BleepingComputer.com: TDL4@MBR code has been found

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

TDL4@MBR code has been found

#1 User is offline   herairness 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 17-April 11

Posted 17 April 2011 - 10:46 AM

Hello,
i've had this weird problem on my laptop since a few days, it's running very slow, sometimes not at all and Windows update refused to start or find any updates :( Microsoft Security Essentials found nothing, but i've used gmer before and tried it. It found the rootkit described in the topic, but after saving the log, the laptop gave me a bsod every time i tried to open any kind of browser to search what to do. So far i've only been able to run it in safe mode without networking but i can't do or run anything there, too. Help! Here's the gmer log:
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-16 20:41:34
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD3200BEVT-60A23T0 rev.02.01A02
Running: lf3ue2b0.exe; Driver: C:\Users\lars\AppData\Local\Temp\pxldapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82A8B339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AC4D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\spre.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 91C68D81 5 Bytes JMP 85E0F4E0
.text a81vi3f8.SYS 91866000 12 Bytes [44, B8, A1, 82, EE, B6, A1, ...]
.text a81vi3f8.SYS 9186600D 9 Bytes [97, A1, 82, 48, BB, A1, 82, ...] {XCHG EDI, EAX; MOV EAX, [0xa1bb4882]; ADD BYTE [EAX], 0x0}
.text a81vi3f8.SYS 91866017 170 Bytes [00, DE, 67, 39, 83, E6, 65, ...]
.text a81vi3f8.SYS 918660C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text a81vi3f8.SYS 918660CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1000] ntdll.dll!NtProtectVirtualMemory 76DD5F18 5 Bytes JMP 001B000A
.text C:\Windows\system32\svchost.exe[1000] ntdll.dll!NtWriteVirtualMemory 76DD6A98 5 Bytes JMP 001C000A
.text C:\Windows\system32\svchost.exe[1000] ntdll.dll!KiUserExceptionDispatcher 76DD7008 5 Bytes JMP 0019000A
.text C:\Windows\system32\svchost.exe[1000] ole32.dll!CoCreateInstance 76519D0B 5 Bytes JMP 0095000A
.text C:\Windows\system32\svchost.exe[1000] USER32.dll!GetCursorPos 76EEA4B3 5 Bytes JMP 009A000A
.text C:\Windows\system32\svchost.exe[1000] USER32.dll!GetForegroundWindow 76EF335D 5 Bytes JMP 009C000A
.text C:\Windows\system32\svchost.exe[1000] USER32.dll!WindowFromPoint 76F16BE9 5 Bytes JMP 009B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1252] ntdll.dll!NtProtectVirtualMemory 76DD5F18 5 Bytes JMP 0077000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1252] ntdll.dll!NtWriteVirtualMemory 76DD6A98 5 Bytes JMP 00CA000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1252] ntdll.dll!KiUserExceptionDispatcher 76DD7008 5 Bytes JMP 0076000A
.text C:\Windows\Explorer.EXE[1556] ntdll.dll!NtProtectVirtualMemory 76DD5F18 5 Bytes JMP 009F000A
.text C:\Windows\Explorer.EXE[1556] ntdll.dll!NtWriteVirtualMemory 76DD6A98 5 Bytes JMP 00A0000A
.text C:\Windows\Explorer.EXE[1556] ntdll.dll!KiUserExceptionDispatcher 76DD7008 5 Bytes JMP 0097000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8329A042] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8329A6D6] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8329A800] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8329A13E] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\a81vi3f8.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73B22437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73B05600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73B056BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B224B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73B18514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73B14CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73B1506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73B15144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73B16671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73B1826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73B187BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73B1901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73B1E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1556] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73B14BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[2192] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74E1FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[2192] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E1FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[2192] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E1FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[2192] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E1FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[2192] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74E1FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[2192] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74E1FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [73B22437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [73B05600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [73B056BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [73B224B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73B18514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [73B14CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [73B1506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [73B15144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73B16671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73B1826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73B187BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73B1901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73B1E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[3528] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [73B14BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84E031F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 84DFE1F8
Device \Driver\usbuhci \Device\USBPDO-0 85F4F1F8
Device \Driver\usbuhci \Device\USBPDO-1 85F4F1F8
Device \Driver\usbehci \Device\USBPDO-2 84DF4500
Device \Driver\usbuhci \Device\USBPDO-3 85F4F1F8
Device \Driver\usbuhci \Device\USBPDO-4 85F4F1F8
Device \Driver\usbuhci \Device\USBPDO-5 85F4F1F8
Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-6 85F4F1F8
Device \Driver\PCI_PNP8295 \Device\00000057 spre.sys
Device \Driver\volmgr \Device\HarddiskVolume1 84DFE1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\usbehci \Device\USBPDO-7 84DF4500
Device \Driver\volmgr \Device\HarddiskVolume2 84DFE1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 85E0B1F8
Device \Driver\volmgr \Device\HarddiskVolume3 84DFE1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdePort0 84E001F8
Device \Driver\atapi \Device\Ide\IdePort1 84E001F8
Device \Driver\atapi \Device\Ide\IdePort2 84E001F8
Device \Driver\atapi \Device\Ide\IdePort3 84E001F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 84E001F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 84E011F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 84E011F8
Device \Driver\msahci \Device\Ide\PciIde0Channel4 84E011F8
Device \Driver\msahci \Device\Ide\PciIde0Channel5 84E011F8
Device \Driver\cdrom \Device\CdRom1 85E0B1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 85E741F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{77F4EEE7-7C51-4CDB-9F0D-98282D08B429} 85E741F8
Device \Driver\sptd \Device\60248296 spre.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{130F2417-7D4B-4584-AA42-D498DFB45A8C} 85E741F8
Device \Driver\usbuhci \Device\USBFDO-0 85F4F1F8
Device \Driver\usbuhci \Device\USBFDO-1 85F4F1F8
Device \Driver\usbehci \Device\USBFDO-2 84DF4500
Device \Driver\usbuhci \Device\USBFDO-3 85F4F1F8
Device \Driver\usbuhci \Device\USBFDO-4 85F4F1F8
Device \Driver\usbuhci \Device\USBFDO-5 85F4F1F8
Device \Driver\usbuhci \Device\USBFDO-6 85F4F1F8
Device \Driver\usbehci \Device\USBFDO-7 84DF4500
Device \Driver\a81vi3f8 \Device\Scsi\a81vi3f81Port4Path0Target0Lun0 8602A1F8
Device \Driver\a81vi3f8 \Device\Scsi\a81vi3f81 8602A1F8
Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskWDC_WD3200BEVT-60A23T0__________________02.01A02#5&c1eac71&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE9 0xC0 0x2E 0x63 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0x9E 0x14 0x7D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6D 0x5F 0xF1 0x3D ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE9 0xC0 0x2E 0x63 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0x9E 0x14 0x7D ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6D 0x5F 0xF1 0x3D ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

#2 User is offline   fireman4it 

  • Bleepin' Fireman
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 8,311
  • Joined: 24-May 08
  • Gender:Male
  • Location:Bement, ILL

Posted 17 April 2011 - 11:01 AM

Hello and welcome to Bleeping Computer



Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Note:
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.



Thanks
" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

Posted Image
Posted Image

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click Posted Image

#3 User is offline   herairness 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 17-April 11

Posted 17 April 2011 - 11:17 AM

Hello again and thanks for the quick reply!

