Malware / Trojan Removed - Somehow blocked Microsoft Update before being exterminated - What to do?


This topic is locked. 26 replies to this topic.

#1 flyingdutchman (Members)

Posted 06 July 2010 - 04:09 PM

My XP SP3 laptop started throwing strange IE 8 popups - sending me to alternate search engines or sites which showed search terms that had been entered into Google hours before. On 6/16/2010, around when these problems began, McAfee Security Center reported:

Generic FakeAlert!jb

and Quarantined it. I was still getting those strange popups and my CPU began to thrash. I tried to run Windows Defender but the Update failed. While investigating that problem, I determined that Windows Update itself was failing with an error saying "Cannot display the web page". I ran Spybot, Adaware, Malware Bytes, SuperAntiSpyWare and even Microsoft's online OneLive scanner. Only OneLive online scanner found anything other than cookies - it found a "Severe Problem" but gave no further information and produced no log file. It wasn't able to deal with the problem so I was left scratching my head.

I then ran across a thread that mentioned Kaspersky's online scanner. I disabled McAfee and ran the Kaspersky online scanner 7.0 and it found:

Trojan-Dropper.Win32.TDSS.bej

in my Temporary Internet Files folder under Content.IE5.

Since the online Kaspersky scanner 7.0 doesn't fix anything, I located that file and performed an On-Demand Scan using McAfee. McAfee now recognized it as a trojan called:

Generic Dropper!dev

and Quarantined it. I have no idea why this wasn't picked up earlier by McAfee.

I then re-ran Kaspersky Online Scanner against the entire machine and it found 0 threats. Ditto for McAfee. I let McAfee clean my machine by removing old restore points, cleaned temporary internet files, cleaned the cache, dead registry keys, etc.

So my machine is apparently "clean" but I think the malware somehow blocked my Microsoft Update before it was killed. Per a KB article, I updated all the Microsoft Update components, and I even ran sfc /scannow. Still no love from Microsoft Update, however.

Do I have a hacked DNSAPI.dll? Where does the blocking occur? What should I try next?

Thanks for any help you can provide.

Edited by hamluis, 06 July 2010 - 04:54 PM.
Moved from XP to Am I Infected forum ~ Hamluis.




#2 boopme (Global Moderator, NJ USA)

Posted 06 July 2010 - 08:17 PM

Hello,


Please click Start > Run, type inetcpl.cpl in the runbox and press enter.

Click the Connections tab and click the LAN settings option.

Verify if "Use a proxy..." is checked, if so, UNcheck it and click OK/OK to exit.

Now check if the internet is working again.


Now run McAfee FakeAlert Stinger.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, then select Check for Updates. When done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

#3 flyingdutchman (Topic Starter)

Posted 07 July 2010 - 12:23 PM

Hi - and thanks for the help.

I checked the Proxy setting and it was not checked.

I downloaded the latest McAfee Stinger from July 2, 2010 and ran it as you requested. I disabled my McAfee Security Center temporarily. I set Stinger to Very High sensitivity and told it to Report Only. It found 4 occurrences of ARTEMIS trojan in

- HiJackThis.exe installer
- HiJackThis.exe program
- Quest SQLNavigator for Oracle unidbsrv.dll
- rkill.com

I don't believe these are real problems, except for maybe SQLNavigator. The other apps are all anti-malware tools.

Along about the time it found the problem in SQLNavigator, I got a small popup dialog (first time I've seen this) saying:

"Security Warning. Application cannot be executed. The file logon.scr is infected. Do you want to activate your antivirus software now?"

With this dialog showing, I am unable to open Task Manager because it gets closed immediately. I tried to open the Stinger log file and it closes immediately. I couldn't close the dialog so I clicked No and the dialog disappeared. When I tried to open McAfee Security Center to re-enable it, the malware dialog reappears and McAfee is closed immediately.

Should I go ahead and run MalwareBytes or deal with the Stinger results first?

I can't seem to find the button to upload a log file. Am I missing something?

Dutch

#4 flyingdutchman (Topic Starter)

Posted 07 July 2010 - 12:39 PM

I had to restart the machine after the malware dialog wouldn't allow me to restart McAfee.

Upon restart, McAfee immediately found and removed this:

FakeAlert-FakeSpy!env.a

Was this lurking on my machine in stealth mode, and somehow invoked by Stinger?

Thanks

#5 boopme (Global Moderator, NJ USA)

Posted 07 July 2010 - 01:36 PM

Hi, let's approach it like this: run TDSSKiller.
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Now run MBAM (MalwareBytes )


Yes, I believe Stinger kicked open the trouble maker for removal.

#6 flyingdutchman (Topic Starter)

Posted 07 July 2010 - 02:03 PM

Here is the output of TDSSKiller. A rootkit was found and removed, followed by a reboot. I will run MalwareBytes now.

14:41:30:281 3340 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
14:41:30:281 3340 ================================================================================
14:41:30:281 3340 SystemInfo:

14:41:30:281 3340 OS Version: 5.1.2600 ServicePack: 3.0
14:41:30:281 3340 Product type: Workstation
14:41:30:281 3340 ComputerName: HP-LAPTOP1
14:41:30:281 3340 UserName: Scott
14:41:30:281 3340 Windows directory: C:\WINDOWS
14:41:30:281 3340 System windows directory: C:\WINDOWS
14:41:30:281 3340 Processor architecture: Intel x86
14:41:30:281 3340 Number of processors: 2
14:41:30:281 3340 Page size: 0x1000
14:41:30:281 3340 Boot type: Normal boot
14:41:30:281 3340 ================================================================================
14:41:30:859 3340 Initialize success
14:41:30:859 3340
14:41:30:859 3340 Scanning Services ...
14:41:30:984 3340 Raw services enum returned 383 services
14:41:31:000 3340
14:41:31:000 3340 Scanning Drivers ...
14:41:38:312 3340 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 476dcd7a29ae6c9adef7db010c73db0a, Fake md5: 463c1ec80cd17420a542b7f36a36f128
14:41:38:312 3340 File "C:\WINDOWS\system32\DRIVERS\kbdclass.sys" infected by TDSS rootkit ... 14:41:40:328 3340 Backup copy found, using it..
14:41:40:328 3340 will be cured on next reboot
14:41:49:656 3340 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\SynTP.sys. Real md5: a74f8b2a64cecaa77fc86bdfeef4f9d0, Fake md5: f646480d0dd9df3900bf4b53673c647d
14:41:51:984 3340 Reboot required for cure complete..
14:41:52:171 3340 Cure on reboot scheduled successfully
14:41:52:171 3340
14:41:52:171 3340 Completed
14:41:52:171 3340
14:41:52:171 3340 Results:
14:41:52:171 3340 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:41:52:171 3340 File objects infected / cured / cured on reboot: 1 / 0 / 1
14:41:52:171 3340
14:41:52:171 3340 KLMD(ARK) unloaded successfully
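As an added illustration (not from this thread, not Kaspersky's code), a small Python triage of the TDSSKiller log format shown above: it parses the driver table and the "Suspicious file (Forged)" warnings and reports, per forged file, whether TDSSKiller actually declared it infected and scheduled a cure. The sample log is a constructed, trimmed excerpt of the posted one (same paths and hashes); the regexes and status labels are mine, fitted to that format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed excerpt of the TDSSKiller 2.3.2.2 log posted
# above (same paths and hashes), with the clean driver lines cut down to one.
SAMPLE_LOG = r"""
14:41:31:000 3340 Scanning Drivers ...
14:41:38:312 3340 Kbdclass (476dcd7a29ae6c9adef7db010c73db0a) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:41:38:312 3340 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 476dcd7a29ae6c9adef7db010c73db0a, Fake md5: 463c1ec80cd17420a542b7f36a36f128
14:41:38:312 3340 File "C:\WINDOWS\system32\DRIVERS\kbdclass.sys" infected by TDSS rootkit ... 14:41:40:328 3340 Backup copy found, using it..
14:41:40:328 3340 will be cured on next reboot
14:41:49:656 3340 SynTP (a74f8b2a64cecaa77fc86bdfeef4f9d0) C:\WINDOWS\system32\DRIVERS\SynTP.sys
14:41:49:656 3340 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\SynTP.sys. Real md5: a74f8b2a64cecaa77fc86bdfeef4f9d0, Fake md5: f646480d0dd9df3900bf4b53673c647d
14:41:49:828 3340 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:41:52:171 3340 Cure on reboot scheduled successfully
14:41:52:171 3340 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# One enumerated driver: "<time> <pid> <ServiceName> (<md5>) <path>"
DRIVER_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3} \d+ (?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>\S.*)$")
# A hash mismatch: what TDSSKiller read directly vs. what the file system presented.
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), "
    r"Fake md5: (?P<fake>[0-9a-f]{32})")
INFECTED_RE = re.compile(r'File "(?P<path>.+?)" infected by TDSS rootkit')
RESULTS_RE = re.compile(
    r"File objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)")


@dataclass
class Forged:
    path: str
    real_md5: str
    fake_md5: str


@dataclass
class Report:
    drivers: dict = field(default_factory=dict)   # lower-cased path -> md5 from the driver list
    forged: list = field(default_factory=list)    # Forged entries, in log order
    infected: set = field(default_factory=set)    # paths TDSSKiller declared infected
    cure_scheduled: bool = False
    file_counts: tuple = (0, 0, 0)                # infected / cured / cured on reboot


def parse_tdsskiller_log(text: str) -> Report:
    """Pull the driver table, forged-hash warnings and verdict out of a TDSSKiller log."""
    rep = Report()
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            rep.drivers[m["path"].lower()] = m["md5"]
            continue
        m = FORGED_RE.search(line)
        if m:
            rep.forged.append(Forged(m["path"].lower(), m["real"], m["fake"]))
            continue
        # The "infected" record may share a line with the next record (as in the
        # posted log), so use search() rather than a full-line match.
        m = INFECTED_RE.search(line)
        if m:
            rep.infected.add(m["path"].lower())
        if "Cure on reboot scheduled" in line:
            rep.cure_scheduled = True
        m = RESULTS_RE.search(line)
        if m:
            rep.file_counts = tuple(int(n) for n in m.groups())
    return rep


def triage(rep: Report) -> dict:
    """Classify each forged-hash warning instead of trusting the summary count alone."""
    findings = {}
    for f in rep.forged:
        listed = rep.drivers.get(f.path)
        if listed is not None and listed != f.real_md5:
            status = "hash in driver list disagrees with Real md5, re-run the scan"
        elif f.path in rep.infected:
            status = ("infected, cure scheduled on reboot" if rep.cure_scheduled
                      else "infected, NO cure scheduled")
        else:
            # Flagged as forged but never declared infected or cured: the hash
            # mismatch is unexplained and the file deserves a rescan after reboot.
            status = "forged hash reported but file not cured, rescan after reboot"
        findings[f.path] = status
    return findings


if __name__ == "__main__":
    report = parse_tdsskiller_log(SAMPLE_LOG)
    print("drivers listed:", len(report.drivers), "results:", report.file_counts)
    for path, status in triage(report).items():
        print(f"{path}: {status}")
```

Run against the full posted log, the same code lists SynTP.sys as forged-but-not-cured, which is exactly the kind of entry worth rechecking after the reboot rather than reading the "1 / 0 / 1" summary as the whole story.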

#7 flyingdutchman (Topic Starter)

Posted 07 July 2010 - 03:12 PM

Malware Bytes found more issues but said it was able to Quarantine and delete them:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4289

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/7/2010 4:09:57 PM
mbam-log-2010-07-07 (16-09-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 232293
Time elapsed: 1 hour(s), 1 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ruoolfdx (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ruoolfdx (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Scott\Local Settings\Temp\pdfupd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Scott\Local Settings\Temporary Internet Files\Content.IE5\1YJLPYVG\e9abad[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\4456f238.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\94.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Scott\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#8 boopme (Global Moderator, NJ USA)

Posted 07 July 2010 - 03:20 PM

So how is it running now??
I would still want to run these..

Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All.
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#9 flyingdutchman (Topic Starter)

Posted 07 July 2010 - 03:26 PM

Thanks to your assistance, I am making tangible progress in cleaning up this mess. The machine rebooted after MalwareBytes ran, after that I was able to get to Microsoft Update again.

I will run ATF and SAS per your instructions and get back to you.

Thanks again for the help!

#10 flyingdutchman (Topic Starter)

Posted 07 July 2010 - 05:54 PM

ATF ran and cleaned about 225 MB.

SAS ran and produced the following log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/07/2010 at 06:32 PM

Application Version : 4.40.1002

Core Rules Database Version : 5169
Trace Rules Database Version: 2981

Scan type : Complete Scan
Total Scan Time : 01:23:35

Memory items scanned : 539
Memory threats detected : 0
Registry items scanned : 7784
Registry threats detected : 0
File items scanned : 104039
File threats detected : 32

Adware.Flash Tracking Cookie
C:\Documents and Settings\Scott\Application Data\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\WT37ZYJB\CONVOAD.TECHNORATIMEDIA.COM

Adware.Tracking Cookie
media-glam.pictela.net [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\SUS83DKG ]
media.entertonement.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\SUS83DKG ]
media.mtvnservices.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\SUS83DKG ]
media.onsugar.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\SUS83DKG ]
media.scanscout.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\SUS83DKG ]
media1.break.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\SUS83DKG ]
objects.tremormedia.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\SUS83DKG ]
secure-us.imrworldwide.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\SUS83DKG ]
service.twistage.com [ C:\Documents and Settings\NetworkService\Application Data\Macromedia\Flash Player\#SharedObjects\SUS83DKG ]
2mdn.net [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
adsatt.espn.go.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
alpha.clickformant.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
cdn4.specificclick.net [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
convoad.technoratimedia.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
core.insightexpressai.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
ec.atdmt.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
googleads.g.doubleclick.net [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
media-macys2.pictela.net [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
media.cnbc.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
media.nbcbayarea.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
media.nbclosangeles.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
media.thewb.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
media.vmixcore.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
media01.kyte.tv [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
media10.washingtonpost.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
mediastore.verizonwireless.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
rmd.atdmt.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
spe.atdmt.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
stmedia.startribune.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
videos.mediaite.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]
vidii.hardsextube.com [ C:\Documents and Settings\Scott\Application Data\Macromedia\Flash Player\#SharedObjects\WT37ZYJB ]


Please confirm that SAS was supposed to be configured with only 3 options that you noted above. It only found cookies.

Windows Update has already downloaded an update, and Windows Defender is updating properly again.

The machine appears to be working much better now. Do I need to do anything else?

#11 boopme, "To Insanity and Beyond" (Global Moderator, 73,430 posts, Gender: Male, Location: NJ USA)

Posted 07 July 2010 - 08:24 PM

OK, yes, SAS was run correctly.
This looks good and clean now.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

#12 flyingdutchman (Topic Starter, Members, 16 posts)

Posted 12 July 2010 - 02:37 PM

Sorry about the delay in responding to you - we had an office move over the weekend.

My machine appears to be clean again - although I have one more question for you. Early on in my malware experience, my mouse and Synaptics touchpad driver disappeared. I had to download a new Synaptics driver from the HP site. I notice in one of the scans that I posted earlier, it says something about one of my keyboard drivers having a fake MD5. I'm not sure if that fake MD5 is a result of the new driver I had to grab from HP, or if it might be the result of key logger malware. Should I be concerned?

Thanks,
Dutch

#13 flyingdutchman (Topic Starter, Members, 16 posts)

Posted 12 July 2010 - 02:39 PM

Here is the line reported by TDSSKiller:

14:41:49:656 3340 SynTP (a74f8b2a64cecaa77fc86bdfeef4f9d0) C:\WINDOWS\system32\DRIVERS\SynTP.sys
14:41:49:656 3340 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\SynTP.sys. Real md5: a74f8b2a64cecaa77fc86bdfeef4f9d0, Fake md5: f646480d0dd9df3900bf4b53673c647d

#14 boopme, "To Insanity and Beyond" (Global Moderator, 73,430 posts, Gender: Male, Location: NJ USA)

Posted 12 July 2010 - 02:51 PM

This driver appears to be infected. The rest of the log would show us what was done about it.

#15 flyingdutchman (Topic Starter, Members, 16 posts)

Posted 12 July 2010 - 03:00 PM

Here is the whole log from TDSSKiller: Notice the kbdclass.sys file was "forged" and a backup copy found. The other file was SynTP.sys - it says it is also "forged" but doesn't say anything about it being fixed from a backup copy.

14:41:30:281 3340 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
14:41:30:281 3340 ================================================================================
14:41:30:281 3340 SystemInfo:

14:41:30:281 3340 OS Version: 5.1.2600 ServicePack: 3.0
14:41:30:281 3340 Product type: Workstation
14:41:30:281 3340 ComputerName: HP-LAPTOP1
14:41:30:281 3340 UserName: Scott
14:41:30:281 3340 Windows directory: C:\WINDOWS
14:41:30:281 3340 System windows directory: C:\WINDOWS
14:41:30:281 3340 Processor architecture: Intel x86
14:41:30:281 3340 Number of processors: 2
14:41:30:281 3340 Page size: 0x1000
14:41:30:281 3340 Boot type: Normal boot
14:41:30:281 3340 ================================================================================
14:41:30:859 3340 Initialize success
14:41:30:859 3340
14:41:30:859 3340 Scanning Services ...
14:41:30:984 3340 Raw services enum returned 383 services
14:41:31:000 3340
14:41:31:000 3340 Scanning Drivers ...
14:41:31:484 3340 Accelerometer (558a0039f0ef634397e1f61055504478) C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
14:41:31:718 3340 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:41:31:765 3340 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
14:41:31:843 3340 ADIHdAudAddService (4e12c97cbfe99be15d7680918f9899ec) C:\WINDOWS\system32\drivers\ADIHdAud.sys
14:41:32:281 3340 AEAudio (fff87a9b1ab36ee4b7bec98a4cb01b79) C:\WINDOWS\system32\drivers\AEAudio.sys
14:41:32:437 3340 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:41:32:515 3340 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
14:41:32:781 3340 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
14:41:32:890 3340 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:41:32:953 3340 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:41:33:265 3340 ati2mtag (3b23691e9eef04de3364d9271371bbde) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
14:41:33:875 3340 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:41:33:968 3340 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:41:34:078 3340 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:41:34:140 3340 BMLoad (98f4630b5867d911ad6eae79874bf5e6) C:\WINDOWS\system32\drivers\BMLoad.sys
14:41:34:281 3340 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:41:34:375 3340 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:41:34:500 3340 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:41:34:578 3340 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:41:34:609 3340 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
14:41:34:625 3340 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:41:34:765 3340 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:41:34:921 3340 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:41:35:015 3340 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
14:41:35:062 3340 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:41:35:171 3340 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:41:35:234 3340 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:41:35:359 3340 e1express (da1d21bb7d9b06c64275564f8e86c94e) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
14:41:35:562 3340 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:41:35:609 3340 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
14:41:35:625 3340 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:41:35:640 3340 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
14:41:35:703 3340 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
14:41:35:750 3340 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:41:35:750 3340 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:41:35:796 3340 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:41:35:859 3340 HBtnKey (407e41ddb2bfece109132aec296e0d98) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
14:41:35:968 3340 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
14:41:36:031 3340 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:41:36:093 3340 HP24X (362d8e46b618649591de2a5c2f0e58e1) C:\WINDOWS\system32\DRIVERS\HP24X.sys
14:41:36:296 3340 hpdskflt (5953c0952e4dd2b25b9adef05ab0285c) C:\WINDOWS\system32\DRIVERS\hpdskflt.sys
14:41:36:390 3340 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys
14:41:36:531 3340 HSFHWAZL (f2c5aaae6403584fbc53053af0844411) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
14:41:36:671 3340 HSF_DPV (daab917eec9849840a13353198d48cc5) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
14:41:36:843 3340 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:41:36:906 3340 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:41:37:000 3340 iaStor (8ef427c54497c5f8a7a645990e4278c7) C:\WINDOWS\system32\DRIVERS\iaStor.sys
14:41:37:062 3340 IFXTPM (91c5e9f49f32110ced27e2f902fad607) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
14:41:37:421 3340 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:41:37:625 3340 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:41:37:703 3340 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
14:41:37:796 3340 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:41:37:875 3340 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:41:37:937 3340 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:41:38:000 3340 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:41:38:093 3340 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:41:38:218 3340 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:41:38:312 3340 Kbdclass (476dcd7a29ae6c9adef7db010c73db0a) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:41:38:312 3340 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 476dcd7a29ae6c9adef7db010c73db0a, Fake md5: 463c1ec80cd17420a542b7f36a36f128
14:41:38:312 3340 File "C:\WINDOWS\system32\DRIVERS\kbdclass.sys" infected by TDSS rootkit ... 14:41:40:328 3340 Backup copy found, using it..
14:41:40:328 3340 will be cured on next reboot
14:41:40:468 3340 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:41:40:531 3340 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
14:41:40:656 3340 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:41:40:718 3340 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:41:40:750 3340 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
14:41:41:062 3340 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
14:41:41:187 3340 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys
14:41:41:390 3340 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys
14:41:41:578 3340 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys
14:41:42:125 3340 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
14:41:42:343 3340 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
14:41:42:562 3340 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:41:42:640 3340 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:41:42:718 3340 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:41:42:812 3340 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:41:42:843 3340 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:41:42:906 3340 MPFP (136157e79849b9e5316ba4008d6075a8) C:\WINDOWS\system32\Drivers\Mpfp.sys
14:41:43:156 3340 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:41:43:218 3340 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:41:43:234 3340 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:41:43:343 3340 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:41:43:375 3340 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:41:43:390 3340 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:41:43:437 3340 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:41:43:500 3340 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
14:41:43:515 3340 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:41:43:546 3340 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:41:43:625 3340 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:41:43:656 3340 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:41:43:703 3340 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
14:41:43:718 3340 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:41:43:750 3340 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:41:43:968 3340 NETw5x32 (aa88346ab7849a1cb34bd3424febfece) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
14:41:44:156 3340 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
14:41:44:203 3340 Nmea (b0d5188e282dc4edae7020f333427bc8) C:\WINDOWS\system32\DRIVERS\pctnullport.sys
14:41:44:609 3340 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:41:44:703 3340 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:41:44:796 3340 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:41:44:859 3340 NWADI (0973c0c696780161f4526586d5eac422) C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
14:41:44:906 3340 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:41:44:921 3340 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:41:44:984 3340 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
14:41:45:046 3340 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
14:41:45:078 3340 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:41:45:093 3340 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:41:45:140 3340 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\PCASp50.sys
14:41:45:390 3340 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:41:45:468 3340 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:41:45:515 3340 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
14:41:45:578 3340 PCTINDIS5 (1e715247efffdda938c085913045d599) C:\WINDOWS\system32\PCTINDIS5.SYS
14:41:46:171 3340 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:41:46:250 3340 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:41:46:359 3340 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:41:46:515 3340 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:41:46:593 3340 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:41:46:625 3340 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:41:46:656 3340 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:41:46:703 3340 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:41:46:734 3340 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:41:46:812 3340 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:41:46:890 3340 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
14:41:47:000 3340 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:41:47:093 3340 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
14:41:47:296 3340 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
14:41:47:468 3340 rismc32 (7c21554942bef51cbd84fd7d4e62cb9a) C:\WINDOWS\system32\DRIVERS\rismc32.sys
14:41:47:687 3340 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
14:41:47:781 3340 RsFx0103 (fd692c6ffade58f7c4c3c3c9a0ec35bd) C:\WINDOWS\system32\DRIVERS\RsFx0103.sys
14:41:48:093 3340 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
14:41:48:109 3340 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:41:48:203 3340 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
14:41:48:265 3340 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:41:48:375 3340 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:41:48:500 3340 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:41:48:578 3340 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
14:41:48:687 3340 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
14:41:48:890 3340 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:41:48:984 3340 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:41:49:046 3340 swmsflt (150ab4fa272130ec55b2a4faebdf47f9) C:\WINDOWS\System32\drivers\swmsflt.sys
14:41:49:203 3340 swmx00 (2712cc6d42f1c620e3b5d81b215b942d) C:\WINDOWS\system32\DRIVERS\swmx00.sys
14:41:49:484 3340 SWNC5E00 (47edcd5fdd249e5273cb90e56be97a5d) C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys
14:41:49:656 3340 SynTP (a74f8b2a64cecaa77fc86bdfeef4f9d0) C:\WINDOWS\system32\DRIVERS\SynTP.sys
14:41:49:656 3340 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\SynTP.sys. Real md5: a74f8b2a64cecaa77fc86bdfeef4f9d0, Fake md5: f646480d0dd9df3900bf4b53673c647d
14:41:49:750 3340 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:41:49:828 3340 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:41:49:859 3340 tcpipBM (4bed0c7fdf414d1bd26bf33ea673ca49) C:\WINDOWS\system32\drivers\tcpipBM.sys
14:41:50:046 3340 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:41:50:109 3340 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:41:50:156 3340 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:41:50:234 3340 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:41:50:281 3340 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:41:50:359 3340 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:41:50:421 3340 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:41:50:453 3340 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:41:50:484 3340 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:41:50:531 3340 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:41:50:562 3340 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:41:50:609 3340 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:41:50:703 3340 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:41:50:750 3340 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:41:50:812 3340 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:41:50:937 3340 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
14:41:51:203 3340 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:41:51:343 3340 winachsf (be3a842c2f2e87e7c840d36bcf13e8e0) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
14:41:51:687 3340 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
14:41:51:796 3340 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
14:41:51:890 3340 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:41:51:953 3340 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:41:51:984 3340 Reboot required for cure complete..
14:41:52:171 3340 Cure on reboot scheduled successfully
14:41:52:171 3340
14:41:52:171 3340 Completed
14:41:52:171 3340
14:41:52:171 3340 Results:
14:41:52:171 3340 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:41:52:171 3340 File objects infected / cured / cured on reboot: 1 / 0 / 1
14:41:52:171 3340
14:41:52:171 3340 KLMD(ARK) unloaded successfully
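The log above reports two drivers as "Forged" (two different MD5s for the same path), yet the closing Results block counts only one infected file, and only kbdclass.sys gets the "Backup copy found" and "will be cured on next reboot" follow-up lines. As an added example, not part of this thread and not code from TDSSKiller or Kaspersky, here is a small Python parser for this log layout that ties each "Suspicious file (Forged)" line to the follow-up lines that come after it and compares the per-file outcome with the Results summary, so that a file flagged but never cured stands out. The sample input is a constructed excerpt of the log posted above (same layout, same paths and hashes); the line-format assumptions (timestamp, a numeric second field treated as opaque, then the message) and all function names are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the TDSSKiller 2.3.2.2 log posted in this thread
# (same line layout; the paths and hashes are the ones from that log).
SAMPLE_LOG = r"""
14:41:38:312 3340 Kbdclass (476dcd7a29ae6c9adef7db010c73db0a) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:41:38:312 3340 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: 476dcd7a29ae6c9adef7db010c73db0a, Fake md5: 463c1ec80cd17420a542b7f36a36f128
14:41:38:312 3340 File "C:\WINDOWS\system32\DRIVERS\kbdclass.sys" infected by TDSS rootkit ... 14:41:40:328 3340 Backup copy found, using it..
14:41:40:328 3340 will be cured on next reboot
14:41:40:468 3340 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:41:49:656 3340 SynTP (a74f8b2a64cecaa77fc86bdfeef4f9d0) C:\WINDOWS\system32\DRIVERS\SynTP.sys
14:41:49:656 3340 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\SynTP.sys. Real md5: a74f8b2a64cecaa77fc86bdfeef4f9d0, Fake md5: f646480d0dd9df3900bf4b53673c647d
14:41:49:750 3340 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:41:52:171 3340 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Assumed line layout: "hh:mm:ss:ms <number> <message>". The number (3340 above) is
# treated as an opaque field; nothing here depends on what it means.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3}) (?P<num>\d+) (?P<msg>.*)$")
# A plain driver-enumeration line: "<service> (<md5>) <path>".
DRIVER_RE = re.compile(r"^\S+ \([0-9a-f]{32}\) \S")
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
)
SUMMARY_RE = re.compile(
    r"File objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)"
)


@dataclass
class ForgedFile:
    path: str
    real_md5: str        # hash TDSSKiller reports as the file's real content
    fake_md5: str        # hash it reports for the view presented to normal readers
    backup_found: bool = False
    cure_scheduled: bool = False

    @property
    def status(self) -> str:
        if self.cure_scheduled:
            return "cure scheduled (reboot required)"
        return "flagged only, no cure recorded"


def parse_tdsskiller_log(text: str) -> dict:
    """Return {'forged': [ForgedFile, ...], 'summary': (infected, cured, cured_on_reboot)}."""
    forged: list[ForgedFile] = []
    current = None   # the most recent Forged entry; follow-up lines refer to it
    summary = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        fm = FORGED_RE.search(msg)
        if fm:
            current = ForgedFile(fm["path"], fm["real"], fm["fake"])
            forged.append(current)
            continue
        # Follow-up lines are written directly after the detection; the "infected by"
        # line carries a second timestamp mid-line, so match on the message text only.
        if current is not None and "Backup copy found" in msg:
            current.backup_found = True
        elif current is not None and "will be cured on next reboot" in msg:
            current.cure_scheduled = True
        sm = SUMMARY_RE.search(msg)
        if sm:
            summary = tuple(int(x) for x in sm.groups())
        elif DRIVER_RE.match(msg):
            current = None   # next driver enumerated: the follow-up window is over
    return {"forged": forged, "summary": summary}


def unresolved(report: dict) -> list[str]:
    """Paths reported as Forged for which no cure line follows."""
    return [f.path for f in report["forged"] if not f.cure_scheduled]


def summary_matches(report: dict) -> bool:
    """True when the per-file cure lines agree with the closing Results block."""
    if report["summary"] is None:
        return False
    infected, _cured, on_reboot = report["summary"]
    scheduled = sum(1 for f in report["forged"] if f.cure_scheduled)
    return infected == len(report["forged"]) and on_reboot == scheduled


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for f in rep["forged"]:
        print(f"{f.path}: {f.status}")
    print("results block consistent with per-file lines:", summary_matches(rep))
    print("flagged but not cured:", unresolved(rep))
```

Run against the excerpt, the report lists kbdclass.sys as "cure scheduled" and SynTP.sys as "flagged only", and `summary_matches` is false because the Results block counts one infected file while two were flagged. That mismatch is the thing to look for when reading such a log: a "Forged" verdict with no cure line means the tool recorded the discrepancy but did nothing about it, and the file still needs a decision (the thread's next step, posting the full log for the helper, is exactly that).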