
Can't Post In Here


  • This topic is locked
25 replies to this topic

#1 volcanojws


  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:43 AM

Posted 31 August 2010 - 12:21 PM

I've tried everything to post in here and when I do IE says I don't have an internet connection. I have completed all the proper steps to post the DDS log, attach.txt and ark.txt but I can't! AHHH! Can anyone help?

As soon as I paste or try to upload the DDS log, No go!


Edited by volcanojws, 31 August 2010 - 12:28 PM.




#2 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:43 AM

Posted 07 September 2010 - 12:17 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is ok, just ignore it

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Information and logs:
    In your next post I need the following
      1. logs from DDS
      2. log from RKUnHooker
      3. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 volcanojws

  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:04:43 AM

Posted 07 September 2010 - 04:05 PM

Thanks Gringo for taking the time to help me out!

Just so you know my initial reason for posting was the Google jump/redirect virus. I came here for help, followed all the steps but no matter what I try I cannot post the DDS log. The file will not attach to this thread nor will IE let me post the log into the body of this thread. I'm not sure if this is related to the virus I have or if I am doing something wrong. I have attached the "attach" file from DDS and the RK report is posted in the body below. Let me know what else I can do to try and get you the DDS log.


Thanks again!
Jason

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/20/2007 7:35:55 PM
System Uptime: 9/7/2010 8:25:11 AM (7 hours ago)

Motherboard: Hewlett-Packard | | 30C5
Processor: Intel® Core™2 Duo CPU T7300 @ 2.00GHz | U10 | 1995/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 42 GiB total, 7.882 GiB free.
D: is FIXED (NTFS) - 2 GiB total, 1.317 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: HP Integrated Module
Device ID: USB\VID_03F0&PID_171D\5&183C0CEE&0&1
Manufacturer:
Name: HP Integrated Module
PNP Device ID: USB\VID_03F0&PID_171D\5&183C0CEE&0&1
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\HPQ0006\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\HPQ0006\2&DABA3FF&0
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Shrew Soft Virtual Adapter
Device ID: ROOT\VNET\0000
Manufacturer: Shrew Soft
Name: Shrew Soft Virtual Adapter
PNP Device ID: ROOT\VNET\0000
Service: vnet

==== System Restore Points ===================

RP630: 8/25/2010 12:38:14 PM - System Checkpoint
RP631: 8/26/2010 11:17:36 AM - Removed TdcotiniHli
RP632: 8/26/2010 11:20:52 AM - Glary Utilities Restore Point
RP633: 8/26/2010 12:03:47 PM - Restore Operation
RP634: 8/26/2010 1:33:22 PM - Removed Java™ 6 Update 12
RP635: 8/26/2010 1:36:50 PM - Installed Java™ 6 Update 21
RP636: 8/26/2010 1:41:40 PM - Removed Java™ 6 Update 21
RP637: 8/26/2010 1:48:11 PM - Installed Java™ 6 Update 21
RP638: 8/30/2010 9:48:39 AM - System Checkpoint
RP639: 8/31/2010 1:06:56 PM - System Checkpoint
RP640: 9/2/2010 12:47:20 PM - System Checkpoint
RP641: 9/7/2010 9:10:35 AM - System Checkpoint

==== Installed Programs ======================


==== Event Viewer Messages From Past Week ========


==== End Of File ===========================






RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBFAD7000 C:\WINDOWS\System32\ati3duag.dll 2924544 bytes (ATI Technologies Inc. , ati3duag.dll)
0xF5730000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 2363392 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF5472000 C:\WINDOWS\system32\DRIVERS\NETw4x32.sys 2211840 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBFDA1000 C:\WINDOWS\System32\ativvaxx.dll 1515520 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xAE2E8000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 991232 bytes (Conexant Systems, Inc., HSF_DP driver)
0xAE235000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF71F6000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA0BD3000 C:\WINDOWS\system32\Drivers\CVPNDRVA.sys 544768 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver)
0xA4905000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0xAA1E0000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF52FC000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xBFA1B000 C:\WINDOWS\System32\ati2cqag.dll 368640 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xAC040000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA0A19000 C:\WINDOWS\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xBFA75000 C:\WINDOWS\System32\atikvmag.dll 327680 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xAE425000 C:\WINDOWS\system32\drivers\ADIHdAud.sys 307200 bytes (Analog Devices, Inc., High Definition Audio Function Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF9D6000 C:\WINDOWS\System32\ati2dvag.dll 282624 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xF56B2000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 270336 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.2 deserialized driver)
0x9FEF9000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xAE3DA000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 212992 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xF5418000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 204800 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xF535A000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7358000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA0DE8000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF71C9000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9FD43000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xAA250000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF56F4000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA00A2000 C:\WINDOWS\system32\drivers\mfehidk.sys 163840 bytes (McAfee, Inc., Host Intrusion Detection Link Driver)
0xAA2C2000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA7998000 C:\WINDOWS\system32\DRIVERS\webc3vid.sys 159744 bytes (Creative Technology Ltd., Creative Video Blaster WebCam 2K Stream Class Mini Driver)
0xF72E4000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xAA2EA000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xAA27B000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 151552 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0xAEFC0000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF568E000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF53F5000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0x9FD96000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xAA2A0000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xAA310000 C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys 135168 bytes (AuthenTec, Inc., (TEST) Slide Fingerprint USB Driver)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF72AC000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF730A000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7329000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xAC180000 C:\WINDOWS\system32\drivers\InCDFs.sys 114688 bytes (Nero AG, InCD File System Driver)
0xF53DA000 C:\WINDOWS\system32\DRIVERS\dne2000.sys 110592 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)
0xAEFE4000 C:\WINDOWS\system32\drivers\AtiHdmi.sys 106496 bytes (ATI Research Inc., Ati High Definition Audio Function Driver)
0xF7197000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF72CC000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF71B1000 SafeBoot.sys 98304 bytes
0xAE40E000 C:\WINDOWS\system32\drivers\AEAudio.sys 94208 bytes (Andrea Electronics Corporation, Audio Noise Filtering Driver (32-bit))
0xF7283000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF53C3000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA0F5B000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF544A000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF545E000 C:\WINDOWS\System32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xF571C000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xAC16D000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBFAC5000 C:\WINDOWS\System32\atiok3x2.dll 73728 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xBF9C4000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF729A000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7347000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF53B2000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xA7617000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF5E55000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xA04E1000 C:\WINDOWS\system32\drivers\mfeavfk.sys 65536 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)
0xF5EA5000 C:\WINDOWS\System32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7497000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF5EC5000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF75A7000 C:\WINDOWS\System32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF75C7000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7507000 Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0xAA68C000 C:\WINDOWS\system32\drivers\mfeapfk.sys 61440 bytes (McAfee, Inc., Access Protection Filter Driver)
0xF5A01000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF5E95000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 61440 bytes (REDC, RICOH SD Driver)
0xA5CE3000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF75D7000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF74A7000 C:\WINDOWS\System32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF74F7000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF5E75000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF59B1000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xAD6A7000 C:\WINDOWS\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF74C7000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xA5D73000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0xAB23C000 C:\WINDOWS\system32\drivers\mfetdik.sys 49152 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)
0xF5991000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF5EB5000 C:\WINDOWS\system32\DRIVERS\rismc32.sys 49152 bytes (RICOH Company, Ltd., PC-SC Driver for RICOH SmartCard Reader)
0xAB20C000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF5ED5000 C:\WINDOWS\system32\DRIVERS\HECI.sys 45056 bytes (Intel Corporation, Intel® Management Engine Interface)
0xF5E85000 C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS 45056 bytes (Infineon Technologies AG, Infineon Trusted Platform Module)
0xF5E65000 C:\WINDOWS\System32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF74B7000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF59A1000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF74D7000 SbAlg.sys 45056 bytes (SafeBoot N.V., SafeBoot FIPS AES Algorithm (256 bit))
0xF59E1000 C:\WINDOWS\System32\Drivers\SCDFilter.SYS 45056 bytes (Discrete Technologies, SecureDisc CD/DVD Filter Driver)
0xF59D1000 C:\WINDOWS\system32\DRIVERS\Accelerometer.sys 40960 bytes (Hewlett-Packard Corporation, HP Accelerometer)
0xF7487000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF648B000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF5971000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF59C1000 C:\WINDOWS\system32\DRIVERS\vfilter.sys 40960 bytes (Shrew Soft Inc, Shrew Soft IM Filter Driver)
0xF74E7000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xAD697000 C:\WINDOWS\System32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7517000 hpdskflt.sys 36864 bytes (Hewlett-Packard Corporation, HP Disk Filter)
0xF59F1000 C:\WINDOWS\system32\drivers\InCDRm.sys 36864 bytes (Nero AG, Nero MRW Filter Driver)
0xF5EE5000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF5981000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xAB22C000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA0223000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xAB1FC000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF77AF000 C:\WINDOWS\system32\drivers\InCDPass.sys 32768 bytes (Nero AG, Ahead RW Filter Driver)
0xF7867000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xAE670000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xAE698000 C:\WINDOWS\System32\drivers\psd.sys 32768 bytes (Infineon Technologies AG, PSD Device Driver)
0xAE668000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xF7797000 C:\WINDOWS\System32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xAE688000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xA4A4F000 C:\WINDOWS\system32\drivers\mfebopk.sys 28672 bytes (McAfee, Inc., Buffer Overflow Protection Driver)
0xAE660000 C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys 28672 bytes (McAfee, Inc., VSCore Code Analysis Driver)
0xA71AF000 C:\WINDOWS\system32\DRIVERS\NuidFltr.sys 28672 bytes (Microsoft Corporation, Filter Driver for Microsoft Hardware HID Non-User Input Data)
0xF7707000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF779F000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF77A7000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7717000 pavboot.sys 24576 bytes (Panda Security, S.L., Panda Boot Driver)
0xA71A7000 C:\WINDOWS\system32\DRIVERS\point32.sys 24576 bytes (Microsoft Corporation, Point32.sys)
0xAC1BC000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xAC1F4000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF778F000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xAE680000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xAE658000 C:\WINDOWS\system32\DRIVERS\webc3cam.SYS 24576 bytes (Creative Technology Ltd., Creative Video Blaster WebCam 2K Universal Serial Bus Camera Driver)
0xAA51D000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Cisco Systems, Inc., IEEE 802.1X Protocol Driver)
0xAE678000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF77BF000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF77C7000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF77B7000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xAB445000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF789F000 C:\WINDOWS\System32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF6772000 C:\WINDOWS\System32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xA5309000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xA0B4F000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0xF7977000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xAED0F000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xAED13000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 16384 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xF678E000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF678A000 C:\WINDOWS\system32\DRIVERS\SMCLIB.SYS 16384 bytes (Microsoft Corporation, Smard Card Driver Library)
0xF78A3000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF789B000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xAB8B8000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xAECFB000 C:\WINDOWS\System32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF4DD7000 C:\WINDOWS\System32\Drivers\InCDrec.SYS 12288 bytes (Nero AG, InCD File System Recognizer)
0xA5305000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7957000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF4DD3000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xA0545000 C:\WINDOWS\system32\Drivers\uphcleanhlp.sys 12288 bytes
0xF794F000 C:\WINDOWS\System32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xF7997000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF798B000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7995000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF799B000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7A39000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF799D000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79AD000 C:\WINDOWS\System32\Drivers\RsvLock.SYS 8192 bytes (SafeBoot International, SafeBoot Reserved Files Lock Driver)
0xF798D000 SbFsLock.sys 8192 bytes (SafeBoot International, SafeBoot FS Locker)
0xF7A09000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7A05000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7989000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7BA6000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7AE3000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xAD5C4000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A50000 C:\WINDOWS\System32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x87320AEA ?_empty_? 1302 bytes
0x87320EC5 unknown_irp_handler 315 bytes
!!!!!!!!!!!Hidden driver: 0x8A15ECE8 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF72CC000 WARNING: suspicious driver modification [atapi.sys::0x87320AEA]
WARNING: Virus alike driver modification [bthpan.sys]
WARNING: Virus alike driver modification [v1e5132.sys]
WARNING: Virus alike driver modification [compbatt.sys]
WARNING: Virus alike driver modification [sffp_mmc.sys]
WARNING: Virus alike driver modification [hsfdpsp2.sys]
WARNING: Virus alike driver modification [atinrvxx.sys]
WARNING: Virus alike driver modification [mup.sys]
0x05970000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 1077248 bytes
WARNING: Virus alike driver modification [sffp_sd.sys]
WARNING: Virus alike driver modification [irenum.sys]
WARNING: Virus alike driver modification [wadv08nt.sys]
WARNING: Virus alike driver modification [ati1mdxx.sys]
WARNING: Virus alike driver modification [acpiec.sys]
WARNING: Virus alike driver modification [cpqdap01.sys]
WARNING: Virus alike driver modification [wadv07nt.sys]
WARNING: Virus alike driver modification [wadv09nt.sys]
WARNING: Virus alike driver modification [sffdisk.sys]
WARNING: Virus alike driver modification [wadv11nt.sys]
WARNING: Virus alike driver modification [pcmcia.sys]
WARNING: Virus alike driver modification [nikedrv.sys]
WARNING: Virus alike driver modification [rio8drv.sys]
WARNING: Virus alike driver modification [riodrv.sys]
WARNING: Virus alike driver modification [ws2ifsl.sys]
WARNING: Virus alike driver modification [tdpipe.sys]
WARNING: Virus alike driver modification [ati1pdxx.sys]
WARNING: Virus alike driver modification [fsvga.sys]
WARNING: Virus alike driver modification [usbvideo.sys]
WARNING: Virus alike driver modification [tunmp.sys]
WARNING: Virus alike driver modification [nwlnkflt.sys]
WARNING: Virus alike driver modification [ftdisk.sys]
WARNING: Virus alike driver modification [mtlmnt5.sys]
WARNING: Virus alike driver modification [mutohpen.sys]
0x05910000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 126976 bytes
WARNING: Virus alike driver modification [usb8023.sys]
WARNING: Virus alike driver modification [usb8023x.sys]
WARNING: Virus alike driver modification [slnt7554.sys]
WARNING: Virus alike driver modification [fltmgr.sys]
WARNING: Virus alike driver modification [mtlstrm.sys]
WARNING: Virus alike driver modification [slwdmsup.sys]
WARNING: Virus alike driver modification [SbFsLock.sys]
WARNING: Virus alike driver modification [recagent.sys]
WARNING: Virus alike driver modification [atinmdxx.sys]
WARNING: Virus alike driver modification [atinttxx.sys]
WARNING: Virus alike driver modification [cbidf2k.sys]
WARNING: Virus alike driver modification [battc.sys]
WARNING: Virus alike driver modification [diskdump.sys]
WARNING: Virus alike driver modification [wacompen.sys]
WARNING: Virus alike driver modification [asyncmac.sys]
WARNING: Virus alike driver modification [atinpdxx.sys]
WARNING: Virus alike driver modification [Hdaudio.sys]
WARNING: Virus alike driver modification [tape.sys]
WARNING: Virus alike driver modification [dmio.sys]
WARNING: Virus alike driver modification [usbintel.sys]
WARNING: Virus alike driver modification [nwrdr.sys]
WARNING: Virus alike driver modification [HPZipr12.sys]
WARNING: Virus alike driver modification [s3gnbm.sys]
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\SafeBoot.sys]
WARNING: Virus alike driver modification [bthenum.sys]
WARNING: Virus alike driver modification [hpdskflt.sys]
WARNING: Virus alike driver modification [ntmtlfax.sys]
WARNING: Virus alike driver modification [ndis.sys]
WARNING: Virus alike driver modification [acpi.sys]
WARNING: Virus alike driver modification [bthusb.sys]
WARNING: Virus alike driver modification [nv4_mini.sys]
WARNING: Virus alike driver modification [hidir.sys]
WARNING: Virus alike driver modification [partmgr.sys]
WARNING: Virus alike driver modification [rmcast.sys]
WARNING: Virus alike driver modification [secdrv.sys]
0x03600000 Hidden Image-->System.XML.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 2060288 bytes
WARNING: Virus alike driver modification [ipinip.sys]
WARNING: Virus alike driver modification [mbam.sys]
WARNING: Virus alike driver modification [ati1ttxx.sys]
WARNING: Virus alike driver modification [tsbvcap.sys]
WARNING: Virus alike driver modification [HPZius12.sys]
WARNING: Virus alike driver modification [hsfbs2s2.sys]
WARNING: Virus alike driver modification [watv06nt.sys]
WARNING: Virus alike driver modification [tcpip6.sys]
WARNING: Virus alike driver modification [pciidex.sys]
WARNING: Virus alike driver modification [sonydcam.sys]
WARNING: Virus alike driver modification [watv10nt.sys]
WARNING: Virus alike driver modification [hidbth.sys]
WARNING: Virus alike driver modification [usbcamd.sys]
WARNING: Virus alike driver modification [usbcamd2.sys]
WARNING: Virus alike driver modification [usbprint.sys]
WARNING: Virus alike driver modification [cinemst2.sys]
WARNING: Virus alike driver modification [ati1snxx.sys]
0x04A60000 Hidden Image-->System.EnterpriseServices.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 266240 bytes
0x047B0000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 270336 bytes
WARNING: Virus alike driver modification [bthport.sys]
WARNING: Virus alike driver modification [pavboot.sys]
WARNING: Virus alike driver modification [atinsnxx.sys]
WARNING: Virus alike driver modification [ati1xbxx.sys]
0x04440000 Hidden Image-->System.Data.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 2961408 bytes
WARNING: Virus alike driver modification [DAMDrv.sys]
WARNING: Virus alike driver modification [rndismp.sys]
WARNING: Virus alike driver modification [rndismpx.sys]
WARNING: Virus alike driver modification [ati1raxx.sys]
0x04FE0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 307200 bytes
WARNING: Virus alike driver modification [atmepvc.sys]
0x03830000 Hidden Image-->System.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 3158016 bytes
WARNING: Virus alike driver modification [atinxbxx.sys]
WARNING: Virus alike driver modification [nwlnkfwd.sys]
WARNING: Virus alike driver modification [ati2mtaa.sys]
WARNING: Virus alike driver modification [ipfltdrv.sys]
WARNING: Virus alike driver modification [rawwan.sys]
WARNING: Virus alike driver modification [ati1xsxx.sys]
WARNING: Virus alike driver modification [atmuni.sys]
WARNING: Virus alike driver modification [disk.sys]
WARNING: Virus alike driver modification [ati1tuxx.sys]
WARNING: Virus alike driver modification [bthprint.sys]
WARNING: Virus alike driver modification [ip6fw.sys]
WARNING: Virus alike driver modification [crusoe.sys]
WARNING: Virus alike driver modification [isapnp.sys]
WARNING: Virus alike driver modification [amdk6.sys]
WARNING: Virus alike driver modification [amdk7.sys]
WARNING: Virus alike driver modification [bthmodem.sys]
WARNING: Virus alike driver modification [wpdusb.sys]
WARNING: Virus alike driver modification [nmnt.sys]
WARNING: Virus alike driver modification [slntamr.sys]
WARNING: Virus alike driver modification [sisagp.sys]
WARNING: Virus alike driver modification [viaagp.sys]
WARNING: Virus alike driver modification [agp440.sys]
WARNING: Virus alike driver modification [mountmgr.sys]
WARNING: Virus alike driver modification [alim1541.sys]
WARNING: Virus alike driver modification [p3.sys]
WARNING: Virus alike driver modification [amdagp.sys]
0x03550000 Hidden Image-->System.configuration.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 438272 bytes
WARNING: Virus alike driver modification [uagp35.sys]
WARNING: Virus alike driver modification [SbAlg.sys]
WARNING: Virus alike driver modification [agpcpq.sys]
WARNING: Virus alike driver modification [mtxparhm.sys]
WARNING: Virus alike driver modification [gagp30kx.sys]
WARNING: Virus alike driver modification [irbus.sys]
0x012E0000 Hidden Image-->Intuit.Spc.Foundations.Portability.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 471040 bytes
0x048C0000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 479232 bytes
WARNING: Virus alike driver modification [stream.sys]
WARNING: Virus alike driver modification [classpnp.sys]
WARNING: Virus alike driver modification [mspqm.sys]
0x05250000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 5033984 bytes
WARNING: Virus alike driver modification [HPZid412.sys]
WARNING: Virus alike driver modification [tosdvd.sys]
WARNING: Virus alike driver modification [atinraxx.sys]
WARNING: Virus alike driver modification [volsnap.sys]
0x01250000 Hidden Image-->Intuit.Spc.Foundations.Primary.Logging.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 53248 bytes
WARNING: Virus alike driver modification [1394bus.sys]
WARNING: Virus alike driver modification [mspclock.sys]
WARNING: Virus alike driver modification [atmlane.sys]
WARNING: Virus alike driver modification [nwlnkspx.sys]
WARNING: Virus alike driver modification [ati1btxx.sys]
WARNING: Virus alike driver modification [ntfs.sys]
WARNING: Virus alike driver modification [atinbtxx.sys]
WARNING: Virus alike driver modification [vdmindvd.sys]
WARNING: Virus alike driver modification [dmload.sys]
WARNING: Virus alike driver modification [smbali.sys]
WARNING: Virus alike driver modification [rfcomm.sys]
WARNING: Virus alike driver modification [atmarpc.sys]
WARNING: Virus alike driver modification [ohci1394.sys]
WARNING: Virus alike driver modification [nwlnknb.sys]
WARNING: Virus alike driver modification [atinxsxx.sys]
0x057C0000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 634880 bytes
WARNING: Virus alike driver modification [ati1rvxx.sys]
WARNING: Virus alike driver modification [mf.sys]
WARNING: Virus alike driver modification [enum1394.sys]
WARNING: Virus alike driver modification [udfs.sys]
WARNING: Virus alike driver modification [pci.sys]
WARNING: Virus alike driver modification [hsfcxts2.sys]
WARNING: Virus alike driver modification [virtualnet.sys]
WARNING: Virus alike driver modification [bridge.sys]
WARNING: Virus alike driver modification [atintuxx.sys]
WARNING: Virus alike driver modification [sr.sys]
WARNING: Virus alike driver modification [mskssrv.sys]
WARNING: Virus alike driver modification [mcd.sys]
WARNING: Virus alike driver modification [WudfPf.sys]
0x01290000 Hidden Image-->Intuit.Spc.Foundations.Primary.ExceptionHandling.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 77824 bytes
0xAC16D000 WARNING: Virus alike driver modification [ipsec.sys], 77824 bytes
0x04380000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x872F1B50 ] PID: 1216, 778240 bytes
WARNING: Virus alike driver modification [dmboot.sys]
WARNING: Virus alike driver modification [WudfRd.sys]
0x034F0000 Hidden Image-->Intuit.Spc.Foundations.Primary.Config.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 86016 bytes
WARNING: Virus alike driver modification [nwlnkipx.sys]
WARNING: Virus alike driver modification [mqac.sys]
WARNING: Virus alike driver modification [ksecdd.sys]
WARNING: Virus alike driver modification [slnthal.sys]
WARNING: Virus alike driver modification [scsiport.sys]

Edited by volcanojws, 07 September 2010 - 04:15 PM.


#4 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 07 September 2010 - 04:18 PM

upload it to here and send me the link

http://www.mediafire.com/


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 volcanojws (Topic Starter)

Posted 07 September 2010 - 04:32 PM

Thanks. I believe the mediafire server may be down or this virus knows every possible solution and is one step ahead of you. ;-)

I'm sure it's just a mediafire server issue. I'll keep an eye out for it to come back up.

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 07 September 2010 - 04:44 PM

You can do it here too

http://www.megaupload.com

Gringo

#7 volcanojws (Topic Starter)

Posted 07 September 2010 - 05:05 PM

This is weird! The DDS file will not load to MegaUpload. The attach file will and the RK report will but the DDS errors. Ideas?

#8 volcanojws (Topic Starter)

Posted 07 September 2010 - 05:10 PM

AH HA!!! I tricked it. I printed the log to a .tif file and uploaded it.

Here is the link.

http://www.megaupload.com/?d=WNYSVYQN

#9 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 07 September 2010 - 05:34 PM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo

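Added example, not part of this thread and not code from ComboFix, BleepingComputer or any scanner vendor: a small Python triage script for the two kinds of text report that appear here, the driver/hidden-image warning list in post #3 and the ComboFix report requested in the post above. The line patterns, the severity labels and the 20-driver noise threshold are assumptions drawn from the quoted output, not the tools' documented formats, and the sample lines are constructed, modelled on those reports. The point it makes is the one a responder wants: when a scanner flags nearly every driver on the box, the per-driver lines carry no discriminating signal, and what deserves a second look is the handful of lines that are not repeated, such as a driver file that cannot be read, a file reported infected with no clean replacement, a BITS job pointing at an unknown host, and non-default LSA or AppInit load points.

```python
"""Triage helper for anti-rootkit and ComboFix-style text reports (added example;
the line patterns below are assumptions drawn from quoted output, not the tools'
documented formats)."""
import re
from collections import defaultdict

# Constructed sample lines modelled on the two report formats quoted in the thread.
SAMPLE_LOG = r"""
WARNING: Virus alike driver modification [ndis.sys]
WARNING: Virus alike driver modification [ntfs.sys]
WARNING: Virus alike driver modification [acpi.sys]
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\SafeBoot.sys]
0x03600000 Hidden Image-->System.XML.dll [ EPROCESS 0x872F1B50 ] PID: 1216, 2060288 bytes
0x04380000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x872F1B50 ] PID: 1216, 778240 bytes
0xAC16D000 WARNING: Virus alike driver modification [ipsec.sys], 77824 bytes
----- BITS: Possible infected sites -----
hxxp://si-helpdesk
c:\windows\system32\drivers\SafeBoot.sys . . . is infected!! . . . Failed to find a valid replacement.
"AppInit_DLLs"=c:\windows\system32\APSHook.dll
Notification Packages REG_MULTI_SZ SbHpNp scecli
\Driver\Disk -> CLASSPNP.SYS @ 0xf74fbf28
"""

RX = {  # one pattern per line type of interest (assumed formats)
    "driver_mod": re.compile(r"Virus alike driver modification \[([^\]]+)\]"),
    "locked":     re.compile(r"File locked for read access \[([^\]]+)\]"),
    "hidden":     re.compile(r"Hidden Image-->(\S+) \[ EPROCESS \S+ \] PID: (\d+)"),
    "infected":   re.compile(r"^(\S+) \. \. \. is infected!!"),
    "bits":       re.compile(r"^hxxps?://\S+"),
    "appinit":    re.compile(r'"AppInit_DLLs"=(.+)$'),
    "lsa":        re.compile(r"Notification Packages REG_MULTI_SZ (.+)$"),
    "hook":       re.compile(r"^(\\Driver\\\S+) -> (\S+) @ (0x[0-9a-fA-F]+)"),
}
BLANKET_THRESHOLD = 20              # assumption: this many flagged drivers is a sweep, not evidence
DEFAULT_LSA_PACKAGES = {"scecli"}   # stock Windows XP value of LSA "Notification Packages"


def parse_report(text):
    """Pull the interesting line types out of a report, keyed by type."""
    found = {"driver_mods": [], "locked_files": [], "hidden_images": defaultdict(list),
             "infected": [], "bits_sites": [], "appinit_dlls": [], "lsa_packages": [],
             "mbr_hooks": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RX["driver_mod"].search(line):
            found["driver_mods"].append(m.group(1).lower())
        elif m := RX["locked"].search(line):
            found["locked_files"].append(m.group(1))
        elif m := RX["hidden"].search(line):
            found["hidden_images"][int(m.group(2))].append(m.group(1))
        elif m := RX["infected"].match(line):
            found["infected"].append(m.group(1))
        elif m := RX["bits"].match(line):
            found["bits_sites"].append(m.group(0))
        elif m := RX["appinit"].search(line):
            found["appinit_dlls"].extend(p for p in re.split(r"[ ,]+", m.group(1)) if p)
        elif m := RX["lsa"].search(line):
            found["lsa_packages"].extend(m.group(1).split())
        elif m := RX["hook"].match(line):
            found["mbr_hooks"].append((m.group(1), m.group(2), m.group(3)))
    return found


def triage(found):
    """Turn parsed lines into (severity, message) pairs, worst first."""
    out = []
    mods = found["driver_mods"]
    if len(mods) >= BLANKET_THRESHOLD:
        # Nearly every driver flagged: one note, the per-driver lines carry no signal.
        out.append(("info", f"{len(mods)} drivers flagged as modified; treat as blanket noise"))
    else:
        out.extend(("medium", f"driver flagged as modified: {d}") for d in sorted(set(mods)))
    infected = {p.lower() for p in found["infected"]}
    locked = {p.lower() for p in found["locked_files"]}
    for path in found["locked_files"]:
        if path.lower() in infected:
            out.append(("high", f"{path}: unreadable and reported infected with no clean replacement"))
        else:
            out.append(("medium", f"{path}: locked against read access; copy it from an offline boot"))
    out.extend(("high", f"reported infected: {p}") for p in found["infected"] if p.lower() not in locked)
    out.extend(("medium", f"BITS job queued for {s}; find who created it") for s in found["bits_sites"])
    out.extend(("review", f"AppInit_DLLs injects {d} into every process that loads user32.dll")
               for d in found["appinit_dlls"])
    out.extend(("review", f"LSA notification package {p} runs inside lsass and sees password changes")
               for p in found["lsa_packages"] if p.lower() not in DEFAULT_LSA_PACKAGES)
    out.extend(("review", f"PID {pid}: {len(dlls)} images hidden from the scanner, e.g. {dlls[0]}")
               for pid, dlls in found["hidden_images"].items())
    out.extend(("info", f"{drv} dispatch hooked into {tgt} at {addr}; identify the filter driver")
               for drv, tgt, addr in found["mbr_hooks"])
    rank = {"high": 0, "medium": 1, "review": 2, "info": 3}
    return sorted(out, key=lambda f: rank[f[0]])


if __name__ == "__main__":
    for severity, message in triage(parse_report(SAMPLE_LOG)):
        print(f"[{severity:6}] {message}")
```

Run it as-is to see the sample triage, or feed a whole saved report to parse_report. The severity ordering is a judgement call made for this example, not a rating from any tool; the one rule worth keeping is that a file that is both unreadable and reported infected outranks a page of identical driver warnings.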
#10 volcanojws (Topic Starter)

Posted 07 September 2010 - 07:53 PM

Hi Gringo,

Below is the ComboFix log. Everything seemed to run okay. Two things happened:

1. ComboFix detected the presence of rootkit activity or something like that and rebooted the computer. After that it ran fine start to finish.

2. During the installation of the recovery module some file named catchme (or similar to that, I can't remember the entire file name) failed to install or something like that. According to ComboFix the recovery module did install fine though.

Thanks again!

ComboFix 10-09-07.01 - Administrator 09/07/2010 19:11:13.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1324 [GMT -5:00]
Running from: c:\documents and settings\jschaible\desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\jschaible\g2mdlhlpx.exe
c:\documents and settings\jschaible\Local Settings\Application Data\{2B3B71B0-9D80-497D-94B1-9986CE3855C3}
c:\documents and settings\jschaible\Local Settings\Application Data\{2B3B71B0-9D80-497D-94B1-9986CE3855C3}\chrome.manifest
c:\documents and settings\jschaible\Local Settings\Application Data\{2B3B71B0-9D80-497D-94B1-9986CE3855C3}\chrome\content\_cfg.js
c:\documents and settings\jschaible\Local Settings\Application Data\{2B3B71B0-9D80-497D-94B1-9986CE3855C3}\chrome\content\overlay.xul
c:\documents and settings\jschaible\Local Settings\Application Data\{2B3B71B0-9D80-497D-94B1-9986CE3855C3}\install.rdf
c:\windows\sysdat.dll

----- BITS: Possible infected sites -----

hxxp://si-helpdesk
c:\windows\system32\drivers\SafeBoot.sys . . . is infected!! . . . Failed to find a valid replacement.
.
((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
.

2010-09-07 23:32 . 2010-09-07 23:32 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-428241f8-n\msvcp71.dll
2010-09-07 23:32 . 2010-09-07 23:32 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-428241f8-n\jmc.dll
2010-09-07 23:32 . 2010-09-07 23:32 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-428241f8-n\msvcr71.dll
2010-09-07 23:31 . 2010-09-07 23:31 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7d31483b-n\decora-sse.dll
2010-09-07 23:31 . 2010-09-07 23:31 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7d31483b-n\decora-d3d.dll
2010-08-31 13:42 . 2010-08-31 13:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\IBM
2010-08-27 16:55 . 2010-08-27 16:55 -------- d-----w- c:\program files\Runtime Software
2010-08-27 16:25 . 2010-08-27 16:51 -------- d-----w- c:\windows\system32\NtmsData
2010-08-27 15:06 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-27 13:49 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-27 13:25 . 2010-08-27 13:25 -------- d-----w- c:\documents and settings\jschaible\Local Settings\Application Data\Sunbelt Software
2010-08-27 13:24 . 2010-08-27 13:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-27 13:24 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-27 13:24 . 2010-08-27 13:24 -------- d-----w- c:\program files\Lavasoft
2010-08-26 18:49 . 2010-08-26 18:49 53248 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\cache\6.0\35\259fce23-17d389f0-n\IeEmbed.exe
2010-08-26 18:49 . 2010-08-26 18:49 45056 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\cache\6.0\35\259fce23-17d389f0-n\tray.dll
2010-08-26 18:49 . 2010-08-26 18:49 188416 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\cache\6.0\35\259fce23-17d389f0-n\MozEmbed.exe
2010-08-26 18:49 . 2010-08-26 18:49 110592 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\cache\6.0\35\259fce23-17d389f0-n\jdic.dll
2010-08-26 18:37 . 2010-08-26 18:37 503808 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23780d6d-n\msvcp71.dll
2010-08-26 18:37 . 2010-08-26 18:37 499712 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23780d6d-n\jmc.dll
2010-08-26 18:37 . 2010-08-26 18:37 348160 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23780d6d-n\msvcr71.dll
2010-08-26 18:37 . 2010-08-26 18:37 12800 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5997957c-n\decora-d3d.dll
2010-08-26 18:37 . 2010-08-26 18:37 61440 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5997957c-n\decora-sse.dll
2010-08-26 18:37 . 2010-08-26 18:48 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 17:05 . 2010-08-26 17:05 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-26 14:50 . 2010-09-07 21:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-26 14:27 . 2010-08-26 14:27 120 ----a-w- c:\windows\Trezoxi.dat
2010-08-26 14:27 . 2010-08-26 14:27 0 ----a-w- c:\windows\Sboqi.bin
2010-08-24 17:54 . 2010-08-26 16:18 -------- d-----w- c:\documents and settings\jschaible\Application Data\GlarySoft
2010-08-24 17:53 . 2010-08-24 17:53 -------- d-----w- c:\program files\Glary Utilities
2010-08-23 19:45 . 2000-09-06 14:43 135680 ----a-w- c:\windows\Webdelc.exe
2010-08-23 19:27 . 2010-08-23 21:02 -------- d-----w- c:\documents and settings\jschaible\Application Data\Creative
2010-08-23 19:27 . 2010-08-23 19:31 1093 ----a-w- c:\documents and settings\jschaible\Application Data\Creative\WebCam Monitor\Setting.sys
2010-08-23 19:27 . 2010-08-23 19:28 305 ----a-w- c:\documents and settings\jschaible\Application Data\Creative\WebCam Monitor\CacheSetting.sys
2010-08-23 19:19 . 2008-04-14 05:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-08-23 19:19 . 2008-04-14 05:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-08-23 19:14 . 2010-08-23 19:17 -------- d-----w- C:\CtDriverInstTemp
2010-08-23 19:14 . 2001-12-18 06:22 94208 ----a-w- c:\windows\ctdrvins.exe
2010-08-23 19:14 . 2001-12-11 06:03 53248 ----a-w- c:\windows\system32\webc3pin.dll
2010-08-23 19:14 . 2001-11-07 10:01 25241 ----a-w- c:\windows\system32\drivers\webc3cam.sys
2010-08-23 19:14 . 2001-11-07 10:01 16453 ----a-w- c:\windows\system32\webc3usd.dll
2010-08-23 19:14 . 2001-11-07 07:00 49152 ----a-w- c:\windows\system32\webc3ext.dll
2010-08-23 19:14 . 2001-11-07 07:00 166504 ----a-w- c:\windows\system32\drivers\webc3vid.sys
2010-08-23 19:14 . 2001-05-23 06:10 49152 ----a-w- c:\windows\system32\webc3vfw.dll
2010-08-23 19:14 . 2000-08-04 07:01 15360 ----a-w- c:\windows\system32\webc3vfw.drv
2010-08-23 19:13 . 2010-08-23 19:17 -------- d-----w- C:\WebCam3Gen
2010-08-23 19:08 . 2010-08-23 20:33 -------- d-----w- c:\program files\Creative
2010-08-23 19:08 . 1999-10-11 06:01 41984 ----a-w- c:\windows\CTREGRUN.EXE
2010-08-19 20:09 . 2010-08-19 20:09 -------- d-----w- c:\documents and settings\jschaible\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-07 23:29 . 2007-11-21 02:19 49792 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-07 22:14 . 2010-01-22 03:15 -------- d-----w- c:\documents and settings\jschaible\Application Data\uTorrent
2010-09-03 19:21 . 2010-01-18 21:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-03 16:46 . 2010-01-18 21:11 117760 ----a-w- c:\documents and settings\jschaible\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-27 22:03 . 2010-09-03 16:19 195180 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat
2010-08-27 17:25 . 2010-01-10 22:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-27 13:49 . 2009-11-19 23:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-27 13:24 . 2009-11-19 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-26 19:40 . 2010-01-11 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-26 18:48 . 2007-11-20 17:36 -------- d-----w- c:\program files\Common Files\Java
2010-08-26 18:48 . 2007-11-20 17:36 -------- d-----w- c:\program files\Java
2010-08-26 16:22 . 2010-01-10 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-24 18:25 . 2007-12-03 15:17 -------- d-----w- c:\program files\Autofutures
2010-08-24 18:25 . 2007-11-21 02:41 -------- d-----w- c:\program files\ATI Technologies
2010-08-23 22:22 . 2010-08-02 14:46 -------- d-----w- c:\documents and settings\jschaible\Application Data\Skype
2010-08-23 19:25 . 2007-11-21 02:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-14 21:09 . 2009-12-31 21:06 36 ---ha-w- c:\windows\system32\f9t.dat
2010-08-03 14:56 . 2007-11-20 19:38 49792 -c--a-w- c:\documents and settings\jschaible\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-02 14:46 . 2010-08-02 14:46 -------- d-----r- c:\program files\Skype
2010-08-02 14:46 . 2010-08-02 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-02 13:55 . 2009-08-11 13:14 -------- d-----w- c:\program files\thinkTDA
2010-08-02 13:51 . 2008-01-17 20:04 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-08-02 13:51 . 2008-01-17 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-08-02 13:44 . 2008-01-17 20:15 -------- d-----w- c:\documents and settings\jschaible\Application Data\Roxio
2010-08-02 13:36 . 2009-12-25 15:22 -------- d-----w- c:\documents and settings\jschaible\Application Data\HpUpdate
2010-07-23 20:01 . 2008-07-15 20:27 -------- d-----w- c:\documents and settings\jschaible\Application Data\U3
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1282048]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-05-23 677408]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-05-01 404248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2007-12-11 14848]
"SCDClient"="c:\program files\Discrete Technologies\SecureDisc Client\SCDHelper.exe" [2008-03-26 618496]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-22 136512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-11-20 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 14:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 07:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-373489508-1182832557-1595358894-1248\Scripts\Logon\0\0]
"Script"=atflogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-373489508-1182832557-1595358894-2696\Scripts\Logon\0\0]
"Script"=atflogon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 11:42 143360 ----a-w- c:\windows\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"CTRegRun"=c:\windows\CTRegRun.EXE
"HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe
"Scheduler"=c:\windows\SMINST\Scheduler.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2010 8:49 AM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/18/2010 2:29 PM 28552]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [4/26/2007 8:23 PM 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 2:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [3/29/2007 5:54 PM 13696]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [4/18/2007 8:32 PM 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [4/26/2007 8:23 PM 5808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 8:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 74480]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [3/31/2003 7:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [3/31/2003 7:00 AM 14336]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [4/27/2007 11:58 AM 221184]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [11/20/2007 10:22 PM 1489688]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/18/2007 8:06 PM 41216]
R3 pflt;Shrew Soft Miniport Filter;c:\windows\system32\drivers\vfilter.sys [11/11/2008 3:47 PM 40576]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [11/20/2007 10:39 PM 47616]
R3 SCDFilter;SCDFilter;c:\windows\system32\drivers\SCDFilter.sys [3/26/2008 11:54 AM 41856]
S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [8/23/2010 2:14 PM 166504]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [4/23/2007 2:13 PM 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [4/30/2007 9:28 AM 172131]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 7:15 AM 15008]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 7408]
S3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\drivers\virtualnet.sys [11/11/2008 3:47 PM 6912]
S4 dtpd;ShrewSoft DNS Proxy Daemon;c:\program files\ShrewSoft\VPN Client\dtpd.exe -service --> c:\program files\ShrewSoft\VPN Client\dtpd.exe -service [?]
S4 iked;ShrewSoft IKE Daemon;c:\program files\ShrewSoft\VPN Client\iked.exe -service --> c:\program files\ShrewSoft\VPN Client\iked.exe -service [?]
S4 ipsecd;ShrewSoft IPSEC Daemon;c:\program files\ShrewSoft\VPN Client\ipsecd.exe -service --> c:\program files\ShrewSoft\VPN Client\ipsecd.exe -service [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 22:34 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 13:58]

2010-09-08 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-08-24 16:21]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {6FBF430D-9B97-46D0-813D-EAE502D70586} = 68.87.72.130
DPF: {7B62F6EE-D046-11D3-9C5E-0060082627F7} - hxxps://epackage1.ups.com/download/TWDownload.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-WebCam Plus - c:\windows\ctdrvins.exe -uninstall usb\vid_05a9&pid_a511 -plugin webc3pin.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 19:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8740AEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74fbf28
\Driver\ACPI -> ACPI.sys @ 0xf735ecb8
\Driver\atapi -> atapi.sys @ 0xf72d2852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® Wireless WiFi Link 4965AG -> SendCompleteHandler -> NDIS.sys @ 0xf71debb0
PacketIndicateHandler -> NDIS.sys @ 0xf71cda0d
SendHandler -> NDIS.sys @ 0xf71e1b40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1900)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(1960)
c:\windows\system32\WININET.dll
c:\windows\SbHpNp.dll

- - - - - - - > 'explorer.exe'(1652)
c:\windows\system32\WININET.dll
c:\windows\system32\APSHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\ifxtcs.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\JavaNew\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\lotus\notes\ntmulti.exe
c:\windows\system32\IfxPsdSv.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\UPHClean\uphclean.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\IAM\bin\asghost.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
.
**************************************************************************
.
Completion time: 2010-09-07 19:47:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-08 00:47

Pre-Run: 8,815,161,344 bytes free
Post-Run: 9,095,262,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 16D672121A8BEFF30A5AD34B49CA7056



#11 gringo_pr (Malware Response Team)

Posted 07 September 2010 - 10:09 PM

Hello

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.





Gringo

#12 volcanojws (Topic Starter)

Posted 07 September 2010 - 10:20 PM

Here is the log requested.

2010/09/07 22:12:33.0328 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/07 22:12:33.0328 ================================================================================
2010/09/07 22:12:33.0328 SystemInfo:
2010/09/07 22:12:33.0328
2010/09/07 22:12:33.0328 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/07 22:12:33.0328 Product type: Workstation
2010/09/07 22:12:33.0328 ComputerName: LIN-ATF937
2010/09/07 22:12:33.0328 UserName: Administrator
2010/09/07 22:12:33.0328 Windows directory: C:\WINDOWS
2010/09/07 22:12:33.0328 System windows directory: C:\WINDOWS
2010/09/07 22:12:33.0328 Processor architecture: Intel x86
2010/09/07 22:12:33.0328 Number of processors: 2
2010/09/07 22:12:33.0328 Page size: 0x1000
2010/09/07 22:12:33.0328 Boot type: Normal boot
2010/09/07 22:12:33.0328 ================================================================================
2010/09/07 22:12:33.0578 Initialize success
2010/09/07 22:12:38.0156 ================================================================================
2010/09/07 22:12:38.0156 Scan started
2010/09/07 22:12:38.0156 Mode: Manual;
2010/09/07 22:12:38.0156 ================================================================================
2010/09/07 22:12:39.0171 Accelerometer (ac24b66995aff48be6b2f8cc3ca843c7) C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
2010/09/07 22:12:39.0250 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/07 22:12:39.0296 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/09/07 22:12:39.0406 ADIHdAudAddService (aa77f63a33244fd94ed2bc66f710024d) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2010/09/07 22:12:39.0468 AEAudio (358063ab6c1c4173b735525cdfa65f94) C:\WINDOWS\system32\drivers\AEAudio.sys
2010/09/07 22:12:39.0515 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/09/07 22:12:39.0593 AegisP (a1ad1a4a9f18d900ca9c93fa3efdcb56) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/09/07 22:12:39.0750 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/09/07 22:12:39.0890 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/09/07 22:12:39.0984 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/09/07 22:12:40.0046 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/07 22:12:40.0171 ati2mtag (e41250655174bcf82b3874ba928d9d3d) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/09/07 22:12:40.0343 AtiHdmiService (dc6957811ff95f2dd3004361b20d8d3f) C:\WINDOWS\system32\drivers\AtiHdmi.sys
2010/09/07 22:12:40.0437 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/09/07 22:12:40.0484 ATSWPDRV (293e8cc3c246a89f4cca75b024ad757f) C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys
2010/09/07 22:12:40.0515 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/09/07 22:12:40.0625 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/09/07 22:12:40.0687 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/09/07 22:12:40.0734 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/09/07 22:12:40.0796 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/09/07 22:12:40.0843 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/09/07 22:12:40.0953 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/09/07 22:12:41.0046 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/09/07 22:12:41.0125 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/09/07 22:12:41.0187 CTL511Plus (d491f164e6d5ebacbb73e0f85d47e9d9) C:\WINDOWS\system32\DRIVERS\webc3vid.sys
2010/09/07 22:12:41.0312 CVirtA (5c706c06c1279952d2cc1a609ca948bf) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2010/09/07 22:12:41.0406 CVPNDRVA (5ba042bcab6246c6bba51606afd7b488) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2010/09/07 22:12:41.0515 DAMDrv (5d5984255a4bfaa4262fb750df7cd537) C:\WINDOWS\system32\DRIVERS\DAMDrv.sys
2010/09/07 22:12:41.0578 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/07 22:12:41.0687 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/09/07 22:12:41.0734 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/09/07 22:12:41.0750 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/09/07 22:12:41.0765 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/09/07 22:12:41.0859 DNE (2eddbb3ef1dd5a28cb07c149d36e7286) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2010/09/07 22:12:41.0921 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/09/07 22:12:41.0984 e1express (05e35fca7e7b2921dd7bcaa72f3903c6) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2010/09/07 22:12:42.0109 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/09/07 22:12:42.0218 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/09/07 22:12:42.0234 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/09/07 22:12:42.0265 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/09/07 22:12:42.0296 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/09/07 22:12:42.0328 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/09/07 22:12:42.0421 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/09/07 22:12:42.0453 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/09/07 22:12:42.0500 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/09/07 22:12:42.0531 HECI (66fed3eeabdce17829edf4c68702ed22) C:\WINDOWS\system32\DRIVERS\HECI.sys
2010/09/07 22:12:42.0640 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/09/07 22:12:42.0671 hpdskflt (4f586a990238ab147099bc76c07c566e) C:\WINDOWS\system32\DRIVERS\hpdskflt.sys
2010/09/07 22:12:42.0796 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/09/07 22:12:42.0921 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/09/07 22:12:43.0046 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/09/07 22:12:43.0140 HSFHWAZL (3c01c18b866488fb6cc4e7d5472986a0) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2010/09/07 22:12:43.0218 HSF_DPV (0d7d34441e37e4a41b61cff0cbca1e3d) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2010/09/07 22:12:43.0375 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/09/07 22:12:43.0500 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/09/07 22:12:43.0562 IFXTPM (667cfdb801df771f47b7c39373c2d850) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
2010/09/07 22:12:43.0750 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/09/07 22:12:43.0781 InCDfs (580a81790cd0a48d85da322267da7ac4) C:\WINDOWS\system32\drivers\InCDFs.sys
2010/09/07 22:12:43.0812 InCDPass (aaa2789d2ce21b31be9406ba1ceb7285) C:\WINDOWS\system32\drivers\InCDPass.sys
2010/09/07 22:12:43.0875 InCDrec (4d022577e9072b5d22e0a383a7806bbb) C:\WINDOWS\system32\drivers\InCDrec.sys
2010/09/07 22:12:43.0937 incdrm (c258e57321a3c3737f4fa815fa69ee0b) C:\WINDOWS\system32\drivers\InCDRm.sys
2010/09/07 22:12:44.0046 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/09/07 22:12:44.0078 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/09/07 22:12:44.0109 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/07 22:12:44.0203 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/07 22:12:44.0234 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/07 22:12:44.0250 IPSec (4fda1328121c6c793bf8a8db7050c1ab) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/07 22:12:44.0250 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 4fda1328121c6c793bf8a8db7050c1ab, Fake md5: 23c74d75e36e7158768dd63d92789a91
2010/09/07 22:12:44.0250 IPSec - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/09/07 22:12:44.0281 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/07 22:12:44.0312 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/09/07 22:12:44.0406 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/07 22:12:44.0437 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/09/07 22:12:44.0468 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/09/07 22:12:44.0515 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/09/07 22:12:44.0578 Lavasoft Kernexplorer (32da3fde01f1bb080c2e69521dd8881e) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/09/07 22:12:44.0703 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/09/07 22:12:44.0843 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/09/07 22:12:44.0890 mfeapfk (b5c306c5b5e7417b9d2b410894678069) C:\WINDOWS\system32\drivers\mfeapfk.sys
2010/09/07 22:12:44.0968 mfeavfk (87b28198b308af3469d6e0b81d86c1fa) C:\WINDOWS\system32\drivers\mfeavfk.sys
2010/09/07 22:12:45.0093 mfebopk (cf37784dd24c83f62626bc0ea3f5e386) C:\WINDOWS\system32\drivers\mfebopk.sys
2010/09/07 22:12:45.0125 mfehidk (241c09c7d8c589ea1d72a36e6578e42c) C:\WINDOWS\system32\drivers\mfehidk.sys
2010/09/07 22:12:45.0203 mferkdk (37b5228bea6b4429ffb90dfa77af4431) C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
2010/09/07 22:12:45.0343 mfetdik (19c2d8af421e96d12e4004ca2162dbe9) C:\WINDOWS\system32\drivers\mfetdik.sys
2010/09/07 22:12:45.0421 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/09/07 22:12:45.0484 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/09/07 22:12:45.0500 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/09/07 22:12:45.0593 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/09/07 22:12:45.0656 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/09/07 22:12:45.0703 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/09/07 22:12:45.0750 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/09/07 22:12:45.0875 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/09/07 22:12:45.0906 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/09/07 22:12:45.0953 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/09/07 22:12:45.0984 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/09/07 22:12:46.0093 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/09/07 22:12:46.0125 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/09/07 22:12:46.0171 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/09/07 22:12:46.0203 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/09/07 22:12:46.0312 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/09/07 22:12:46.0343 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/09/07 22:12:46.0390 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/09/07 22:12:46.0437 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/09/07 22:12:46.0468 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/09/07 22:12:46.0593 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/09/07 22:12:46.0640 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/09/07 22:12:46.0656 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/09/07 22:12:46.0796 NETw4x32 (a9574f52e2fd5c1c1b4807a326e0488f) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
2010/09/07 22:12:46.0937 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/09/07 22:12:46.0984 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/09/07 22:12:47.0031 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/09/07 22:12:47.0140 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2010/09/07 22:12:47.0234 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/09/07 22:12:47.0281 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/09/07 22:12:47.0312 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/09/07 22:12:47.0359 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/09/07 22:12:47.0500 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/09/07 22:12:47.0531 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/09/07 22:12:47.0562 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/09/07 22:12:47.0625 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys
2010/09/07 22:12:47.0734 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/09/07 22:12:47.0843 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/09/07 22:12:47.0875 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/09/07 22:12:47.0921 PCTINDIS5 (a12bcc5d39c14a2d08df68ebb00aea0d) C:\WINDOWS\system32\PCTINDIS5.SYS
2010/09/07 22:12:48.0265 PersonalSecureDrive (c7d5cf6c7dbe6d96de252457721bd0e8) C:\WINDOWS\System32\drivers\psd.sys
2010/09/07 22:12:48.0437 pflt (fcd52ab737c4416df577e80ce85a37fa) C:\WINDOWS\system32\DRIVERS\vfilter.sys
2010/09/07 22:12:48.0546 Point32 (dcdf0421a1c14f2923e298a30fd7636d) C:\WINDOWS\system32\DRIVERS\point32.sys
2010/09/07 22:12:48.0593 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/09/07 22:12:48.0625 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/09/07 22:12:48.0734 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/09/07 22:12:48.0765 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/09/07 22:12:48.0859 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/09/07 22:12:48.0890 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/09/07 22:12:48.0906 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/09/07 22:12:48.0937 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/09/07 22:12:48.0953 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/09/07 22:12:49.0046 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/09/07 22:12:49.0093 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/09/07 22:12:49.0125 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/09/07 22:12:49.0171 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/09/07 22:12:49.0281 rimmptsk (355aac141b214bef1dbc1483afd9bd50) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2010/09/07 22:12:49.0359 RimSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/09/07 22:12:49.0453 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/09/07 22:12:49.0484 rismc32 (7c21554942bef51cbd84fd7d4e62cb9a) C:\WINDOWS\system32\DRIVERS\rismc32.sys
2010/09/07 22:12:49.0562 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/09/07 22:12:49.0593 RsvLock (40ace983d0b03e997191ff6f7ff407d7) C:\WINDOWS\system32\drivers\RsvLock.sys
2010/09/07 22:12:49.0765 s24trans (eadfb87f911a7a75d1b80617f92901e8) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2010/09/07 22:12:49.0828 SafeBoot (58a8f41e174b28843692812d55547dc3) C:\WINDOWS\system32\drivers\SafeBoot.sys
2010/09/07 22:12:49.0828 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\SafeBoot.sys. md5: 58a8f41e174b28843692812d55547dc3
2010/09/07 22:12:49.0828 SafeBoot - detected Locked file (1)
2010/09/07 22:12:49.0906 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/09/07 22:12:49.0953 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2010/09/07 22:12:50.0000 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2010/09/07 22:12:50.0125 SbAlg (f6367fb350f8e5d3f6dd8040e4c0e33b) C:\WINDOWS\system32\drivers\SbAlg.sys
2010/09/07 22:12:50.0156 SbFsLock (df4a90b29b878e8cd95a1ac8f94ca954) C:\WINDOWS\system32\drivers\SbFsLock.sys
2010/09/07 22:12:50.0203 SCDFilter (611d3490a1a836b86c1ba0079904c968) C:\WINDOWS\system32\drivers\SCDFilter.sys
2010/09/07 22:12:50.0250 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2010/09/07 22:12:50.0343 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/09/07 22:12:50.0406 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/09/07 22:12:50.0437 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/09/07 22:12:50.0468 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/09/07 22:12:50.0546 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/09/07 22:12:50.0656 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/09/07 22:12:50.0687 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/09/07 22:12:50.0734 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/09/07 22:12:50.0765 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/09/07 22:12:50.0875 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/09/07 22:12:50.0890 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/09/07 22:12:51.0031 SynTP (5876072999220ef2fba1ddec86d2b97e) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/09/07 22:12:51.0171 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/09/07 22:12:51.0234 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/07 22:12:51.0343 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/09/07 22:12:51.0375 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/09/07 22:12:51.0390 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/09/07 22:12:51.0500 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/09/07 22:12:51.0656 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/09/07 22:12:51.0843 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/09/07 22:12:51.0984 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/09/07 22:12:52.0046 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/09/07 22:12:52.0218 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/09/07 22:12:52.0406 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/09/07 22:12:52.0531 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/09/07 22:12:52.0578 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/09/07 22:12:52.0671 vnet (e1fe7d6d9b45a4d2d1e92503cb2672ce) C:\WINDOWS\system32\DRIVERS\virtualnet.sys
2010/09/07 22:12:52.0796 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/09/07 22:12:52.0843 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
2010/09/07 22:12:53.0062 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/09/07 22:12:53.0218 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/09/07 22:12:53.0484 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/09/07 22:12:53.0640 winachsf (bb62e6fadcfe4096151103ac4b07f1ed) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/09/07 22:12:53.0921 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/09/07 22:12:53.0968 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/09/07 22:12:54.0015 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/09/07 22:12:54.0046 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/09/07 22:12:54.0109 ================================================================================
2010/09/07 22:12:54.0109 Scan finished
2010/09/07 22:12:54.0109 ================================================================================
2010/09/07 22:12:54.0140 Detected object count: 2
2010/09/07 22:13:12.0593 IPSec (4fda1328121c6c793bf8a8db7050c1ab) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/07 22:13:12.0593 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 4fda1328121c6c793bf8a8db7050c1ab, Fake md5: 23c74d75e36e7158768dd63d92789a91
2010/09/07 22:13:13.0625 Backup copy found, using it..
2010/09/07 22:13:13.0703 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured after reboot
2010/09/07 22:13:13.0703 Rootkit.Win32.TDSS.tdl3(IPSec) - User select action: Cure
2010/09/07 22:13:13.0703 Locked file(SafeBoot) - User select action: Skip
2010/09/07 22:13:17.0578 Deinitialize success
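
The TDSSKiller log above flags ipsec.sys as Forged (the same file produced two different MD5s depending on how it was read) and SafeBoot.sys as a locked file. As an added example, not part of TDSSKiller or of this thread, here is a Python parser for that log format that pulls out each detection and the action taken on it; the sample lines are copied from the log above.

```python
"""Pull the detections out of a TDSSKiller 2.4.x scan log.

Added example for this thread; it is not TDSSKiller's own code and not from
the original post. The line shapes it parses are those in the log posted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the detection-related lines copied from the posted log.
SAMPLE_LOG = r"""
2010/09/07 22:12:44.0250 IPSec (4fda1328121c6c793bf8a8db7050c1ab) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/07 22:12:44.0250 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 4fda1328121c6c793bf8a8db7050c1ab, Fake md5: 23c74d75e36e7158768dd63d92789a91
2010/09/07 22:12:44.0250 IPSec - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/09/07 22:12:49.0828 SafeBoot (58a8f41e174b28843692812d55547dc3) C:\WINDOWS\system32\drivers\SafeBoot.sys
2010/09/07 22:12:49.0828 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\SafeBoot.sys. md5: 58a8f41e174b28843692812d55547dc3
2010/09/07 22:12:49.0828 SafeBoot - detected Locked file (1)
2010/09/07 22:12:54.0140 Detected object count: 2
2010/09/07 22:13:13.0703 Rootkit.Win32.TDSS.tdl3(IPSec) - User select action: Cure
2010/09/07 22:13:13.0703 Locked file(SafeBoot) - User select action: Skip
"""

TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "   # every line starts with a timestamp
HEX32 = r"[0-9a-f]{32}"
RE_FORGED = re.compile(TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: "
                       r"(?P<real>" + HEX32 + r"), Fake md5: (?P<fake>" + HEX32 + r")$")
RE_NOACCESS = re.compile(TS + r"Suspicious file \(NoAccess\): (?P<path>.+?)\. md5: (?P<md5>"
                         + HEX32 + r")$")
RE_DETECT = re.compile(TS + r"(?P<svc>\S+) - detected (?P<verdict>.+?) \(\d+\)$")
RE_ACTION = re.compile(TS + r"(?P<verdict>.+?)\((?P<svc>[^)]+)\) - User select action: (?P<action>\w+)$")
RE_COUNT = re.compile(TS + r"Detected object count: (?P<n>\d+)$")
RE_SERVICE = re.compile(TS + r"(?P<svc>.+?) \((?P<md5>" + HEX32 + r")\) (?P<path>.+)$")


@dataclass
class Finding:
    service: str
    path: str = ""
    kind: str = ""      # "Forged": two reads, two hashes; "NoAccess": file is locked
    verdict: str = ""   # e.g. "Rootkit.Win32.TDSS.tdl3" or "Locked file"
    real_md5: str = ""
    fake_md5: str = ""
    action: str = ""    # "Cure" / "Skip" as chosen at TDSSKiller's prompt


def parse_tdsskiller(log: str) -> Tuple[Dict[str, Finding], Optional[int]]:
    """Return findings keyed by service name and the log's own 'Detected object count'."""
    path_to_service: Dict[str, str] = {}   # casefolded path -> service, from the listing lines
    findings: Dict[str, Finding] = {}
    declared: Optional[int] = None

    def finding_for(svc: str) -> Finding:
        return findings.setdefault(svc, Finding(service=svc))

    for line in (raw.rstrip() for raw in log.splitlines()):
        if m := RE_FORGED.match(line):
            # "Suspicious file" lines carry only a path; the listing line just before
            # it told us which service that path belongs to.
            f = finding_for(path_to_service.get(m["path"].casefold(), m["path"]))
            f.path, f.kind = m["path"], "Forged"
            f.real_md5, f.fake_md5 = m["real"], m["fake"]
        elif m := RE_NOACCESS.match(line):
            f = finding_for(path_to_service.get(m["path"].casefold(), m["path"]))
            f.path, f.kind, f.real_md5 = m["path"], "NoAccess", m["md5"]
        elif m := RE_DETECT.match(line):
            finding_for(m["svc"]).verdict = m["verdict"]
        elif m := RE_ACTION.match(line):
            f = finding_for(m["svc"])
            f.action, f.verdict = m["action"], f.verdict or m["verdict"]
        elif m := RE_COUNT.match(line):
            declared = int(m["n"])
        elif m := RE_SERVICE.match(line):
            path_to_service[m["path"].casefold()] = m["svc"]
    return findings, declared


def triage(findings: Dict[str, Finding], declared: Optional[int]) -> Dict[str, List[str]]:
    """Bucket the findings the way a helper reading the log would."""
    fs = [findings[s] for s in sorted(findings)]
    return {
        # a driver image that hashes differently via two read paths is the TDL3 tell
        "forged": [f.service for f in fs if f.kind == "Forged" and f.real_md5 != f.fake_md5],
        # locked files are often legitimate (disk encryption, self-protecting AV) but need a look
        "locked": [f.service for f in fs if f.kind == "NoAccess"],
        # anything not cured is still on the box after the reboot
        "not_cured": [f.service for f in fs if f.action != "Cure"],
        # empty when the parsed total agrees with the count the log itself printed
        "count_mismatch": [] if declared in (None, len(findings))
        else [f"log says {declared}, parsed {len(findings)}"],
    }


if __name__ == "__main__":
    found, n = parse_tdsskiller(SAMPLE_LOG)
    print(triage(found, n))
```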

#13 gringo_pr (Malware Response Team)

Posted 07 September 2010 - 10:42 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

    File::
    c:\windows\Trezoxi.dat
    c:\windows\Sboqi.bin

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo



#14 volcanojws (Topic Starter)

Posted 07 September 2010 - 11:05 PM

Here is the newest ComboFix log. No problems from start to finish. Computer seems to be running okay, but ComboFix did not require a reboot. I am staying away from IE because the jump/redirect has directed me to autoloading virus pages in the past.

ComboFix 10-09-07.01 - Administrator 09/07/2010 22:48:13.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1321 [GMT -5:00]
Running from: c:\documents and settings\jschaible\desktop\ComboFix.exe
Command switches used :: c:\documents and settings\jschaible\desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active


FILE ::
"c:\windows\Sboqi.bin"
"c:\windows\Trezoxi.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Sboqi.bin
c:\windows\Trezoxi.dat

.
((((((((((((((((((((((((( Files Created from 2010-08-08 to 2010-09-08 )))))))))))))))))))))))))))))))
.

2010-09-07 23:32 . 2010-09-07 23:32 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-428241f8-n\msvcp71.dll
2010-09-07 23:32 . 2010-09-07 23:32 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-428241f8-n\jmc.dll
2010-09-07 23:32 . 2010-09-07 23:32 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-428241f8-n\msvcr71.dll
2010-09-07 23:31 . 2010-09-07 23:31 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7d31483b-n\decora-sse.dll
2010-09-07 23:31 . 2010-09-07 23:31 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7d31483b-n\decora-d3d.dll
2010-08-31 13:42 . 2010-08-31 13:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\IBM
2010-08-27 16:55 . 2010-08-27 16:55 -------- d-----w- c:\program files\Runtime Software
2010-08-27 16:25 . 2010-08-27 16:51 -------- d-----w- c:\windows\system32\NtmsData
2010-08-27 15:06 . 2010-08-12 12:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-27 13:49 . 2010-08-12 12:15 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-27 13:25 . 2010-08-27 13:25 -------- d-----w- c:\documents and settings\jschaible\Local Settings\Application Data\Sunbelt Software
2010-08-27 13:24 . 2010-08-27 13:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-27 13:24 . 2010-08-12 12:16 2979848 -c--a-w- c:\documents and settings\All Users\Application Data\{ECC164E0-3133-4C70-A831-F08DB2940F70}\Ad-AwareInstall.exe
2010-08-27 13:24 . 2010-08-27 13:24 -------- d-----w- c:\program files\Lavasoft
2010-08-26 18:49 . 2010-08-26 18:49 53248 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\cache\6.0\35\259fce23-17d389f0-n\IeEmbed.exe
2010-08-26 18:49 . 2010-08-26 18:49 45056 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\cache\6.0\35\259fce23-17d389f0-n\tray.dll
2010-08-26 18:49 . 2010-08-26 18:49 188416 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\cache\6.0\35\259fce23-17d389f0-n\MozEmbed.exe
2010-08-26 18:49 . 2010-08-26 18:49 110592 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\cache\6.0\35\259fce23-17d389f0-n\jdic.dll
2010-08-26 18:37 . 2010-08-26 18:37 503808 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23780d6d-n\msvcp71.dll
2010-08-26 18:37 . 2010-08-26 18:37 499712 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23780d6d-n\jmc.dll
2010-08-26 18:37 . 2010-08-26 18:37 348160 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23780d6d-n\msvcr71.dll
2010-08-26 18:37 . 2010-08-26 18:37 12800 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5997957c-n\decora-d3d.dll
2010-08-26 18:37 . 2010-08-26 18:37 61440 ----a-w- c:\documents and settings\jschaible\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-5997957c-n\decora-sse.dll
2010-08-26 18:37 . 2010-08-26 18:48 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 17:05 . 2010-08-26 17:05 -------- d-----w- c:\windows\system32\wbem\Repository
2010-08-26 14:50 . 2010-09-08 02:49 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-24 17:54 . 2010-08-26 16:18 -------- d-----w- c:\documents and settings\jschaible\Application Data\GlarySoft
2010-08-24 17:53 . 2010-08-24 17:53 -------- d-----w- c:\program files\Glary Utilities
2010-08-23 19:45 . 2000-09-06 14:43 135680 ----a-w- c:\windows\Webdelc.exe
2010-08-23 19:27 . 2010-08-23 21:02 -------- d-----w- c:\documents and settings\jschaible\Application Data\Creative
2010-08-23 19:27 . 2010-08-23 19:31 1093 ----a-w- c:\documents and settings\jschaible\Application Data\Creative\WebCam Monitor\Setting.sys
2010-08-23 19:27 . 2010-08-23 19:28 305 ----a-w- c:\documents and settings\jschaible\Application Data\Creative\WebCam Monitor\CacheSetting.sys
2010-08-23 19:19 . 2008-04-14 05:09 5504 -c--a-w- c:\windows\system32\dllcache\mstee.sys
2010-08-23 19:19 . 2008-04-14 05:09 5504 ----a-w- c:\windows\system32\drivers\MSTEE.sys
2010-08-23 19:14 . 2010-08-23 19:17 -------- d-----w- C:\CtDriverInstTemp
2010-08-23 19:14 . 2001-12-18 06:22 94208 ----a-w- c:\windows\ctdrvins.exe
2010-08-23 19:14 . 2001-12-11 06:03 53248 ----a-w- c:\windows\system32\webc3pin.dll
2010-08-23 19:14 . 2001-11-07 10:01 25241 ----a-w- c:\windows\system32\drivers\webc3cam.sys
2010-08-23 19:14 . 2001-11-07 10:01 16453 ----a-w- c:\windows\system32\webc3usd.dll
2010-08-23 19:14 . 2001-11-07 07:00 49152 ----a-w- c:\windows\system32\webc3ext.dll
2010-08-23 19:14 . 2001-11-07 07:00 166504 ----a-w- c:\windows\system32\drivers\webc3vid.sys
2010-08-23 19:14 . 2001-05-23 06:10 49152 ----a-w- c:\windows\system32\webc3vfw.dll
2010-08-23 19:14 . 2000-08-04 07:01 15360 ----a-w- c:\windows\system32\webc3vfw.drv
2010-08-23 19:13 . 2010-08-23 19:17 -------- d-----w- C:\WebCam3Gen
2010-08-23 19:08 . 2010-08-23 20:33 -------- d-----w- c:\program files\Creative
2010-08-23 19:08 . 1999-10-11 06:01 41984 ----a-w- c:\windows\CTREGRUN.EXE
2010-08-19 20:09 . 2010-08-19 20:09 -------- d-----w- c:\documents and settings\jschaible\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-08 03:15 . 2003-03-31 12:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2010-09-07 23:29 . 2007-11-21 02:19 49792 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-07 22:14 . 2010-01-22 03:15 -------- d-----w- c:\documents and settings\jschaible\Application Data\uTorrent
2010-09-03 19:21 . 2010-01-18 21:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-03 16:46 . 2010-01-18 21:11 117760 ----a-w- c:\documents and settings\jschaible\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-27 22:03 . 2010-09-03 16:19 195180 ----a-w- c:\windows\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat
2010-08-27 17:25 . 2010-01-10 22:56 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-27 13:49 . 2009-11-19 23:03 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-27 13:24 . 2009-11-19 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-26 19:40 . 2010-01-11 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-26 18:48 . 2007-11-20 17:36 -------- d-----w- c:\program files\Common Files\Java
2010-08-26 18:48 . 2007-11-20 17:36 -------- d-----w- c:\program files\Java
2010-08-26 16:22 . 2010-01-10 22:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-24 18:25 . 2007-12-03 15:17 -------- d-----w- c:\program files\Autofutures
2010-08-24 18:25 . 2007-11-21 02:41 -------- d-----w- c:\program files\ATI Technologies
2010-08-23 22:22 . 2010-08-02 14:46 -------- d-----w- c:\documents and settings\jschaible\Application Data\Skype
2010-08-23 19:25 . 2007-11-21 02:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-14 21:09 . 2009-12-31 21:06 36 ---ha-w- c:\windows\system32\f9t.dat
2010-08-03 14:56 . 2007-11-20 19:38 49792 -c--a-w- c:\documents and settings\jschaible\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-02 14:46 . 2010-08-02 14:46 -------- d-----r- c:\program files\Skype
2010-08-02 14:46 . 2010-08-02 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-08-02 13:55 . 2009-08-11 13:14 -------- d-----w- c:\program files\thinkTDA
2010-08-02 13:51 . 2008-01-17 20:04 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-08-02 13:51 . 2008-01-17 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-08-02 13:44 . 2008-01-17 20:15 -------- d-----w- c:\documents and settings\jschaible\Application Data\Roxio
2010-08-02 13:36 . 2009-12-25 15:22 -------- d-----w- c:\documents and settings\jschaible\Application Data\HpUpdate
2010-07-23 20:01 . 2008-07-15 20:27 -------- d-----w- c:\documents and settings\jschaible\Application Data\U3
.

((((((((((((((((((((((((((((( SnapShot@2010-09-08_00.40.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-08 03:16 . 2010-09-08 03:16 16384 c:\windows\Temp\Perflib_Perfdata_6e0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1282048]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-05-23 677408]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-05-03 57344]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-05-01 404248]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2007-12-11 14848]
"SCDClient"="c:\program files\Discrete Technologies\SecureDisc Client\SCDHelper.exe" [2008-03-26 618496]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-22 136512]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-11-20 6144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-04-30 14:19 49152 ----a-w- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 07:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-373489508-1182832557-1595358894-1248\Scripts\Logon\0\0]
"Script"=atflogon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-373489508-1182832557-1595358894-2696\Scripts\Logon\0\0]
"Script"=atflogon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 11:42 143360 ----a-w- c:\windows\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"CTRegRun"=c:\windows\CTRegRun.EXE
"HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe
"Scheduler"=c:\windows\SMINST\Scheduler.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2010 8:49 AM 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [1/18/2010 2:29 PM 28552]
R0 SafeBoot;SafeBoot;c:\windows\system32\drivers\SafeBoot.sys [4/26/2007 8:23 PM 100095]
R0 SbAlg;SbAlg;c:\windows\system32\drivers\SbAlg.sys [10/9/2006 2:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\system32\drivers\SbFsLock.sys [3/29/2007 5:54 PM 13696]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [4/18/2007 8:32 PM 39080]
R1 RsvLock;RsvLock;c:\windows\system32\drivers\rsvlock.sys [4/26/2007 8:23 PM 5808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 8:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 74480]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [3/31/2003 7:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [3/31/2003 7:00 AM 14336]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [4/27/2007 11:58 AM 221184]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [11/20/2007 10:22 PM 1489688]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [4/18/2007 8:06 PM 41216]
R3 pflt;Shrew Soft Miniport Filter;c:\windows\system32\drivers\vfilter.sys [11/11/2008 3:47 PM 40576]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [11/20/2007 10:39 PM 47616]
R3 SCDFilter;SCDFilter;c:\windows\system32\drivers\SCDFilter.sys [3/26/2008 11:54 AM 41856]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]
S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\drivers\webc3vid.sys [8/23/2010 2:14 PM 166504]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [4/23/2007 2:13 PM 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [4/30/2007 9:28 AM 172131]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [8/12/2010 7:15 AM 15008]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 7408]
S3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\drivers\virtualnet.sys [11/11/2008 3:47 PM 6912]
S4 dtpd;ShrewSoft DNS Proxy Daemon;c:\program files\ShrewSoft\VPN Client\dtpd.exe -service --> c:\program files\ShrewSoft\VPN Client\dtpd.exe -service [?]
S4 iked;ShrewSoft IKE Daemon;c:\program files\ShrewSoft\VPN Client\iked.exe -service --> c:\program files\ShrewSoft\VPN Client\iked.exe -service [?]
S4 ipsecd;ShrewSoft IPSEC Daemon;c:\program files\ShrewSoft\VPN Client\ipsecd.exe -service --> c:\program files\ShrewSoft\VPN Client\ipsecd.exe -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb
*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 22:34 451872 -c--a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-09-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 13:58]

2010-09-08 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-08-24 16:21]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {6FBF430D-9B97-46D0-813D-EAE502D70586} = 68.87.72.130
DPF: {7B62F6EE-D046-11D3-9C5E-0060082627F7} - hxxps://epackage1.ups.com/download/TWDownload.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-07 22:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????T??????????????|?M?|?????M?|&?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1896)
c:\windows\system32\APSHook.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\windows\system32\DeviceNP.dll

- - - - - - - > 'lsass.exe'(1952)
c:\windows\system32\APSHook.dll
c:\windows\SbHpNp.dll
.
Completion time: 2010-09-07 22:58:52
ComboFix-quarantined-files.txt 2010-09-08 03:58
ComboFix2.txt 2010-09-08 00:47

Pre-Run: 9,091,997,696 bytes free
Post-Run: 9,100,066,816 bytes free

- - End Of File - - 71F605878A454B7FF0A759AD229A25E6
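When you have to read many logs like the one above, picking the autostart entries and the driver/service table out of the text by hand gets old quickly. The following Python is an added example for that triage, not part of this thread and not a ComboFix feature: it parses the three line shapes visible in the log (a bracketed registry key, a "Name"="target" [date size] value line, and an Rn/Sn service line, where R/S is running/stopped and n is the start type), then lists anything launched from outside the Windows and Program Files trees. The sample input is constructed from lines of the posted log plus one made-up RunOnce entry (marked as such) so the path check has something to flag; the start-type mapping and the "outside standard directories" heuristic are my own assumptions for prioritisation, not a verdict on any entry.

```python
"""Parse the 'Reg Loading Points' and service/driver lines of a ComboFix log.

Added example for bulk triage; it is not ComboFix's own code. Line shapes
understood: [registry key], "Name"="target" [YYYY-MM-DD size], and
Rn/Sn service lines (R = running, S = stopped, n = start type).
"""
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the log above, plus one made-up
# RunOnce entry (the last line) so the path check below has a hit.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1282048]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2010 8:49 AM 64288]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1355928]
S4 dtpd;ShrewSoft DNS Proxy Daemon;c:\program files\ShrewSoft\VPN Client\dtpd.exe -service --> c:\program files\ShrewSoft\VPN Client\dtpd.exe -service [?]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"example-constructed"="c:\documents and settings\user\Local Settings\Temp\example.exe" [2010-09-01 12345]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"="target" [date size]  or  "Name"=target  (value may be unquoted,
# and the trailing [date size] block is optional, as for AppInit_DLLs above)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="?(?P<target>.*?)"?'
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?$"
)
# R0 name;display;image [meta]  -- image may contain spaces and '-->' notes
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s+\[(?P<meta>[^\]]*)\]$"
)
# Assumed mapping of the digit after R/S to the Windows service start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}


def parse_combofix(text: str) -> Dict[str, List[dict]]:
    """Return {'autoruns': [...], 'services': [...]} for the recognised lines."""
    autoruns: List[dict] = []
    services: List[dict] = []
    key: Optional[str] = None  # most recent [registry key] header seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({
                "name": m.group("name"),
                "display": m.group("display"),
                "image": m.group("image"),
                "running": m.group("state") == "R",
                "start": START_TYPES.get(m.group("start"), m.group("start")),
                "meta": m.group("meta"),
            })
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            autoruns.append({
                "key": key,
                "name": m.group("name"),
                "target": m.group("target"),
                "date": m.group("date"),
                "size": int(m.group("size")) if m.group("size") else None,
            })
    return {"autoruns": autoruns, "services": services}


# Assumed "expected" roots; ComboFix also prints 8.3 names like c:\progra~1.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def outside_standard_dirs(records: List[dict], field: str) -> List[dict]:
    """Records whose image path is not under the Windows/Program Files trees.

    Items started from a user profile, a temp directory or a drive root are
    worth a closer look first; this orders the review, it does not judge.
    """
    return [r for r in records if not r[field].lower().startswith(STANDARD_ROOTS)]


if __name__ == "__main__":
    parsed = parse_combofix(SAMPLE_LOG)
    for r in parsed["services"]:
        print(f"{'running' if r['running'] else 'stopped':8} {r['start']:9} {r['name']}: {r['image']}")
    for r in outside_standard_dirs(parsed["autoruns"], "target"):
        print("review:", r["key"], r["name"], "->", r["target"])
```

Run it against a saved ComboFix.txt by reading the file into `parse_combofix` instead of `SAMPLE_LOG`; on the constructed sample only the made-up RunOnce entry is listed for review, and every service in the sample resolves to a Windows or Program Files path.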

#15 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Male, Puerto Rico)

Posted 07 September 2010 - 11:23 PM

Hello

QUOTE
Here is the newest ComboFix log. No problems from start to finish. Computer seems to be running okay, but ComboFix did not require a reboot. I am staying away from IE because the jump/redirect has directed me to auto-loading virus pages in the past.

Now is the time to check it out and let me know how it is doing.

Extra ComboFix report

I need to see one of the extra reports ComboFix makes:
  • Press the Windows key + R (the Windows key is between the Ctrl and Alt buttons).
  • Copy and paste the following into the box:
CODE
C:\Qoobox\Add-Remove Programs.txt
  • Click OK.
  • Copy and paste the report into this topic for me to review.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know