Log from DDS:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by lars at 19:05:50.15 on Sun 04/17/2011
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_24
Microsoft Windows 7 Ultimate 6.1.7601.1.1251.359.1033.18.1979.1373 [GMT 3:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\lars\Desktop\dds.scr
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://search.qip.ru
uStart Page = hxxp://qip.ru
uDefault_Page_URL = hxxp://qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
uSearch Bar = hxxp://search.qip.ru/ie
uSearchAssistant = hxxp://search.qip.ru/ie
uURLSearchHooks: QIPBHO Class: {95289393-33ea-4f8d-b952-483415b9c955} - c:\users\lars\appdata\roaming\microsoft\internet explorer\qipsearchbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: QIPBHO Class: {95289393-33ea-4f8d-b952-483415b9c955} - c:\users\lars\appdata\roaming\microsoft\internet explorer\qipsearchbar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [<NO NAME>]
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\lars\appdata\roaming\mozilla\firefox\profiles\5izrkhx2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
FF - Ext: B-Trust Smart Card Certificate: sc_cert_delete@b-trust.org - %profile%\extensions\sc_cert_delete@b-trust.org
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: QipAuthorizer: {32a1fd71-835e-4b11-8e54-886fda0b4c89} - %profile%\extensions\{32a1fd71-835e-4b11-8e54-886fda0b4c89}
FF - Ext: Gmail Checker: {6BFD307A-C040-11DA-9749-FB1C850B47DF} - %profile%\extensions\{6BFD307A-C040-11DA-9749-FB1C850B47DF}
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Yahoo! Mail Notifier: {89f8dde0-010a-11da-8cd6-0800200c9a66} - %profile%\extensions\{89f8dde0-010a-11da-8cd6-0800200c9a66}
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl17db85a2;MpKsl17db85a2;c:\programdata\microsoft\microsoft antimalware\definition updates\{b09d1f54-6c8e-47f2-a570-a377eebf340f}\MpKsl17db85a2.sys [2011-4-17 28752]
R1 MpKsl2a01a102;MpKsl2a01a102;c:\programdata\microsoft\microsoft antimalware\definition updates\{b09d1f54-6c8e-47f2-a570-a377eebf340f}\MpKsl2a01a102.sys [2011-4-17 28752]
R1 MpKslad14e22f;MpKslad14e22f;c:\programdata\microsoft\microsoft antimalware\definition updates\{b09d1f54-6c8e-47f2-a570-a377eebf340f}\MpKslad14e22f.sys [2011-4-16 28752]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2011-2-26 1000992]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S1 MpKsl7c5cd164;MpKsl7c5cd164;c:\programdata\microsoft\microsoft antimalware\definition updates\{b09d1f54-6c8e-47f2-a570-a377eebf340f}\MpKsl7c5cd164.sys [2011-4-17 28752]
S1 MpKsl8c3b0ab9;MpKsl8c3b0ab9;c:\programdata\microsoft\microsoft antimalware\definition updates\{b09d1f54-6c8e-47f2-a570-a377eebf340f}\MpKsl8c3b0ab9.sys [2011-4-16 28752]
S1 MpKslc9f43106;MpKslc9f43106;c:\programdata\microsoft\microsoft antimalware\definition updates\{b09d1f54-6c8e-47f2-a570-a377eebf340f}\MpKslc9f43106.sys [2011-4-17 28752]
S1 MpKslf74b3729;MpKslf74b3729;c:\programdata\microsoft\microsoft antimalware\definition updates\{b09d1f54-6c8e-47f2-a570-a377eebf340f}\MpKslf74b3729.sys [2011-4-16 28752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-26 136176]
S2 NewServiceInstall1;NewServiceInstall1;"c:\program files\sdl international\t2007\tt\lng\dialogs1031.lng" --> c:\program files\sdl international\t2007\tt\lng\Dialogs1031.lng [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-21 62464]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-21 15872]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2010-11-21 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-21 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-21 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 27264]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-21 112640]
.
=============== Created Last 30 ================
.
2011-04-17 15:22:30 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{b09d1f54-6c8e-47f2-a570-a377eebf340f}\MpKsl2a01a102.sys
2011-04-17 15:20:45 4322776 ----a-w- C:\commy.exe
2011-04-17 14:23:17 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{b09d1f54-6c8e-47f2-a570-a377eebf340f}\MpKsl17db85a2.sys
2011-04-16 15:51:05 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{b09d1f54-6c8e-47f2-a570-a377eebf340f}\MpKslad14e22f.sys
2011-04-16 15:44:40 -------- d-----w- c:\program files\CCleaner
2011-04-16 15:26:31 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-16 15:26:31 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-16 15:24:22 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
2011-04-16 15:24:21 439632 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{b5962a69-52af-4f75-b73b-8b3c511049a0}\gapaengine.dll
2011-04-16 15:24:02 6792528 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{b09d1f54-6c8e-47f2-a570-a377eebf340f}\mpengine.dll
2011-04-10 16:21:42 -------- d-----w- c:\users\lars\appdata\local\Adobe
2011-04-10 16:21:16 29272 ----a-w- c:\windows\system32\AdobePDF.dll
2011-04-05 14:29:41 -------- d-----w- c:\users\lars\appdata\local\ElevatedDiagnostics
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: WDC_WD3200BEVT-60A23T0 rev.02.01A02 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85CA0439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85ca67d0]; MOV EAX, [0x85ca684c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82A8D52F] -> \Device\Harddisk0\DR0[0x85C7B030]
3 CLASSPNP[0x88D8659E] -> ntkrnlpa!IofCallDriver[0x82A8D52F] -> [0x85BC7878]
5 ACPI[0x833B83D4] -> ntkrnlpa!IofCallDriver[0x82A8D52F] -> \IdeDeviceP0T0L0-0[0x85BBD908]
\Driver\atapi[0x85C7CC68] -> IRP_MJ_CREATE -> 0x85CA0439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskWDC_WD3200BEVT-60A23T0__________________02.01A02#5&c1eac71&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 625142446 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 19:06:30.84 ===============

