Something is still infecting my computer... what is it?


13 replies to this topic

#1 alongwalk

  • Members
  • 11 posts

Posted 13 April 2010 - 11:56 PM

Hello, I've been having malware/virus issues for the past number of weeks. I'm running Windows XP Home, service pack 3.

Originally, the problem was with google redirects - something redirecting my google search result links to bizarre generic search pages. I managed to get that fixed... and all was fine for a couple weeks.

Next, was a problem with bogus "download this malware protection" popups. I tried to kill them using ctrl-alt-delete and killing processes, but it quickly got so bad I couldn't run any program - my entire screen was filled with these pop-ups - seems they launched with every .exe, and prevented anything else from being used. I was finally able to stop this by running a .reg file via a jump drive - times were desperate! Then, I ran malwarebytes which seemed to clean things up - deleted a number of files. (my bitdefender has proven to be worthless for these problems).

However, I kept getting re-infected.

So, I bought the pay version of malwarebytes. This seems to have stopped the re-infections, but I have a few issues.
- Malwarebytes is continuously blocking "access to a potentially malicious website". A copy of a recent protection log is below.
- I get occasional full-screen "pop-behind" Internet Explorer windows from strange websites. When this happens, I just kill the entire explorer process.
- Something is blocking me from accessing the Windows update web page, which I've tried to do manually... as I've read separately that they just released a couple XP security patches this week.
- Every few days, I run a malwarebytes scan and it discovers and removes a number of malware/virus files. But, most scans are clean.
- Randomly (maybe once a night or so) I'll hear a windows "exclamation sound" (the horn/thump sound) like some warning has occurred, but there is nothing displayed anywhere. I've noticed that this often precipitates a new round of problems... which a scan from malwarebytes confirms...

Something is obviously still infecting my computer... acting like a caged animal that sometimes nips.

I know there are lots of suggested approaches to this, but I really want to get some kind of focus before I go banging around. I do have a technical background, but not so much experience with these sort of problems. Any advice on where to start?

Thanks in advance.

(a recent malwarebytes protection log is below)

20:48:44 My Name MESSAGE Protection started successfully
20:48:47 My Name MESSAGE IP Protection started successfully
20:57:49 My Name IP-BLOCK 213.163.89.104
20:57:52 My Name IP-BLOCK 213.163.89.104
20:57:58 My Name IP-BLOCK 213.163.89.104
21:07:50 My Name IP-BLOCK 213.163.89.106
21:07:53 My Name IP-BLOCK 213.163.89.106
21:07:59 My Name IP-BLOCK 213.163.89.106
21:08:11 My Name IP-BLOCK 213.163.89.106
21:08:14 My Name IP-BLOCK 213.163.89.106
21:08:20 My Name IP-BLOCK 213.163.89.106
21:08:32 My Name IP-BLOCK 213.163.89.105
21:08:35 My Name IP-BLOCK 213.163.89.105
21:08:41 My Name IP-BLOCK 213.163.89.105
21:09:04 My Name IP-BLOCK 213.174.154.9
21:09:07 My Name IP-BLOCK 213.174.154.9
21:09:13 My Name IP-BLOCK 213.174.154.9
21:13:10 My Name IP-BLOCK 213.163.89.104
21:13:13 My Name IP-BLOCK 213.163.89.104
21:13:19 My Name IP-BLOCK 213.163.89.104
21:23:31 My Name IP-BLOCK 213.163.89.104
21:23:34 My Name IP-BLOCK 213.163.89.104
21:23:40 My Name IP-BLOCK 213.163.89.104
21:30:52 My Name IP-BLOCK 213.163.89.104
21:30:55 My Name IP-BLOCK 213.163.89.104
21:31:01 My Name IP-BLOCK 213.163.89.104


EDIT: Moved from XP to Am I Infected, more appropriate forum ~ Hamluis.

Edited by hamluis, 14 April 2010 - 06:40 AM.
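The protection log in this post shows only that Malwarebytes blocked outbound connections; it says nothing about which component on the machine keeps opening them. The following script is an added example (not part of the thread, not Malwarebytes code) that parses lines in the format above, merges blocks of the same IP that fall within a few seconds of each other into "retry bursts", and flags destinations that are contacted in more than one burst. The embedded sample is the log as posted; the 10-second retry gap and the "two or more bursts" threshold are assumptions chosen to fit that sample.

```python
"""Added example (not part of the thread): parse Malwarebytes IP-BLOCK lines
and group them into retry bursts per destination IP, so that repeated,
regularly spaced bursts stand out from one-off blocks."""
import re
from collections import defaultdict
from datetime import timedelta

# The protection log exactly as posted in this thread (constructed excerpt).
SAMPLE_LOG = """\
20:48:44 My Name MESSAGE Protection started successfully
20:48:47 My Name MESSAGE IP Protection started successfully
20:57:49 My Name IP-BLOCK 213.163.89.104
20:57:52 My Name IP-BLOCK 213.163.89.104
20:57:58 My Name IP-BLOCK 213.163.89.104
21:07:50 My Name IP-BLOCK 213.163.89.106
21:07:53 My Name IP-BLOCK 213.163.89.106
21:07:59 My Name IP-BLOCK 213.163.89.106
21:08:11 My Name IP-BLOCK 213.163.89.106
21:08:14 My Name IP-BLOCK 213.163.89.106
21:08:20 My Name IP-BLOCK 213.163.89.106
21:08:32 My Name IP-BLOCK 213.163.89.105
21:08:35 My Name IP-BLOCK 213.163.89.105
21:08:41 My Name IP-BLOCK 213.163.89.105
21:09:04 My Name IP-BLOCK 213.174.154.9
21:09:07 My Name IP-BLOCK 213.174.154.9
21:09:13 My Name IP-BLOCK 213.174.154.9
21:13:10 My Name IP-BLOCK 213.163.89.104
21:13:13 My Name IP-BLOCK 213.163.89.104
21:13:19 My Name IP-BLOCK 213.163.89.104
21:23:31 My Name IP-BLOCK 213.163.89.104
21:23:34 My Name IP-BLOCK 213.163.89.104
21:23:40 My Name IP-BLOCK 213.163.89.104
21:30:52 My Name IP-BLOCK 213.163.89.104
21:30:55 My Name IP-BLOCK 213.163.89.104
21:31:01 My Name IP-BLOCK 213.163.89.104
"""

# time  user  kind  detail  (the log carries no date, so a midnight wrap
# would confuse the interval maths; the sample stays within one evening)
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (.+?) (MESSAGE|IP-BLOCK) (.*)$")


def parse_log(text):
    """Yield (time_since_midnight, kind, detail) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a protection-log line
        h, mi, s = (int(x) for x in m.group(1).split(":"))
        yield timedelta(hours=h, minutes=mi, seconds=s), m.group(3), m.group(4)


def group_bursts(events, gap=timedelta(seconds=10)):
    """Merge IP-BLOCK events for the same IP into bursts.

    Two blocks of the same IP closer than `gap` (assumed retry spacing) belong
    to one burst. Returns {ip: [(first, last, count), ...]} in log order.
    """
    bursts = defaultdict(list)
    for t, kind, ip in events:
        if kind != "IP-BLOCK":
            continue
        lst = bursts[ip]
        if lst and t - lst[-1][1] <= gap:
            first, _, n = lst[-1]
            lst[-1] = (first, t, n + 1)
        else:
            lst.append((t, t, 1))
    return bursts


def beacon_report(text, min_bursts=2):
    """Per-IP summary; an IP seen in `min_bursts` or more separate bursts is
    marked suspicious (assumed threshold: something keeps coming back to it)."""
    report = {}
    for ip, lst in group_bursts(parse_log(text)).items():
        starts = [b[0] for b in lst]
        report[ip] = {
            "bursts": len(lst),
            "blocks": sum(b[2] for b in lst),
            "retry_sizes": [b[2] for b in lst],
            "burst_intervals_s": [(b - a).total_seconds()
                                  for a, b in zip(starts, starts[1:])],
            "suspicious": len(lst) >= min_bursts,
        }
    return report


if __name__ == "__main__":
    for ip, r in beacon_report(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "one-off"
        print(f"{ip:16} {r['bursts']} bursts / {r['blocks']} blocks "
              f"intervals={r['burst_intervals_s']} {flag}")
```

Run against the posted log, 213.163.89.104 comes back in four bursts of exactly three attempts each, and every burst in the log has the same +3 s / +6 s retry spacing. That regularity is the useful signal: one blocked connection is noise, but the same retry pattern recurring every few minutes is consistent with a single component on the host retrying a failed connection, which is what the thread later traces to a patched driver. The IP block stops the traffic; it does not remove whatever is generating it.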




#2 rosiesdad

  • Members
  • 220 posts

Posted 14 April 2010 - 06:19 AM

I am sure this needs to be moved to the security/malware forum, you will get some help from malware experts.

#3 virus1kimberbee0

  • Members
  • 1 post

Posted 14 April 2010 - 08:03 AM

Just wanted to say my issue is identical down to the random exclamation noises with no warning at night (also had BitDefender and said no thanks to the $70 upgrade since they could not prevent even this). I did discover both "neosploit exploit.exe" which I think AVG removed because I haven't found it since, and Trojan horse Generic 17.ayen which I thought I removed, but I am still having the google redirects so guess I didn't. Malwarebytes turns up nothing. I'm not sure if the OP had found the virus yet or not, but I wanted to post what I found.

#4 marrowshard

  • Members
  • 5 posts

Posted 14 April 2010 - 04:58 PM

Out of curiosity, have you got a HijackThis log to show us? I used to have AVG on my computer and it was notorious for 1) missing obvious infections and 2) getting its own files infected. I currently run Malwarebytes and Avast to catch most things, but I really don't think I could live without HijackThis. Download it if you haven't already, let it scan, and post the logfile here please =)

#5 alongwalk

  • Topic Starter
  • Members
  • 11 posts

Posted 14 April 2010 - 08:45 PM

Thanks, but reading all the warnings on this site, they ask not to post logs unless prompted by an "expert"... lest you never get help. Anyway, if I get no better alternatives in a few days, I'll give that a shot & see how it goes.

#6 boopme

    To Insanity and Beyond
  • Global Moderator
  • 73,166 posts
  • Location:NJ USA

Posted 14 April 2010 - 09:23 PM

Hello, you are correct not to run HJT on your own, and two, we don't even use it unless we have to anymore; it's dated.

Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox or Opera browser click that browser at the top and choose: Select All.
  • Click the Empty Selected button.
  • If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.

#7 alongwalk

  • Topic Starter
  • Members
  • 11 posts

Posted 16 April 2010 - 10:12 PM

Thanks for the advice... I do appreciate your taking the time to reply. However, it appears I'm still in the same situation. I ran ATF and then SAS in safe mode, per the instructions. SAS didn't find anything though. The log is below:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/15/2010 at 11:41 PM

Application Version : 4.35.1002

Core Rules Database Version : 4813
Trace Rules Database Version: 2625

Scan type : Complete Scan
Total Scan Time : 02:11:18

Memory items scanned : 222
Memory threats detected : 0
Registry items scanned : 4674
Registry threats detected : 0
File items scanned : 213437
File threats detected : 0


Strangely, it seems I did get a Windows update, as when I went to shut my computer down last night, it mentioned there were updates to install, then prompted me to reboot. Perhaps this "malware" is only disallowing me from manual Windows updates? Anyway, I'm still having the same issues as in my original post - malwarebytes blocking multiple IP connect attempts, mystery "warning thump sounds", strange "pop-behinds", etc. Any other ideas? My guess is that this malware was partially removed by malwarebytes earlier, and is somehow crippled, but that also makes it harder to detect. Or, perhaps it has managed to over-write some legitimate windows system file with a bit of malicious code - again, that'd be very hard to detect.

One other minor thing... I think SAS has changed their menu around since you wrote those instructions. The instructions should read, in part:
... Under "Configuration and Preferences", go to "Scanning Control", and make sure the following Scanner Options are checked (leave all others unchecked): ...

Any other ideas?

#8 alongwalk

  • Topic Starter
  • Members
  • 11 posts

Posted 16 April 2010 - 10:43 PM

A little more... I'm sitting here a bit later, and getting messages from my BitDefender that it's blocked multiple viruses on my computer. This is identified as:

Virus Name: Rootkit.Patched.TDSS.Gen
Path: C:\WINDOWS\System32\drivers\iaStor.sys
The file has been disinfected

I got this same message multiple times... Any meaning to this? This warning message appeared after no action from me.

#9 alongwalk

  • Topic Starter
  • Members
  • 11 posts

Posted 16 April 2010 - 11:08 PM

So, since I got that warning message, I figured I'd try another scan with SAS, since such warnings have usually precipitated other more serious problems (like BitDefender is catching some, but not all of the problems). So, I went back to safe mode, and re-scanned with SAS, and got this:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/16/2010 at 08:57 PM

Application Version : 4.35.1002

Core Rules Database Version : 4813
Trace Rules Database Version: 2625

Scan type : Quick Scan
Total Scan Time : 00:09:32

Memory items scanned : 213
Memory threats detected : 0
Registry items scanned : 440
Registry threats detected : 0
File items scanned : 11592
File threats detected : 9

Adware.Tracking Cookie
C:\Documents and Settings\My Name\Cookies\my_name@mediaplex[2].txt
C:\Documents and Settings\My Name\Cookies\my_name@insightexpressai[1].txt
C:\Documents and Settings\My Name\Cookies\my_name@doubleclick[1].txt
C:\Documents and Settings\My Name\Cookies\my_name@ads.bleepingcomputer[2].txt
C:\Documents and Settings\My Name\Cookies\my_name@collective-media[1].txt
C:\Documents and Settings\My Name\Cookies\my_name@apmebf[1].txt
C:\Documents and Settings\My Name\Cookies\my_name@eas.apm.emediate[1].txt
C:\Documents and Settings\My Name\Cookies\my_name@invitemedia[2].txt
C:\Documents and Settings\My Name\Cookies\my_name@ad.yieldmanager[2].txt


I have a feeling that these are files that ATF-Cleaner would have removed first. I didn't re-run ATF cleaner this time. I also didn't do a full scan, since I don't have 2 hours to sit and wait again. I stopped it after it'd found these files. These don't look too harmful... true? Heck, one of them is a cookie from bleepingcomputer!

#10 boopme

    To Insanity and Beyond
  • Global Moderator
  • 73,166 posts
  • Location:NJ USA

Posted 17 April 2010 - 09:13 AM

Hello, yes they are tracking cookies. A little byte of info that makes subsequent visits to that site load quicker. You can uncheck some or just remove them all. The list gets repopulated when you revisit. I just remove them anyway.

Run TDSSKiller
  • Go to this page and Download TDSSKiller.zip to your Desktop.
  • Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  • Vista Start logo >All Programs> Accessories> RIGHT-click on Command Prompt and Select Run As Administrator. Copy/paste the following bolded command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If TDSSKiller alerts you that the system needs to reboot, please consent.
  • When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
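The TDSSKiller.txt written by the command above contains a "Scanning Kernel memory" section that lists, for every device object, the driver's IRP dispatch table (the IRP_MJ_* : address lines in the log posted later in this thread). A rootkit that hides a patched driver typically does so by redirecting some of those entries, most usefully the read/write path of the disk stack, into its own code. The script below is an added example, not part of the thread and not TDSSKiller's own logic: it parses that section and applies a simple consistency check. Two assumptions are built in: the single most frequent address in a table is the kernel's shared "not implemented" stub (804F4562 in the posted log), and all other handlers of a healthy driver fall inside one 1 MB-aligned address window; any handler outside the majority window is reported as suspect. The first embedded block is an abbreviated copy of the disk.sys table from the posted log; the second is constructed to show what a hooked table would look like.

```python
"""Added example (not from the thread or from TDSSKiller): read the
'Scanning Kernel memory' section of a TDSSKiller log and flag IRP dispatch
entries that point outside the driver's own image."""
import re
from collections import Counter

# Constructed excerpt. The first block is an abbreviated copy of the disk.sys
# table from the log posted in this thread; the second block is CONSTRUCTED
# to show what a hooked table looks like (read/write/device-control handlers
# redirected into an unrelated address range). Nothing beyond the copied
# lines is real TDSSKiller output.
SAMPLE = r"""
12:18:08:515 3388 Driver Name: Disk
12:18:08:515 3388 IRP_MJ_CREATE : BA91EBB0
12:18:08:515 3388 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:18:08:515 3388 IRP_MJ_CLOSE : BA91EBB0
12:18:08:515 3388 IRP_MJ_READ : BA918D1F
12:18:08:515 3388 IRP_MJ_WRITE : BA918D1F
12:18:08:515 3388 IRP_MJ_QUERY_INFORMATION : 804F4562
12:18:08:515 3388 IRP_MJ_SET_INFORMATION : 804F4562
12:18:08:515 3388 IRP_MJ_FLUSH_BUFFERS : BA9192E2
12:18:08:515 3388 IRP_MJ_DEVICE_CONTROL : BA9193BB
12:18:08:515 3388 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CF28
12:18:08:515 3388 IRP_MJ_SHUTDOWN : BA9192E2
12:18:08:515 3388 IRP_MJ_POWER : BA91AC82
12:18:08:515 3388 IRP_MJ_SYSTEM_CONTROL : BA91F99E
12:18:08:515 3388 IRP_MJ_QUERY_QUOTA : 804F4562
12:18:08:531 3388 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

12:18:08:600 3388 Driver Name: Disk
12:18:08:600 3388 IRP_MJ_CREATE : BA91EBB0
12:18:08:600 3388 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:18:08:600 3388 IRP_MJ_CLOSE : BA91EBB0
12:18:08:600 3388 IRP_MJ_READ : 8A12C0E0
12:18:08:600 3388 IRP_MJ_WRITE : 8A12C0E0
12:18:08:600 3388 IRP_MJ_QUERY_INFORMATION : 804F4562
12:18:08:600 3388 IRP_MJ_SET_INFORMATION : 804F4562
12:18:08:600 3388 IRP_MJ_FLUSH_BUFFERS : BA9192E2
12:18:08:600 3388 IRP_MJ_DEVICE_CONTROL : 8A12C3A4
12:18:08:600 3388 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CF28
12:18:08:600 3388 IRP_MJ_SHUTDOWN : BA9192E2
12:18:08:600 3388 IRP_MJ_POWER : BA91AC82
12:18:08:600 3388 IRP_MJ_SYSTEM_CONTROL : BA91F99E
12:18:08:600 3388 IRP_MJ_QUERY_QUOTA : 804F4562
"""

DRIVER_RE = re.compile(r"Driver Name: (\S+)\s*$")
ENTRY_RE = re.compile(r"(IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})\s*$")
# timestamp, pid, then the backing file and TDSSKiller's verdict number
VERDICT_RE = re.compile(r"^\S+ \d+ (.+?) - Verdict: (\d+)\s*$")


def parse_kernel_section(text):
    """Split the log into per-device blocks: driver name, {irp: addr}, file, verdict."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DRIVER_RE.search(line):
            cur = {"driver": m.group(1), "table": {}, "file": None, "verdict": None}
            blocks.append(cur)
        elif cur and (m := ENTRY_RE.search(line)):
            cur["table"][m.group(1)] = int(m.group(2), 16)
        elif cur and (m := VERDICT_RE.match(line)):
            cur["file"], cur["verdict"] = m.group(1), int(m.group(2))
            cur = None
    return blocks


def check_block(block, window_shift=20):
    """Report dispatch entries outside the driver's majority address window.

    Assumptions (not TDSSKiller's algorithm): the most frequent address is the
    kernel's shared stub for unimplemented majors; the remaining handlers of a
    clean driver share one 1 MB window (addr >> 20). A legitimate image that
    straddles a 1 MB boundary would be a false positive of this heuristic.
    """
    table = block["table"]
    if not table:
        return {"stub": None, "suspect": {}}
    stub = Counter(table.values()).most_common(1)[0][0]
    windows = Counter(a >> window_shift for a in table.values() if a != stub)
    if not windows:
        return {"stub": stub, "suspect": {}}
    home = windows.most_common(1)[0][0]
    suspect = {irp: a for irp, a in table.items()
               if a != stub and (a >> window_shift) != home}
    return {"stub": stub, "suspect": suspect}


def audit(text):
    """One report per device block, with addresses rendered as 8-digit hex."""
    out = []
    for block in parse_kernel_section(text):
        r = check_block(block)
        out.append({
            "driver": block["driver"], "file": block["file"], "verdict": block["verdict"],
            "stub": None if r["stub"] is None else f"{r['stub']:08X}",
            "suspect": {irp: f"{a:08X}" for irp, a in r["suspect"].items()},
        })
    return out


if __name__ == "__main__":
    for rep in audit(SAMPLE):
        status = "INCONSISTENT (hook?)" if rep["suspect"] else "consistent"
        print(rep["driver"], rep["file"], status, rep["suspect"])
```

On the posted disk.sys and USBSTOR.SYS tables every non-stub handler sits in one window (BA91xxxx and AC47xxxx respectively), which is what a clean table looks like. The check is only a screening aid: a rootkit can just as well patch code inside the driver image so every pointer still looks "at home", which is why TDSSKiller's own verdict (the file-versus-memory comparison it performs) remains the authoritative result, and why the thread's fix was replacing the patched iaStor.sys rather than unhooking anything.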

#11 alongwalk

  • Topic Starter
  • Members
  • 11 posts

Posted 17 April 2010 - 08:38 PM

I'm almost afraid to say this, lest I jinx my situation, but I think that did it!

tdsskiller seems to have done the trick. Logs are below... I'm not getting the "malicious website blocked" messages from mbam, I'm able to connect to the windows update page, haven't gotten any pop-behinds or random "warning thump" sounds. One other thing I had forgotten to mention - I had previously been using Chrome as my browser. This rootkit had disabled Chrome (got nothing but a blank page), and didn't let me re-install it (install just froze-up). I'm now re-running Chrome again... in fact typing this message via Chrome.

iaStor.sys appears to have been my corrupted file... who'd have guessed?

My guess is that this malicious program was able to punch a hole in the security using something in Explorer or Firefox, and knew that it couldn't work with Chrome. It was allowing other malware to be downloaded and installed on my computer- which I kept cleaning up, then later blocking...

So, thanks a ton! I hope this thread can be retired, and/or someone learns something from this. In the end, the thing that might have proved key was bitdefender, which gave the clue you were able to use to figure out what was wrong. So, maybe I shouldn't be so hard on Bitdefender after all. While it didn't prevent or fix this, at least it played a role.

Logs are below... thanks again so much for spending your time helping the rest of us. I'm not sure if there is some way to donate to bleeping computer, but I'll look into it...

TDSSKiller log:

12:18:08:296 3388 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:18:08:296 3388 ================================================================================
12:18:08:296 3388 SystemInfo:

12:18:08:296 3388 OS Version: 5.1.2600 ServicePack: 3.0
12:18:08:296 3388 Product type: Workstation
12:18:08:296 3388 ComputerName: DESKTOP2
12:18:08:296 3388 UserName: Jonathan Ley
12:18:08:296 3388 Windows directory: C:\WINDOWS
12:18:08:296 3388 Processor architecture: Intel x86
12:18:08:296 3388 Number of processors: 2
12:18:08:296 3388 Page size: 0x1000
12:18:08:312 3388 Boot type: Normal boot
12:18:08:312 3388 ================================================================================
12:18:08:328 3388 UnloadDriverW: NtUnloadDriver error 2
12:18:08:328 3388 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:18:08:406 3388 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:18:08:406 3388 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:18:08:406 3388 wfopen_ex: Trying to KLMD file open
12:18:08:406 3388 wfopen_ex: File opened ok (Flags 2)
12:18:08:406 3388 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:18:08:406 3388 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:18:08:406 3388 wfopen_ex: Trying to KLMD file open
12:18:08:406 3388 wfopen_ex: File opened ok (Flags 2)
12:18:08:406 3388 Initialize success
12:18:08:406 3388
12:18:08:406 3388 Scanning Services ...
12:18:08:500 3388 Raw services enum returned 335 services
12:18:08:515 3388
12:18:08:515 3388 Scanning Kernel memory ...
12:18:08:515 3388 Devices to scan: 16
12:18:08:515 3388
12:18:08:515 3388 Driver Name: Disk
12:18:08:515 3388 IRP_MJ_CREATE : BA91EBB0
12:18:08:515 3388 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:18:08:515 3388 IRP_MJ_CLOSE : BA91EBB0
12:18:08:515 3388 IRP_MJ_READ : BA918D1F
12:18:08:515 3388 IRP_MJ_WRITE : BA918D1F
12:18:08:515 3388 IRP_MJ_QUERY_INFORMATION : 804F4562
12:18:08:515 3388 IRP_MJ_SET_INFORMATION : 804F4562
12:18:08:515 3388 IRP_MJ_QUERY_EA : 804F4562
12:18:08:515 3388 IRP_MJ_SET_EA : 804F4562
12:18:08:515 3388 IRP_MJ_FLUSH_BUFFERS : BA9192E2
12:18:08:515 3388 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:18:08:515 3388 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:18:08:515 3388 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:18:08:515 3388 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:18:08:515 3388 IRP_MJ_DEVICE_CONTROL : BA9193BB
12:18:08:515 3388 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CF28
12:18:08:515 3388 IRP_MJ_SHUTDOWN : BA9192E2
12:18:08:515 3388 IRP_MJ_LOCK_CONTROL : 804F4562
12:18:08:515 3388 IRP_MJ_CLEANUP : 804F4562
12:18:08:515 3388 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:18:08:515 3388 IRP_MJ_QUERY_SECURITY : 804F4562
12:18:08:515 3388 IRP_MJ_SET_SECURITY : 804F4562
12:18:08:515 3388 IRP_MJ_POWER : BA91AC82
12:18:08:515 3388 IRP_MJ_SYSTEM_CONTROL : BA91F99E
12:18:08:515 3388 IRP_MJ_DEVICE_CHANGE : 804F4562
12:18:08:515 3388 IRP_MJ_QUERY_QUOTA : 804F4562
12:18:08:515 3388 IRP_MJ_SET_QUOTA : 804F4562
12:18:08:531 3388 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:18:08:531 3388
12:18:08:531 3388 Driver Name: Disk
12:18:08:531 3388 IRP_MJ_CREATE : BA91EBB0
12:18:08:531 3388 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:18:08:531 3388 IRP_MJ_CLOSE : BA91EBB0
12:18:08:531 3388 IRP_MJ_READ : BA918D1F
12:18:08:531 3388 IRP_MJ_WRITE : BA918D1F
12:18:08:531 3388 IRP_MJ_QUERY_INFORMATION : 804F4562
12:18:08:531 3388 IRP_MJ_SET_INFORMATION : 804F4562
12:18:08:531 3388 IRP_MJ_QUERY_EA : 804F4562
12:18:08:531 3388 IRP_MJ_SET_EA : 804F4562
12:18:08:531 3388 IRP_MJ_FLUSH_BUFFERS : BA9192E2
12:18:08:531 3388 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:18:08:531 3388 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:18:08:531 3388 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:18:08:531 3388 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:18:08:531 3388 IRP_MJ_DEVICE_CONTROL : BA9193BB
12:18:08:531 3388 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CF28
12:18:08:531 3388 IRP_MJ_SHUTDOWN : BA9192E2
12:18:08:531 3388 IRP_MJ_LOCK_CONTROL : 804F4562
12:18:08:531 3388 IRP_MJ_CLEANUP : 804F4562
12:18:08:531 3388 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:18:08:531 3388 IRP_MJ_QUERY_SECURITY : 804F4562
12:18:08:531 3388 IRP_MJ_SET_SECURITY : 804F4562
12:18:08:531 3388 IRP_MJ_POWER : BA91AC82
12:18:08:531 3388 IRP_MJ_SYSTEM_CONTROL : BA91F99E
12:18:08:531 3388 IRP_MJ_DEVICE_CHANGE : 804F4562
12:18:08:531 3388 IRP_MJ_QUERY_QUOTA : 804F4562
12:18:08:531 3388 IRP_MJ_SET_QUOTA : 804F4562
12:18:08:531 3388 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:18:08:531 3388
12:18:08:531 3388 Driver Name: Disk
12:18:08:531 3388 IRP_MJ_CREATE : BA91EBB0
12:18:08:531 3388 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:18:08:531 3388 IRP_MJ_CLOSE : BA91EBB0
12:18:08:531 3388 IRP_MJ_READ : BA918D1F
12:18:08:531 3388 IRP_MJ_WRITE : BA918D1F
12:18:08:531 3388 IRP_MJ_QUERY_INFORMATION : 804F4562
12:18:08:531 3388 IRP_MJ_SET_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_EA : 804F4562
12:18:08:546 3388 IRP_MJ_SET_EA : 804F4562
12:18:08:546 3388 IRP_MJ_FLUSH_BUFFERS : BA9192E2
12:18:08:546 3388 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:18:08:546 3388 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:18:08:546 3388 IRP_MJ_DEVICE_CONTROL : BA9193BB
12:18:08:546 3388 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CF28
12:18:08:546 3388 IRP_MJ_SHUTDOWN : BA9192E2
12:18:08:546 3388 IRP_MJ_LOCK_CONTROL : 804F4562
12:18:08:546 3388 IRP_MJ_CLEANUP : 804F4562
12:18:08:546 3388 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_SECURITY : 804F4562
12:18:08:546 3388 IRP_MJ_SET_SECURITY : 804F4562
12:18:08:546 3388 IRP_MJ_POWER : BA91AC82
12:18:08:546 3388 IRP_MJ_SYSTEM_CONTROL : BA91F99E
12:18:08:546 3388 IRP_MJ_DEVICE_CHANGE : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_QUOTA : 804F4562
12:18:08:546 3388 IRP_MJ_SET_QUOTA : 804F4562
12:18:08:546 3388 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:18:08:546 3388
12:18:08:546 3388 Driver Name: Disk
12:18:08:546 3388 IRP_MJ_CREATE : BA91EBB0
12:18:08:546 3388 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:18:08:546 3388 IRP_MJ_CLOSE : BA91EBB0
12:18:08:546 3388 IRP_MJ_READ : BA918D1F
12:18:08:546 3388 IRP_MJ_WRITE : BA918D1F
12:18:08:546 3388 IRP_MJ_QUERY_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_SET_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_EA : 804F4562
12:18:08:546 3388 IRP_MJ_SET_EA : 804F4562
12:18:08:546 3388 IRP_MJ_FLUSH_BUFFERS : BA9192E2
12:18:08:546 3388 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:18:08:546 3388 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:18:08:546 3388 IRP_MJ_DEVICE_CONTROL : BA9193BB
12:18:08:546 3388 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CF28
12:18:08:546 3388 IRP_MJ_SHUTDOWN : BA9192E2
12:18:08:546 3388 IRP_MJ_LOCK_CONTROL : 804F4562
12:18:08:546 3388 IRP_MJ_CLEANUP : 804F4562
12:18:08:546 3388 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_SECURITY : 804F4562
12:18:08:546 3388 IRP_MJ_SET_SECURITY : 804F4562
12:18:08:546 3388 IRP_MJ_POWER : BA91AC82
12:18:08:546 3388 IRP_MJ_SYSTEM_CONTROL : BA91F99E
12:18:08:546 3388 IRP_MJ_DEVICE_CHANGE : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_QUOTA : 804F4562
12:18:08:546 3388 IRP_MJ_SET_QUOTA : 804F4562
12:18:08:546 3388 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:18:08:546 3388
12:18:08:546 3388 Driver Name: Disk
12:18:08:546 3388 IRP_MJ_CREATE : BA91EBB0
12:18:08:546 3388 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:18:08:546 3388 IRP_MJ_CLOSE : BA91EBB0
12:18:08:546 3388 IRP_MJ_READ : BA918D1F
12:18:08:546 3388 IRP_MJ_WRITE : BA918D1F
12:18:08:546 3388 IRP_MJ_QUERY_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_SET_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_EA : 804F4562
12:18:08:546 3388 IRP_MJ_SET_EA : 804F4562
12:18:08:546 3388 IRP_MJ_FLUSH_BUFFERS : BA9192E2
12:18:08:546 3388 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:18:08:546 3388 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:18:08:546 3388 IRP_MJ_DEVICE_CONTROL : BA9193BB
12:18:08:546 3388 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA91CF28
12:18:08:546 3388 IRP_MJ_SHUTDOWN : BA9192E2
12:18:08:546 3388 IRP_MJ_LOCK_CONTROL : 804F4562
12:18:08:546 3388 IRP_MJ_CLEANUP : 804F4562
12:18:08:546 3388 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_SECURITY : 804F4562
12:18:08:546 3388 IRP_MJ_SET_SECURITY : 804F4562
12:18:08:546 3388 IRP_MJ_POWER : BA91AC82
12:18:08:546 3388 IRP_MJ_SYSTEM_CONTROL : BA91F99E
12:18:08:546 3388 IRP_MJ_DEVICE_CHANGE : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_QUOTA : 804F4562
12:18:08:546 3388 IRP_MJ_SET_QUOTA : 804F4562
12:18:08:546 3388 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:18:08:546 3388
12:18:08:546 3388 Driver Name: USBSTOR
12:18:08:546 3388 IRP_MJ_CREATE : AC47C218
12:18:08:546 3388 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:18:08:546 3388 IRP_MJ_CLOSE : AC47C218
12:18:08:546 3388 IRP_MJ_READ : AC47C23C
12:18:08:546 3388 IRP_MJ_WRITE : AC47C23C
12:18:08:546 3388 IRP_MJ_QUERY_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_SET_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_EA : 804F4562
12:18:08:546 3388 IRP_MJ_SET_EA : 804F4562
12:18:08:546 3388 IRP_MJ_FLUSH_BUFFERS : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:18:08:546 3388 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:18:08:546 3388 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:18:08:546 3388 IRP_MJ_DEVICE_CONTROL : AC47C180
12:18:08:546 3388 IRP_MJ_INTERNAL_DEVICE_CONTROL : AC4779E6
12:18:08:546 3388 IRP_MJ_SHUTDOWN : 804F4562
12:18:08:546 3388 IRP_MJ_LOCK_CONTROL : 804F4562
12:18:08:546 3388 IRP_MJ_CLEANUP : 804F4562
12:18:08:546 3388 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_SECURITY : 804F4562
12:18:08:546 3388 IRP_MJ_SET_SECURITY : 804F4562
12:18:08:546 3388 IRP_MJ_POWER : AC47B5F0
12:18:08:546 3388 IRP_MJ_SYSTEM_CONTROL : AC479A6E
12:18:08:546 3388 IRP_MJ_DEVICE_CHANGE : 804F4562
12:18:08:546 3388 IRP_MJ_QUERY_QUOTA : 804F4562
12:18:08:546 3388 IRP_MJ_SET_QUOTA : 804F4562
12:18:08:562 3388 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
12:18:08:562 3388
12:18:08:562 3388 Driver Name: USBSTOR
12:18:08:562 3388 IRP_MJ_CREATE : AC47C218
12:18:08:562 3388 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:18:08:562 3388 IRP_MJ_CLOSE : AC47C218
12:18:08:562 3388 IRP_MJ_READ : AC47C23C
12:18:08:562 3388 IRP_MJ_WRITE : AC47C23C
12:18:08:562 3388 IRP_MJ_QUERY_INFORMATION : 804F4562
12:18:08:562 3388 IRP_MJ_SET_INFORMATION : 804F4562
12:18:08:562 3388 IRP_MJ_QUERY_EA : 804F4562
12:18:08:562 3388 IRP_MJ_SET_EA : 804F4562
12:18:08:562 3388 IRP_MJ_FLUSH_BUFFERS : 804F4562
12:18:08:562 3388 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:18:08:562 3388 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:18:08:562 3388 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:18:08:562 3388 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:18:08:562 3388 IRP_MJ_DEVICE_CONTROL : AC47C180
12:18:08:562 3388 IRP_MJ_INTERNAL_DEVICE_CONTROL : AC4779E6
12:18:08:562 3388 IRP_MJ_SHUTDOWN : 804F4562
12:18:08:562 3388 IRP_MJ_LOCK_CONTROL : 804F4562
12:18:08:562 3388 IRP_MJ_CLEANUP : 804F4562
12:18:08:562 3388 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:18:08:562 3388 IRP_MJ_QUERY_SECURITY : 804F4562
12:18:08:562 3388 IRP_MJ_SET_SECURITY : 804F4562
12:18:08:562 3388 IRP_MJ_POWER : AC47B5F0
12:18:08:562 3388 IRP_MJ_SYSTEM_CONTROL : AC479A6E
12:18:08:562 3388 IRP_MJ_DEVICE_CHANGE : 804F4562
12:18:08:562 3388 IRP_MJ_QUERY_QUOTA : 804F4562
12:18:08:562 3388 IRP_MJ_SET_QUOTA : 804F4562
12:18:08:562 3388 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
12:18:08:562 3388
12:18:08:562 3388 Driver Name: USBSTOR
12:18:08:562 3388 IRP_MJ_CREATE : AC47C218
12:18:08:562 3388 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:18:08:562 3388 IRP_MJ_CLOSE : AC47C218
12:18:08:562 3388 IRP_MJ_READ : AC47C23C
12:18:08:562 3388 IRP_MJ_WRITE : AC47C23C
12:18:08:562 3388 IRP_MJ_QUERY_INFORMATION : 804F4562
12:18:08:562 3388 IRP_MJ_SET_INFORMATION : 804F4562
12:18:08:562 3388 IRP_MJ_QUERY_EA : 804F4562
12:18:08:562 3388 IRP_MJ_SET_EA : 804F4562
12:18:08:562 3388 IRP_MJ_FLUSH_BUFFERS : 804F4562
12:18:08:562 3388 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:18:08:562 3388 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:18:08:562 3388 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:18:08:562 3388 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:18:08:562 3388 IRP_MJ_DEVICE_CONTROL : AC47C180
12:18:08:562 3388 IRP_MJ_INTERNAL_DEVICE_CONTROL : AC4779E6
12:18:08:562 3388 IRP_MJ_SHUTDOWN : 804F4562
12:18:08:562 3388 IRP_MJ_LOCK_CONTROL : 804F4562
12:18:08:562 3388 IRP_MJ_CLEANUP : 804F4562
12:18:08:562 3388 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:18:08:562 3388 IRP_MJ_QUERY_SECURITY : 804F4562
12:18:08:562 3388 IRP_MJ_SET_SECURITY : 804F4562
12:18:08:562 3388 IRP_MJ_POWER : AC47B5F0
12:18:08:562 3388 IRP_MJ_SYSTEM_CONTROL : AC479A6E
12:18:08:562 3388 IRP_MJ_DEVICE_CHANGE : 804F4562
12:18:08:593 3388 Driver Name: iaStor
12:18:08:593 3388 IRP_MJ_CREATE : BA67EFC2
12:18:08:593 3388 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:18:08:593 3388 IRP_MJ_CLOSE : BA67EFC2
12:18:08:593 3388 IRP_MJ_READ : 804F4562
12:18:08:593 3388 IRP_MJ_WRITE : 804F4562
12:18:08:593 3388 IRP_MJ_QUERY_INFORMATION : 804F4562
12:18:08:593 3388 IRP_MJ_SET_INFORMATION : 804F4562
12:18:08:593 3388 IRP_MJ_QUERY_EA : 804F4562
12:18:08:593 3388 IRP_MJ_SET_EA : 804F4562
12:18:08:593 3388 IRP_MJ_FLUSH_BUFFERS : 804F4562
12:18:08:593 3388 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:18:08:593 3388 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:18:08:593 3388 IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:18:08:593 3388 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:18:08:593 3388 IRP_MJ_DEVICE_CONTROL : BA682CB6
12:18:08:593 3388 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA682F78
12:18:08:593 3388 IRP_MJ_SHUTDOWN : 804F4562
12:18:08:593 3388 IRP_MJ_LOCK_CONTROL : 804F4562
12:18:08:593 3388 IRP_MJ_CLEANUP : 804F4562
12:18:08:593 3388 IRP_MJ_CREATE_MAILSLOT : 804F4562
12:18:08:593 3388 IRP_MJ_QUERY_SECURITY : 804F4562
12:18:08:593 3388 IRP_MJ_SET_SECURITY : 804F4562
12:18:08:593 3388 IRP_MJ_POWER : BA687D12
12:18:08:593 3388 IRP_MJ_SYSTEM_CONTROL : BA687E72
12:18:08:593 3388 IRP_MJ_DEVICE_CHANGE : 804F4562
12:18:08:593 3388 IRP_MJ_QUERY_QUOTA : 804F4562
12:18:08:593 3388 IRP_MJ_SET_QUOTA : 804F4562
12:18:08:593 3388 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
12:18:08:593 3388
12:18:08:593 3388 Driver Name: iaStor
12:18:08:593 3388 IRP_MJ_CREATE : 8A73FD6B
12:18:08:593 3388 IRP_MJ_CREATE_NAMED_PIPE : 8A73FD6B
12:18:08:593 3388 IRP_MJ_CLOSE : 8A73FD6B
12:18:08:593 3388 IRP_MJ_READ : 8A73FD6B
12:18:08:593 3388 IRP_MJ_WRITE : 8A73FD6B
12:18:08:593 3388 IRP_MJ_QUERY_INFORMATION : 8A73FD6B
12:18:08:593 3388 IRP_MJ_SET_INFORMATION : 8A73FD6B
12:18:08:593 3388 IRP_MJ_QUERY_EA : 8A73FD6B
12:18:08:593 3388 IRP_MJ_SET_EA : 8A73FD6B
12:18:08:593 3388 IRP_MJ_FLUSH_BUFFERS : 8A73FD6B
12:18:08:593 3388 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A73FD6B
12:18:08:593 3388 IRP_MJ_SET_VOLUME_INFORMATION : 8A73FD6B
12:18:08:593 3388 IRP_MJ_DIRECTORY_CONTROL : 8A73FD6B
12:18:08:593 3388 IRP_MJ_FILE_SYSTEM_CONTROL : 8A73FD6B
12:18:08:593 3388 IRP_MJ_DEVICE_CONTROL : 8A73FD6B
12:18:08:593 3388 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A73FD6B
12:18:08:593 3388 IRP_MJ_SHUTDOWN : 8A73FD6B
12:18:08:593 3388 IRP_MJ_LOCK_CONTROL : 8A73FD6B
12:18:08:593 3388 IRP_MJ_CLEANUP : 8A73FD6B
12:18:08:593 3388 IRP_MJ_CREATE_MAILSLOT : 8A73FD6B
12:18:08:593 3388 IRP_MJ_QUERY_SECURITY : 8A73FD6B
12:18:08:593 3388 IRP_MJ_SET_SECURITY : 8A73FD6B
12:18:08:593 3388 IRP_MJ_POWER : 8A73FD6B
12:18:08:593 3388 IRP_MJ_SYSTEM_CONTROL : 8A73FD6B
12:18:08:593 3388 IRP_MJ_DEVICE_CHANGE : 8A73FD6B
12:18:08:593 3388 IRP_MJ_QUERY_QUOTA : 8A73FD6B
12:18:08:593 3388 IRP_MJ_SET_QUOTA : 8A73FD6B
12:18:08:593 3388 Driver "iaStor" infected by TDSS rootkit!
12:18:08:609 3388 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
12:18:08:609 3388 File "C:\WINDOWS\system32\drivers\iaStor.sys" infected by TDSS rootkit ...
12:18:08:609 3388 Processing driver file: C:\WINDOWS\system32\drivers\iaStor.sys
12:18:08:609 3388 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:18:08:828 3388 vfvi6
12:18:08:906 3388 !dsvbh1
12:18:09:375 3388 dsvbh2
12:18:09:375 3388 fdfb3
12:18:09:375 3388 Backup copy found, using it..
12:18:09:437 3388 will be cured on next reboot
12:18:09:437 3388 Reboot required for cure complete..
12:18:09:453 3388 Cure on reboot scheduled successfully
12:18:09:453 3388
12:18:09:453 3388 Completed
12:18:09:453 3388
12:18:09:453 3388 Results:
12:18:09:453 3388 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:18:09:453 3388 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:18:09:453 3388 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:18:09:453 3388
12:18:09:453 3388 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:18:09:453 3388 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:18:09:453 3388 UnloadDriverW: NtUnloadDriver error 1
12:18:09:453 3388 KLMD(ARK) unloaded successfully

MalwareBytes log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4002

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/17/2010 12:26:01 PM
mbam-log-2010-04-17 (12-26-01).txt

Scan type: Quick scan
Objects scanned: 103013
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by alongwalk, 17 April 2010 - 08:39 PM.
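An added example, not code from the thread or from TDSSKiller itself: it parses driver entries in the log format quoted above and flags any dispatch table whose IRP_MJ_* entries all resolve to a single address, the pattern the log shows for the hooked iaStor entry. The sample lines are constructed from the entries above (shortened to a few majors), and the single-address heuristic is an assumption for illustration, not the tool's own detection logic.

```python
import re

# Constructed sample modelled on the TDSSKiller driver entries quoted above:
# a driver with distinct per-IRP handlers, and one whose every IRP_MJ_* entry
# resolves to the same address, which TDSSKiller itself flagged as hooked.
SAMPLE_LOG = r"""
12:18:08:593 3388 Driver Name: Disk
12:18:08:593 3388 IRP_MJ_CREATE : BA91EBB0
12:18:08:593 3388 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:18:08:593 3388 IRP_MJ_READ : BA918D1F
12:18:08:593 3388 IRP_MJ_DEVICE_CONTROL : BA9193BB
12:18:08:593 3388 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:18:08:593 3388
12:18:08:593 3388 Driver Name: iaStor
12:18:08:593 3388 IRP_MJ_CREATE : 8A73FD6B
12:18:08:593 3388 IRP_MJ_CREATE_NAMED_PIPE : 8A73FD6B
12:18:08:593 3388 IRP_MJ_READ : 8A73FD6B
12:18:08:593 3388 IRP_MJ_DEVICE_CONTROL : 8A73FD6B
12:18:08:593 3388 Driver "iaStor" infected by TDSS rootkit!
12:18:08:609 3388 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
"""

# Each log line is "HH:MM:SS:mmm <pid> <body>"; only the body is interpreted.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})$")
REPORTED_RE = re.compile(r'^Driver "(\S+)" infected by TDSS rootkit')
VERDICT_RE = re.compile(r"^(.*\.sys) - Verdict: (\d+)$", re.IGNORECASE)

def parse_entries(text):
    """One dict per entry: driver, path, IRP table, and whether TDSSKiller reported it."""
    entries, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        if d := DRIVER_RE.match(body):
            cur = {"driver": d.group(1), "table": {}, "reported": False}
        elif cur and (i := IRP_RE.match(body)):
            cur["table"][i.group(1)] = i.group(2).upper()
        elif cur and REPORTED_RE.match(body):
            cur["reported"] = True
        elif cur and (v := VERDICT_RE.match(body)):
            cur["path"] = v.group(1)       # the "Verdict" line closes the entry
            entries.append(cur)
            cur = None
    return entries

def hooked_entries(entries, min_irps=3):
    """Flag tables where every IRP_MJ major resolves to one address (assumed heuristic).
    A clean driver leaves unhandled majors on the kernel default routine, 804F4562 in
    the thread's log, and points real handlers elsewhere, so one address for all
    majors is the pattern worth raising for review."""
    return [e for e in entries
            if len(e["table"]) >= min_irps and len(set(e["table"].values())) == 1]
```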


#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:54 AM

Posted 17 April 2010 - 09:31 PM

Shhhh looks good..
Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#13 alongwalk

alongwalk
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:54 AM

Posted 17 April 2010 - 11:39 PM

Thanks again for the advice.

Here's an interesting epilogue. I had my computer on for a couple hours - not using it. Then, I came back, surfed a couple things, and got a flurry of blocked IP addresses. On a whim I looked up these IP addresses. One of them is identified as xeeno.com, hosted by Softlayer Technologies in Texas. And the other is unidentified, hosted by Consonus in Utah.

It turns out that xeeno.com is the forum server for macrumors.com, a forum I've visited quite a bit recently. They share an ISP - Softlayer Technologies - who has also hosted a company - IObit - that malwarebytes is accusing of stealing malwarebytes code. There's an interview with malwarebytes about this here:
http://news.softpedia.com/news/Malwarebyte...ad-126389.shtml

So, malwarebytes is blocking Softlayer Technologies.

This is from August 2009, so I'm not sure of the latest, but apparently it's not 100% resolved yet. Perhaps this is being discussed elsewhere on bleepingcomputer? I'm not sure... Anyway, it seems that this part of my problem isn't a virus/malware, rather an international information espionage case that I'm caught in the middle of.

As for the unidentified IP hosted by Consonus? I have no idea...

Edited by alongwalk, 17 April 2010 - 11:40 PM.


#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,166 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:54 AM

Posted 18 April 2010 - 03:28 PM

Thanks, yes, we're discussing it here
http://www.bleepingcomputer.com/forums/ind...61&hl=IObit

But your comment on the server is also interesting and I will pass your post along.



