
TDSS Rootkit infection-according to TDSSKiller


  • This topic is locked
16 replies to this topic

#1 loveaustintx

  • Members
  • 56 posts
  • Location:Austin, Texas
Posted 13 June 2010 - 12:40 AM

Problem started with a Windows Host Process stop message. Faulting app was svchost, faulting module was ntdll.dll. Then CA Security Suite was unable to connect to its server. Tried a restore point of 06/03 on 06/10 and after restoring that point received a Windows Update error of 80072EFE, which I do not believe I was receiving before. Reason for being unsure is that I do not have update set to automatic. Reversed the restore point but still had the Windows Update error. Checking further, found a proxy setting set in IE Advanced options (my default browser is Firefox). Unchecking this allowed CA to update, which had also been having an issue since 06/04. Still received the Windows Update 80072EFE error and the Host Process stop error.

Steps to resolve: GMER locked up the PC almost immediately after starting its scan. Renaming gmer.exe to test.exe allows the scan to run a bit further, but it ended with an error of not responding or automatically restarts the PC. One entry that GMER did report was "atapi.sys suspicious modification". Since GMER was not completing its scan I moved on to TDSSKiller. This program found & removed windows/system32/drivers/volsnap.sys infected with the TDSS rootkit. After reboot I was able to get updates, but tried GMER again with the rename to test.exe and it again went non-responsive.

Also scanned with CA Security, Malwarebytes, MS Malicious Software Removal Tool, & ESET online scanner (all of which came back clean) before running the GMER & TDSSKiller tools.

It has now been 5 plus hours (time is 12:30 a.m. CST on 06/13/2010) and I have not received a Host Process error, which previously was happening often. I have copied the DDS.txt report and attached the DDS Attach.txt file. Cannot attach an ark.txt from GMER as it will not complete its scan.

Would very much appreciate if someone could take a look and see if TDSSKiller cleaned my infection or if I need to perform additional steps. Thank you.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Only Me at 0:09:57.10 on Sun 06/13/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1041 [GMT -5:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: CA Anti-Spyware *enabled* (Updated) {6B98D35F-BB76-41C0-876B-A50645ED099A}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Seagate\SeagateManager\Sync\MaxSync.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WUDFHost.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovep.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Only Me.circuitcity-PC\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.tvguide.com/listings/
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\adobe contribute cs5\plugins\ieplugin\contributeieplugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QOELOADER] "c:\program files\ca\ca internet security suite\ca anti-spam\qsp-5.1.18.0\QOELoader.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [capfasem] c:\program files\ca\ca internet security suite\ca personal firewall\capfasem.exe
mRun: [cafwc] c:\program files\ca\ca internet security suite\ca personal firewall\cafw.exe -cl
dRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: lmn.tv\www
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: PFW - UmxWnp.Dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\onlyme~1.cir\appdata\roaming\mozilla\firefox\profiles\24jrtgd0.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.tvguide.com/Listings/|http://www.google.com/
FF - component: c:\program files\adobe\adobe contribute cs5\plugins\firefoxplugin\{01a8ca0a-4c96-465b-a49b-65c46fad54f9}\components\Contribute.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npContribute.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\users\only me.circuitcity-pc\appdata\local\yahoo!\browserplus\2.7.1\plugins\npybrowserplus_2.7.1.dll
FF - plugin: d:\program files\adobe\reader 8.0\reader\browser\nppdf32.dll
FF - plugin: j:\program files\download manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-6-24 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2008-6-24 45584]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-12-1 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-12-1 21104]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-12-1 32240]
R2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2007-4-16 266343]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-3-23 144960]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2008-6-24 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2007-10-18 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2007-10-18 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-6-24 281104]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-12-1 238928]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-6-24 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2007-8-16 189704]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2010-6-11 130280]
S1 KmxFilter;HIPS Core Filter Driver;c:\windows\system32\drivers\KmxFilter.sys [2007-10-18 51728]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvscpapisvr.exe --> c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [?]
S3 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2008-6-24 138744]
S3 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2008-6-24 103952]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"j:\program files\roxio creator 2009\digital home 11\roxioupnprenderer11.exe" --> j:\program files\roxio creator 2009\digital home 11\RoxioUPnPRenderer11.exe [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

=============== Created Last 30 ================

2010-06-12 17:45:00 176 ----a-w- c:\users\only me.circuitcity-pc\defogger_reenable
2010-06-11 16:25:18 746216 ----a-w- c:\windows\system32\drivers\vetefile.sys
2010-06-11 16:25:18 130280 ----a-w- c:\windows\system32\drivers\veteboot.sys
2010-06-10 19:15:06 0 d-----w- c:\program files\DAEMON Tools Lite(11)
2010-06-10 19:15:06 0 d-----w- c:\program files\DAEMON Tools Lite
2010-06-08 03:55:14 0 d-----w- c:\users\onlyme~1.cir\appdata\roaming\Pogo
2010-06-08 03:55:14 0 d-----w- c:\programdata\Pogo
2010-06-07 23:08:11 0 d-----w- c:\programdata\EA Core
2010-05-31 01:34:35 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-31 01:34:25 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-26 01:18:34 0 d-----w- c:\programdata\Pippa Funnell - Secrets of the Ranch
2010-05-22 21:33:31 197522 ----a-w- c:\windows\CINEMA EMPIRE Uninstaller.exe
2010-05-14 21:07:56 0 d-----w- c:\program files\Oberon Media

==================== Find3M ====================

2010-06-13 04:59:31 79869 ----a-w- c:\programdata\nvModes.dat
2010-06-13 00:14:46 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-06-13 00:14:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2010-06-13 00:14:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2010-06-13 00:14:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2010-06-13 00:14:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2010-06-13 00:14:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2010-06-13 00:14:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2010-06-13 00:14:21 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2010-06-13 00:14:21 514270 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2010-06-10 19:15:48 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-12 17:44:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-05-11 23:11:37 222584 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-10 17:18:16 174 --sha-w- c:\program files\desktop.ini
2010-05-10 17:12:01 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-10 17:12:01 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-10 17:12:01 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-05-10 17:02:22 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-10 16:33:17 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-05-10 16:33:14 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-04-29 20:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 18:02:20 141238 ----a-w- c:\windows\hpoins14.dat
2010-04-04 02:18:05 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-04 02:18:04 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-03 23:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 23:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 23:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 22:55:31 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-04-03 22:55:31 56424 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-03 22:55:31 4503144 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-04-03 22:55:31 4029544 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 22:55:31 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 22:55:31 227944 ----a-w- c:\windows\system32\nvcod1914.dll
2010-04-03 22:55:31 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55:31 2009704 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 22:55:31 15227496 ----a-w- c:\windows\system32\nvoglv32.dll
2010-04-03 22:55:31 1296488 ----a-w- c:\windows\system32\nvapi.dll
2010-04-03 22:55:31 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2008-04-03 22:51:39 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 0:11:28.31 ===============
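The DDS log above is the kind of evidence a helper reads by hand. As an added example (not part of this thread and not DDS code), the Python below parses two sections of a log in the DDS format: it lists kernel drivers under system32\drivers whose timestamp falls within 30 days of the scan date (the freshly rewritten volsnap.sys stands out this way; here it was rewritten because TDSSKiller replaced it) and flags the mPolicies-system lines that show UAC switched off. The sample log text is constructed from a few lines of the post above, and the function names are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in DDS format: a few lines modelled on the log posted above
# (the "Run by" header, the UAC policy lines and a short Find3M excerpt).
SAMPLE_DDS = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by Only Me at 0:09:57.10 on Sun 06/13/2010

============== Pseudo HJT Report ===============

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)

==================== Find3M ====================

2010-06-13 04:59:31 79869 ----a-w- c:\programdata\nvModes.dat
2010-06-13 00:14:46 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-06-10 19:15:48 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-04-29 20:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat

============= FINISH: 0:11:28.31 ===============
"""

# DDS header: "Run by <user> at <time> on <Day> mm/dd/yyyy"
HEADER_RE = re.compile(r"^Run by .+ on \w{3} (\d{2}/\d{2}/\d{4})$")
# Find3M / Created Last 30 file lines: "<date> <time> <size> <attrs> <path>"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$")
# Pseudo HJT policy lines: "mPolicies-system: <Name> = <value> (0x..)"
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s+=\s+(\d+)")


def scan_date(text):
    """Return the date DDS was run, taken from its 'Run by ... on <day> mm/dd/yyyy' header."""
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            return datetime.strptime(m.group(1), "%m/%d/%Y")
    raise ValueError("no DDS 'Run by' header found")


def driver_files(text):
    """Return (timestamp, size, path) for every listed .sys file under system32\\drivers."""
    found = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        path = m.group(4).strip().lower()
        if "\\system32\\drivers\\" in path and path.endswith(".sys"):
            found.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                          int(m.group(2)), path))
    return found


def recently_modified_drivers(text, days=30):
    """Paths of kernel drivers whose timestamp lies within `days` before the scan date.

    A core Windows driver with a fresh timestamp among otherwise old ones deserves
    a second look (or, as in this thread, confirms that a cleanup tool replaced it).
    """
    cutoff = scan_date(text) - timedelta(days=days)
    return [path for ts, _size, path in driver_files(text) if ts >= cutoff]


def weak_uac_policies(text):
    """Flag mPolicies-system values that switch User Account Control protection off.

    ConsentPromptBehaviorUser=0 is deliberately not flagged: for standard users a
    value of 0 means elevation requests are automatically denied, which is stricter.
    """
    findings = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group(1), int(m.group(2))
        if name == "EnableLUA" and value == 0:
            findings.append("EnableLUA=0: User Account Control is disabled")
        elif name == "ConsentPromptBehaviorAdmin" and value == 0:
            findings.append("ConsentPromptBehaviorAdmin=0: administrators elevate with no prompt")
    return findings


if __name__ == "__main__":
    print("Recently modified drivers:", recently_modified_drivers(SAMPLE_DDS))
    for finding in weak_uac_policies(SAMPLE_DDS):
        print("UAC:", finding)
```

The file-line parser only understands the DDS layout; ComboFix lists files with two timestamps per line, so its log would need a separate pattern.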





#2 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 16 June 2010 - 03:34 PM

Hello there,

Do you still have the TDSS Killer report? If so, please post it for me.

As for GMER, well, what happens to you is not unusual. What you might try, since it applies in this case, is unchecking everything except the Sections, then give it a run that way. With this infection, that's where it shows up.

It's been a few days since your original post... how is it running?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 loveaustintx (Topic Starter)

  • Members
  • 56 posts
  • Location:Austin, Texas

Posted 17 June 2010 - 03:30 PM

Hi teacup! Thanks for the reply.

I looked in the tdsskiller folder on my desktop, but it only has the exe & the eula.txt, not sure where else to look... Will run another GMER using only Sections right now and will post back. PC seems to be running okay, but since GMER had the atapi.sys suspicious modification notice I have not spent a lot of time online. Still taking too long to boot & there are a couple of black screen flashes after the desktop appears that were not happening before.

Edited by loveaustintx, 17 June 2010 - 03:45 PM.


#4 loveaustintx (Topic Starter)

  • Members
  • 56 posts
  • Location:Austin, Texas

Posted 17 June 2010 - 03:47 PM

Okay, so I disabled my AV & firewall, disconnected from the Internet & closed all programs. Clicked on GMER, which is still named test.exe. It opened, but within just a few seconds I received a split-second BSOD & then the PC restarted. Thought about renaming it once again and then retrying, but thought I should just come here and post my results before trying anything else.

#5 teacup61 (Bleepin' Texan!)

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 June 2010 - 05:36 PM

Hi there,

I'm pretty sure TDSS Killer took care of the modified files (there were likely 2) but I sure would like to see it in black and white, and I know that's why you're here.

Don't worry about GMER for now. Let's have a look another way, and this way we'll be able to see everything that might be going on, not just any rootkit activity:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to Austin.exe and try again.

Thanks,
tea

#6 loveaustintx (Topic Starter)

  • Members
  • 56 posts
  • Location:Austin, Texas

Posted 17 June 2010 - 05:48 PM

Will do right now. Thanks.

#7 loveaustintx (Topic Starter)

  • Members
  • 56 posts
  • Location:Austin, Texas

Posted 17 June 2010 - 06:21 PM

Here is the ComboFix log:

ComboFix 10-06-17.02 - Only Me 06/17/2010 17:55:16.6.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1181 [GMT -5:00]
Running from: c:\users\Only Me.circuitcity-PC\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
SP: CA Anti-Spyware *disabled* (Updated) {6B98D35F-BB76-41C0-876B-A50645ED099A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\win.com
J:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))
.

2010-06-17 23:08 . 2010-06-17 23:08 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-17 23:08 . 2010-06-17 23:08 -------- d-----w- c:\users\ONLYME~1~CIR\AppData\Local\temp
2010-06-17 23:08 . 2010-06-17 23:08 -------- d-----w- c:\users\Only Me\AppData\Local\temp
2010-06-17 23:08 . 2010-06-17 23:08 -------- d-----w- c:\users\MissTech\AppData\Local\temp
2010-06-17 23:08 . 2010-06-17 23:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-17 21:56 . 2010-06-17 21:54 53632 ----a-w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-16 01:27 . 2010-06-16 01:27 -------- d-----w- c:\programdata\Jugilus
2010-06-11 16:25 . 2010-06-11 16:25 746216 ----a-w- c:\windows\system32\drivers\vetefile.sys
2010-06-11 16:25 . 2010-06-11 16:25 130280 ----a-w- c:\windows\system32\drivers\veteboot.sys
2010-06-10 19:15 . 2010-06-11 03:50 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-06-10 19:15 . 2010-06-10 19:18 -------- d-----w- c:\program files\DAEMON Tools Lite(11)
2010-06-08 03:55 . 2010-06-08 03:55 -------- d-----w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\Pogo
2010-06-08 03:55 . 2010-06-08 03:55 -------- d-----w- c:\programdata\Pogo
2010-06-07 23:08 . 2010-06-07 23:08 -------- d-----w- c:\programdata\EA Core
2010-05-31 01:34 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-31 01:34 . 2010-04-23 13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-26 01:18 . 2010-05-26 01:18 -------- d-----w- c:\programdata\Pippa Funnell - Secrets of the Ranch
2010-05-22 21:33 . 2010-05-22 21:33 197522 ----a-w- c:\windows\CINEMA EMPIRE Uninstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 22:00 . 2010-01-30 02:56 79869 ----a-w- c:\programdata\nvModes.dat
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2010-06-17 21:58 . 2008-03-24 02:01 514270 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2010-06-17 21:56 . 2010-05-11 20:25 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-17 21:54 . 2010-05-11 20:25 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-13 00:14 . 2010-05-10 16:17 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-06-12 23:12 . 2008-04-27 23:03 -------- d-----w- c:\program files\HiJack This
2010-06-11 03:49 . 2010-01-30 02:49 -------- d-----w- c:\programdata\NVIDIA
2010-06-11 03:49 . 2010-01-13 15:43 -------- d-----w- c:\program files\QS
2010-06-11 03:49 . 2009-09-08 21:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 03:49 . 2009-05-02 22:12 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-06-11 03:49 . 2008-05-02 02:59 -------- d-----w- c:\programdata\HP Product Assistant
2010-06-11 01:52 . 2007-04-17 00:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-11 01:52 . 2008-11-01 17:31 -------- d-----w- c:\program files\Electronic Arts
2010-06-10 19:15 . 2008-03-23 02:38 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-10 19:13 . 2009-05-02 22:13 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-05-31 01:37 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-16 21:22 . 2009-03-24 02:46 -------- d-----w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\Youdagames
2010-05-15 03:30 . 2010-05-14 21:07 -------- d-----w- c:\program files\Oberon Media
2010-05-13 01:39 . 2008-09-07 06:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-13 01:39 . 2008-09-07 06:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-12 17:44 . 2010-05-12 17:44 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-05-11 23:11 . 2010-05-11 23:11 222584 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-11 22:52 . 2010-05-11 22:52 -------- d-----w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-05-11 21:03 . 2008-03-22 23:12 138600 ----a-w- c:\users\Only Me.circuitcity-PC\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-11 21:03 . 2010-05-11 21:03 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2010-05-11 20:41 . 2007-04-17 01:04 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-11 20:27 . 2010-05-11 20:27 -------- d-----w- c:\program files\Adobe Media Player
2010-05-11 19:05 . 2008-07-04 19:26 -------- d-----w- c:\program files\QuickTime
2010-05-10 17:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-05-10 17:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-10 17:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-05-10 17:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-05-10 17:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-05-10 17:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-05-10 17:02 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-10 16:33 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-05-10 16:33 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-05-07 01:04 . 2010-05-07 01:04 -------- d-----w- c:\programdata\Firefly Studios
2010-05-04 02:46 . 2010-05-04 00:52 -------- d-----w- c:\program files\Ubisoft
2010-04-29 20:39 . 2009-09-08 21:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-09-08 21:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 22:28 . 2010-04-27 22:28 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-26 22:30 . 2007-04-17 01:01 -------- d-----w- c:\program files\Microsoft Works
2010-04-26 21:48 . 2010-01-30 02:46 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-26 21:47 . 2010-01-30 02:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-23 08:17 . 2010-04-23 08:17 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-21 23:47 . 2008-05-06 02:11 -------- d-----w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\PlayFirst
2010-04-21 23:47 . 2008-04-08 00:50 -------- d-----w- c:\programdata\PlayFirst
2010-04-17 18:02 . 2008-05-02 02:43 141238 ----a-w- c:\windows\hpoins14.dat
2010-04-04 02:18 . 2010-04-04 02:18 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-04 02:18 . 2010-04-04 02:18 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-03 23:27 . 2010-04-03 23:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 23:27 . 2010-04-03 23:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:27 . 2010-04-03 23:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 23:27 . 2010-04-03 23:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 22:55 . 2010-04-26 21:44 56424 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-03 22:55 . 2010-04-26 21:44 4503144 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-04-03 22:55 . 2010-04-26 21:44 11573800 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-04-03 22:55 . 2010-04-26 21:44 4029544 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 22:55 . 2010-04-26 21:44 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 22:55 . 2010-04-26 21:44 2009704 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 22:55 . 2010-04-26 21:44 15227496 ----a-w- c:\windows\system32\nvoglv32.dll
2010-04-03 22:55 . 2010-04-26 21:44 227944 ----a-w- c:\windows\system32\nvcod1914.dll
2010-04-03 22:55 . 2010-04-26 21:44 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55 . 2010-04-26 21:44 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-03 22:55 . 2010-01-30 02:43 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-04-03 22:55 . 2010-01-30 02:43 1296488 ----a-w- c:\windows\system32\nvapi.dll
2010-03-25 09:27 . 2010-03-25 09:27 1107264 ----a-w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\Mozilla\Firefox\Profiles\24jrtgd0.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
2008-04-03 22:51 . 2008-04-03 22:51 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-28 6144000]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-03-23 14088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-07-30 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2010-06-11 226640]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-01 173296]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-01 1193200]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 18:30 79368 ------w- c:\windows\System32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PCM Media Sharing.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PCM Media Sharing.lnk
backup=c:\windows\pss\PCM Media Sharing.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Only Me.circuitcity-PC^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\users\Only Me.circuitcity-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-02-02 18:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
2007-01-24 17:27 319488 ----a-w- c:\acer\Empowering Technology\SysMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-02-02 19:24 3383296 ----a-w- c:\program files\Acer Registration\ACE1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
2007-02-16 01:39 151552 ----a-w- c:\acer\AcerTour\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 08:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 09:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2007-02-07 07:04 464168 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-10-27 17:18 1103216 ----a-w- j:\program files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 19:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2008-10-28 21:42 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2010-01-19 10:34 266888 ----a-w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\Smilebox\SmileboxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2009-10-26 19:46 1458176 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 18:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 KmxFilter;HIPS Core Filter Driver;c:\windows\system32\DRIVERS\KmxFilter.sys [2007-10-18 51728]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R3 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-06-25 138744]
R3 KmxFw;KmxFw;c:\windows\System32\DRIVERS\kmxfw.sys [2008-06-25 103952]
R3 NVIDIAHWAccess;NVIDIAHWAccess;c:\users\Only Me.circuitcity-PC\AppData\Roaming\NVIDIA\HWAccess.sys [x]
R3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;j:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-10 691696]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-06-25 63504]
S1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-06-25 45584]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2007-04-05 266343]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-10-28 156968]
S2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-06-25 66576]
S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
S2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-25 281104]
S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-06-25 88816]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-17 189704]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-14 c:\windows\Tasks\CAAntiSpywareScan_Daily as Only Me at 2 30 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 02:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tvguide.com/listings/
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: lmn.tv\www
FF - ProfilePath - c:\users\Only Me.circuitcity-PC\AppData\Roaming\Mozilla\Firefox\Profiles\24jrtgd0.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.tvguide.com/Listings/|http://www.google.com/
FF - component: c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npContribute.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: d:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: j:\program files\Download Manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
SafeBoot-klmdb.sys
MSConfigStartUp-Acrobat Assistant 8 - d:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-CPMonitor - j:\program files\Roxio Creator 2009\5.0\CPMonitor.exe
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
MSConfigStartUp-IS CfgWiz - c:\program files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\cltUIStb.exe
MSConfigStartUp-osCheck - c:\program files\Norton Internet Security\osCheck.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-17 18:09
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1217301447-2670163310-3195091564-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*R%Àh*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1217301447-2670163310-3195091564-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*R%Àh*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1217301447-2670163310-3195091564-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ca,d4,e0,3c,3a,e0,3f,a0,99,d2,e3,ef,d9,fa,8a,2b,c9,cd,99,27,b5,cc,1c,
f9,ae,bc,8f,19,ed,38,ea,29,96,c2,42,49,17,ac,d6,95,47,41,f5,55,a9,68,83,d1,\
"??"=hex:c8,94,1a,b8,7c,cb,b9,49,bf,5f,2b,b3,83,46,15,54

[HKEY_USERS\S-1-5-21-1217301447-2670163310-3195091564-1001\Software\SecuROM\License information*]
"datasecu"=hex:3a,08,41,ad,a9,3e,15,57,53,3b,9d,26,19,9d,b1,65,81,45,b1,29,1f,
cd,25,14,57,3b,b9,e5,35,2f,a7,60,04,ba,ff,bb,76,3b,f3,d4,d4,8b,ca,56,32,90,\
"rkeysecu"=hex:97,c7,00,66,b4,35,a2,fe,b5,1a,7b,17,b8,6b,be,ee

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
Completion time: 2010-06-17 18:16:22
ComboFix-quarantined-files.txt 2010-06-17 23:16

Pre-Run: 59,229,765,632 bytes free
Post-Run: 59,412,914,176 bytes free

- - End Of File - - C31E27109CB29373ED6E46558900E19D


#8 loveaustintx

loveaustintx
  • Topic Starter

  • Members
  • 56 posts
  • Location:Austin, Texas

Posted 17 June 2010 - 06:25 PM

Woo hoo - I found the TDSSKiller log and have copied it below - the log was created June 12th

19:08:58:982 0464 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
19:08:58:982 0464 ================================================================================
19:08:58:982 0464 SystemInfo:

19:08:58:982 0464 OS Version: 6.0.6001 ServicePack: 1.0
19:08:58:982 0464 Product type: Workstation
19:08:58:982 0464 ComputerName: ACER
19:08:58:982 0464 UserName: Only Me
19:08:58:982 0464 Windows directory: C:\Windows
19:08:58:982 0464 Processor architecture: Intel x86
19:08:58:982 0464 Number of processors: 2
19:08:58:982 0464 Page size: 0x1000
19:08:58:982 0464 Boot type: Normal boot
19:08:58:982 0464 ================================================================================
19:08:59:450 0464 Initialize success
19:08:59:450 0464
19:08:59:450 0464 Scanning Services ...
19:09:00:059 0464 Raw services enum returned 449 services
19:09:00:074 0464
19:09:00:074 0464 Scanning Drivers ...
19:09:01:868 0464 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
19:09:01:900 0464 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
19:09:01:931 0464 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
19:09:01:962 0464 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
19:09:01:993 0464 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
19:09:02:056 0464 AFD (763e172a55177e478cb419f88fd0ba03) C:\Windows\system32\drivers\afd.sys
19:09:02:102 0464 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
19:09:02:165 0464 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
19:09:02:196 0464 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
19:09:02:227 0464 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
19:09:02:274 0464 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
19:09:02:290 0464 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
19:09:02:352 0464 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
19:09:02:383 0464 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
19:09:02:430 0464 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
19:09:02:492 0464 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
19:09:02:586 0464 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
19:09:02:758 0464 atikmdag (194a2261dad9b766b1b7333a5dc26999) C:\Windows\system32\DRIVERS\atikmdag.sys
19:09:02:898 0464 AtiPcie (a356e45e8432432c06981ea63a1e0fe8) C:\Windows\system32\DRIVERS\AtiPcie.sys
19:09:02:945 0464 atksgt (3c4b9850a2631c2263507400d029057b) C:\Windows\system32\DRIVERS\atksgt.sys
19:09:03:007 0464 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
19:09:03:070 0464 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
19:09:03:101 0464 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
19:09:03:132 0464 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
19:09:03:179 0464 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
19:09:03:241 0464 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
19:09:03:288 0464 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
19:09:03:319 0464 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
19:09:03:366 0464 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
19:09:03:428 0464 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
19:09:03:475 0464 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
19:09:03:491 0464 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
19:09:03:522 0464 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
19:09:03:569 0464 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
19:09:03:584 0464 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys
19:09:03:616 0464 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
19:09:03:662 0464 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
19:09:03:803 0464 DfsC (9e635ae5e8ad93e2b5989e2e23679f97) C:\Windows\system32\Drivers\dfsc.sys
19:09:03:928 0464 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
19:09:03:974 0464 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
19:09:04:021 0464 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
19:09:04:037 0464 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
19:09:04:099 0464 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
19:09:04:130 0464 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
19:09:04:193 0464 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
19:09:04:240 0464 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
19:09:04:271 0464 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
19:09:04:333 0464 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
19:09:04:411 0464 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
19:09:04:458 0464 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
19:09:04:474 0464 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
19:09:04:505 0464 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
19:09:04:536 0464 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
19:09:04:583 0464 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
19:09:04:614 0464 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
19:09:04:630 0464 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
19:09:04:692 0464 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
19:09:04:739 0464 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
19:09:04:770 0464 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
19:09:04:801 0464 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
19:09:04:832 0464 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
19:09:04:879 0464 HidUsb (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys
19:09:04:910 0464 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
19:09:04:957 0464 HTTP (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys
19:09:05:004 0464 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
19:09:05:035 0464 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
19:09:05:066 0464 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
19:09:05:113 0464 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
19:09:05:176 0464 int15 (9d64201c9e5ac8d1f088762ba00ff3ab) C:\Acer\Empowering Technology\eRecovery\int15.sys
19:09:05:285 0464 IntcAzAudAddService (98fb74ec7f46e25ec082f1925eef39cd) C:\Windows\system32\drivers\RTKVHDA.sys
19:09:05:394 0464 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
19:09:05:441 0464 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
19:09:05:503 0464 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
19:09:05:566 0464 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
19:09:05:628 0464 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
19:09:05:659 0464 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
19:09:05:706 0464 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
19:09:05:753 0464 iScsiPrt (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys
19:09:05:784 0464 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
19:09:05:831 0464 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
19:09:05:909 0464 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
19:09:05:924 0464 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys
19:09:05:956 0464 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\Windows\system32\drivers\klmd.sys
19:09:06:002 0464 KmxAgent (f4ffca2de8290de6118583bf74962243) C:\Windows\system32\DRIVERS\kmxagent.sys
19:09:06:034 0464 KmxCF (990484e1d6c9164caf9ab3ae86b36283) C:\Windows\system32\DRIVERS\KmxCF.sys
19:09:06:096 0464 KmxCfg (df0de1110162e761a7f60c392ad177dd) C:\Windows\system32\DRIVERS\kmxcfg.sys
19:09:06:127 0464 KmxFile (28c7643d33ed066622e93260f818adfd) C:\Windows\system32\DRIVERS\KmxFile.sys
19:09:06:174 0464 KmxFilter (e21760ce6a936879ae92e2425c80fd03) C:\Windows\system32\DRIVERS\KmxFilter.sys
19:09:06:205 0464 KmxFw (e382e61fec3a85b283fb23bedf21848a) C:\Windows\System32\DRIVERS\kmxfw.sys
19:09:06:221 0464 KmxSbx (2df089f8594ae18d5c1a1bfbdd967eab) C:\Windows\system32\DRIVERS\KmxSbx.sys
19:09:06:283 0464 KSecDD (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys
19:09:06:314 0464 lirsgt (4127e8b6ddb4090e815c1f8852c277d3) C:\Windows\system32\DRIVERS\lirsgt.sys
19:09:06:346 0464 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
19:09:06:408 0464 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
19:09:06:455 0464 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
19:09:06:502 0464 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
19:09:06:548 0464 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
19:09:06:564 0464 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
19:09:06:611 0464 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
19:09:06:642 0464 MODEMCSA (cbb59c41f19efea1a000793e08070a62) C:\Windows\system32\drivers\MODEMCSA.sys
19:09:06:720 0464 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
19:09:06:751 0464 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
19:09:06:798 0464 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
19:09:06:829 0464 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
19:09:06:860 0464 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
19:09:06:907 0464 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
19:09:06:923 0464 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
19:09:06:970 0464 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys
19:09:07:032 0464 mrxsmb (7afc42e60432fd1014f5342f2b1b1f74) C:\Windows\system32\DRIVERS\mrxsmb.sys
19:09:07:079 0464 mrxsmb10 (8a75752ae17924f65452746674b14b78) C:\Windows\system32\DRIVERS\mrxsmb10.sys
19:09:07:126 0464 mrxsmb20 (f4d0f3252e651f02be64984ffa738394) C:\Windows\system32\DRIVERS\mrxsmb20.sys
19:09:07:157 0464 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
19:09:07:188 0464 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
19:09:07:219 0464 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
19:09:07:250 0464 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
19:09:07:313 0464 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
19:09:07:328 0464 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
19:09:07:360 0464 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
19:09:07:406 0464 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys
19:09:07:469 0464 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
19:09:07:500 0464 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
19:09:07:547 0464 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys
19:09:07:578 0464 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys
19:09:07:656 0464 NDIS (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys
19:09:07:703 0464 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
19:09:07:750 0464 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
19:09:07:796 0464 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys
19:09:07:828 0464 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
19:09:07:874 0464 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
19:09:07:921 0464 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys
19:09:07:968 0464 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
19:09:08:030 0464 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys
19:09:08:062 0464 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
19:09:08:140 0464 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys
19:09:08:202 0464 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\Windows\system32\DRIVERS\NTIDrvr.sys
19:09:08:233 0464 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
19:09:08:280 0464 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
19:09:08:654 0464 nvlddmkm (c8cb6135884cbc2a10225c4c3cef0f95) C:\Windows\system32\DRIVERS\nvlddmkm.sys
19:09:09:232 0464 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
19:09:09:278 0464 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
19:09:09:325 0464 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
19:09:09:419 0464 ohci1394 (790e27c3db53410b40ff9ef2fd10a1d9) C:\Windows\system32\DRIVERS\ohci1394.sys
19:09:09:481 0464 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
19:09:09:544 0464 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys
19:09:09:575 0464 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
19:09:09:606 0464 pci (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys
19:09:09:684 0464 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
19:09:09:715 0464 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
19:09:09:778 0464 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
19:09:09:840 0464 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
19:09:09:871 0464 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
19:09:09:934 0464 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys
19:09:09:965 0464 PSDFilter (c2821f33b846a52fdc25ff554acf11f2) C:\Windows\system32\DRIVERS\psdfilter.sys
19:09:09:996 0464 PSDNServ (28d3a91fe7791b970e6b15c88f98dfbd) C:\Windows\system32\drivers\PSDNServ.sys
19:09:10:012 0464 psdvdisk (3a66f69459052de13ef8a0f77d728a73) C:\Windows\system32\drivers\psdvdisk.sys
19:09:10:058 0464 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\Windows\system32\Drivers\PxHelp20.sys
19:09:10:090 0464 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
19:09:10:121 0464 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
19:09:10:168 0464 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
19:09:10:214 0464 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
19:09:10:246 0464 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
19:09:10:292 0464 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys
19:09:10:339 0464 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys
19:09:10:402 0464 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys
19:09:10:448 0464 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
19:09:10:480 0464 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
19:09:10:495 0464 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
19:09:10:542 0464 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys
19:09:10:604 0464 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
19:09:10:636 0464 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
19:09:10:682 0464 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
19:09:10:745 0464 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
19:09:10:792 0464 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
19:09:10:823 0464 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
19:09:10:870 0464 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
19:09:10:901 0464 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
19:09:10:932 0464 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
19:09:10:963 0464 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
19:09:11:010 0464 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
19:09:11:057 0464 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
19:09:11:119 0464 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
19:09:11:182 0464 Smb (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys
19:09:11:244 0464 smserial (859e3adc59d1c89a66aa6492c14d379e) C:\Windows\system32\DRIVERS\smserial.sys
19:09:11:338 0464 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
19:09:11:400 0464 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\System32\Drivers\sptd.sys
19:09:11:494 0464 srv (8e5fc19b3b38364c5f44ccecec5248e9) C:\Windows\system32\DRIVERS\srv.sys
19:09:11:540 0464 srv2 (4ceeb95e0b79e48b81f2da0a6c24c64b) C:\Windows\system32\DRIVERS\srv2.sys
19:09:11:572 0464 srvnet (f9c65e1e00a6bbf7c57d9b8ea068c525) C:\Windows\system32\DRIVERS\srvnet.sys
19:09:11:618 0464 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
19:09:11:696 0464 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
19:09:11:743 0464 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
19:09:11:759 0464 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
19:09:11:837 0464 Tcpip (2eae4500984c2f8dacfb977060300a15) C:\Windows\system32\drivers\tcpip.sys
19:09:11:915 0464 Tcpip6 (2eae4500984c2f8dacfb977060300a15) C:\Windows\system32\DRIVERS\tcpip.sys
19:09:11:962 0464 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys
19:09:12:024 0464 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
19:09:12:040 0464 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
19:09:12:086 0464 tdx (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys
19:09:12:118 0464 TermDD (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
19:09:12:196 0464 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
19:09:12:258 0464 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
19:09:12:274 0464 tunnel (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys
19:09:12:320 0464 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
19:09:12:383 0464 udfs (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys
19:09:12:430 0464 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
19:09:12:492 0464 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
19:09:12:539 0464 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
19:09:12:601 0464 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
19:09:12:664 0464 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
19:09:12:710 0464 USBAAPL (60a68a5ea173a97971ee9f1ff49eb2b3) C:\Windows\system32\Drivers\usbaapl.sys
19:09:12:742 0464 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
19:09:12:804 0464 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
19:09:12:851 0464 usbehci (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys
19:09:12:882 0464 usbhub (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys
19:09:12:944 0464 usbohci (7bdb7b0e7d45ac0402d78b90789ef47c) C:\Windows\system32\DRIVERS\usbohci.sys
19:09:12:991 0464 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
19:09:13:054 0464 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
19:09:13:116 0464 USBSTOR (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS
19:09:13:163 0464 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
19:09:13:210 0464 VET-FILT (daadb622164e93376b31598c053a9e87) C:\Windows\system32\drivers\VET-FILT.sys
19:09:13:241 0464 VET-REC (66747d67066e29b24363d5537b93d294) C:\Windows\system32\drivers\VET-REC.sys
19:09:13:288 0464 VETEBOOT (c079f80582c31728029f3efcdfeaf221) C:\Windows\system32\drivers\VETEBOOT.sys
19:09:13:319 0464 VETEFILE (31bab965e7af8295c22f641401d622b3) C:\Windows\system32\drivers\VETEFILE.sys
19:09:13:381 0464 VETFDDNT (10545ed2f206c922eb02e522b1a3fa75) C:\Windows\system32\drivers\VETFDDNT.sys
19:09:13:397 0464 VETMONNT (77ef6a724334313b808fb6fe36b57be6) C:\Windows\system32\drivers\VETMONNT.sys
19:09:13:428 0464 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
19:09:13:459 0464 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
19:09:13:522 0464 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
19:09:13:553 0464 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
19:09:13:600 0464 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
19:09:13:662 0464 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
19:09:13:724 0464 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys
19:09:13:771 0464 volsnap (f71ae7a1d67ef88c696362f8463ea25b) C:\Windows\system32\drivers\volsnap.sys
19:09:13:787 0464 Suspicious file (Forged): C:\Windows\system32\drivers\volsnap.sys. Real md5: f71ae7a1d67ef88c696362f8463ea25b, Fake md5: d8b4a53dd2769f226b3eb374374987c9
19:09:13:787 0464 File "C:\Windows\system32\drivers\volsnap.sys" infected by TDSS rootkit ... 19:09:20:588 0464 Backup copy found, using it..
19:09:20:604 0464 will be cured on next reboot
19:09:20:713 0464 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
19:09:20:760 0464 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
19:09:20:822 0464 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
19:09:20:822 0464 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
19:09:20:869 0464 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
19:09:20:932 0464 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
19:09:20:978 0464 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
19:09:21:025 0464 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys
19:09:21:056 0464 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
19:09:21:103 0464 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
19:09:21:150 0464 yukonwlh (04e268adfc81964c49dc0c082d520f7e) C:\Windows\system32\DRIVERS\yk60x86.sys
19:09:21:150 0464 Reboot required for cure complete..
19:09:21:353 0464 Cure on reboot scheduled successfully
19:09:21:353 0464
19:09:21:353 0464 Completed
19:09:21:353 0464
19:09:21:353 0464 Results:
19:09:21:353 0464 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:09:21:353 0464 File objects infected / cured / cured on reboot: 1 / 0 / 1
19:09:21:353 0464
19:09:21:353 0464 KLMD(ARK) unloaded successfully
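The log above flags a forged driver by reporting two MD5 hashes for one path and then a results summary. As an added example (not TDSSKiller's code and not part of the original post), this Python parser pulls those findings out of TDSSKiller-format lines and cross-references each forged path with its enumeration entry; the sample log is constructed from the lines quoted above, and the line formats are assumed from what appears on this page.

```python
import re
from dataclasses import dataclass, field

# Every TDSSKiller line opens with "HH:MM:SS:mmm <pid> "; strip that first.
PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*")
# Driver enumeration body: "<service> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
# Forged-file verdict: one path, two hashes, labelled Real and Fake by the tool.
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
)
INFECTED_RE = re.compile(r'^File "(?P<path>[^"]+)" infected by (?P<family>.+?) rootkit')
RESULTS_RE = re.compile(
    r"^(?P<kind>Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<infected>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)$"
)

# Constructed sample, assembled from lines of the log quoted above.
SAMPLE_LOG = r"""
19:09:13:771 0464 volsnap (f71ae7a1d67ef88c696362f8463ea25b) C:\Windows\system32\drivers\volsnap.sys
19:09:13:787 0464 Suspicious file (Forged): C:\Windows\system32\drivers\volsnap.sys. Real md5: f71ae7a1d67ef88c696362f8463ea25b, Fake md5: d8b4a53dd2769f226b3eb374374987c9
19:09:13:787 0464 File "C:\Windows\system32\drivers\volsnap.sys" infected by TDSS rootkit ... 19:09:20:588 0464 Backup copy found, using it..
19:09:20:604 0464 will be cured on next reboot
19:09:20:713 0464 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
19:09:21:150 0464 Reboot required for cure complete..
19:09:21:353 0464 Results:
19:09:21:353 0464 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:09:21:353 0464 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""


@dataclass
class Finding:
    path: str
    real_md5: str
    fake_md5: str
    family: str = ""          # from the 'infected by ... rootkit' line, if present
    enumerated_md5: str = ""  # hash the plain enumeration line reported for this path


@dataclass
class Report:
    drivers: dict = field(default_factory=dict)   # service name -> (md5, path)
    findings: list = field(default_factory=list)  # list[Finding]
    results: dict = field(default_factory=dict)   # "File"/"Registry" -> (infected, cured, on reboot)
    reboot_required: bool = False


def parse_tdsskiller_log(text: str) -> Report:
    """Parse TDSSKiller-style lines into drivers, forged-file findings and totals."""
    report = Report()
    for raw in text.splitlines():
        body = PREFIX_RE.sub("", raw.strip(), count=1)
        if not body:
            continue
        m = FORGED_RE.match(body)
        if m:
            report.findings.append(Finding(m["path"], m["real"], m["fake"]))
            continue
        m = INFECTED_RE.match(body)
        if m:
            for f in report.findings:
                if f.path.lower() == m["path"].lower():
                    f.family = m["family"]
            continue
        m = RESULTS_RE.match(body)
        if m:
            report.results[m["kind"]] = (int(m["infected"]), int(m["cured"]), int(m["reboot"]))
            continue
        if body.startswith("Reboot required") or body.startswith("will be cured on next reboot"):
            report.reboot_required = True
            continue
        m = DRIVER_RE.match(body)
        if m:
            report.drivers[m["name"]] = (m["md5"], m["path"])
    # Cross-reference: which of the two hashes did the enumeration report for each forged path?
    by_path = {path.lower(): md5 for md5, path in report.drivers.values()}
    for f in report.findings:
        f.enumerated_md5 = by_path.get(f.path.lower(), "")
    return report


def triage(report: Report) -> dict:
    """Summarise what a responder needs from the parsed log."""
    return {
        "forged_files": [f.path for f in report.findings],
        "families": sorted({f.family for f in report.findings if f.family}),
        "enumeration_saw_real": [f.path for f in report.findings if f.enumerated_md5 == f.real_md5],
        "pending_reboot": report.reboot_required,
        # the File totals line should agree with the number of forged verdicts seen
        "counts_consistent": report.results.get("File", (0, 0, 0))[0] == len(report.findings),
    }


if __name__ == "__main__":
    print(triage(parse_tdsskiller_log(SAMPLE_LOG)))
```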




#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:50 PM

Posted 17 June 2010 - 06:33 PM

Excellent!

So it says it took care of the random second file, and this is confirmed by the new one listed in the ComboFix log. Now....**the** question.....Since you ran the TDSS Killer, have you seen the warning for the modified atapi.sys? You mentioned that that was what had you worried. I need to know whether it was before or after. If it was after, then we'll need to replace it.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#10 loveaustintx

loveaustintx
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Location:Austin, Texas
  • Local time:07:50 PM

Posted 17 June 2010 - 06:38 PM

The warning about atapi.sys was in GMER before running TDSS Killer. Could never get GMER to finish, and after running TDSS Killer GMER refused to run.

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:07:50 PM

Posted 17 June 2010 - 06:50 PM

Okay...thanks. *Usually* atapi.sys is the main file modified with this infection. The thing here is there is no mention of it in either of those reports. Like I said before, the file that TDSS Killer took care of is listed in ComboFix, and atapi.sys isn't. There is also no modification/rootkit activity listed in ComboFix at all. To be on the safe side, let's go ahead and replace atapi.sys with one we know beyond a doubt is clean.


* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

QUOTE
FCOPY::
C:\WINDOWS\SERVICEPACKFILES\I386\atapi.sys | c:\windows\system32\drivers\atapi.sys


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

I see bits and pieces of Norton in the reports. Doesn't look like you use it any more. Run this tool to get rid of the mess it left behind :

The Norton uninstall tool uninstalls ALL Norton 2004-2010 products from your computer. It also uninstalls Norton Ghost 10.0/9.0/2003. http://service1.symantec.com/SUPPORT/tsgen...005033108162039

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#12 loveaustintx

loveaustintx
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Location:Austin, Texas
  • Local time:07:50 PM

Posted 17 June 2010 - 07:27 PM

Well, the first time I dragged it onto ComboFix, it started and then asked if I was trying to run CFScript, and it looked to be spelled wrong; then CF closed. I checked my spelling; it was as you typed, so I tried again and CF ran another scan. When it finished, the CFScript.txt file was no longer on my desktop. Hope I did it right. Here is the log:

ComboFix 10-06-17.02 - Only Me 06/17/2010 19:02:04.7.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1042 [GMT -5:00]
Running from: c:\users\Only Me.circuitcity-PC\Desktop\ComboFix.exe
Command switches used :: c:\users\Only Me.circuitcity-PC\Desktop\CFScript.txt
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
SP: CA Anti-Spyware *disabled* (Updated) {6B98D35F-BB76-41C0-876B-A50645ED099A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-05-18 to 2010-06-18 )))))))))))))))))))))))))))))))
.

2010-06-18 00:15 . 2010-06-18 00:15 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-18 00:15 . 2010-06-18 00:15 -------- d-----w- c:\users\ONLYME~1~CIR\AppData\Local\temp
2010-06-18 00:15 . 2010-06-18 00:15 -------- d-----w- c:\users\Only Me\AppData\Local\temp
2010-06-18 00:15 . 2010-06-18 00:15 -------- d-----w- c:\users\MissTech\AppData\Local\temp
2010-06-18 00:15 . 2010-06-18 00:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-17 21:56 . 2010-06-17 21:54 53632 ----a-w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-16 01:27 . 2010-06-16 01:27 -------- d-----w- c:\programdata\Jugilus
2010-06-11 16:25 . 2010-06-11 16:25 746216 ----a-w- c:\windows\system32\drivers\vetefile.sys
2010-06-11 16:25 . 2010-06-11 16:25 130280 ----a-w- c:\windows\system32\drivers\veteboot.sys
2010-06-10 19:15 . 2010-06-11 03:50 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-06-10 19:15 . 2010-06-10 19:18 -------- d-----w- c:\program files\DAEMON Tools Lite(11)
2010-06-08 03:55 . 2010-06-08 03:55 -------- d-----w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\Pogo
2010-06-08 03:55 . 2010-06-08 03:55 -------- d-----w- c:\programdata\Pogo
2010-06-07 23:08 . 2010-06-07 23:08 -------- d-----w- c:\programdata\EA Core
2010-05-31 01:34 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-31 01:34 . 2010-04-23 13:55 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-26 01:18 . 2010-05-26 01:18 -------- d-----w- c:\programdata\Pippa Funnell - Secrets of the Ranch
2010-05-22 21:33 . 2010-05-22 21:33 197522 ----a-w- c:\windows\CINEMA EMPIRE Uninstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 22:00 . 2010-01-30 02:56 79869 ----a-w- c:\programdata\nvModes.dat
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2010-06-17 21:58 . 2008-03-24 02:01 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2010-06-17 21:58 . 2008-03-24 02:01 514270 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2010-06-17 21:56 . 2010-05-11 20:25 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-17 21:54 . 2010-05-11 20:25 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-13 00:14 . 2010-05-10 16:17 227896 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-06-12 23:12 . 2008-04-27 23:03 -------- d-----w- c:\program files\HiJack This
2010-06-11 03:49 . 2010-01-30 02:49 -------- d-----w- c:\programdata\NVIDIA
2010-06-11 03:49 . 2010-01-13 15:43 -------- d-----w- c:\program files\QS
2010-06-11 03:49 . 2009-09-08 21:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-11 03:49 . 2009-05-02 22:12 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-06-11 03:49 . 2008-05-02 02:59 -------- d-----w- c:\programdata\HP Product Assistant
2010-06-11 01:52 . 2007-04-17 00:47 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-11 01:52 . 2008-11-01 17:31 -------- d-----w- c:\program files\Electronic Arts
2010-06-10 19:15 . 2008-03-23 02:38 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-06-10 19:13 . 2009-05-02 22:13 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-05-31 01:37 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-16 21:22 . 2009-03-24 02:46 -------- d-----w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\Youdagames
2010-05-15 03:30 . 2010-05-14 21:07 -------- d-----w- c:\program files\Oberon Media
2010-05-13 01:39 . 2008-09-07 06:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-13 01:39 . 2008-09-07 06:46 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-12 17:44 . 2010-05-12 17:44 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2010-05-11 23:11 . 2010-05-11 23:11 222584 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-11 22:52 . 2010-05-11 22:52 -------- d-----w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-05-11 21:03 . 2008-03-22 23:12 138600 ----a-w- c:\users\Only Me.circuitcity-PC\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-11 21:03 . 2010-05-11 21:03 -------- d-----w- c:\programdata\regid.1986-12.com.adobe
2010-05-11 20:41 . 2007-04-17 01:04 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-11 20:27 . 2010-05-11 20:27 -------- d-----w- c:\program files\Adobe Media Player
2010-05-11 19:05 . 2008-07-04 19:26 -------- d-----w- c:\program files\QuickTime
2010-05-10 17:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2010-05-10 17:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2010-05-10 17:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2010-05-10 17:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2010-05-10 17:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2010-05-10 17:03 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-05-10 17:02 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-10 16:33 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-05-10 16:33 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-05-07 01:04 . 2010-05-07 01:04 -------- d-----w- c:\programdata\Firefly Studios
2010-05-04 02:46 . 2010-05-04 00:52 -------- d-----w- c:\program files\Ubisoft
2010-04-29 20:39 . 2009-09-08 21:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-09-08 21:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 22:28 . 2010-04-27 22:28 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-04-26 22:30 . 2007-04-17 01:01 -------- d-----w- c:\program files\Microsoft Works
2010-04-26 21:48 . 2010-01-30 02:46 -------- d-----w- c:\program files\NVIDIA Corporation
2010-04-26 21:47 . 2010-01-30 02:46 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-23 08:17 . 2010-04-23 08:17 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-21 23:47 . 2008-05-06 02:11 -------- d-----w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\PlayFirst
2010-04-21 23:47 . 2008-04-08 00:50 -------- d-----w- c:\programdata\PlayFirst
2010-04-17 18:02 . 2008-05-02 02:43 141238 ----a-w- c:\windows\hpoins14.dat
2010-04-04 02:18 . 2010-04-04 02:18 444952 ----a-w- c:\windows\system32\wrap_oal.dll
2010-04-04 02:18 . 2010-04-04 02:18 109080 ----a-w- c:\windows\system32\OpenAL32.dll
2010-04-03 23:27 . 2010-04-03 23:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-03 23:27 . 2010-04-03 23:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:27 . 2010-04-03 23:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-03 23:27 . 2010-04-03 23:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 22:55 . 2010-04-26 21:44 56424 ----a-w- c:\windows\system32\OpenCL.dll
2010-04-03 22:55 . 2010-04-26 21:44 4503144 ----a-w- c:\windows\system32\nvwgf2um.dll
2010-04-03 22:55 . 2010-04-26 21:44 11573800 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2010-04-03 22:55 . 2010-04-26 21:44 4029544 ----a-w- c:\windows\system32\nvcuda.dll
2010-04-03 22:55 . 2010-04-26 21:44 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-04-03 22:55 . 2010-04-26 21:44 2009704 ----a-w- c:\windows\system32\nvcuvid.dll
2010-04-03 22:55 . 2010-04-26 21:44 15227496 ----a-w- c:\windows\system32\nvoglv32.dll
2010-04-03 22:55 . 2010-04-26 21:44 227944 ----a-w- c:\windows\system32\nvcod1914.dll
2010-04-03 22:55 . 2010-04-26 21:44 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55 . 2010-04-26 21:44 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-04-03 22:55 . 2010-01-30 02:43 9386600 ----a-w- c:\windows\system32\nvd3dum.dll
2010-04-03 22:55 . 2010-01-30 02:43 1296488 ----a-w- c:\windows\system32\nvapi.dll
2010-03-25 09:27 . 2010-03-25 09:27 1107264 ----a-w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\Mozilla\Firefox\Profiles\24jrtgd0.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
2008-04-03 22:51 . 2008-04-03 22:51 774144 ----a-w- c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 2153472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"RtHDVCpl"="RtHDVCpl.exe" [2008-05-28 6144000]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-03-23 14088]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-07-30 177392]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2010-06-11 226640]
"capfasem"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-01 173296]
"cafwc"="c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-01 1193200]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-02-16 151552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 18:30 79368 ------w- c:\windows\System32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^PCM Media Sharing.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\PCM Media Sharing.lnk
backup=c:\windows\pss\PCM Media Sharing.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Only Me.circuitcity-PC^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\users\Only Me.circuitcity-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-02-02 18:05 1261568 ----a-w- c:\program files\Acer Assist\launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Empowering Technology Monitor]
2007-01-24 17:27 319488 ----a-w- c:\acer\Empowering Technology\SysMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-02-02 19:24 3383296 ----a-w- c:\program files\Acer Registration\ACE1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
2007-02-16 01:39 151552 ----a-w- c:\acer\AcerTour\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 08:44 500208 ------w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager]
2010-02-22 09:57 406992 ----a-w- c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2007-02-07 07:04 464168 ----a-w- c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
2009-10-27 17:18 1103216 ----a-w- j:\program files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 19:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2008-10-28 21:42 181544 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]
2010-01-19 10:34 266888 ----a-w- c:\users\Only Me.circuitcity-PC\AppData\Roaming\Smilebox\SmileboxTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2009-10-26 19:46 1458176 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 18:37 517096 ----a-w- c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 KmxFilter;HIPS Core Filter Driver;c:\windows\system32\DRIVERS\KmxFilter.sys [2007-10-18 51728]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R3 KmxCF;KmxCF;c:\windows\system32\DRIVERS\KmxCF.sys [2008-06-25 138744]
R3 KmxFw;KmxFw;c:\windows\System32\DRIVERS\kmxfw.sys [2008-06-25 103952]
R3 NVIDIAHWAccess;NVIDIAHWAccess;c:\users\Only Me.circuitcity-PC\AppData\Roaming\NVIDIA\HWAccess.sys [x]
R3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;j:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-06-10 691696]
S1 KmxAgent;KmxAgent;c:\windows\system32\DRIVERS\kmxagent.sys [2008-06-25 63504]
S1 KmxFile;KmxFile;c:\windows\system32\DRIVERS\KmxFile.sys [2008-06-25 45584]
S2 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe [2007-04-05 266343]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-10-28 156968]
S2 KmxSbx;KmxSbx;c:\windows\system32\DRIVERS\KmxSbx.sys [2008-06-25 66576]
S2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [2007-10-18 1010192]
S2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [2007-10-18 801296]
S2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [2008-06-25 281104]
S3 KmxCfg;KmxCfg;c:\windows\system32\DRIVERS\kmxcfg.sys [2008-06-25 88816]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-08-17 189704]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-14 c:\windows\Tasks\CAAntiSpywareScan_Daily as Only Me at 2 30 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 02:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tvguide.com/listings/
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: lmn.tv\www
FF - ProfilePath - c:\users\Only Me.circuitcity-PC\AppData\Roaming\Mozilla\Firefox\Profiles\24jrtgd0.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.tvguide.com/Listings/|http://www.google.com/
FF - component: c:\program files\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}\components\Contribute.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npContribute.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npff_gdm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: d:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll
FF - plugin: j:\program files\Download Manager\npfpdlm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-17 19:15
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1217301447-2670163310-3195091564-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*R%Àh*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1217301447-2670163310-3195091564-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*R%Àh*\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1217301447-2670163310-3195091564-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ca,d4,e0,3c,3a,e0,3f,a0,99,d2,e3,ef,d9,fa,8a,2b,c9,cd,99,27,b5,cc,1c,
f9,ae,bc,8f,19,ed,38,ea,29,96,c2,42,49,17,ac,d6,95,47,41,f5,55,a9,68,83,d1,\
"??"=hex:c8,94,1a,b8,7c,cb,b9,49,bf,5f,2b,b3,83,46,15,54

[HKEY_USERS\S-1-5-21-1217301447-2670163310-3195091564-1001\Software\SecuROM\License information*]
"datasecu"=hex:3a,08,41,ad,a9,3e,15,57,53,3b,9d,26,19,9d,b1,65,81,45,b1,29,1f,
cd,25,14,57,3b,b9,e5,35,2f,a7,60,04,ba,ff,bb,76,3b,f3,d4,d4,8b,ca,56,32,90,\
"rkeysecu"=hex:97,c7,00,66,b4,35,a2,fe,b5,1a,7b,17,b8,6b,be,ee

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(952)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'Explorer.exe'(2884)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
Completion time: 2010-06-17 19:22:11
ComboFix-quarantined-files.txt 2010-06-18 00:22
ComboFix2.txt 2010-06-17 23:16

Pre-Run: 59,150,196,736 bytes free
Post-Run: 59,092,643,840 bytes free

- - End Of File - - 68237BF42117E4791D08D7C4DC8C73C1

Edited by loveaustintx, 17 June 2010 - 07:28 PM.


#13 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 17 June 2010 - 07:33 PM

May be a silly question, sorry, but did you make sure you ran it as administrator? Doesn't look like it worked.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#14 loveaustintx
  • Topic Starter

  • Members
  • 56 posts
  • Location:Austin, Texas

Posted 17 June 2010 - 07:39 PM

My user account is administrator, UAC turned off. I think the CF title bar stated Administrator; at least it did the first time I ran it. The only difference from the pic in your post is that my file showed as CFScript.txt, because I have the option to show file extensions. Should I try again?

Not sure if this will help, but I do not have a ServicePackFiles folder under windows. I am running Vista Home Premium with SP1.

Edited by loveaustintx, 17 June 2010 - 08:09 PM.


#15 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 18 June 2010 - 11:24 AM

At the risk of sounding blasé... no, don't worry about trying again. That was mainly me being extra over-cautious. There is no sign at all, like we talked about last night, that the infection is still present.

If everything is still well today, then please delete ComboFix and its folder, C:\Qoobox. Empty your recycle bin and reboot.

I don't know about down there, but up here just east of Dallas it sure is miserable. Try and stay cool.

tea