Log from MBRCheck:
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Ultimate Edition
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: Hewlett-Packard
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: Presario CQ56 Notebook PC
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 181):
0x82A50000 \SystemRoot\system32\ntkrnlpa.exe
0x82A19000 \SystemRoot\system32\halmacpi.dll
0x85B86000 \SystemRoot\system32\kdcom.dll
0x83038000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x830BD000 \SystemRoot\system32\PSHED.dll
0x830CE000 \SystemRoot\system32\BOOTVID.dll
0x830D6000 \SystemRoot\system32\CLFS.SYS
0x83118000 \SystemRoot\system32\CI.dll
0x8320B000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8327C000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8328A000 \SystemRoot\system32\drivers\ACPI.sys
0x832D2000 \SystemRoot\system32\drivers\WMILIB.SYS
0x832DB000 \SystemRoot\system32\drivers\msisadrv.sys
0x832E3000 \SystemRoot\system32\drivers\vdrvroot.sys
0x832EE000 \SystemRoot\system32\drivers\pci.sys
0x83318000 \SystemRoot\System32\drivers\partmgr.sys
0x83329000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x83331000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8333C000 \SystemRoot\system32\drivers\volmgr.sys
0x8334C000 \SystemRoot\System32\drivers\volmgrx.sys
0x83397000 \SystemRoot\System32\drivers\mountmgr.sys
0x833AD000 \SystemRoot\system32\drivers\atapi.sys
0x833B6000 \SystemRoot\system32\drivers\ataport.SYS
0x833D9000 \SystemRoot\system32\drivers\msahci.sys
0x833E3000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x833F1000 \SystemRoot\system32\drivers\amdxata.sys
0x831C3000 \SystemRoot\system32\drivers\fltmgr.sys
0x83000000 \SystemRoot\system32\drivers\fileinfo.sys
0x88625000 \SystemRoot\System32\Drivers\Ntfs.sys
0x88754000 \SystemRoot\System32\Drivers\msrpc.sys
0x8877F000 \SystemRoot\System32\Drivers\ksecdd.sys
0x88792000 \SystemRoot\System32\Drivers\cng.sys
0x887EF000 \SystemRoot\System32\drivers\pcw.sys
0x88600000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x88826000 \SystemRoot\system32\drivers\ndis.sys
0x888DD000 \SystemRoot\system32\drivers\NETIO.SYS
0x8891B000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x88A38000 \SystemRoot\System32\drivers\tcpip.sys
0x88B82000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x88BB3000 \SystemRoot\system32\drivers\vmstorfl.sys
0x88BBC000 \SystemRoot\system32\drivers\volsnap.sys
0x88A00000 \SystemRoot\System32\Drivers\spldr.sys
0x88A08000 \SystemRoot\System32\drivers\rdyboost.sys
0x88940000 \SystemRoot\System32\Drivers\mup.sys
0x88950000 \SystemRoot\System32\drivers\hwpolicy.sys
0x88958000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8898A000 \SystemRoot\system32\drivers\disk.sys
0x8899B000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x88800000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x83011000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x8881F000 \SystemRoot\System32\Drivers\Null.SYS
0x889F3000 \SystemRoot\System32\Drivers\Beep.SYS
0x88609000 \SystemRoot\System32\drivers\vga.sys
0x8D605000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8D626000 \SystemRoot\System32\drivers\watchdog.sys
0x8D633000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8D63B000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8D643000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8D64B000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8D656000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8D664000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8D67B000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8D687000 \SystemRoot\system32\drivers\afd.sys
0x8D6E1000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8D713000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8D71A000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8D739000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x8D74A000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8D758000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8D76B000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8D77C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8D7BD000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8D7C7000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8D7D1000 \SystemRoot\System32\drivers\discache.sys
0x8D83F000 \SystemRoot\system32\drivers\csc.sys
0x8D8A3000 \SystemRoot\System32\Drivers\dfsc.sys
0x8D8BB000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x8D8C9000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8D8EA000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8D8FC000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8DE0C000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x8E729000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8D900000 \SystemRoot\System32\drivers\dxgmms1.sys
0x8E7E0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8D939000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8E7EB000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8D984000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8F200000 \SystemRoot\system32\DRIVERS\rtl8192se.sys
0x8F312000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x8F31C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8F334000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8F341000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8F37C000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8F37E000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8F38B000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8F394000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
0x8F3A1000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x8F3B3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8F3CB000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8F3D6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8D9A3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8D9BB000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8D9D2000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8DE00000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x8F3F8000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8D800000 \SystemRoot\system32\DRIVERS\ks.sys
0x8D9E9000 \SystemRoot\system32\DRIVERS\umbus.sys
0x90A1E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x90A62000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x90A73000 \SystemRoot\system32\drivers\HdAudio.sys
0x90AC3000 \SystemRoot\system32\drivers\portcls.sys
0x90AF2000 \SystemRoot\system32\drivers\drmk.sys
0x91B80000 \SystemRoot\System32\win32k.sys
0x90B0B000 \SystemRoot\System32\drivers\Dxapi.sys
0x90B15000 \SystemRoot\System32\Drivers\crashdmp.sys
0x90B22000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x90B2D000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x90B37000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x90B48000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x90B5F000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x90B6A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x90B7D000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x90B84000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x90B8F000 \SystemRoot\System32\Drivers\usbvideo.sys
0x90BB3000 \SystemRoot\system32\DRIVERS\monitor.sys
0x91DE0000 \SystemRoot\System32\TSDDD.dll
0x91A20000 \SystemRoot\System32\cdd.dll
0x90BBE000 \SystemRoot\system32\drivers\luafv.sys
0x90BD9000 \SystemRoot\system32\drivers\WudfPf.sys
0x90A00000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x94A0B000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x94A51000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x94A61000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x94A74000 \SystemRoot\system32\DRIVERS\vwifimp.sys
0x94A7D000 \SystemRoot\system32\drivers\HTTP.sys
0x94B02000 \SystemRoot\system32\DRIVERS\bowser.sys
0x94B1B000 \SystemRoot\System32\drivers\mpsdrv.sys
0x94B2D000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x94B50000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x94B8B000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x94BBE000 \SystemRoot\System32\Drivers\SENTINEL.SYS
0xA983A000 \SystemRoot\system32\drivers\peauth.sys
0xA98D1000 \SystemRoot\System32\Drivers\secdrv.SYS
0xA98DB000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xA98FC000 \SystemRoot\System32\drivers\tcpipreg.sys
0xA9909000 \SystemRoot\System32\DRIVERS\srv2.sys
0xA9958000 \SystemRoot\System32\DRIVERS\srv.sys
0xA99A9000 \??\C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6D15FA63-11F2-4BC6-93D0-F7E850E814BA}\MpKsl39185d20.sys
0xA99AF000 \SystemRoot\system32\DRIVERS\NisDrvWFP.sys
0x77220000 \Windows\System32\ntdll.dll
0x48350000 \Windows\System32\smss.exe
0x77460000 \Windows\System32\apisetschema.dll
0x00580000 \Windows\System32\autochk.exe
0x77080000 \Windows\System32\setupapi.dll
0x773F0000 \Windows\System32\shlwapi.dll
0x76F80000 \Windows\System32\wininet.dll
0x773E0000 \Windows\System32\lpk.dll
0x76D80000 \Windows\System32\iertutil.dll
0x773A0000 \Windows\System32\ws2_32.dll
0x76CB0000 \Windows\System32\user32.dll
0x76BE0000 \Windows\System32\msctf.dll
0x76B80000 \Windows\System32\difxapi.dll
0x76B30000 \Windows\System32\Wldap32.dll
0x76A80000 \Windows\System32\rpcrt4.dll
0x76A30000 \Windows\System32\gdi32.dll
0x77390000 \Windows\System32\psapi.dll
0x769A0000 \Windows\System32\oleaut32.dll
0x77360000 \Windows\System32\imagehlp.dll
0x768F0000 \Windows\System32\msvcrt.dll
0x768D0000 \Windows\System32\imm32.dll
0x76850000 \Windows\System32\comdlg32.dll
0x767B0000 \Windows\System32\advapi32.dll
0x767A0000 \Windows\System32\nsi.dll
0x76710000 \Windows\System32\clbcatq.dll
0x75AC0000 \Windows\System32\shell32.dll
0x75960000 \Windows\System32\ole32.dll
0x758C0000 \Windows\System32\usp10.dll
0x75780000 \Windows\System32\urlmon.dll
0x75770000 \Windows\System32\normaliz.dll
0x75750000 \Windows\System32\sechost.dll
0x75670000 \Windows\System32\kernel32.dll

Processes (total 46):
0 System Idle Process
4 System
264 C:\Windows\System32\smss.exe
356 csrss.exe
416 C:\Windows\System32\wininit.exe
424 csrss.exe
472 C:\Windows\System32\services.exe
488 C:\Windows\System32\lsass.exe
496 C:\Windows\System32\lsm.exe
520 C:\Windows\System32\winlogon.exe
640 C:\Windows\System32\svchost.exe
720 C:\Windows\System32\svchost.exe
780 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
868 C:\Windows\System32\svchost.exe
936 C:\Windows\System32\svchost.exe
1000 C:\Windows\System32\svchost.exe
1076 C:\Windows\System32\audiodg.exe
1268 C:\Windows\System32\svchost.exe
1412 C:\Windows\System32\svchost.exe
1520 C:\Windows\System32\dwm.exe
1552 C:\Windows\explorer.exe
1688 C:\Windows\System32\spoolsv.exe
1700 C:\Windows\System32\taskeng.exe
1716 C:\Windows\System32\taskhost.exe
1796 C:\Windows\System32\svchost.exe
1856 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
1876 C:\Windows\System32\igfxtray.exe
1884 C:\Windows\System32\hkcmd.exe
1892 C:\Windows\System32\igfxpers.exe
1900 C:\Program Files\Microsoft Security Client\msseces.exe
1912 C:\Program Files\Windows Sidebar\sidebar.exe
2032 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
2220 C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
2592 WmiPrvSE.exe
2732 C:\Windows\servicing\TrustedInstaller.exe
2800 C:\Windows\System32\SearchIndexer.exe
2856 C:\Windows\System32\svchost.exe
3136 C:\Windows\System32\SearchProtocolHost.exe
3176 C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
3216 C:\Windows\System32\SearchFilterHost.exe
3288 C:\Program Files\Internet Explorer\iexplore.exe
3356 C:\Program Files\Internet Explorer\iexplore.exe
3824 C:\Program Files\Internet Explorer\iexplore.exe
2080 C:\Users\lars\Desktop\MBRCheck.exe
2120 C:\Windows\System32\conhost.exe
2144 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x0000003d`f9200000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200BEVT-60A23T0, Rev: 02.01A02

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!

