing anything in any of the logs, and unfortunately, we can't remove what we cannot see.

Can you explain to me about Administrator password being changed? How long ago did that happen? Or let me rephrase - has it been changed without your doing so, after you did the hard reset on the router?


----------



## Zaq123

I see the way I stated that post that it sounds like I put in a new hard drive. I did not, I just removed it when I took out the battery and let it sit overnight, then put it back in the computer. I do believe the routers were hacked, the passwords were changed. Yes, the passwords on my machine were changed without me doing so and no one has had access to my computer. You say there is nothing to be seen? Rootkit identified a number of rootkits that it could not remove. When I open task manager, all that shows is the user profile screen which is blank. Like I stated, I am certain that my browser is being redirected - just minutes ago, doing a search to correctly spell a word, the only dictionary that came up was in Spanish, and this was a google search. In researching around about my situation, I found information about Blue Pill. Considering things I do on utube, this trojan would be right up someone's alley. Is a BIOS hack possible?


----------



## Ried

I've been doing this for 6 years and have yet to come across an infected bios.

Since you clarified that you did _not_ replace the hard drive, I'd like for you to run another tool please.

Please download aswMBR.exe and save it to your desktop. 

Double click aswMBR.exe to start the tool. At this time, select *No* when prompted to download the Avast database.


Click *Scan*
Upon completion of the scan, click *Save log* and save it to your desktop, and post that log in your next reply for review. * Note - do NOT attempt any Fix yet. *

You will also notice another file created on the desktop named *MBR.dat*. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.




> Rootkit identified a number of rootkits that it could not remove.


What rootkits? What tool exactly is that, and is there a log you can show me?


----------



## Zaq123

Should I uninstall winrar so I can zip that file?


----------



## Ried

No, no need to go through that. I happen to have winrar, so go ahead and use that.


----------



## Zaq123

I did not see your question about the rootkits. TrendMicro's RootkitBuster found them, but I am unable to find the log. I did run the combofix and TDSSKiller before coming to this forum. Perhaps I should run them again?
Here are the other logs requested.


swMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-11-28 20:03:40
-----------------------------
20:03:40.343 OS Version: Windows 5.1.2600 Service Pack 3
20:03:40.343 Number of processors: 1 586 0x7C02
20:03:40.343 ComputerName: PC-OWNER-AK47 UserName: Owner
20:03:41.015 Initialize success
20:03:55.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:03:55.875 Disk 0 Vendor: WDC_WD800BEVS-75RST0 04.01G04 Size: 76319MB BusType: 3
20:03:57.890 Disk 0 MBR read successfully
20:03:57.890 Disk 0 MBR scan
20:03:57.890 Disk 0 Windows XP default MBR code
20:03:57.890 Disk 0 scanning sectors +156280320
20:03:57.984 Disk 0 scanning C:\WINDOWS\system32\drivers
20:04:14.437 Service scanning
20:04:15.656 Modules scanning
20:04:21.796 Disk 0 trace - called modules:
20:04:21.812 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS 
20:04:21.812 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84b8dab8]
20:04:21.812 3 CLASSPNP.SYS[f7544fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x84b95d98]
20:04:21.812 Scan finished successfully
20:05:51.234 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
20:05:51.250 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


----------



## Zaq123

As you can see, I use ccleaner and glary's. I do wipe everything from my system fairly regularly, all the logs, etc. I don't know if doing that may be removing information that would be useful to you?


----------



## Ried

Yes, those logs may have proven helpful to me. 

One more thing we can check, but it will require you to have a blank CD to create a bootable disc.

Download *gparted-live-0.10.0-3.iso* and save it to your desktop. 

If you double-click the file, you should be prompted to burn the image to a blank CD. If so, proceed and let me know when done. 

If not prompted, download *IsoBurner-Setup.exe* and save it to your desktop. 

Double-click *IsoBurner-Setup.exe* and follow the prompts to install it. 

Double-click the iso file again and you should be prompted to burn the iso to CD. Let me know when you have accomplished that.


----------



## Zaq123

Is the gibberish that is shown in the dat file normal? I don't have a CD on hand, but will try to round one up quickly.


----------



## Ried

If you're referring to the mbr.dat file, yes - it needs to be viewed with a special tool.


----------



## Zaq123

Ok, I downloaded gparted and unzipped it. It's now a set of folders. In the utils folder there's a win32 folder, this has the only exe file I could find. I clicked that and a dos screen flashed for a split second and that's it. HELP!


----------



## Ried

It should not have been a .zip file - it's an .iso file. Click this link to be taken directly to download Download GParted from SourceForge.net


----------



## Zaq123

That's what I thought, it did say iso. In trying to download it again, it says gparted . . .iso
which is a: WinRAR archive (110 MB)
What should firefox do . . . and it has the open with WinRAR default.
It will not allow me to download it without using WinRar, or IE, notepad, etc.


----------



## Ried

In Firefox click Tools>Options 
Click the Applications tab and look for that file type .iso in the list. Click Actions and change it to Save File.

If that doesn't work out for you, can you download it from IE?


----------



## Zaq123

I just went ahead and got rid of winrar. I've got it burned. Now what?


----------



## Ried

You will have to change your boot order to load from your CD-ROM drive: 

Follow the steps here to change the boot order in your BIOS to boot up from a CD:

How to Set BIOS to Boot from CDROM - www.hiren.info

Accept all default options as the LiveCD loads. By that I mean when you'll be seeing a blue screen with
"configuring console-data"
"Don't touch keymap" will be highlighted
Various other options 

Anything it says, just click OK to.

You should then see a screen that lists your partitions. Hopefully, you have a camera you can use to take a picture of that screen and upload that to me.

If not, very carefully, write down exactly what is listed there. I need all of it.

When you're done with that, click the Exit button in the upper right hand corner.


----------



## Zaq123

There are some changes to my system on reboot - my screen resolution has changed and there are changes in Dell's Quickset having to do with my wireless - however, the real area I need to configure is Bios Administration locked and I have to contact my system administrator. Broadcom, Dell's wireless utility is still gone, but the drivers are still loaded.

Here is what I hope you are looking for: I am very dyslexic so please bear that in mind.

failed to read: session.screen0.toolbar.maxOver
setting default value
" " " : session.screen0.toolbar.visable
setting default value
" " " : session.screen0.toolbar.alpha
setting default value
" " " : " " " .layer
setting default value
" " ": " " " .onhead
setting default value
" " " " " " .placemat
setting default vale
" " " " " " .height
setting default value
failed to read:session.screen0.iconbar.mode
setting default value
" " " " " .iconbar.alliagnment
set deflt vlu
.iconbar.iconwidth
set deflt vlu
.iconbar.conTextPaddling
set deflt vlu
.iconbar.userPixmap
set deflt vlu

libparted: 2.3
failed to read: session screen0.titlebar.left
failed to read:setting default value screen0.titlebar.size
gdialog is /usr/bin/gdialog
gdialog is /urs/bin/gdialog
Broadeast message from [email protected] (Mon Nov 28 22:41;11 2011)
system is going down for reboot
using makefile style concurrent boot in runlevel6
stopping MD monitoring sevice:mdadm- - monitor
unmounting iscsi-backed filesystem:unmounting all devices marked_netdev (or dav)
asking all processes ended within 1 second . . . done
unmounting temp filesystem . . . done
deactivating swap . . . done
stopping remaining crypto disks. . . done
stopping early crypto disks . . . done
stopping early crypto disks . . . done
live boot is resyncing snapshots and caching reboot files . . . mounted:/live/cow is busy 

AAAAHHHhhhhhhh!! I need a camera!


----------



## Zaq123

I see that what I typed did not post just as I typed it - all the " " " collapsed. I just added them where it was all a repeated session.screen0.toolbar and session.screen0.iconbar. I'm sure you likely realize that, but figured I would clarify.
Thank you so much for your help today!! Have a good night.


----------



## Ried

You're welcome. 

Did you ever get to a screen that looked similar to this? That is what I need a pic of, or for you to write down: (it won't have the red box or arrow, just a list of partitions, their sizes, and whether they're Active, or Boot.)


----------



## Zaq123

OMGosh! Yes, and thankfully I did, LOL!

/dev/sda1 74.52 GiB

/dev/sda/ ntfs 74.52 GiB 9.39 GiB 65.13 GiB flags (I'm not sure if it did say flags or if I wrote that down for the flags section)
unallocated unallocated  10.34 MiB

There was no Active or Boot.
What had changed in Dell Quickset is now gone again. Should I get rid of that sys restore point?


----------



## Ried

Nice job! :smile:

I'm sorry, I'm not following what you mean by 'what had changed in Dell Quickset..' and no, do not get rid of any restore points til we're through here.

I appreciate all your efforts, but without knowing what is Active, or Boot, I can't establish what I'm looking for.

Try this - click Start>Run and copy/paste the following into the Run box and click OK:

*diskmgmt.msc*

Give it time to populate, then take a screenshot and post that to me. In Windows a screenshot of the entire monitor, complete with taskbar, can be copied to the system clipboard by pressing the Print screen key (normally located in the top row on the right-hand side of the keyboard).

You can then paste the clipboard into a program like MS Paint to save it as an image file or paste it directly into a document. 

Press the Print screen key 
Click the "Start" button (normally located in the bottom left of your screen). 
Click "Run" & type "mspaint" (without quotes) & click the "OK" button. 
Wait while the application "Paint" opens. Once it is open, proceed to the next step. 
Click the "Edit" menu and select "Paste". 
Click the "File" menu and select "Save As...". A dialog box will appear. 
In the "File name" field, enter a name of your choice. 
Click the "Save as type" drop-down and select "JPEG (*.JPG;*.JPEG;*.JPE*;.JFIF)". 
Click the "Save" button.
To attach a file to a new post, simply Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, browse to where you saved the file, and Click Upload.


----------



## Zaq123

Ok, the deal with Dell Quickset is that in it are options for wireless capabilities; there was a change to those that would have helped me get my Broadcom wireless back and working. Broadcom is the usual way my computer connects to the internet. In my first post, this whole Broadcom system disappeared after I had removed all those IE temp files and wiped the free space. When I restarted the computer Broadcom was gone, keyscrambler was toast, my firewall was disabled, etc., etc.
Here is the screenshot.


----------



## Zaq123

OK, I went and ran that cd again. On the /dev/sda/ line, it did say boot. I was tired, and wrote flag.


----------



## Ried

Ok, we have conflicting info between GParted and Windows disk management.

I need for you to boot from the GParted disc you created, same as before, and get it to that screen where it shows the partitions.

This is the one I need more detail on

unallocated unallocated *10.34 MiB*

Does it have a yellow triangle with an exclamation point next to it, or does it say 'boot hidden' in the far right column?
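
The MBR.dat that aswMBR saved earlier is the raw first sector of the disk, and the questions above (which entry carries the active/boot flag, whether any entry uses a hidden partition type, where the unallocated space sits and how big it is) can all be answered by parsing its partition table. The following is an added example, not a tool from this thread or from AVAST; the MBR bytes and the disk size below are constructed to resemble the single-NTFS-partition layout reported here, and `load_mbr` is a helper name of mine.

```python
"""Parse a raw 512-byte MBR sector (e.g. a saved MBR.dat) and report the
partition table the way a malware-removal helper reads it: active flag,
hidden partition types, and unallocated gaps that could hide a boot sector."""
import struct

SECTOR = 512
PART_TABLE_OFFSET = 0x1BE
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type id, CHS end, LBA start, sector count

PART_TYPES = {
    0x00: "empty", 0x07: "NTFS/exFAT", 0x0B: "FAT32 CHS", 0x0C: "FAT32 LBA",
    0x17: "hidden NTFS", 0x1B: "hidden FAT32", 0x27: "hidden NTFS (recovery)",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}
HIDDEN_TYPES = {0x17, 0x1B, 0x27}
NOTABLE_GAP = 2048  # sectors: gaps of 1 MiB or more are worth a closer look


def load_mbr(path):
    """Read the first sector of a raw dump such as MBR.dat (helper added here)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def build_mbr(entries):
    """Construct a 512-byte MBR (zeroed boot code) from up to four
    (active, type_id, start_lba, sectors) tuples. Used for sample data only."""
    table = b""
    for i in range(4):
        if i < len(entries):
            active, ptype, start, size = entries[i]
            # CHS fields are zeroed; modern code paths only use the LBA fields.
            table += struct.pack(ENTRY_FMT, 0x80 if active else 0x00,
                                 b"\0\0\0", ptype, b"\0\0\0", start, size)
        else:
            table += b"\x00" * 16
    return b"\x00" * PART_TABLE_OFFSET + table + b"\x55\xAA"


def parse_mbr(mbr):
    """Return the non-empty partition entries of a raw MBR sector."""
    if len(mbr) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, size = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0 and size == 0:
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "start": start, "sectors": size})
    return parts


def find_gaps(parts, disk_sectors):
    """Unallocated ranges as (start_lba, sectors); sector 0 (the MBR) is excluded."""
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        cursor = max(cursor, p["start"] + p["sectors"])
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def analyze(mbr, disk_sectors):
    """Summarise the points a helper checks: active flag, hidden types, large gaps."""
    parts = parse_mbr(mbr)
    gaps = find_gaps(parts, disk_sectors)
    notes = []
    if not any(p["active"] for p in parts):
        notes.append("no partition carries the active (boot) flag")
    for p in parts:
        if p["type"] in HIDDEN_TYPES:
            notes.append("entry %d uses hidden type 0x%02X" % (p["index"], p["type"]))
    for start, size in gaps:
        if size >= NOTABLE_GAP:
            notes.append("unallocated %.2f MiB at LBA %d" % (size * SECTOR / 2**20, start))
    return {"partitions": parts, "gaps": gaps, "notes": notes}


# Constructed sample: one active NTFS partition starting at LBA 63 on a disk of
# 156,301,312 sectors (about 76,319 MB). Real values come from load_mbr() and
# the drive size the tool reports; these numbers are illustrative only.
DISK_SECTORS = 156_301_312
SAMPLE_MBR = build_mbr([(True, 0x07, 63, 156_280_257)])

if __name__ == "__main__":
    report = analyze(SAMPLE_MBR, DISK_SECTORS)
    for p in report["partitions"]:
        print("entry %d: %s active=%s start=%d sectors=%d"
              % (p["index"], p["type_name"], p["active"], p["start"], p["sectors"]))
    for note in report["notes"]:
        print("note:", note)
```

A small trailing gap like the one reported here is normal alignment slack; what would matter is a partition entry with a hidden type, no entry carrying the active flag, or a gap large enough to hold a second boot volume.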


----------



## Zaq123

I'm not sure if you saw my 10:26 am post. Should I still run the cd again?


----------



## Ried

I saw it. :smile:

Yes, I still need you to run the CD again, paying special attention to what I mentioned to look for.


----------



## Zaq123

It does not say anything, there are just dashes, no triangle, no exclamation point.


----------



## Ried

Good, then there is no problem with it.

I'm sorry, I'm not finding any malware anywhere here. Please run TrendMicro's RootkitBuster again and report the findings to me.

Also, test for redirects again. Are you sure in your search for dictionary or spelling of a word, that you didn't click on a link that was for a Spanish site?


----------



## Zaq123

I never clicked any links in my search for the word. I just put it in the browser and the first and only dictionary that even came up was in Spanish. There is something on this machine. Every symptom I have listed is real and has happened. My normal wireless is toast. My task manager is toast. All kinds of programs disappeared or were rendered useless. I can not see any way that wiping free space after isolating "unusual" files in IE would possibly have this effect. I did not do any registry tinkering. I honestly believe that I have gotten the attention of a hackers group, and have very good reasons for that belief. I am hacked, obviously above and beyond the scope of what perhaps someone would even have the knowledge of, or even know what to look for. I'm sure trojans like the one you looked for that can get into packaged downloads, could easily be manipulated by very good hackers. Whatever this is, is remaining in my system even through wipes, and reloads. You said you'd never come across a bios hack. They do exist though. 
Here's the log.
+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 5.0.0.1041
| Computer Name: PC-OWNER-AK47
| User Name: Owner
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
MBR unsupported disk type
[FILE_STREAM]:
FullPath : C:\Documents and Settings\Owner\desktop\dds.com:Zone.Identifier:$DATA
FullPathLength: 47
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x1
ShareAccess : 0x0
Type : 0x0
[FILE_STREAM]:
FullPath : C:\Documents and Settings\Owner\desktop\gmer.zip:Zone.Identifier:$DATA
FullPathLength: 48
DesiredAccess : 0x0
Options : 0x0
Attributes : 0x20
ShareAccess : 0x0
Type : 0x0
2 hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x805b1d8e
CurrentHandler : 0xf7bbb8a4
ServiceNumber : 0x19
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x8061acec
CurrentHandler : 0xf7bbb85e
ServiceNumber : 0x29
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x805a0816
CurrentHandler : 0xf7bbb8ae
ServiceNumber : 0x32
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x805c736a
CurrentHandler : 0xf7bbb854
ServiceNumber : 0x35
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x8061b188
CurrentHandler : 0xf7bbb863
ServiceNumber : 0x3f
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x8061b358
CurrentHandler : 0xf7bbb86d
ServiceNumber : 0x41
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x805b39a2
CurrentHandler : 0xf7bbb89f
ServiceNumber : 0x44
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x8061cf10
CurrentHandler : 0xf7bbb872
ServiceNumber : 0x62
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x805c13f8
CurrentHandler : 0xf7bbb840
ServiceNumber : 0x7a
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x805c1684
CurrentHandler : 0xf7bbb845
ServiceNumber : 0x80
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x80618f10
CurrentHandler : 0xf7bbb8c7
ServiceNumber : 0xb1
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x8061cdc0
CurrentHandler : 0xf7bbb87c
ServiceNumber : 0xc1
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x805981ba
CurrentHandler : 0xf7bbb8b8
ServiceNumber : 0xc8
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x8061c6cc
CurrentHandler : 0xf7bbb877
ServiceNumber : 0xcc
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x805c7a8c
CurrentHandler : 0xf7bbb8b3
ServiceNumber : 0xd5
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x805b6114
CurrentHandler : 0xf7bbb8bd
ServiceNumber : 0xed
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x8061925e
CurrentHandler : 0xf7bbb868
ServiceNumber : 0xf7
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x8060ec2c
CurrentHandler : 0xf7bbb8c2
ServiceNumber : 0xff
ModuleName : 
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : Z
Image Path : 
OriginalHandler : 0x805c8da6
CurrentHandler : 0xf7bbb84f
ServiceNumber : 0x101
ModuleName : 
SDTType : 0x0
No hidden operating system service hooks found.

--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
No kernel code patching detected.

--== Dump Hidden Services ==--
No hidden services found.
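The RootkitBuster log above reports two "hidden files" that are both Zone.Identifier streams and nineteen hooked service entries whose CurrentHandler addresses all sit within a few hundred bytes of each other (0xf7bbb840 to 0xf7bbb8c7). As an added example that is not part of this thread or of Trend Micro's tool, the Python script below parses this log format and applies those two triage checks; the sample log is a constructed excerpt in the same format, and the 0x1000-byte cluster threshold is an assumption.

```python
import re

# Constructed excerpt in the format of the RootkitBuster log in the thread;
# the second stream is an invented entry that should NOT be treated as benign.
SAMPLE_LOG = """\
[FILE_STREAM]:
FullPath : C:\\Documents and Settings\\Owner\\desktop\\dds.com:Zone.Identifier:$DATA
[FILE_STREAM]:
FullPath : C:\\temp\\example.exe:extra:$DATA
[HOOKED_SERVICE_API]:
CurrentHandler : 0xf7bbb8a4
ServiceNumber : 0x19
[HOOKED_SERVICE_API]:
CurrentHandler : 0xf7bbb85e
ServiceNumber : 0x29
[HOOKED_SERVICE_API]:
CurrentHandler : 0xf7bbb84f
ServiceNumber : 0x101
"""

RECORD_RE = re.compile(r"^\[(\w+)\]:\s*$")


def parse_records(text):
    """Return [(record_type, {field: value}), ...]; fields split at the FIRST colon so 'C:\\' paths survive."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), {}))
        elif ":" in line and records:
            key, _, value = line.partition(":")
            records[-1][1][key.strip()] = value.strip()
    return records


def mark_of_the_web_streams(records):
    """ADS entries that are only the Zone.Identifier stream IE/Explorer writes on download, not payloads."""
    return [f["FullPath"] for t, f in records
            if t == "FILE_STREAM" and f["FullPath"].endswith(":Zone.Identifier:$DATA")]


def hook_summary(records, max_span=0x1000):
    """(hook_count, lowest_handler, highest_handler, all_in_one_module). Handlers clustered
    within max_span bytes point at one kernel module (assumed threshold), which is how a
    single installed security driver looks; a tool reporting ModuleName should name it."""
    addrs = sorted(int(f["CurrentHandler"], 16)
                   for t, f in records if t == "HOOKED_SERVICE_API")
    if not addrs:
        return (0, None, None, True)
    return (len(addrs), addrs[0], addrs[-1], addrs[-1] - addrs[0] <= max_span)
```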


----------



## Ried

As I mentioned before, I'm not finding any malware and we can only remove what can be seen.

What BIOS is on this machine? Enter your BIOS and it should be listed across the top of the screen.


----------



## Zaq123

I didn't mean to sound abrupt there, I'm just so frustrated with this situation. As far as I can tell, the BIOS is Dell version 2.6.3 with the last update for it on 12/07/07.


----------



## Ried

It's alright. I can understand your frustration and concern over what has been happening on this machine. From what I've seen, Dell BIOS is not one that they target, so it's a really slim chance that it has been hacked.


Here's a thought of what may have happened/be happening.



> With a complete clean install and without ever connecting to the internet, I have had my administrator account hijacked and password protected and user password changed
> 
> ** clients hxxp://127.0.0.1:21332


That hxxp entry is indeed a hook to malware, but at that point, you had not reset your router, and if your router had been hacked, that could explain that.




> This "thing" has complete control over task manager.


If by that you mean this..


> When I open task manager, all that shows is the user profile screen which is blank.


Double-click anywhere in the outer frame of Task Manager and the tabs and top menu bar should be back.

To get the User Profile info populated, click Start, Run and type *Services.msc* into the Run box and click OK.

You will see the services listed alphabetically. Locate *Terminal Services* and double-click it.
Set the *Startup type* to *Manual*, and click *Apply*.
Click the *Start* button to launch the service manually.
Similarly, double-click the *Fast User Switching Compatibility* service.
Set the *Startup type* to *Manual*, and click *Apply*.
Click the *Start* button to launch the service manually.
Is Task Manager populated now?



> I've run a combofix and it always removes two Vostro files. This vostro is the BIOS drive.
> 
> c:\windows\system32\drivers\1028_DELL_XPS_Vostro 1000 .MRK
> c:\windows\system32\drivers\DELL_XPS_Vostro 1000 .MRK


As I mentioned earlier, these files are not infected. CF targets these files due to the space in the filename before the file extension. That is not standard file naming technique, so it will continue to get targeted by CF until Dell changes that.



> My normal wireless is toast.


Can you explain that a bit further? I can see in your Attach.txt that the Wireless has been disabled in Device Manager. Have you tried to re-enable it via Control Panel>System>Hardware>Device Manager?


> ==== Disabled Device Manager Items =============
> .
> Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
> Description: Dell Wireless 1395 WLAN Mini-Card
> Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000B1028&REV_01\4&232B014&0&0030
> Manufacturer: Broadcom
> Name: Dell Wireless 1395 WLAN Mini-Card
> PNP Device ID: PCI\VEN_14E4&DEV_4315&SUBSYS_000B1028&REV_01\4&232B014&0&0030
> Service: BCM43XX


Did any of that help?


----------



## Zaq123

Thank you, I did get my task manager back. As for my wireless: my computer normally uses a Broadcom interface. I've tried downloading the Broadcom drivers again to try to fix the problem. That is not working. The wireless has been working all along, just not via Broadcom.


----------



## Ried

For that issue, you might want to talk to the folks in our Network Support section. Perhaps they can help you to get that working again.

Other than that, how has the machine been behaving since resetting the router?


----------



## Zaq123

It's been doing fine. I'm still getting strange results at times. How is it that this same situation has happened again and again after wiping the hard drive and reloading? How is a router hacked? Could it be that "they" have "locked onto" my MAC address??


----------



## Ried

Router hijacks are quite common, especially if you never gave it a strong password. I think in this case, what happened was that the router was hacked throughout your formatting and reinstalling the Operating System.

Since the router is a separate entity from the hard drive and Operating System, it would have remained hijacked throughout all the reinstalls. Once you performed the hard reset on the router, that took care of that.

If it would give you peace of mind, now that the router is cleared, you could wipe the hard drive, and reinstall the Operating System one more time. I think you'll be happy with the results.


----------



## Zaq123

Thank you for all your help. I knew from the beginning that I would have to wipe and reinstall. As for the router hack and passwords, I use very complicated passwords, but I think I very likely had a keylogger. Anyway, thanks again for your help.


----------