Attached File(s)


#4 User is offline   fireman4it 

  • Bleepin' Fireman
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 8,311
  • Joined: 24-May 08
  • Gender:Male
  • Location:Bement, ILL

Posted 17 April 2011 - 03:37 PM

Hello herairness,
  • Welcome to Bleeping Computer.

  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:

  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.

  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.

  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".

  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.



1.
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

2.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


3.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


Things to include in your next reply::
TDsskiller log
Combofix.txt
How is your machine running now?
" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

Posted Image
Posted Image

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click Posted Image

#5 User is offline   herairness 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 17-April 11

Posted 17 April 2011 - 04:52 PM

Hello fireman4it and thanks again for helping out so quickly!

I did as you instructed:

TDSS log:
2011/04/18 00:17:04.0701 3400 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/18 00:17:04.0717 3400 ================================================================================
2011/04/18 00:17:04.0717 3400 SystemInfo:
2011/04/18 00:17:04.0717 3400
2011/04/18 00:17:04.0717 3400 OS Version: 6.1.7601 ServicePack: 1.0
2011/04/18 00:17:04.0717 3400 Product type: Workstation
2011/04/18 00:17:04.0717 3400 ComputerName: PCB
2011/04/18 00:17:04.0717 3400 UserName: lars
2011/04/18 00:17:04.0717 3400 Windows directory: C:\Windows
2011/04/18 00:17:04.0717 3400 System windows directory: C:\Windows
2011/04/18 00:17:04.0717 3400 Processor architecture: Intel x86
2011/04/18 00:17:04.0717 3400 Number of processors: 2
2011/04/18 00:17:04.0717 3400 Page size: 0x1000
2011/04/18 00:17:04.0717 3400 Boot type: Normal boot
2011/04/18 00:17:04.0717 3400 ================================================================================
2011/04/18 00:17:05.0263 3400 Initialize success
2011/04/18 00:17:08.0804 3448 ================================================================================
2011/04/18 00:17:08.0804 3448 Scan started
2011/04/18 00:17:08.0804 3448 Mode: Manual;
2011/04/18 00:17:08.0804 3448 ================================================================================
2011/04/18 00:17:11.0207 3448 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
2011/04/18 00:17:11.0253 3448 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
2011/04/18 00:17:11.0300 3448 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
2011/04/18 00:17:11.0363 3448 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\drivers\adp94xx.sys
2011/04/18 00:17:11.0409 3448 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\drivers\adpahci.sys
2011/04/18 00:17:11.0425 3448 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\drivers\adpu320.sys
2011/04/18 00:17:11.0472 3448 AFD (1151fd4fb0216cfed887bfde29ebd516) C:\Windows\system32\drivers\afd.sys
2011/04/18 00:17:11.0519 3448 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
2011/04/18 00:17:11.0597 3448 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\drivers\djsvs.sys
2011/04/18 00:17:11.0659 3448 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
2011/04/18 00:17:11.0690 3448 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
2011/04/18 00:17:11.0706 3448 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
2011/04/18 00:17:11.0753 3448 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\drivers\amdk8.sys
2011/04/18 00:17:11.0768 3448 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\drivers\amdppm.sys
2011/04/18 00:17:11.0799 3448 amdsata (e7f4d42d8076ec60e21715cd11743a0d) C:\Windows\system32\drivers\amdsata.sys
2011/04/18 00:17:11.0831 3448 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\drivers\amdsbs.sys
2011/04/18 00:17:11.0846 3448 amdxata (146459d2b08bfdcbfa856d9947043c81) C:\Windows\system32\drivers\amdxata.sys
2011/04/18 00:17:11.0893 3448 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
2011/04/18 00:17:11.0940 3448 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\drivers\arc.sys
2011/04/18 00:17:11.0971 3448 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\drivers\arcsas.sys
2011/04/18 00:17:12.0018 3448 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/04/18 00:17:12.0033 3448 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
2011/04/18 00:17:12.0111 3448 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\drivers\bxvbdx.sys
2011/04/18 00:17:12.0174 3448 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/04/18 00:17:12.0252 3448 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
2011/04/18 00:17:12.0314 3448 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/04/18 00:17:12.0330 3448 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys
2011/04/18 00:17:12.0345 3448 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\BrFiltLo.sys
2011/04/18 00:17:12.0361 3448 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\BrFiltUp.sys
2011/04/18 00:17:12.0408 3448 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
2011/04/18 00:17:12.0439 3448 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/04/18 00:17:12.0455 3448 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/04/18 00:17:12.0470 3448 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/04/18 00:17:12.0486 3448 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\drivers\bthmodem.sys
2011/04/18 00:17:12.0548 3448 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
2011/04/18 00:17:12.0657 3448 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\DRIVERS\cdrom.sys
2011/04/18 00:17:12.0689 3448 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\drivers\circlass.sys
2011/04/18 00:17:12.0735 3448 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
2011/04/18 00:17:12.0829 3448 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/04/18 00:17:12.0845 3448 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
2011/04/18 00:17:12.0891 3448 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
2011/04/18 00:17:12.0907 3448 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
2011/04/18 00:17:12.0938 3448 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\DRIVERS\CompositeBus.sys
2011/04/18 00:17:12.0985 3448 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\drivers\crcdisk.sys
2011/04/18 00:17:13.0063 3448 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
2011/04/18 00:17:13.0157 3448 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
2011/04/18 00:17:13.0172 3448 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
2011/04/18 00:17:13.0219 3448 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\drivers\disk.sys
2011/04/18 00:17:13.0266 3448 dmvsc (2a958ef85db1b61ffca65044fa4bce9e) C:\Windows\system32\drivers\dmvsc.sys
2011/04/18 00:17:13.0344 3448 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
2011/04/18 00:17:13.0422 3448 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
2011/04/18 00:17:13.0703 3448 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\drivers\evbdx.sys
2011/04/18 00:17:13.0968 3448 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\drivers\elxstor.sys
2011/04/18 00:17:14.0046 3448 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
2011/04/18 00:17:14.0108 3448 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
2011/04/18 00:17:14.0155 3448 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
2011/04/18 00:17:14.0186 3448 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\drivers\fdc.sys
2011/04/18 00:17:14.0217 3448 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
2011/04/18 00:17:14.0249 3448 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
2011/04/18 00:17:14.0358 3448 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\drivers\flpydisk.sys
2011/04/18 00:17:14.0389 3448 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
2011/04/18 00:17:14.0451 3448 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
2011/04/18 00:17:14.0467 3448 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
2011/04/18 00:17:14.0561 3448 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
2011/04/18 00:17:14.0639 3448 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\drivers\gagp30kx.sys
2011/04/18 00:17:14.0888 3448 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
2011/04/18 00:17:14.0982 3448 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
2011/04/18 00:17:15.0075 3448 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/04/18 00:17:15.0107 3448 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\drivers\HidBatt.sys
2011/04/18 00:17:15.0138 3448 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\drivers\hidbth.sys
2011/04/18 00:17:15.0169 3448 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\drivers\hidir.sys
2011/04/18 00:17:15.0419 3448 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\DRIVERS\hidusb.sys
2011/04/18 00:17:15.0575 3448 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
2011/04/18 00:17:15.0684 3448 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
2011/04/18 00:17:15.0871 3448 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
2011/04/18 00:17:16.0121 3448 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/04/18 00:17:16.0323 3448 iaStorV (a3cae5d281db4cff7cff8233507ee5ad) C:\Windows\system32\drivers\iaStorV.sys
2011/04/18 00:17:17.0150 3448 igfx (8266ae06df974e5ba047b3e9e9e70b3f) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/04/18 00:17:17.0634 3448 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\drivers\iirsp.sys
2011/04/18 00:17:17.0681 3448 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
2011/04/18 00:17:17.0727 3448 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
2011/04/18 00:17:17.0759 3448 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/04/18 00:17:17.0790 3448 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
2011/04/18 00:17:17.0805 3448 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
2011/04/18 00:17:18.0024 3448 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
2011/04/18 00:17:18.0071 3448 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
2011/04/18 00:17:18.0102 3448 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
2011/04/18 00:17:18.0445 3448 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/04/18 00:17:18.0492 3448 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
2011/04/18 00:17:18.0539 3448 KSecDD (412cea1aa78cc02a447f5c9e62b32ff1) C:\Windows\system32\Drivers\ksecdd.sys
2011/04/18 00:17:18.0570 3448 KSecPkg (26c046977e85b95036453d7b88ba1820) C:\Windows\system32\Drivers\ksecpkg.sys
2011/04/18 00:17:18.0632 3448 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/04/18 00:17:18.0679 3448 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\drivers\lsi_fc.sys
2011/04/18 00:17:18.0710 3448 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\drivers\lsi_sas.sys
2011/04/18 00:17:18.0726 3448 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\drivers\lsi_sas2.sys
2011/04/18 00:17:18.0741 3448 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\drivers\lsi_scsi.sys
2011/04/18 00:17:18.0773 3448 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
2011/04/18 00:17:18.0804 3448 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\drivers\megasas.sys
2011/04/18 00:17:18.0835 3448 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\drivers\MegaSR.sys
2011/04/18 00:17:18.0897 3448 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
2011/04/18 00:17:18.0975 3448 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
2011/04/18 00:17:19.0007 3448 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
2011/04/18 00:17:19.0053 3448 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
2011/04/18 00:17:19.0085 3448 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
2011/04/18 00:17:19.0147 3448 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\Windows\system32\DRIVERS\MpFilter.sys
2011/04/18 00:17:19.0163 3448 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
2011/04/18 00:17:19.0553 3448 MpKsld10e282e (5f53edfead46fa7adb78eee9ecce8fdf) C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6D15FA63-11F2-4BC6-93D0-F7E850E814BA}\MpKsld10e282e.sys
2011/04/18 00:17:19.0787 3448 MpNWMon (f32e2d6a1640a469a9ed4f1929a4a861) C:\Windows\system32\DRIVERS\MpNWMon.sys
2011/04/18 00:17:19.0849 3448 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
2011/04/18 00:17:19.0896 3448 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
2011/04/18 00:17:19.0927 3448 mrxsmb (b272b4c3e085ea860c12f2e4faf2ffa2) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/04/18 00:17:19.0943 3448 mrxsmb10 (9ac33ef26c8a3ad0f117d00eb7301d03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/04/18 00:17:19.0974 3448 mrxsmb20 (e0abdb5ed7e199e242a7d028e76c1d3a) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/04/18 00:17:19.0989 3448 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
2011/04/18 00:17:20.0021 3448 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
2011/04/18 00:17:20.0052 3448 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
2011/04/18 00:17:20.0083 3448 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
2011/04/18 00:17:20.0099 3448 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
2011/04/18 00:17:20.0161 3448 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
2011/04/18 00:17:20.0192 3448 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/04/18 00:17:20.0208 3448 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
2011/04/18 00:17:20.0301 3448 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
2011/04/18 00:17:20.0333 3448 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/04/18 00:17:20.0348 3448 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
2011/04/18 00:17:20.0379 3448 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\drivers\MTConfig.sys
2011/04/18 00:17:20.0395 3448 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
2011/04/18 00:17:20.0473 3448 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
2011/04/18 00:17:20.0504 3448 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
2011/04/18 00:17:20.0551 3448 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/04/18 00:17:20.0567 3448 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/04/18 00:17:20.0629 3448 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/04/18 00:17:20.0645 3448 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/04/18 00:17:20.0660 3448 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
2011/04/18 00:17:20.0691 3448 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
2011/04/18 00:17:20.0723 3448 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
2011/04/18 00:17:20.0785 3448 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\drivers\nfrd960.sys
2011/04/18 00:17:20.0847 3448 NisDrv (17e2c08c5ecfbe94a7c67b1c275ee9d9) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
2011/04/18 00:17:20.0879 3448 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
2011/04/18 00:17:20.0910 3448 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
2011/04/18 00:17:20.0988 3448 Ntfs (33c3093d09017cfe2e219f2472bff6eb) C:\Windows\system32\drivers\Ntfs.sys
2011/04/18 00:17:21.0035 3448 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
2011/04/18 00:17:21.0050 3448 nvraid (af2eec9580c1d32fb7eaf105d9784061) C:\Windows\system32\drivers\nvraid.sys
2011/04/18 00:17:21.0066 3448 nvstor (9283c58ebaa2618f93482eb5dabcec82) C:\Windows\system32\drivers\nvstor.sys
2011/04/18 00:17:21.0097 3448 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
2011/04/18 00:17:21.0128 3448 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
2011/04/18 00:17:21.0159 3448 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\drivers\parport.sys
2011/04/18 00:17:21.0175 3448 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys
2011/04/18 00:17:21.0222 3448 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\drivers\parvdm.sys
2011/04/18 00:17:21.0237 3448 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
2011/04/18 00:17:21.0253 3448 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
2011/04/18 00:17:21.0315 3448 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\drivers\pcmcia.sys
2011/04/18 00:17:21.0362 3448 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
2011/04/18 00:17:21.0378 3448 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
2011/04/18 00:17:21.0518 3448 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
2011/04/18 00:17:21.0549 3448 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\drivers\processr.sys
2011/04/18 00:17:21.0612 3448 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
2011/04/18 00:17:21.0659 3448 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\drivers\ql2300.sys
2011/04/18 00:17:21.0768 3448 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\drivers\ql40xx.sys
2011/04/18 00:17:21.0815 3448 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
2011/04/18 00:17:21.0846 3448 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
2011/04/18 00:17:21.0908 3448 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/04/18 00:17:21.0939 3448 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/04/18 00:17:21.0971 3448 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/04/18 00:17:21.0986 3448 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
2011/04/18 00:17:22.0002 3448 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
2011/04/18 00:17:22.0033 3448 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/04/18 00:17:22.0064 3448 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/04/18 00:17:22.0142 3448 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
2011/04/18 00:17:22.0189 3448 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
2011/04/18 00:17:22.0220 3448 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
2011/04/18 00:17:22.0267 3448 RdpVideoMiniport (68a0387f58e226deee23d9715955572a) C:\Windows\system32\drivers\rdpvideominiport.sys
2011/04/18 00:17:22.0298 3448 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys
2011/04/18 00:17:22.0376 3448 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
2011/04/18 00:17:22.0439 3448 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
2011/04/18 00:17:22.0517 3448 RTL8167 (d5ede44ca85899e0478208c8413c1c31) C:\Windows\system32\DRIVERS\Rt86win7.sys
2011/04/18 00:17:22.0735 3448 rtl8192se (ab771b512804aa85959e9da8ca55165b) C:\Windows\system32\DRIVERS\rtl8192se.sys
2011/04/18 00:17:22.0985 3448 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
2011/04/18 00:17:23.0156 3448 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
2011/04/18 00:17:23.0187 3448 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
2011/04/18 00:17:23.0281 3448 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/04/18 00:17:23.0577 3448 Sentinel (b3c1b187fefc941f63ce0df93d02eb9f) C:\Windows\System32\Drivers\SENTINEL.SYS
2011/04/18 00:17:23.0749 3448 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\drivers\serenum.sys
2011/04/18 00:17:23.0811 3448 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\drivers\serial.sys
2011/04/18 00:17:23.0843 3448 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\drivers\sermouse.sys
2011/04/18 00:17:23.0889 3448 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
2011/04/18 00:17:23.0905 3448 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
2011/04/18 00:17:23.0921 3448 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
2011/04/18 00:17:23.0952 3448 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\drivers\sfloppy.sys
2011/04/18 00:17:23.0983 3448 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
2011/04/18 00:17:24.0030 3448 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\drivers\SiSRaid2.sys
2011/04/18 00:17:24.0045 3448 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\drivers\sisraid4.sys
2011/04/18 00:17:24.0077 3448 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
2011/04/18 00:17:24.0233 3448 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
2011/04/18 00:17:24.0576 3448 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\System32\Drivers\sptd.sys
2011/04/18 00:17:24.0779 3448 srv (112127c3b2e64d7680cc39cd0a39dd7e) C:\Windows\system32\DRIVERS\srv.sys
2011/04/18 00:17:24.0981 3448 srv2 (e5dd784a4ee5ebc72a86c677c988fcdb) C:\Windows\system32\DRIVERS\srv2.sys
2011/04/18 00:17:25.0169 3448 srvnet (cdbe627e16cc9e98f343d73f8e81d258) C:\Windows\system32\DRIVERS\srvnet.sys
2011/04/18 00:17:25.0340 3448 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\drivers\stexstor.sys
2011/04/18 00:17:25.0527 3448 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
2011/04/18 00:17:25.0621 3448 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
2011/04/18 00:17:25.0652 3448 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys
2011/04/18 00:17:25.0730 3448 Synth3dVsc (f2ad8960812fd111e20e84659ef19d43) C:\Windows\system32\drivers\synth3dvsc.sys
2011/04/18 00:17:25.0808 3448 SynTP (067cb9d745407a8c1b26e89a6a2ce152) C:\Windows\system32\DRIVERS\SynTP.sys
2011/04/18 00:17:26.0370 3448 Tcpip (37e8fa3779668837ca9e2c36d2415949) C:\Windows\system32\drivers\tcpip.sys
2011/04/18 00:17:26.0978 3448 TCPIP6 (37e8fa3779668837ca9e2c36d2415949) C:\Windows\system32\DRIVERS\tcpip.sys
2011/04/18 00:17:27.0275 3448 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
2011/04/18 00:17:27.0353 3448 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
2011/04/18 00:17:27.0368 3448 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys
2011/04/18 00:17:27.0399 3448 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
2011/04/18 00:17:27.0415 3448 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\DRIVERS\termdd.sys
2011/04/18 00:17:27.0477 3448 terminpt (052306fd76793d5d5ab5d9891fd1adbb) C:\Windows\system32\drivers\terminpt.sys
2011/04/18 00:17:27.0555 3448 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/04/18 00:17:27.0587 3448 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
2011/04/18 00:17:27.0618 3448 TsUsbGD (01246f0baad7b68ec0f472aa41e33282) C:\Windows\system32\drivers\TsUsbGD.sys
2011/04/18 00:17:27.0649 3448 tsusbhub (045acb987c650d8186c6b4a692223860) C:\Windows\system32\drivers\tsusbhub.sys
2011/04/18 00:17:27.0758 3448 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
2011/04/18 00:17:27.0789 3448 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\drivers\uagp35.sys
2011/04/18 00:17:27.0821 3448 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
2011/04/18 00:17:27.0867 3448 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
2011/04/18 00:17:27.0914 3448 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\DRIVERS\umbus.sys
2011/04/18 00:17:27.0930 3448 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\drivers\umpass.sys
2011/04/18 00:17:27.0977 3448 usbccgp (7e72e7d7e0757d59481d530fd2b0bfae) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/04/18 00:17:27.0992 3448 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
2011/04/18 00:17:28.0023 3448 usbehci (cfbce999c057d78979a181c9c60f208e) C:\Windows\system32\DRIVERS\usbehci.sys
2011/04/18 00:17:28.0055 3448 usbhub (9d22aad9ac6a07c691a1113e5f860868) C:\Windows\system32\DRIVERS\usbhub.sys
2011/04/18 00:17:28.0086 3448 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\drivers\usbohci.sys
2011/04/18 00:17:28.0101 3448 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\drivers\usbprint.sys
2011/04/18 00:17:28.0117 3448 USBSTOR (bf63ebfc6979fefb2bc03df7989a0c1a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/04/18 00:17:28.0133 3448 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/04/18 00:17:28.0179 3448 usbvideo (45f4e7bf43db40a6c6b4d92c76cbc3f2) C:\Windows\system32\Drivers\usbvideo.sys
2011/04/18 00:17:28.0242 3448 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
2011/04/18 00:17:28.0273 3448 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/04/18 00:17:28.0289 3448 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
2011/04/18 00:17:28.0335 3448 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
2011/04/18 00:17:28.0367 3448 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
2011/04/18 00:17:28.0398 3448 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\drivers\viac7.sys
2011/04/18 00:17:28.0429 3448 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
2011/04/18 00:17:28.0507 3448 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
2011/04/18 00:17:28.0538 3448 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
2011/04/18 00:17:28.0585 3448 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
2011/04/18 00:17:28.0694 3448 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
2011/04/18 00:17:28.0788 3448 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
2011/04/18 00:17:28.0850 3448 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\drivers\vsmraid.sys
2011/04/18 00:17:28.0897 3448 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
2011/04/18 00:17:28.0944 3448 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
2011/04/18 00:17:28.0959 3448 vwifimp (a3f04cbea6c2a10e6cb01f8b47611882) C:\Windows\system32\DRIVERS\vwifimp.sys
2011/04/18 00:17:29.0006 3448 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\drivers\wacompen.sys
2011/04/18 00:17:29.0053 3448 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
2011/04/18 00:17:29.0069 3448 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
2011/04/18 00:17:29.0100 3448 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\drivers\wd.sys
2011/04/18 00:17:29.0131 3448 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2011/04/18 00:17:29.0287 3448 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/04/18 00:17:29.0318 3448 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
2011/04/18 00:17:29.0427 3448 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/04/18 00:17:29.0505 3448 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/04/18 00:17:29.0552 3448 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
2011/04/18 00:17:29.0615 3448 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/04/18 00:17:29.0724 3448 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/18 00:17:29.0755 3448 ================================================================================
2011/04/18 00:17:29.0755 3448 Scan finished
2011/04/18 00:17:29.0755 3448 ================================================================================
2011/04/18 00:17:29.0771 3440 Detected object count: 1
2011/04/18 00:17:43.0779 3440 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/18 00:17:43.0795 3440 \HardDisk0 - ok
2011/04/18 00:17:43.0795 3440 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/18 00:18:02.0921 3388 Deinitialize success

2) combofix log
ComboFix 11-04-16.03 - lars 04/18/2011 0:24.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1251.359.1033.18.1979.1386 [GMT 3:00]
Running from: F:\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2011-03-17 to 2011-04-17 )))))))))))))))))))))))))))))))
.
.
2011-04-17 21:30 . 2011-04-17 21:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-17 16:07 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6D15FA63-11F2-4BC6-93D0-F7E850E814BA}\mpengine.dll
2011-04-16 15:44 . 2011-04-16 15:44 -------- d-----w- c:\program files\CCleaner
2011-04-16 15:26 . 2011-04-16 15:26 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-16 15:26 . 2011-04-16 15:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-16 15:24 . 2011-02-27 09:29 439632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-04-16 15:24 . 2011-02-27 09:29 439632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B5962A69-52AF-4F75-B73B-8B3C511049A0}\gapaengine.dll
2011-04-10 16:21 . 2011-04-10 16:23 -------- d-----w- c:\users\lars\AppData\Local\Adobe
2011-04-10 16:21 . 2007-03-23 01:05 29272 ----a-w- c:\windows\system32\AdobePDF.dll
2011-04-10 16:15 . 2011-04-10 16:22 -------- d-----w- c:\program files\Common Files\Adobe
2011-04-05 14:29 . 2011-04-05 14:29 -------- d-----w- c:\users\lars\AppData\Local\ElevatedDiagnostics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 11:13 . 2011-03-15 11:13 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-02-23 07:35 . 2011-02-26 14:49 5943120 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E084AB94-B378-49BE-88A7-A72E1D0784C2}\mpengine.dll
2011-02-18 18:01 . 2011-02-18 18:01 7680 ----a-w- c:\windows\system32\drivers\bg-BG\bthport.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 3584 ----a-w- c:\windows\system32\drivers\bg-BG\portcls.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 3072 ----a-w- c:\windows\system32\drivers\bg-BG\hidbth.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 3072 ----a-w- c:\windows\system32\drivers\bg-BG\ataport.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 2560 ----a-w- c:\windows\system32\drivers\bg-BG\serscan.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 2560 ----a-w- c:\windows\system32\drivers\bg-BG\BTHUSB.SYS.mui
2011-02-18 18:01 . 2011-02-18 18:01 2048 ----a-w- c:\windows\system32\drivers\bg-BG\bthenum.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 2048 ----a-w- c:\windows\system32\drivers\bg-BG\amdide.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 2560 ----a-w- c:\windows\system32\drivers\bg-BG\scfilter.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 48128 ----a-w- c:\windows\system32\drivers\bg-BG\tcpip.sys.mui
2011-02-10 20:54 . 2011-02-27 09:30 5943120 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-03 05:54 . 2011-02-26 14:41 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 MpKsl7c5cd164;MpKsl7c5cd164;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B09D1F54-6C8E-47F2-A570-A377EEBF340F}\MpKsl7c5cd164.sys [x]
R1 MpKsl8c3b0ab9;MpKsl8c3b0ab9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B09D1F54-6C8E-47F2-A570-A377EEBF340F}\MpKsl8c3b0ab9.sys [x]
R1 MpKslc9f43106;MpKslc9f43106;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B09D1F54-6C8E-47F2-A570-A377EEBF340F}\MpKslc9f43106.sys [x]
R1 MpKslf74b3729;MpKslf74b3729;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B09D1F54-6C8E-47F2-A570-A377EEBF340F}\MpKslf74b3729.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-26 136176]
R2 NewServiceInstall1;NewServiceInstall1;c:\program files\SDL International\T2007\TT\Lng\Dialogs1031.lng [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-03-15 691696]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-02-04 1000992]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-26 14:19]
.
2011-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-26 14:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
FF - Ext: B-Trust Smart Card Certificate: sc_cert_delete@b-trust.org - %profile%\extensions\sc_cert_delete@b-trust.org
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: QipAuthorizer: {32a1fd71-835e-4b11-8e54-886fda0b4c89} - %profile%\extensions\{32a1fd71-835e-4b11-8e54-886fda0b4c89}
FF - Ext: Gmail Checker: {6BFD307A-C040-11DA-9749-FB1C850B47DF} - %profile%\extensions\{6BFD307A-C040-11DA-9749-FB1C850B47DF}
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Yahoo! Mail Notifier: {89f8dde0-010a-11da-8cd6-0800200c9a66} - %profile%\extensions\{89f8dde0-010a-11da-8cd6-0800200c9a66}
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NewServiceInstall1]
"ImagePath"="\"c:\program files\SDL International\T2007\TT\Lng\Dialogs1031.lng\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-04-18 00:32:27
ComboFix-quarantined-files.txt 2011-04-17 21:32
.
Pre-Run: 38,045,306,880 bytes free
Post-Run: 37,849,174,016 bytes free
.
- - End Of File - - C658C39E8B9F6C3B09A29EFDCC7C4C1D

3) My machine is back to the quick start up and loading of Windows, windows are opening and programs, including browsers, are finally opening and running smoothly without much load on the CPU! Oh, and no BSOD for the last hour or so, too.

p.s. Please let me know when I can reenable the CD/DVD emulation as well.

This post has been edited by herairness: 17 April 2011 - 04:53 PM

#6 User is offline   fireman4it 

  • Bleepin' Fireman
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 8,311
  • Joined: 24-May 08
  • Gender:Male
  • Location:Bement, ILL

Posted 17 April 2011 - 08:46 PM

Hello,

Things look pretty good let do some final checking and cleanup of some leftovers.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

DDS::
uStart Page = hxxp://qip.ru
uDefault_Search_URL = hxxp://search.qip.ru
uSearchAssistant = hxxp://search.qip.ru/ie

Firefox::
FF - ProfilePath - c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}

Driver::
VGPU
NewServiceInstall1
MpKslf74b3729
MpKslc9f43106
MpKsl8c3b0ab9
MpKsl7c5cd164


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.

Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.

  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


Things to include in your next reply::
Combofix.txt
MBAM log
Eset log
How is your machine running now?
" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

Posted Image
Posted Image

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click Posted Image

#7 User is offline   herairness 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 17-April 11

Posted 18 April 2011 - 05:51 AM

Hello again and thanks so much for your efforts!

1) combofix log:
ComboFix 11-04-16.03 - lars 04/18/2011 11:27:03.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1251.359.1033.18.1979.1333 [GMT 3:00]
Running from: F:\ComboFix.exe
Command switches used :: F:\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\chrome.manifest
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\chrome\bittorrentbar.jar
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\ConduitAutoCompleteSearch.js
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\ConduitAutoCompleteSearch.xpt
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\ConduitToolbar.idl
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\ConduitToolbar.js
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\ConduitToolbar.xpt
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCore.dll
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCore.xpt
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\defaults\alertSettingsComponent.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\defaults\appContextMenu.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\defaults\engineContextMenu.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\defaults\engineSettings.json
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\defaults\fbAlert.js
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\defaults\getAppsContextMenu.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\defaults\postAppsContextMenu.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\defaults\toolbarContextMenu.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\defaults\unsharedAppsContextMenu.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\install.rdf
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\lib\xpcom.js
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\META-INF\manifest.mf
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\META-INF\zigbert.rsa
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\META-INF\zigbert.sf
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\searchplugin\conduit.gif
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\searchplugin\conduit.ico
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\searchplugin\conduit.PNG
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\searchplugin\conduit.src
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\searchplugin\conduit.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\version.txt
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\chrome.manifest
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\chrome\conduitengine.jar
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\components\ConduitAutoCompleteSearch.js
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\components\ConduitAutoCompleteSearch.xpt
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\components\ConduitToolbar.idl
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\components\ConduitToolbar.js
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\components\ConduitToolbar.xpt
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\components\RadioWMPCore.dll
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\components\RadioWMPCore.xpt
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\defaults\alertSettingsComponent.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\defaults\appContextMenu.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\defaults\engineContextMenu.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\defaults\engineSettings.json
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\defaults\fbAlert.js
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\defaults\getAppsContextMenu.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\defaults\postAppsContextMenu.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\defaults\toolbarContextMenu.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\defaults\unsharedAppsContextMenu.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\DualPackage\install.rdf
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\install.rdf
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\lib\xpcom.js
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\META-INF\manifest.mf
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\META-INF\zigbert.rsa
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\META-INF\zigbert.sf
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\searchplugin\conduit.gif
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\searchplugin\conduit.ico
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\searchplugin\conduit.PNG
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\searchplugin\conduit.src
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\searchplugin\conduit.xml
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\setup.ini
c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\extensions\engine@conduit.com\version.txt
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MPKSL8C3B0AB9
-------\Legacy_MPKSLC9F43106
-------\Service_MpKsl7c5cd164
-------\Service_MpKsl8c3b0ab9
-------\Service_MpKslc9f43106
-------\Service_MpKslf74b3729
-------\Service_NewServiceInstall1
-------\Service_VGPU
.
.
((((((((((((((((((((((((( Files Created from 2011-03-18 to 2011-04-18 )))))))))))))))))))))))))))))))
.
.
2011-04-18 08:33 . 2011-04-18 08:33 -------- d-----w- c:\users\lars\AppData\Local\temp
2011-04-18 08:33 . 2011-04-18 08:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-18 08:24 . 2011-04-18 08:24 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E7DC91A9-0960-4A1C-813B-F6856C5A0EAC}\MpKsl81fab3f8.sys
2011-04-17 21:46 . 2011-03-15 04:05 6792528 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E7DC91A9-0960-4A1C-813B-F6856C5A0EAC}\mpengine.dll
2011-04-16 15:44 . 2011-04-16 15:44 -------- d-----w- c:\program files\CCleaner
2011-04-16 15:26 . 2011-04-16 15:26 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-16 15:26 . 2011-04-16 15:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-16 15:24 . 2011-02-27 09:29 439632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-04-16 15:24 . 2011-02-27 09:29 439632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B5962A69-52AF-4F75-B73B-8B3C511049A0}\gapaengine.dll
2011-04-10 16:21 . 2011-04-10 16:23 -------- d-----w- c:\users\lars\AppData\Local\Adobe
2011-04-10 16:21 . 2007-03-23 01:05 29272 ----a-w- c:\windows\system32\AdobePDF.dll
2011-04-10 16:15 . 2011-04-10 16:22 -------- d-----w- c:\program files\Common Files\Adobe
2011-04-05 14:29 . 2011-04-05 14:29 -------- d-----w- c:\users\lars\AppData\Local\ElevatedDiagnostics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-15 11:13 . 2011-03-15 11:13 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-02-23 07:35 . 2011-02-26 14:49 5943120 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E084AB94-B378-49BE-88A7-A72E1D0784C2}\mpengine.dll
2011-02-18 18:01 . 2011-02-18 18:01 7680 ----a-w- c:\windows\system32\drivers\bg-BG\bthport.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 3584 ----a-w- c:\windows\system32\drivers\bg-BG\portcls.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 3072 ----a-w- c:\windows\system32\drivers\bg-BG\hidbth.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 3072 ----a-w- c:\windows\system32\drivers\bg-BG\ataport.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 2560 ----a-w- c:\windows\system32\drivers\bg-BG\serscan.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 2560 ----a-w- c:\windows\system32\drivers\bg-BG\BTHUSB.SYS.mui
2011-02-18 18:01 . 2011-02-18 18:01 2048 ----a-w- c:\windows\system32\drivers\bg-BG\bthenum.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 2048 ----a-w- c:\windows\system32\drivers\bg-BG\amdide.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 2560 ----a-w- c:\windows\system32\drivers\bg-BG\scfilter.sys.mui
2011-02-18 18:01 . 2011-02-18 18:01 48128 ----a-w- c:\windows\system32\drivers\bg-BG\tcpip.sys.mui
2011-02-10 20:54 . 2011-02-27 09:30 5943120 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-02-03 05:54 . 2011-02-26 14:41 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-25 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-25 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-25 170520]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-02-26 136176]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-24 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [2010-11-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2011-03-15 691696]
S1 MpKsl81fab3f8;MpKsl81fab3f8;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E7DC91A9-0960-4A1C-813B-F6856C5A0EAC}\MpKsl81fab3f8.sys [2011-04-18 28752]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys [2010-02-04 1000992]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-26 14:19]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-26 14:19]
.
.
------- Supplementary Scan -------
.
uSearchAssistant = hxxp://search.qip.ru/ie
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\lars\AppData\Roaming\Mozilla\Firefox\Profiles\5izrkhx2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.qip.ru/search?from=FF&query=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Ghostery: firefox@ghostery.com - %profile%\extensions\firefox@ghostery.com
FF - Ext: Noia 2.0 eXtreme OPT: noia2_option@kk.noia - %profile%\extensions\noia2_option@kk.noia
FF - Ext: B-Trust Smart Card Certificate: sc_cert_delete@b-trust.org - %profile%\extensions\sc_cert_delete@b-trust.org
FF - Ext: Forecastfox Weather: {0538E3E3-7E9B-4d49-8831-A227C80A7AD3} - %profile%\extensions\{0538E3E3-7E9B-4d49-8831-A227C80A7AD3}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: QipAuthorizer: {32a1fd71-835e-4b11-8e54-886fda0b4c89} - %profile%\extensions\{32a1fd71-835e-4b11-8e54-886fda0b4c89}
FF - Ext: Gmail Checker: {6BFD307A-C040-11DA-9749-FB1C850B47DF} - %profile%\extensions\{6BFD307A-C040-11DA-9749-FB1C850B47DF}
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Yahoo! Mail Notifier: {89f8dde0-010a-11da-8cd6-0800200c9a66} - %profile%\extensions\{89f8dde0-010a-11da-8cd6-0800200c9a66}
FF - Ext: Noia 2.0 (eXtreme): {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e} - %profile%\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2011-04-18 11:40:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-18 08:40
.
Pre-Run: 37,183,709,184 bytes free
Post-Run: 36,717,760,512 bytes free
.
- - End Of File - - 820C127825282E4C175A480646E96D4C

2)malwarebyte log
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6388

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

4/18/2011 12:03:58 PM
mbam-log-2011-04-18 (12-03-58).txt

Scan type: Quick scan
Objects scanned: 149367
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

3)eset log
D:\Games\Heroes III\chronicles\Conquest of the Underworld\UNDERWORLD.ICD a variant of Win32/Kryptik.KJI trojan cleaned by deleting - quarantined
D:\install\adobe\keygen.exe a variant of Win32/Keygen.AH application cleaned by deleting - quarantined

#8 User is offline   fireman4it 

  • Bleepin' Fireman
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 8,311
  • Joined: 24-May 08
  • Gender:Male
  • Location:Bement, ILL

Posted 18 April 2011 - 09:23 AM

Hello,


1.
Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:
  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
  • Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • Once the installation is finished, go here: Adobe Update Page and scroll down to UPDATES/PROGRAMS. From there download: Adobe Reader X update - multiple languages and save it to your desktop.
  • Double-click the file AdbeRdrUpd932_all_incr.msp on your desktop to start installing the update and follow the prompts.
  • Once the update is done click Exit.
Your Adobe Reader is now up to date!


2.
Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Posted Image then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    Posted Image

    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall


  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".


3.
You can now re-enable the CD/DVD emulation


4.

Congratulations! You now appear clean! :cool:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.



Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install

  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

Posted Image
Posted Image

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click Posted Image

#9 User is offline   herairness 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 5
  • Joined: 17-April 11

Posted 18 April 2011 - 04:12 PM

Hello,
i have successfully completed all the steps you recommended and can safely say that my machine is back to its usual fast mode of operation! Once again thanks a million for your fast and helpful replies!

#10 User is offline   fireman4it 

  • Bleepin' Fireman
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 8,311
  • Joined: 24-May 08
  • Gender:Male
  • Location:Bement, ILL

Posted 18 April 2011 - 10:45 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

Posted Image
Posted Image

If I have helped you, consider making a donation to help me continue the fight against Malware!
Just click Posted Image

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users